How to Evaluate a Managed IT Provider: An Honest Checklist From the MSP's Perspective
A managed IT provider shares the questions every business owner should ask any MSP, what good answers look like, and the red flags to watch for.

Most “how to choose an MSP” articles are thinly disguised sales pitches. They list criteria that conveniently match the author’s strengths and gloss over the areas where honest answers get uncomfortable. This post is different. We’re sharing the checklist we’d want a prospect to bring into any evaluation, including ours. If an MSP can’t answer these questions directly, that tells you something.
We spent 20+ years in enterprise and government IT before building a managed IT practice for small and mid-sized businesses. That background taught us what separates providers who deliver from those who just collect monthly invoices. Here’s what to ask, what good answers sound like, and where to push harder.
Response Time SLAs: Get the Numbers in Writing
Ask every MSP candidate for their response time commitments by severity level. You should see something like: critical issues (server down, security incident) acknowledged within 15 minutes, high-priority issues within 30 minutes, standard requests within 1 to 2 hours. If they give you vague language like “we respond quickly” or “our team is always available,” keep looking.
The more important follow-up is how they measure and report on those SLAs. A good provider will show you their actual performance data, not just the targets. Ask for their average response time over the past 90 days. If they can’t produce that number, they aren’t tracking it, which means the SLA is decorative.
Also clarify what “response” means. Some providers count an auto-generated “we received your ticket” email as a response. You want to know when a real technician starts working on the problem, not when their ticketing system sends an acknowledgment.
Security Stack: Are They Running a SOC or Reselling an RMM?
There’s a wide gap between an MSP that monitors your antivirus alerts and one that operates a security operations center with trained analysts reviewing threats around the clock. Both will tell you they “handle security.” The difference matters when an actual incident occurs.
Ask specifically: Do you run your own SOC or partner with a third-party MDR provider? What endpoint detection and response (EDR) tool do you deploy? How do you handle threat hunting versus just reacting to alerts? What does your security stack actually include beyond antivirus?
A provider with real security depth can walk you through their tooling and explain why they chose it. They’ll name specific products (SentinelOne, CrowdStrike, Fortinet, Microsoft Defender for Business) and explain how those tools integrate. If the answer is “we use best-in-class solutions” without naming anything, that’s a red flag.
Onboarding: What Does Day One Actually Look Like?
Switching IT providers is disruptive. A good MSP acknowledges that and has a documented onboarding process to minimize it. Ask them to walk you through their transition plan step by step: how they inventory your environment, how they get credentials and access from your current provider, how they handle the overlap period, and what the first 30/60/90 days look like.
Red flags here include providers who say they can “take over by Monday” or who don’t mention a discovery phase. A proper onboarding takes 2 to 4 weeks for a 50-person company and longer for complex environments. If someone promises zero downtime with no transition plan, they either haven’t done this many times or they’re telling you what you want to hear.
Escalation Paths: Who Do You Call at 2 AM?
When something breaks at 2 AM on a Saturday, you need to know exactly who picks up the phone and what authority they have to act. Ask your MSP candidate to describe their escalation path from first contact to engineering-level support. You should hear specific roles and timeframes, not “our team handles it.”
Key questions: Is there a named account manager or vCIO assigned to your account? Can that person make decisions, or do they need to “check with engineering”? For after-hours emergencies, is support handled by the same team that knows your environment, or does it roll to a generic call center?
The best MSPs assign a primary point of contact who knows your business, your infrastructure, and your priorities. When you call about a problem, they should already have context. If every interaction starts with “can you describe your environment,” the relationship is too transactional.
Compliance Experience: Can They Speak Your Language?
If your business operates under HIPAA, CMMC, PCI DSS, or SOC 2 requirements, your IT provider needs to understand those frameworks at a practical level, not just recognize the acronyms. Ask them to describe a specific compliance engagement they’ve supported. What controls did they implement? What gaps did they find? How did they help the client through an audit?
A provider with genuine compliance experience will talk about specific technical controls: encryption requirements, access logging, network segmentation, evidence collection for auditors. A provider without that experience will pivot to generalities about “keeping your data safe.”
Also ask whether they’ve worked with your specific auditors or assessors. Compliance isn’t theoretical. It’s about producing the right evidence in the right format when an assessor asks for it. Your MSP should be a partner in that process, not a bystander.
Reporting and Transparency: Can You See Your Own Data?
You’re paying for IT management. You should be able to see what’s happening in your environment without filing a request. Ask every MSP candidate what reporting they provide, how often, and whether you get access to dashboards or a client portal.
Good providers send monthly reports that cover ticket volume, resolution times, security events, patch compliance, and asset health. Great providers give you real-time access to that data through a portal where you can see open tickets, SLA performance, and trends without waiting for someone to compile a PDF.
If an MSP resists giving you visibility into your own environment, that’s one of the clearest red flags in the evaluation. Transparency and accountability go together. A provider who’s confident in their work wants you to see the numbers.
Process and Documentation: How Do They Actually Run?
An MSP’s internal processes tell you more about their maturity than their sales pitch ever will. Ask specifically about three areas: onboarding, offboarding, and disaster recovery. The quality and detail of their answers will separate the operators from the order-takers.
Onboarding documentation. Beyond the transition timeline covered above, ask to see their onboarding checklist or project plan. A mature provider has a documented, repeatable process: environment discovery, credential transfer, agent deployment, baseline configuration, user communication templates, and a formal handoff meeting when the transition is complete. If the answer is “we just start working on tickets,” there’s no process behind the operation.
Offboarding and knowledge transfer. Ask what happens if you leave. A confident MSP will describe a clean offboarding process: transferring all documentation, network diagrams, and credential vaults to you or your next provider within a defined window. They’ll explain who owns the documentation they created during the engagement (it should be you) and how they ensure continuity so nothing falls through the cracks during the handoff. Providers who get evasive about offboarding are telling you that leaving will be painful by design, not by necessity.
Disaster recovery and business continuity. Ask them to walk you through their recovery process for a realistic scenario: a ransomware event that encrypts your file server and email. You want to hear specific steps, not platitudes about backups. How often are backups tested with actual restores? What’s the recovery time objective (RTO) they commit to? Do they maintain runbooks for your environment, or are they figuring it out in real time during a crisis? A provider with strong documentation can show you the playbook. A provider without it will talk in generalities about “getting you back up quickly.”
The thread connecting all three is documentation. A well-run MSP documents everything: network topology, standard operating procedures, escalation workflows, and recovery runbooks. That documentation isn’t just operational insurance for them. It’s your insurance that you’re never locked into a provider because they’re the only ones who know how your environment works.
References: What to Actually Ask
Every MSP will give you references, and every reference will say positive things, because that’s how references work. The value is in what you ask. Skip “are you happy with them?” and focus on specifics:
- “Describe a time something went seriously wrong. How did they handle it?”
- “How long did onboarding take, and what surprised you about the process?”
- “Have you ever had trouble getting information about your own environment?”
- “If you could change one thing about working with them, what would it be?”
These questions surface real experiences instead of rehearsed satisfaction statements. Pay attention to hesitation or vague answers. A reference who can describe a specific incident and how the MSP resolved it is far more valuable than one who just says “they’re great.”
Visit Their Office
This one gets overlooked, but it matters. Ask to visit your MSP candidate’s office. If they don’t have a physical office, that tells you something about their investment in the business. If they do, the visit tells you even more.
A well-run MSP office shows investment in the business: organized workspaces, a visible NOC or SOC if they claim to operate one, and staff who look like they’re actually working on client environments. You don’t need a Fortune 500 campus, but you should see evidence that this is a real operation with infrastructure behind it, not a handful of remote contractors working from their couches.
The office visit also lets you meet the team who will actually support your business. If the people you meet during the sales process disappear after the contract is signed, that’s a pattern worth catching early. Ask to meet your account manager, the help desk lead, and at least one engineer. The quality of those conversations will tell you more than any slide deck.
Putting the Checklist to Work
Print this list. Bring it to every MSP evaluation. A confident provider will welcome the scrutiny because they’ve already built their operation around these standards. A provider who deflects, delays, or gets defensive when you ask for specifics is showing you how they’ll behave when you’re a client.
The goal isn’t to find a perfect provider. It’s to find one whose strengths align with your needs and whose weaknesses are ones you can live with. Every MSP has tradeoffs. The honest ones will tell you about them upfront. For more context on when outsourcing your IT makes sense, check out “7 signs it’s time to outsource your IT services.”