MSSP Evaluation Checklist: 15 Questions to Ask Before You Renew
15 critical questions to ask your managed security provider before renewing. Covers SLAs, SOC operations, compliance support, and more.

Your managed security contract is coming up for renewal, and the easiest thing to do is sign for another year. But “easy” and “smart” aren’t the same thing. The cybersecurity provider that was a good fit 18 months ago may not be keeping pace with your business, your compliance requirements, or the threats targeting your industry right now.
Before you renew, run your current provider through these 15 questions. Their answers will tell you whether you’re getting real protection or paying for a false sense of security.
Response Times and SLAs
1. What is your mean time to detect and mean time to respond, and can you prove it?
Any provider can promise “fast response.” Fewer can show you the data. Ask for actual MTTD and MTTR metrics from the last 12 months, not marketing claims from a sales deck. A strong MSSP should be detecting threats in minutes and responding within the hour for critical incidents. If they can’t produce these numbers, they probably aren’t tracking them, which tells you something about their operational maturity.
2. How do you handle after-hours and weekend incidents?
A SOC that operates only during business hours leaves your business exposed during the 128 hours per week when nobody is watching. Attackers know this. Ransomware deployments overwhelmingly happen on Friday nights, weekends, and holidays. If your provider’s after-hours plan is “we’ll call someone in,” you need to understand how long that actually takes and what happens to alerts in the gap.
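One way to check questions 1 and 2 against a provider's own incident export rather than their summary slide, as an added example that is not from the original post or any provider: the script below computes MTTD and MTTR per incident, splits the averages into business hours versus after hours, and counts SLA breaches. The incident rows and the SLA thresholds (15 minutes to detect, 60 minutes to respond for critical) are constructed assumptions; substitute your contract's figures.

```python
from datetime import datetime
from statistics import mean

# Constructed sample incident records, not real provider data. Each row:
# (severity, first_evidence_ts, alert_ts, response_ts) in ISO-8601 UTC.
# first_evidence_ts: malicious activity first visible in telemetry;
# alert_ts: SOC raised the alert; response_ts: a human acted on it.
INCIDENTS = [
    ("critical", "2024-03-05T10:02:00", "2024-03-05T10:06:00", "2024-03-05T10:30:00"),  # Tue, business hours
    ("critical", "2024-03-08T23:10:00", "2024-03-08T23:18:00", "2024-03-09T00:55:00"),  # Fri night
    ("critical", "2024-03-16T14:00:00", "2024-03-16T14:25:00", "2024-03-16T16:40:00"),  # Sat afternoon
    ("high",     "2024-03-12T15:30:00", "2024-03-12T15:34:00", "2024-03-12T16:00:00"),  # Tue, business hours
    ("high",     "2024-03-23T03:00:00", "2024-03-23T03:45:00", "2024-03-23T07:30:00"),  # Sat 3 AM
]

# Assumed SLA thresholds (the post only says "minutes" and "within the hour").
SLA_DETECT_MIN = 15
SLA_RESPOND_CRITICAL_MIN = 60

def parse_ts(s):
    return datetime.fromisoformat(s)

def is_after_hours(ts, start_hour=8, end_hour=18):
    """True on weekends or outside start_hour..end_hour: the ~128 h/week a business-hours SOC leaves uncovered."""
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)

def metrics(incidents):
    """Return MTTD/MTTR in minutes for business-hours and after-hours incidents, plus SLA breach counts."""
    buckets = {"business_hours": [], "after_hours": []}
    breaches = {"detect": 0, "respond_critical": 0}
    for sev, seen, alerted, responded in incidents:
        seen_t, alert_t, resp_t = parse_ts(seen), parse_ts(alerted), parse_ts(responded)
        ttd = (alert_t - seen_t).total_seconds() / 60   # time to detect
        ttr = (resp_t - alert_t).total_seconds() / 60   # time to respond
        key = "after_hours" if is_after_hours(seen_t) else "business_hours"
        buckets[key].append((ttd, ttr))
        if ttd > SLA_DETECT_MIN:
            breaches["detect"] += 1
        if sev == "critical" and ttr > SLA_RESPOND_CRITICAL_MIN:
            breaches["respond_critical"] += 1
    out = {}
    for key, rows in buckets.items():
        out[key] = {
            "count": len(rows),
            "mttd_min": round(mean(r[0] for r in rows), 1) if rows else None,
            "mttr_min": round(mean(r[1] for r in rows), 1) if rows else None,
        }
    out["breaches"] = breaches
    return out

if __name__ == "__main__":
    for section, values in metrics(INCIDENTS).items():
        print(section, values)
```

On the constructed sample the overall averages look acceptable, but the after-hours bucket shows MTTD and MTTR several times worse than business hours, which is exactly the gap question 2 is meant to surface.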
3. What is the escalation path when a critical alert fires at 2 AM?
This question separates real 24/7 SOC operations from providers who route after-hours alerts to an on-call technician’s phone. You want a defined escalation path: analyst triages, senior analyst validates, incident commander engages, your team gets notified with context and recommended actions. If the answer is vague, the process probably is too.
SOC Capabilities and Technology Stack
4. What EDR platform do you deploy, and do your analysts actually use it for threat hunting?
There is a significant difference between deploying SentinelOne or a comparable EDR tool and actually using it to its full capability. Some providers install the agent and let it run on autopilot. Others have analysts actively hunting for indicators of compromise, tuning detection rules, and investigating anomalies that automated systems miss. Ask which one your provider does, and ask for examples.
5. Do you operate your own SIEM, or are you reselling a vendor’s managed platform?
This matters because it determines how much control your provider has over detection logic. A provider running their own SIEM can write custom correlation rules for your environment, tune out noise that’s specific to your tech stack, and adapt quickly when new threat intelligence emerges. A provider reselling a vendor platform is often limited to whatever that vendor ships out of the box.
6. What does your firewall management actually include?
If your provider manages Fortinet or another next-gen firewall platform, ask what “management” means in practice. Does it include rule reviews, firmware updates, VPN troubleshooting, and policy optimization? Or does it just mean they’ll log in if something breaks? Firewall management should be proactive. If your provider isn’t reviewing your rule base quarterly, misconfigurations are accumulating.
7. How do you protect email beyond basic spam filtering?
Email remains the primary attack vector for business email compromise, credential phishing, and ransomware delivery. Ask whether your provider deploys advanced email security like Proofpoint with features such as impersonation detection, URL rewriting, and attachment sandboxing. Basic spam filtering is table stakes; it won’t stop a targeted phishing campaign built with AI-generated content.
Compliance and Regulatory Support
8. Which compliance frameworks do you actively support, and what does “support” mean?
There is a wide gap between a provider that says “we help with HIPAA” and one that maintains your risk assessment documentation, maps your technical controls to specific regulatory requirements, and walks you through audit preparation. If your business operates under HIPAA, CMMC, PCI DSS, or SOC 2, your provider should be able to describe exactly what they deliver for each framework, not just list acronyms.
9. How do you help us prepare for compliance audits?
A strong security partner generates the evidence you need before the auditor asks for it: access logs, patch compliance reports, incident response documentation, vulnerability scan results, and policy attestations. If your provider scrambles to pull reports when audit season arrives, that’s a sign they aren’t building compliance into their daily operations.
Incident Response
10. Walk me through what happens in the first 48 hours after a confirmed breach.
This is the question that reveals operational depth. You want specifics: containment procedures, forensic preservation, communication protocols, coordination with cyber insurance carriers, and regulatory notification timelines. A provider with a mature incident response capability will describe this confidently and in detail. One that hasn’t been tested will give you generalities.
11. Do you coordinate directly with our cyber insurance carrier during a claim?
Many business owners discover after an incident that their security provider and their insurance carrier have never communicated. Your MSSP should understand your policy’s requirements, maintain documentation that supports claims, and be prepared to work directly with the carrier’s breach counsel and forensics team. This coordination can make the difference between a covered claim and a denied one.
Reporting, Visibility, and Strategic Guidance
12. What reporting do we receive, and can we access our security data in real time?
Monthly PDF reports that nobody reads aren’t visibility. Ask whether you get access to a live dashboard showing alert volumes, threat trends, endpoint health, and compliance posture. Ask whether reports include plain-language executive summaries that you can bring to a board meeting, not just raw data dumps formatted for engineers.
13. Do you provide vCISO or strategic security advisory services?
A managed security provider should do more than block threats. They should help you make informed decisions about security investments, risk tolerance, and technology roadmap. A virtual CISO engagement means someone is reviewing your security posture quarterly, aligning your controls with business objectives, and advising on emerging risks before they become incidents. If your provider only talks to you when something breaks, you’re missing the strategic layer.
Onboarding, Contracts, and Flexibility
14. What does your onboarding process look like, and how long does the transition take?
Switching providers feels daunting, which is exactly why some MSSPs make it hard to leave. Ask prospective providers to walk you through their onboarding timeline, including how they handle migration from tools like ConnectWise, asset discovery, baseline configuration, and integration with your existing tech stack. A provider confident in their service will make onboarding straightforward because they know retention comes from results, not lock-in.
15. What are the contract terms, and what happens if we need to scale up or down?
Multi-year contracts with steep early termination fees are a red flag. Your business changes. Your headcount fluctuates. You acquire companies or spin off divisions. Your security provider should be able to accommodate that growth and contraction without punishing you for it. Ask about contract length, termination clauses, and how pricing adjusts when your environment changes.
How to Use This Checklist
Print these questions out or pull them up on a screen during your next provider review meeting. Score each answer on a simple scale: the provider exceeds expectations, meets expectations, or falls short. Any question where your provider falls short is a gap worth investigating further.
Pay special attention to clusters. If your provider scores well on technology but poorly on compliance support and strategic guidance, you may be working with a tool vendor rather than a security partner. If response times and SOC capabilities are weak, you’re carrying more risk than you realize.
If you’re also evaluating whether your current provider’s approach still makes sense given your growth, the post on the real cost of switching IT providers breaks down what that transition actually involves. And if your provider is stacking point solutions from different vendors without a unified strategy, read about why a full security stack matters more than any single tool.
The Renewal Decision
Renewing a security contract without evaluating your provider is like renewing an insurance policy without reading the coverage. You might be fine. You might also be paying for protection you’re not actually getting.
The 15 questions above aren’t designed to trick anyone. They’re designed to give you clarity about whether your current MSSP is operating at the level your business requires. If your provider answers all of them confidently, with specifics and evidence, you’ve probably found a good partner. If the answers are vague, defensive, or full of qualifiers, that’s the information you need before you sign for another year.