What We Would Look for If We Were Hiring an MSP
An MSP shares what it would actually prioritize when evaluating a managed IT provider, from onboarding questions to contract red flags.

We get asked some version of this question at least once a month: “If you weren’t an MSP, how would you pick one?” It’s a fair question. After 20+ years working in enterprise and government IT before building a managed IT practice, we’ve seen what good providers do, what bad ones hide, and where the gap between marketing and reality gets widest.
We’ve published a detailed MSP evaluation checklist with specific questions to ask during the sales process. This post takes a different angle. Instead of a checklist format, we’re sharing the evaluation framework we would use if we were on the other side of the table, along with the reasoning behind each priority.
Ask for Proof, Not Promises
Every MSP will tell you they offer proactive monitoring, fast response times, and strategic guidance. Those claims are meaningless without evidence. If we were evaluating a provider, the first three things we’d request are a sample quarterly business review (QBR) deck, a 90-day patch compliance report, and a copy of their onboarding timeline.
The QBR deck tells you how they think about the relationship. A provider that runs real QBRs will have a standard format showing ticket trends, security posture changes, project status, and upcoming recommendations. If they can’t produce a redacted sample, they probably don’t run QBRs at all. That means you’ll never get a structured conversation about where your IT stands or where it needs to go. We’ve written about why this strategic planning function matters and what it actually delivers. If your MSP doesn’t offer it, you’re paying for maintenance without direction.
The patch compliance report reveals operational discipline. Patching isn’t exciting, but it’s the single most impactful security practice for SMBs. According to CISA, known vulnerabilities with available patches remain the primary initial access vector for ransomware. A provider that tracks patch compliance across your environment and reports on it regularly is doing the unglamorous work that prevents breaches. A provider that can’t show you this data is likely not tracking it, which means patches are being missed.
The onboarding timeline reveals process maturity. We’ve documented what our own first 30 days look like because we think transparency about the process matters. A provider with a structured onboarding plan, broken into discovery, deployment, and optimization phases, has done this enough times to know what works. A provider who says “we’ll take over by Monday” either hasn’t done many transitions or is telling you what you want to hear.
The Difference Between a Partner and a Ticket-Taker
This is the distinction that matters most and the one that’s hardest to evaluate during a sales process. A ticket-taker waits for something to break, fixes it, and closes the ticket. A strategic partner identifies risks before they cause downtime, plans infrastructure changes around your business calendar, and brings recommendations to leadership meetings.
The clearest signal is whether the MSP assigns a dedicated virtual CIO or technology advisor to your account. This is the person who bridges IT operations and business strategy. They should be reviewing your technology spend quarterly, maintaining a forward-looking roadmap, and advocating for changes that align with where your business is heading. If there’s no one filling this role, your MSP is managing your infrastructure but not leading your technology.
Another signal: how the MSP talks about your environment during the sales process. A ticket-taker will focus on seat counts and monthly pricing. A strategic partner will ask about your growth plans, your compliance obligations, your risk tolerance, and how technology fits into your competitive position. The depth of their discovery questions mirrors the depth of the relationship you’ll get.
We’d also pay attention to how they handle disagreements. A good MSP will push back when you’re about to make a decision that creates risk. If a provider agrees with everything you say during the sales process, they’ll agree with everything you say after the contract is signed, including the bad ideas that nobody challenges.
Does the MSP Practice What They Preach?
This is the question most buyers never think to ask, and it’s one of the most revealing. Does the MSP apply the same security and operational standards to their own business that they recommend to clients?
Specifically, we’d want to know whether the MSP has a SOC 2 Type II attestation report or is working toward one. Do they carry cyber insurance, and what does the policy cover? What endpoint detection and response tool runs on their own workstations? Do their employees go through the same security awareness training they recommend to clients?
A provider who recommends SentinelOne for your endpoints but runs basic antivirus on their own machines isn’t confident in what they sell. A provider who insists on MFA for your team but hasn’t enforced it internally has a credibility gap. A provider without cyber insurance is asking you to trust them with your data while being unwilling to insure their own liability.
This principle extends to operational practices too. If the MSP recommends documented disaster recovery plans for your business, ask to see theirs. If they sell SOC monitoring as essential, ask whether their own infrastructure is monitored around the clock. The answers reveal whether their recommendations come from conviction or from a services catalog.
What Real 24/7 Support Actually Looks Like
Every MSP claims 24/7 support. Few deliver it. The gap between “we have an after-hours number” and “we have trained engineers monitoring your environment around the clock” is enormous, and it only becomes visible during an actual incident.
If we were evaluating a provider, we’d ask three specific questions about after-hours support. First, who answers the phone at 2 AM on a Saturday: a member of their technical team or a third-party answering service? Second, does the person who answers have access to your environment documentation and the authority to take action, or do they just log a ticket for the morning shift? Third, what’s their average after-hours response time over the past 90 days, and can they prove it with data?
An answering service that takes your name and promises a callback is not 24/7 support. It’s a voicemail with a human voice. Real 24/7 operations mean analysts are actively watching dashboards, triaging alerts, and responding to incidents in real time regardless of the hour. The staffing model behind that commitment is expensive, which is one reason so many providers fake it. Ransomware deployments overwhelmingly happen on Friday nights, weekends, and holidays because attackers know when coverage drops off. If your MSP’s 2 AM plan is “we’ll call someone in,” you need to know how long that actually takes.
Contract Terms That Should Make You Nervous
MSP contracts contain terms that can lock you in, make it expensive to leave, or create pressure the provider can use against you. If we were signing with a provider, we’d read the contract more carefully than the marketing materials.
Auto-renewal with narrow cancellation windows. Some contracts automatically renew for a full year unless you give written notice 60 or 90 days before the renewal date. That window is easy to miss, and it locks you in for another cycle even if you’re unhappy with the service.
Unclear data ownership and offboarding. When the contract ends, who owns the documentation the MSP created? Do they hand over network diagrams, passwords, and configuration records, or do those “belong to the provider”? How long does the transition period last, and what does it cost? A provider who makes it difficult to leave is a provider who expects you to want to.
Vague scope definitions. “Unlimited support” rarely means unlimited. Read the fine print on what’s included in the monthly fee versus what gets billed as a project. The most common complaint from businesses switching MSPs is discovering that half the work they assumed was covered required additional charges.
No written SLAs. If response time commitments aren’t in the contract, they don’t exist. Verbal promises during the sales process have no enforcement mechanism. Every provider sounds great during the sales cycle. The contract is where you find out what they’re actually willing to commit to.
Why the Cheapest Option Costs the Most
When you’re comparing MSP proposals, the lowest bid is almost always the one cutting the most corners. Managed IT requires specific staffing levels, tooling costs, and operational overhead that can’t be eliminated without reducing service quality. A provider significantly undercutting the market is either understaffing their service desk, using lower-quality security tools, skipping strategic planning functions, or planning to make up the difference with project fees that aren’t in the base quote.
The math works like this. An MSP that charges 30% less but takes twice as long to resolve tickets costs you more in lost productivity than you saved on the invoice. A provider that skips enterprise endpoint protection or deploys a consumer-grade tool saves on licensing but leaves you exposed to threats that a proper EDR solution would catch. A provider without a vCIO function saves on headcount but never identifies the infrastructure problem that eventually causes a six-figure outage.
The real cost of staying with an underperforming provider accumulates in categories that don’t show up on the MSP invoice: unpatched systems, compliance gaps, missed optimization opportunities, and security incidents that could have been prevented. When you’re evaluating proposals, throw out the lowest and highest bids. Then evaluate the remaining providers on the criteria above, not on price. The right MSP should be an investment that pays for itself through reduced risk and technology that actively supports where your business is heading.