You Are About to Hand Someone the Keys to Your Business. Do You Know What to Ask?
Every business owner eventually faces the same decision. Your “IT guy” just retired. Your company has grown past the point where Karen in accounting can handle the network. Or maybe you just realized that the break-fix shop you have been calling charges you $200 every time a printer jams and has never once told you that your backups do not work.
Whatever brought you here, you are now shopping for a managed services provider. And you are about to discover that every MSP looks the same on a website. They all promise “proactive support,” “enterprise-grade security,” and “a strategic partnership.” The words are identical. The delivery is not.
I have spent over 20 years advising MSPs and the business owners who hire them. The providers who earn trust do not look the way most buyers expect. The questions below are how you tell the difference.
Why Most MSPs Look the Same (and Why That Is a Problem)
The MSP market is crowded and getting more competitive by the quarter. Kaseya’s 2026 State of the MSP Report found that 71 percent of MSPs now say acquiring new customers is their biggest business challenge.[1] That means you are hearing from more providers than ever, all making similar promises.
The numbers get more specific. The share of customers spending $25,000 or more annually fell from 75 percent to 41 percent year over year.[1] Deal sizes are compressing. Providers are competing harder for each dollar. And in a crowded market, the temptation to promise everything and define nothing is real.
Meanwhile, the market is shifting under your feet. According to ScalePad’s 2026 MSP Trends Report, which surveyed more than 1,100 providers across North America, 60 percent of MSPs now have a formal Customer Success program, but the other 40 percent are still figuring it out.[2] The providers investing in that infrastructure will serve you better. The ones who are not will leave you chasing them for updates.
So how do you sort the competent from the comet-wavers? You ask questions they do not expect, and you watch how they answer.
11 Questions That Separate a Real MSP from a Pretender
1. “Can you show me your onboarding process, not as a sales deck, but as a documented workflow?”
A structured onboarding process is the first real test. The right answer involves a defined sequence: network documentation, security baseline assessment, credential inventory, backup verification, and a 30-60-90 day stabilization plan. If the answer is “we will get you set up within a few weeks,” keep looking. According to the research from MSPs who track onboarding rigor, clients who go through a formal onboarding process have measurably better retention and satisfaction scores than those who do not.[2]
2. “How do you document what you do for my network, and can I see a sample?”
Documentation is not optional. It is the invisible engine that keeps an MSP from collapsing when a technician leaves. If your provider cannot show you a password repository, a network diagram, or a sample knowledge base entry, they do not have a system. They have a guy with a notebook. That notebook walks out the door when he does.
3. “What does your security baseline include as mandatory for every client?”
There is a right answer, and it is specific. At minimum, it should include endpoint detection and response on every device, multi-factor authentication everywhere, managed patch management, email security filtering, and monitored backups with tested recovery. If an MSP tells you they “recommend” security but do not require it, they are accepting risk on your behalf without telling you. The best providers do not give you the option to skip security. They make it the foundation of the engagement.
4. “How do you handle my backups, and when was the last time you tested a recovery?”
Backing up data and recovering from a backup are two entirely different things. One is an automated job. The other requires testing. A competent MSP performs regular recovery tests, not once a year, but on a documented schedule. If your provider hesitates on this question, your backups are theoretical. And theoretical backups have saved exactly zero businesses.
5. “What is your average response time, and how do you measure it?”
Pay attention to the difference between “response time” and “resolution time.” Response is how fast they acknowledge you. Resolution is how fast they fix the problem. A provider that conflates the two is playing a numbers game. Ask for specifics. What is the SLA for critical issues? For non-critical? What happens if they miss it? Is there any consequence, or is the SLA just a marketing bullet point?
6. “Who will actually be supporting my account day to day?”
There is a pattern in the MSP industry: the salesperson who wins the deal is not the team that delivers the work. That is not inherently dishonest, but you should know the answer before you sign. Ask for names. Ask for experience levels. Ask how many accounts each technician is responsible for. A technician carrying 80 to 100 tickets a day does not have time for proactive work. They are in survival mode.
7. “Can you provide a sample report, not a template, but a real report from an existing client?”
Monthly reports should tell you what happened, what it means, and what is coming next. They should include ticket volumes, patching status, security findings, backup health, and upcoming project or lifecycle recommendations. If the sample report is a pretty dashboard with no narrative, you are looking at a provider that values appearance over insight. Data without context is not a report. It is noise.
8. “How do you handle technology recommendations, and do you have vendor relationships that influence your guidance?”
This is where trust lives or dies. Some MSPs recommend the solution that pays them the highest margin, not the one that fits your business. That is not always wrong. They have to make a living. But you deserve to know the incentive structure. A provider willing to have an honest conversation about vendor compensation is a provider you can trust. One that insists “we are completely vendor-neutral” and refuses to discuss it further is hiding something.
9. “What is your offboarding process if we part ways?”
A provider that cannot tell you how they will exit the relationship is a provider that plans to trap you. A clean, documented offboarding process includes the return of all credentials, the transfer of all documentation, a transition timeline, and a clear policy on data retention and deletion. If an MSP requires a 36-month contract with a 50 percent early termination penalty, ask hard questions about why their retention depends on legal obligation rather than service quality.[3]
10. “How do you stay current on emerging risks, and when was the last time you brought a risk to a client before the client had to ask?”
This question separates reactive from proactive. A reactive provider fixes things after they break. A proactive provider calls you and says, “Here is a vulnerability we found, here is what we recommend, and here is why it matters to your business.” If every conversation you have had with your current IT provider starts with a problem you reported, you have a reactive provider. No matter what the brochure claims.
11. “Can you tell me about a time you told a client something the client did not want to hear?”
MSPs earn their fees by telling the truth before the truth becomes expensive. That means sometimes telling a client that the 10-year-old server needs replacing, that the cloud migration budget was too low, or that the security incident was caused by a password on a Post-it note. If the provider cannot share a specific example, not a sanitized marketing story, but a real one, they have never had the kind of relationship you should want. You do not need a provider who says yes. You need one who tells you the truth and then helps you act on it.
The Table-Stakes Checklist
Eleven questions can feel like a lot. If you only walk away with a short list, here is the minimum baseline every credible MSP should meet on day one:
| What to Check | Why It Matters |
|---|---|
| Formal, documented onboarding process | Sets expectations and catches issues before they become emergencies |
| EDR on every endpoint, MFA everywhere | Non-negotiable security foundation in 2026 |
| Documented backup with tested recovery | Untested backups are not backups |
| Named support team with manageable account loads | Prevents survival-mode service delivery |
| Sample monthly report with narrative context | Proves they measure and communicate what matters |
| Documented offboarding and transition process | Ensures you are never trapped, only committed |
| Proactive risk identification, not just reactive fixes | The whole point of managed services is preventing fires |
What Most Buyers Get Wrong
Here is what I see business owners get wrong when shopping for MSPs.
They shop on price first. The cheapest bid should give you pause, not relief. MSP pricing varies for a reason. Full managed IT, including security, monitoring, backup, patching, help desk, and strategic guidance, typically runs between $100 and $250 per user per month, depending on the scope and tools included.[4] If a provider is quoting half that number, ask what is missing. It is usually the things that keep you safe at 2 AM.
They accept vague answers because the provider seemed confident. Confidence is a sales skill. Competence shows up in documentation, in specifics, and in the willingness to say “I do not know, but I will find out.” A provider who has a precise answer about their security baseline, their onboarding workflow, and their recovery testing schedule is further along than one who says everything you want to hear in broad strokes.
They treat the decision as a commodity purchase. IT support is not a commodity any more than legal counsel is. You are choosing a partner who will have administrator access to your systems, your data, and your email. That is a trust relationship. Treat it with the gravity it deserves.
Frequently Asked Questions
How much should I expect to pay for managed IT services?
Per-user pricing typically ranges from $100 to $250 per user per month for comprehensive managed IT that includes security, monitoring, patching, backups, and help desk support. Per-device pricing varies widely from $30 to $200 per device depending on device type and management depth. The right number for your business depends on complexity, compliance requirements, and how strategic the relationship needs to be.[4]
Should I avoid long-term contracts?
Not necessarily, but approach every contract with caution around termination terms. A provider that requires 36 months with steep early termination penalties may be relying on legal lock-in rather than service quality. Look for agreements with 12-month terms, 30- to 60-day termination-for-convenience clauses, and clear offboarding procedures. The contract should protect both sides, not just theirs.[5]
What if I already have an internal IT person?
That changes the conversation. You may not need full managed services. You may need co-managed IT, a model where the MSP augments your existing staff, handles after-hours support, provides security layers your internal person lacks bandwidth for, or covers gaps during vacations and transitions. Many competent MSPs offer both models. The evaluation criteria above still apply, whether you are replacing or augmenting.
How do I verify an MSP’s security claims?
Ask for evidence. A SOC 2 Type II report is a strong signal. It means an independent auditor verified their security controls. Ask about their own internal security practices. Do they use the same tools they deploy for clients? Do they have a security team or a designated security lead? Can they share examples of how they have handled previous client security incidents? A provider who takes security seriously will have answers ready.
About Brent Lacy: Brent Lacy is the author of Rewired MSP: Mastery, Scalability and Performance, vCIO Rewired: Virtually Conquering IT Obstacles, and Near Miss: Preventable IT Failures Threatening Your Business Security. With over 20 years in the managed services industry, Brent writes about the operational discipline, trust-based relationships, and strategic thinking that separate MSPs built to last from those built to bill.
Related Articles:
