Finding good IT support for your small business is genuinely difficult. MSPs all use the same language: proactive, 24/7 support, business-aligned IT strategy. The brochures look the same. The demos feel the same. And the price differences seem arbitrary.
Until something goes wrong. Then the differences become very clear, very fast.
This guide gives you the full framework for evaluating MSPs before you're locked in — the same process that works whether you're choosing your first managed IT provider or replacing one that let you down.
For the deep-dive version of everything in this guide, see the full MSP Evaluation Guide — including a downloadable scorecard and proposal scoring matrix.
Step 1: Know What You Need Before You Talk to Anyone
Most business owners walk into MSP conversations without a clear picture of their own environment. This creates two problems: you can't evaluate whether a provider has real experience with businesses like yours, and you end up with proposals that don't quote the same scope — making comparison impossible.
Before you contact any MSP, document your current state:
- User count and growth trajectory. How many users now, and where will you be in 18 months? An MSP who is well-staffed for 30 users may not be able to handle 75.
- Device inventory. Workstations (Windows/Mac), servers (on-premise/cloud), mobile devices, and network equipment. Be specific about age and OS versions.
- Software stack. Line-of-business applications, ERP/CRM, industry-specific software (EHR, legal practice management, accounting software). These need specific expertise, not generic helpdesk skills.
- Cloud vs. on-premise. Are you on Microsoft 365 or Google Workspace? Do you have on-premise servers that need physical maintenance? Are you in the middle of or planning a cloud migration?
- Compliance requirements. HIPAA, GLBA, CMMC, PCI-DSS, SOC 2, CCPA — list all that apply. This narrows the field significantly and affects price.
- Current pain points. What specifically is broken or inadequate about your current IT situation? This becomes the scoreboard for evaluating proposals.
Use the free IT RFP Generator to structure this into a document you can send to every provider. It ensures you're comparing apples to apples — not the cheapest proposal against the most comprehensive one.
Step 2: Building Your Shortlist (Where to Find Candidates)
Where most businesses go wrong: they evaluate whoever calls them, or pick the three companies on the first page of Google results without any vetting criteria. You want 3–4 candidates who already meet the minimum bar — not 10 to sort through.
The most reliable sources for candidates:
- Industry association referrals. Your healthcare association, bar association, or trade group likely has IT vendor partners. These providers have specifically marketed to your industry — which usually means relevant experience.
- Peer referrals in your vertical. Ask the three most tech-sophisticated businesses you know in your industry who they use. One specific recommendation from a peer who understands your environment is worth more than any review site.
- Vendor referrals. Your EHR vendor, practice management software, or legal software company often has a preferred MSP program. These providers have already been vetted for compatibility with your core software.
- Matching services. Services like SerenIT match businesses to MSPs based on industry, size, and compliance requirements — removing the cold-search problem.
Minimum requirements before a provider makes your shortlist: at least three verifiable clients in your industry, experience serving businesses your size, and the ability to meet your compliance requirements. Confirm all three before the first conversation; don't put anyone on the shortlist who doesn't meet them.
Step 3: SLA Requirements — What the Numbers Should Actually Be
Every MSP will tell you they're responsive. SLAs are where that claim either gets backed up or quietly avoided.
A credible MSP SLA defines response time by severity, with contractual remedies for violations:
- P1 — Critical (complete outage, data breach, ransomware): Response within 15–30 minutes, remediation beginning within 1 hour, and continuous work until resolved. These should be rare.
- P2 — High (significant impact to multiple users, major function down): Response within 1–2 hours, same-business-day resolution target.
- P3 — Medium (single user affected, workaround available): Response within 4 hours, next business day resolution.
- P4 — Low (minor issue, no productivity impact): Response within 1 business day, 3–5 business day resolution.
The most important question: "What is the contractual remedy if you miss a P1 SLA?" A provider who has a real SLA will answer with a specific credit or refund formula. A provider who hedges, says "we take it very seriously," or claims they never miss their SLAs is telling you there's no consequence — which means the SLA is decoration.
Also ask about after-hours coverage: do they have dedicated staff on-call 24/7, or does after-hours coverage mean your ticket sits until 8am? For a medical practice, a law firm, or a manufacturer on second shift, this distinction matters enormously.
Read the full SLA deep-dive in the MSP Evaluation Guide — including example contract language for SLA remedies.
Step 4: Understanding MSP Pricing Models
MSP pricing is not as simple as "per user per month." Most providers use one of several models, and understanding which one you're buying matters for total cost comparison.
Per-user pricing is the most common for small and mid-size businesses. You pay a flat monthly rate per user regardless of how many tickets they generate. This is predictable and aligns the MSP's incentives with preventing problems — they don't make more money when something breaks.
Per-device pricing charges per managed device: workstations, servers, firewalls. It's common for businesses with a high device-to-user ratio (manufacturing, healthcare). Watch for device definitions — some MSPs count mobile phones separately, some don't.
All-inclusive vs. tiered pricing is the major differentiator. All-inclusive means every service is in the base rate. Tiered pricing has a base rate plus add-ons (advanced security, compliance tools, additional storage, after-hours coverage). Tiered proposals almost always look cheaper in comparison — until you add the required add-ons back in.
Typical 2026 ranges for managed IT:
- Small business (under 25 users): $100–$175/user/month all-inclusive
- Mid-size (25–100 users): $85–$150/user/month all-inclusive
- Healthcare/compliance: add $25–$75/user/month over standard rates
- Co-managed IT (supporting internal IT staff): $40–$80/user/month
For a full breakdown of what's included vs. extra-cost, see the MSP Pricing Guide.
Step 5: Comparing Security Stacks
The cheapest MSP proposal is almost always cheap because the security stack has been stripped out. This is the single most common way businesses get deceived in MSP shopping — they compare the monthly rate and miss that the security tools that would have prevented a ransomware attack aren't included.
The security components that should be included in any credible MSP's base offering in 2026:
- EDR (Endpoint Detection and Response) — not standard antivirus. Real EDR detects and isolates threats in progress; signature-based antivirus only catches malware it already knows.
- Email security and phishing filtering — Microsoft 365 Defender or equivalent. Basic M365 email security is insufficient alone.
- MFA enforcement — on Microsoft 365, VPN, and any cloud systems with business data. If MFA is "optional" or "user-configured," it won't be used consistently.
- Managed backup with tested restores — not just backup enabled. The MSP should be able to tell you the last time they tested a restore and what the RTO was.
- Patch management with defined SLA — critical security patches applied within 24–48 hours of release; standard patches on a defined monthly cycle.
- DNS filtering — blocks malicious domains before a connection is made. Cheap but highly effective.
Ask specifically about what is NOT included. Common upcharges to watch for: dark web monitoring, SIEM, security awareness training, advanced email filtering, mobile device management (MDM), and compliance-specific tools. If these are extra-cost, factor them into your total comparison.
Step 6: Who Actually Does the Work
Some MSPs are primarily sales organizations who subcontract technical work — sometimes offshore, sometimes to a partner network, sometimes to a rotating pool of contractors. The branding and sales experience belong to the MSP you're signing with; the actual IT work is done by someone else.
Ask these questions directly:
- "Who are the specific technicians who will work on our account day-to-day?"
- "Are they employees or contractors?"
- "Where are they based?"
- "What is your client-to-technician ratio across your account portfolio?"
A healthy client-to-technician ratio is under 80:1. Above 100:1 and you will feel it in ticket response times. Anything higher than 120:1 is a warning sign that the MSP has over-sold their capacity.
Also ask about named account management: will you have a dedicated account manager and primary engineer who knows your environment, or will a different tech answer every ticket? Businesses with complex environments — particularly regulated industries — benefit significantly from an assigned engineer who has context on your setup.
Step 7: Industry-Specific Requirements
IT requirements vary significantly by industry. A healthcare practice has HIPAA compliance obligations, EHR support requirements, and PHI encryption needs that a general MSP isn't equipped to handle. A law firm has different requirements: matter confidentiality, client file security, and sometimes bar association security rules. A defense contractor may need CMMC compliance. A financial firm has GLBA and possibly FINRA or SEC cybersecurity requirements.
The question to ask any MSP: "How many clients do you currently serve in our specific industry, and can you describe what's different about how you serve them vs. your general clients?"
If the answer is generic ("we've worked with a few healthcare clients"), probe further. If they can't describe your industry's specific compliance framework without looking it up, they don't have real experience in your vertical.
Industry-specific IT guides:
- Healthcare IT — HIPAA-compliant managed IT requirements
- Legal IT — law firm security and confidentiality requirements
- Financial services IT — GLBA, FINRA, and SEC requirements
- Government contractor IT — CMMC and DFARS compliance
- Manufacturing IT — OT/IT security and production uptime
- Accounting and tax IT — client data protection and seasonal capacity
Step 8: How to Run Reference Calls That Actually Tell You Something
Most reference calls are useless because the questions are too vague. "Have you been happy with them?" is not a reference check — it's a formality. Ask references these specific questions:
- "Describe the last time something went seriously wrong and how they responded."
- "What's their average ticket response time been in your actual experience vs. their SLA?"
- "Have you ever had a security incident? If so, how did they handle it?"
- "What would you change about the engagement if you were starting over?"
- "If a company exactly like yours was evaluating them today, what would you tell them?"
- "Has the quality of service changed over time — better or worse?"
Request references specifically from clients who have been with the MSP for at least 18 months (long enough for the honeymoon period to end) and who are in your industry. New clients and clients in different industries won't give you useful signal.
Step 9: Contract Red Flags to Look for Before Signing
The contract is where an MSP's actual relationship with clients lives — not the sales presentation. Read it carefully before signing, specifically looking for:
- Auto-renewal with long notice requirements. If the contract auto-renews for a full year and you must give 90 days' notice to cancel before renewal, missing the window locks you in for another year with no recourse.
- IP and documentation ownership. Do they own the configurations, documentation, scripts, and network diagrams they create for your environment? If so, you can't take that work product with you when you leave. Require ownership transfer on termination.
- Vague SLA language. "Best efforts," "reasonable response time," "industry standard" — these mean nothing. SLAs must have specific numeric commitments with defined remedies.
- License bundling. If your Microsoft 365 licenses are assigned to the MSP's tenant, your licenses are portable but your configuration and tenant may not be. Understand exactly what you own vs. what lives on their platform.
- Out-of-scope creep clauses. Contracts that define out-of-scope services broadly can result in extra charges for work you reasonably expected was included. Ask for a clear list of what's never included and what triggers a separate project invoice.
- Liability caps. Most MSP contracts cap their liability at one month's fees. That's fine for minor issues — but in a data breach scenario where downtime costs you hundreds of thousands of dollars, $5,000 in liability coverage is meaningless. Negotiate this if you're in a high-stakes compliance environment.
Use the IT Contract Scanner to flag red flags in the contract language before you sign.
Automatic Disqualifiers: Walk Away If You See These
Some things should end an evaluation immediately, regardless of how the rest of the proposal looks:
- No written SLA with defined response times. If they can't produce a specific SLA document during the sales process, they either don't have one or can't meet one. Either is a dealbreaker.
- Refusal to sign a BAA (business associate agreement) if you're in healthcare or financial services. This is a compliance violation in progress, not just a red flag.
- No after-hours coverage path. "Call the emergency line and someone will call you back" is not a coverage model. You need defined after-hours staffing with a guaranteed response time.
- Cannot provide references from companies your size in your industry. References are a basic deliverable. If they can't produce them, either their existing clients won't vouch for them or they don't have relevant experience.
- 3+ year contract with no performance exit clause. Any contract longer than 1 year should include an exit right if SLAs are missed for two consecutive months. If they won't add this, they know they can't hold their SLA consistently.
- License bundling that makes portability impossible. Your Microsoft 365 licenses, your email domain, your firewall configuration — these belong to you. Any MSP who structures the engagement so that switching means losing access to your own data is betting on lock-in as a retention strategy.
Step 10: What Good Onboarding Actually Looks Like
Onboarding is the period where most MSP relationships either succeed or start to fail. A good onboarding process takes 30–60 days and involves:
- Discovery and documentation. The MSP inventories all devices, software, user accounts, network equipment, and configurations. This should result in a documented network diagram and asset register that you own.
- Security baseline assessment. Before they touch anything, they assess your current security posture: patch status, MFA status, backup status, EDR coverage. This becomes the baseline for measuring improvement.
- Account and access setup. All users migrated into their RMM (remote monitoring and management) tool, helpdesk ticketing system set up, and escalation contacts defined.
- User communication. Your staff needs to know how to submit tickets, who to call for urgent issues, and what to expect from response times. This should be documented and communicated, not assumed.
- First security sweep. Patch backlog addressed, MFA enforced, backup verified, EDR deployed to all endpoints.
Ask any MSP you're evaluating for their onboarding documentation — a checklist or project plan for the first 60 days. If they don't have a structured onboarding process, the relationship will be chaotic from day one.
The First 90 Days: What Success Actually Looks Like
The first 90 days are a honeymoon period where most MSPs perform well because they're still actively trying to win your long-term loyalty. Use this time to establish the benchmarks you'll hold them to going forward:
- Demand a security baseline report by day 30. What was the patch status, backup status, and security exposure when they took over? What's been addressed? This documents the starting point and creates accountability.
- Track actual vs. contracted response times. Log every ticket, recording when it was opened and when the first response came. After 90 days you'll have real data on whether they're meeting their SLA.
- Request a 90-day business review. A good MSP does quarterly business reviews (QBRs) with a summary of tickets, trends, resolved issues, and upcoming recommendations. If they're not doing this proactively, ask for it.
- Test after-hours coverage. Within the first 60 days, call the after-hours line during off-hours (even with a non-critical question) to verify coverage actually works as described.
- Check backup restores. Ask to see a recent test restore — not just confirmation that backups are running. A backup that's never been tested is an assumption, not a guarantee.
If the relationship is failing to deliver on the basics in the first 90 days, escalate formally before the initial contract review period ends. Most MSP contracts have a 30-day termination right within the first 90 days; after that, you're locked into the contract term.
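The response-time tracking described above, scored against the P1–P4 targets from Step 3, can be turned into a simple SLA scorecard. This is an added example, not a tool from the page or the guide it links to; it assumes a constructed ticket log, wall-clock measurement for P1/P2 (after-hours coverage applies), and business hours of 09:00–17:00 Monday to Friday for P3/P4.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# First-response targets from Step 3, in minutes. P1/P2 are measured wall-clock
# (after-hours coverage must apply); P3/P4 in business hours, assumed 09:00-17:00 Mon-Fri.
RESPONSE_SLA_MINUTES = {"P1": 30, "P2": 120, "P3": 240, "P4": 480}
WALL_CLOCK_SEVERITIES = {"P1", "P2"}
OPEN_HOUR, CLOSE_HOUR = 9, 17
# Constructed sample ticket log: ticket_id,severity,opened,first_response (ISO 8601).
SAMPLE_TICKET_LOG = """
T-1001,P1,2026-03-02T10:00,2026-03-02T10:20
T-1002,P1,2026-03-06T22:10,2026-03-06T23:05
T-1004,P3,2026-03-04T16:30,2026-03-05T10:00
T-1005,P4,2026-03-06T15:00,2026-03-10T09:30
T-1006,P3,2026-03-05T09:00,2026-03-05T14:00
"""

@dataclass
class Ticket:
    ticket_id: str
    severity: str
    opened: datetime
    first_response: datetime

def parse_ticket_log(text: str) -> list:
    """Parse the comma-separated log above (one ticket per non-blank line)."""
    rows = (line.split(",") for line in text.strip().splitlines() if line.strip())
    return [Ticket(tid, sev, datetime.fromisoformat(o), datetime.fromisoformat(r))
            for tid, sev, o, r in rows]

def business_minutes(start: datetime, end: datetime) -> int:
    """Minutes between start and end that fall inside weekday business hours."""
    total, cursor = 0, start
    while cursor < end:
        day_open = cursor.replace(hour=OPEN_HOUR, minute=0, second=0, microsecond=0)
        day_close = cursor.replace(hour=CLOSE_HOUR, minute=0, second=0, microsecond=0)
        if cursor.weekday() < 5:  # Monday=0 .. Friday=4; weekends contribute nothing
            lo, hi = max(cursor, day_open), min(end, day_close)
            total += max(0, int((hi - lo).total_seconds() // 60))
        cursor = day_open + timedelta(days=1)  # jump to the next day's opening
    return total

def response_minutes(t: Ticket) -> int:
    """Time to first response, measured the way that severity's SLA is defined."""
    if t.severity in WALL_CLOCK_SEVERITIES:
        return int((t.first_response - t.opened).total_seconds() // 60)
    return business_minutes(t.opened, t.first_response)

def sla_report(tickets: list) -> dict:
    """Per severity: ticket count, IDs that missed the target, and worst response."""
    report = {}
    for t in tickets:
        mins = response_minutes(t)
        entry = report.setdefault(t.severity, {"tickets": 0, "missed": [], "worst_minutes": 0})
        entry["tickets"] += 1
        entry["worst_minutes"] = max(entry["worst_minutes"], mins)
        if mins > RESPONSE_SLA_MINUTES[t.severity]:
            entry["missed"].append(t.ticket_id)
    return report
```

Running `sla_report(parse_ticket_log(SAMPLE_TICKET_LOG))` flags the Friday-night P1 and the P4 that spanned a weekend, which is exactly the kind of evidence to bring to the 90-day review.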
Using the Full MSP Evaluation Framework
This guide covers the essential steps, but the full process — including an RFP template, a proposal scoring matrix, reference call scripts, and a contract negotiation checklist — is in the How to Evaluate an MSP guide.
The tools that support each step of this process:
- IT RFP Generator — define scope before any vendor call, get apples-to-apples proposals
- Vendor BS Detector — paste a proposal section and get plain-English red flags
- IT Contract Scanner — flag problematic clauses before you sign
- MSP Evaluation Check — if you're already with an MSP and wondering if they're delivering
- IT Budget Calculator — benchmark what you should be spending before you evaluate proposals
The best local IT support for your business isn't the cheapest or the most polished in the sales process — it's the one who treats your IT environment like a responsibility. That's a harder thing to evaluate from a brochure, which is exactly why the process above matters.
Not sure if your current provider is delivering?
The IT Sanity Check gives you an honest baseline in 7 questions — so you know whether you're actually protected or just paying a monthly invoice.