NOC LIVE · 24/7/365 ⬢ MICROSOFT PARTNER · MPN 3318934 📍 NASHVILLE TN · NATIONWIDE SERVICE ⚡ EST. 2003 · 23+ YEARS
IT Strategy

MSP Buyer's Guide.

A working engineer's guide to picking a managed service provider — the questions that actually matter, the red flags most buyers miss, and how pricing really works behind the marketing fluff.

By Maverick Endeavors Team · May 15, 2026 · 14 min read

TL;DR

Pick an MSP based on response-time SLAs in writing, vendor-agnostic recommendations, flat per-user pricing with no surprise project fees, and a written 30-day exit plan. Avoid any provider that won't show you their actual ticket system, won't let you talk to existing clients, or quotes you a price before doing an environment assessment.

/ 01 What an MSP actually does

A Managed Services Provider (MSP) is a company that runs all or part of your IT for a flat monthly fee. The category exists because most small and mid-sized businesses can't afford to hire the eight specialists they actually need to run modern IT properly — a helpdesk tech, a network engineer, a server admin, a cybersecurity analyst, a backup specialist, an M365 admin, a procurement person, and a strategic IT planner. Hiring all eight costs $700K+ a year in salary. An MSP gives you fractional access to all of them for $110-$185 per user per month.

A good MSP handles, at minimum:

  • 24/7 helpdesk — your team calls or emails a single number when anything breaks
  • Patch management — Windows, macOS, third-party apps, all kept current
  • Cybersecurity stack — EDR (endpoint detection & response), DNS filtering, email security, MFA enforcement, vulnerability scanning
  • Backup monitoring — verifying backups actually ran and are restorable (testing restores quarterly)
  • Network management — firewall, switches, Wi-Fi monitored and updated
  • Microsoft 365 / Google Workspace admin — license management, security baselines, mailbox / SharePoint / Drive support
  • Vendor coordination — when your line-of-business app vendor and your ISP point fingers at each other, your MSP referees
  • Strategic IT planning (vCIO) — quarterly business reviews, budgeting, roadmap, hardware lifecycle planning

What an MSP is not: a guarantee that nothing will ever break. Things still break — that's what IT is. A good MSP just keeps the breakage rare and the recovery fast.

/ 02 The four MSP pricing models

Per-user, all-inclusive (flat-rate)

The MSP charges a flat fee per user (often per "supported endpoint" — usually a person with a laptop/phone/M365 account). Includes everything in the agreement, no per-incident charges. This is what most modern MSPs offer and what you should generally want. Typical Tennessee pricing: $110-$185 per user per month all-in.

Per-device

Charged per managed device — laptops, servers, network gear each have a price. Common in environments with weird ratios (e.g., a warehouse with 5 employees and 30 ruggedized scanners). The math can be cheaper or much more expensive than per-user depending on your setup.

Tiered / "bronze, silver, gold" packages

Different price tiers with different inclusions. Watch out: the cheapest tier often excludes cybersecurity, after-hours support, or vCIO. The economics rarely work in your favor — you end up needing the gold tier anyway.

Block-of-hours / co-managed

You buy a block of hours per month for an internal IT person to call when stuck. Works for companies with strong internal IT who just need backup. Doesn't replace 24/7 monitoring.

⚠ Red flag: per-incident pricing

If an MSP quotes you a low monthly fee but charges hourly for "anything outside scope," they have a financial incentive for your systems to break. This is closer to break/fix than managed services. Insist on flat-rate, all-inclusive pricing with the scope clearly defined.

/ 03 14 questions to ask every MSP

Print this list. Ask every MSP you interview. The ones that answer crisply and confidently are the ones to short-list.

  1. What's your average first-response time? Look for under 15 minutes for critical, under 1 hour for normal. Get it in writing.
  2. What's your resolution-time SLA by priority level? A vague answer here is a major flag.
  3. How many tickets does your average tech handle per day? If it's over 25, you'll be a number, not a client. Healthy is 8-15 tickets per tech per day.
  4. What's your tech-to-client-user ratio? Healthy is 1 tech per 75-125 supported users. If they're at 200+, response times will suffer.
  5. What's included vs not? Get a written scope document. Common "gotchas" excluded from base contracts: after-hours support, on-site dispatch beyond X miles, new-user onboarding, project work, application-specific support.
  6. What cybersecurity stack do you deploy? Look for: managed EDR (not just antivirus — SentinelOne, CrowdStrike, Huntress, or similar), DNS filtering, email security, MFA enforcement, vulnerability scanning. If they say "antivirus" without elaboration, walk.
  7. What's your patching cadence and how do you verify it? Look for: critical patches within 7 days, monthly cycles otherwise, with verification reporting.
  8. How do you test backups? Backups that have never been restored aren't backups; they're hopes. Look for quarterly restore tests on real data.
  9. Can I see a sample monthly report? You should get one. It should be readable by a non-IT person.
  10. What's your contract length and exit clause? Look for: 12-36 month initial term, 30-day notice exit clause without penalty.
  11. Who owns the data, accounts, and documentation if I leave? Answer: you do. Get it in writing.
  12. Can I talk to three current clients my size in my industry? Any reputable MSP will say yes. Some hesitation is normal (they may need permission); a flat refusal is disqualifying.
  13. What's your tech turnover? High turnover = your account constantly changes hands. Healthy MSPs run 10-15% annual turnover; bad ones run 40%+.
  14. What does the first 90 days look like? A real MSP has a documented onboarding process. Vague answers here mean you'll be a science experiment.

/ 04 Red flags that disqualify a provider

These are deal-breakers, not "yellow flags." If you see any of these, move on.

  • Quotes a firm price without seeing your environment first — an MSP that quotes a firm price after a 15-minute sales call without an environment assessment is making it up. The opposite, a provider that won't quote a price until they have seen your environment, is actually a good sign.
  • Won't put SLAs in writing — "we'll get to it" isn't a service level. If they won't commit to specific response times, they don't have processes; they have hopes.
  • Won't let you talk to current clients — flat refusal (not just "let me ask first") means they don't have happy clients.
  • Charges for "discovery" before you're a client — a basic environment assessment as part of the sales process is free at any real MSP.
  • Sells you their proprietary platform you can't take with you — if your data, documentation, and accounts are locked into their custom system, leaving costs a fortune. Modern MSPs use industry-standard tools (HaloPSA, ConnectWise, SyncroMSP, NinjaOne, Datto, etc.) that the next MSP can pick up.
  • Manufacturer-only allegiance — "we only deploy [Brand X] firewalls" usually means commission, not best-fit. A good MSP picks tools per customer based on requirements, not per-vendor kickback.
  • No documented offboarding policy — if leaving them is undefined, you're trapped.
  • Pricing dramatically below market — if everyone is quoting $150/user/month and one provider quotes $65, they're either skipping security or shifting costs to "extras" later. There's no magic here.

/ 05 What to look for in the contract

The contract is where MSPs hide the actual deal. Read these sections carefully:

Scope of services

Should be specific, not "we'll provide IT support." Look for explicit inclusions and exclusions. Examples of items that are often excluded: new-user onboarding fees ($75-$150 each), new-PC setup fees ($150-$300), after-hours emergency support (1.5-2x rate), on-site dispatch beyond 30 miles, application-specific support (sometimes called "tier 3 / vendor escalation").

Service level agreements (SLAs)

Real SLAs include:

  • Response time by priority (P1/P2/P3 or critical/high/normal)
  • Resolution time targets
  • Uptime commitments where applicable
  • Credits or remedies if SLAs are missed

If the contract says "best effort" anywhere, that's not an SLA. That's a wish.

Term and exit clause

Look for 30-day-notice exit without penalty. Some MSPs require 60-90 days; that's acceptable if everything else is good. Watch for: auto-renewal that requires 90+ days notice (common trap), "buyout" fees for early termination (sometimes called "demobilization"), or clauses that void your right to data export.

Data ownership and offboarding

Should explicitly state: you own all your data, accounts, and documentation. The MSP will provide all credentials, configuration data, and account ownership at termination. Look for a specific timeline (e.g., "within 10 business days of termination notice").

Limitation of liability

Almost always capped at 1-3 months of fees. That's industry standard. What you want to verify: cybersecurity incidents involving the MSP's negligence (e.g., they didn't patch a known critical vulnerability) carry separate, higher caps or are excluded from the standard limitation.

Vendor pass-through

Hardware, licenses, third-party services: how are they billed? Common approaches are at-cost-plus-margin (typical 10-20%), or flat markup, or "we sell at the manufacturer's MSRP." Get this in writing — surprise hardware markups are how some MSPs make their real margin.

/ 06 How a real transition works

If your MSP can't describe their first-90-days process in detail, they don't have one. A real transition looks like this:

Days 1-15: Discovery & documentation

The new MSP audits your environment in detail. Inventory every device, account, network configuration, license, vendor relationship. Document every existing process, password vault entry, and access pathway. This is the boring foundational work that determines whether the relationship is going to work for the next three years.

Days 15-30: Tooling deployment

RMM agent (remote monitoring & management) installed on every endpoint. EDR / cybersecurity tools deployed. Backup verification and baseline created. Network monitoring established. Helpdesk ticketing live for your users.

Days 30-60: Stabilization

The MSP works through whatever they found in discovery — out-of-date systems, expired licenses, security gaps, documentation holes. You're getting tickets through the new system, and response times are being measured against the SLA.

Days 60-90: Strategic review

First vCIO meeting. The MSP presents what they found, what they fixed, and a 12-month roadmap of recommended projects with budget. This is when you find out whether they're a real strategic partner or just a helpdesk.

If 90 days in you still don't know who your account manager is or you've never had a strategic conversation, the relationship is going to be transactional forever. That's fine if that's what you want — but it usually isn't.

/ 07 The bottom line

The MSP industry has a lot of mediocre players. The good ones look obvious in interviews if you ask the right questions. Use the 14-question list. Ask for client references. Walk away from anyone who won't put SLAs in writing or who quotes you a price without seeing your environment.

If you're in Tennessee and want to talk about your situation honestly — including whether we're the right fit (we won't be for everyone, and we'll tell you if we're not) — we offer a free environment assessment and a written report. No pressure, no sales-call ambush.

Frequently asked questions

How much should an MSP cost?

For full-stack managed IT (24/7 helpdesk, EDR cybersecurity, patching, backup monitoring, network management, vCIO), Tennessee SMB pricing typically runs $110-$185 per user per month all-in. Co-managed IT (you keep an internal IT person and the MSP backs them up) typically runs $50-$95 per user per month. Anything well under $100/user/month for full managed services is almost certainly stripping cybersecurity or shifting costs to "extra projects."

Should I pick a local MSP or a national one?

Local MSPs typically have better response times, more flexible contracts, real relationships with your team, and the ability to be on-site within hours when something physical breaks. National MSPs typically have better tooling, deeper bench, and 24/7 follow-the-sun support. For most Tennessee SMBs under 200 users, a local or regional MSP wins on every metric except marketing budget. The exception: if you operate across many states, a national footprint matters more.

What's the difference between an MSP and a break/fix IT company?

A break/fix IT company charges you when something breaks. An MSP charges a flat monthly fee to prevent things from breaking, with response SLAs when they do. Break/fix providers have a financial incentive for your systems to fail. MSPs have a financial incentive to keep them running.

How long is a typical MSP contract?

Industry standard is 24-36 months with auto-renewal. We think anything over 12 months without an unconditional 30-day exit clause is too restrictive for small businesses. Ask for a 30-day-notice exit clause; any MSP confident in their service will agree to it.

Can an MSP replace my internal IT person?

It depends. An MSP can absolutely replace level-1 and level-2 helpdesk, server admin, patching, security monitoring, vendor management, and backup. What an MSP usually can't replace is the person who knows your business deeply — the workflows, the politics, the application-specific quirks. The best setups are usually co-managed: keep one internal "translator" who knows your business, let the MSP handle everything technical.
