How to choose an MSP: the questions to ask.
Choosing a managed service provider comes down to a handful of pointed questions: is security included or sold separately, what are the SLAs, who answers at 3am, how do you leave, and will they price transparently? The right MSP gives specific, written answers — the wrong one gets vague.
- The single best filter: is security included or an upsell? Make them name the tools.
- SLAs and response times must be defined per priority and written into the contract, not promised verbally.
- Ask who literally answers at 3am — a real 24/7 SOC, or a voicemail?
- A confident MSP gives transparent per-user pricing and a clean exit. Vagueness is the red flag.
Start with the one question that filters most providers
Before anything else, ask: “Is security included in the per-user fee, or sold separately?” How an MSP answers tells you almost everything. A good provider names the specific tools — EDR, email security, backup — and tells you whether a 24/7 SOC is watching them. A weak one says “yes, security’s included” and changes the subject. If security is mentioned but never specified, assume it isn’t really there.
The buyer’s checklist
Work through these before you sign. Treat written, specific answers as the bar — not enthusiasm.
- Security: included or extra? Which exact tools, and is anyone monitoring them 24/7?
- SLAs and response times. Are targets defined per priority level, written into the contract, and measured?
- Who answers at 3am? A staffed SOC, an on-call engineer, or a voicemail until Monday?
- Exit and lock-in. Notice period, data ownership, how you get your documentation out, any exit fees.
- References. Can they introduce you to clients of a similar size and sector?
- Microsoft focus. Are they genuinely strong on Microsoft 365 and identity, where most of your work and most attacks live?
- Pricing transparency. Will they give an indicative per-user range now and a firm quote after discovery — or only “contact us”?
- Onboarding. What does the first 30 days look like, and who owns it?
You’re not buying a price list — you’re buying the answer to “what happens at 3am when it goes wrong?” Make them answer it specifically.
Good answers vs bad answers
Use this to score the conversation. The pattern is always the same: specific and written beats vague and verbal.
| You ask… | Good answer | Bad answer |
|---|---|---|
| Is security included? | “Yes — EDR, email security and backup in the per-user fee, monitored by our 24/7 SOC.” | “Don’t worry, security’s covered.” |
| What’s your SLA? | “1-hour response for critical, defined per priority, in the contract.” | “We’re usually pretty quick.” |
| Who answers at 3am? | “Our staffed SOC; here’s the escalation path.” | “Leave a ticket and we’ll pick it up.” |
| How do we leave? | “30 days’ notice, your data and docs are yours, no exit fee.” | “Let’s not worry about that now.” |
| What does it cost? | “Typically £X–£Y per user; firm quote after discovery.” | “Every client’s different — contact us.” |
Pricing in the table is illustrative of the conversation, not a quote. Realistic UK ranges sit around £30–£120+ per user per month depending on scope.
Red flags to walk away from
- Security as a mystery upsell. If they won’t name the tools or say who monitors them, the protection probably isn’t real.
- No SLA in writing. Verbal promises about speed are worth nothing when it matters.
- Long lock-ins, no exit plan. A 36-month term with no data-portability clause is designed to trap you.
- “Contact us” and nothing else. A provider that won’t even ballpark a per-user range is hiding the number, not protecting it.
Make the decision
Shortlist two or three providers, run the same checklist past each, and weight security and the 3am answer heavily — those are the things you can’t fix later. If you’re also weighing whether to keep any of this in-house, our guide on managed security vs in-house covers the trade-offs. When you’re ready to put us through the checklist, book a call — we’ll answer every question above, specifically.
Questions we get asked.
What questions should I ask an MSP before signing?
Ask whether security is included or sold separately, what the SLAs and response times are, who actually answers at 3am, how you exit and get your data out, whether they can give client references, how Microsoft-focused they are, and whether they’ll give transparent per-user pricing. Good answers are specific and written into the contract; vague or evasive answers are the warning sign.
Is security usually included with managed IT?
It varies, which is exactly why you must ask. Some MSPs include baseline security such as EDR and patching in the per-user fee; others sell it as a separate upsell or barely cover it. A good provider names the specific tools — EDR, email security, backup — and tells you whether a 24/7 SOC is watching them. If “security” is mentioned but never specified, assume it isn’t really there.
What SLA response time should I expect from an MSP?
There’s no single right number — it depends on priority levels. A reasonable SMB SLA might target a response within an hour for critical issues and a few hours for routine ones, during agreed hours, with out-of-hours or 24/7 cover available for security. What matters is that targets are defined per priority, written into the contract, and measured — not just promised verbally.
How do I avoid getting locked in to an MSP?
Before signing, ask about the exit process: the notice period, who owns your data and documentation and how you retrieve them, and whether there are exit fees. A confident provider has a clean offboarding process and keeps your documentation portable. Avoid very long terms with no data-portability clause — that’s lock-in by design, not partnership.
Ask us anything above.
Book 30 minutes. We’ll answer every question on this page — security, SLAs, who answers at 3am, exit, and a transparent per-user price — specifically, in writing.