Most CFOs we work with describe their experience evaluating managed IT quotes the same way: three vendors, three completely different proposals, no apparent way to compare them apples to apples. One quotes per-user, one quotes per-device plus monitoring, one bundles everything with a “discovery fee” that conveniently happens after you sign.
This guide is the framework we’d hand a CFO before they sit down with an MSP proposal. It covers what each line item should actually cost in 2026, the 10 questions that immediately separate strong vendors from weak ones, and the red flags that should kill a deal before you sign.
You don’t need to know what an SIEM is to use this. You need to know what to ask.
Why MSP quotes look so different
Three structural reasons MSP proposals are hard to compare:
- Pricing models vary. Per-user, per-device, per-tier, per-asset, all-inclusive flat fee, or any combination.
- Scope varies. What one MSP includes in “managed services” another sells as five separate products.
- Tooling assumptions vary. One MSP includes EDR, another assumes you already buy your own.
Translation: the headline number in each quote is meaningless until you’ve normalized them.
The 10 questions that filter the field
Email these 10 questions to every MSP you’re evaluating. The answers will tell you more than the proposal does.
1. What’s your pricing model and why?
Listen for: per-user is most common in 2026 and most predictable. Per-device gets weird as people use laptops, phones, and tablets. Tiered (“Bronze/Silver/Gold”) is fine but you have to verify what’s in each tier.
2. What’s included in the base price, and what’s a separate line item?
Make them produce a written list of: 24/7 helpdesk, endpoint monitoring & management (RMM), endpoint detection & response (EDR), patch management, email security, backup, mobile device management, M365/Google Workspace administration, vulnerability scanning, strategic reviews/vCIO time, after-hours emergency response.
Anything missing from their bundled price will show up as a quote later.
3. What’s the on-boarding and discovery process? Is it a separate fee?
Most legitimate MSPs charge a one-time discovery / on-boarding fee in the $4K–$15K range for a 25–75 person business. If a vendor says “no on-boarding fee, we just include it” — they almost always recoup it through inflated monthly pricing or scope cuts.
4. What’s your average ticket response time, by priority?
Real MSPs have published SLAs:
- Critical: 15–30 min response
- High: 1–2 hour response
- Medium: 4 hour response
- Low: next business day
If they can’t tell you, they don’t measure it.
5. Will I have a dedicated account manager? How often do we meet?
Quarterly Business Reviews (QBRs) should be standard. If the answer is “we’ll meet when there’s an issue,” the relationship will be reactive.
6. Show me a sample first-30-day report and a sample QBR deck.
You’re testing whether they actually deliver these documents — not just promise to. A vendor with three years of clients should have de-identified examples to share.
7. What’s your renewal and termination process?
Notice period (30/60/90 days), data return obligations, off-boarding fees. The contract should be readable, not obscured.
8. Who owns the licenses and equipment?
Microsoft 365, EDR, backup, firewalls, switches — buy through the MSP or buy your own? If through them, what happens at termination? Best practice for licenses is “we own them, they manage them.”
9. What does your security stack look like?
You should hear: EDR, MFA enforcement, email security, vulnerability scanning, MDR (managed detection & response) or 24/7 SOC, backup with offsite copy, encrypted channels for remote work. Specific products can vary; the stack should be coherent.
10. What happens if I’m not satisfied? Can I exit?
A confident MSP gives a clear exit pathway. A weak MSP buries termination in legalese.
What each line item should cost in 2026
For a typical 50-person business:
| Line item | Reasonable range | Notes |
|---|---|---|
| Fully managed IT (per user/month, all-in) | $150 – $250 | Includes helpdesk, RMM, patching, EDR, basic email security, M365 admin |
| Add-on: Advanced email security | $4 – $8 / user / mo | Defender P2, Mimecast, Avanan |
| Add-on: MDR / 24/7 SOC | $15 – $35 / user / mo | Big jump but standard for regulated industries |
| Add-on: M365 Backup | $4 – $7 / user / mo | Veeam, Datto, AvePoint |
| One-time on-boarding | $4,000 – $15,000 | Includes discovery, tooling deployment, documentation |
| vCIO / strategic time | $200 – $400 / hr or bundled | Look for at least 2 hrs/quarter included |
| After-hours emergency | $150 – $250 / hr | Or bundled (preferable) |
What this means in practice: A 50-person business in healthcare or finance should expect to spend $10,000–$15,000 per month on managed IT, all-in, including security and compliance tooling. Less than $10K and you’re probably under-protected. More than $20K and you should be getting white-glove service or have a complex environment that justifies it.
The 7 red flags that should kill a deal
🚩 1. The discovery happens after you sign. Real discovery should be a structured pre-sale process, not “we’ll figure out your environment after you commit.”
🚩 2. The contract auto-renews for 36 months. 12 months is standard. 24 acceptable with right pricing. 36+ is a lock-in trap.
🚩 3. They quote a much lower price than competitors. Get clear about what they’re cutting. Usually it’s MDR, advanced email security, or response-time SLAs.
🚩 4. They can’t show you a sample report. Either they don’t deliver them or they’re embarrassing.
🚩 5. They want to be your only IT vendor. Modern best practice has separation: your MSP for operations, a different firm for annual security audits and pen testing.
🚩 6. They’re vague about which engineer will be on your account. You should know names, roles, and certifications before signing.
🚩 7. Their references are all under 1 year. A healthy MSP has 3+ year client relationships. Ask for two references at the 3+ year mark.
How to compare three quotes side-by-side
Build a single spreadsheet with rows for every component:
| Component | Vendor A | Vendor B | Vendor C |
|---|---|---|---|
| Per-user managed IT | $X/user/mo | $Y/user/mo | $Z/user/mo |
| EDR included? | Yes / Vendor X / no | … | … |
| 24/7 helpdesk? | Yes/no | … | … |
| MDR / SOC? | Yes (price) / Add-on / No | … | … |
| Backup included? | Yes / Add-on / No | … | … |
| Discovery / on-boarding | $X one-time | … | … |
| QBR cadence | Quarterly / Bi-annual / On request | … | … |
| Response SLA (Critical) | 15 min / 1 hr / “ASAP” | … | … |
| 3-year total cost | $X | $Y | $Z |
The 3-year total is the most useful number. Most MSPs price aggressively for year 1 and then escalate. Compare actual TCO.
A sample 50-person business — what “right” looks like
| Line item | Cost |
|---|---|
| Managed IT (50 × $200/user/mo) | $10,000/mo |
| MDR / 24/7 SOC (50 × $25) | $1,250/mo |
| M365 Backup (50 × $5) | $250/mo |
| One-time on-boarding | $8,500 |
| QBR + vCIO time included | — |
| Year 1 total | ~$148,000 |
| Year 2+ (no on-boarding) | $138,000 |
| 3-year total | ~$424,000 |
That’s the all-in number a CFO should expect. If quotes vary by more than 25% from this baseline, the gap is in scope, not in vendor efficiency.
Where to start
We’ve offered this for free to CFOs in evaluation processes: send us your top two quotes and we’ll do an apples-to-apples comparison sheet — what each vendor includes, what’s missing, what the realistic 3-year cost is, and what we’d add or cut. No sales pitch attached.
Schedule a free 30-minute quote review →
Or call 1-650-300-7557.
Frequently asked questions
Should I always pick the lowest quote?
No, almost never. The lowest quote almost always cuts something material — either response time, MDR, or scope.
How do I know if I’m under-spending on IT?
Industry rule of thumb: 4–8% of revenue for professional services, 6–10% for healthcare and finance, 10%+ for tech-heavy businesses. If you’re under 3% you’re probably accumulating risk.
Should we negotiate?
Yes. 5–15% is typically negotiable. The discovery fee, contract length, and SLA-tier pricing all have flex.
Is per-user pricing always best?
For most professional services businesses, yes — predictable and scales with headcount.
