Choosing a managed IT provider in 2026 is the most consequential operational decision most SMBs make outside of senior hiring. The right MSP becomes a fractional CIO, a 24×7 SOC, a compliance partner, and a vendor-management team rolled into one. The wrong one becomes a tax on every business decision for the next 36 months. This guide is the practical 7-question framework U.S. SMBs and mid-market firms should run every prospective MSP through before signing.
The 7 Questions Every Buyer Should Ask
- What is included in your standard managed tier — exactly? Demand a service-inclusion matrix per row.
- What is your published response and resolution SLA? Vague “unlimited support” is a yellow flag. Real SLAs have minutes for P1 and hours for P2/P3.
- Who provides EDR, and is 24×7 SOC included or extra? Managed detection with human triage is what cyber insurance and audits expect.
- Can I see a sample QBR and a sample compliance evidence package? If they can’t show what they produce for current clients, they don’t produce it.
- How do you generate cyber insurance evidence? MFA coverage reports, EDR coverage, restore-test logs — on what cadence, and who owns delivery?
- Can I talk to two reference clients of my size in my industry? Specificity matters.
- What is the offboarding process if we leave? Documented transition plan, data export, and timing — should be in writing.
Red Flags in MSP Proposals
- Pricing significantly below $95/user/month — usually missing critical components
- EDR “available” but not included
- No mention of MFA enforcement, conditional access, or DMARC
- Backup is “included” but not immutable; no restore testing mentioned
- 3-year contracts with auto-escalation and 90-day cancellation windows
- vCIO that turns out to be a quarterly status email, not a real strategic engagement
- Ownership of admin credentials, registrar, or SSL certificates by the MSP without explicit transfer terms
Apples-to-Apples Comparison
| Capability | Vendor A | Vendor B |
|---|---|---|
| Per-user price | $X | $Y |
| EDR vendor + tier | ? | ? |
| 24×7 SOC | Y/N | Y/N |
| Email security gateway | ? | ? |
| Backup architecture | ? | ? |
| Compliance evidence cadence | ? | ? |
| vCIO QBR cadence | ? | ? |
| Helpdesk SLA | ? | ? |
| Onboarding fee | $? | $? |
| Auto-escalator | ?% | ?% |
| 3-year TCO | $? | $? |
Bottom Line
Picking an MSP well is mostly about scope clarity. Build the inclusion matrix, run the seven questions, talk to references, and treat below-market pricing as a yellow flag rather than a deal.
Evaluating an MSP proposal? ACS provides 30-minute no-cost quote reviews benchmarked against 2026 industry data for U.S.-based SMBs and mid-market firms. Contact us.
