Hiring a managed IT provider means handing a vendor the keys to your entire business — email, files, systems, and the security that protects them. Yet many owners choose based on price and a friendly sales rep. These twelve questions surface what actually matters.

What questions reveal a security-first MSP?

The best filter is whether security is baked into their standard offering or sold as an upsell after something goes wrong. Ask these first:

1. Is EDR or managed detection & response included by default, or an add-on?
2. Do you enforce MFA across all clients as standard practice?
3. How do you handle patch management, and how fast are critical patches deployed?
4. Do you provide 24/7 monitoring, and who watches it — your team or a SOC?

How do you judge their reliability and responsiveness?

Vague promises are worthless during an outage. Get commitments in writing:

5. What are your guaranteed response times, and are they in a written SLA?
6. What’s your first-call resolution rate and average ticket time?
7. Can you support us on-site, or is everything remote?

What do they do about backups and disasters?

Running backups is easy; proving they recover is the real work.

8. Do you test restores, and how often — and will you show me the results?
9. What’s your incident-response process if we’re hit with ransomware?
Pro tip

Ask for a redacted example of a recent restore test or incident report. A confident, mature MSP has this documentation ready. Hesitation here tells you the “backups” are a checkbox, not a tested capability.

What reveals how they’ll treat you as a client?

Transparency and fair terms predict the whole relationship.

10. What reporting do we get, and how often will we review security posture together?
11. Who owns our data, documentation, and admin credentials?
12. If we ever leave, how does offboarding work and what does it cost?

The last question matters more than it seems. A confident provider makes leaving straightforward because they intend to earn your renewal, not trap you. If exit terms are punitive or your own documentation is held hostage, that’s how the relationship will feel from the inside too.

What’s the real difference between break-fix and managed?

Incentives. A break-fix shop profits when things break; an MSP profits when things run. That single distinction shapes everything — whether they proactively patch, whether they push you toward resilience, and whether they see your uptime as their job or your problem. You’re not just buying support hours; you’re buying an alignment of interests.

Evaluating a provider's security claims?

Run the Ransomware Reality Check first, so you know exactly which gaps a new MSP needs to close.

Free Reality Check

Take these twelve questions to every provider you evaluate and compare the answers side by side. The right partner will welcome the scrutiny — because answering well is exactly how they win good clients.