
How to Evaluate an MSP: The 15-Point Vendor Selection Checklist (2026)

June 11, 2026

Quick Answer

  • Score every bidder on the same 15 criteria; don't compare quotes on price alone
  • Demand a written SLA with response times by severity, not "best effort"
  • Verify the security stack: EDR, MFA enforcement, SOC coverage, tested backups
  • Call 2-3 references at companies your size in your industry

Most companies pick an MSP the wrong way: three quotes, one spreadsheet column (price), done. Then they churn. Roughly 6 in 10 SMBs that switch MSPs cite service quality, not cost, as the reason they left (CompTIA State of the Channel, 2025).

This checklist gives you 15 criteria to score every bidder against, the evidence to demand for each one, and the red flags that predict a bad two years. Work through it before you sign anything — and if you're still building your shortlist, our provider directory lets you filter by region and specialty.

How should you score MSP candidates?

Use a weighted scorecard. Score each of the 15 points from 0-3, multiply by the weight, and compare totals. It removes the "nice sales guy" bias that drives most bad selections.

Category                   Points on this checklist   Suggested weight
Service delivery & SLAs    1-4                        30%
Security & compliance      5-8                        30%
Business health & fit      9-12                       25%
Contract & pricing         13-15                      15%

The average SMB now spends 10-15% of its IT budget on managed services, and contracts run 12-36 months (Mordor Intelligence managed services market report, 2026). A bad pick is a multi-year mistake. Spend the two weeks of diligence.

Service delivery: points 1-4

1. Written response-time SLAs by severity

Demand a table: P1 outage = 15-60 minute response, P2 = 2-4 hours, P3 = next business day. "Best effort" language is a red flag. See our guide to MSP response-time SLAs for benchmark numbers by tier.

2. Real helpdesk metrics

Ask for last quarter's numbers: average first-response time, average resolution time, and first-contact resolution rate. Healthy MSPs run 70%+ first-contact resolution and under 30-minute first response during business hours (Datto Global State of the MSP Report, 2024). If they can't produce the report in 48 hours, they don't track it.

3. Escalation path with names

Who handles a P1 at 2 a.m.? Get the on-call structure in writing: tier 1 → tier 2 → engineer → account manager.

One-person shops can't staff this — which matters above roughly 15 employees.

4. Onboarding plan with a timeline

A competent MSP hands you a 30-60 day onboarding plan: discovery, agent deployment, documentation, baseline security fixes. Onboarding fees near one month's contract value are normal. No plan means improvised support later — here's what good onboarding looks like.

Security and compliance: points 5-8

5. Their own security posture

Ask whether the MSP itself enforces MFA on all staff, holds cyber liability insurance ($1M-$5M is standard), and has SOC 2 or equivalent attestation. MSPs are a top attack vector — CISA has issued repeated advisories on threat actors targeting MSPs to reach their customers (CISA Advisory AA22-131A, 2022).

6. The security stack they deploy to you

Minimum 2026 stack: EDR on every endpoint, enforced MFA, email filtering, DNS filtering, and security awareness training. Ask which products and why. Vague answers ("we use enterprise-grade tools") score zero.

7. Backup and tested recovery

Backups don't count unless restores are tested. Demand the schedule (e.g., hourly incremental, daily offsite), retention terms, and the date of the last successful test restore. Get RTO/RPO targets in the SLA.

8. Compliance experience in your framework

HIPAA, CMMC, PCI DSS, SOC 2 — if you carry a framework, your MSP must have current clients in it. Ask how many and request one as a reference. A generalist learning compliance on your dime is expensive.

Business health and fit: points 9-12

9. Client-to-technician ratio and tenure

Ask how many endpoints per technician they manage. Healthy MSPs run roughly 250-400 endpoints per tech; far above that means slow tickets (Kaseya MSP Benchmark Report, 2025). Also ask average technician tenure — churn on their side becomes churn in your ticket quality.

10. References from companies your size

Get two or three references in the same size band and ideally your industry. Ask each: response times on the worst day, surprise invoices, and what they'd change. If every reference is 5x your size, you'll be the small fish.

11. Vendor and stack alignment

If you're a Microsoft 365 shop, you want documented M365 depth: partner status, certifications, migration count. Ask what their preferred stack is. An MSP that resells one vendor for everything optimizes for its margin, not your fit.

12. Strategic review cadence (vCIO)

Quarterly business reviews with a roadmap and budget forecast separate partners from ticket-takers. Ask to see a sanitized QBR deck. What vCIO services actually include is worth reading before you weigh this one.

Contract and pricing: points 13-15

13. Transparent pricing model with a sample invoice

Per-user, per-device, or flat-rate — any model works if the quote itemizes what's in and out. Demand a sample invoice from a similar client. Our pricing models breakdown shows the 2026 ranges to sanity-check quotes against: $125-$200/user/month is the standard band.

14. Exit terms and data ownership

The contract must state: you own all data, documentation, and passwords; offboarding assistance is included or priced; termination notice is 30-90 days. Auto-renewal clauses with 6-month notice windows are a known trap (check MSP contract terms and clauses).

15. Scope boundaries in writing

What's "unlimited" and what's a billable project? Office moves, new servers, and after-hours work are the usual carve-outs at $150-$250/hr (TechTarget managed services pricing analysis, 2025). Unlisted exclusions become invoice disputes.

What are the red flags that should end a conversation?

  • No written SLA, or SLA without severity-based response times
  • Can't produce helpdesk metrics or references within a week
  • No MFA on their own staff accounts
  • Backup claims without test-restore evidence
  • Pressure to sign before discovery, or quotes 40%+ below the field
  • Auto-renewal with more than 90 days' required notice

A quote far below market usually means thin staffing. The math doesn't lie: a tech handling 600 endpoints can't hit a 30-minute response SLA.

Frequently Asked Questions

How many MSPs should I evaluate before choosing?

Three to five. Fewer than three gives you no pricing baseline; more than five burns weeks without changing the decision. Build the shortlist from referrals, industry peers, and a vetted directory, then run all bidders through the same 15-point scorecard.

What questions should I ask MSP references?

Four questions: How fast do they actually respond on bad days? Have you had surprise invoices, and for what? What broke during onboarding? Would you sign again? References tell you about reality; sales decks tell you about ambition. Push for one reference in your size band and industry.

How long should an MSP contract run?

12 months for a first engagement when you can get it. MSPs push 36-month terms — sometimes with onboarding fees waived as the trade — and multi-year deals are fine on renewal once service is proven. Whatever the term, cap auto-renewal notice at 90 days and get exit assistance in writing.

What is a good MSP response time SLA?

Benchmark numbers for SMB contracts: 15-60 minutes for a P1 (business-down) incident, 2-4 hours for P2 (degraded), and next business day for P3 requests. Resolution-time targets matter as much as response. Make sure the SLA includes service credits when targets are missed.

How much should I expect to pay a good MSP?

For a standard SMB stack in 2026: $125-$200 per user per month, or $30-$150 per device depending on type. Quotes well below that range usually cut security tooling or staffing. Normalize every bid against the same service catalog before comparing prices.

Sources

  1. CompTIA. "State of the Channel." 2025. https://www.comptia.org/content/research/comptia-state-of-the-channel
  2. Mordor Intelligence. "Managed Services Market Size & Share Analysis." 2026. https://www.mordorintelligence.com/industry-reports/global-managed-services-market-industry
  3. Datto. "Global State of the MSP Report." 2024. https://www.datto.com/resources/global-state-of-the-msp-report/
  4. CISA. "Protecting Against Cyber Threats to Managed Service Providers and their Customers (AA22-131A)." 2022. https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-131a
  5. Kaseya. "MSP Benchmark Report." 2025. https://www.kaseya.com/resource/msp-benchmark-report/
  6. TechTarget. "Popular Pricing Models for Managed Service Providers." 2025. https://www.techtarget.com/searchitchannel/feature/What-are-the-popular-pricing-models-for-managed-services-providers

— The MSP Directory Team
