The most expensive mistake SMBs make with managed IT isn't picking the wrong vendor — it's picking the wrong evaluation criteria. Most companies compare price first, ask for references second, and never look at the contract until after they've signed. Then the first major incident happens, the SLA language turns out to be vague, and they're locked in for 24 more months with no exit clause.
This guide gives you a structured way to evaluate managed IT providers before you commit. Eight criteria, each with a weight that reflects how much it actually matters. A pricing model comparison table so you understand what you're actually buying. Red flags that show up in almost every bad MSP contract. And a decision flowchart to help you determine whether fully managed IT, co-managed IT, or in-house IT is the right structure for your company size and risk profile.
of SMBs that terminated an MSP contract within 18 months cited poor incident response as the primary cause — not cost, not features. Response time matters more than any other single criterion.
Why the Wrong MSP Costs More Than Doing Nothing
A bad managed IT contract doesn't just underdeliver — it actively creates risk. When you outsource IT to a provider that can't perform, you lose the in-house capacity you had before (employees stop learning to handle tier-1 issues, internal knowledge atrophies) while also paying an MSP fee that doesn't buy you reliable coverage. The worst outcomes from a bad MSP relationship include:
- Ransomware recovery without proper backups — MSP contracts that mention "backup services" but don't specify recovery time objectives (RTO) or recovery point objectives (RPO) leave you exposed. Recovery from a ransomware event without tested backups averages $500K–$2M in downtime, data loss, and forensic costs for a 100-person company.
- Compliance violations from misconfigured systems — SOC 2, HIPAA, PCI-DSS, and SOX all have technical control requirements. An MSP that doesn't specialize in your regulatory environment will implement generic controls that fail audits.
- Lock-in at the worst moment — Most MSP contracts require 60–90 days termination notice. If you discover a provider is underperforming after a major incident, you're still paying them while standing up a replacement.
- Out-of-scope billing spirals — A contract that covers "routine maintenance" but bills hourly for "projects" can result in invoices for $8,000–$25,000 on work you assumed was included — office moves, new employee onboarding batches, firewall upgrades.
Doing nothing (continuing with ad hoc IT support or a part-time internal hire) is a legitimate alternative. A mediocre MSP at $100/user/month is not automatically better than a well-run internal generalist at the same all-in cost. The evaluation framework below is designed to help you distinguish between MSPs worth hiring and MSPs worth avoiding.
The 8-Criterion MSP Evaluation Framework
Score each vendor you're evaluating on a 1–5 scale for each criterion, then multiply by the weight. Maximum possible score: 500. Any provider under 300 should be disqualified regardless of price.
| Criterion | Weight | What to Evaluate |
|---|---|---|
| Response Time SLA | ×20 | Hard SLA in writing: P1 (full outage) under 1 hour, P2 (degraded service) under 4 hours, P3 (minor issue) under 8 hours. Vague "commercially reasonable" language scores 1. |
| Technical Depth | ×15 | Number of certified engineers (Microsoft, Cisco, AWS, security certs), staff-to-client ratio (target under 1:50), and whether engineers are employees or contractors. |
| Security Stack | ×15 | What's included: EDR, SIEM, dark web monitoring, email filtering, MFA enforcement, security awareness training. Ask for their specific tools — not just "we provide security." |
| Contract Flexibility | ×15 | Termination notice period (target 30 days), data portability guarantee, SLA credit or exit rights when response targets are missed, and no auto-renewal without affirmative consent. |
| Industry Experience | ×10 | Reference clients in your industry and of similar size. Compliance experience specific to your regulatory environment (HIPAA, PCI, SOC 2). Scores 1 if they have no relevant references. |
| Pricing Transparency | ×10 | Clearly defined scope of included work vs. out-of-scope hourly billing. Itemized pricing, not bundled "all-in" that makes it impossible to compare. Onboarding fee disclosed upfront. |
| Onboarding Process | ×8 | Written onboarding plan with milestones, asset inventory and documentation deliverables, defined handoff from your current IT setup, and time-to-coverage commitment. |
| Strategic Alignment | ×7 | Whether they offer vCIO or technology roadmap services, their process for proactive recommendations (not just reactive support), and account manager accessibility and responsiveness. |
Use this framework as a filter, not a ranking. Any provider that scores below 3/5 on Response Time SLA or Contract Flexibility should be eliminated from consideration regardless of their total score. Those two criteria predict the majority of bad MSP outcomes.
For a ready-to-use version of this scoring matrix, see the VendorSage IT Vendor Evaluation Scorecard — it includes this framework plus criteria for cloud vendors, software vendors, and security providers.
MSP Pricing Model Comparison
Most managed IT providers offer one of three pricing structures. The right model depends on whether you have more users or more devices, and how stable your headcount is.
| Pricing Model | How It Works | Best For |
|---|---|---|
| Per-User | $75–$200/user/month. Covers all devices and services for each named user. Price scales with headcount. Most common model for 50–200 employee companies. | Companies where employees have multiple devices (laptop + mobile + desktop) or where device count is hard to track. Growing companies prefer this because pricing scales predictably. |
| Per-Device | $50–$150/device/month. Desktop, laptop, server, and network device each billed separately. Can be cheaper if device count is low relative to headcount. | Companies with high device-to-user ratios (warehouses, labs, retail), or where some users only need basic support. Watch for device scope creep — printers, IoT, and specialty hardware often add cost. |
| Flat-Rate | $1,500–$8,000/month regardless of headcount (up to a defined ceiling). Common for offices under 30 users. Simple budgeting but limited flexibility. | Small offices with stable headcount where the MSP is comfortable defining a ceiling. If you're growing, you'll hit the ceiling faster than expected and pricing resets. |
| Hybrid | Base flat-rate for core monitoring + per-user or per-device for help desk. Most complex to evaluate but common at mid-market MSPs. | Companies that need 24/7 infrastructure monitoring but have variable help desk volume. Requires careful scope definition to avoid out-of-scope billing. |
The per-user model is the easiest to budget and evaluate. When comparing quotes, always convert to a per-user-per-month number — it's the only apples-to-apples comparison across pricing models. For a full breakdown of what these models cost at 50, 100, and 200 employees, see Managed IT vs In-House IT: The Real Cost Comparison.
Red Flags in MSP Contracts
The contract negotiation phase is where most SMBs leave the most value on the table. Most business owners aren't contract lawyers, and MSP sales reps know which clauses will cause problems later. Here are the specific things to flag before signing.
For a full list of contract terms to review across all IT vendor types, see 12 Red Flags in IT Vendor Selection and How to Negotiate IT Vendor Contracts.
SLA Language to Watch
- "Commercially reasonable efforts" — Not an SLA. Legally meaningless. Every response time commitment should be a specific number of hours with defined measurement criteria (e.g., "clock starts when ticket is opened in the portal, not when an engineer picks it up").
- Response vs. resolution — Many contracts specify a response time (an engineer acknowledges the ticket) but not a resolution time. Ask for both, and ask specifically about P1 (full outage) resolution targets.
- Exclusions and carve-outs — "Not covered: issues caused by third-party software, end-user error, or acts of God" can exclude a significant portion of real-world incidents. Ask them to give you three recent P1 incidents and walk you through exactly how their contract coverage applied.
Contract Term and Exit Clauses
- Auto-renewal with short cancellation windows — A 36-month contract with a 90-day cancellation window that auto-renews means if you miss the window once, you're locked in for another three years. Push for 30-day termination with cause, 60-day without.
- No data portability guarantee — Your asset inventory, network documentation, and ticket history belong to you. Get that in writing before you sign. Some MSPs make migration painful by withholding documentation when contracts end.
- SLA credit terms — If they miss their SLA, what happens? "Service credits" that apply to future invoices are nearly worthless if you're about to terminate. Push for the right to exit without penalty if SLAs are missed more than twice in a rolling 90-day period.
Scope and Billing Ambiguity
- Vague "project" vs. "support" definitions — Ask for three specific examples of work that would be billed as a project (hourly or fixed-fee) vs. covered under the retainer. If they can't answer clearly, the out-of-scope billing will be unpredictable.
- Onboarding fees and migration costs — Most MSPs charge an onboarding fee of $1,500–$15,000 depending on environment complexity. Get this in writing upfront and confirm what happens if onboarding runs over scope.
Not sure what's in your current vendor contracts?
The VendorSage free IT assessment reviews your current vendor relationships, identifies contract risk, and scores your overall IT spend efficiency.
Get Your Free IT Assessment →In-House vs. Co-Managed vs. Fully Managed: The Decision Flowchart
The right IT model isn't always fully managed IT. For some companies at specific growth stages, co-managed IT or a strong internal hire is a better investment. Work through these questions in order.
What Good Looks Like: Shortlist Criteria
After scoring providers against the 8-criterion framework, use these questions to build your shortlist of 2–3 finalists before requesting formal proposals:
- Can they provide three references from companies within 20% of your employee count? Not their biggest success stories — companies like yours. Call the references; don't just accept email introductions.
- Will they show you a sanitized sample contract? Any MSP reluctant to share contract language before you're in late-stage discussions is signaling something. The good ones have nothing to hide.
- What happens in the first 90 days? Get a written onboarding plan. It should include: asset discovery, documentation handoff, existing ticket system review, and a named project manager for the transition.
- What are their escalation paths? Tier-1 helpdesk → Tier-2 engineering → Senior engineer → Management. For P1 incidents, you should be able to reach a named senior engineer, not just a helpdesk queue.
- How do they handle the end of the contract? Ask directly: "If we decide to leave in 18 months, what does the offboarding process look like?" Their answer tells you how much they rely on lock-in vs. performance to retain clients.
One practical test: Before signing, submit a test support ticket outside business hours and measure response time. The gap between what MSPs promise and what they deliver is most visible when no one is watching.
Frequently Asked Questions
The eight most important criteria are: (1) response time SLAs and escalation paths, (2) technical certifications and staff depth, (3) security stack and compliance experience, (4) pricing model fit, (5) contract terms and exit clauses, (6) industry experience, (7) onboarding process, and (8) references from similar-sized companies. Weight response time and contract flexibility most heavily — those predict the majority of bad MSP outcomes.
Per-user pricing for full-service managed IT typically runs $75–$200/user/month for a 50–200 person company. Per-device pricing ranges from $50–$150/device/month. The cheapest option is rarely the best — the gap between a $75/user and $125/user MSP is often the difference between a 4-hour and 30-minute SLA.
Watch for: auto-renewal clauses with short cancellation windows, vague "commercially reasonable efforts" SLA language, no data portability clause, broad out-of-scope carve-outs that bill hourly for anything beyond basic monitoring, and contracts over 36 months without exit clauses tied to service failures.
For companies with a physical office presence and under 100 employees, local MSPs typically win on accountability and on-site responsiveness. National MSPs make more sense with multiple locations, remote-first operations, or strict compliance requirements that benefit from specialized depth.
Co-managed IT is a hybrid model where an internal IT person handles strategic work while an MSP handles tier-1 help desk, 24/7 monitoring, and patching. It makes sense for companies between 75 and 200 employees who need internal IT knowledge but can't justify a full internal team. The co-managed MSP layer typically runs $25–$60/user/month for supplemental coverage.
Get a free IT assessment before you sign anything
The VendorSage assessment reviews your current IT setup, identifies coverage gaps, and gives you a personalized recommendation — takes 2 minutes and costs nothing.
No spam. Just practical IT buying advice.