← All posts

Managed IT · January 12, 2026 · intSignal Team

How to Choose an MSP: A Buyer's Due-Diligence Checklist

Buy the operation, not the sales deck

Every managed service provider demos well. The pitch is polished, the logos are impressive, and the pricing looks reasonable next to the cost of hiring. None of that tells you what happens at 2 a.m. when a domain controller is down or a ransomware note appears on a file share. Due diligence is about pulling the demo apart to see whether there is a real operation behind it — repeatable process, staffed coverage, tooling you can keep, and contractual teeth. The questions below are the ones that separate a partner from a vendor you will be trying to escape in eighteen months.

Security posture: the first filter

An MSP holds privileged access to everything you own. If their own security is weak, you have simply outsourced your attack surface to a third party — and supply-chain compromise of IT providers is now a well-documented attack pattern in the Verizon DBIR. Screen for it before anything else.

  • Independent attestation. Ask for a current SOC 2 Type II report (not a Type I, not a "we follow SOC 2 practices"). Read the exceptions section, not just the cover page.
  • How they protect their access to you. Multi-factor everywhere, a privileged access management system, just-in-time admin rather than standing domain admin, and separate credentials per client tenant.
  • Detection on their own estate. A provider selling you monitoring should be able to describe their own logging, alerting, and incident response without hesitating.
  • Cyber insurance and compliance alignment. Confirm they carry their own cyber liability coverage and can support the framework you answer to — whether that is HIPAA, PCI DSS, CMMC, or a customer's SOC 2. A partner who runs a disciplined security and compliance program makes your own audits easier; one who does not becomes a finding.

If a provider gets defensive about their own controls, stop there. The rest of the evaluation does not matter.

Staffing and escalation: who actually answers

"24/7 support" is the most oversold phrase in the industry. It can mean a fully staffed operations center or one on-call technician with a pager and a fast answering service. Make them prove which.

  1. Headcount and tiers. How many engineers, split across which tiers? What is the ratio of technical staff to total endpoints under management?
  2. Follow-the-sun or on-call? After hours, is there a live team or a single person being woken up? Where are they located?
  3. The escalation path. Ask them to walk a Sev-1 from first ticket to resolution: who touches it at each tier, and what triggers a jump to the next level. Vague answers mean the path does not exist.
  4. Continuity of knowledge. Will you have a named account lead who knows your environment, or start every ticket explaining your network again? A strong helpdesk and support function is measured by how rarely you have to repeat yourself.

Tooling ownership: partner or hostage

This is the question most buyers skip, and the one that hurts most at renewal. MSPs run your environment through their stack — RMM, endpoint protection, SIEM, backup, documentation. When the relationship ends, who keeps the tooling, the configuration, and the historical data?

  • Are licenses in your name or theirs?
  • If you leave, do you retain the endpoint agents and backup repositories, or does everything go dark on day one?
  • Where does documentation of your environment live, and can you export it?

Providers who lock you into proprietary, non-portable tooling are engineering your dependence on purpose. A complete IT support engagement should leave you more capable and more portable over time, not less.

SLAs with teeth

A service level agreement that carries no penalty is a marketing document. Read for the specifics.

  • Response versus resolution. Many SLAs guarantee only that someone acknowledges your ticket quickly, then say nothing about fixing it. You want both response and resolution targets, defined by severity.
  • Coverage windows. Do the targets apply 24/7 or only during business hours?
  • Remedies. What happens when they miss — service credits, escalation rights, termination for chronic breach? An SLA with no consequence is a best-effort promise wearing a suit.
  • Recovery objectives. For anything touching backup and continuity, RPO and RTO must be named, contractual, and periodically tested — assumed recovery is not recovery.

Onboarding and the first 90 days

The quality of onboarding predicts the quality of the whole relationship. A serious provider runs a structured transition: full asset discovery, network and security assessment, documentation, and a remediation plan for what they find. Be suspicious of anyone who wants to skip discovery and "just start supporting." They will be flying blind, and so will you. Ask to see a sample 30/60/90-day onboarding plan before you sign.

References, reporting, and proof

  • Real references. Ask for clients of similar size and industry, ideally one that has been with them three-plus years, and one that recently left.
  • Reporting cadence. What do monthly and quarterly business reviews actually contain — ticket trends, patch compliance, backup success rates, security posture — or is it a page of green checkmarks?
  • Metrics they hold themselves to. A provider that measures first-contact resolution, mean time to resolve, and SLA attainment is running an operation. One that cannot produce those numbers is improvising.

Exit and data portability: decide it before you sign

Negotiate the divorce during the honeymoon. The contract should spell out the notice period, transition assistance obligations, format and timeline for returning your data, and what it costs. Confirm your backup and disaster recovery repositories are exportable in a standard format. If exit terms are missing or one-sided, that is a deliberate lock-in strategy, not an oversight.

Pricing models: match the model to your estate

  • Per-user — a flat fee per employee covering all their devices. Predictable and simple; best when people carry multiple devices. You can overpay for seldom-active or shared accounts.
  • Per-device — priced by endpoint or server. Precise for device-heavy, low-headcount environments; costs blur when one user has a laptop, desktop, and phone.
  • Tiered / bundled — good/better/best packages. Easy to compare on paper, but read what each tier excludes. The gap between tiers is where the surprises live.

Whatever the model, hunt for the exclusions: after-hours rates, project work billed on top, per-incident security response, onboarding fees, and overage charges. The headline price is rarely the real price.

Red flags to walk away from

  • No SOC 2 or independent security attestation, and defensiveness when asked.
  • "24/7" that turns out to be one on-call technician.
  • Proprietary tooling and data you cannot take with you.
  • SLAs with response times but no resolution targets or remedies.
  • Long lock-in contracts with vague or hostile exit terms.
  • Pricing that only makes sense once you read the exclusions.
  • References they are reluctant to provide.

Run it as a scorecard

Turn these into a weighted checklist and score every finalist the same way: security posture, staffing and escalation, tooling ownership, SLA teeth, onboarding, references and reporting, exit terms, and total cost including exclusions. The provider that scores well across all eight is the one still serving you well in year three — not just the cheapest line on the quote.

If you want a partner who welcomes this level of scrutiny, that is exactly how intSignal is built to be evaluated. Talk to our team and we will walk you through our SOC 2 posture, staffing model, SLAs, and exit terms before you commit to anything.