How to evaluate an MSP: the 14 questions worth asking.

If you're evaluating managed service providers, you've probably already read three "10 questions to ask your MSP" articles. They all ask the same things — "do you have 24/7 support?" "what's your response time?" — which is exactly why no MSP gets surprised by them anymore. Everyone has rehearsed answers.

Here's a different angle. We're an active MSP. We wrote this guide because we'd rather compete on substance than on whoever has the slickest sales deck. The 14 questions below are the ones that actually separate serious providers from the ones repackaging the same RMM toolkit and calling it a "platform." If a provider answers them well, they're worth a real evaluation. If they dodge, you've learned something important.

1. What's in your security stack?

Specifically. By name. The provider should be able to tell you in 60 seconds which EDR they deploy (CrowdStrike, SentinelOne, Defender for Business?), which MDR partner sits behind it, which RMM platform they use (NinjaOne, ConnectWise Automate, Datto?), which backup tooling, which identity provider integration, which email security layer. If the answer is vague ("we use industry-standard tools") or evasive ("that's confidential"), they're either embarrassed by their stack or they don't have one — they're cobbling together whatever each tech happens to know.

Why this matters: the stack determines what you're actually buying. Two MSPs charging the same monthly fee can be deploying wildly different security maturity. The right question isn't "do you have EDR?" — every MSP says yes. It's "which one, why, and what does the configuration look like?"

2. Show me a redacted SLA report from a real month.

Every MSP claims they hit their SLAs. The honest ones can prove it. Ask for a redacted monthly report showing actual response times, ticket categories, SLA-met vs SLA-missed counts, and trend lines. If they hesitate or produce something obviously cherry-picked, that tells you they don't track this — which means they can't improve it.

What you're looking for: a report that admits some SLA misses. A 100%-met report from a real MSP doesn't exist. Either they're cooking the books or they're calculating SLA in an unusually permissive way.
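To make the "permissive calculation" point concrete, here is an added example (not code from the original post or from any MSP's reporting tool) that scores one constructed month of tickets twice: once on a strict wall clock and once on a clock that only runs during business hours. The SLA targets, the 08:00-18:00 weekday window and the tickets are all assumed sample values.

```python
from datetime import datetime, timedelta

# First-response SLA targets in minutes, by priority (constructed values)
SLA_TARGET_MIN = {"P1": 60, "P2": 240, "P3": 480}
BUSINESS_OPEN, BUSINESS_CLOSE = 8, 18  # 08:00-18:00, Monday-Friday (assumed)

def wall_clock_minutes(start, end):
    """Strict clock: every minute counts, nights and weekends included."""
    return (end - start).total_seconds() / 60

def business_minutes(start, end):
    """Permissive clock: only minutes inside weekday business hours count."""
    total = 0.0
    cur = start
    while cur < end:
        day_open = cur.replace(hour=BUSINESS_OPEN, minute=0, second=0, microsecond=0)
        day_close = cur.replace(hour=BUSINESS_CLOSE, minute=0, second=0, microsecond=0)
        if cur.weekday() < 5:  # Monday=0 ... Friday=4
            seg_start, seg_end = max(cur, day_open), min(end, day_close)
            if seg_end > seg_start:
                total += (seg_end - seg_start).total_seconds() / 60
        cur = day_open + timedelta(days=1)  # jump to the next day's opening time
    return total

def sla_met_rate(tickets, clock):
    """Share of tickets whose first response landed within target under `clock`."""
    met = sum(1 for prio, opened, responded in tickets
              if clock(opened, responded) <= SLA_TARGET_MIN[prio])
    return met / len(tickets)

# Constructed sample month: (priority, opened, first response)
SAMPLE_TICKETS = [
    ("P1", datetime(2024, 6, 14, 17, 30), datetime(2024, 6, 17, 8, 30)),  # Fri evening to Mon morning
    ("P1", datetime(2024, 6, 18, 10, 0), datetime(2024, 6, 18, 10, 45)),
    ("P3", datetime(2024, 6, 19, 16, 0), datetime(2024, 6, 20, 11, 0)),   # overnight
    ("P2", datetime(2024, 6, 20, 9, 0), datetime(2024, 6, 20, 12, 0)),
]

if __name__ == "__main__":
    print(f"strict (wall clock):    {sla_met_rate(SAMPLE_TICKETS, wall_clock_minutes):.0%}")
    print(f"permissive (biz hours): {sla_met_rate(SAMPLE_TICKETS, business_minutes):.0%}")
```

The same four tickets report 50% met on the strict clock and 100% met on the business-hours clock, so ask which clock the report uses before reading the percentage.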

3. Who actually answers when I call after hours?

"24/7 support" can mean many things. It can mean a real engineer with admin access to your environment. It can mean an offshore L1 who creates a ticket and tells you a US engineer will call back during business hours. It can mean an answering service. These are very different products at very different prices.

Probe deeper: "If I call at 2am on a Saturday with a server outage, who picks up, what can they actually do, and how quickly does it escalate if they can't fix it?" An MSP serious about 24/7 support has a clear answer with named tiers and escalation procedures.

4. What's your client retention / churn rate?

This is the question MSPs hate most because it's the hardest to fake. A healthy MSP retains 92–96% of clients annually. Below 85% means something is structurally wrong — bad onboarding, scope-creep into unprofitable engagements, or quality problems. Above 98% is suspicious — either too small a sample to be meaningful, or they're so conflict-averse they hold onto clients who'd be better off leaving.

Follow-up: "Of the clients who left last year, why did they leave?" The answer tells you what the MSP is bad at. If they can't think of any reasons, they're not paying attention.

5. Walk me through how you handle a security incident, end-to-end.

Have them describe their last real incident, not a generic process. What detected it. Who got paged. What the first 15 minutes looked like. How communication to you (the client) would have worked. What containment, eradication, and recovery would have involved. Whether they have a documented runbook or are improvising.

If the answer is theoretical ("well, we have an incident response policy that..."), they haven't actually run incidents. That's not necessarily disqualifying — small MSPs may not have had a major incident yet — but you should know.

6. Can I talk to a client who left you?

References from current clients are useful but selected. References from departed clients tell you what an unsuccessful engagement looked like. Most MSPs will be uncomfortable with this question. A confident MSP will name three former clients and offer to facilitate the introduction.

This is unusual enough that it doubles as a culture signal. An MSP that does this comfortably is signaling that they're not afraid of accountability. That's worth a lot.

7. What's the onboarding plan — specifically — for the first 30, 60, and 90 days?

Vague onboarding is where MSPs hide poor execution. A real onboarding plan has documented milestones: environment discovery and documentation (week 1–2), agent deployment and monitoring (week 2–3), security baseline and remediation (week 3–6), policy and procedure review (week 4–8), and a 90-day business review.

If the onboarding plan is "we'll figure it out together" or "every client is different," that means they don't have a plan. Onboarding is the highest-risk period of an MSP engagement — bad onboarding sets up bad ongoing service. Demand specifics.

8. How do you handle change orders and scope creep?

This is where MSPs make or lose money. Some MSPs allow scope creep silently and resent you for it. Others nickel-and-dime every minor request. Both are signs of a broken pricing model.

The healthy answer: "We track everything against the SOW. Small requests within the spirit of the engagement are absorbed. Anything that materially expands scope gets a change order with explicit pricing — you see it before work starts. Quarterly business reviews are where we rebalance scope as your business changes."

9. What's your patch cadence and how do you handle exceptions?

"We patch monthly" is not an answer. The right answer covers: when critical/zero-day patches get fast-tracked, how patches are tested before deployment to production, the approval workflow for exceptions, and what happens when a vendor releases a patch on the second Tuesday at 5pm before a long weekend.

If they patch everything immediately without testing, they'll break something at the worst possible moment. If they patch quarterly to avoid breakage, they're leaving you exposed for weeks at a time. Neither extreme is right.

10. Who owns my documentation and how do I get it if we part ways?

A surprising number of MSPs treat your environment documentation as a proprietary trade secret — credentials in their PSA, network diagrams in their SharePoint, runbooks in their IT Glue tenant. When the engagement ends, you discover they retain everything and you start from scratch with the next provider.

Healthy answer: "Your documentation lives in your environment or in a shared location you own. At the end of the engagement, you get a complete handoff package: credentials in your password manager, network diagrams in your file storage, runbooks in your documentation tool. We use IT Glue / Hudu / Confluence for our internal version, but we don't hold your data hostage."

11. What compliance frameworks have you actually supported?

"We support HIPAA / SOC 2 / PCI-DSS / CMMC" is on every MSP website. The real question is which clients they've actually carried through audits, which auditors they've worked with, and what their role in the audit process looked like — were they the IT operations layer the auditor reviewed, or were they actively producing the evidence and answering control questions?

MSPs that handwave on compliance are fine for businesses without compliance burden. If you have one, demand specifics. "We have a client who passed their SOC 2 Type II in October with [auditor name]" is a real answer.

12. When wouldn't you take us as a client?

The best diagnostic question in this entire list. An MSP that takes every client is not selective enough to be profitable, which means they'll cut corners somewhere — either on your engagement or on the next client over.

A good MSP can articulate where they're a bad fit. Examples: "we're a poor fit for under-10-user environments because our delivery model doesn't pencil out," or "we don't take on environments where senior leadership won't enforce MFA — it sets up the engagement for failure," or "we're not the right MSP for businesses that want unlimited project work folded into their monthly retainer." If they can't name a single disqualifying client profile, they don't know what they're optimized for.

13. What's your stance on cyber insurance requirements?

Cyber insurance underwriting has become much stricter over the past three years. Insurers require specific controls (MFA on all admin accounts, EDR on every endpoint, immutable backups, written IR plans). MSPs need to know these requirements because they affect what they deploy and how they document it.

The right MSP can speak fluently about insurance requirements, has helped clients complete the lengthy underwriting questionnaires, and can warn you when something in your environment is going to hit a denial-of-coverage trigger.

14. What's your AI and automation strategy — and how is it changing what you deliver?

This is the question most MSPs are unprepared for in 2026. Either they dismiss AI ("it's just hype, doesn't change anything for our work") or they overstate it ("we use AI throughout our operations" with no specifics). The correct middle ground is real: AI tools (especially agentic ones) are materially changing how MSP work gets done. Ticket triage, alert classification, documentation drafting, even routine remediation work are increasingly AI-augmented. An MSP that doesn't have a coherent answer here is going to be uncompetitive within 18 months.

The other half of this question: can they help you with AI and automation? Many MSPs can only deliver legacy IT services. The forward-looking ones treat AI/automation as an actual service line — building workflow automations, integrating Claude or similar models into client business processes, deploying agents that take real actions inside the systems clients already use. We do this ourselves; we've watched the market split into "MSPs doing AI" and "MSPs avoiding AI." The first group is taking share.

Putting it together.

You don't need to ask all 14. Pick the 5-6 most relevant to your situation, ask them across 3-4 candidates, and pay attention to how the answers differ in substance. The MSPs that answer with specifics, name names, and admit limitations are the ones worth a deeper conversation. The ones that respond with corporate-marketing phrases ("industry-leading," "best-in-class," "white-glove service") have given you all the information you need.

And if you want to put us through this evaluation, we welcome it. Twenty minutes, no slide deck. Book the call and ask us the hardest questions you've got.

Want to put these questions to us?

We mean it — book a call and run through the 14 questions. If our answers are weaker than the competition's, you've learned something useful. If they're better, even better.