The MSP industry has a marketing problem and a real problem, and they are not the same. The marketing problem is that every provider's website says the same six things: 24/7 monitoring, proactive support, comprehensive cybersecurity, strategic partnership, scalable solutions, world-class team. The real problem is that the gap between the best and worst MSPs serving small business is enormous, and the websites do not help you tell them apart.
Here is what I would actually look for if I were hiring one in 2026, and the things I would walk away from.
Define what you are buying before you talk to anyone
"Managed services" is a category, not a service. Decide which of these you actually need:
- Helpdesk and end-user support. Tickets, password resets, the new-laptop-onboarding dance.
- Infrastructure management. Servers, network, M365 or Google Workspace tenant, backups, patching.
- Security operations. EDR, monitoring, incident response, vulnerability management. This is increasingly its own thing (often called MDR), and a generalist MSP that says "yes we do that too" usually does it badly.
- Strategic IT (vCIO). Roadmap, budget, vendor selection. Real if the person is real, theater if they are a salesperson with a title.
If you ask for all four from one provider, you will get one of them well and three of them as filler. Better to be honest about which one is the priority for the next 12 months.
The questions that separate good from average
Skip "tell me about your company." Ask these instead:
- What is your average tenure of L2 and L3 engineers? (Under 18 months means you will be re-explaining your environment forever.)
- Show me a redacted ticket from last week, start to finish. (You learn more from this than from any sales deck.)
- What is your stack? Specifically: RMM (ConnectWise Automate, NinjaOne, Datto), PSA, EDR (Huntress, SentinelOne, CrowdStrike), backup (Veeam, Datto, Cove)? "We are vendor-agnostic" usually means "we resell whoever pays us the best margin this quarter."
- What is your incident response posture if our domain is compromised at 2 a.m. Saturday? Who picks up the phone, in what timeframe, with what authority?
- Can I talk to two clients my size who left you, not just two who stayed?
The last question is the one almost no MSP is ready for. Their answer tells you a lot.
Read the SLA like a lawyer, not a customer
"24/7 support" often means "24/7 someone will answer, but the engineer who can fix it shows up Monday." Pin down response time, resolution time, what counts as a P1, and what the penalty is if they miss. If the only penalty is a service credit equal to one day of fees, the SLA is decorative.
Also: who owns your data, your tenant admin credentials, your domain registrar, your DNS? It should be you, in writing. If a provider resists turning over root-level access on request, that is the entire answer about whether to sign with them.
The pricing models, briefly
Per-user all-you-can-eat (typically $100 to $250 per user per month for full-stack) is predictable and rewards stability. Per-device is older and tends to favor MSPs over clients. Block hours feel cheap until you have a bad month. Pure project work plus a thin retainer is fine if you have decent in-house IT and need a force multiplier rather than a full outsource.
Cheap MSPs are not cheap. They are using a different cost structure (offshore L1, autopilot RMM, no real engineering depth) and you will feel it the first time something nontrivial breaks.
Pilot before you commit
A 90-day paid pilot on a defined scope (say, M365 management plus helpdesk for one department) tells you more than any reference call. Plenty of providers will refuse this. That is also useful information.
If you want a second opinion on shortlisting providers without it turning into a sales call, Syncritech does that as a flat-fee engagement.
