MSP Red Flags: Warning Signs to Watch
This article is for educational purposes only and does not constitute professional compliance advice or legal counsel. Your specific situation may vary, and you should evaluate any service provider relationship based on your organization's unique requirements.
You're either shopping for a managed service provider or you've had one for a while and something feels off. Maybe the sales process felt too smooth—a lot of promises, not many specifics. Maybe you've been with your MSP for two years and you still couldn't tell someone exactly what you're paying for. Maybe your last IT emergency revealed that the "24/7 monitoring" you were promised had some significant asterisks, and downtime stretched on while you waited to hear back.
Finding a good MSP is genuinely hard for the same reason finding a good mechanic is hard: the person selling you the service knows enormously more about it than you do, and that information gap is where bad deals live. Most MSPs are competent and ethical. But the ones that aren't tend to use a very recognizable playbook, and once you know what to look for, the warning signs are hard to miss. The pattern starts in the sales process and often accelerates once you're locked into a contract. Learning to recognize those signals before you sign could save you years of frustration and thousands in unexpected bills.
The Sales Process as a Preview
Pay attention to how an MSP sells to you, because it's a direct preview of how they'll serve you. The sales behavior that matters most is how much pressure they apply and how willing they are to customize their offering to your actual needs.
A good MSP will want to understand your environment before quoting you a price. They'll spend time asking about your infrastructure, your user count, your applications, your compliance requirements, your pain points, and your growth plans. This isn't politeness: it's how they figure out what you actually need and whether they can deliver it. An MSP that quotes you a price on the first call, before they know anything about your environment, is either going to underdeliver or overcharge, and usually both. When you hear "here's our standard package, it's $X per month," be skeptical. Every organization is different, and if they're treating yours like a commodity, they're not thinking about fit.
Watch for the MSP that has an answer for everything and a caveat for nothing. Real IT environments are messy. Network equipment from three vendors, applications written by different teams in different eras, custom integrations that only one person understands, hardware that's past end-of-life but works fine. A competent provider will tell you "that depends," will flag potential complications, will say "we'd need to see your environment before we can commit to that" or "that's going to require some planning because of your legacy systems." The MSP that promises everything works perfectly from day one, that migration will be seamless, that you'll see immediate cost savings across the board—that's a sales team optimizing for the close, not for the relationship. The initial engagement will look fine. Problems emerge later when reality doesn't match the promises.
The proposal itself is highly revealing. You want to see specifics: what's included in the base price, what's excluded, what costs extra, what the escalation path looks like, what response time commitments are, and what happens if they don't meet them. If the proposal is mostly marketing language about "strategic partnerships" and "technology alignment" with vague service descriptions and no measurable commitments, that's not an oversight—it's intentional. Vague language gives the MSP room to define scope later, and the definition will favor them, not you. You'll discover gaps when problems happen, and by then you're locked in.
Here's a question that sounds minor but tells you something important: ask them what they don't do well. Every MSP has weaknesses. Maybe they're great at infrastructure but weak on application support. Maybe they're strong in Microsoft environments but limited with Mac or Linux. Maybe they don't have expertise in the industry-specific software you rely on. A provider that answers this question honestly—"we're strong on infrastructure and Office 365, but we're not the best for healthcare-specific EHR integrations"—is telling you something valuable about their self-awareness and their respect for your intelligence. They're also setting realistic expectations. One that insists they're excellent at everything is either lying or they haven't been honest with themselves about where they have blind spots. Either way, you're going to discover gaps after you've signed.
Opacity Around Security
This is the biggest red flag category, and it's gotten more important as cyber insurance, compliance requirements, and breach liability have made MSP security practices a direct business risk for their clients. Your MSP has privileged access to your systems. In many cases they hold administrative credentials, run remote management (RMM) agents on your servers and workstations, and can push changes across your infrastructure without your direct involvement. That level of access means their security posture is effectively your security posture, and attackers know it: compromising one MSP's tooling or credentials is a way into every client that MSP manages. If they get breached, you get breached, and you'll be the one explaining to your board and your insurance carrier why you trusted someone without properly vetting them.
So when you ask an MSP about their own security practices (their internal MFA requirements, their access controls, their employee vetting, their incident response capabilities) and you get vague answers, that's a significant problem. "We take security very seriously" is not an answer. "We follow industry best practices" is not an answer. Those are phrases that could mean anything or nothing, and they're usually deployed by vendors who don't want to get specific. What you want to hear is concrete detail: MFA is enforced on every internal account, and especially on the remote-access and RMM tooling that touches your environment; privileged credentials live in a privileged access management (PAM) solution rather than a shared spreadsheet or password file; access to client systems is logged and reviewed; employees with client system access are background-checked; there's a documented incident response plan that has actually been exercised; they carry cyber liability insurance; and they can hand you a current SOC 2 report. That's a provider that's thought about security and can articulate it.
A SOC 2 report is worth asking for because it's third-party attestation: an independent auditor examined their controls. Note the terminology, though. SOC 2 is an attestation report, not a certification, and there are two kinds. A Type I report only says the controls were suitably designed at a point in time; a Type II report says the auditor tested whether they operated effectively over a review period, commonly six to twelve months. Ask for the Type II, check that the scope covers the services you'd actually be buying, and read the exceptions section rather than just the cover page. If they have no report and can't articulate why or when they plan to get one, that should factor heavily into your evaluation. Having no report suggests they're either too small to bother (which is fine, but then they should have a credible roadmap) or skeptical of the value (which suggests they don't see security assurance as important to selling to you, a bad sign).
The MSP that gets defensive when you ask these questions is waving a flag. A mature provider expects these questions, welcomes them, and has answers ready. They've already had these conversations with other prospective clients and with their cyber insurance carrier. They know this is baseline due diligence. The one that treats your security questions as an imposition, that responds with "trust us, we've been doing this for twenty years," or that becomes evasive is telling you that their security posture probably hasn't kept pace with the threat environment. The threat landscape of twenty years ago is nothing like today's, and if they're defensive about proving they're secure now, they're probably not.
Vague Service Definitions and Scope Creep
If an MSP can't clearly articulate what's included in their service, that's a major red flag. You should know exactly what "managed" means for each service category. If the definition is vague, you'll discover gaps when problems happen, and you'll be arguing about whether something is covered.
Ask: What exactly do you monitor? What devices does monitoring cover? What happens if a device has an issue—do you have to wait for it to fail, or do you detect problems before they happen? What's the response time expectation for different issue types? If they can't answer specifically, they're either disorganized or they're intentionally vague so they can define scope after you sign and have leverage over you.
Scope creep happens when service boundaries are fuzzy. The MSP does work and later tells you it's outside their scope. You argue it should be included. The MSP blames you for misunderstanding the contract. You're frustrated, they're profitable. A good contract with clear scope prevents this. If an MSP resists defining scope clearly, if they want everything to be flexible and open-ended, they're planning to work the boundaries to their advantage. That's a sign they're thinking about how to squeeze profit out of the relationship rather than how to deliver value.
Poor Communication and Unresponsive Support
During the sales process, is the MSP responsive? Do they answer your questions quickly? Do they provide thoughtful answers or just send over sales material? If they're unresponsive now, when they want your business, they'll be worse once you're locked in. Sales responsiveness doesn't guarantee service responsiveness, but lack of sales responsiveness is almost always predictive of poor service responsiveness.
Watch for communication style. Do they listen to your needs or do they just pitch their standard offering? Do they ask questions to understand your environment, or do they assume everything's standard? How they engage with you early signals how they'll engage long-term. A sales conversation should feel like someone trying to understand your needs. It should not feel like someone trying to squeeze you into a templated package.
Ask specifically about communication cadence: How often do you check in with customers? Do you send regular status reports? Can I reach you when I need you? If they seem disorganized about communication, if they have no rhythm to how they stay in touch, you'll waste time trying to get their attention during incidents. An MSP that communicates proactively—sending status reports, reaching out about upcoming maintenance, flagging issues before they become emergencies—is thinking about your success. One that disappears until you page them is reactive and that's going to frustrate you constantly.
Missing Security Certifications and Practices
If an MSP has no third-party security attestation, no documented security practices, and can't articulate how they protect customer data, they're not serious about security. This is non-negotiable. You're giving them access to your systems and your data, and they need to prove they have controls in place. A SOC 2 Type II report is the baseline expectation for any MSP claiming to be a professional vendor. It's not perfect (the MSP chooses the scope, and the auditor attests to controls rather than guaranteeing outcomes), but it demonstrates that an independent auditor reviewed their practices.
Ask point-blank: Do you have a SOC 2 report, and is it Type II? If they say no, ask why. If they can't articulate a credible reason ("we're too small right now but we're planning it for 2027" is credible; "we don't think it's necessary" is not), walk away. This is a signal about how seriously they take security. An MSP saying "security attestation isn't important" is one you don't want managing your infrastructure.
Ask about employee security training, background checks, access controls, and incident response procedures. If they haven't thought about any of this, they're an immature vendor. These are basic expectations for any service provider with your data.
Resistance to Documentation and Clear SLAs
If an MSP resists putting commitments in writing, that's a major red flag. A good MSP will document service levels, service definitions, pricing, and contract terms. If they want everything verbal, if they push back on detailed contracts, if they suggest that specific commitments "aren't necessary," they're planning to be flexible about promises—which is another way of saying they're planning to break them if convenient.
Ask: Can you put that in writing? If they hesitate, suggest it's not necessary, or ask you to trust them verbally, be very skeptical. Everything important should be documented. If they won't document something, they know they can't consistently commit to it. They're keeping room to wriggle out later.
SLAs are the most important protection you have. An SLA worth the name defines severity levels, says how response and resolution times are measured and whether the clock runs around the clock or only during business hours, and spells out the remedy (service credits, termination rights) when they miss. If an MSP resists SLAs, offers vague ones, or provides SLAs with no enforcement mechanism or consequences for missing them, they're telling you something. A confident vendor that believes in its service will put its money where its mouth is. A vendor that avoids SLAs or makes them toothless knows it can't consistently meet commitments.
High Staff Turnover and Lack of Deep Expertise
If an MSP has high staff turnover, you're constantly retraining technicians on your environment. Every time someone new takes over your account, there's a learning curve and a window of risk. Your systems are only understood by the people running them, and when those people leave, that institutional knowledge leaves too.
Ask: What's your average tenure? If they tell you "we have some people with five years and some with one year," that's a healthy mix and acceptable. If they say "most of our staff is under two years," you should be concerned. You want experience and institutional knowledge handling your account.
Ask who on their team has deep expertise in your technologies. If everything routes through junior staff who consult senior people, your issues take longer to resolve and you're paying a lot of money for troubleshooting that could be solved faster by someone who knows your environment intimately. You want senior people actively engaged, not just junior people escalating to seniors.
High turnover is often a sign the MSP isn't investing in retention, isn't managing workload well, or is paying below market. All of those things correlate with service quality issues.
Proprietary Lock-In Through Opaque Systems
Some MSPs use proprietary tools and systems that lock you in. If you leave, you can't take your configuration, you can't easily replicate their setup, and you're forced to pay for migration or accept incomplete data handoff. The MSP knows this and may intentionally design for lock-in.
Ask: If I leave, how much of my configuration is in your proprietary tools? Will I be able to export everything in a format another vendor can understand? Can a new MSP pick up where you left off, or would there be significant translation work? Ask about the offboarding process too: how their agents and accounts get removed from your environment, how the administrative credentials they held get rotated, and who confirms that their access is actually gone. If they're vague or defensive about any of this, that's a signal.
Good MSPs use standard tools that you can understand and another vendor can manage. The tools should be portable. If an MSP uses proprietary tooling for everything—proprietary monitoring platform, proprietary configuration system, proprietary documentation format—ask whether that's for legitimate technical reasons or for lock-in. Sometimes there are good reasons. Sometimes it's intentional vendor capture.
Pricing That's Too Good to Be True
If an MSP promises everything at a price that seems unbelievably low, something is being cut. Either they're understaffed and you won't get good service, or they're overselling scope and you'll discover gaps later, or they're pricing low now and intend to raise prices once you're locked in, or they're planning to nickel-and-dime you with constant add-ons.
Pricing that's similar to competitors is not a sign of a bad deal. It's a sign the market is efficient and you're getting market rate. Pricing that's significantly lower than competitors is a warning sign. Something is different and you should understand what before you sign. Ask them specifically how they can offer such attractive pricing. If the answer is "we're just very efficient," ask them to prove it. If the answer is "we operate at lower margins," that might be fine but understand the trade-off. If they can't explain it, you're looking at a sustainability problem or hidden costs.
Reading the Signals
Red flags during evaluation predict red flags during the relationship. An MSP that's evasive, vague, pushy, or dismissive of your questions is showing you how they'll treat you as a customer. An MSP that's willing to negotiate, clear about limitations, flexible about working with your needs, and thoughtful about addressing concerns is showing you a different kind of partnership. The choice between these two options is the difference between a five-year relationship you trust and one that turns into constant negotiation and frustration.
Listen to those signals. The MSP that answers directly, acknowledges its limitations, and provides flexibility in working with you is more likely to be a good partner. The one that avoids specific answers, insists everything is fine, and wants you to trust them without evidence is one you should evaluate carefully.
Fully Compliance provides educational content about IT compliance and cybersecurity. This article reflects general guidance about evaluating managed service providers. Individual MSP relationships vary—evaluate any provider based on your organization's specific needs and risk profile.