MSP Red Flags: Warning Signs to Watch

Reviewed by the Fully Compliance editorial team. Updated March 2026.

The short answer: The biggest MSP red flags are opacity around security practices, vague service definitions designed to be interpreted after you sign, resistance to putting commitments in writing, pricing too low to be sustainable, and defensiveness when asked detailed questions. How an MSP sells to you is a direct preview of how they'll serve you. If they're evasive during evaluation, they'll be evasive during incidents.

You're either shopping for a managed service provider or you've had one for a while and something feels off. Maybe the sales process felt too smooth — a lot of promises, not many specifics. Maybe you've been with your MSP for two years and you still couldn't tell someone exactly what you're paying for. Maybe your last IT emergency revealed that the "24/7 monitoring" you were promised had some significant asterisks, and downtime stretched on while you waited to hear back.

Finding a good MSP is genuinely hard for the same reason finding a good mechanic is hard: the person selling you the service knows enormously more about it than you do, and that information gap is where bad deals live. Most MSPs are competent and ethical. But the ones that aren't use a very recognizable playbook, and once you know what to look for, the warning signs are hard to miss. The pattern starts in the sales process and accelerates once you're locked into a contract. Learning to recognize those signals before you sign saves years of frustration and thousands in unexpected bills.

The Sales Process Is a Direct Preview of Service Quality

Pay attention to how an MSP sells to you, because it's a direct preview of how they'll serve you. The sales behavior that matters most is how much pressure they apply and how willing they are to customize their offering to your actual needs.

A good MSP wants to understand your environment before quoting you a price. They spend time asking about your infrastructure, your user count, your applications, your compliance requirements, your pain points, and your growth plans. This isn't politeness — it's how they figure out what you actually need and whether they can deliver it. They say "we need to see your environment before we can commit to a timeline," and that restraint is a good sign. An MSP that quotes you a price on the first call, before they know anything about your environment, is going to underdeliver or overcharge — usually both. When you hear "here's our standard package, it's $X per month," that's a commodity pitch, not a tailored service.

Watch for the MSP that has an answer for everything and a caveat for nothing. Real IT environments are messy — network equipment from three vendors, applications written by different teams in different eras, custom integrations that only one person understands, hardware past end-of-life but still working. A competent provider tells you "that depends," flags potential complications, says "we'd need to see your environment before we can commit to that." The MSP that promises everything works perfectly from day one, that migration will be seamless, that you'll see immediate cost savings across the board — that's a sales team optimizing for the close, not for the relationship. According to CompTIA's 2024 Channel survey, 43% of organizations that switched MSPs within the first two years cited "overpromising during the sales process" as a primary driver of dissatisfaction.

The proposal itself is revealing. You want specifics: what's included in the base price, what's excluded, what costs extra, what the escalation path looks like, what response time commitments are, and what happens if they don't meet them. If the proposal is mostly marketing language about "strategic partnerships" and "technology alignment" with vague service descriptions and no measurable commitments, that's intentional. Vague language gives the MSP room to define scope later, and the definition will favor them, not you.

Ask them what they don't do well. Every MSP has weaknesses — maybe they're great at infrastructure but weak on application support, strong in Microsoft environments but limited with Mac or Linux, lacking expertise in your industry-specific software. A provider that answers this honestly is telling you something valuable about their self-awareness and their respect for your intelligence. One that insists they're excellent at everything is either lying or hasn't been honest with themselves about their blind spots.

Opacity Around Security Is the Biggest Red Flag Category

This is the biggest red flag category, and it's gotten more important as cyber insurance, compliance requirements, and breach liability have made MSP security practices a direct business risk for their clients. Your MSP has privileged access to your systems — administrative credentials, remote access to your servers and workstations, the ability to make changes across your infrastructure without your direct involvement. That level of access means their security posture is your security posture. If they get breached, you get breached.

So when you ask an MSP about their own security practices — their internal MFA requirements, their access controls, their employee vetting, their incident response capabilities — and you get vague answers, that's a significant problem. "We take security very seriously" is not an answer. "We follow industry best practices" is not an answer. Those phrases could mean anything or nothing, and they're deployed by vendors who don't want to get specific. What you need to hear is concrete detail: they require MFA on all internal accounts, they use a privileged access management solution, they conduct background checks on all employees with client system access, they have a documented and tested incident response plan, they carry cyber liability insurance, and they have SOC 2 certification from a reputable auditor.

If they have a SOC 2 report, that's third-party verification that an auditor reviewed their controls and confirmed they actually work. If they don't have one and can't articulate why or when they plan to, that's a serious concern. The Kaseya VSA attack in 2021 demonstrated at industrial scale what happens when an MSP's security fails — ransomware deployed across an estimated 1,500 downstream organizations through a single compromised tool. The refusal to get certified suggests they're either too small to invest in it yet, which is understandable if they have a credible roadmap, or they're skeptical of the value, which suggests they don't see security assurance as important.

The MSP that gets defensive when you ask security questions is waving a flag. A mature provider expects these questions, welcomes them, and has answers ready. The one that treats your security questions as an imposition, that responds with "trust us, we've been doing this for twenty years," or that becomes evasive is telling you their security posture hasn't kept pace with the threat environment. The threat landscape of twenty years ago is nothing like today's.

Vague Service Definitions Create Leverage for the MSP, Not for You

If an MSP can't clearly articulate what's included in their service, that's a major red flag. You should know exactly what "managed" means for each service category. If the definition is vague, you'll discover gaps when problems happen, and you'll be arguing about whether something is covered.

Ask: What exactly do you monitor? What devices does monitoring cover? What happens if a device has an issue — do you wait for failure or detect problems proactively? What's the response time expectation for different issue types? If they can't answer specifically, they're either disorganized or intentionally vague so they can define scope after you sign.

Scope creep happens when service boundaries are fuzzy. The MSP does work and later tells you it's outside their scope. You argue it should be included. The MSP blames you for misunderstanding the contract. A good contract with clear scope prevents this entirely. If an MSP resists defining scope clearly, if they want everything to be flexible and open-ended, they're planning to work the boundaries to their advantage.

Poor Communication During Sales Predicts Poor Communication During Incidents

During the sales process, is the MSP responsive? Do they answer your questions quickly? Do they provide thoughtful answers or just send over sales material? If they're unresponsive now, when they want your business, they'll be worse once you're locked in. Sales responsiveness doesn't guarantee service responsiveness, but lack of sales responsiveness is almost always predictive of poor service responsiveness.

Watch for communication style. Do they listen to your needs or do they pitch their standard offering? Do they ask questions to understand your environment? How they engage with you early signals how they'll engage long-term.

Ask specifically about communication cadence: How often do you check in with customers? Do you send regular status reports? If they seem disorganized about communication, if they have no rhythm to how they stay in touch, you'll waste time trying to get their attention during incidents. An MSP that communicates proactively — sending status reports, reaching out about upcoming maintenance, flagging issues before they become emergencies — is thinking about your success. One that disappears until you page them is reactive and will frustrate you constantly.

Missing Security Certifications Are Non-Negotiable

If an MSP has no security certifications, no documented security practices, and can't articulate how they protect customer data, they're not serious about security. This is non-negotiable. You're giving them access to your systems and your data. SOC 2 certification is the baseline expectation for any MSP claiming to be a professional vendor. It's not perfect, but it demonstrates that a third-party auditor reviewed their practices. Datto's 2023 Global State of the MSP Report found that 82% of MSPs with SOC 2 certification reported higher customer retention than those without — because clients rightly treat it as a trust signal.

Ask point-blank: Do you have SOC 2 certification? If they say no, ask why. "We're too small right now but we're planning it for next year" is credible. "We don't think it's necessary" is not. Walk away from that answer. An MSP saying security certification isn't important is one you don't want managing your infrastructure.

Resistance to Written Commitments Is a Dealbreaker

If an MSP resists putting commitments in writing, that's a major red flag. A good MSP documents service levels, service definitions, pricing, and contract terms. If they want everything verbal, if they push back on detailed contracts, if they suggest that specific commitments "aren't necessary," they're planning to be flexible about promises — which means they're planning to break them when convenient.

Ask: Can you put that in writing? If they hesitate, suggest it's not necessary, or ask you to trust them verbally, be very skeptical. Everything important must be documented. If they won't document something, they know they can't consistently commit to it.

SLAs are the most important protection you have. If an MSP resists SLAs, offers vague ones, or provides SLAs with no enforcement mechanisms or consequences for missing them, that's telling. A confident vendor that believes in its service puts its money where its mouth is. A vendor that avoids SLAs or makes them toothless knows it can't consistently meet commitments.

High Turnover Erodes Institutional Knowledge About Your Environment

If an MSP has high staff turnover, you're constantly retraining technicians on your environment. Every time someone new takes over your account, there's a learning curve and a window of risk. Your systems are only understood by the people running them, and when those people leave, that institutional knowledge leaves too. The Bureau of Labor Statistics reports average IT sector turnover at approximately 13% annually as of 2024 — significantly higher turnover at an MSP suggests they're not investing in retention, not managing workload well, or paying below market. All correlate with service quality issues.

Ask: What's your average tenure? "Some people with five years and some with one year" is normal. "Most of our staff is under two years" is concerning. Ask who on their team has deep expertise in your technologies. If everything routes through junior staff who consult senior people, your issues take longer to resolve and you're paying a premium for troubleshooting that someone with more experience would solve faster.

Proprietary Lock-In Is Intentional Vendor Capture

Some MSPs use proprietary tools and systems that lock you in. If you leave, you can't take your configuration, you can't easily replicate their setup, and you're forced to pay for migration or accept incomplete data handoff. The MSP knows this and may intentionally design for lock-in.

Ask: If I leave, how much of my configuration is in your proprietary tools? Will I be able to export everything in a format another vendor can understand? Can a new MSP pick up where you left off, or would there be significant translation work? Good MSPs use standard tools that another vendor can manage. If an MSP uses proprietary tooling for everything — monitoring, configuration, documentation — ask whether that's for legitimate technical reasons or for lock-in.

Below-Market Pricing Means Something Is Being Cut

If an MSP promises everything at a price significantly below competitors, something is being cut. Either they're understaffed, overselling scope that you'll discover gaps in later, planning to raise prices once you're locked in, or planning to nickel-and-dime you with constant add-ons.

Pricing similar to competitors is not a sign of a bad deal — it's a sign the market is efficient and you're getting market rate. Pricing significantly lower is a warning sign. Ask them specifically how they can offer such attractive pricing. If the answer is "we're just very efficient," ask them to prove it. If they can't explain the pricing gap, you're looking at a sustainability problem or hidden costs that will surface after you sign.

Red flags during evaluation predict red flags during the relationship. The MSP that's evasive, vague, pushy, or dismissive of your questions is showing you how they'll treat you as a customer. The one that answers directly, acknowledges limitations, and provides flexibility is showing you a different kind of partnership. Listen to those signals.

Frequently Asked Questions

What is the single biggest red flag when evaluating an MSP?
Evasiveness about security practices. Your MSP will have administrative access to your systems, and if they can't clearly articulate their MFA requirements, access controls, incident response plan, and certification status, they either haven't thought about security seriously or they know their practices won't hold up to scrutiny. Either way, that's disqualifying.

How do I know if an MSP's pricing is too low?
Compare their quoted price against at least three other providers for the same scope of services. If they're 20–30% below the field, something is different — and you need to understand what. Ask them directly how they deliver the same services at a lower price point. Credible answers include geographic cost advantages, a smaller team with less overhead, or a narrower scope of services. Vague answers like "we're just more efficient" are not credible.

Should I worry if the MSP pushes for a long-term contract?
Multi-year contracts are standard in the MSP industry — they provide stability for both parties. The concern isn't the contract length but the exit terms. Understand early termination fees, cancellation notice windows, auto-renewal clauses, and data handoff obligations. A long contract with reasonable exit terms is fine. A long contract with punitive exit terms is designed to trap you.

What does it mean if the MSP won't provide references?
It means they either don't have satisfied customers willing to speak on their behalf, or they're concerned about what those customers would say. Either is a serious problem. Any professional MSP with a track record should be able to produce multiple references from organizations similar to yours in size and industry.

How important is staff turnover at an MSP?
Very important. High turnover means the people who understand your environment leave regularly, new people must learn your systems from scratch, and there's a constant window of risk during transitions. Ask about average staff tenure and specifically about turnover on the team that would serve your account. If most staff have been there less than two years, expect continuity problems.