Questions to Ask Potential MSPs
Reviewed by the Fully Compliance editorial team. Updated March 2026.
The short answer: The questions that matter most cover SLA specifics with enforcement mechanisms, security practices including SOC 2 status and MFA requirements, staffing quality and tenure, escalation procedures, on-site availability, and contract exit terms. How the MSP answers matters more than what they answer — evasiveness, marketing language, and defensiveness are disqualifying signals regardless of the content.
You're interviewing managed service providers, and you sense you might be in for a long conversation. Good. The MSPs that breeze through sales calls with confident smiles and quick answers aren't necessarily the ones you should hire — they're the ones who've perfected their pitch. What separates a competent vendor from one that will nickel-and-dime you for years is whether they'll actually answer your hard questions and whether their answers reveal honest self-awareness about what they can and can't deliver.
The best MSPs know this. They expect to be interrogated. They've already been through these conversations with other clients and with their insurance carriers. They have answers ready because they take evaluation seriously. The ones that get defensive or treat your questions as an imposition are already telling you how they'll handle escalations and problems — dismissively.
SLAs Must Be Specific, Measurable, and Enforced — Not Aspirational
Service level agreements matter, but most companies treat them like window dressing. An SLA is only valuable if it's specific, measurable, and actually enforced. Don't ask about SLAs in abstract terms. Ask about what they commit to when things go wrong.
Start with response time. Ask what their typical response time is for critical issues versus high-priority issues versus routine requests. "Typical" is more important than "maximum": a contractual ceiling or a best-case figure doesn't tell you much, but the average response time tells you how they actually operate. Push for numbers: "Two hours for critical issues, four hours for high priority, same business day for medium, next business day for routine" is a reasonable framework. If they hedge on this, they're uncomfortable committing to specific timelines, which means they don't reliably meet them.
Then ask about resolution time, not just response time. Responding to your ticket at 2 AM does you no good if the issue doesn't get fixed for three days. Resolution time commitments are rarer because they're harder to guarantee — sometimes the fix requires coordination with vendors or third parties. But a mature MSP tells you they aim to resolve critical issues within four to eight hours, high-priority within one business day, and everything else within a defined timeline.
Ask them for data. Have they actually been meeting these SLAs? Can they provide statistics on compliance? An MSP that can tell you "we met our critical response SLA 98% of the time last quarter" is already more credible than one that just asserts they're responsive. ConnectWise's 2024 MSP Benchmark Report found that top-performing MSPs track SLA compliance in real time and share dashboards with customers — if your prospective MSP can't produce compliance data, they're not tracking it.
Then ask what happens when they miss. Do customers get credit automatically, or do you have to fight for it? An MSP that automatically credits customers has built that into their business model and takes these promises seriously. One that makes you request credits is betting you won't bother.
Finally, ask what's not covered by the SLA. Every MSP has exclusions — vendor outages, user error, network problems caused by the customer. These exclusions can be reasonable, but they can also be loopholes that swallow the rule. An MSP might claim 99% SLA compliance while excluding half the scenarios where you actually need support.
Security Questions Are Non-Negotiable — and the Answers Must Be Concrete
Your MSP has privileged access to your systems, your data, and your infrastructure. If they get breached, you get breached. If their security is weak, your security is weak, regardless of what you spend on your own tools. This is non-negotiable territory.
Start with certifications. SOC 2 is the baseline for any IT service provider that handles customer data. (Strictly, SOC 2 is an independent auditor's attestation report rather than a certification, but vendors commonly call it one.) If an MSP doesn't have SOC 2 certification, that's a red flag. Don't accept "we're very secure, we just haven't done the certification." They've had time to get it, and most reputable MSPs have. If they're resisting, ask why. "This year" is a reasonable timeline for obtaining it. "We're thinking about it" is not. Sophos's 2024 Active Adversary Report found that MSP-targeted attacks increased 78% between 2021 and 2024. The stakes are too high for unverified security claims.
Once you understand their certification status, ask to see their SOC 2 report. If they have it, they should provide it under NDA. If they won't show it, that's strange and worth exploring.
Then ask about specifics. How do they manage administrative access to customer systems? This is the most important question because most breaches trace back to overly permissive access or stolen credentials. You need to hear that they use multi-factor authentication for all admin access, that they use a privileged access management tool to control and log who accesses what, and that they have audit trails showing exactly who made changes in your environment. If their answer is "we have strong password policies," that's not good enough.
Ask about employee vetting. Do they do background checks on all staff with access to customer systems? At minimum, everyone with any access to your data should be vetted. If they exclude contractors or part-time staff, that's a vulnerability they're comfortable with, and you shouldn't be.
Ask about incident response. Do they have a documented incident response plan? Have they tested it? If they haven't tested it, they don't have one — they have an untested hypothesis. Ask what happens if they discover they've been compromised in a way that might affect your data. What's their notification timeline? 24 hours is reasonable. 72 hours is the regulatory floor, not a service standard.
Staffing Quality Determines Whether You Get Expertise or Escalation Chains
MSP quality is fundamentally a people problem. You're not hiring a company — you're hiring the people at that company to understand and manage your environment. High turnover, lack of specialization, and overwork all degrade service quality in ways that are hard to measure until you're locked into a contract.
Ask about staff tenure and stability. What's the average tenure of their technical team? "Some people here five years and some who are new" is normal. "Most of our staff is under two years" means you're constantly retraining them on your environment with minimal institutional knowledge. Every time a familiar face leaves, you're starting over. Ask specifically about your account — who would be the primary contact? How long have they been with the company?
Ask about expertise gaps. What certifications does their team hold? What specializations do they have? If your environment is primarily Microsoft, do they have Azure certifications? If you run Linux, do they have relevant experience? An MSP full of Microsoft specialists is great for a Windows-centric organization but creates blind spots elsewhere.
Ask about the ratio of engineers to customers. An MSP with 20 engineers and 200 customers can probably serve you well. The same MSP with 20 engineers and 500 customers is stretched thin. They might not want to tell you this number — it reveals their capacity limits. But reluctance to discuss how they staff for service delivery is itself informative. The Bureau of Labor Statistics reports average IT sector turnover at approximately 13% annually as of 2024 — ask how the MSP compares.
Ask whether problems always flow through junior staff or whether you have access to senior expertise when it matters. Every MSP has junior technicians doing first-level support — that's efficient and appropriate. But when a problem gets complicated, does it escalate to someone with deep expertise, or does it get bounced between junior people who are all learning?
Remote Support and On-Site Availability Must Be Explicitly Defined
How the MSP supports you matters — not every issue can be resolved remotely, and vague commitments around on-site support create expectation gaps.
Ask about the support tools they use. Do they have monitoring agents running on your systems continuously, or do they connect remotely on an as-needed basis? Continuous monitoring is better because it gives them real-time visibility. Ask how they secure remote access. If they rely on manual screen-sharing sessions, that's weaker than having permanent agents with secured, logged access. They should authenticate with their own accounts, not with your credentials.
Ask about on-site support. Some issues genuinely require hands-on work — hardware failures, network problems, security incidents requiring forensic investigation. Can the MSP provide on-site support? How quickly? Is it included in the base price or billed separately? Do they have technicians geographically distributed who can reach you?
Response time is crucial. Ask them to walk you through what happens when you call with an emergency at 3 AM on a Saturday. Who gets the page? How long before a human responds? What's the chain of escalation if the first person can't solve it? If the answer involves "next business day," you're not getting 24/7 support regardless of what they market.
Escalation Procedures Reveal the MSP's Real Quality
This is where the MSP's real quality becomes visible. When something goes wrong, how do they respond? Do they investigate, or do they deflect?
Ask about their escalation procedure. When you report a problem, who gets notified? How does it move up the chain if initial troubleshooting doesn't resolve it? You want clarity — "critical issues escalate to the on-call senior engineer within 30 minutes if not resolved at first level."
Ask what happens if the MSP makes a mistake that causes downtime. Do they investigate root cause? Do they provide a post-incident review explaining what went wrong and how they'll prevent it? Do they compensate you for downtime caused by their errors? An MSP that does post-incident reviews and provides root cause analyses is learning from mistakes. One that just moves on to the next ticket repeats the same mistakes. Ask whether they track recurring issues and proactively fix root causes or just reactively respond each time the problem surfaces.
Reference Checks and Customer Retention Data Validate the Sales Pitch
Talk to their existing customers. Ask for references from similar-sized companies in similar industries who've been customers for at least two to three years. Long-term customers tell you whether the MSP improves things or just maintains them.
Ask the MSP what percentage of their customers renew their contracts. If it's 80% or higher, customers are satisfied enough to stay. If it's lower than 60%, something's wrong. Ask what their average customer lifetime is. If it's less than two years, understand why.
When you call references, ask about real experience, not just satisfaction: How responsive is the MSP during a problem? Have they ever had a critical issue that required immediate help? How did the MSP handle it? Ask whether the main contact has changed. If the account manager changed three times in two years, that's a red flag.
Contract Terms Must Protect You, Not Just the MSP
Read the contract carefully before you sign, and ask specific questions about the terms that protect you.
Ask about termination. What notice do you have to provide? 30 days is reasonable. 90 days is standard. Six months or longer should trigger skepticism. Is there an early termination fee? Some MSPs charge the full remaining contract value. Others charge a percentage or flat fee. Understanding this matters because it determines how much it costs to leave if the relationship isn't working.
Ask about auto-renewal. Some MSPs use auto-renewal with narrow cancellation windows — you have to provide written notice 60 or 90 days before renewal, and if you miss the window, you're locked in for another year or more.
Ask what happens to your data, documentation, and configurations if you leave. Can you export everything? Will they help you transition to a new provider? A good MSP makes offboarding relatively clean because they know a good breakup protects their reputation.
Ask about scope creep. The contract must specify what's included in the base price and what's billable separately — new user setups, after-hours support, hardware procurement, compliance-related projects. If the scope is vague and the MSP interprets it broadly, your bill grows quickly.
How They Answer Matters More Than What They Answer
The questions you ask matter, but how they answer matters more. A good MSP answers directly, acknowledges where they're not the best fit, and provides specifics. If you ask "what's your response time," they say "typically four hours for high-priority issues" rather than "we're very responsive." If you ask about certifications, they tell you exactly which ones they hold, when they were last audited, and offer to show you the report.
A mediocre MSP uses marketing language: "We focus on customer success." "We follow industry best practices." "We take security very seriously." These phrases mean nothing without specifics. An MSP that won't answer directly, that deflects hard questions, or that gets defensive is revealing how they'll operate once you're locked in. The ones that are helpful, honest about limitations, and willing to engage with your concerns are the ones worth trusting.
Frequently Asked Questions
What's the single most important question to ask an MSP?
"What happens when you make a mistake that causes downtime for my organization?" The answer reveals accountability, incident response maturity, and cultural attitudes toward ownership. An MSP that describes root cause analysis, post-incident review, client notification, and prevention measures is operating at a mature level. One that deflects or insists they don't make mistakes is not.
How do I compare MSPs when they all structure their services differently?
Break the evaluation into categories: SLA commitments, security certifications and practices, staffing quality and tenure, included services versus add-ons, and contract terms. Score each MSP in each category based on specifics, not marketing claims. The MSP that provides the most concrete, verifiable answers across all categories is typically the strongest choice.
Should I negotiate MSP contracts?
Yes. SLA terms, pricing, scope definitions, termination clauses, and auto-renewal terms are all negotiable. The MSP's initial proposal is a starting point. Push for specific SLA commitments with enforcement mechanisms, clear scope definitions that minimize ambiguity, reasonable termination terms, and pricing that reflects your actual needs rather than their standard package.
How important are certifications compared to references?
Both are essential but serve different purposes. Certifications — especially SOC 2 Type II — validate that security controls and processes exist. References validate that the MSP actually delivers quality service in practice. An MSP with great certifications but poor references has the infrastructure but not the execution. An MSP with great references but no certifications has execution but questionable controls. You need both.
What contract length is standard for MSP agreements?
One to three years is standard. Shorter contracts give you flexibility but may come at a higher monthly rate. Longer contracts lock in pricing but create exit friction. The key is understanding the exit terms regardless of length — early termination fees, notice periods, data handoff obligations, and auto-renewal clauses matter more than the contract duration itself.
When should I walk away from an MSP during evaluation?
Walk away if they refuse to provide their SOC 2 report, get defensive about security questions, can't articulate specific SLA commitments, resist putting service definitions in writing, can't produce references from organizations similar to yours, or quote pricing significantly below market without a credible explanation. Any one of these is a serious concern. Two or more together is disqualifying.