In today’s business landscape, where technology and cybersecurity are foundational, not optional, choosing the right Managed IT Services Provider (MSP) is more than just a line item on a budget. It’s a strategic decision that can directly impact your operations, resilience, and bottom line.
With the growing number of MSPs in the market, getting lost in a sea of promises and service bundles is easy. But behind the slick pitches and feature lists, not all MSPs are built the same. We believe every business should understand exactly what they’re buying into—because the right partnership should be clear, effective, and built to last.
You’ve heard it before: you get what you pay for. And in the MSP world, that rings especially true. As the industry matures, we see a clear split between Price-Centric and Value-Centric MSPs. One focuses on cutting costs; the other on delivering outcomes. In this article, we’ll explain what that means, what to watch for, and how to choose an MSP that fits your risk tolerance and business priorities, without the smoke and mirrors.
Price-Centric MSPs
Price-centric MSPs lead with low rates—and on the surface, that can be appealing. But to keep those upfront costs down, they often trim out essential components. Security tools, backup systems, or proactive monitoring may be offered à la carte—meaning you’ll need to add them back in later (if they even offer them) to meet best practices or your risk threshold.
It’s not inherently a bad model if your business is comfortable managing risk or has in-house IT support to fill the gaps. But be cautious: price-centric MSPs often come with long lists of support exclusions. That can lead to surprise charges when something breaks or falls outside the fine print. In short, the price may look low—but the total cost of ownership can stack up quickly.
Here are several things to consider:
- They may charge extra for certain technical or proactive services like:
- Server Backups
- Microsoft 365 or Google Workspace Backups
- Onsite work
- Specific types of incidents (Helpdesk)
- PC deployments
- Adding or removing users
- vCIO (Virtual Chief Information Officer)
- Strategic planning
- Access to training platforms
- Firmware/bios updates for Critical Infrastructure
- Penetration Testing
- They may reduce the frequency at which certain services are performed:
- Applying security updates every year, or not at all, instead of each month
- Performing phishing testing once per year, instead of every week or two
- They may remove certain types of security services like:
- SOC (Security Operations Centre) Protection
- Phishing Testing
- DarkWeb Monitoring
- On-going compliance checks (year-round)
- They may include lower-quality vendors
(e.g. using a weaker antivirus that detects or stops less) - They may charge for onboarding
No two MSPs are exactly alike; this isn’t a one-size-fits-all checklist. When you receive a proposal, it’s worth taking the time to dig deeper. Go beyond the headline price to understand what’s included and, as importantly, what’s not.
If price is your main driver, ensure you’re comfortable with the trade-offs. What will it cost to add back critical services down the line? And how could those support exclusions impact your business if something goes wrong? A cheaper monthly rate can quickly become more expensive when unexpected issues or gaps in service arise. Knowing what you're signing up for upfront helps you avoid surprises later.
Value-Centric MSPs
Value-centric MSPs generally come with a higher price tag, but that’s because they include more out of the gate. Their offerings are typically more streamlined, making it easier for businesses to align with IT best practices without needing to piece together services or worry about hidden gaps.
These providers tend to be proactive, security-focused, and process-driven. They often integrate more deeply with your business, offering strategic planning and consistent support instead of just reacting when something breaks. Because most essentials are already included, there’s usually no long list of exclusions or upcharges for standard services. What you see is closer to what you get.
While they may seem more expensive upfront, a value-centric MSP can cost less in the long run, especially once you factor in the actual cost of adding necessary services back into a stripped-down, price-centric offering.
Questions to ask each MSP
To navigate the complexities, we’ve prepared a list of questions to ask MSPs. This will help you determine what is and is not included, allowing for a line-by-line comparison.
Helpdesk
What it is: Every MSP should offer a helpdesk to support your team.
Why it’s important: A weak helpdesk team impacts your team.
Question(s) to ask:
- How much helpdesk time is included during business hours per month?
- Is there an extra charge for on-site, after-hours or business-hours support?
- What types of support or incidents aren’t covered?
- To ensure efficient resolution, is there a mandatory escalation process, including a max duration per technician?
Preventative Maintenance
What it is: Your network connects many devices, including computers, servers, networking and more. All systems should be updated regularly for security, performance and stability.
Why it’s important: Many MSPs do not provide regular maintenance beyond Windows Updates. To protect the business, all network-connected systems, inside and outside your sites, should receive updates via maintenance.
Question(s) to ask:
- How often are Windows Updates applied to Desktops and Servers?
- How often are BIOS and Firmware updates applied to server hardware, network switches, wireless equipment, and firewalls? Is there an additional charge to apply these updates?
Asset Management & 24/7 Monitoring
What it is: Your network connects many devices, including computers, servers, networking and more. Each device should be tracked and catalogued so that you maintain an accurate inventory of assets.
Why it’s important: Security, taxation and visibility.
Question(s) to ask:
- Do you regularly scan all connected devices including computers, servers and networking equipment in real time for issues and for asset management purposes? If not, how much does it cost?
Computer Deployments
What it is: This refers to setting up and integrating new computer systems within your network.
Why it’s important: Proper computer deployments ensure that new systems are securely and effectively integrated into your existing network. Most MSPs do not include time to deploy or rebuild computers, which means your business will incur extra charges.
Question(s) to ask:
- Do you charge extra to deploy, or rebuild, computers? If so, how much?
- If deployment is included, must the computers be purchased from the MSP to be eligible?
- Do you come on-site to set them up? Is on-site deployment an extra charge?
- How do you ensure all computers are set up properly and include all software and settings for the particular user?
- Do you have an evergreening process that proactively helps replace computers every 3-5 years? How often do we meet to review the list of PCs and budget for them?
- Do you securely wipe the drive before reusing and rebuilding a computer for another user to ensure the next user cannot recover existing data?
Potential Impact: $250-$800 per PC per deployment
Adding / Removing Users
What it is: Users come and go. When this happens, accounts need to be created or shut down.
Why it’s important: Many MSPs charge extra to add or remove users.
Question(s) to ask:
- Do you charge extra to add or remove users? If so, how much?
Potential Impact: $50-$250 per user add or removal
Microsoft 365 or Google Workspace Backup Service
What it is: This service ensures that your data stored in Microsoft OneDrive, Google Drive, Teams, SharePoint, and Email are continuously backed up and safeguarded.
Why it’s important: It acts as a safety net, protecting your data from loss through accidental deletion, security threats, or unexpected issues typically caused by users (not Microsoft). As on-premise servers become irrelevant, backing up your data with Microsoft is just as important as a server backup.
Question(s) to ask:
- Do you include a Microsoft 365 or Google Workspace backup service that protects all users and shared data? If not, how much is it?
- How many times per day does it backup each user’s data?
- Does it protect private messaging data between users in Microsoft Teams?
- What doesn’t it protect?
- Where is the data stored when backed up (e.g. Canada)?
Potential Impact: $5-$10 per user per month.
EDR Protection
What it is: Endpoint Detection and Response (EDR) is a security solution that helps identify and respond to suspicious activities on endpoints like computers and servers.
Why it’s important: It enhances the protection of your endpoints from advanced threats, ensuring that risks are quickly identified and mitigated.
Question(s) to ask:
- Is EDR Protection included with the service for all computers and servers? If not, how much is it?
Potential Impact: $3-$7 per endpoint per month
SOC Protection
What it is: A Security Operations Center (SOC) is a centralized team that deals with security issues on an organizational and technical level. They provide real-time 24/7 security incident monitoring, containment, and support. A SOC should not be mistaken for regular 24/7 RMM monitoring, which is often designed to identify site outages or general technical issues.
Why it’s important: This ensures continuous surveillance of your systems, promptly identifying and responding to threats.
Question(s) to ask:
- Is a SOC (Security Operations Center) service included? If not, how much is it?
- Is the SOC service your own, or outsourced to a third party? Which one?
- Please clarify how your SOC service differs from standard RMM monitoring in terms of specific tools, processes, and personnel dedicated to real-time cybersecurity threat detection and response.
Potential Impact: $5-$20 per user per month
Penetration Testing
What it is: An annual security exercise where security professionals simulate cyberattacks on your system to identify vulnerabilities. There are numerous levels of Penetration Testing available.
Why it’s important: It helps proactively identify and address potential weaknesses before attackers exploit them. It also holds your MSP or MSSP accountable by having a third-party or third-party service analyze your cyber-security posture.
Question(s) to ask:
- Is Penetration Testing included? If not, what does it cost?
- Is the test performed by your own team or a third-party security partner? Who is it?
- Please explain the depth and extent of your penetration testing services, particularly focusing on whether it involves standard automated tool-based testing or advanced penetration testing involving cyber-security experts and more comprehensive testing techniques.
Potential Impact: $2,500-$50,000 per year, depending on the level of testing
Online University and Training Portal
What it is: Online platforms that provide various training modules related to cybersecurity and office productivity.
Why it’s important: Continuous learning helps keep the team updated with the latest best practices and threat prevention strategies.
Question(s) to ask:
- Is an online training portal available with course material that can be used during employee onboarding, or annually, to provide basic cyber-security training? If not, what does it cost?
- Does the portal offer additional courses for Microsoft 365 or Google Workspaces?
Potential Impact: $5-$15 per user per month
Phishing Testing
What it is: Regular simulated e-mail phishing testing provided by a service provider to educate the team and assess their awareness and responsiveness to emerging phishing threats.
Why it’s important: This exercise helps ensure your team is equipped to recognize and appropriately respond to ongoing phishing attacks.
Question(s) to ask:
- Is a Phishing Testing service included? If not, how much is it?
- Does the testing service run weekly, bi-weekly, monthly, quarterly, or annually?
- What happens when an employee fails a phishing test?
Potential Impact: $1-$5 per user per month
Dark Web Scanning
What it is: Regular scans on the dark web to ascertain if your business data is being traded or is at risk.
Why it’s important: It helps in identifying potential threats and data breaches early, enabling proactive protective measures.
Question(s) to ask:
- Is Dark Web Scanning included? If not, how much is it?
- How often does the service run its scans?
- When content is found, is there a charge to deal with remediation? If so, how much?
Potential Impact: $1-$5 per user per month
Drive Encryption
What it is: Tools like BitLocker are used to encrypt drives in computers, protecting the stored data.
Why it’s important: It adds an extra layer of security, safeguarding sensitive information like PII (Personally Identifiable Information) from unauthorized access and theft. For example, if an HR employee’s computer housing e-mail or documents about employees is lost or stolen, you must be able to prove it was encrypted or report the incident as a privacy breach to the government.
Question(s) to ask:
- Is Drive Encryption monitoring included for all computers? If not, how much?
Potential Impact: $2-$7 per device per month
Additional Considerations
Based on experience, we recommend confirming if the offering covers the following services or fees:
- Is After-Hours Support Included? Support outside of regular hours might be more expensive. Some providers charge higher hourly rates for after-hours services, adding to the cost. We recommend working with an MSP that includes after-hours support for emergencies, which should be defined by both parties ahead of time so that it’s understood.
- Does the MSP charge extra to support mobile devices (e.g. iPhone, iPad)? Some MSPs may charge an extra fee for each mobile device that needs support. Confirm if additional costs can be expected.
- Does the MSP charge to build quotes for Projects? Some providers might add extra charges for creating project quotes (we’re not talking about doing the actual project work). These fees can add unexpected costs, ranging from 0.5 to several hours of work. Ideally, you shouldn’t pay to have a quote created. This should be covered as part of the MSPs Proactive Process.
- Does the MSP support Third-Party Software? Support for LOB (line-of-business) software used by your team might not be included and could come with hourly charges, making the service more costly in the long run. Confirm if all of your software will be supported under the agreement.
- Does the MSP include LOB Software Updates? Applying updates to third-party software or fixing related issues might come with extra hourly costs, adding to the overall expense. Confirm if applying updates for applications like QuickBooks, Sage 300, or other applications is included.
- Are Unexpected Incidents from Software Updates covered? When updates are applied, unexpected problems might not be covered, leading to additional hourly charges for fixing issues not included in the standard package. Confirm if this is included.
- Does the MSP charge an Onboarding Fee? Starting the service might come with an extra fee, adding to the initial cost. This fee could be a flat rate or equivalent to a month of services.
- Does the MSP charge an Assessment Fee? Initial assessments may also have extra charges, adding another cost at the beginning of the service.
Example Comparison
As you receive proposals, build a comparison table that can be used to confirm what is and is not included, and how each addition or exclusion impacts the overall price. For demonstration purposes, the table below focuses exclusively on price influencers. When you build your own table, ensure you include all of the questions provided above so that you get a broader understanding to compare against.
In this example, after running the numbers against the total number of users, the Price-Centric MSP:
- Costs more
- Has less included in the offer
- Offers more risk because of the number of exclusions
If your business is looking for less risk each month, from both a financial and security perspective, the Value-Centric MSP is the logical choice.
Summary
Choosing the right Managed IT Services Provider (MSP) isn’t just a checkbox—it’s a decision that can shape how your business handles risk, security, and growth. Understanding the difference between Price-Centric and Value-Centric MSPs is key to making the right call.
Price-centric MSPs may offer lower upfront costs, but often exclude critical services or best practices. Those gaps can lead to hidden fees, operational disruptions, or costly surprises later. The initial savings may disappear once you factor in the price of adding those missing pieces back in.
While often more expensive on paper, value-centric MSPs tend to offer a more complete and proactive approach. With built-in security, strategic planning, and fewer exclusions, these MSPs can lower your total cost of ownership and give you peace of mind in the process.
When evaluating providers, don’t stop at the quote. Ask detailed questions. Compare line by line. Look closely at charges for onboarding, backups, user changes, and security. And consider the relationship: Do you want a true strategic partner, or just a helpdesk that answers tickets?
The goal is to build a resilient, effective, and transparent partnership that genuinely supports your business goals.
At SIRKit, we believe in clarity over confusion. As a Value-Centric MSP, our approach is built around complete, honest, and security-first service. If you're weighing MSP options, we’re happy to help—whether that means working with us or helping you make the right call for your business.