Somewhere around the 20-employee mark, most businesses hit an inflection point with IT. The owner’s nephew who “knows computers” can’t keep up anymore. The one internal IT person is drowning in help desk tickets and never gets to strategic projects. Or worse, nobody is managing IT at all — just reacting when things break.
That’s when Managed Service Providers (MSPs) enter the conversation. But the MSP industry has a reputation problem: vague proposals, confusing pricing, and a tendency to oversell and underdeliver. So here’s a straightforward look at what MSPs actually do, what they cost, and how to tell the good ones from the bad ones.
Break-Fix vs. Managed Services: Two Very Different Models
Before we get into MSP specifics, you need to understand the two fundamental IT support models.
Break-Fix
You call someone when something breaks. They bill you by the hour. Typical rates run $150-$250/hour for on-site work, $100-$175/hour for remote support. There’s no ongoing relationship — you’re paying for reactive repairs.
Break-fix works when you have very simple IT needs (under 10 employees, no servers, basic cloud setup) and can tolerate downtime while you wait for a technician. The economics fall apart quickly once you have enough infrastructure that problems become frequent — a few bad weeks can cost more than a year of managed services.
Managed Services
You pay a flat monthly fee. The MSP monitors your systems 24/7, handles routine maintenance (patches, updates, backups), provides help desk support, and manages your security stack. They make money by keeping things running smoothly, not by billing hours when things break.
This alignment of incentives is the core value proposition. A break-fix provider has no financial reason to prevent problems. An MSP has every reason to.
What Does an MSP Actually Cost?
MSP pricing typically falls into a per-user-per-month model. Here’s what the market looks like:
Budget Tier: $100-$150/user/month
At this level, you’re getting basic monitoring, patch management, antivirus, help desk support during business hours, and maybe some basic backup. The MSP is probably using a single RMM (Remote Monitoring and Management) tool like ConnectWise Automate or Datto RMM, a basic ticketing system, and commodity security tools.
This tier is fine for very small businesses with minimal compliance requirements. Don’t expect proactive security management, after-hours support, or strategic IT planning.
Mid-Market: $150-$200/user/month
This is where most competent MSPs land. You should expect:
- 24/7 monitoring with a staffed NOC (Network Operations Center)
- Help desk support during extended business hours, with after-hours emergency coverage
- Endpoint protection with EDR (Endpoint Detection and Response) — tools like SentinelOne, CrowdStrike, or Microsoft Defender for Endpoint
- Patch management for OS and third-party applications
- Backup management and disaster recovery planning
- Basic security awareness training
- Quarterly business reviews with IT roadmapping
- A named account manager or virtual CIO (vCIO) for strategic guidance
Premium Tier: $200-$250+/user/month
At the premium end, you’re adding:
- Full security stack management (SIEM, SOC, vulnerability scanning)
- Compliance support for HIPAA, SOC 2, PCI-DSS, or CMMC
- Full after-hours help desk (not just emergencies)
- On-site support hours baked into the contract
- Network and infrastructure management (switches, firewalls, WiFi)
- Mobile device management (MDM)
What’s Typically NOT Included
Even in comprehensive agreements, certain things are usually billed separately:
- New projects — setting up a new office, migrating to a new platform, deploying new infrastructure. These are scoped and quoted as one-time projects.
- Hardware — most MSPs will procure hardware for you, but the cost is passed through or financed separately.
- Line-of-business application support — your MSP handles the infrastructure, but they’re probably not supporting your custom ERP or industry-specific software.
- Internet circuits and telecom — some MSPs will manage the vendor relationship, but circuit costs are yours.
What a Standard MSP Agreement Looks Like
A typical managed services agreement (MSA) runs 1-3 years. Here’s what to look for in the contract:
SLA (Service Level Agreement) Expectations
The SLA defines response and resolution times by severity level. A reasonable SLA looks like:
| Severity | Description | Response Time | Resolution Target |
|---|---|---|---|
| Critical | Business down, all users affected | 15-30 minutes | 4 hours |
| High | Major service degraded, multiple users affected | 30-60 minutes | 8 hours |
| Medium | Single user impacted, workaround available | 2-4 hours | 24 hours |
| Low | Non-urgent request, no business impact | 8 hours | 48-72 hours |
Pay attention to the difference between response time (when they acknowledge the issue) and resolution time (when it’s actually fixed). Some MSPs advertise a 15-minute response time but bury the fact that resolution targets are undefined.
Onboarding
Switching to a new MSP is a significant undertaking. A good provider will do a thorough onboarding that includes:
- Full network discovery and documentation
- Security assessment and baseline
- Migration of management tools (deploying their RMM and security agents)
- Documentation of all credentials, licenses, and vendor contacts
- Meeting with key stakeholders to understand business priorities
Budget 30-60 days for onboarding. If an MSP says they can be fully operational in a week, they’re either cutting corners or lying.
How to Evaluate MSPs: Questions That Matter
When you’re comparing providers, these questions separate the serious operators from the ones running on duct tape and good intentions:
Technical Competence
- What RMM and PSA platforms do you use? Look for established tools like ConnectWise, Datto, or NinjaOne. Custom-built tools are a red flag — they’re usually underfeatured and poorly maintained.
- What’s your security stack? They should be able to name specific EDR, email security, and backup products. If they say “we use best-of-breed tools” without naming them, push harder.
- How do you handle patching? Patches should be tested before deployment, rolled out on a schedule, and monitored for failures. “We turn on auto-update” is not a patching strategy.
- What certifications does your team hold? Look for Microsoft partner status, CompTIA Security+, Cisco certifications, or vendor-specific certs relevant to your environment.
Operational Maturity
- How many clients do you support per technician? Industry average is around 80-100 endpoints per technician. If they’re running lean at 150+, response times will suffer.
- Do you have a staffed NOC, or is “24/7 monitoring” just automated alerts going to an on-call phone? There’s a massive difference between a team watching dashboards and a pager going off at 3 AM.
- What does your escalation path look like? You should know exactly what happens when a Level 1 tech can’t resolve your issue — how quickly does it get to Level 2 or Level 3?
- Can I see a sample monthly report? Reports should include ticket metrics, SLA compliance, security events, and patch compliance rates. If they don’t measure it, they can’t improve it.
Business Practices
- Who owns my data and documentation if we leave? Your credentials, network diagrams, and configuration documentation should be yours. Period. Any MSP that holds this hostage during offboarding is running a racket.
- What’s the termination clause? Look for 30-60 day notice periods. Contracts requiring 6+ months notice to terminate are a red flag.
- Do you carry cyber liability insurance? A responsible MSP carries errors and omissions (E&O) insurance and cyber liability coverage. Ask for proof.
Red Flags to Watch For
After years in this industry, certain patterns reliably predict a bad MSP relationship:
- No documentation. If your current MSP can’t produce a network diagram, asset inventory, or password vault, they’re flying blind and so are you.
- Slow ticket response with excuses. “We’re short-staffed this week” every week means they’re permanently understaffed. Your SLA should protect you here.
- Recommending hardware they resell at high markup. MSPs should be transparent about hardware costs. If they won’t show you the wholesale price, they’re making margin at your expense.
- No security focus. An MSP that doesn’t bring up security in the first conversation is living in 2010. Security should be woven into everything they do, not an expensive add-on.
- One-person shops posing as full MSPs. Nothing against solo consultants — they serve a purpose. But if you need 24/7 coverage and your “MSP” is one person with a cell phone, you don’t have an MSP.
- They never push back. A good MSP should occasionally tell you “that’s a bad idea” — running unsupported software, skipping MFA, giving everyone admin rights. If they agree with everything, they’re order-takers, not advisors.
When You Don’t Need an MSP
To be fair, not every business needs managed services:
- Under 10 employees with simple needs (cloud email, a few laptops, no servers): A break-fix relationship or a part-time consultant may be more cost-effective.
- You have a strong internal IT team that just needs staff augmentation for specific projects: Co-managed IT agreements let you keep your team while adding depth in areas like security or cloud.
- Your industry requires in-house IT for compliance or operational reasons: Some organizations need boots on the ground. An MSP can still supplement with NOC services or security monitoring.
Finding the Right MSP in Nashville
Nashville’s business community has grown significantly over the past decade, and the MSP market has grown with it. The challenge isn’t finding an MSP — it’s finding one with the technical depth, operational maturity, and cultural fit to be a genuine partner rather than just a vendor.
Exodata has been providing managed IT services to Nashville-area businesses across healthcare, professional services, and manufacturing. We operate a staffed NOC, maintain deep expertise in security and compliance, and believe that honest, transparent partnerships produce better outcomes than slick sales pitches.
If you’re evaluating MSPs — or frustrated with your current one — start a conversation with our team. We’ll give you a straight assessment of what you need, even if the answer is that you don’t need us.
Looking for reliable IT support? Exodata provides managed IT services with 24/7 support and a 15-minute response SLA. Contact us to learn how we can help.