Start with the obvious filter: do they actually cover your area?
A surprising number of "Paducah managed IT" providers are based in Louisville or Nashville and treat Western Kentucky as a satellite market. That's not a dealbreaker — modern MSP work is remote-first — but it's a question to ask early. If the provider's nearest office is three hours away and your network needs an after-hours truck roll, what's the actual SLA? "Same-day onsite" means different things from Hopkinsville versus from Louisville. Get the answer in writing, not in a sales call.
For pharmacies, clinics, and any HIPAA-aligned business, also ask whether the provider has worked with your specific dispensing system or EHR. "We can learn it" is not the same as "we already coordinate with the vendor weekly." The pharmacy-IT learning curve is real.
The evaluation framework: nine questions that separate signal from sales-pitch
1. Is your pricing per unit, per user, or hourly?
Three honest pricing models exist, and each tells you something about how the MSP thinks about the relationship. Per-unit (per device, per mailbox, per location) is auditable line-by-line and predictable; per-user flat-rate is simpler to model but tends to average up at small scale; hourly / block-hour / break-fix is cheap on paper and unpredictable in reality. None of the three is wrong — but the MSP should be able to explain in one sentence why they chose theirs and what tradeoffs come with it. See our breakdown of what IT support actually costs in 2026.
2. Can you list the vendors in your security stack, by layer?
The good answer is specific: "Datto EDR for endpoint, Microsoft Defender for email, Inky for anti-phishing, NextDNS for DNS filtering, Ubiquiti for network, Datto for backup." That tells you (a) there's an actual stack, (b) the vendors are reputable, (c) the layers are covered. The weaker answer is "we use best-in-class tools." That's a hedge.
3. What's your SLA on tickets, and is it measured?
"We get back to you quickly" is not an SLA. Real numbers look like: "≤1-hour response on tickets during business hours, after-hours emergency number included on every plan, response times reported quarterly with the actual numbers, not a vendor-supplied stock chart." Ask for the most recent quarter's report.
4. How are projects priced?
Fixed-price up front is the right default. "Time and materials" or "we'll let you know when we're done" is a recipe for surprise invoices, especially on big-ticket projects like office buildouts, AD migrations, or EHR cutovers. Confirm that project work is scoped, priced, and approved before any technician touches a keyboard.
5. What does your onboarding look like, week by week?
A good MSP has a documented onboarding process — usually a phased approach over 30–90 days that discovers the existing environment, stabilizes the immediate risks, and then optimizes the stack over time. If onboarding is "we'll connect to your network and see what's there," the rest of the relationship will be similarly improvisational.
6. What's the contract term and termination notice?
Reasonable: 12-month initial term, 60–90-day termination notice after the initial term, a written offboarding process that returns your data and your documentation. Watch for: multi-year auto-renew traps, "termination fees" that effectively buy out the remaining term, refusal to document the offboarding process. The MSP that plans to earn the renewal is the one to keep.
7. How do you handle vendor coordination?
Most small businesses have at least a few SaaS vendors the MSP doesn't manage directly — the EHR, the practice-management software, the niche industry app. Ask: when one of those vendors is the root cause of a problem, who calls them? The right answer is that the MSP makes the call and stays on the line. The wrong answer leaves you stuck triaging between vendors while everyone says "it's the other guy's problem."
8. What does the quarterly business review cover?
A QBR isn't a sales meeting. It should cover: ticket volume and resolution time, security posture (controls in place, gaps closed), patch compliance, backup-restore test results, the 12-month roadmap, the budget for any upcoming hardware refreshes. If the QBR is mostly "here's how things are going" without numbers, ask to see a sample of what a real QBR looks like with a real client (anonymized).
9. Who do you say no to?
The MSP that wants every client is usually the wrong fit for most clients. The good answer sounds like: "We don't take clients who refuse MFA, who won't enforce EDR, or who want pure break-fix without a security floor." That's a partner with a defined service model, not a sales pipeline.
Three patterns that should make you pause
- "Unlimited everything" — if every line item is unlimited, the contract is hiding something. Look at the exceptions.
- No published pricing, no quote until "discovery" — reasonable for a complex environment, suspicious for a 10-person office. Most MSPs can ballpark within 15% from a 15-minute call.
- Heavy emphasis on selling the cybersecurity insurance, not building the controls — the controls reduce your premium and protect you in a claim. The insurance is the floor, not the strategy.
How to make the apples-to-apples comparison
Build a simple grid with one row per MSP and columns for: monthly cost (with units broken out), security-stack vendors (named), SLA numbers, project pricing model, contract term, onboarding length, QBR contents. Even if the proposals come in different formats, normalize them into the grid. The right answer usually becomes obvious within ten minutes of seeing the proposals side-by-side — not because one is cheaper, but because one has clearer answers across the board.
Then do the soft side: call one current client of each MSP (they should provide references on request) and ask two questions. "What's it like when something goes wrong?" and "If you were starting over, would you pick them again?" The reference call usually clarifies what the proposal can't.
