Buyer's Guide

12 Questions to Ask Any Cybersecurity Provider Before You Sign

The right MSSP is a business-critical partner. The wrong one gives you a false sense of security that's more dangerous than having nothing. These questions will separate the two.

The managed security services market is crowded and unevenly skilled. Many "MSSPs" are really managed IT providers that have added an antivirus deployment and a monitoring dashboard and called it security. A few are genuinely excellent. Telling them apart requires asking the right questions — and knowing what bad answers look like.

These 12 questions are the ones we recommend every SMB buyer use in any MSSP evaluation, including when evaluating us.

Q1. What does your monitoring actually cover — and what does it not?

Many MSSPs monitor endpoints only. Ask specifically whether coverage includes email, cloud (M365/Google Workspace), identity (Active Directory/Entra), network traffic, and dark web monitoring. If they can't give a clean answer on scope, assume gaps exist.

Red flag: "We monitor everything" without specifics.

Q2. What's your average response time when an alert fires — and what do you actually do?

Monitoring without response is a camera, not a security guard. Ask: who gets the alert, how fast, and what's their authority to act? Can they isolate an endpoint without calling you first?

Red flag: "We'll notify you" as the response plan — that puts the response burden back on you.

Q3. Do you have a SOC (Security Operations Centre), and is it yours or a third party's?

Many smaller MSSPs resell SOC services from a wholesale provider. That's not inherently bad — but you should know whether the threat analysts are in-house or outsourced, and what their SLA looks like.

Red flag: Evasive answers about whether they actually staff a SOC.

Q4. How do you handle incidents that happen outside business hours?

Ransomware does not respect office hours. Most SMB-targeted attacks hit Friday evening through Sunday. Ask for their after-hours escalation process in writing.

Red flag: No clear after-hours coverage, or coverage only available as an expensive add-on.

Q5. What compliance frameworks do you have experience with for my industry?

If you're an auto dealer, your MSSP should know the FTC Safeguards Rule cold. An insurance agency needs NAIC Model Law expertise. Generic compliance claims are not the same as vertical-specific experience.

Red flag: "We can help with any compliance framework" said by someone who clearly just Googled yours.

Q6. Can you show me a sample monthly report — the real one, not a marketing demo?

The quality of reporting tells you everything about how seriously they take your security. Good reports include: specific incidents, false-positive rates, coverage gaps, and strategic recommendations.

Red flag: A traffic-light dashboard with no context or narrative.

Q7. What tools are in your stack — and do they actually talk to each other?

A disjointed collection of point solutions creates alert fatigue and coverage gaps. Ask whether their EDR, SIEM, email security, and identity tools share telemetry.

Red flag: "Best-of-breed" used to mean "unintegrated" — push for specifics.

Q8. What's your client-to-analyst ratio?

An analyst managing 200+ clients cannot meaningfully respond to any of them. Industry benchmarks suggest 50–80 clients per analyst as a workable ratio for genuine managed security (not just monitoring).

Red flag: Refusal to share this number, or a ratio above 150:1.

Q9. What happens if you get breached?

MSSPs are high-value targets — SolarWinds, Kaseya, and multiple smaller incidents show this. Ask about their own security posture, segmentation between client environments, and what indemnification they offer.

Red flag: "We've never been breached" said as a final answer.

Q10. What does your onboarding process look like, and how long does it take?

A 90-day onboarding with no security during that period is a risk. Ask for week-by-week milestones and what coverage exists during the transition.

Red flag: No documented onboarding process.

Q11. What are the contract terms — minimum commitment, exit clauses, and what you own?

Some contracts lock you in for 3 years with punishing exit clauses. Others keep your security data in a proprietary format you can't export. Read these before signing.

Red flag: Multi-year minimums with data lock-in and no exit provisions.

Q12. Can I talk to two or three current clients in a similar industry and size?

Any legitimate MSSP should be able to provide references. A business in your vertical that has worked with them for 12+ months is the most valuable data point you can collect.

Red flag: References are unavailable, heavily managed, or only from large enterprises.

Green Flags to Look For

  • Written, role-specific incident response playbooks they can show you
  • Transparent about what they don't cover
  • Proactive about your specific regulatory environment
  • Client references in your industry that you can actually call
  • Plain-English reporting with strategic context, not just metric dashboards
  • No pressure to sign before you've had time to review the contract

The Question of Price

Price is rarely the right primary criterion. An MSSP charging $250/month for "enterprise-grade security" is almost certainly delivering neither. The economics of managed security require real people, real tools, and real processes — none of which are cheap.

That said, cost-effective security for SMBs is achievable. Platforms have matured, and a well-structured SMB-focused MSSP can deliver meaningful protection at $375–$1,400/month for a business of 5–25 people. The key is understanding what's included — not just what's advertised.

Ask for a line-item breakdown: what tools, what monitoring coverage, what response capacity, what reporting cadence. Then ask the same questions of every provider you're evaluating so you're comparing like for like.

One Final Check: The Google Test

Before signing anything, Google the provider's name plus "breach," "outage," and "complaint." Check their Better Business Bureau profile. Look for any public regulatory actions or lawsuits. This isn't foolproof, but it takes five minutes and sometimes surfaces material information that the sales call didn't.


Ask Us Those Same 12 Questions

We welcome the scrutiny. Book a free 30-minute assessment and bring your list. We'll answer every question — in plain English, with no pressure.
