itsupportreport.com

15 Cybersecurity Questions to Ask Your MSP

Cybersecurity is the place where MSP marketing and MSP reality diverge most. Almost every provider claims “enterprise-grade cybersecurity,” “24/7 SOC monitoring,” and a “comprehensive security stack.” Almost none of them mean the same thing by those phrases.

This is a list of fifteen specific cybersecurity questions to ask an MSP before you sign — phrased so a non-technical buyer can use them, with notes on what a good answer actually sounds like. Use it as a checklist on every sales call.

Why these questions matter more than the marketing

Most managed IT providers will pass a basic “do you have antivirus?” sniff test. The real question isn’t whether they have a security stack — it’s how thoughtfully they operate it. The differences that matter are operational: who is watching the alerts, how quickly they respond, what they do when they find something, whether they can prove any of it.

A weak provider treats cybersecurity as a checkbox. A strong provider treats it as a continuous operational discipline. The questions below are designed to surface which kind of provider you’re dealing with.

The 15 questions

1. What does your standard security stack include for a customer my size?

A real provider can list specific tools: EDR (e.g., SentinelOne, CrowdStrike, Defender for Endpoint), email security (e.g., Mimecast, Proofpoint, Defender for Office 365), MFA enforcement, password vault, vulnerability scanning, patch management, and DNS filtering. A weak provider will say “industry-leading tools” and pivot.

What a good answer sounds like: “For your size, we standardize on [named EDR], [named email security], conditional access in M365, [named password manager], and monthly vulnerability scanning. Any deviation from that is documented as an exception.”

2. Who is responsible for monitoring our security alerts?

A real provider names a Security Operations Center — either internal or a partner — and explains coverage. A weak provider says “our team” without specifying who, when, or how.

What a good answer sounds like: “Our SOC is staffed 24/7 by [number] analysts. Tier 1 alerts are triaged within 15 minutes; Tier 2 incidents involve a senior engineer within 30 minutes. We use [named SIEM/XDR] as the alert aggregation platform.”

3. What’s the difference between EDR and antivirus, and which do you deploy?

If they can’t explain the difference clearly, that itself is the answer. Antivirus is signature-based — it stops known threats. EDR (Endpoint Detection and Response) is behavior-based — it stops unknown threats by detecting suspicious activity, even from legitimate-looking software. EDR is now table-stakes for any business with sensitive data.

What a good answer sounds like: “We deploy EDR, not just antivirus. The difference matters because EDR catches behaviors traditional antivirus can’t see — e.g., a legitimate process being misused, lateral movement, encryption activity, etc.”

4. Do you enforce MFA on every account, including admin accounts?

The answer should be yes, with no exceptions. The single most common security gap discovered in MSP onboarding is a small number of admin accounts without MFA. A real provider audits and enforces it.

What a good answer sounds like: “Yes, MFA is enforced on every user account and every admin account. Admin accounts use phishing-resistant MFA (FIDO2 or hardware tokens, not SMS). We audit MFA coverage monthly.”

5. How do you handle privileged access?

Privileged access is the riskiest type of account — admin rights, global admin, etc. Real providers separate privileged access from normal accounts, log every use, and rotate credentials.

What a good answer sounds like: “We use a privileged access management platform — [named PAM] — to vault and broker access to admin credentials. Each privileged session is logged and recorded. Standing admin rights are minimized; just-in-time elevation is the default.”

A weak answer is “our techs use admin accounts when needed” — meaning shared, persistent admin credentials with no audit trail.

6. What happens in the first 30 minutes of a confirmed security incident?

A real provider has a documented incident response runbook. They can describe what happens, who is notified, what gets contained, and how communication flows. A weak provider says “we’d handle it” without specifics.

What a good answer sounds like: “Within 30 minutes: containment of affected endpoints, escalation to our incident response team, notification of customer leadership, initial scoping. We have a written runbook; happy to share an excerpt under NDA.”

7. Is incident response included in the monthly fee, or billed separately?

Most contracts exclude incident response from the monthly fee — you pay $250–$450/hr extra when you most need help. A real provider will be upfront about what’s included and what’s billable.

What a good answer sounds like: “Initial triage and containment for the first 4 hours of any Sev 1 incident is included. Forensics, breach communication, and recovery are billed at $X/hr — we recommend a small annual incident retainer to streamline that work.”

8. Do you have cyber insurance, and what does it cover?

A real provider carries professional liability AND cyber insurance covering their own potential negligence. You should ask to see a Certificate of Insurance with limits.

What a good answer sounds like: “We carry $X million in cyber liability insurance and $Y million in errors-and-omissions coverage. Happy to provide a COI with our MSA. Note: our insurance covers our negligence; you should still carry your own cyber insurance.”

9. How do you back up our data, and how often is a restore tested?

Backups that aren’t tested aren’t backups. Real providers test restores monthly or quarterly and report results.

What a good answer sounds like: “We use [named backup tool] with [defined retention] for endpoints, servers, and M365. Restores are tested monthly on a rotating sample. Quarterly we run a full disaster recovery exercise. Reports go to your team automatically.”

10. How do you patch our systems, and what’s your patch compliance target?

Real providers patch on a defined cadence and report compliance percentages. The benchmark for SMB environments: 95%+ patch compliance for high/critical CVEs within 14 days of vendor release.

What a good answer sounds like: “Patches are deployed weekly via [named RMM]. Critical patches within 7 days, high within 14, medium within 30. We aim for 98% compliance on critical and report monthly. Our current customer-wide average is 96%.”
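The compliance percentage in that answer is only meaningful if you know how it is computed. As an added example (not code from the article or from any provider it describes), the script below takes a constructed patch export and the SLA windows quoted above (critical 7 days, high 14, medium 30) and produces the per-severity and overall compliance figures plus a list of overdue items. The field names, device names, patch ids and dates are invented for illustration; a real RMM export would need to be mapped onto this shape. It goes slightly beyond the text by defining how a still-open patch inside its window is counted, a detail a buyer should ask the provider to state explicitly.

```python
from datetime import date, timedelta

# SLA windows in days from vendor release, taken from the sample answer under
# question 10 (critical within 7, high within 14, medium within 30).
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30}

# Constructed sample export from a patch-management/RMM tool: one row per
# device-and-patch pair. Device names, patch ids and dates are made up.
SAMPLE_INVENTORY = [
    {"device": "WS-001", "patch": "KB-1001", "severity": "critical", "released": "2024-03-01", "installed": "2024-03-05"},
    {"device": "WS-002", "patch": "KB-1001", "severity": "critical", "released": "2024-03-01", "installed": "2024-03-10"},
    {"device": "SRV-01", "patch": "KB-1001", "severity": "critical", "released": "2024-03-01", "installed": None},
    {"device": "WS-001", "patch": "KB-1002", "severity": "high",     "released": "2024-03-01", "installed": "2024-03-12"},
    {"device": "WS-002", "patch": "KB-1002", "severity": "high",     "released": "2024-03-01", "installed": None},
    {"device": "WS-003", "patch": "KB-1003", "severity": "medium",   "released": "2024-03-10", "installed": None},
    {"device": "WS-001", "patch": "KB-1003", "severity": "medium",   "released": "2024-03-01", "installed": "2024-03-15"},
]


def _as_date(value):
    """Accept either an ISO date string or a date object."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def sla_deadline(row, sla_days=SLA_DAYS):
    """Date by which this patch must be installed to meet its severity SLA."""
    return _as_date(row["released"]) + timedelta(days=sla_days[row["severity"]])


def is_compliant(row, as_of, sla_days=SLA_DAYS):
    """Compliant means installed on or before the deadline, or still open but
    with the deadline not yet passed on the report date. A patch installed
    after its deadline stays non-compliant for the reporting period."""
    deadline = sla_deadline(row, sla_days)
    if row["installed"] is None:
        return _as_date(as_of) <= deadline
    return _as_date(row["installed"]) <= deadline


def patch_compliance(inventory, as_of, sla_days=SLA_DAYS):
    """Return {severity: {"compliant", "total", "percent"}} plus an "overall" entry."""
    report = {}
    for row in inventory:
        bucket = report.setdefault(row["severity"], {"compliant": 0, "total": 0})
        bucket["total"] += 1
        if is_compliant(row, as_of, sla_days):
            bucket["compliant"] += 1
    report["overall"] = {
        "compliant": sum(b["compliant"] for b in report.values()),
        "total": sum(b["total"] for b in report.values()),
    }
    for bucket in report.values():
        c, t = bucket["compliant"], bucket["total"]
        bucket["percent"] = round(100 * c / t, 1) if t else 100.0
    return report


def overdue_items(inventory, as_of, sla_days=SLA_DAYS):
    """Still-uninstalled patches whose deadline has passed, most overdue first.
    Patches installed late are non-compliant but are not listed here."""
    as_of = _as_date(as_of)
    out = []
    for row in inventory:
        deadline = sla_deadline(row, sla_days)
        if row["installed"] is None and as_of > deadline:
            out.append((row["device"], row["patch"], row["severity"], (as_of - deadline).days))
    return sorted(out, key=lambda item: item[3], reverse=True)


def meets_target(report, severity, target_percent):
    """True if reported compliance for that severity is at or above the target."""
    return report[severity]["percent"] >= target_percent


if __name__ == "__main__":
    report = patch_compliance(SAMPLE_INVENTORY, "2024-03-20")
    for severity, bucket in report.items():
        print(f"{severity:>8}: {bucket['compliant']}/{bucket['total']} ({bucket['percent']}%)")
    print("critical meets 98% target:", meets_target(report, "critical", 98))
    for device, patch, severity, days in overdue_items(SAMPLE_INVENTORY, "2024-03-20"):
        print(f"OVERDUE {device} {patch} ({severity}) by {days} days")
```

Run with the constructed data and a report date of 2024-03-20, critical compliance comes out at 33.3% against the 98% target, which is exactly the kind of number a monthly report should make visible rather than hide inside a blended "overall" figure.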

11. How do you protect against phishing, and do you run simulations?

Most breaches start with phishing. A real provider has both technical defenses (advanced email filtering, attachment sandboxing, link rewriting) AND user training with periodic simulations.

What a good answer sounds like: “Email security uses [named email security tool] with attachment sandboxing and URL rewriting. We run quarterly phishing simulations through [named platform] with mandatory remediation training for users who click. We report click-through rates and improvement trends to your team.”

12. What’s your security baseline for Microsoft 365 / Google Workspace?

Most companies live inside M365 or Google Workspace. The MSP needs a defined security baseline for these platforms.

What a good answer sounds like: “For M365, we enforce: MFA on all accounts, conditional access policies for unmanaged devices, audit log retention, ATP/Defender for Office 365, sign-in risk policies, mailbox auditing, and legacy authentication disabled. We run monthly Secure Score checks and report on changes.”
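Questions 4 and 12 both come down to whether the provider can show, with data, that the baseline is actually enforced. As an added example (not code from the article or any provider), the script below evaluates a constructed tenant export against the parts of that baseline that can be checked mechanically: every account has MFA, admin accounts use phishing-resistant MFA (FIDO2 or hardware tokens, not SMS), legacy authentication is blocked, and a conditional access policy exists for unmanaged devices. The account names, role list, method labels and tenant setting keys are all assumptions made for the example; a real export from the tenant's admin tooling would have to be mapped onto them.

```python
# Methods the sample answer under question 4 treats as phishing-resistant
# for admin accounts (FIDO2 / hardware tokens). SMS is explicitly not acceptable.
PHISHING_RESISTANT = {"fido2", "hardware_token"}

# Directory roles treated as privileged for this check (assumed list, not from the article).
ADMIN_ROLES = {"Global Administrator", "Exchange Administrator", "Security Administrator"}

# Constructed sample export of tenant accounts. Names and field layout are made up.
SAMPLE_ACCOUNTS = [
    {"upn": "alice@example.com",      "roles": ["Global Administrator"],   "mfa_methods": ["fido2"]},
    {"upn": "bob@example.com",        "roles": ["Exchange Administrator"], "mfa_methods": ["sms"]},
    {"upn": "carol@example.com",      "roles": [],                         "mfa_methods": ["authenticator_app"]},
    {"upn": "svc-backup@example.com", "roles": [],                         "mfa_methods": []},
    {"upn": "dave@example.com",       "roles": ["Security Administrator"], "mfa_methods": []},
]

# Constructed tenant-level settings for two items in the baseline (assumed key names).
SAMPLE_TENANT = {"legacy_auth_blocked": False, "conditional_access_unmanaged_devices": True}


def is_admin(account):
    """An account is privileged if it holds any role in ADMIN_ROLES."""
    return any(role in ADMIN_ROLES for role in account["roles"])


def account_findings(accounts):
    """One finding per non-compliant account as (upn, code).
    NO_MFA takes precedence over the admin-specific check."""
    findings = []
    for acct in accounts:
        methods = set(acct["mfa_methods"])
        if not methods:
            findings.append((acct["upn"], "NO_MFA"))
        elif is_admin(acct) and not (methods & PHISHING_RESISTANT):
            findings.append((acct["upn"], "ADMIN_NOT_PHISHING_RESISTANT"))
    return findings


def tenant_findings(tenant):
    """Tenant-wide baseline items that are off or missing."""
    findings = []
    if not tenant.get("legacy_auth_blocked", False):
        findings.append("LEGACY_AUTH_ENABLED")
    if not tenant.get("conditional_access_unmanaged_devices", False):
        findings.append("NO_CA_POLICY_FOR_UNMANAGED_DEVICES")
    return findings


def mfa_coverage(accounts):
    """Percent of all accounts with any MFA method, and percent of admins
    with a phishing-resistant method; these are the two numbers a monthly
    MFA coverage audit should report."""
    def pct(n, d):
        return round(100 * n / d, 1) if d else 100.0
    with_mfa = sum(1 for a in accounts if a["mfa_methods"])
    admins = [a for a in accounts if is_admin(a)]
    strong_admins = sum(1 for a in admins if set(a["mfa_methods"]) & PHISHING_RESISTANT)
    return {
        "all_accounts_mfa": pct(with_mfa, len(accounts)),
        "admins_phishing_resistant": pct(strong_admins, len(admins)),
    }


if __name__ == "__main__":
    print("coverage:", mfa_coverage(SAMPLE_ACCOUNTS))
    for upn, code in account_findings(SAMPLE_ACCOUNTS):
        print(f"ACCOUNT {upn}: {code}")
    for code in tenant_findings(SAMPLE_TENANT):
        print(f"TENANT: {code}")
```

The point of separating the admin figure from the all-accounts figure is that "MFA is enforced on every account" and "every admin uses phishing-resistant MFA" are different claims; a provider who can only produce the first number has not answered question 4 in full.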

13. Do you have any third-party security certifications? SOC 2? CMMC?

A real provider can name their certifications and offer a current SOC 2 Type II report under NDA. Smaller MSPs may not be SOC 2 audited yet — that’s not necessarily disqualifying, but they should have a clear answer.

What a good answer sounds like: “We’re SOC 2 Type II audited annually; happy to provide the most recent report under NDA. We also align to CIS Critical Security Controls. We are not [Cert X] because [honest reason].”

14. Can you describe a recent security incident at a customer and how it was handled?

Real providers will share, with details anonymized. A weak provider will say “we’ve never had one” or “I can’t share that.” Every MSP with real customers has handled incidents. Honesty here is itself a signal.

What a good answer sounds like: “Last quarter we handled [type of incident] at a [size/industry] customer. Detection was [X minutes from initial event], containment was [Y minutes], full recovery took [Z hours/days]. Lessons-learned changes were [specific].”

15. What’s the first cybersecurity recommendation you’d make for our environment based on what you’ve seen?

This question separates providers who actually looked at your environment during discovery from providers who didn’t. A real provider has at least one specific, environment-grounded answer. A weak provider will give a generic recommendation that could apply to anyone.

What a good answer sounds like: “Based on the discovery, the first thing we’d address is [specific finding] — for example, your [specific tenant/system] is configured with [specific weakness], which we’d fix in week 1 of onboarding.”

Red flags in cybersecurity answers

Patterns that indicate a weak security operation:

  • Vague tool references. “Industry-leading EDR” with no product name. “Enterprise email security” with no product name. A real provider names tools.
  • No SOC story. “Our team handles alerts” without specifying who, when, or how.
  • Antivirus instead of EDR. “We deploy [named antivirus]” with no behavioral detection layer is a 2018 security stack.
  • Manual incident response. No written runbook, no defined escalation path, no “we’d start with X within Y minutes.”
  • No cyber insurance, or won’t share a COI. Real providers carry it and disclose it.
  • No SOC 2 timeline. Smaller MSPs may not be audited yet, but they should have a clear answer about when they will be — or why they aren’t pursuing it.
  • Defensive answers to question 14. A provider who refuses to discuss any past incident, even anonymized, is hiding something or has nothing to share.

What most companies don’t realize

Three things experienced buyers know:

Cybersecurity capability varies more between MSPs than any other capability. Help desk performance is fairly similar across mid-market MSPs. Cybersecurity capability is on a spectrum from “checkbox” to “real SOC.” Two MSPs with the same per-user fee can deliver radically different security postures. The 15 questions above are designed to surface which end of the spectrum you’re on.

The cybersecurity questions you ask shape what you’ll be sold. MSPs notice which buyers are paying attention. Asking these questions in the sales process changes how the proposal comes back — providers who can answer well will lean in, providers who can’t will quietly de-emphasize the security pitch.

Cyber insurance is your safety net, not your strategy. Don’t rely on insurance to cover what good operations would prevent. Insurance is what you have because something went wrong; security operations are what you have so something doesn’t go wrong in the first place.

How to evaluate an IT provider’s cybersecurity posture

Before you sign, request these in writing:

  1. The full list of security tools in their standard stack
  2. A diagram or written description of how SOC monitoring works
  3. A copy of (or excerpt from) the incident response runbook
  4. A current Certificate of Insurance for cyber and E&O coverage
  5. Their most recent SOC 2 Type II report or equivalent (under NDA)
  6. The first three security recommendations they’d make for your environment

Compare across providers. The differences will be larger than you expect.

The single most useful cybersecurity question: “Walk me through what would happen in the first 30 minutes of a confirmed ransomware incident on our network.” Real providers can answer in detail, in real time, without hesitation. Weak providers will pause and improvise.

Frequently asked questions

What’s the difference between an MSP and an MSSP?

An MSP (Managed Service Provider) delivers general IT support — help desk, monitoring, patching, basic security. An MSSP (Managed Security Service Provider) is a security-focused specialist — SOC monitoring, threat hunting, advanced incident response. Many modern MSPs include MSSP-tier capabilities or partner with an MSSP for the security layer. Whether you need a dedicated MSSP depends on your industry, regulatory environment, and risk profile.

Is an MSP enough for my cybersecurity, or do I also need a separate security firm?

For most SMBs (under 250 employees), a competent MSP with strong security operations is sufficient. For regulated industries (healthcare, finance, defense, legal), a dedicated MSSP or security partnership is often appropriate — either as a complement to your MSP or as a separate engagement.

What is EDR and is it really necessary?

Endpoint Detection and Response is behavior-based security software that runs on every laptop, desktop, and server. It catches suspicious activity that traditional antivirus misses (e.g., malicious use of legitimate tools, lateral movement, encryption activity). For any business with sensitive data, EDR is now considered the baseline — antivirus alone is no longer sufficient.

What should we expect to pay for managed cybersecurity?

In a fully-managed engagement, cybersecurity is typically bundled into the per-user fee (commonly $135–$200/user/month for full MSP service). Standalone managed security services (MSSP) typically run $25–$60/user/month on top of base IT support. Beware of providers who break out cybersecurity as a high-margin add-on without offering a meaningfully better security posture for the extra spend.

How often should an MSP run cybersecurity training for our staff?

Quarterly phishing simulations and annual mandatory training are a reasonable baseline for SMBs. Higher-risk environments (regulated data, finance functions) should run monthly simulations. The simulation results matter more than the training itself — a well-run program shows declining click-through rates over time.

Keep learning

To find providers with strong managed cybersecurity capabilities, browse the MSP directory.