Voyager MSP
Cheddar IT
Book a call1300 757 632
Operations

Choosing a Managed IT Provider: What Good Actually Looks Like

Most managed IT contracts look similar on paper. Here's what actually differentiates good providers from mediocre ones, and the questions to ask.

7 min read

Every managed IT provider’s website says the same things: 24/7 support, proactive monitoring, Australian-based engineers, cybersecurity expertise. The marketing pages are interchangeable.

The actual experience of being a client is not interchangeable. Some MSPs are genuinely helpful partners; others are pleasant on the sales call and mediocre afterwards. Here’s what actually differentiates the good ones, based on what we’ve seen across the Australian market.

Service levels that are actually written into the contract

Any MSP will talk about fast response times on the sales call. The question is: what’s in the contract?

A good managed service agreement specifies, in writing:

  • Response time per priority level (how fast do we know your issue exists and start working it)
  • Resolution time per priority level (how fast is it fixed)
  • What counts as P1, P2, P3, P4 (clear, not subjective)
  • Hours of cover (business hours? 24/7? After-hours for P1 only?)
  • Credits or remedies if SLAs are missed

If the contract says “best efforts” or “reasonable time,” that’s not an SLA — it’s a hope. Credible providers write specific numbers into the agreement.

Proactive work, not just reactive tickets

The difference between a reactive helpdesk and a proper managed service is what happens when nothing is broken.

Proactive work includes:

  • Patch management (applications and operating systems) on a documented schedule
  • Security monitoring and alerting
  • Backup verification
  • Asset lifecycle tracking — what’s ageing, what’s out of warranty, what’s failing
  • Capacity and performance monitoring
  • Documentation updates as the environment changes
  • Quarterly or monthly reviews with the client

You can tell whether an MSP does proactive work by asking: “What has your team done in our environment this month that we didn’t ask about?” If the answer is “nothing, you didn’t raise a ticket,” that’s a reactive helpdesk.

A real service desk, not an answering machine

Staff don’t read email when they’re locked out of the domain. A real service desk has:

  • A phone number people actually pick up during the hours in the SLA
  • Australian-based engineers for most SMB work (offshore L1 has its place; it shouldn’t be the main experience)
  • Ticket visibility — a portal where you can see what’s open, what’s in progress, and the history
  • Clear escalation — when L1 can’t resolve something, it moves to L2 quickly, not in two days

Call your prospective MSP’s support line at 9am on a Tuesday and time how long it takes to get to a real engineer. That number tells you more than the brochure does.

Transparent billing and no surprise invoices

A good managed service has a predictable monthly cost. Out-of-scope work is called out before it’s done, with a quote, not surprise-billed afterwards. Hardware and licensing pass-throughs are transparent, not marked up silently.

Questions to ask:

  • What’s included in the monthly fee? (Be specific. “Unlimited support” always has fine print.)
  • What’s billed separately and at what rate?
  • How are hardware and licensing handled?
  • If we request a project, how is it scoped and quoted?

An MSP whose business model depends on scope creep and surprise invoices is not a partner — they’re a vendor.

Documentation that survives staff changes

A well-run MSP documents client environments continuously — credentials, network diagrams, configuration details, procedures, vendor contacts, warranty dates. They use something like IT Glue, Hudu, or a comparable documentation platform.

The test: if the engineer who knows your environment best leaves the MSP tomorrow, does the next engineer have what they need? In badly-run MSPs, the answer is “no” — knowledge lives in individual heads. In well-run ones, it’s all documented and accessible.

Ask to see what documentation exists about your environment (or a sample client’s, redacted). The answer reveals a lot.

Security is taken seriously, not just mentioned

Security is table-stakes for any MSP in 2025. What matters is whether it’s actually practised:

  • Do they have MFA on their own staff accounts and their tools?
  • Do they have an incident response plan? Have they rehearsed it?
  • Are they aligned to a recognised framework (Essential Eight, ISO 27001, SOC 2)?
  • Do they require MFA, patching, EDR, and backup as minimums for clients — and walk away from clients who refuse?
  • Are their privileged access tools (RMM, PSA) secured appropriately?

An MSP that’s careless about its own security is a supply chain risk to you. The Kaseya and SolarWinds-style attacks of recent years have mostly been MSP-to-client attacks.

Strategic capability, not just ticket execution

The best MSPs bring capability you don’t have in-house. That includes:

  • vCIO (virtual Chief Information Officer) — strategic IT planning, budget forecasting, roadmap
  • Cloud architecture — not just admin of existing cloud workloads, but actual design capability
  • Security engineering — beyond EDR and MFA, into detection, response, and governance
  • Project delivery — migrations, refreshes, office moves, managed properly

You don’t always need every capability, but you should know which ones the MSP can credibly deliver. Some are helpdesk-plus-patching and honest about that. Others claim strategic capability they don’t really have.

Alignment with your business

Good MSPs know your industry and your stack. If you’re a law firm, the MSP should know how Clio, NetDocuments, LEAP and practice management tools work. If you’re a healthcare clinic, they should understand EHR systems and Privacy Act obligations. If you’re a manufacturer, they should understand OT/IT segmentation.

Generic MSPs can serve generic businesses fine. Specialised businesses benefit significantly from an MSP that’s run environments like yours before.

Questions to ask during evaluation

Short list of questions that consistently differentiate good from mediocre:

  1. “Can I see a sample monthly report for an existing client?”
  2. “What’s your current engineer-to-client ratio?”
  3. “When was your last security incident, and how did you handle it?”
  4. “Can I talk to 2-3 existing clients similar to us?”
  5. “If we had a P1 incident at 3am Saturday, what actually happens?”
  6. “What’s in your contract about exit — how do we leave cleanly if it doesn’t work out?”

The answers — including whether they dodge any of these — tell you a lot.

The bottom line

Picking a managed IT provider is as much about culture and communication as it is about technical capability. Contracts matter, but they don’t tell you whether the MSP will be helpful to work with day-to-day.

Spend time with any provider you’re considering. Talk to their current clients. Call their support line. Ask specific questions. The good ones welcome the scrutiny; the mediocre ones try to change the subject.

If you’re evaluating providers and would like a plain-spoken conversation about what Cheddar IT actually does (and doesn’t do), get in touch. A good decision here tends to compound for years.