This guide gives you the framework to tell them apart. Not as an IT professional — as a business owner who needs to make a good decision without becoming a technology expert first.
Step 1: Define What You Actually Need
Before you evaluate any provider, be clear on what you’re buying. Managed IT is not a single product. It exists on a spectrum from “someone manages our devices” to “a fully outsourced IT and security department.” Where you land on that spectrum depends on:
| Your Situation | What You Probably Need |
|---|---|
| Under 15 employees, simple technology environment, low compliance requirements | Foundational managed IT: monitoring, patching, helpdesk, basic security stack |
| 15–50 employees, mix of office and remote, some compliance exposure | Mid-tier managed IT with documented SLAs, security awareness training, EDR, email security |
| 50+ employees, regulated industry (healthcare, legal, finance), or prior incident | Full managed security services: SOC monitoring, compliance documentation, vCISO, ransomware guarantee |
| Internal IT team, want to augment not replace | Co-managed IT: MSP provides security depth and specialized services while the internal team handles day-to-day |
Starting with clarity about your needs prevents you from over-buying features you don’t need or under-buying protection you do.
Step 2: Evaluate the Fundamentals
Every provider you seriously consider should clear these baseline requirements without exception:
Local presence and response capability
Phoenix is a large metro. “Local” can mean Tempe or it can mean a call center in another state with a Phoenix phone number. Ask specifically: where are your technicians based? What’s your typical on-site response time in [your city]? Who would show up at my office in an emergency?
Documented SLAs with actual consequences
Every provider promises fast response. The ones who mean it put it in writing with consequences for missing it. Ask to see the SLA document before you sign anything. Read the P1 (critical incident) response time. Ask what happens if they miss it.
Acceptable: 1-hour acknowledgment, 4-hour resolution target for P1, with credit or remedy for misses.
Not acceptable: “we prioritize critical issues” without specific time commitments.
Security stack depth
Ask exactly what security tools are included in their standard engagement. The minimum acceptable stack in 2025:
• Endpoint Detection and Response (EDR) — not basic antivirus
• Email security with anti-phishing and sandboxing
• Patch management with documented SLAs for critical patches
• Security awareness training with phishing simulations
• Monitored backup with tested restoration
• MFA enforcement across all managed accounts
If any of these are “add-ons” rather than included, get the full price with them included. These are not optional.
Documentation practices
Ask: “If we decided to leave you after 12 months, what documentation would you provide for the transition?” The answer tells you everything about how they operate. Good MSPs document everything and make transitions smooth. Bad ones hold documentation hostage.
Proof of monitoring
Ask to see a sample of the monthly report they provide clients. It should include what was patched, what alerts fired, what was resolved, and a current security posture summary. If they can’t show you a sample report, they’re not reporting, which means they may not be monitoring in any meaningful way.
Step 3: The Ten Questions Worth Asking
Ask every provider you’re seriously considering these exact questions. Compare the answers.
| Question | What a Good Answer Sounds Like | Red Flag Answer |
|---|---|---|
| What is your P1 response time, and what happens if you miss it? | Specific time (e.g., 1 hour), specific remedy (credit or escalation) | “We prioritize urgently” with no time commitment |
| How many clients does each of your account managers support? | Under 50; ideally 30–40 | “I’d have to check” or numbers over 75 |
| What is your technician-to-client ratio? | Concrete answer with specifics | Vague or deflected |
| When did you last do a security assessment on a client, and what did you find? | Recent, specific, shows they proactively surface issues | “We check things regularly” without specifics |
| What’s your onboarding process, and how long does it take? | Documented 30–60 day process with phases | “We’ll get you set up pretty quickly” |
| What happens to our documentation and passwords if we leave? | Full handoff package, 30-day transition support | Awkward pause, vague answer, or conditions |
| Are you SOC 2 certified, and if not, what is your security posture? | SOC 2 or clear explanation of their controls | Blank stare or “we take security seriously” |
| What’s your backup and disaster recovery process? | Off-site, tested, RTO/RPO defined | “We do backups” without specifics on testing |
| What guarantee do you offer? | Specific financial commitment (ransomware guarantee, SLA credits, etc.) | None offered, or vague satisfaction guarantee |
| Can I talk to two or three of your current Phoenix clients? | Yes, immediately | Hesitation, conditions, or no |
Step 4: Evaluate the Proposal
When you receive a written proposal, look for:
• Scope clarity: Every service is described specifically, not in category names like “security.” You should be able to read the proposal and know exactly what you’re getting.
• Exclusion transparency: Good proposals list what is NOT included. If there are no exclusions listed, they haven’t been honest yet.
• SLA specifics in writing: The response time commitments from your conversation should be in the contract, not just the sales pitch.
• Data ownership language: Your data is yours. The contract should say so explicitly.
• Termination and transition terms: What’s the notice period? What’s the transition obligation? Can you leave without penalty if they miss their SLA?
Step 5: The 3AM Test
After you’ve done all of the above, ask yourself one question about each provider you’re seriously considering:
If something went catastrophically wrong at 3AM on a Saturday night — ransomware, a data breach, a critical system down — would you genuinely trust this provider to answer, take ownership, and fix it?
That gut feeling is worth more than any checklist. It’s built from the cumulative impression of every interaction, every answer, every moment in the sales process where they either showed you who they really are or carefully managed your perception.
The right IT partner passes the 3AM Test before you sign the contract. The wrong one fails it sometime in the first year, usually when it’s expensive.
What Makes AEGITz Different
We’re going to tell you what we believe distinguishes us, and we’d encourage you to hold us to exactly the same standard as every other provider in this guide.
• We back our security work with a $50,000 cash-backed ransomware guarantee on SENTINEL and FORTRESS tiers. We put money on the line because we believe in the work.
• We provide full documentation handoff to any client who leaves. We don’t hold documentation hostage.
• We serve Phoenix businesses exclusively — we’re not a national provider with a Phoenix branch.
• Our FLOW service handles AI automation alongside IT — we’re not just keeping the lights on, we’re helping you grow.
• We answer the 3AM call. Our SLA is in writing with consequences.
If any of that doesn’t check out in your reference calls, you should choose someone else. That’s the standard we hold ourselves to.
Schedule a 30-minute no-obligation discovery call with AEGITz. We’ll answer every question in this guide honestly — including the hard ones. aegitz.com