Guide February 14, 2025  ·  8 min read

How to evaluate an MSSP: 10 questions to ask before signing

Most MSSP sales cycles are designed to reduce your ability to evaluate what you're actually buying. These 10 questions cut through the marketing and surface what matters: coverage depth, response capability, and operational transparency.

Evaluating a managed security provider is difficult in part because the thing you're buying — security coverage — is hard to test before you need it. You're making a judgment about how a provider will perform under adversarial conditions before those conditions exist. The following questions are designed to surface that operational reality, not the sales narrative.

1. What do your analysts actually do when an alert fires?

Ask for a specific walkthrough. Not "our team investigates and escalates" — the step-by-step process from signal to action. You want to understand whether analysts are triaging against your environment specifically, what tools they're working in, and what the escalation path looks like in practice. If the answer is vague, the process is probably vague.

2. What's your SLA for initial response, and what constitutes the clock starting?

Response SLAs are only useful if you understand when they begin. Does the clock start when the alert fires? When an analyst first reviews it? When a confirmed incident is declared? These are meaningfully different. A 4-hour SLA that starts when a human first touches an alert that sat in a queue is not the same as one that starts at signal detection. Ask which of these timestamps the provider records and exposes to you, so you can measure the SLA from your own portal data rather than from the provider's monthly report.
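The difference between clock-start definitions is easiest to see on real alert records. The script below is an added example, not part of the original guide and not any provider's code: it assumes a hypothetical 4-hour SLA and alert records carrying four timestamps (signal detected, first analyst touch, incident declared, first action taken), and runs the same three constructed alerts through each clock-start definition.

```python
"""Measure MSSP response time under different SLA clock-start definitions.

Added example, not from the original article. The SLA value, the Alert
fields and SAMPLE_ALERTS are all assumptions constructed for illustration;
replace SAMPLE_ALERTS with rows exported from a provider's portal.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

SLA = timedelta(hours=4)  # hypothetical contractual initial-response SLA


@dataclass(frozen=True)
class Alert:
    alert_id: str
    detected_at: datetime            # sensor or SIEM raised the signal
    first_touched_at: datetime       # an analyst first opened the alert
    declared_at: Optional[datetime]  # confirmed-incident declaration, if any
    actioned_at: datetime            # first containment or escalation action


# Three plausible "clock starts" for the same SLA. Which one the contract
# names changes whether an identical alert counts as met or breached.
CLOCK_STARTS: Dict[str, Callable[[Alert], Optional[datetime]]] = {
    "detection": lambda a: a.detected_at,
    "first_touch": lambda a: a.first_touched_at,
    "declaration": lambda a: a.declared_at,
}


def elapsed(alert: Alert, clock_start: str) -> Optional[timedelta]:
    """Time from the chosen clock start to first action; None if unmeasurable."""
    start = CLOCK_STARTS[clock_start](alert)
    if start is None:
        # No declaration was ever recorded: the SLA cannot be measured at
        # all under this definition, which is itself a finding.
        return None
    return alert.actioned_at - start


def sla_met(alert: Alert, clock_start: str, sla: timedelta = SLA) -> Optional[bool]:
    e = elapsed(alert, clock_start)
    return None if e is None else e <= sla


def queue_wait(alert: Alert) -> timedelta:
    """How long the alert sat before any human looked at it."""
    return alert.first_touched_at - alert.detected_at


def summarize(alerts: List[Alert], clock_start: str, sla: timedelta = SLA) -> Dict[str, int]:
    """Count met/breached/unmeasurable alerts and the worst untouched queue wait."""
    result = {"met": 0, "breached": 0, "unmeasurable": 0, "worst_queue_wait_minutes": 0}
    for a in alerts:
        met = sla_met(a, clock_start, sla)
        if met is None:
            result["unmeasurable"] += 1
        elif met:
            result["met"] += 1
        else:
            result["breached"] += 1
        wait_minutes = int(queue_wait(a).total_seconds() // 60)
        result["worst_queue_wait_minutes"] = max(result["worst_queue_wait_minutes"], wait_minutes)
    return result


def _t(hour: int, minute: int) -> datetime:
    return datetime(2025, 2, 14, hour, minute)


# Constructed sample data (not real alerts).
# A-2 sits in the queue for 3.5 hours before anyone touches it.
# A-3 is acted on but never formally declared an incident.
SAMPLE_ALERTS = [
    Alert("A-1", _t(9, 0), _t(9, 5), _t(9, 20), _t(9, 40)),
    Alert("A-2", _t(9, 0), _t(12, 30), _t(12, 45), _t(13, 30)),
    Alert("A-3", _t(9, 0), _t(9, 10), None, _t(14, 0)),
]

if __name__ == "__main__":
    for name in CLOCK_STARTS:
        print(f"{name:12} {summarize(SAMPLE_ALERTS, name)}")
```

On this data the same provider reports one breach out of three when the clock starts at first touch, two breaches when it starts at detection, and one alert that cannot be measured at all when it starts at declaration. The `worst_queue_wait_minutes` figure is the number to ask about: it is exactly the time a first-touch clock hides.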

3. What visibility do I have into what your analysts are doing in my environment?

Some providers give clients a portal with real-time access to alert queues, investigation notes, and analyst actions. Others send a weekly PDF. The difference matters for your internal team's ability to learn from incidents, maintain situational awareness, and make decisions about your own security investments. Ask to see the client portal before signing.

4. Who actually responds to an incident — your analysts or a separate IR team?

Detection is not response. Some MSSPs detect and escalate to you. Others detect and escalate to a separate (and separately contracted) IR team. Others have analysts with containment authority in your environment. Understanding where that boundary is determines whether you have response capability or just detection capability. Get this in writing.

5. What's your staff-to-client ratio, and does it change for critical incidents?

A solo analyst covering 200 clients can't provide meaningful coverage during a mass-exploitation event — when multiple clients are being hit simultaneously. Ask how the provider scales during high-incident-volume periods and what the contractual commitment is, if any.

6. What tools are you deploying in my environment, and who owns the data?

MSSP telemetry collection often involves deploying agents, configuring log forwarding, or setting up API integrations. Ask what data leaves your environment, where it's stored, what the retention policy is, and what happens to it when you offboard. Data sovereignty in security relationships is a real operational and legal consideration.

7. What's your offboarding process?

This is a question about leverage. If the answer is complicated or vague, the relationship is designed to be sticky in ways that aren't in your interest. Clean offboarding — deprovisioning access, returning or destroying data, providing configuration exports — should be clearly documented in the contract.

8. How do you handle findings that implicate your own tooling or process?

Ask this directly. What happens if an investigation reveals that a blind spot in the monitoring coverage let an attacker persist for 30 days? Reputable providers have post-incident review processes that include honest assessment of their own coverage gaps. If the answer is defensive, that tells you something about the relationship dynamic.

9. Can you provide references from clients in a similar industry or threat profile?

Not case studies — actual contacts you can call. A provider that has worked extensively in healthcare has different operational calibration than one that primarily serves retail. Industry-specific threat intelligence, regulatory familiarity, and incident experience all matter. References let you validate the operational reality, not the sales deck.

10. What does the first 90 days look like operationally?

The transition period is when coverage gaps are most likely to exist. Ask specifically: what's the discovery and onboarding process, who's responsible for it on both sides, and how do you measure readiness before declaring full coverage operational? A provider that can't describe this clearly probably doesn't have a defined process.

Using this in a real evaluation

These questions work best as a structured conversation, not a questionnaire. How a provider responds — whether they engage with specifics or deflect to marketing language — tells you as much as the content of the answers. If you're in the process of evaluating MSSPs and want to understand how ThreatGrid approaches these questions, start a conversation with us. We're happy to walk through this list directly.


Take action

Request an assessment or start a conversation.

ThreatGrid works with organizations at every maturity level — from first MSSP evaluation through active monitoring and incident response.