What MSSP Providers Actually Do (and What They Don’t)
Before you can pick a managed security provider, you need to know what one actually is — because the word “MSSP” gets slapped on everything from a true 24/7 security operations center to a guy who resells antivirus licenses and forwards you alerts. Knowing the difference is the whole game.
A genuine Managed Security Service Provider runs continuous monitoring out of a staffed SOC, detects and triages threats around the clock, manages your logs (often via a SIEM), handles incident response, runs vulnerability scans, and produces the reporting auditors want for compliance frameworks. That’s the baseline. Anyone calling themselves an MSSP should do most of this without you asking.
Now the distinctions that trip people up:
- MSP — manages your IT (servers, helpdesk, patching). Security is a side dish, not the entrée.
- MDR vendor — focuses tightly on detection and response at the endpoint level; faster and deeper on threats, but often narrower than a full MSSP’s compliance and log scope.
- Reseller — licenses you a tool and disappears when something fires.
The piece most buyers miss is shared responsibility. The MSSP watches, detects, and advises — but they rarely own remediation on your systems unless your contract explicitly says so. Patching, user access, and acting on their recommendations frequently stay your job. According to the FTC, businesses remain accountable for safeguarding customer data even when a vendor handles the monitoring. Get that boundary in writing before you sign anything.
Should You Outsource Security? Who Benefits and Who Shouldn’t
Knowing what an MSSP does is one thing; knowing whether you need one is another. Most security incidents don’t happen at 10am on a Tuesday when your IT team is caffeinated and alert. They happen at 2am on a holiday weekend. If nobody is watching during those hours, you don’t have a security program — you have one that works business hours.
You’re a strong candidate to outsource if:
- You have no genuine 24/7 monitoring, and your two- or three-person IT team is already buried in help-desk tickets and patching.
- A client contract, cyber insurer, or framework (SOC 2, HIPAA, PCI DSS) is now demanding controls you can’t staff for internally.
- You’ve had a recent near-miss — a phishing click, a ransomware scare, a failed audit — that exposed how thin your coverage really is.
In-house or hybrid often makes more sense if:
- You handle data so sensitive or regulated you genuinely can’t hand off raw access (certain defense, legal, or healthcare contexts).
- You already have a mature security team and need surge capacity — a co-managed model usually beats full outsourcing here.
Whatever triggered your search, translate it into requirements before you talk to anyone. “We failed an audit” becomes “we need SOC 2 Type II evidence and log retention for X months.” “A client demanded it” becomes a specific control list. A vague pain point gets you a vague pitch — and an overpriced contract.
How MSSP Pricing Models Work and Where Costs Hide
The sticker price on an MSSP proposal is rarely what you’ll pay — and the gap between the two is where buyers get burned. Most providers bill using one of a handful of models, each with its own quirks.
- Per-device or per-endpoint: Common and predictable, but costs balloon as you grow. Watch how they count servers, firewalls, and cloud workloads.
- Per-user: Cleaner for knowledge-worker shops, but it can quietly inflate when you onboard contractors or seasonal staff.
- Per-data-volume: You pay by how many logs you ingest (often per GB/day). This is where overage charges bite hardest.
- Flat retainer or tiered packages: Easiest to budget, but “tiers” often gate the features you’ll need during an incident.
The real traps live in the fine print. The big one: incident response billed separately. Plenty of MSSPs monitor and alert for a flat fee, then charge $250–$500+ per hour when an actual breach requires hands-on remediation — exactly when you have no leverage. Also scan for onboarding fees, log-retention overages (90 days versus a year is a meaningful cost difference), and after-hours escalation surcharges.
On contracts, treat anything longer than 12–24 months without strong exit terms as a yellow flag. Negotiate three things specifically: a clean exit clause with notice periods you can live with, data portability (you get your logs and configs back in usable formats), and a capped annual price escalator so renewals don’t surprise you.
How to Verify a Provider’s Credentials and SOC Capability
Pricing tells you what a provider costs; credentials tell you whether they can deliver. Anyone can put “24/7 SOC” and “SOC 2 certified” on a website. Your job is to demand the receipts, because the gap between a real security operations center and a reseller forwarding alerts is where breaches slip through at 2am.
SOC 2 Type II vs. ISO 27001 — ask for the real document
These prove different things. A SOC 2 Type II report shows an independent auditor tested the provider’s controls over a period (usually 6–12 months), not a single snapshot. ISO 27001 certifies they have a documented security management system in place. A logo on a footer proves neither. Ask for the actual report under NDA — a credible provider hands it over without flinching. If they send a one-page certificate instead, that’s a tell.
Confirm the SOC is owned, not subcontracted
Ask point-blank: do you employ your own analysts, or do you white-label another company’s SOC? Many “providers” subcontract overseas during off-hours. Request the analyst tier structure (Tier 1 triage through Tier 3 threat hunting) and confirmed coverage across all shifts, weekends, and holidays — the times you’re most exposed.
Verify who actually touches your data
Press on three things: whether analysts undergo background checks, where your data physically lives (data residency matters for HIPAA, GDPR, and many client contracts), and which named entities can access it. If they can’t answer cleanly, assume they haven’t thought about it — and neither will they during an incident.
The Non-Obvious Questions to Ask Before You Sign
The sales deck won’t tell you what happens when ransomware hits at 2am on a Saturday. The right questions cut through the polish and expose whether a provider can deliver when it counts.
Operational questions
Ask who your named account lead is — an actual person, not a ticketing queue. Then map the escalation path: who picks up at 2am, how fast, and through what channel? Push for mean-time-to-detect and mean-time-to-respond SLAs with financial penalties attached. An SLA without teeth is a promise. If they won’t commit to numbers in writing, that tells you something.
Risk-transfer questions
Confirm they carry both errors & omissions insurance and cyber liability coverage, and ask for the actual policy limits — these often run $1M–$5M depending on the provider’s size. Read the liability terms closely: many contracts cap their exposure at one to three months of fees, which is meaningless if a breach costs you seven figures. Clarify their breach notification obligations — how quickly they’re contractually required to tell you something’s wrong.
Relationship questions
Nail down the review cadence (monthly or quarterly), what reporting you’ll see, and a realistic onboarding timeline — credible providers usually need 30–90 days. Finally, demand references from clients your size and in your industry, then call them. Ask what broke and how the provider responded. That one answer reveals more than any brochure.
Red Flags That Signal the Wrong MSSP
The most dangerous MSSP isn’t the one that fails loudly during a breach — it’s the one that gives you a polished sales deck now and disappears when it matters. The warning signs usually show up before you sign, if you know where to look.
Watch for evasiveness on the fundamentals. If they get vague about who owns and staffs the SOC — whether it’s their own analysts or a subcontractor three layers deep — that’s a problem. So is refusing to share a current SOC 2 Type II report under NDA, or being unable to name a specific escalation contact for a 2am incident. “Our team handles that” is not an answer.
Distrust opacity in the contract. Pricing that can’t be broken down line by line, aggressive multi-year lock-in with brutal early-termination penalties, and incident response quoted as a surprise add-on rather than a defined inclusion all point to a relationship built to favor them. According to the FTC, deceptive billing and undisclosed fees remain among the most common business complaint categories — and security contracts are no exception.
Be skeptical of tool-heavy, human-light operations. If their pitch is mostly dashboards with no clear story about who interprets the alerts, walk. Ask about analyst turnover and request a redacted response track record. A provider that can’t show you what they’ve done during a real incident hasn’t earned a multi-year commitment.
How to Run a Structured MSSP Evaluation and Shortlist
Spotting red flags helps you eliminate the wrong providers; a structured evaluation helps you defend the right one. The fastest way to lose this decision in front of leadership is to walk in with a gut feeling and a couple of glossy sales decks.
Start with a weighted scorecard. List your real requirements, assign each a weight based on what matters most to your organization, then score every candidate 1–5. A simple structure:
| Category | Weight |
|---|---|
| Coverage (24/7 SOC, response, escalation) | 30% |
| Compliance (SOC 2 Type II, ISO 27001, data residency) | 25% |
| Operational fit (named lead, review cadence, communication) | 25% |
| Cost & contract terms | 20% |
Don’t sign a three-year deal off a scorecard alone. Run a structured RFP so answers are comparable side by side, then push for a proof-of-value pilot — typically 30–60 days — where the provider monitors a slice of your environment. You’ll learn more from one real escalation drill than from ten reference calls.
Finally, bring in legal, finance, and leadership before you commit. Legal reviews liability, E&O coverage, and termination clauses; finance pressure-tests the total cost (often $2,000–$15,000+ per month depending on scope). Then document why you chose them — the scorecard, the pilot results, the dissenting concerns — so the decision is yours to defend, not second-guess.
What to Expect During Onboarding and the First 90 Days
Signing the contract is where the real test begins — a polished sales team tells you nothing about whether the operations team can deliver. A solid MSSP runs a predictable onboarding sequence, and you should know what each milestone looks like so you can spot trouble early.
Expect roughly this arc in the first 90 days:
- Weeks 1–2: Asset discovery. They map your endpoints, servers, cloud accounts, and identities. If they can’t tell you what they’re protecting, they can’t protect it.
- Weeks 2–4: Log integration. Your SIEM or EDR feeds get connected, and escalation contacts are documented — including the named lead and the 2am phone tree.
- Weeks 4–8: Baseline tuning. The provider learns your normal so alerts get sharper, not noisier.
- Weeks 8–12: First incident drill and review meeting. A tabletop exercise proves the escalation path works before a real breach tests it.
Early warning signs of a poor fit
Watch for tuning that drags past week six, alert volume that climbs instead of dropping, or a missed first review meeting. Any of these means you raise it in writing immediately and request a remediation plan — don’t wait for the quarterly check-in.
Governance that holds them accountable
Lock in a monthly or quarterly review cadence and track concrete metrics: mean time to detect, mean time to respond, false-positive rate, and percentage of alerts triaged within SLA. Numbers, not reassurances, tell you whether you chose well.




