What does a managed IT service agreement actually include?

“Managed IT” sounds straightforward until you start comparing providers and realize every company defines it differently. One provider’s “all-inclusive” plan excludes half the things another provider considers standard. Let’s break down what you should expect, what’s commonly extra, and how to avoid paying for a service that doesn’t deliver.

What “Managed IT” Actually Means

At its core, managed IT means you’re outsourcing the monitoring, maintenance, security, and support of your technology environment to a managed service provider (MSP) for a predictable monthly fee.

Instead of calling someone when things break (break-fix), you have a dedicated IT partner who:

• Watches your systems 24/7
• Prevents problems before they become outages
• Provides a help desk for day-to-day support
• Keeps your systems secure and up to date
• Plans your technology roadmap

That’s the concept. But the details — what’s included, what’s excluded, and what the service levels look like — vary significantly between providers. Here’s what you should be looking for.

Core Services: What Should Always Be Included

These are the foundational services that any legitimate managed IT agreement should include. If a provider charges extra for these, they’re selling you break-fix with a monthly wrapper.

24/7 Monitoring and Alerting

Your MSP should be watching your systems around the clock — not just during business hours. This includes:

• Server monitoring — CPU, memory, disk space, services, and hardware health
• Network monitoring — firewalls, switches, routers, internet connectivity, and bandwidth
• Workstation monitoring — health, performance, and security status of employee computers
• Alert management — automated alerts for issues, with human review and response

What to look for: Ask whether monitoring is truly 24/7 or just business hours. Ask who responds to alerts at 2 AM on a Saturday. If the answer is “we’ll get to it Monday,” that’s not 24/7 monitoring.

Help Desk Support

Your employees need a way to get help with technology issues. A managed IT agreement should include:

• Multiple contact methods — phone, email, and a ticketing portal at minimum
• Reasonable response times — 15 minutes to 1 hour for initial response depending on priority
• Remote support — the ability to troubleshoot and fix issues remotely
• Knowledgeable technicians — people who can actually solve problems, not just log tickets

What to look for: Ask about average response and resolution times. Ask what percentage of issues are resolved on first contact. Good MSPs resolve 70-80% of issues remotely on the first interaction.

Patch Management

Keeping operating systems, applications, and firmware up to date is critical for both security and stability. Your MSP should handle:

• Operating system patches — Windows, macOS, and server OS updates
• Third-party application patches — Office, browsers, Java, Adobe, and other common applications
• Firmware updates — network equipment, server hardware
• Patch testing — verifying updates don’t break anything before deploying broadly
• Patch reporting — visibility into what’s been patched and what’s pending

What to look for: Ask how quickly critical security patches are deployed. Best practice is within 24-72 hours for critical vulnerabilities, with routine patches deployed within 1-2 weeks.

Backup Management

Backups are the foundation of disaster recovery, and your MSP should manage them end to end:

• Backup configuration — setting up automated backups for servers, workstations, and cloud data
• Backup monitoring — verifying that backups complete successfully every day
• Backup testing — regularly restoring data to verify it’s recoverable
• Off-site / cloud storage — ensuring backups are stored separately from your primary systems
• Backup reporting — regular reports showing backup status and any issues

What to look for: Ask how often they test restores (monthly at minimum for critical systems). Ask where backup data is stored and whether it’s encrypted. Ask whether Microsoft 365 / Google Workspace data is backed up (it should be — cloud providers don’t protect against accidental deletion or ransomware).

Cybersecurity Tools and Management

Basic cybersecurity should be included in every managed IT agreement, not sold as an add-on:

• Endpoint protection — antivirus / anti-malware on all devices (increasingly, endpoint detection and response or EDR)
• Email security — spam filtering, phishing protection, attachment scanning
• Firewall management — configuration, monitoring, and rule management
• Multi-factor authentication — setup and management of MFA for critical systems
• Security awareness training — basic employee training on phishing, passwords, and safe practices

What to look for: Ask specifically what security tools are included. “We use best-in-class security” is meaningless — you want names and specifics. Ask whether security awareness training is included or extra.

Vendor Management (Basic)

When something goes wrong with your internet, your phone system, or your line-of-business software, you shouldn’t have to play middleman between vendors. Your MSP should:

• Be the first point of contact for technology issues, even when the problem is with a third-party vendor
• Coordinate with vendors on your behalf for outages, service issues, and support tickets
• Track vendor issues to resolution

What to look for: Ask who handles the vendor relationship when your internet goes down. If the answer is “that’s your ISP, you need to call them,” the MSP isn’t managing the full picture.

Strategic Services: What Separates Good from Great

Beyond the core operational services, a strong managed IT agreement includes strategic elements that help your business grow. These are the services that turn your MSP from a vendor into a partner.

vCIO / Strategic Technology Consulting

A virtual Chief Information Officer (vCIO) provides executive-level technology leadership:

• Technology roadmap — a 1-3 year plan aligning IT investments with business goals
• Budget planning — annual IT budget with forecasting for major expenses
• Vendor evaluation — objective guidance on new tools and platforms
• Risk assessment — identifying where your business is vulnerable
• Compliance guidance — understanding regulatory requirements and what they mean for your IT

Quarterly Business Reviews (QBRs)

Regular formal meetings between your leadership and your MSP to review:

• IT performance (ticket trends, response times, uptime)
• Budget tracking (spending vs. plan)
• Roadmap progress (what’s been completed, what’s next)
• Security posture (threats, vulnerabilities, improvements)
• Business changes (growth plans, new needs, upcoming projects)

Documentation

Your MSP should maintain comprehensive documentation of your IT environment:

• Network diagrams
• Server and workstation inventory
• Software licensing records
• User accounts and access permissions
• Passwords and credentials (in a secure vault)
• Configuration details
• Vendor contacts and contracts

Why this matters: Documentation ensures that anyone on the MSP’s team can support your environment, reduces recovery time during incidents, and protects you if you ever need to switch providers.

What’s Typically Extra

Not everything can be included in a fixed monthly fee. Here are services that are commonly billed separately, and why:

Projects and Implementations

• Office moves or expansions
• New server deployments
• Cloud migrations
• Major software implementations
• Network infrastructure upgrades
• New office buildouts

Why it’s extra: Projects are one-time efforts with defined scopes. Including them in the monthly fee would either make the fee unsustainably high or create a disincentive for the MSP to approve needed improvements.

Hardware Procurement

Most MSPs help you purchase hardware, but the hardware itself is usually a separate cost:

• Servers, workstations, laptops
• Network equipment (firewalls, switches, access points)
• Peripherals (monitors, docking stations, printers)

Some MSPs offer Hardware-as-a-Service (HaaS) where hardware is included in the monthly fee and refreshed on a regular cycle. This can be a good option for budget predictability.

On-Site Support

Many managed IT agreements are primarily remote-support-based. On-site visits may be:

• Included for a set number of visits per month
• Billed at a reduced hourly rate
• Included for emergencies but extra for routine work
• Fully included (less common, but the best model for businesses that need regular on-site presence)

What to look for: Ask how on-site support is handled. If you’re a single-location office, you’ll need on-site support for hardware issues, network cabling, and new equipment setup. Make sure you understand what triggers an on-site visit and what it costs.

Advanced Cybersecurity

While basic security should be included, advanced services may be extra:

• Security Operations Center (SOC) monitoring — 24/7 human review of security alerts
• Managed Detection and Response (MDR) — active threat hunting and incident response
• Penetration testing — simulated attacks to find vulnerabilities
• Compliance-specific services — HIPAA risk assessments, PCI DSS scoping, CMMC preparation
• Dark web monitoring — scanning for compromised credentials
• Security Information and Event Management (SIEM) — centralized security log analysis

After-Hours Support

Check whether your agreement covers support outside business hours:

• Some MSPs include 24/7 support at no extra charge
• Some charge premium rates for after-hours calls (1.5x to 2x)
• Some include emergency-only after-hours support (system down, not password resets)

What to look for: If your business operates outside standard 8-5 hours — evenings, weekends, multiple time zones — make sure your agreement covers those hours.

Understanding SLAs (Service Level Agreements)

SLAs define the performance standards your MSP commits to. They’re the teeth in your agreement. Here’s what to look for:

Response Time SLAs

How quickly will the MSP acknowledge and begin working on your issue?

Priority	Example	Expected Response
Critical	All systems down, business stopped	15-30 minutes
High	Key system down, multiple users affected	30 minutes - 1 hour
Medium	Single user issue affecting productivity	1-4 hours
Low	Request, question, or non-urgent issue	4-8 hours

Resolution Time SLAs

How quickly will the issue be fully resolved?

Priority	Expected Resolution
Critical	1-4 hours
High	4-8 hours
Medium	8-24 hours
Low	24-72 hours

Note: Resolution times are harder to guarantee because some issues are complex. Good MSPs commit to resolution targets and track their performance against them, but acknowledge that some issues take longer.

Uptime SLAs

If your MSP manages your infrastructure, they should commit to uptime guarantees:

• 99.9% uptime — the standard target (about 8.7 hours of downtime per year)
• 99.99% uptime — the premium target (about 52 minutes of downtime per year)

What to look for: Ask what happens when SLAs aren’t met. Service credits? Fee adjustments? Or nothing? SLAs without consequences are marketing, not commitments.

Pricing Models

Per-User Pricing

The most common model. You pay a fixed monthly fee per user, and each user gets a full suite of services regardless of how many devices they use.

• Typical range: $125 - $250 per user per month
• Pros: Simple, predictable, scales naturally as you add or remove employees
• Cons: Can be more expensive for businesses with few users but many servers or devices

Per-Device Pricing

You pay per device (server, workstation, laptop, etc.) rather than per user.

• Typical range: $50 - $150 per device per month (servers higher than workstations)
• Pros: Clear relationship between cost and infrastructure
• Cons: Can get complex with BYOD, multiple devices per user

Tiered Packages

Some MSPs offer “good, better, best” packages with increasing service levels.

• Basic: Monitoring and help desk only
• Standard: Monitoring, help desk, backup, basic security
• Premium: Everything including vCIO, advanced security, compliance support

Watch out for: Packages where essential services (like backup or security) are only in the premium tier. These should be standard, not upsells.

Red Flags in Managed IT Agreements

Vague Scope of Services

If the agreement doesn’t clearly state what’s included and what’s excluded, expect surprise charges. “Comprehensive IT management” means nothing without specifics.

Long Lock-In Periods Without Performance Guarantees

Three-year contracts with no SLAs and no exit provisions mean you’re locked in even if the service is terrible. Look for 1-year terms with 60-90 day termination clauses, or month-to-month after the first year.

No Reporting or Transparency

If your MSP doesn’t provide regular reports on tickets, response times, uptime, and security, you have no way to evaluate their performance. Expect monthly or quarterly reports at minimum.

Hidden Escalation Costs

Some agreements look affordable until you realize that anything beyond the most basic support is billed extra. Ask for a list of the last 20 tickets from a current client (anonymized) and whether any would have been billed separately.

No Documentation Handoff

If you ever leave, you need your documentation: passwords, configurations, network diagrams, vendor contacts. Make sure your agreement specifies that you own this data and that the MSP will provide it during a transition.

”All-Inclusive” with a Long Exclusion List

Read the fine print. “All-inclusive” agreements often exclude projects, hardware, after-hours support, on-site visits, and advanced security. If more is excluded than included, the label is misleading.

The Bottom Line

A managed IT agreement should give you predictable costs, proactive support, and the strategic guidance to use technology as a business advantage. The core should include monitoring, help desk, patch management, backup, and basic cybersecurity. Strategic services like vCIO consulting, roadmapping, and quarterly reviews are what separate a true partner from a commodity provider.

Before you sign, make sure you understand:

1. Exactly what’s included and what’s extra
2. The SLAs and what happens when they’re not met
3. How pricing works and how it scales as you grow
4. What reporting and visibility you’ll receive
5. The contract term and exit provisions

The right managed IT agreement isn’t just a service contract — it’s a partnership that supports your business today and positions you for growth tomorrow.

---

Want to understand what managed IT should look like for your business? centrexIT provides transparent, comprehensive managed IT services tailored to businesses in San Diego and beyond. Contact us to see what’s included.