Five Questions to Ask Before You Sign with an MSSP
The managed security services market has grown significantly over the past several years, and with that growth has come a wide range of providers offering similar-sounding services at varying price points and quality levels. SOCaaS, MDR, XDR, managed SIEM — the terminology is consistent across vendors in a way that the actual delivery often is not.
Buying managed security services is not like buying a software license. You are buying an operational capability that you will depend on when something goes wrong. The questions that matter are not about features. They are about what actually happens when the service is put to work.
These five questions cut through the marketing language and tell you what you actually need to know before committing to a managed security relationship.
Question 1: Who Actually Responds to an Alert at 2am?
This is the most important question you can ask, and the answer will tell you more about the service than any SLA document. When your SIEM fires a critical alert at 2am on a Saturday, who sees it? Is it a trained security analyst who can investigate, make a judgment call, and take action? Is it an automated system that creates a ticket? Is it a tier-one analyst in an offshore operations center working from a runbook with no authority to escalate?
The answer varies dramatically across providers. Some MSSPs have genuine 24/7 human coverage with experienced analysts who have the authority and the tools to act. Others have automated alerting with human review during business hours and escalation procedures that take hours to activate outside of them. The SLA language often looks similar. The operational reality is not.
Ask for specifics. How many analysts are on shift at 2am on a Sunday? What is their average tenure? What authority do they have to take containment action without waiting for client approval? What does escalation look like and what is the expected time from alert to human review?
Question 2: What Does Your Mean Time to Detect Actually Look Like in Practice?
MTTD is a standard metric in the managed security space and most providers will give you a number. The number is not always meaningful on its own. Mean time to detect what, exactly? Automated detections that fire on known signatures have a different MTTD than analyst-led investigations that surface novel activity. A provider whose MTTD is fifteen minutes for commodity malware and six hours for lateral movement is not the same as a provider with fifteen-minute MTTD across both.
Ask for MTTD broken down by detection type. Ask what percentage of detections are automated versus analyst-identified. Ask for examples of incidents where analyst judgment identified something the automated tooling missed. The answers will tell you whether the MTTD number reflects the kind of detection that matters or the kind that is easy to measure.
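The point about a single MTTD number hiding the spread is easy to check once you have a provider's incident export in hand. The script below is an added illustration, not code from the original article or from any provider: it takes constructed incident records (the field names first_evidence, detected, detection_type and detected_by are assumptions, not any vendor's schema) and reports overall MTTD, MTTD per detection type, the automated-versus-analyst split, and the incidents that an analyst surfaced rather than an automated rule.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample incident records for illustration only. The field names
# are assumptions for this example, not any provider's export format.
INCIDENTS = [
    {"id": "INC-001", "detection_type": "commodity_malware", "detected_by": "automated",
     "first_evidence": "2024-03-02T01:00:00", "detected": "2024-03-02T01:12:00"},
    {"id": "INC-002", "detection_type": "commodity_malware", "detected_by": "automated",
     "first_evidence": "2024-03-05T14:30:00", "detected": "2024-03-05T14:48:00"},
    {"id": "INC-003", "detection_type": "commodity_malware", "detected_by": "automated",
     "first_evidence": "2024-03-09T22:10:00", "detected": "2024-03-09T22:25:00"},
    {"id": "INC-004", "detection_type": "lateral_movement", "detected_by": "analyst",
     "first_evidence": "2024-03-11T02:00:00", "detected": "2024-03-11T07:00:00"},
    {"id": "INC-005", "detection_type": "lateral_movement", "detected_by": "analyst",
     "first_evidence": "2024-03-15T19:00:00", "detected": "2024-03-16T02:00:00"},
]


def _minutes_to_detect(record):
    """Minutes between the earliest evidence of activity and the detection."""
    start = datetime.fromisoformat(record["first_evidence"])
    end = datetime.fromisoformat(record["detected"])
    delta = (end - start).total_seconds() / 60
    if delta < 0:
        # A detection timestamp earlier than the evidence it detected is a
        # data-quality problem worth raising with the provider, not averaging away.
        raise ValueError(f"{record['id']}: detected before first evidence")
    return delta


def overall_mttd(records):
    """The headline number a provider will usually quote."""
    return mean(_minutes_to_detect(r) for r in records)


def mttd_by_type(records):
    """MTTD broken down by detection type, which is what to ask for instead."""
    groups = defaultdict(list)
    for r in records:
        groups[r["detection_type"]].append(_minutes_to_detect(r))
    return {dtype: mean(values) for dtype, values in groups.items()}


def detection_source_share(records):
    """Fraction of detections attributed to automation versus analysts."""
    counts = defaultdict(int)
    for r in records:
        counts[r["detected_by"]] += 1
    total = len(records)
    return {source: n / total for source, n in counts.items()}


def analyst_found(records):
    """Incident ids where analyst judgment, not an automated rule, made the call."""
    return [r["id"] for r in records if r["detected_by"] == "analyst"]


def report(records):
    lines = [f"overall MTTD: {overall_mttd(records):.0f} min"]
    for dtype, value in sorted(mttd_by_type(records).items()):
        lines.append(f"  {dtype}: {value:.0f} min")
    for source, share in sorted(detection_source_share(records).items()):
        lines.append(f"  detected by {source}: {share:.0%}")
    lines.append(f"  analyst-identified: {', '.join(analyst_found(records))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(INCIDENTS))
```

On the constructed records the headline figure is 153 minutes, which describes neither the 15-minute commodity-malware detections nor the six-hour lateral-movement ones. Asking for the per-type breakdown, and for the list of analyst-identified incidents, is what makes the number comparable across providers.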
Question 3: What Platforms Are You Actually Running and Do You Own the Data?
The technology stack an MSSP runs matters, but the more important question is data ownership and portability. If you end the relationship, what happens to your data? Can you export your SIEM logs, your historical detections, your incident records? Are they in a format you can ingest into a different platform or are they locked in a proprietary system?
Some providers run enterprise-grade platforms that give you genuine visibility and data portability. Others run proprietary systems where the data is effectively theirs while you are a customer and yours only in a limited sense when you leave. Understanding this before you sign is significantly easier than negotiating it after.
Also ask about the technology stack specifically. Platforms matter. A provider running Stellar Cyber, SentinelOne, and Qualys is making different capability and quality commitments than a provider running a collection of open-source tools stitched together with custom integrations. You should know what you are paying for.
Question 4: How Do You Handle Incident Response When Something Actually Happens?
Most managed security contracts include some form of incident response support, but the scope of that support varies considerably. Does the provider have IR capability or do they stop at detection and notification? If they detect a ransomware infection beginning to spread, what is the next step — do they contain it or do they call you and wait?
Ask for a specific scenario walkthrough. Walk them through a ransomware scenario and ask exactly what they do, in what sequence, with what authority, and what they hand off to you and when. The answer will reveal whether IR is a genuine capability or a line item in the contract that means "we will tell you when something is wrong."
Also ask about their breach coach and legal counsel relationships. In a real incident, access to legal counsel and coordination with your insurer need to move fast. Whether your MSSP has those relationships established before you need them is worth understanding in advance.
Question 5: Can I Talk to a Current Client in My Industry?
This is the question that separates providers who are confident in their delivery from those who are not. Any MSSP worth signing with can connect you with a reference client in a comparable industry who will give you an honest account of what the service is like to receive — not just to buy.
Pay attention to whether the reference is offered proactively or whether it has to be requested. Pay attention to whether the reference client is in a comparable industry and of a comparable size, or whether the provider is connecting you with their largest and most prominent customer as a showcase rather than a representative example.
When you speak with the reference, ask about responsiveness, communication quality, and whether the service delivered what was promised after the contract was signed. The gap between sales and delivery is where managed security relationships most often fall short, and a reference client can tell you whether that gap exists in a way that no sales conversation can.
What Good Answers Look Like
A provider who answers these five questions with specificity, confidence, and without deflection is demonstrating something important: they have thought through their operational model and they are comfortable with scrutiny. That comfort with scrutiny is itself a signal about how they approach the work.
A provider who redirects to marketing materials, offers vague commitments about SLAs, or cannot connect you with a reference client is telling you something equally important.
The managed security relationship is one where you are trusting another organization with visibility into your environment and responsibility for your security outcomes. That trust should be earned through direct, specific answers to direct, specific questions — not through a polished sales presentation.
Ask the questions. Listen to the answers. Sign with the provider who earned it.
