What is a managed service provider (MSP) and what do they actually do

If you have never hired one, “managed service provider” sounds like vague consulting jargon. What does it actually mean? Are they a help desk? An IT company? A security firm? Something else?

The short answer: a managed service provider, or MSP, is a company that runs parts of your business IT for you on an ongoing monthly basis, instead of you running it yourself or calling someone only when something breaks. The longer answer involves what is actually included, how the relationship works day to day, and why more small businesses are shifting away from handling IT internally.

This guide walks through all of that in plain language. No vendor jargon, no sales pitch. If you are trying to figure out whether an MSP is something your business should be thinking about, this is the starting point. For the full Sequentur service overview – what we include, who it fits, what it costs, and how the engagement works – see managed IT services for small business.

A plain English definition

An MSP provides and maintains business technology services for you, as a monthly subscription, instead of charging per incident or per project. They typically handle:

• IT support. When an employee’s laptop will not turn on or their Outlook stops working, the MSP is who they contact for help.
• Security. Firewalls, antivirus (now called EDR), email filtering, monitoring for threats, responding when something suspicious happens.
• Backup and recovery. Making sure your business data is backed up, testing the backups, restoring files when needed.
• Cloud services. Setting up and managing Microsoft 365 or Google Workspace, keeping them configured correctly.
• Hardware and software management. Keeping laptops, phones, and servers up to date, patched, and configured to company policy.
• Helpdesk. A phone number or portal employees can use to get help, with documented response times.

The exact scope varies by provider. Some MSPs are general IT shops that do all of the above. Some specialize in a specific area (security-only MSPs are sometimes called MSSPs). Some concentrate in specific industries like healthcare, legal, or defense contracting – the vertical vs generalist comparison walks through when that specialization matters vs when a strong generalist is equally good. Some add strategic services like IT planning and technology roadmaps.

The business pays a monthly fee, usually calculated per user or per device (see how MSPs are paid for the mechanics of each pricing model), and gets all of this handled. Instead of buying IT support as hours or incidents, you are buying an outcome: “the IT stuff works.”

What MSPs actually handle day to day

A real MSP relationship is not just a help desk number. It is a continuous operational layer. Here is what that looks like in practice:

User support

When an employee has a problem, they contact the MSP. Email, chat, phone, or a ticketing portal – whatever the MSP offers. The MSP helps them resolve it, often remotely, usually the same day for non-urgent issues and within hours for anything blocking work.

The kinds of issues that come up: password resets, locked accounts, software installs, printer setup, VPN troubleshooting, Outlook acting weird, file recovery, device replacement. Hundreds of flavors, all small in isolation, collectively enormous if nobody is handling them.

Proactive monitoring

Behind the scenes, the MSP watches your systems. Their monitoring tools see when a server’s disk is filling up, when a workstation is failing patches, when someone’s account has suspicious login attempts. They act on these signals before the user notices a problem.

This is the biggest difference between an MSP and an old-style break-fix IT consultant. The MSP is trying to prevent problems. Break-fix waits for them to happen.

Patching and updates

Operating systems, applications, and firmware all need security updates regularly. The MSP handles this centrally – every Windows laptop gets Windows updates on a schedule, every browser stays current, every server gets patched during off-hours.

For a small business, this alone is a significant amount of work that either gets done by someone (or by the MSP) or quietly does not get done, which is how most business breaches happen.

Security monitoring and response

Endpoint detection and response (EDR) runs on every managed device, watching for malicious behavior. The MSP’s security team monitors the alerts, investigates anything suspicious, and responds to incidents. This is either part of managed IT or layered on as a managed cybersecurity service.

Backup and recovery

Business data gets backed up automatically – workstations, servers, cloud applications. The MSP monitors whether the backups actually succeed (which is different from whether they are configured), and periodically tests restores so they know the backups actually work.

When someone deletes a file they needed, or a server fails, the MSP restores it. When the business experiences a disaster (ransomware, physical damage, major failure), the MSP is who runs the recovery.

Onboarding and offboarding

New hires need accounts created, devices issued, software installed, access granted. Departing employees need access revoked, devices wiped, data preserved. For a distributed team, the MSP handles this remotely – the laptop arrives at the new hire’s home configured and ready, the departing employee’s access is shut down cleanly. See managed IT support for remote and hybrid teams for the distributed-team version of this.

Strategic advice

A good MSP is not just reactive. They advise on technology decisions – what to buy, when to upgrade, how to handle growth, where the real risks are in the business. For a small business without an IT director, the MSP fills that role too.

Vendor coordination

When the internet goes down, the MSP deals with the ISP. When a SaaS tool has an outage, the MSP investigates and communicates. When hardware dies, the MSP coordinates the replacement. The business owner does not have to know the difference between a network problem and a DNS problem – that is the MSP’s job.

What services MSPs typically include (and what they do not)

An MSP’s scope is defined by a contract (sometimes called a Master Services Agreement or MSA). See what should be in a managed IT services agreement for the full section-by-section breakdown. Typical inclusions:

• Helpdesk during business hours, often extended hours for urgent issues
• Endpoint management for every user and device
• Standard security stack (EDR, email filtering, MFA configuration)
• Microsoft 365 or Google Workspace administration
• Backup of endpoints and cloud data
• Documentation of the IT environment
• Monthly or quarterly reporting

Common exclusions or add-ons (often billed separately as projects):

• Major infrastructure deployments (new servers, new offices, migrations)
• Security assessments and compliance audits
• Custom software development or integrations
• Web hosting and website management (different discipline)
• Specific compliance certifications (some MSPs offer this, some do not)
• 24/7 coverage beyond a certain tier
• On-site work at the client’s office (some providers charge per visit)

Read the contract before signing. Services that are “included” at one MSP may be add-ons at another, and assumptions about scope are the single most common source of friction in MSP relationships.

The break-fix alternative and why it stopped working

Before “managed services” became the standard, most small businesses bought IT help the way they bought plumbing: when something broke, you called someone, they fixed it, you paid the invoice. Break-fix IT vs managed IT services walks through the cost math, incentive misalignment, and where break-fix still makes sense in detail.

This model is called “break-fix.” It had some upsides (only pay when you need help) and a lot of downsides:

• No prevention. Problems accumulate until they are big enough to call about. The day you call is usually a crisis.
• Slow response. The break-fix technician may be available next week. Your business is down until they arrive.
• No ongoing knowledge. Each incident starts from scratch. The technician does not know your environment.
• Predictably underinvested. Security patches, backups, documentation, monitoring – none of these happen until something fails.
• Unpredictable cost. A quiet month costs nothing. A bad month costs thousands.
• Cannot scale. Growing past a handful of employees makes break-fix untenable.

The shift to managed services happened because the break-fix model could not keep up with how dependent businesses became on technology. When your CRM is down for two days, the cost of the outage dwarfs whatever you saved by not having proactive IT.

Managed services flipped the economics. Instead of paying when things break, you pay a predictable monthly fee to keep things from breaking. The cost is higher in a quiet year, lower in a bad year, and substantially more effective at preventing bad years entirely.

Who MSPs are designed for

MSPs fit businesses that have outgrown “our office manager handles IT” but are not big enough to hire a full IT department. That is a wide range – roughly 10 employees at the low end, up to a few hundred at the high end – but some common signals that a business is in the right zone:

• You have 15 to 250 employees, most of whom depend on IT to do their jobs
• You do not have a dedicated IT person, or your IT person is overwhelmed (if you have one to three internal IT staff who are stretched, co-managed IT lets an MSP fill specific gaps instead of replacing the internal team)
• You use Microsoft 365, Google Workspace, or a similar cloud stack
• You have some kind of sensitive data (customer records, financial data, health data, intellectual property)
• You are growing or expect to grow, and you know your current IT setup will not scale
• You are in a regulated industry or have compliance obligations (HIPAA, SOC 2, PCI)
• You have had a security incident, or you worry that you would not catch one
• You have a distributed or hybrid workforce

MSPs are less of a fit for very small businesses where the cost exceeds the benefit, or for large enterprises with deep internal IT departments. In between, the math works out in most cases.

What the MSP relationship looks like in practice

The onboarding phase

When you engage an MSP, the first 30-60 days are transition. They inventory your environment (what hardware you have, what software you use, what accounts exist, what gets backed up), identify the urgent gaps, and bring your systems under management. This is usually scoped as a project with defined deliverables. What to expect in the first 90 days of MSP onboarding walks through each phase, what deliverables you should see, and the red flags that mean onboarding is going off the rails.

Common findings during onboarding: accounts nobody can identify, devices without encryption, missing MFA, outdated software, backups that have not been tested, documentation that does not exist. The MSP gets these into a workable state before routine managed IT begins.

The ongoing relationship

After onboarding, the relationship settles into a cadence:

• Daily: The helpdesk handles tickets. Monitoring watches for issues. Patches apply on schedule.
• Weekly: A brief internal review of what tickets came in, what trends are emerging, what needs attention. Some clients get a weekly summary.
• Monthly: A meeting (or report) covering ticket volume, security posture, upcoming changes, outstanding issues. This is where strategic conversations happen.
• Quarterly: A deeper business review. What technology decisions should the business be making? What is the roadmap? Where are the risks?
• Annually: A policy and architecture review. What has changed? What needs to change?

The goal is for the client to feel like IT is a stable, quiet capability they can trust, rather than a constant source of friction.

What you still handle

An MSP does not replace the business’s own judgment. The client still:

• Decides what technology to invest in
• Sets priorities
• Makes personnel decisions (hiring, firing, who gets what access)
• Handles HR and legal matters (including offboarding decisions)
• Approves budgets
• Owns the relationship with employees

The MSP provides advice, implements decisions, and handles the operational layer. It does not take over running the business.

How to tell a good MSP from a bad one

Not every company calling itself an MSP is operating as one. Some are effectively break-fix shops with a monthly fee layered on top. A few signals (see how to choose an MSP – what to ask before you sign for the full evaluation playbook):

Signs of a quality MSP

• They want to understand your business before they quote
• They have a documented onboarding process
• They provide regular reporting proactively
• They have named contacts you can reach
• They respond to urgent issues within defined SLAs
• They bring ideas to you, not just respond to yours
• They have their own security house in order (SOC 2, cyber insurance, documented practices)
• Their contract clearly defines what is in and out of scope

Red flags

• Very low pricing (the math does not support real service at very low prices – see what managed IT services actually cost for realistic ranges)
• No clear SLAs or response time commitments
• No reporting or visibility into what they are doing
• High staff turnover (which shows up as new faces every month)
• Reluctance to document the environment or share documentation (this becomes a serious problem at exit time – the switching playbook covers how to recover when the outgoing MSP is uncooperative)
• They do not use the tools they sell to you
• Their own security practices are sloppy

The cheapest MSP is almost never the best choice. But the most expensive one is not automatically the best either. What matters is fit with your business, clear scope, and demonstrated operational discipline.

What this means for your business

If your IT setup is working and you have a capable person handling it, you may not need an MSP today. That is a legitimate answer.

If any of the following signs are true, though, it is worth having the conversation:

• IT issues are taking you or your team away from the work that actually makes money
• You have had a security incident or a near-miss
• You cannot answer basic questions about your security posture, backup state, or device compliance
• Your staff complains about IT friction regularly
• Your “IT person” is not actually an IT professional
• You are about to grow, open a new location, or add a new line of business

An MSP is a way to buy IT as a service rather than building it yourself. Whether that is the right choice depends on your business, but understanding what the option looks like is the first step.

How Sequentur fits in

Sequentur is a security-first MSP / MSSP for small and medium-sized businesses. What that means in practice: we operate as a full managed service provider – helpdesk, endpoint management, backup and recovery, Microsoft 365 administration, and strategic IT advisory – but security sits at the center of every engagement rather than being an optional add-on. EDR on every device, 24/7 monitoring through our MDR practice, conditional access and MFA enforced as a baseline, and documented security processes that hold up to audit scrutiny. For clients in regulated industries or with specific security needs, we layer that deeper through managed cybersecurity services, alongside managed Microsoft 365 services and managed IT for remote and hybrid teams.

The distinction between “MSP” and “MSSP” (Managed Security Services Provider) often comes up when businesses are evaluating providers. A traditional MSP handles IT operations with security as one component. A pure MSSP focuses exclusively on security and typically coordinates with a separate IT provider. A security-first MSP/MSSP combines both in one relationship, which matters for small and medium-sized businesses because splitting the responsibilities between two vendors creates gaps that attackers find.

The businesses we work best with are typically in the 15-to-250-employee range, often in regulated industries (healthcare, legal, financial services, defense), with either no dedicated IT or an internal IT lead who needs the operational and security support to focus on strategic work.

If you have been handling IT yourself and are starting to feel like it is the wrong use of your time, or you have an internal IT person who is drowning, schedule a call and we will walk through what a managed relationship with security at its core would look like for your team.