Sequentur Blog
What is a network assessment and why your business should have one
Most small and mid-sized businesses run their network on faith. The internet works, the printers usually print, the WiFi covers most of the office most of the time, and nobody has been hit by ransomware yet. As long as nothing is on fire, the network does not get attention. The problem is that the things that take down a small business network rarely announce themselves first. A switch that has been quietly dropping packets for six months, a firewall whose firmware has not been updated since 2021, an access point still running default credentials, a flat network where the guest WiFi can reach the accounting server. None of those issues file a ticket. They just sit there until something goes wrong.
A network assessment is the structured way to find out what you actually have, where it is breaking, and what it would cost to fix. It is not a sales pitch. It is the engineering equivalent of a physical exam for the network – inventory, measurements, security review, and a prioritized list of findings. Most businesses that have one walk away surprised by at least three things they did not know were true.
This article covers what a real network assessment includes, what you get out of it, how long it takes, what it typically costs, and when it is the right move. It is written for owners, office managers, and IT generalists who are evaluating whether to bring an MSP in for a closer look or who want to know what they should be getting before they sign one. A network assessment is the entry point for the broader operational engagement covered in managed network services for small business.
Short answer: what a network assessment is and when you need one
A network assessment is a structured discovery engagement that maps your network, inventories every device, measures real performance, identifies security gaps, and produces a prioritized findings report. A standard SMB assessment takes one to three weeks, costs between $1,500 and $7,500 depending on scope, and produces enough information to plan the next 12 to 24 months of network spend. It is the right move when the network has grown organically without an architecture, when something has gone wrong and you want to know why, when you are evaluating an MSP, when you are about to expand or move offices, or when you have never had one done.
What a network assessment covers at a glance
| Area | What gets reviewed | What you find out |
|---|---|---|
| Topology | How devices are connected, broadcast domains, segmentation | Whether the network has a real design or just grew |
| Device inventory | Every firewall, switch, access point, server, endpoint | What you actually own, ages, support status – and where unmanaged switches need to be replaced with managed ones |
| Performance | Throughput, latency, packet loss, WiFi coverage | Where the real bottlenecks are |
| Security gaps | Open ports, default credentials, unpatched firmware | Where an attacker would get in |
| Patch and firmware status | OS, firmware, and software versions across the fleet | What is end-of-life or behind on updates |
| Backup verification | Backup jobs, retention, restore testing | Whether your backups would actually restore |
| Configuration review | Firewall rules, WiFi settings, DNS, DHCP | What is misconfigured or accidentally exposed |
| Documentation | Network diagrams, IP plans, vendor and license records | Whether anyone could pick this up if your IT person left |
| Findings and remediation plan | Prioritized list of issues with severity and recommended fix | What to do first, what can wait, what to budget for |
If you only get a few of these in your “assessment,” it is not a network assessment. It is a sales pitch in a Word document.
Why most SMBs need a network assessment
Three patterns account for 80 percent of the SMBs that benefit most from an assessment.
The network grew without a design
The original network was set up for ten people in a single suite. Then the company hired, moved, took over the suite next door, brought on remote workers, added a guest WiFi, plugged in a few VoIP phones, installed cameras, and added a couple of servers. Each addition made sense at the time. None of it was planned together. Twelve years later there are five switches daisy-chained off a sixth, two parallel WiFi systems, and a firewall that is technically running but has not had a configuration change reviewed in years.
This is the most common SMB network reality and it is not a moral failure. It is what happens when a business grows faster than it pauses to redesign its infrastructure. An assessment is the way out – it produces the documented baseline that should have been there from the start.
Something broke and nobody knows why
A ransomware incident, a multi-day outage, a video conferencing call that drops every Tuesday at 2 p.m. – these are the events that finally make leadership ask why the network is the way it is. The article on signs your small business network has been compromised covers the security side, and why your small business network is slow and how to fix it covers the performance side. Either category becomes the trigger for a structured look.
The business is about to change shape
Office moves, new locations, mergers, big headcount expansions, and major SaaS migrations all stress a network in ways the existing design was never tested for. Doing a network assessment before the change costs less than reacting after – and the assessment frequently changes what gets ordered, where it gets installed, and how the cutover is sequenced.
What a real network assessment includes
A real assessment has a structure. The exact sequence varies by provider, but the deliverables look similar.
1. Topology mapping
Someone walks the building – or remotes in across all sites – and produces a diagram showing how every network device connects to every other network device. ISP termination (and whether there is a redundant secondary connection or whether the single fiber is a quiet single point of failure), firewall, core switch, access switches, access points, servers, NAS, printers, VoIP, cameras, IoT. The diagram captures broadcast domains, VLANs, trunk ports, uplinks, and any segmentation in place. Most SMBs have never seen a current network diagram of their own office. The first time they do, problems jump off the page.
2. Full device inventory
Every device on the network gets inventoried. For network gear: vendor, model, firmware version, install date, end-of-life date, support contract status. For endpoints and servers: OS, patch level, antivirus or EDR coverage, last successful backup, drive health, disk encryption status. Inventory is the foundation for everything else – you cannot patch what you do not know exists, and most SMBs find devices in their inventory that they had forgotten were running.
3. Performance measurement
This is where the assessment goes beyond inventory. The assessor measures actual throughput at multiple points in the network – not just the speed test at the router, but throughput between key endpoints, across switches, over WiFi in different parts of the office. They look at latency, packet loss, error counters on switch ports, and broadcast traffic levels. WiFi gets a coverage map showing signal strength and channel utilization room by room.
This is where most “the network is slow” complaints turn into specific findings. A 40 percent packet loss on one switch port. A WiFi access point covering an area where four others overlap on the same channel. A backup job that pushes 800 GB across a 1 Gbps switch every night and saturates it from 2 a.m. to 5 a.m. None of this shows up in a 30-second conversation – it shows up in measurement.
4. Security review
The security side of an assessment works through the same checklist a competent attacker would run. The verification version of that checklist is the network security checklist for small business, which any SMB can self-audit against quarterly.
- External attack surface: what ports are open from the internet, what services are exposed
- Firewall configuration: rule hygiene, default-deny posture, outbound filtering, geo-blocking – the baseline a fresh deployment should hit is in how to set up a business firewall for a small office
- Internal segmentation: can guest WiFi reach the accounting server, can a single compromised endpoint reach the entire network
- Default credentials: how many devices are still on the vendor default
- Patch status: what firmware and software is running unpatched
- Wireless security: encryption standards in use, guest network isolation (the baseline a clean guest WiFi setup should hit), rogue AP detection
- Remote access: VPN configuration, MFA enforcement, who can get in from outside
- Logging and monitoring: what is being logged, where logs go, who reviews them
The findings here often surprise leadership the most. The articles on the security side of VPN vs zero trust network access and on how ransomware gets into small business networks are both worth reading alongside this one – the assessment uses the same threat model.
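One way to test the internal segmentation item above against an exported rule set, as an added example (not code from the original article): it evaluates a simplified first-match rule table with an implicit default deny and names the rule that lets the guest network reach a protected server. The rule format, rule names, subnets and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                    # "allow" or "deny"
    src: str                       # source CIDR
    dst: str                       # destination CIDR
    ports: Optional[range] = None  # None means any port

# Constructed rule export, evaluated top to bottom (first match wins).
RULES = [
    Rule("guest-to-printer", "allow", "10.0.50.0/24", "10.0.10.20/32", range(9100, 9101)),
    Rule("guest-block-lan", "deny", "10.0.50.0/24", "10.0.10.0/24"),
    Rule("legacy-any-to-servers", "allow", "10.0.0.0/16", "10.0.20.0/24"),  # stale, too broad
    Rule("staff-to-servers", "allow", "10.0.10.0/24", "10.0.20.0/24", range(443, 444)),
]
GUEST_NET = "10.0.50.0/24"
# Flows that must NOT be possible from the guest network: (label, ip, port).
PROTECTED = [
    ("accounting server (SMB)", "10.0.20.5", 445),
    ("LAN file share (SMB)", "10.0.10.30", 445),
]

def first_match(rules, src, dst, port):
    """Return the first rule matching the flow, or None (implicit default deny)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if (src_ip in ipaddress.ip_network(rule.src)
                and dst_ip in ipaddress.ip_network(rule.dst)
                and (rule.ports is None or port in rule.ports)):
            return rule
    return None

def segmentation_leaks(rules, src_net, protected):
    """Map each protected flow to the allow rules that let any host in src_net reach it."""
    leaks = {}
    for label, ip, port in protected:
        hits = []
        # Checking every host keeps the result correct when rules only
        # partly overlap the source subnet; cheap for SMB-sized networks.
        for host in ipaddress.ip_network(src_net).hosts():
            rule = first_match(rules, host, ip, port)
            if rule is not None and rule.action == "allow" and rule.name not in hits:
                hits.append(rule.name)
        if hits:
            leaks[label] = hits
    return leaks

if __name__ == "__main__":
    for label, names in segmentation_leaks(RULES, GUEST_NET, PROTECTED).items():
        print(f"FINDING: guest network reaches {label} via rule(s) {', '.join(names)}")
```

The explicit guest deny covers only the office LAN, so the older broad allow rule further down still admits guest traffic to the server subnet; that ordering effect is what a rule-hygiene review is looking for.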
5. Patch and firmware status
Network gear runs firmware that vendors update for security and bug fixes. Endpoints and servers run OS and application updates. The assessment captures what is current, what is behind, what is end-of-life with no path forward, and what is end-of-support but still running. The takeaway is usually two or three devices that need to be replaced and a patch cadence problem that needs to be fixed.
6. Backup verification
Backups are the single most lied-about part of an SMB IT environment. Every business says they have backups. Many of those backups have not completed successfully in months, are stored in a way that ransomware can encrypt them along with the originals, or have never been tested by actually restoring something. A real assessment looks at:
- What is being backed up and what is not
- Where the backups go and whether they are immutable or air-gapped
- How long backups are retained
- Whether a restore has actually been tested in the last 12 months
- How long a full restore would take if needed today
Backup findings often become the highest-severity items in the report. A business that has no working backup is one ransomware event away from a closing event.
7. Configuration review
Firewall rules, DNS settings, DHCP scopes, VLAN assignments, WiFi SSID configuration, switch port settings – the things that were set up at some point and have not been reviewed since. Configuration drift is normal. Configuration review catches the things that drift turned into actual exposure.
8. Documentation and operational readiness
Could someone other than your current IT person pick up the network and understand it? Are there current diagrams, IP plans, vendor contact records, license keys, admin credentials in a secure vault, monitoring dashboards, alert routing? Operational readiness is what determines how long an outage lasts when something does go wrong.
9. Findings and remediation plan
The output of all of the above is a written report with a prioritized findings list. Each finding has a severity (critical, high, medium, low), a description of what was found, why it matters, and a recommended fix with effort estimate. The report should be the reference document leadership uses to plan the next 12 to 24 months of network spend.
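A sketch of how the inventory, patch-status and backup checks feed the prioritized findings list, as an added example (not code from the original article). The CSV columns, device names, dates and the severity assigned to each condition are assumptions made for illustration; a real report would set severities per environment.

```python
import csv
import io
from datetime import date

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample inventory; columns are assumed, loosely following
# the inventory fields the article lists.
INVENTORY_CSV = """device,model,eol_date,support_contract,default_credentials,holds_backups,last_restore_test
edge-fw,ExampleFW 100,2024-06-30,no,no,no,
core-sw,ExampleSwitch 48,2027-01-31,yes,no,no,
ap-lobby,ExampleAP 2,,yes,yes,no,
nas-01,ExampleNAS 4,2029-12-31,yes,no,yes,2024-11-02
"""

def _parse_date(text):
    """Parse an ISO date, treating an empty cell as 'not recorded'."""
    text = (text or "").strip()
    return date.fromisoformat(text) if text else None

def _yes(text):
    return (text or "").strip().lower() == "yes"

def assess(csv_text, as_of):
    """Return findings as (severity, device, description), most severe first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        dev = row["device"]
        if _yes(row["default_credentials"]):
            findings.append(("critical", dev, "vendor default credentials still set"))
        eol = _parse_date(row["eol_date"])
        if eol is None:
            findings.append(("medium", dev, "end-of-life date not recorded"))
        elif eol < as_of:
            findings.append(("high", dev, f"end-of-life since {eol}"))
        elif (eol - as_of).days <= 365:
            findings.append(("medium", dev, f"reaches end-of-life on {eol}"))
        if not _yes(row["support_contract"]):
            findings.append(("low", dev, "no active support contract"))
        if _yes(row["holds_backups"]):
            tested = _parse_date(row["last_restore_test"])
            if tested is None or (as_of - tested).days > 365:
                findings.append(("critical", dev, "no restore test in the last 12 months"))
    # Sort by severity first, then device name, so the report reads top-down.
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))

if __name__ == "__main__":
    for severity, device, text in assess(INVENTORY_CSV, date(2026, 3, 1)):
        print(f"{severity.upper():8} {device:9} {text}")
```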
What you actually get out of it
The deliverable should include all of the following.
A current network diagram
The diagram alone is worth the engagement for many SMBs. It is the document that did not exist before, and it makes everything else (insurance, audits, future projects, MSP onboarding, key-person risk reduction) easier.
A complete device inventory
A spreadsheet (or live database) of every network device with its model, firmware, status, and end-of-life date. The inventory is the foundation for budget planning – you can finally answer “what do we need to replace next year and the year after.”
A prioritized findings list
The findings list is the reason the assessment is structured the way it is. Critical and high-severity findings get a fix recommendation and an estimate. Medium and low-severity findings get documented for the roadmap. Leadership can read the executive summary and understand the risk picture in five minutes; IT can read the full report and start working.
A remediation roadmap
A 12 to 24 month plan that sequences the fixes. Some are urgent. Some can wait until the next budget cycle. Some pair naturally with other planned work (an office move, a new line of business, a SaaS migration). The roadmap is what turns the findings into an actionable budget conversation.
A baseline you can measure against
After the assessment, there is a documented “this is what the network was on date X” reference. Future assessments measure against it. That is what makes the assessment a recurring tool rather than a one-time event.
How long a network assessment takes
The answer depends on scope, but the typical SMB engagement looks like this:
| Phase | Typical duration | What happens |
|---|---|---|
| Kickoff and information gathering | 1 to 3 days | Stakeholder interviews, document collection, access setup |
| On-site or remote discovery | 2 to 5 days | Walk-through, device discovery, configuration capture |
| Performance and security measurement | 3 to 7 days | Throughput tests, WiFi coverage mapping, vulnerability scanning |
| Analysis and report preparation | 3 to 5 days | Findings analysis, prioritization, report writing |
| Findings review and roadmap session | Half a day | Walk-through with leadership, Q&A, roadmap planning |
| Total | 1 to 3 weeks | |
A single-office SMB with under 50 endpoints typically lands at one to two weeks. A multi-site engagement with a hundred endpoints across several offices is more like three weeks. Engagements that try to compress this into a single afternoon are not real assessments.
What a network assessment costs
Costs vary, but the SMB ranges below are honest market ranges as of 2026.
| Engagement size | Typical cost range | What is in scope |
|---|---|---|
| Single office, under 25 endpoints | $1,500 to $3,000 | Standard assessment, single site, one network |
| Single office, 25 to 75 endpoints | $3,000 to $5,000 | Standard assessment with deeper performance and security review |
| Multi-site, 75 to 200 endpoints | $5,000 to $7,500 | Multiple sites, multiple networks, more complex segmentation |
| Larger or specialized | $7,500+ | Compliance-driven (HIPAA, CMMC, SOC 2), unusual scope, M&A diligence |
Some MSPs offer a free or low-cost initial assessment as part of their sales process. There is nothing wrong with that as long as you understand what you are getting – a free assessment is usually a scoping conversation plus a high-level scan, not a full engagement. Both have value, but they are different products.
Self-assessment vs MSP-led assessment
A motivated IT generalist can do meaningful self-assessment work. The honest tradeoffs:
What you can do yourself
- Build a device inventory using a spreadsheet
- Run speed tests from a wired laptop at multiple points
- Audit firewall rules and remove obviously stale ones
- Verify that backups actually restore something
- Check firmware status on every device
- Review who has admin access to what
What is harder to do well yourself
- Structured WiFi coverage mapping (requires the right tools and methodology)
- Vulnerability scanning that reaches every device without missing or breaking things
- Segmentation analysis (it is hard to evaluate your own design)
- Configuration review (you wrote the configuration, so blind spots persist)
- Threat modeling and risk prioritization (requires breadth of exposure to other environments)
The pragmatic SMB pattern is: do the inventory and patch-status pieces yourself, get an outside MSP for the security and architecture review, then use the combined findings as your roadmap.
What an assessment will not tell you
Setting expectations matters. A network assessment will not:
- Replace ongoing monitoring. It is a point-in-time snapshot, not a permanent watchman. Continuous monitoring is what an MSP relationship adds on top.
- Find every vulnerability. Vulnerability scanning catches known issues; targeted attack simulation (a penetration test) is a different engagement.
- Predict the future. The roadmap is based on today’s network and today’s known threats. Both will change.
- Resolve disagreement on its own. If leadership and IT disagree on priorities, the report informs the conversation but does not end it.
When to do a network assessment
Common triggers, in rough order of how often they come up.
| Trigger | Why an assessment now |
|---|---|
| You have never had one | Most SMB networks have grown without a current architecture review |
| You are evaluating an MSP | The findings make the proposal scope concrete instead of abstract |
| Something just broke | An incident is the cheapest opportunity to do a structural review |
| You are moving or expanding | Designing the new space without a baseline is a guess |
| Your IT person is leaving | The diagrams and inventory protect against key-person risk |
| Your insurance is asking | Cyber insurance applications now ask questions only an assessment can answer |
| Compliance requires it | HIPAA, CMMC, SOC 2 all expect documented network controls |
| Annual cadence | Once you have done one, doing it again every 18 to 24 months keeps the baseline current |
Common network assessment mistakes
Even when SMBs commission an assessment, there are predictable ways to get less out of it than they should.
- Treating it as a checkbox. A report sitting in a shared drive is not an outcome. The roadmap has to actually drive budget and project decisions over the following 12 to 24 months. If nothing changes after the report, you paid for paper.
- Letting the assessor scope the engagement without pushback. A “free assessment” that is really a 30-minute scan plus a sales meeting is not a network assessment. Read the deliverables list before you sign. If the deliverables do not include an inventory, a diagram, and a prioritized findings list, it is not a real assessment.
- Assuming all assessments are the same. A break-fix shop’s assessment is shallower than a security-first MSP’s assessment. A vendor-aligned assessment skews findings toward what that vendor sells. Ask what the assessor is incentivized to recommend before you read the recommendations.
- Skipping the executive readout. The findings session matters as much as the report. Leadership needs to hear the top three risks in plain English. Without that conversation, the report stays unread and nothing changes.
- Doing it once and never again. Networks drift. The state of the network 18 months after an assessment is different from the state on day one. Re-assessment cadence (typically every 18 to 24 months) keeps the baseline current.
- Refusing to share access. An assessor who is not given read access to firewalls, switches, the directory, and the backup system cannot produce a real assessment. If trust is the blocker, scope a smaller engagement first and grow from there.
- Not budgeting for remediation. The assessment tells you what to fix. Remediation costs more than the assessment. Plan for a remediation budget of three to ten times the assessment cost depending on what is found – a clean network costs less to remediate, a neglected one costs more.
- Confusing it with a penetration test. An assessment maps and audits the network. A pen test attempts to compromise it. Both are useful and they are different products – an assessment is usually the right starting point, with a pen test added later for higher-stakes environments.
- Letting findings sit for years. A “high severity” finding that is still open 18 months later is no longer just a finding. It is a documented decision to accept the risk. Insurance underwriters, auditors, and post-breach forensics will all read it that way.
- Skipping the documentation handoff. The diagrams, inventory, and configuration backups produced during the assessment are the most durable output. Make sure they end up in your documentation system, not just in the assessor’s project folder.
How long it takes for an assessment to pay back
| Outcome | Typical time to value |
|---|---|
| Critical security finding fixed | Same week (cost of breach avoided is the highest-leverage payback) |
| Network performance issue identified and fixed | 1 to 4 weeks (productivity gain compounds) |
| End-of-life equipment replaced on schedule | 1 to 12 months (budget plan, no fire drill) |
| Documentation gap closed | Immediate (insurance, audits, key-person risk all improve) |
| Reduced incident frequency | 6 to 18 months (fewer outages, fewer support calls) |
| Cleaner MSP relationship and scope | First month of managed services |
Most SMBs that take the findings seriously see the assessment cost recovered within the first remediation cycle – in productivity, downtime avoided, or one prevented incident.
How Sequentur can help
If you are considering a network assessment, or you have one and want a second opinion on the findings, schedule a call.