How to Evaluate an IT Provider in 30 Minutes (Questions, Red Flags, What Good Looks Like)
A 30-minute checklist that any small business owner can use on a first call. The questions that separate a real MSP from a salesperson, the red flags, and what a good answer sounds like.
The Mindset Shift: You're Hiring a Team, Not Picking a Vendor
Most owners walk into an MSP discovery call thinking it's a vendor evaluation — like picking a coffee supplier or a printer-leasing company. It isn't. Within six months, your IT provider will know more about your business than half your employees. They'll have admin access to your email, your files, your accounting system, and the laptops on every desk. They'll be in the room (or on the call) every time something breaks. That's not a vendor relationship. That's a hire.
The shift in mindset that helps most: walk into the call the way you'd walk into a senior-hire interview. You're not asking "what does it cost?" first. You're asking "can this team actually do the job, and will I want to be in business with them in three years?" Cost matters. It's not the first question.
A 30-minute discovery call won't tell you everything. But run honestly, it's enough to filter out the bottom half of the SoCal MSP market. The other half — the providers who could actually run your IT — give you specific, confident, sometimes inconvenient answers to the questions below.
Minutes 0-10: Who Are They, Really?
Spend the first ten minutes getting concrete answers about the company itself. Vagueness here predicts vagueness everywhere else.
"How long has the company been operating, and how many people are on the team?" Both numbers matter. A two-person shop that's been running for ten years is a very different bet from a 20-person shop that opened last year. Either can be the right answer for a small business — but the answer changes how you think about resilience. What happens when the principal goes on vacation? What happens when the lead engineer quits?
"How many clients in our industry do you currently support?" If the MSP has a strong vertical concentration — say, ten dental practices in the Inland Empire, or four RIAs across SoCal — they've already learned the compliance edges. If they're industry-agnostic, they'll have to learn yours on your dime. Neither is automatically wrong, but the answer should match how they price the relationship.
"What's your typical client size — number of users and revenue?" A 200-user firm and a 12-user firm are different products. An MSP optimized for one will struggle with the other. Watch for the answer "we serve everyone" — that's almost always a sign they don't really know who they serve, which means they don't really know how to serve you specifically.
Red flag in this block: the answers all rhyme. "We're a great fit for your size, in your industry, doing exactly what you need." Real MSPs have a sharper picture of who they serve and who they don't.
What good sounds like: "We're a six-person team. We've been running for eight years. We're heavy in professional services and healthcare across the Inland Empire and OC — about 18 active clients, average size 15 users. Your size and industry are inside the box we serve well."
Minutes 10-20: How Do They Actually Work?
Now you're past the company snapshot. The middle ten minutes are about how they deliver.
"Walk me through what happens the first 30 days after we sign." A real MSP has done this dozens of times and can describe the onboarding process in steps. They know what they ask for, in what order, and why. A vague "we get you set up and then start supporting you" is a sign onboarding isn't standardized — which means yours will be ad-hoc.
"What tools do you deploy on our laptops, and what do they do?" Listen for specifics: an RMM agent, an EDR security tool, a backup agent. They should be able to name the products and explain in plain English what each one does. "We have monitoring" is not an answer. "We deploy [specific RMM] for patch management and remote access, and [specific EDR] for endpoint security — that's how we catch ransomware before it spreads" is.
"What does a typical helpdesk ticket look like, end to end?" Ask for a real example. They should describe how the ticket gets opened (phone, email, portal), how it's triaged, how response time targets work, and how the user gets updated. If the answer is hand-wavy, the ticket experience will be too.
"How do you handle after-hours emergencies?" Two things matter here. First — is after-hours included in the monthly fee or charged separately? Second — what counts as an emergency? An MSP that has thought this through has a written definition. One that hasn't will improvise, expensively.
Red flag in this block: they describe their process by listing the brands of software they use, without explaining what each one does for you. The tools matter less than the process around them.
What good sounds like: confident, specific answers that include the words "we usually" and "in your case it would be" — meaning they have a default playbook AND they're already adapting it to what you've told them.
Minutes 20-30: Security, Compliance, and the Hard Questions
The last ten minutes filter the most. Most MSPs are comfortable with the first two blocks. This one separates the security-first providers from the helpdesk-first ones.
"What's your approach to cybersecurity for a company our size?" Listen for whether the answer is structured around a framework — NIST, CIS Controls, the Microsoft Zero Trust pillars — or whether it's a list of products. A real security-aware MSP starts with "how should access to your systems work" and works backward to tools. A product-first MSP starts with the tools they happen to resell.
"What does your incident response process look like if we get hit with ransomware tomorrow?" This is the most revealing question on the list. A confident MSP has a runbook — they can tell you who they call, what they isolate first, who handles client communications, who works with cyber-insurance. A nervous MSP changes the subject. If they don't have an IR plan for their own clients, you don't have one either.
"How do you handle compliance work for our industry?" If you're in a regulated vertical — healthcare ([HIPAA](/industries/healthcare)), [financial services](/industries/financial-services), real estate / title — the MSP should know the framework names without prompting and have at least one client where they've been through an audit or examiner cycle. If they say "we make sure things are compliant" without naming what compliant means, treat that as a red flag.
"What's the biggest mistake your last new client made before you came in?" The answer here is often the most useful in the call. A real MSP has stories — "the last new client had MFA on email but not on their accounting system, so when an attacker got the accountant's password they had three weeks to do whatever they wanted before anyone noticed." Stories like that mean they actually do this work.
Red flag in this block: every answer is reassuring without being specific. "We've got that covered" is not an answer to a security question. It's how you know you don't have it covered.
What good sounds like: "We follow CIS Controls v8 as our baseline. For ransomware, our IR plan starts with isolating the affected device through our EDR console — usually within 5 minutes of detection — then we walk the client through carrier notification because most cyber-insurance policies have specific timing requirements. We've been through one ransomware response on a client and several on prospects we picked up after."
After the Call: What to Do With What You Heard
A 30-minute call gives you a lot of signal but no guarantees. Use the next 24 hours to do three things.
Write down three concrete answers from the call — things specific enough that you'd recognize them if they showed up in the contract. "They include EDR in the monthly fee." "They commit to a 30-day onboarding playbook." "They've worked with [specific framework] for at least one client." These specifics are what should show up in the SOW. If they don't, the conversation was marketing, not commitment.
Run two reference checks. Ask the MSP for two clients in your industry or your size range. Call them. Ask one question: "What's it actually like to work with them on a hard week?" The good weeks are easy. The bad weeks are how you find out who the MSP really is.
Compare against [our contract checklist](/blog/it-support-contract-checklist-2026). If you've talked to two or three providers, the differences in their answers will line up with the differences in their contracts. The MSP that gave specific answers usually delivers specific contracts. The one that gave vague answers will deliver vague contracts and you'll spend the next year arguing about scope.
If you're a SoCal small business and you'd like a sanity-check call before you sign with anyone — including us — we'll do a 30-minute conversation. We'll tell you what we'd ask if we were sitting across from your shortlist. No pitch, no commitment. The point is for you to make a confident decision, not to add another logo to our roster.
