“Managed IT services” is one of those phrases that means something very specific to the people selling it and something much vaguer to the people buying it. The result is buyers who think they’re paying for an outsourced IT department, sellers delivering reactive ticket-handling, and both sides confused about why the relationship feels off.
Here’s what should actually be on the menu, where the boundaries sit, and what the words mean in plain English.
The five things in any real managed-IT service
A genuinely managed service covers five domains. Less than this and you’re paying for something narrower — which can be fine, but should be priced narrower.
1. Endpoint management
The devices. Laptops, desktops, mobiles, tablets. What’s managed: software inventory, patch deployment, hardware lifecycle, security policy enforcement, monitoring for failures. What’s NOT managed at a basic tier: training your team to use specific software, custom application development, hardware purchase decisions for executives who want particular models.
2. Identity and access
User accounts, passwords, MFA, group memberships, conditional access policies. What’s managed: account lifecycle (joiner-mover-leaver), permission audits, MFA enforcement, sign-in monitoring. What’s NOT in scope: disputes over who should have access to what (that’s a business decision, not an IT decision).
3. Security baseline
Endpoint security (EDR/MDR), email security, backup, password management, security awareness. What’s managed: the controls are configured to a known standard, alerts are monitored, incidents are responded to. What’s NOT included at most tiers: in-depth compliance certification work (SMB1001, Essential Eight Maturity Level 2+, ISO 27001), formal penetration testing.
4. Strategic input
Roadmap planning, technology decisions, vendor coordination, budget guidance. What this looks like: monthly or quarterly review meetings, written recommendations on upcoming decisions, honest input on whether something is worth doing. What it does NOT mean: rubber-stamping anything the client suggests, or pushing premium products the client doesn’t need.
5. Help desk
Day-to-day “something’s broken” support. What’s managed: end-user issues, application support, basic troubleshooting, escalation to vendors where required. What’s NOT included: training (different scope), application customisation (project work), one-off support for tools we don’t manage.
What “managed” doesn’t mean
A few common misunderstandings worth naming:
-
It doesn’t mean ‘unlimited everything.’ Help desk tickets are typically unlimited within reason; project work (new server, M365 migration, office relocation IT) is separately scoped. An MSP that says “everything is included, unlimited” is either lying or going to be unprofitable enough that they go out of business.
-
It doesn’t mean ‘someone available 24/7.’ Most managed services are business-hours plus best-effort after-hours. Genuine 24/7 with response SLA is a premium-tier add-on; if you need it, it’s worth paying for, but it’s not the default.
-
It doesn’t mean ‘all problems will be solved within an hour.’ Service Level Agreements (SLAs) are real, published, and measured — but they’re response times and resolution targets, not magic. A laptop that’s three years old will take a week to replace properly. A vendor outage will take whatever the vendor takes to resolve.
-
It doesn’t mean ‘we own all your IT decisions.’ A good MSP recommends, explains trade-offs, and implements decisions you make. We don’t unilaterally migrate you to a different M365 SKU because we think it’ll improve our metrics.
The price-to-scope honesty test
If an MSP is selling you “managed IT services” but the price seems suspiciously low, ask which of the five domains are actually in scope. Common cuts at the lower end:
- No proactive endpoint management — just monitoring + reactive fixes
- No M365 licensing in the price — they manage it but you buy the licences separately at retail, which adds 20-40% on top
- No backup — they assume you’re handling it
- No strategic input — purely reactive ticket handling
- No regular reporting — you have no visibility into what you’re paying for
These cuts are fine if they’re explicit and the price reflects them. They’re not fine if the marketing says “complete managed IT” and the delivery only covers two of the five domains.
The difference between managed services and break-fix
Break-fix is per-hour or per-incident billing for IT problems as they happen. No retainer, no proactive work, no relationship. Pros: only pay when you need something. Cons: no incentive to prevent problems, no ownership of the environment, no monitoring, problems are first noticed when they become emergencies.
Managed services is monthly retainer + scope. Pros: proactive management means most problems get caught and fixed before users notice; you get an actual IT department for the cost of one. Cons: you pay every month regardless of utilisation; if you really do have zero IT problems, you might feel you’re “wasting” the retainer.
The reality for most SMBs in 2026: between security, compliance, M365 churn, and the cost of any single incident (~$50k AUD average for a small-business ransomware event), proactive managed services wins economically. The break-fix model made sense when IT was an annual headache. It doesn’t make sense when IT is the operational backbone.
How to evaluate a managed-services proposal
Three questions:
- What are the five domains and how is each scoped? If the proposal doesn’t address each cleanly, push for specifics before signing.
- What’s NOT included? A good proposal names exclusions. A bad one is vague.
- What does month 4 look like? Onboarding is dramatic; once it’s done, what does the steady-state relationship look like? Monthly reports? Quarterly reviews? Ongoing roadmap discussions?
If you can’t answer those clearly from the proposal, you don’t have enough information to sign.
Outlaw IT’s five tiers are scoped explicitly — each tier names what’s in, what’s out, and what tier you’d move to if you need more. See the pricing page for the comparison matrix.