10 Questions to Ask Every Orlando MSP Before You Sign a Contract

The IT services market in Central Florida is crowded, and the difference between providers is invisible from the outside. Every website says the same things: “24/7 monitoring,” “expert engineers,” “proactive support,” “we treat you like family.” Sales calls sound the same. Pricing structures look the same. The only differences that actually matter are technical — and the only way to find them is to ask technical questions before signing.

This is the list of questions Nexgen wishes more Central Florida businesses asked us, the firms across town, and any MSP they’re evaluating. The answers separate operators who run real infrastructure from resellers who attach a brand to someone else’s stack.

Question 1: “Who actually owns the infrastructure my data sits on?”

Most MSPs are resellers. They badge their services on top of someone else’s hosting, someone else’s monitoring platform, someone else’s helpdesk software, and someone else’s data center. When something fails, their support ticket goes to the upstream provider’s queue, not to a person with the authority to fix the thing.

Better answer: “We own and operate the infrastructure your data sits on. Here’s the colo facility. Here’s the rack number. Here’s the engineer who is responsible for that hardware.” A real operator can answer this in detail. A reseller can’t.

Question 2: “What are your specific response time commitments, in writing, for each priority tier?”

“24/7 support” can mean anything from “an engineer is awake somewhere” to “you’ll get a callback Monday morning if you call Friday night.” Real response-time SLAs are tiered (typically Priority 1 through 4) with documented time-to-acknowledge and time-to-resolution targets.

Better answer: “Priority 1 incidents — production down, security event, multi-user outage — get a 15-minute response 24/7 with an engineer actively engaged until resolution. Priority 2 within 1 hour, resolution within 4 business hours. Priority 3 within 4 hours, resolution within 1 business day. It’s all in your service agreement.” If the answer is fuzzy, the SLA is fuzzy.

Question 3: “Can I see your last quarter’s actual ticket resolution time data?”

The SLA is the contract. The data is the reality. Mature MSPs measure their own performance and can produce reports showing actual response times against committed SLAs. If a provider can’t show you that data, they probably don’t measure it — which means they don’t manage it.

Bonus follow-up: “What’s your worst week looked like in the last 12 months, and what changed afterward?” The answer reveals whether they treat operations as a continuously improved discipline or as a stack of tickets to clear.

Question 4: “What’s your cybersecurity stack, by product name?”

“We use enterprise-grade security tools” is marketing language. Real answers include specific product names: which EDR (CrowdStrike, SentinelOne, Defender for Endpoint), which SIEM (Microsoft Sentinel, Splunk, Wazuh), which email filtering (Mimecast, Proofpoint, Microsoft Defender for Office 365), which firewall (Cisco, Fortinet, Palo Alto, Meraki), which backup product, which DNS protection.

Better answer: “Here’s the actual stack we deploy: [specific product names]. Here’s why we picked those products versus alternatives. Here’s how they integrate.” Anyone who uses generic terms is either inexperienced or hiding the answer.

Question 5: “What certifications do your engineers actually hold, and can I verify them?”

Certifications aren’t everything — experience matters more — but they’re table stakes for technical credibility. Look for at minimum: CCNA or CCNP (Cisco networking), CompTIA Security+ or CySA+ (security fundamentals), Microsoft 365 certifications (since most SMBs run on M365), AWS or Azure certifications if cloud is in scope.

Better answer: A list of named engineers with their specific certifications, plus URLs to LinkedIn profiles where the certs are publicly verifiable. If the answer is “our team is highly certified” without specifics, you’re being marketed at, not informed.

Question 6: “How do you handle Microsoft 365 administration specifically?”

If your business uses Microsoft 365 (and most do), the depth of M365 expertise inside your MSP determines a huge percentage of your operational quality. M365 administration is a specialty — license management, conditional access policies, data loss prevention, mailbox security, Teams governance, Azure AD configuration, Defender deployment.

Better answer: “We have engineers certified specifically on M365 administration. Here’s our approach to license tier optimization, our conditional access policy framework, our DLP rules, and our incident response playbook for M365 security events.” A weak MSP will give a generic answer. A strong one will give a 20-minute technical deep dive.

Question 7: “What happens to my data if I terminate the contract?”

The answer reveals the operator’s posture toward client data. Mature MSPs have a documented offboarding process: data export formats, timeline, who controls the export, what gets deleted from their systems, what gets handed to you, and what proof you get that the deletion happened.

Better answer: “Within 30 days of contract termination, we hand you a complete export of your data in standard formats, a written summary of what was returned and where, and a deletion certificate from our systems. The process is documented in your service agreement.” If the answer is hand-wavy, your data is at risk if you ever want to leave.

Question 8: “Can you walk me through a real incident response — with timestamps?”

Pick a scenario: ransomware on a workstation discovered at 11pm Saturday. Walk me through what happens, who responds, what tools are used, what the communication cadence to me looks like, and what the rough timeline to containment and recovery looks like.

Better answer: A confident, detailed walk-through with named tools, named response phases, and realistic timelines. Bonus credibility if they can reference a real (anonymized) incident from the last 90 days where they did exactly this. If the answer is theoretical or generic, the operator hasn’t actually responded to many incidents.

Question 9: “How do you handle compliance requirements (HIPAA, PCI-DSS, CMMC, SOC 2)?”

If your business is in a regulated industry, this question separates MSPs that can support you from MSPs that can’t. Real compliance support requires specific tools (audit logging, encryption at rest and in transit, access controls, retention policies), specific processes (regular risk assessments, employee training, documented incident response), and specific documentation (written information security policies, business associate agreements for HIPAA, attestation reports).

Better answer: “Here’s our compliance framework for [your industry]. Here are the controls we implement. Here’s the documentation you’ll receive. Here’s how we handle audits.” Vague reassurance about compliance is worse than no answer at all — it suggests gaps that won’t surface until your auditor finds them.

Question 10: “Who is the senior engineer I’ll actually work with day-to-day, and can I meet them now?”

Sales calls are conducted by salespeople. Service is delivered by engineers. The best MSPs introduce you to your actual primary engineer during the sales process, not after the contract is signed. The worst MSPs run a “bait-and-switch” pattern: senior people sell you, then assign you to junior engineers who aren’t named anywhere on the proposal.

Better answer: “Your primary engineer is [name]. They have [X years] of experience, hold [specific certs], and you’ll work with them directly. Here’s their LinkedIn. We can do a 15-minute intro call before you sign anything.” Anyone who can’t or won’t introduce you to your engineer pre-sale will hand you to whoever’s available post-sale.

The Pattern

Every question on this list shares the same structure: it asks for specifics where most providers give generics. The right MSP will answer specifically and with confidence. The wrong MSP will pivot to marketing language. That pivot is the actual signal you’re looking for.

Nexgen has been answering these questions for Central Florida businesses since 2003. If you’d like a written assessment of your current MSP relationship — or a clear scope of work for a Nexgen engagement — the IT Systems Audit produces both as a deliverable within 5 business days of the working session.

Written by

Nexgen Business Solutions has served Central Florida businesses for 22+ years, deploying AI automation, IT infrastructure, and marketing programs across hundreds of clients.
