
IT Operations

February 10, 2026

Best Co-Managed IT Partner for 100+ Employee Companies: Evaluation Checklist

Written By Ric Hall

At 100 employees, the IT support model that worked at 30 stops fitting.

The helpdesk ticket volume has doubled. The compliance requirements that didn't exist three years ago are now attached to contracts, insurance renewals, and enterprise client onboarding questionnaires. The internal IT manager — if there is one — is running at capacity on operational work with no bandwidth left for the security and compliance layer the business increasingly needs.

Co-managed IT is the answer most 100+ employee companies eventually arrive at. The question is how to evaluate partners when the market is full of providers that claim co-managed capability without the operational infrastructure to deliver it.

This checklist covers the eight evaluation dimensions that separate genuine co-managed IT partners from providers that manage infrastructure and call it co-managed.


Why Evaluation Criteria Matter More Than Provider Claims

Every MSP in the market claims co-managed capability. The claim is easy to make and hard to verify without the right evaluation framework.

The failure mode in co-managed IT isn't usually technical. It's operational — unclear ownership, undocumented changes, escalation paths that break down under pressure, and compliance documentation that exists on paper but not in practice. IT managers on Reddit's r/ITManagers consistently cite overselling, poor deliverables, and unclear accountability as their primary concerns about co-managed providers.

Those aren't technology problems. They're infrastructure problems — operational, documentation, and governance infrastructure that genuine co-managed partners build deliberately and generic IT providers don't.

The evaluation checklist that follows is designed to surface that infrastructure before you sign a contract, not after you've spent six months untangling a broken arrangement.


Criterion 1: Documented Responsibility Matrix

The most important artifact in any co-managed IT engagement is the responsibility matrix — the documented agreement about who owns what, how escalation works, and what happens when something falls between defined boundaries.

A genuine co-managed partner has a structured process for building this matrix before the engagement begins. They can show you examples from current clients. They have defined categories that the matrix covers: helpdesk and user support, endpoint management, security operations, patch management, infrastructure changes, vendor management, and compliance documentation.

A provider that can't show you a sample responsibility matrix from a current engagement hasn't done co-managed IT systematically. They've managed infrastructure for clients who happened to have internal IT staff.

What to ask: Can you show me a redacted responsibility matrix from a current co-managed client at our scale? Walk me through how ownership boundaries were established and how disputes about ownership get resolved.


Criterion 2: Shared Tooling and Visibility

Co-managed IT requires that both the MSP and the internal IT team have full visibility into what's happening in the environment. A provider that manages your systems without giving your internal team visibility isn't co-managing. They're managing with an internal observer.

Shared tooling means: a ticketing system both teams use and can see, a monitoring dashboard the internal IT team can access in real time, change logs that record every action the MSP takes in the environment and attribute it to a named engineer and a timestamp, and alert routing that follows the responsibility matrix rather than defaulting everything to the MSP.

HIPAA's documentation requirements (as AccountableHQ summarizes them) and CMMC's System Security Plan (SSP) requirements both create documentation obligations that depend on this visibility: the internal team needs to know what the MSP is doing, and when, to keep compliance documentation accurate.

What to ask: What ticketing and monitoring platforms do you use in co-managed engagements? Does our internal IT team have full read access to everything — tickets, alerts, changes, and documentation? What's the process when our team needs to see what happened on a specific system last Tuesday at 3am?


Criterion 3: Security Operations Depth

For 100+ employee companies, the security operations component of co-managed IT is often the primary driver — the internal team can handle helpdesk and infrastructure, but 24/7 security monitoring and incident response capability requires resources the internal team can't build alone.

System intrusion surged from 36% to 53% of all breaches per the Verizon 2025 DBIR, and ransomware was implicated in 88% of SMB breaches. Ransomware is routinely deployed after hours, when internal IT isn't watching. A co-managed partner that handles helpdesk and patching but doesn't bring genuine 24/7 security operations capability isn't solving the highest-value gap.

Genuine security operations depth means: a dedicated SOC with human analysts across all shifts, not automated alerting to an on-call engineer; industry-specific detection logic tuned to your threat profile; incident response capability that includes containment and eradication, not just notification; and mean time to detect (MTTD) and mean time to respond (MTTR) that are measured and reported, so the 24/7 claim can be checked against numbers rather than assurances.

What to ask: Do you operate your own SOC or white-label a third party's platform? How many analysts are on shift overnight and on weekends? What is your mean time to detect and respond for current co-managed clients at our scale? Walk me through what happens when a high-severity alert fires at 2am on a Sunday.
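MTTD and MTTR are only useful as evaluation numbers if you know how they were computed: what counts as the start of an incident, whether open incidents are excluded or silently counted as zero, and how many incidents began outside business hours. The following is an added illustrative example, not code from this page or from any provider. The Incident fields, the three sample records and the after-hours window (weekends, or weekdays outside 08:00 to 18:00) are assumptions chosen for the illustration.

```python
"""Compute MTTD and MTTR from incident records.

Added illustrative example, not code from the page or any provider.
The Incident fields, the sample records and the after-hours window
(weekends, or weekdays outside 08:00-18:00) are assumptions."""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Incident:
    incident_id: str
    first_activity: datetime        # earliest adverse activity established by investigation
    detected: datetime              # when the SOC raised the alert / opened the case
    contained: Optional[datetime]   # when containment completed; None while still open


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample records (not real incidents). Two began on weekend
# nights, one on a weekday afternoon; the third is still open.
SAMPLE_INCIDENTS: List[Incident] = [
    Incident("INC-001", _ts("2026-01-10T02:15:00"), _ts("2026-01-10T02:27:00"), _ts("2026-01-10T03:05:00")),
    Incident("INC-002", _ts("2026-01-17T22:40:00"), _ts("2026-01-18T01:10:00"), _ts("2026-01-18T01:50:00")),
    Incident("INC-003", _ts("2026-01-21T14:00:00"), _ts("2026-01-21T14:06:00"), None),
]


def _minutes(later: datetime, earlier: datetime) -> float:
    """Elapsed minutes; a negative gap means the record is wrong, not a fast response."""
    delta = (later - earlier).total_seconds() / 60
    if delta < 0:
        raise ValueError("timestamps out of order")
    return delta


def mttd_minutes(incidents: List[Incident]) -> float:
    """Mean minutes from first adverse activity to detection, over all incidents."""
    return mean(_minutes(i.detected, i.first_activity) for i in incidents)


def mttr_minutes(incidents: List[Incident]) -> Optional[float]:
    """Mean minutes from detection to containment. Open incidents are excluded
    rather than counted as zero, which would flatter the number."""
    closed = [i for i in incidents if i.contained is not None]
    if not closed:
        return None
    return mean(_minutes(i.contained, i.detected) for i in closed)


def is_after_hours(ts: datetime) -> bool:
    """Assumed coverage window: weekends, or weekdays outside 08:00-18:00 local time."""
    return ts.weekday() >= 5 or not (8 <= ts.hour < 18)


def after_hours_share(incidents: List[Incident]) -> float:
    """Fraction of incidents whose first activity began outside business hours."""
    return sum(is_after_hours(i.first_activity) for i in incidents) / len(incidents)


def summarize(incidents: List[Incident]) -> Dict[str, object]:
    """The figures to ask a prospective partner to report for clients at your scale."""
    return {
        "incidents": len(incidents),
        "open": sum(i.contained is None for i in incidents),
        "mttd_minutes": mttd_minutes(incidents),
        "mttr_minutes": mttr_minutes(incidents),
        "after_hours_share": after_hours_share(incidents),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_INCIDENTS).items():
        print(f"{key}: {value}")
```

On the sample data the MTTD is 56 minutes, the MTTR over the two closed incidents is 39 minutes, and two of three incidents began after hours. When a provider quotes its own figures, ask the same questions this code forces: what the "first activity" timestamp is anchored to, and whether open incidents were dropped or counted.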


Criterion 4: Compliance Documentation Ownership

For 100+ employee companies in regulated industries — healthcare, manufacturing, financial services, professional services — the compliance documentation layer is where co-managed IT creates or destroys value beyond operational support.

Compliance documentation includes: annual HIPAA risk assessments, NIST CSF program documentation, CMMC System Security Plan maintenance, cyber insurance evidence packages, policy framework maintenance, and tabletop exercise facilitation and documentation.

The question isn't whether the provider supports compliance. It's who owns each component of the compliance documentation program in their co-managed engagement model — and whether the internal team or the provider is accountable for production.

Only 41% of defense industrial base organizations surveyed had reached CMMC readiness levels. For manufacturers at the 100+ employee scale entering the CMMC pipeline, a co-managed partner that can't own the System Security Plan (SSP) and Plan of Action and Milestones (POA&M) process alongside security operations is a compliance gap waiting to surface.

What to ask: In your co-managed model, who owns risk assessment production, policy framework maintenance, and cyber insurance evidence package assembly? Can you show me a sample compliance documentation deliverable from a comparable regulated industry client?


Criterion 5: Escalation Path Clarity

The escalation path is where co-managed arrangements succeed or fail under pressure. When an incident occurs at midnight, both teams need to know exactly who does what — without having to figure it out in real time.

A genuine co-managed partner has documented escalation paths for every scenario type: security incidents, infrastructure failures, compliance events, and vendor emergencies. The paths define who gets notified first, what actions the MSP takes before contacting the internal team, what the internal team is expected to do upon notification, and how incident documentation flows between teams.

The escalation paths should also cover routine situations: what ticket types the MSP resolves without internal IT involvement, what requires internal IT approval before the MSP acts, and what triggers a conversation rather than a unilateral decision.

What to ask: Walk me through your escalation path for a high-severity security incident that occurs outside business hours. Who does what, in what order, and what documentation do both teams produce? How does escalation work for a situation that falls outside the defined responsibility matrix?
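Criterion 2 asks for alert routing that follows the responsibility matrix, and this criterion asks what happens when an event falls outside it or arrives after hours. Both are easiest to reason about when the matrix is written down as data and the routing decision is a function over it. The following is an added illustrative example, not code from this page or any provider's actual model. The categories, owner names, coverage hours, acknowledgement deadlines and the matrix contents are assumptions standing in for whatever a real engagement agrees before it starts.

```python
"""Route alerts and requests according to a documented responsibility matrix.

Added illustrative example, not code from the page or any provider.
The categories, owner names, coverage hours, severity deadlines and the
matrix contents are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

MSP_SOC = "msp_soc"            # provider's security operations centre
MSP_OPS = "msp_ops"            # provider's infrastructure/helpdesk engineers
INTERNAL_IT = "internal_it"    # the client's own IT team
JOINT = "joint_review"         # explicit bucket for gaps in the matrix


@dataclass(frozen=True)
class Ownership:
    business_hours: str
    after_hours: str
    approval_from: Optional[str] = None   # must sign off before the owner acts


# Constructed matrix: who owns each category by time of day, and who must
# approve. A real matrix is agreed and documented before the engagement starts.
MATRIX: Dict[str, Ownership] = {
    "helpdesk": Ownership(INTERNAL_IT, MSP_OPS),
    "endpoint": Ownership(INTERNAL_IT, MSP_OPS),
    "security": Ownership(MSP_SOC, MSP_SOC),
    "patching": Ownership(MSP_OPS, MSP_OPS, approval_from=INTERNAL_IT),
    "infrastructure_change": Ownership(INTERNAL_IT, INTERNAL_IT),
    "vendor": Ownership(INTERNAL_IT, INTERNAL_IT),
    "compliance": Ownership(MSP_OPS, MSP_OPS),
}

# Minutes the owner has to acknowledge before the next tier is paged (assumed).
ACK_DEADLINE_MINUTES = {"high": 15, "medium": 60, "low": 480}

# Constructed timestamps used in the demonstration below.
SUNDAY_2AM = datetime(2026, 1, 11, 2, 0)
TUESDAY_3AM = datetime(2026, 1, 13, 3, 0)
TUESDAY_10AM = datetime(2026, 1, 13, 10, 0)
WEDNESDAY_11AM = datetime(2026, 1, 14, 11, 0)


@dataclass
class Routing:
    owner: str
    notify: List[str] = field(default_factory=list)
    approval_from: Optional[str] = None
    ack_deadline_minutes: int = 480
    reason: str = ""


def is_after_hours(ts: datetime) -> bool:
    """Assumed coverage window: weekends, or weekdays outside 08:00-18:00 local."""
    return ts.weekday() >= 5 or not (8 <= ts.hour < 18)


def route(category: str, severity: str, ts: datetime) -> Routing:
    """Decide who acts, who is told, and who must approve, for one alert or ticket."""
    deadline = ACK_DEADLINE_MINUTES.get(severity, ACK_DEADLINE_MINUTES["low"])
    rule = MATRIX.get(category)
    if rule is None:
        # Outside the matrix: both teams see it and nobody acts unilaterally,
        # instead of the event silently landing in the MSP's queue.
        return Routing(JOINT, [MSP_OPS, INTERNAL_IT], None, deadline,
                       reason=f"category {category!r} not in responsibility matrix")

    after_hours = is_after_hours(ts)
    owner = rule.after_hours if after_hours else rule.business_hours
    reason = "after-hours owner" if after_hours else "business-hours owner"

    # High-severity security events: the SOC contains first, whatever the hour,
    # and internal IT is paged immediately rather than told afterwards.
    if category == "security" and severity == "high":
        owner = MSP_SOC
        reason = "high-severity security: SOC contains, internal IT paged"

    # Visibility rule: whenever the client team is not the owner, it is notified.
    notify: List[str] = [INTERNAL_IT] if owner != INTERNAL_IT else []
    return Routing(owner, notify, rule.approval_from, deadline, reason)


if __name__ == "__main__":
    print(route("security", "high", SUNDAY_2AM))
    print(route("helpdesk", "low", TUESDAY_10AM))
    print(route("helpdesk", "low", TUESDAY_3AM))
    print(route("patching", "medium", WEDNESDAY_11AM))
    print(route("printer_firmware", "low", SUNDAY_2AM))
```

The point of the structure is the two failure modes the checklist warns about: an unknown category routes to a joint-review bucket instead of defaulting to the MSP, and the internal team is notified whenever it is not the owner, so nothing the MSP does after hours is invisible to it. The same table, in a spreadsheet or a ticketing system's routing rules, is what you should expect a provider to show you from a current engagement.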


Criterion 6: Internal IT Team Relationship Model

The quality of the working relationship between the co-managed partner and the internal IT team determines whether the arrangement creates value or creates friction. This is the dimension that's hardest to evaluate objectively — and the one that matters most for day-to-day operations.

Providers optimized for co-managed IT treat the internal IT team as a genuine partner — communicating proactively, explaining decisions, and actively supporting the internal team's effectiveness. Providers that tolerate co-managed IT as a revenue accommodation treat the internal team as a constraint on their preferred way of working.

Reddit's r/ITManagers consistently recommends asking to meet the specific engineer who will be assigned before signing. The quality of that relationship depends on the individual as much as the organization.

What to ask: Can we meet the specific engineer or team lead who will be assigned to our account before we sign? How do you handle situations where your team and our internal IT manager disagree about the right technical approach? What does a typical monthly touchpoint between your team and our internal IT manager look like?


Criterion 7: Transition and Onboarding Process

For companies transitioning from fully managed to co-managed — or bringing a new co-managed partner into an environment that was previously managed differently — the onboarding process reveals a provider's genuine operational maturity.

A structured onboarding process includes: comprehensive environment documentation before the first change is made, responsibility matrix development before both teams are working the environment simultaneously, shared tooling configuration so visibility is established from day one, and an explicit communication protocol for the first 90 days when ownership boundaries are being established.

Providers without a structured onboarding process for co-managed transitions create exactly the institutional knowledge gaps and ownership ambiguities that make co-managed IT frustrating for internal IT teams.

What to ask: Walk me through your co-managed onboarding process step by step. What documentation do you produce before you start making changes? How do you handle the transition period when both teams are learning to work together?


Criterion 8: References from Internal IT Teams

The most reliable evaluation signal is a reference conversation with an internal IT manager at a current co-managed client — not a C-suite client who evaluates outcomes, but the person on the internal IT team who works with the MSP daily.

That conversation should surface: whether the responsibility matrix works in practice, whether the MSP communicates changes proactively or retroactively, whether the internal team has genuine visibility into what the MSP does, and whether the relationship feels like a partnership or an accommodation.

What to ask: Can you connect me with the internal IT manager at a current co-managed client at our scale — specifically the person on the internal team, not the CTO or CFO? I want to understand what working with your team looks like day to day.


The Evaluation Scorecard

Criterion | Green flag | Red flag
--- | --- | ---
Responsibility matrix | Sample available; built before engagement starts | "We figure it out as we go"
Shared tooling | Full internal IT visibility from day one | MSP-only access to monitoring and ticketing
Security operations | Own SOC; 24/7 human analysts; MTTD and MTTR measured and reported | Automated alerting; business-hours only
Compliance documentation | Defined ownership per component; sample deliverables available | "We support compliance" without specifics
Escalation paths | Documented per scenario type; tested in onboarding | Verbal commitment; no documentation
Internal IT relationship | Proactive communication; internal team empowered | MSP makes unilateral decisions; changes undocumented
Transition/onboarding | Structured process with defined milestones | "We'll figure out the details after you sign"
References | Internal IT manager reference available | C-suite only; can't connect with operational team

Where Securafy Fits

Securafy's co-managed IT model is built for 100+ employee companies with internal IT staff that need the security, compliance, and after-hours coverage layer that internal teams at this scale consistently can't build alone.

Every engagement begins with a documented responsibility matrix before either team touches the environment. Shared ticketing and monitoring give the internal IT team full visibility into everything Securafy does. The security operations layer includes 24/7 SOC coverage, managed EDR, and incident response capability — not business-hours alerting. Compliance documentation ownership is defined by component in the responsibility matrix, with annual risk assessments, policy maintenance, and cyber insurance evidence packages produced as operational outputs.

For regulated businesses in Ohio (healthcare, manufacturing, financial services), the compliance layer addresses HIPAA, CMMC, NIST CSF, and Ohio Data Protection Act safe harbor requirements from a single program.

If you're evaluating co-managed IT for your organization, the Co-Managed IT service page covers how Securafy structures the responsibility matrix, shared tooling, and compliance documentation in practice.

To understand your current IT cost structure before making a co-managed decision, the IT Cost Calculator gives you a baseline for what you're spending and where co-managed IT changes the equation.

The 2026 Cybersecurity Buyer's Guide covers the security and compliance program fundamentals every growing company should understand before selecting any co-managed IT partner.

About The Author
Ric Hall, Chief Revenue Officer at Securafy, focuses on the business side of technology decisions for SMB leaders. Drawing on decades of experience in enterprise infrastructure and cloud platforms, he writes about evaluating IT providers, budgeting for cybersecurity and AI, and understanding when organizations should modernize their systems. His insights help business owners approach technology investments with clarity, confidence, and a long-term strategy.
