
5 Questions to Ask Your MSP to Prove Your Security Is Working

How to verify MSP security: audit admin access, validate EDR and MDM coverage, review MFA enforcement, and assess incident response.
Written by Josh Zweig
Published on February 16, 2026

Most MSPs say they “handle security,” but that doesn’t automatically mean your environment is secure. The challenge is that security is hard to verify, especially when it spans dozens of tools, dashboards, and configurations.

In practice, many organizations don’t revisit their security posture until a vendor questionnaire lands, a compliance deadline approaches, or a breach triggers hard questions. Waiting until that moment turns security into a scramble instead of a controlled review. Verifying security earlier gives you time to fix issues instead of having to deal with gaps later.

The fastest way to understand your real posture is to ask for proof. The checklist below shows what your MSP should be able to demonstrate, and how to validate it. Use the following questions to guide your evaluation and ensure your MSP meets essential security standards.

If you’re unsure what your MSP does, it may be time to make the switch to Zip Security’s MSP alternative. Book a demo.

Here are five things you should ask your MSP in order to validate whether your security is actually working, plus how you can verify each one yourself, manually. Your MSP should be able to answer questions clearly and thoroughly, demonstrating both their expertise and reliability.

1. Can you make a list of everyone who has admin access to Google/Microsoft, whether they’re still employed, and whether or not they have 2FA enabled?

Your MSP should be able to prove they know exactly who has access to what. If they need a spreadsheet and a week to “pull reports,” they don’t actually know.

How to check this manually

  • Pull admin role assignments from:
    • Microsoft Entra ID (Azure AD)
    • Google Workspace
  • Export group membership for:
    • VPN access
    • Cloud and production admin groups
    • Finance and HR applications
  • Ask for a list of service accounts and where they authenticate
  • Spot-check 10 random users:
    • Does their access match their role?
    • Do former employees still appear anywhere?

If you can’t answer this quickly, attackers already can.
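One way to run the cross-check in this section once the exports are in hand. This is an added example, not code from Zip or from the original article; the CSV column names, the sample rows and the service-account list are constructed assumptions, not a Microsoft or Google export schema.

```python
import csv
import io

# Constructed sample exports. Column names are assumptions, not a vendor schema.
ADMINS = """email,source,role,mfa
alice@example.com,entra,Global Administrator,true
bob@example.com,google,Super Admin,false
Carol@Example.com,entra,User Administrator,true
svc-backup@example.com,entra,Global Administrator,false
mallory@example.com,google,Super Admin,true
"""
HR = """email,status
alice@example.com,active
bob@example.com,active
carol@example.com,terminated
"""
SERVICE_ACCOUNTS = {"svc-backup@example.com"}  # the documented service-account list


def rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def audit_admins(admins, hr, service_accounts):
    """Map each admin identity with a problem to the list of problems found."""
    status = {r["email"].strip().lower(): r["status"].strip().lower() for r in hr}
    findings = {}
    for a in admins:
        email = a["email"].strip().lower()  # exports often disagree on case
        issues = []
        if email not in service_accounts:  # humans must match an active HR record
            if email not in status:
                issues.append("not in HR roster")
            elif status[email] != "active":
                issues.append("former employee")
        if a["mfa"].strip().lower() != "true":
            issues.append("no 2FA")
        if issues:
            findings.setdefault(email, []).extend(issues)
    return findings


if __name__ == "__main__":
    result = audit_admins(rows(ADMINS), rows(HR), SERVICE_ACCOUNTS)
    for email, issues in sorted(result.items()):
        print(f"{email}: {', '.join(issues)}")
```

An admin who appears in neither the HR roster nor the service-account list is the finding to chase first, since nobody has claimed ownership of that identity.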

2. Which of our endpoints run EDR? 

Buying security tools doesn’t protect you. Coverage does. Your MSP should be able to prove your security controls apply everywhere they should. 

Other things your MSP should be able to show you to prove your security controls are working:

  • Which devices enforce MDM policies
  • Which users require MFA
  • Which applications are not protected by our identity provider 

One unmanaged device is all it takes.

How to check this manually

  • Export device inventories from:
    • Your EDR tool
    • Your MDM platform
  • Compare those lists to:
    • Your identity provider’s device list
    • Any asset inventory you maintain
  • Look for:
    • Devices inactive for 14+ days
    • Unmanaged devices accessing email or SaaS
    • BYOD machines with no policy enforcement
  • Review MFA enforcement:
    • Conditional Access policies or 2SV rules
    • All exemptions, and why they exist

If you find gaps, attackers will too.
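The inventory comparison above, sketched as an added example that is not part of the original article or any Zip tooling. The CSV layouts, hostnames and the report date are constructed assumptions; real EDR, MDM and identity-provider exports will need their own column mapping.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample exports. Column names are assumptions, not a vendor schema.
EDR = """hostname,last_seen
LAPTOP-01,2026-02-15
laptop-02,2026-01-20
LAPTOP-03,2026-02-14
SERVER-09,2026-02-16
"""
MDM = """hostname,last_seen
laptop-01,2026-02-16
laptop-02,2026-02-10
"""
IDP = """hostname,owner
Laptop-01,alice
Laptop-02,bob
Laptop-03,carol
PHONE-77,bob
"""


def inventory(text):
    """hostname (lower-cased) -> last_seen date, or None when the export has none."""
    out = {}
    for r in csv.DictReader(io.StringIO(text)):
        seen = r.get("last_seen")
        out[r["hostname"].strip().lower()] = date.fromisoformat(seen) if seen else None
    return out


def coverage_gaps(edr, mdm, idp, as_of, stale_days=14):
    """Compare agent inventories against the devices the identity provider has seen."""
    cutoff = as_of - timedelta(days=stale_days)
    known = set(idp)
    stale = lambda inv: sorted(h for h, d in inv.items() if d is None or d <= cutoff)
    return {
        "no_edr": sorted(known - set(edr)),
        "no_mdm": sorted(known - set(mdm)),
        "unmanaged": sorted(known - set(edr) - set(mdm)),  # signing in, no agent at all
        "stale_edr": stale(edr),  # agent silent for 14+ days
        "stale_mdm": stale(mdm),
        "not_in_idp": sorted((set(edr) | set(mdm)) - known),
    }


if __name__ == "__main__":
    gaps = coverage_gaps(inventory(EDR), inventory(MDM), inventory(IDP), date(2026, 2, 16))
    for name, hosts in gaps.items():
        print(f"{name}: {hosts}")
```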

3. When there’s a threat, which alerts fire, who reviews them, and how fast do they respond? 

Detection without response equals expensive logging. Your MSP should be able to prove that your security detects and acts on real threats. 

Your MSP should also be able to demonstrate what actions the responsible party takes to resolve the threat.

If alerts pile up with no clear ownership, no one protects your environment.

How to check this manually

  • Ask for:
    • A list of alert sources
    • The last 30 days of high-severity alerts
    • Sample incident tickets with timestamps
  • Validate:
    • Time from alert to triage
    • Time from triage to containment
    • Whether incidents escalated to you
  • Pick three alerts and ask:
    • What happened?
    • What did you do?
    • How do you know it worked?

If they can’t walk you through real incidents, response doesn’t exist.
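To validate the timings listed above from a ticket export, a short script is enough. This is an added example, not code from the original article; the ticket columns, the sample incidents and the 60-minute triage threshold are constructed assumptions.

```python
import csv
import io
from datetime import datetime
from statistics import median

# Constructed sample ticket export. Column names are assumptions, not a vendor schema.
TICKETS = """id,severity,alerted,triaged,contained,escalated
INC-1,high,2026-02-01T09:00,2026-02-01T09:12,2026-02-01T09:40,yes
INC-2,high,2026-02-03T22:15,2026-02-04T08:15,2026-02-04T09:00,no
INC-3,high,2026-02-07T14:00,2026-02-07T14:30,,no
INC-4,high,2026-02-10T03:05,,,no
"""


def minutes(start, end):
    """Minutes between two ISO timestamps, or None if either is missing."""
    if not start or not end:
        return None
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 60


def response_report(text, triage_limit_min=60):  # hypothetical threshold
    """Per-ticket timings plus the gaps worth raising with the MSP."""
    report = {"to_triage": {}, "to_contain": {}, "never_triaged": [],
              "not_contained": [], "slow_triage": [], "not_escalated": []}
    for t in csv.DictReader(io.StringIO(text)):
        triage = minutes(t["alerted"], t["triaged"])
        contain = minutes(t["triaged"], t["contained"])
        if triage is None:
            report["never_triaged"].append(t["id"])
        else:
            report["to_triage"][t["id"]] = triage
            if triage > triage_limit_min:
                report["slow_triage"].append(t["id"])
        if contain is None:
            report["not_contained"].append(t["id"])
        else:
            report["to_contain"][t["id"]] = contain
        if t["escalated"].strip().lower() != "yes":
            report["not_escalated"].append(t["id"])
    times = list(report["to_triage"].values())
    report["median_to_triage"] = median(times) if times else None
    return report


if __name__ == "__main__":
    for key, value in response_report(TICKETS).items():
        print(f"{key}: {value}")
```

Tickets with an empty triage or containment timestamp are reported separately from slow ones, because an alert nobody picked up would otherwise drop out of the averages and make the response times look better than they are.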

4. How do you disable compromised accounts? 

When something breaks, minutes matter. Your MSP should be able to prove that you can contain an incident quickly. 

Other ways you can ask your MSP to show this:

  • How do you isolate infected devices?
  • How do you revoke active sessions?
  • How do you prevent lateral movement?

If containment depends on calling the right person, you don’t have readiness. You have luck.

How to check this manually

Run a tabletop exercise and make the MSP narrate every step.

Scenario: A user clicks a phishing link and the attacker logs into email.

  • How fast can you disable the account?
  • How fast can you revoke sessions?
  • How do you confirm no forwarding rules exist?

Scenario: A laptop shows ransomware behavior.

  • Can you isolate it immediately?
  • Who has permission to do that?
  • What happens if the device is offline?

Strong MSPs answer without improvising.

5. How do you prove security gets better every month?

Security should improve continuously. Otherwise, risk quietly stacks up.

Your MSP should track:

  • Reduced exposure over time
  • Access cleanup progress
  • Coverage improvements
  • Faster response metrics

If reports look identical every month, security stagnates.

How to check this manually

  • Ask for a monthly security review showing:
    • Patch compliance trends
    • MFA adoption over time
    • EDR and MDM coverage trends
    • Number of privileged accounts
    • Incidents and time-to-contain
  • Compare month over month:
    • Does risky access shrink?
    • Do exceptions disappear?
    • Do repeat issues persist?

If nothing changes, the program isn’t working.

How Zip Security proves your controls are working

You can validate all of this manually—but manual checks don’t scale. They rely on exports, point-in-time reviews, and someone remembering to look in the right place.

Zip exists to prove, continuously, that security controls actually work. Zip’s software-as-your-MSP platform provides ongoing support for companies of all sizes, ensuring that their security posture remains strong and up-to-date.

Here’s how Zip verifies each of the five proof points above:

  • Access clarity (Who has access to what): Zip maps every identity, permission, and access path across your environment, covering users, devices, and applications, so you can see exactly who has access, why it exists, and where it creates risk, without spreadsheets or guesswork.
  • Control coverage (What’s protected and what isn’t): Zip’s continuous monitoring platform, built on the technology behind Zip's unified platform, correlates identities, devices, and tools to surface coverage gaps immediately instead of hiding them across disconnected dashboards.
  • Detection and response (Alerts that lead to action): Zip connects alerts to real access paths and blast radius, making it obvious whether detections result in meaningful response or just noise.
  • Incident containment (Can you stop damage fast): Zip visualizes exposure and lateral movement in real time, helping teams shut down the right access first and contain incidents faster.
  • Continuous improvement (Is security actually getting better): Zip tracks exposure, access risk, and control effectiveness over time, giving you clear evidence that risk goes down, not just that tools remain installed. This process is backed by Zip's expertise in security, ensuring best practices are always followed.

Zip doesn’t ask you to trust that security works. It allows you to prove it yourself, with evidence easy to access in one place, at any time.

Ready to get started? Book a demo today.

Frequently Asked Questions

What does an MSP do?

Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) are on the front lines of defending your business against cyber threats. As organizations rely more on digital tools and cloud services, the security of customer data and IT infrastructure becomes increasingly crucial. MSPs must implement robust security measures to protect sensitive data from evolving risks, including ransomware, phishing, and insider threats. This means going beyond basic protections—conducting regular security audits, penetration testing, and vulnerability assessments to identify weaknesses in network security before attackers do. By prioritizing strong cybersecurity protocols, MSPs help ensure the integrity of your data, reduce potential risks, and build lasting trust with clients. In today’s threat landscape, security is mission critical—proactive security isn’t optional; it’s essential for every business that values its reputation and customer relationships.

What are some typical cybersecurity protocols?

Cybersecurity protocols are the backbone of any effective security strategy. These protocols define the procedures and measures MSPs use to protect sensitive data and defend against threats. Key elements include encryption to safeguard data in transit and at rest, firewalls to block unauthorized access, and access controls to ensure only approved users can reach critical systems. MSPs also establish procedures for detecting and responding to suspicious activities, such as malware infections or unusual login attempts. By adhering to industry regulations and best practices, MSPs keep their cybersecurity protocols current and effective, helping organizations stay compliant and resilient in the face of ever-changing cyber risks.

What is penetration testing and security evaluation?

Penetration testing and security evaluation are essential tools for finding vulnerabilities before attackers do. By simulating real-world cyber attacks on your networks and systems, MSPs can identify weaknesses and potential risks that might otherwise go unnoticed. Regular penetration testing, combined with comprehensive security evaluations, allows MSPs to develop targeted solutions—whether that means updating security measures, refining existing protocols, or providing employee training to address human error. This proactive approach ensures your IT infrastructure remains secure, your data stays protected, and your organization is prepared to defend against the latest cybersecurity threats. For businesses that handle sensitive information, from intellectual property to patient records, ongoing security evaluation is a necessity.
