UtopianKnight Consultancy – James Griffiths

STRATEGIC | TECHNICAL | ADVISORY | AI | DEVELOPMENT | vCISO & vCTO | CYBER | ICS & OT


Is Your MSSP Actually Working For You? The Questions You Should Be Asking Right Now

There’s a common misconception in security procurement: that signing a contract with a Managed Security Service Provider (MSSP) transfers not just the work, but the accountability.

It doesn’t.

Your MSSP manages your security. You own it.

In 2026, with threat actors moving faster, regulatory scrutiny tightening, and supply chain compromises making headlines, the gap between an MSSP that’s genuinely proactive and one that’s quietly reactive can be the difference between a contained incident and a board-level crisis.

So here are the questions you should be asking yours. Not at the next quarterly review.

1. “What did you detect last month that you didn’t alert us on?”

This isn’t a trick question. It’s a calibration one.

Every mature SOC team will have a tier of low-confidence signals, tuning suppressions, or contextual detections they don’t escalate. The question is whether they can articulate what those are, why they made that call, and whether the thresholds are still appropriate for your environment. If they can’t answer this, you don’t have visibility. You have the illusion of visibility.

What good looks like: A clear account of suppressed rule categories, tuning decisions made in the last 90 days, and a conversation about whether your risk appetite still aligns with those decisions.

2. “How are you tracking changes to my threat landscape, not just the general one?”

Threat intelligence is only useful if it’s contextualised. Generic TI feeds tell you what’s happening in the world. What you actually need to know is what’s relevant to your sector, your supply chain, and your technology stack.

If your MSSP is serving clients across 15 sectors, are they adapting detection content for you specifically? Are they aware of advisories from NCSC or CISA that directly reference technologies you run? Are they cross-referencing threat actor TTPs against your actual asset inventory?

What good looks like: Sector-specific threat briefings, evidence of detection rule updates in response to emerging intelligence, and a named analyst who can speak to your threat profile.

3. “Walk me through what would happen if we were hit by a ransomware precursor tonight.”

Not a tabletop exercise. Just a conversation. Ask them to describe, step by step, how they’d identify the early stages of a ransomware deployment (credential harvesting, lateral movement, staging), what their escalation path looks like, who calls whom, and what decisions they own versus what requires your sign-off.

The hesitation in the answer is often more revealing than the answer itself.

What good looks like: A clear, rehearsed response, because they’ve genuinely thought about it. Defined escalation playbooks, named contacts, and agreed SLAs at each decision point.

4. “What have you proactively changed in our environment in the last quarter?”

This one separates monitoring-as-a-service from genuine security management.

Proactive MSSPs don’t just watch the dashboard. They review your detection coverage against the current threat landscape, identify gaps, and come to you with recommendations before an incident reveals them. They tune alerts. They update playbooks. They flag configuration drift. They advise on exposure.

If your MSSP’s answer to this question is silence, or a list of reactive changes only, you’re paying for a very expensive alert-forwarding service.

What good looks like: A documented change log with business justification. Evidence of coverage gap analysis. Recommendations raised by them, not prompted by you.

5. “How would we know if you were compromised?”

This is uncomfortable to ask. Ask it anyway.

MSSP supply chain risk is real. If your MSSP’s tooling, infrastructure, or personnel accounts were compromised, what controls exist to prevent lateral movement into your environment? How is their access to your systems provisioned, monitored, and reviewed? Do they have MFA and PAM controls on accounts that touch your estate? When did you last audit their access?

What good looks like: A clear answer, because they’ve been asked before and have mature third-party assurance controls. ISO 27001 or SOC 2 certification helps, but it’s not a substitute for the conversation.

6. “What are your metrics telling you about us, and what’s your interpretation?”

SLA reports showing 99.7% uptime and mean-time-to-acknowledge figures are table stakes. They tell you whether the MSSP is meeting contractual minimums. They don’t tell you whether your security posture is improving.

Push for trend analysis: Is the volume of low-fidelity alerts increasing, which might indicate configuration drift or tool sprawl? Are certain user accounts or endpoints repeatedly appearing in incident data? Is your patching cadence creating detection blind spots?

What good looks like: Monthly or quarterly reporting that includes analytical commentary, not just metrics. An MSSP that says “we’ve noticed a pattern and want to discuss it” is worth keeping.
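The trend questions above (is low-fidelity noise rising, which assets keep reappearing in incident data, which rules generate the noise) are the kind of thing you can check yourself from an alert export rather than waiting for the MSSP’s interpretation. The following is an added illustration written for this article, not code from any MSSP or tool; it runs over a small constructed set of closed-alert records (asset names, rule names and dispositions are invented), and the three-month “rising” test and the two-month repeat threshold are assumed thresholds you would tune to your own volumes.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample of closed alerts (not real data). "disposition" is the
# analyst's outcome after triage: "low_fidelity" = closed as noise or benign,
# "incident" = an incident was raised.
ALERTS = [
    {"closed": date(2026, 1, 5),  "asset": "WS-0142",  "rule": "Suspicious PowerShell", "disposition": "low_fidelity"},
    {"closed": date(2026, 1, 12), "asset": "WS-0142",  "rule": "Credential dumping",    "disposition": "incident"},
    {"closed": date(2026, 1, 20), "asset": "SRV-FS02", "rule": "Suspicious PowerShell", "disposition": "low_fidelity"},
    {"closed": date(2026, 2, 3),  "asset": "WS-0142",  "rule": "Suspicious PowerShell", "disposition": "low_fidelity"},
    {"closed": date(2026, 2, 9),  "asset": "SRV-DB01", "rule": "Impossible travel",     "disposition": "low_fidelity"},
    {"closed": date(2026, 2, 14), "asset": "SRV-DB01", "rule": "Lateral movement",      "disposition": "incident"},
    {"closed": date(2026, 2, 21), "asset": "WS-0077",  "rule": "Suspicious PowerShell", "disposition": "low_fidelity"},
    {"closed": date(2026, 3, 2),  "asset": "WS-0077",  "rule": "Suspicious PowerShell", "disposition": "low_fidelity"},
    {"closed": date(2026, 3, 6),  "asset": "WS-0142",  "rule": "Impossible travel",     "disposition": "low_fidelity"},
    {"closed": date(2026, 3, 11), "asset": "WS-0142",  "rule": "Credential dumping",    "disposition": "incident"},
    {"closed": date(2026, 3, 15), "asset": "SRV-FS02", "rule": "Suspicious PowerShell", "disposition": "low_fidelity"},
    {"closed": date(2026, 3, 19), "asset": "SRV-FS02", "rule": "Impossible travel",     "disposition": "low_fidelity"},
    {"closed": date(2026, 3, 27), "asset": "WS-0077",  "rule": "Port scan",             "disposition": "low_fidelity"},
]


def month_key(alert):
    return (alert["closed"].year, alert["closed"].month)


def monthly_low_fidelity_counts(alerts):
    """Low-fidelity alert volume per month, oldest first."""
    counts = Counter(month_key(a) for a in alerts if a["disposition"] == "low_fidelity")
    return [(ym, counts[ym]) for ym in sorted(counts)]


def is_rising(series, window=3):
    """True when the last `window` months are strictly increasing (assumed threshold)."""
    tail = [count for _, count in series[-window:]]
    return len(tail) == window and all(b > a for a, b in zip(tail, tail[1:]))


def repeat_assets(alerts, min_months=2):
    """Assets that appear in *incident* data in at least `min_months` distinct months."""
    months_by_asset = defaultdict(set)
    for a in alerts:
        if a["disposition"] == "incident":
            months_by_asset[a["asset"]].add(month_key(a))
    return sorted(asset for asset, months in months_by_asset.items() if len(months) >= min_months)


def noisiest_rules(alerts, top=3):
    """Rules producing the most low-fidelity closures, most noisy first."""
    counts = Counter(a["rule"] for a in alerts if a["disposition"] == "low_fidelity")
    return counts.most_common(top)


def commentary(alerts):
    """The analytical notes the article asks for, rather than bare SLA numbers."""
    notes = []
    series = monthly_low_fidelity_counts(alerts)
    if is_rising(series):
        first, last = series[-3][1], series[-1][1]
        notes.append(f"Low-fidelity alert volume is rising ({first} -> {last} over three months); "
                     "check for configuration drift or untuned rules.")
    for rule, n in noisiest_rules(alerts, top=1):
        notes.append(f"Rule '{rule}' accounts for {n} low-fidelity closures; review its tuning.")
    for asset in repeat_assets(alerts):
        notes.append(f"Asset {asset} has raised incidents in multiple months; investigate root cause, not symptoms.")
    return notes


if __name__ == "__main__":
    for line in commentary(ALERTS):
        print("-", line)
```

Run against a real export, the interesting output is not the numbers but the sentences: each one is a conversation your MSSP should already be opening with you.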

What Should They Be Doing Proactively, Without You Having to Ask?

Beyond answering these questions well, a genuinely proactive MSSP should already be doing the following:

  • Horizon scanning and translation. Monitoring NCSC, CISA, vendor advisories, and sector ISACs, translating relevant alerts into action for your environment within 24–48 hours, not waiting for you to forward a news article.
  • Regular detection coverage reviews. Mapping your current detection rules against MITRE ATT&CK and identifying gaps, at least quarterly. Threat actors evolve; your detection logic should too.
  • Attack surface monitoring. Flagging new exposures as your environment changes: new SaaS tools, shadow IT, expired certificates, internet-facing misconfigurations. All before they become incidents.
  • Relationship continuity. Ensuring that whoever is in the SOC knows your environment. Not just has access to a CMDB, but actually understands your crown jewels, your critical processes, and your risk tolerance.
  • Pre-incident engagement. Running through ‘what if’ scenarios with you periodically, not to sell more services, but because rehearsed relationships perform better under pressure.

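The detection coverage review in the list above is easy to describe and surprisingly often skipped, so here is what the mechanics of one look like. This is an added example for this article, not any MSSP’s tooling: it takes a constructed rule inventory (rule names are invented; the technique IDs are real MITRE ATT&CK identifiers) and a constructed list of techniques prioritised for a client’s threat profile, and reports which are covered, which are gaps, and, the case that matters most in practice, which are “covered” only by a rule that has been disabled. One design assumption: a rule mapped to a sub-technique counts as evidence for its parent technique, but a parent-level rule is not assumed to cover a specific prioritised sub-technique.

```python
from dataclasses import dataclass

# Constructed rule inventory (names invented). Technique IDs are real ATT&CK IDs.
@dataclass(frozen=True)
class Rule:
    name: str
    technique: str   # e.g. "T1059.001"; sub-techniques carry a ".NNN" suffix
    enabled: bool

RULES = [
    Rule("Phishing attachment detonation", "T1566.001", True),
    Rule("New admin logon anomaly",        "T1078",     True),
    Rule("Encoded PowerShell command line","T1059.001", True),
    Rule("LSASS memory access",            "T1003.001", True),
    Rule("RDP from non-jump host",         "T1021.001", False),  # exists, but switched off
    Rule("Volume shadow copy deletion",    "T1490",     True),
]

# Constructed priority list for an assumed ransomware-precursor threat profile.
PRIORITY = [
    "T1566",      # Phishing
    "T1078",      # Valid Accounts
    "T1059.001",  # PowerShell
    "T1003",      # OS Credential Dumping
    "T1021.001",  # Remote Desktop Protocol
    "T1570",      # Lateral Tool Transfer
    "T1490",      # Inhibit System Recovery
    "T1486",      # Data Encrypted for Impact
]


def parent_of(technique_id):
    return technique_id.split(".")[0]


def rule_covers(rule, priority_id):
    """Exact match, or sub-technique evidence counting towards a prioritised parent."""
    if rule.technique == priority_id:
        return True
    return "." in rule.technique and parent_of(rule.technique) == priority_id


def coverage_report(rules, priority):
    covered, gaps, disabled_only = {}, [], {}
    for tid in priority:
        enabled = [r.name for r in rules if r.enabled and rule_covers(r, tid)]
        if enabled:
            covered[tid] = enabled
            continue
        gaps.append(tid)
        # Coverage on paper only: a matching rule exists but is disabled.
        off = [r.name for r in rules if not r.enabled and rule_covers(r, tid)]
        if off:
            disabled_only[tid] = off
    return {
        "covered": covered,
        "gaps": gaps,
        "disabled_only": disabled_only,
        "coverage": len(covered) / len(priority),
    }


def format_report(report):
    lines = [f"Coverage: {report['coverage']:.0%} of prioritised techniques"]
    for tid, names in report["covered"].items():
        lines.append(f"  [ok]  {tid}: {', '.join(names)}")
    for tid in report["gaps"]:
        if tid in report["disabled_only"]:
            lines.append(f"  [off] {tid}: rule(s) exist but are disabled: {', '.join(report['disabled_only'][tid])}")
        else:
            lines.append(f"  [gap] {tid}: no detection mapped")
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(coverage_report(RULES, PRIORITY))))
```

The “[off]” line is the one to push on in a quarterly review: a dashboard that lists the rule will show the technique as covered, while the environment is actually blind to it.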
The Bottom Line

Your MSSP should be one of the most informed voices in your security conversations, not the quietest. If you’re consistently driving the agenda, chasing for updates, or finding out about threats from LinkedIn before your security partner mentions them, something’s wrong.

These questions aren’t adversarial. They’re the conversations a good MSSP wants to have, because they demonstrate the value they’re delivering.

If they don’t want to have them, that’s your answer.