RNITS · Cybersecurity Service · 16 min read

Why We're the Un-MSP: No Lock-In, No Upsell, No Tool Sprawl

Most MSPs grow revenue by overselling tools and locking clients into multi-year contracts. We're the un-MSP. Here's what that actually means in practice.

The invoice always lands on the first of the month.

A 12-person law firm in New Hampshire opens the PDF, scrolls past the line items, and stops at the total. It is higher than last year. Headcount has not moved. No new services were added. But there are nine tools on the invoice, and nobody at the firm could name what most of them do if you asked them. Their IT provider has been there for six years. The contract auto-renews. Their cyber insurance premium went up at the last renewal anyway.

That is the conversation that prompts the call to us. Not a breach. Not an outage. An invoice that does not match the value the business is getting, paired with the dawning suspicion that something is wrong with the relationship.

We hear a version of that story almost every week from small businesses in NH and MA. Tool sprawl. Three-year contracts with no exit ramp. A managed service provider that grows its margin by adding line items rather than by genuinely improving the security posture or the operational reliability. The owner does not know how to push back because the MSP is the one with the technical vocabulary.

That is the gap we exist to fill. We are the un-MSP. This post is about what that actually means in practice — not as a tagline, but as three concrete promises that you can hold us to. No lock-in. No upsell. No tool sprawl. For the full version of the pitch, our un-MSP manifesto on the why-rnits page lays out every commitment in one place. This post is the long-form companion that explains the operating philosophy behind it.

The traditional MSP playbook (and why it produces the invoice problem)

To understand the un-MSP frame, you have to first understand how a typical MSP makes money. It is not a moral failing. It is a business model.

A traditional managed service provider grows revenue in three predictable ways.

First, by locking in multi-year contracts. Three years is the most common term in our market, sometimes five. The contract usually has a hard penalty clause for early termination — often the remainder of the contract billed up front, sometimes a percentage of remaining revenue. The MSP’s account executive is incentivized to close the longest term they can. From the MSP’s perspective the contract creates predictable revenue and protects against client flight. From the small business’s perspective it removes the most important form of accountability: the ability to walk away when service quality drops.

Second, by upselling tier upgrades. Most MSPs sell their service in tiers — bronze, silver, gold, or something like it. The base tier covers the bare minimum and the higher tiers add features the client probably needs. The sales motion is “you really should be on Silver, that is where the better SLA and the security tools live.” Over time most clients drift up because the next tier is always being framed as where the responsible choice lives.

Third, by stacking add-on tools. This is the one that compounds the fastest. Every new threat, every compliance requirement, every cyber insurance questionnaire becomes a justification for a new line item on the monthly invoice. Some of the tools are genuinely necessary. Many of them duplicate things the client is already paying for inside their existing licensing — Microsoft 365 Business Premium and Google Workspace Business Plus both include a meaningful security stack that most MSPs do not bother to configure because it does not generate a new line item.

None of those motions are illegal or even unusual. They are the default. The result is that a small business with twelve employees can end up with a tool stack that an enterprise CISO would call rich, while still having half of those tools either misconfigured, redundant, or completely unmonitored. The bill keeps climbing. The security posture stays roughly where it was.

The un-MSP is not a different ethics statement on top of the same playbook. It is a different playbook.

No Lock-In

Every contract we write has an exit clause. We will repeat that because it is the foundation of the rest of the model. Every contract. Every client. No exceptions, no special terms, no fine print that quietly removes it for the larger accounts. If a client decides we are not the right partner, they can give us notice and leave. The clause is not buried; it is on the first page of the agreement.

We also offer a no-contract option. Some small businesses do not want to sign anything beyond a month-to-month service agreement, and that is a legitimate position. We work with those clients on the same terms as the contract clients. They are not penalized with worse SLAs or higher pricing. The choice belongs to the business.

This produces three things that are worth being clear about.

Retention is earned, not enforced. Our retention rate sits at roughly 100 percent — not because the contract makes leaving expensive, but because clients who can leave at any time and choose not to are telling you something real about the service. We have an unusual amount of feedback signal because of this. When a client is unhappy we hear about it early, because the alternative for them is just leaving. That is a feature, not a bug.

Boomerang clients exist and are common. Some clients have left us — usually because a private equity acquirer mandated a different IT provider, or because internal IT was rebuilt and they wanted to bring everything in-house. A meaningful number of those clients have come back, sometimes years later, when the new arrangement did not work out. The exit ramp goes both ways.

References are available on request. Not curated. Not just the wins. If a prospect wants to talk to a client who has been with us for five years, we can connect them. If they want to talk to a client who left and came back, we can usually arrange that too. The reason we can do this is that the relationships are real, not contractual.

If you are evaluating an MSP and the contract does not have a meaningful exit clause, that is a signal worth taking seriously. The dollars in the early-termination penalty are the explicit cost. The implicit cost is that the MSP has structurally lower incentive to keep service quality high once the ink is dry. We work the other way around on purpose.

No Upsell

The second un-MSP commitment is about what we recommend and, more importantly, what we do not.

When we begin a relationship with a new client, the first technical work is not procurement. It is an audit of what the business already owns. The reason is simple: most small businesses are running Microsoft 365 Business Premium or Google Workspace Business Plus, and both of those licenses include a security and productivity stack that the typical SMB is using maybe a third of.

Inside a Microsoft 365 Business Premium license that the client is already paying for, you usually find:

  • Microsoft Defender for Business. A real EDR product. Behavioral detection, central management, automated remediation for common threats. Most clients have it sitting unconfigured.
  • Conditional Access. The policy engine that enforces MFA, blocks legacy authentication, restricts sign-ins by location or device compliance. Often not turned on.
  • Intune device management. Patch policy, compliance baselines, application deployment. Frequently licensed but unused.
  • Exchange Online Protection plus Defender for Office 365. Email filtering, phishing protection, safe links, safe attachments. Configured to defaults that leave gaps.
  • OneDrive for Business with retention. Versioning, ransomware recovery for files, retention policies. Often not extended to the configurations that matter.
  • Azure Information Protection / Purview labeling. Data classification and DLP. Powerful and almost universally unused at SMB scale.

The pattern at most prospects we audit is that they are paying for sixty to seventy percent of the controls a 2026 cyber insurance questionnaire is asking for, inside a license they already have, and they do not know it. Their previous MSP did not configure those features because configuration does not generate a new invoice line item. Procurement does.

Our default is to spend the first weeks of an engagement turning on what is already paid for, before we recommend a single new product. If, after the existing license is configured properly, there is still a genuine gap, we will recommend filling it. The recommendations tend to be specific — a particular EDR overlay because the Defender features in the client’s tier do not extend to a specific OS, or a particular immutable backup product because the M365 retention does not cover what the cyber insurance carrier is asking for. They are not generic stack additions.

The honest framing matters here. We do not pretend we never add anything. We add things when there is a real gap. We do not add things to grow the line items. The audit gets done first, the configuration gets done second, the procurement comes last and only if it is genuinely needed.

No Tool Sprawl

The third commitment is the one that produces the most visible outcome. Right-sizing the existing stack.

We will tell the story of one client, because it is the cleanest example. A 12-person law firm in southern New Hampshire engaged us after the conversation we described at the top of this post. Their existing MSP had built a tool stack that included:

  • Two endpoint protection products running on the same machines — one signature-based antivirus and one EDR overlay — installed by different IT providers across the firm’s history and never deduped.
  • A standalone email security gateway sitting in front of their Microsoft 365 tenant, costing roughly $5 per user per month, providing protection that Defender for Office 365 inside their Business Premium license was already delivering.
  • Three backup products. One for desktops, one for the on-premises file server, one for Microsoft 365. The third was a duplicate of OneDrive retention that the firm did not realize they had.
  • A standalone phishing simulation platform with its own admin console, when the Attack Simulation Training inside Defender for Office 365 was already licensed.
  • A SIEM product with a per-seat monthly fee. Nobody at the firm or at the prior MSP was reading the alerts. The dashboard had not been logged into in seven months.
  • A vulnerability scanner running weekly. Nobody was triaging the output. The CSV reports were piling up in a shared folder.

The right-sizing exercise was straightforward in concept and painful in execution. We migrated email protection back to native Defender for Office 365 with proper configuration. We deduped the endpoint protection. We collapsed the backup stack to a single immutable-backup provider that covered all three workload types. We turned on the phishing simulation features inside their existing M365 license. We retired the SIEM and replaced it with a managed-detection arrangement that actually had a human reading the alerts. The vulnerability scanner output was integrated into the monthly patch cycle so it stopped piling up unread.

The bill dropped by roughly half. The security posture improved measurably because tools that nobody was monitoring stopped existing, and the tools that remained were actually configured and watched. Their cyber insurance questionnaire answers became defensible because we could produce real evidence for every “yes.”

Here is the honest part of the story. The right-sizing was not free. The work to dedupe endpoint agents, migrate backups, terminate vendor contracts, and retrain the firm’s staff on the consolidated tooling took several weeks of focused engagement. We charged for that work. There was real disruption during the cutover. Two of the vendor contracts had termination penalties because the prior MSP had locked those in on multi-year terms — the firm ate those penalties because the math still worked out, but they were real.

When we talk about right-sizing a stack, we are not selling a magic discount. We are saying that the run-rate on the wrong stack is high enough that the one-time cost of correcting it pays back inside a single year, and from that point forward the recurring bill is honest. That is what the un-MSP outcome looks like in practice. Savings happen as a byproduct of doing the work correctly, not as a discount on the same broken model.

For a closer look at the pattern of redundant tools we typically find, our prior post on un-MSP tool sprawl in SMB security stacks walks through the categories in more detail.

Five questions to ask your current MSP this week

If you are reading this and wondering whether the pattern applies to your business, you do not have to commit to anything in order to find out. Five questions can usually surface the answer.

  1. What is the exit clause in our contract, and what is the penalty if I want to leave in the next twelve months? If the answer involves a number larger than a month of service, the structure is set up to disincentivize accountability.
  2. For every tool on my monthly invoice, what specific control is it providing, and is that control already included in my Microsoft 365 or Google Workspace license? Have them produce the answer in writing. Compare line by line.
  3. What is the last date the [tool name] dashboard was opened by someone on your team, and is there a record of an action taken from it? If tools are billed but not watched, they are billed for nothing.
  4. When my cyber insurance questionnaire arrives, will you provide written, verifiable answers to every control question, or will you ask me to attest to controls without proof? The attestation problem is real. The cyber insurance industry is denying claims over it.
  5. Of the controls the carrier is asking for, how many do I already have inside my existing licenses that just need to be configured? This is the question that exposes whether the MSP is leading with procurement or with configuration.

You do not need to be technical to ask any of these. The answers, or the unwillingness to provide answers, will tell you most of what you need to know.

Frequently asked questions

What is an un-MSP?

An un-MSP is a managed service provider that operates on the inverse of the typical industry incentive structure. No lock-in contracts, no tier-upgrade upselling, no stacking of redundant tools to inflate the invoice. The model is built around configuring what the client already owns, right-sizing the stack, and earning retention through service quality rather than enforcing it through contract penalties. The savings are a byproduct of the model, not the marketing claim. The marketing claim is honesty.

Can I leave my current MSP if I am under contract?

That depends on the contract. Most multi-year MSP contracts in our market have early-termination clauses that bill out the remaining months or a penalty percentage. You can usually leave, but it costs. Before signing anything new, read the termination clause in the existing agreement and calculate the actual exit cost. In several cases we have seen the math work in the client’s favor even with the penalty paid, because the run-rate on the right-sized stack is materially lower. In other cases it makes sense to wait for the renewal window. The right answer depends on the contract math, not on the MSP’s preference.

How do I know if my current MSP is overselling me?

Three signals. First, your monthly invoice has tools on it that nobody at your business or theirs can explain in plain language. Second, your cyber insurance renewal questions trigger an immediate “we should add a few things” conversation rather than a “let’s audit what you have” conversation. Third, the contract auto-renews and the exit clause is either missing or punitively expensive. Any one of those is a yellow flag. All three together is the pattern.

How much should a small business pay for managed IT services in 2026?

There is no single number. A reasonable benchmark in our market is one hundred to one hundred fifty dollars per user per month for a comprehensive managed service that includes cybersecurity, Microsoft 365 or Google Workspace management, endpoint protection, backup, and a real help desk. Below that you tend to find under-resourced shops. Well above that without a clear explanation of what is included tends to indicate tool sprawl. We publish our pricing on our pricing page because pricing transparency is part of the un-MSP model.

Does RNITS require a long-term contract?

No. We write contracts that have an exit clause on the first page, and we offer a no-contract month-to-month option for clients that want it. Retention sits at roughly one hundred percent under that model. We treat the absence of a lock-in as a feature, not a risk to mitigate.

A note for our NH and MA neighbors

We work with small businesses in southern New Hampshire and eastern Massachusetts, with onsite coverage from our Tyngsboro, MA headquarters out to a 150-mile radius. That puts most of the region inside our normal service area. The MSP market in this geography has a few large incumbents that are still operating on the traditional playbook, and the gap between that model and the un-MSP model is part of what created the demand for our practice in the first place.

For clients beyond the onsite radius we run the same model remotely. The right-sizing exercise, the audit-first approach, and the no-lock-in contract structure are not regional. They work the same way for clients in Georgia or Florida where we have remote relationships.

What to do next

If the picture in this post looks familiar — the climbing invoice, the unexplained tool stack, the contract with no obvious exit — the path forward does not have to be dramatic. Start with the five questions in the section above. Get answers in writing. Compare the answers to your existing licensing.

If you want a second set of eyes on the situation, we run a free cyber security audit that produces a written assessment of what controls you already have, what is configured versus what is licensed, and what the actual gaps are against current cyber insurance and compliance baselines. The output is yours to keep whether you ever work with us or not. No sales pitch attached.

For the full version of the un-MSP commitments — every promise we make in writing, with the reasoning behind each one — read our why-rnits manifesto. If you would prefer to just have a conversation, you can reach us through the contact page.

The Rnits Company. The un-MSP. (978) 226-8931.