🇨🇦Vancouver🇨🇦Toronto🇺🇸Miami🇺🇸Orlando🇺🇸Los Angeles
1-855-KOO-TECH
KootechnikelKootechnikel
SearchKFree Health Check
Insights · Field notes from the SOC
Plain-language briefings from the people watching the alerts.
Weekly · No spam
Read4
Field GuideNewEngineer-written playbooks.Blog & Field NotesWeekly threat briefings.WhitepapersDeep dives on Secure AI, Zero Trust.Case StudiesReal clients, real numbers.
Watch & listen3
WebinarsMonthly · live Q&A with the team.PodcastNew"Stronger.Smarter" · biweekly.Quick Clips90-second how-tos on YouTube.
Use3
Free Vulnerability Scan30-sec domain + email check.Compliance ChecklistsSOC 2, HIPAA, PCI printable.ROI CalculatorEstimate cost-of-incident savings.
New series
Field Guide
Engineer-written playbooks for the problems 30-100 person companies actually hit.
MFA rollouts, SOC 2 timelines, M365 backup, HIPAA/PHIPA, CIS Controls, AI governance — specific, narrow, practical.
Open the Field Guide
Subscribe to weeklyAll resources
NO SPAM · UNSUBSCRIBE IN ONE CLICK
Volume 04IT Strategy·6 min read·1,400 words

Flat-rate vs per-user vs co-managed IT pricing: the 2026 buyer’s worksheet

The three prevailing MSP pricing models compared on real engagement data — when each wins, break-even math, and the hidden line items that move the real cost by 20-30%.

Rami Friedman
Sr. Security Engineer · Kootechnikel Solutions
Published April 22, 2026
Quick answer

Flat-rate (unlimited support, fixed monthly fee) wins for firms with predictable IT patterns and no in-house IT team. Per-user pricing wins for fast-growing companies where user count drives cost fairly. Co-managed wins when you have an internal IT lead who needs senior backup. The break-even between flat-rate and per-user usually lands at ~85 employees; past that, flat-rate costs more than it saves.

Flat-rate vs per-user vs co-managed IT pricing: the 2026 buyer\u2019s worksheet

You'll learn

  • What each pricing model actually includes, and the line items that vendors hide in footnotes.
  • The math to figure out where your business lands on the flat-rate-vs-per-user break-even.
  • The three questions to ask during the proposal review that expose undisclosed costs.

Why this matters

IT budgets are one of the last big categories in a 30-100 person company where pricing is still actively opaque. RFPs get three proposals from three MSPs, each in a different pricing model, and none of them comparable without three hours of spreadsheet work. The "we price every engagement custom" answer — which we use ourselves — is honest but puts the burden of comparison on the buyer.

This is the worksheet version of the conversation. If you\u2019re evaluating MSPs, or just re-benchmarking your existing one, this is how to think about it.

The three models, honestly

Flat-rate / unlimited

A fixed monthly fee covers "everything" — help-desk, monitoring, patching, standard projects. Usually excludes: hardware (you buy), specialty project work (quoted separately), after-hours emergencies beyond SLA (sometimes included, sometimes not). Also usually excludes security tooling licenses passed through at cost.

Fits when: You have fairly predictable IT patterns, no internal IT team, and you want budget certainty over cost optimization.

Breaks when: You grow fast or your usage is genuinely heavy (12+ tickets per user per year). The MSP\u2019s margin erodes and you\u2019ll notice: response times slip, scope creep gets pushed back.

Typical range: $2,500-$8,000/month for a 40-60 person firm depending on inclusion breadth.

Per-user / per-device

A fixed rate per seat per month, sometimes with separate tiers for "full support" vs "basic." Usually scales linearly, though some MSPs tier (first 50 users at $X, next 50 at $Y).

Fits when: You\u2019re growing fast, want a pricing model that doesn\u2019t penalize scaling, and want the MSP incentivized to keep headcount accurate.

Breaks when: You have heavy-user/light-user asymmetry — executives getting white-glove while 40 warehouse staff never touch IT. Per-user pricing averages you on the heavy side of every cohort.

Typical range: $85-185/user/month for a managed-IT engagement with security baseline included. The spread is meaningful — the low end is monitoring + help-desk; the high end is SOC + vCIO + compliance + endpoint security.

Co-managed

You have an internal IT lead (sometimes solo, sometimes a small team) and you buy senior-engineering backup, off-hours coverage, and strategic guidance from the MSP. Usually priced as a retainer + hourly with a committed monthly minimum.

Fits when: You have real in-house IT that knows your environment, and you want senior capability without the cost of hiring another full-time engineer.

Breaks when: The in-house IT lead leaves. Co-managed engagements presuppose an internal anchor; without one, you\u2019re suddenly paying retainer for gap-fill that used to be bonus capacity.

Typical range: $3,000-$12,000/month retainer for 20-60 hours of senior engineering, plus overage billed hourly. Often includes 24/7 SOC and specialty tools.

The math

For a 50-person firm, here\u2019s realistic 2026 pricing:

ModelMonthlyAnnual
Flat-rate (50 users)$4,500-6,500$54k-78k
Per-user @ $120/user/month$6,000$72k
Per-user @ $150/user/month$7,500$90k
Co-managed retainer$4,500-8,500$54k-102k

Per-user looks more expensive than flat-rate for a 50-person firm. But scale changes the answer fast.

Break-even calculation (flat-rate vs per-user):

break-even user count = flat_rate_monthly / per_user_monthly_rate

Example: $6,500/month flat-rate vs $120/user/month = 54 users. Below 54 users, flat-rate costs more per capita; above it, per-user does.

Most services firms hit the break-even point somewhere between 60 and 100 users. Which means if you\u2019re at 45 users today and on track for 70 by next year, lock in per-user pricing before you grow — the flat-rate that made sense at 45 will feel expensive at 70.

What "included" actually means

This is where the worksheet gets interesting. "All-inclusive" rarely is. Check each of these against your proposal:

Security tooling licenses

  • EDR / endpoint security (SentinelOne, Defender for Business, CrowdStrike). Often $8-15/user/month at MSP-channel pricing.
  • Email security beyond M365 defaults (Proofpoint, Mimecast, Abnormal). $4-8/user/month.
  • Password manager (1Password Business, Bitwarden Teams). $3-8/user/month.
  • Phishing simulation (KnowBe4, Hoxhunt). $2-5/user/month.

Some MSPs bundle these; some pass them through at cost with a markup; some don\u2019t quote them at all and they appear on month-one invoice. Ask explicitly: "Which security tools are included vs passed through?"

After-hours support

  • "Business hours" = 8-6 local time? 9-5? What about west-coast Friday 4pm emergencies if the MSP\u2019s HQ is EST?
  • After-hours rate: sometimes included, often $150-300/hour, sometimes tiered (first 2 hours free, rest billed).
  • Ask explicitly: "Walk me through what happens if our server goes down at 9pm on Friday."

Project work

  • "Everything day-to-day is included. Projects are separate" is the standard language. The line between them is blurry.
  • What counts as a project: new-user onboarding at scale, office moves, M365 migrations, security tool deployments, compliance remediation.
  • Ask explicitly: "Name three things I think are support but you think are a project."

Onboarding cost

  • Month 1-2 often involves discovery, documentation, runbook creation. Some MSPs include this; some quote it as a one-time $5-25k fee.
  • Newer MSPs often waive it to win the business; established ones charge it.
  • Ask explicitly: "What\u2019s the onboarding fee and what do I get for it?"

Hardware procurement

  • Most MSPs will procure on your behalf. Watch the markup — 10-25% is common, sometimes disclosed, sometimes not.
  • Dell / Lenovo have direct-business channels you can buy from; the MSP\u2019s procurement value is in specification + staging, not pricing advantage.
  • Ask explicitly: "What\u2019s your markup on hardware procurement? Can we buy direct and have you stage?"

The three questions that expose the real cost

When reviewing a proposal, ask these three questions. Watch the answers, not just the numbers.

1. "What\u2019s my first-year out-of-pocket cost, including everything?"

Monthly fee × 12 + onboarding + typical first-year project work + security tooling not included + likely hardware refresh. A 50-person firm often sees $20-40k over the headline monthly rate in year one. MSPs who answer this quickly and specifically are usually the ones whose numbers hold.

2. "Show me month 3 and month 9 typical invoice lines."

Month 3 = post-onboarding steady state. Month 9 = whether projects have crept up to 2x the baseline. If the MSP can\u2019t show you these, they don\u2019t track them — which means yours will be a surprise too.

3. "How does pricing change at 75 users? 100 users? 150?"

Forces the conversation about the growth curve. Flat-rate MSPs often won\u2019t commit; per-user MSPs will show you the tier table. Either way, you learn something about how they think about your trajectory.

The mistakes we see most often

  1. Comparing headline rates without checking inclusions. The $4,800/month proposal that excludes EDR and the $6,500 proposal that includes it aren\u2019t comparable without math. Always normalize.

  2. Under-weighting the "projects" bucket. In a growth year, project work adds 30-60% on top of baseline monthly. MSPs whose proposals look suspiciously cheap are usually the ones whose project work is where they make their margin.

  3. Optimizing pricing model for today\u2019s headcount. If you\u2019ll be 2x bigger in 24 months, pick the model that scales cleanly. Switching MSPs is expensive; switching pricing models with the same MSP is usually free.

  4. Ignoring the off-ramp. Every MSP proposal should specify: exit notice period, data portability terms, handoff support on termination. MSPs that bury these terms or charge for them are signaling how they\u2019ll behave if you try to leave.

  5. Not benchmarking the existing MSP on the same worksheet. The single most common finding when clients bring us in for a cost review: the current MSP is priced OK but missing security inclusions that make the effective value lower than a slightly-more-expensive competitor\u2019s.

If you want help with this

If you\u2019re actively evaluating MSPs, we\u2019re happy to review proposals as a third party — no pitch, just the analysis. Most firms find one or two meaningful improvements in their existing engagement that save more per year than the cost of the review. The free IT health check is where this conversation starts.

Further reading

  • Volume 2SOC 2 Type II cost breakdown. The compliance project that tests every MSP\u2019s "included" vs "project" line.
  • Volume 3M365 backup head-to-head. A specific pass-through cost you should ask about on every proposal.
  • Managed IT services — how we structure our own pricing (custom, but transparent, every time).
MSPIT pricingBudgetProcurementCo-managed IT
← Previous
Vol 03
Microsoft 365 backup that actually restores: Veeam vs Dropsuite vs Datto, tested on a real tenant
Next →
Vol 05
HIPAA + PHIPA for Ontario clinics: the 14 technical safeguards your MSP must implement

Related reading

Vol 02
SOC 2 Type II for a 50-person services firm: what 12 months actually costs
6 min read
Vol 03
Microsoft 365 backup that actually restores: Veeam vs Dropsuite vs Datto, tested on a real tenant
6 min read
Free self-serve tools

Score your risk. Price your downtime. No call required.

Two short diagnostics built by our senior engineers. Answer a handful of questions, get a scored report with next steps — yours to keep either way.

10 QUESTIONS · 3 MIN

IT Risk Calculator

Ten questions across MFA, backups, patching, access, response. Get a weighted score and a prioritized fix list.

Start the quiz
4 INPUTS · LIVE MATH

Managed IT ROI Calculator

Users, downtime hours, annual spend, loaded cost. We compute projected savings and payback months in real time.

Run the numbers