The Anatomy of a £35-Per-User MSP Quote: A Forensic Look at What Has Been Removed

Practical Advice

Below £50 per user per month outside London, or £75 inside it, after stripping out Microsoft licensing, an MSP contract has had something removed.

This is not an aesthetic claim. It is arithmetic. You can object to the conclusion, but you have to argue with the cost lines, and the cost lines are public. Vendor pricing is published. Engineer salaries are on every UK job board. The numbers are not in dispute. The only question is which of those numbers a given provider has chosen to delete.

What follows is a forensic look at where the money actually goes inside a security-first managed service contract, why the bargain providers cannot match the headline figure honestly, and what you should be asking before you sign.

The conservative tooling stack

Forget margin. Forget engineering salary. Strip the question down to the wholesale cost of the platforms a security-first MSP needs to run before they have done a single thing for you.

Remote monitoring and management. RMM is the central nervous system of any modern MSP. It pushes patches, raises alerts, inventories devices, and gives the engineering team a way to act at scale. It runs at roughly £3 to £5 per endpoint per month at standard market rates. Patch management is normally bundled in, which is the bit that catches buyers out. Strip out the RMM and patching quietly disappears with it.

Endpoint detection and response. EDR is what replaced traditional antivirus. Behaviour-based, capable of stopping novel ransomware in flight rather than waiting for a signature update. Where it is not bundled into a broader endpoint suite, dedicated EDR products like SentinelOne start around £5 per endpoint per month and rise materially with managed response features attached.

DNS filtering. Around £1.50 per user per month. Cheap, effective, and it stops a meaningful share of phishing by refusing to resolve known malicious domains before the link is followed or the payload fetched.

Email security. If you are not on a Microsoft 365 plan with Defender for Office 365, a dedicated third-party email security product runs £5 or more per mailbox per month. Email is still the primary attack vector, and the difference between basic spam filtering and proper inbound protection is the difference between a phishing scare and a phishing breach.

Application control. Tools like ThreatLocker, sitting at £8 plus per endpoint per month, prevent unauthorised executables from running. They are the most effective single defence against ransomware payloads that get past every other layer. They are also operationally demanding, which is why bargain providers tend to skip them entirely.

Security awareness training. Around £7.50 plus per user per month for a proper rolling programme. Phishing simulations, micro-learning, reporting infrastructure. The DSIT 2025 survey found phishing remains the most disruptive type of attack against UK businesses. Training is the cheapest control that addresses it.

Backup. £3 to £5 per endpoint per month if it is not already bundled into another platform. Note this is the licensing cost only, not the storage. And note the word that matters: the service is “backup, tested”, not “backup, hopeful”. A backup that has never been restored from is an assumption, and the restore test is engineer time that has to be paid for somewhere in the quote.

SOC monitoring. Genuine 24x7 security operations centre coverage runs anywhere from included in larger bundles up to roughly £10 per endpoint per month for a full managed detection and response service.

Add it up at the conservative end. £3 + £5 + £1.50 + £5 + £8 + £7.50 + £3 + included SOC = around £33 per user per month. Take a sensible, more bundled view, and £20 to £25 per user per month is a defensible floor. A genuinely best-of-breed stack with dedicated EDR, application control, and full SOC monitoring lands at £40 plus per user before a single engineer is paid.

The arithmetic is the arithmetic. A provider charging £35 all-in while claiming every one of those line items is intact has not found an efficiency; it has a thinner cost base, and something on that list is not really there.

Then the platform layer the MSP runs themselves

A professional services automation tool, or PSA, is what the MSP uses to track tickets, log time, evidence work, and produce the audit trail that any insurance claim or regulatory enquiry will eventually demand. PSA platforms cost £40 to £80 per technician per month. Documentation systems sit on top at another £5 to £10 per technician.

These costs do not appear on your bill as a line item, but they are the difference between an MSP that can show you what they did last quarter and one that cannot.

And the human cost

Industry benchmarks for unlimited remote support for general SMB users land at roughly one hour per user per month on average. Some users will be lighter, some far heavier, but one hour averaged across the seat count is a fair planning figure.

A competent Level 2 engineer in the UK costs around £35,000 a year at salary level. Divided across 2,080 working hours, that is £17 an hour at salary cost alone. Real cost is significantly higher: employer’s NI, pension contributions, holiday cover, sickness, training, certifications, professional indemnity, desk, equipment, software licences for the engineer themselves. By the time the cost of an engineer’s hour reaches the customer, you should expect £25 plus an hour as a realistic, sustainable figure for a properly run team.

So labour, at a fair price and at one hour per user per month, costs another £17 to £25 per user per month on top of tooling.

The price floor that makes sense

Tooling: £20 to £25 per user per month at the conservative bundle level. Labour: another £17 to £25 per user per month. PSA and documentation overheads: another few pounds. That is before any margin, premises, management overhead, or money for the business to actually grow.

Outside London, a sustainable security-first MSP needs to charge meaningfully above £50 per user per month, after Microsoft licensing is stripped out, to deliver this without cutting corners. In London, where engineering salaries climb 30% to 50% above the national average, the floor is closer to £75.

If you are paying significantly less than that, somebody is absorbing the gap. It is not the vendor of your EDR product, who is being paid in full. It is not the salary expectation of a competent engineer, which is what it is. So either the tooling has been thinned out, the labour has been under-resourced, or both.

What gets cut first

The pattern is consistent across cheap providers, and once you know the order, you can spot it inside any contract.

MFA enforcement. Cheap providers will say MFA is “available”. Available means the tenant supports it, which says nothing about who is actually prompted: a conditional access policy left in report-only mode, or one that quietly excludes a convenient group, is still “available”. A security-first provider will tell you which conditional access policies enforce it, on which user groups, in which apps, under which conditions, and which accounts are excluded and why.

Patch management discipline. Bargain contracts have “updates” rather than a managed patching cadence. There is no monthly report. There is no defined window for critical patches, so nothing can ever be late. Patches happen when somebody happens to look.
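What a defined window and a real report let you check is simple to show. The block below is an added illustration written for this article, not the output of any RMM product: it takes a constructed per-device, per-patch export (the column names, device names, patch identifiers and the 14/30/60/90-day windows are all assumptions) and produces the three things a patching report must contain, coverage per severity, approved exceptions, and items outstanding beyond their window. Map your provider's export into the same columns and the same questions apply.

```python
"""Patch-discipline check over a constructed RMM export.

Added illustration for this article, not code from any RMM vendor. It assumes
a hypothetical export with one row per (device, patch); real exports differ,
so map your columns into this shape first.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample export. `installed` is blank while a patch is still
# outstanding; `exception` marks an approved exclusion (e.g. a vendor-pinned
# build) that should be reported, not counted as a failure.
SAMPLE_EXPORT = """\
device,patch_id,severity,released,installed,exception
LAPTOP-01,P-2025-001,critical,2025-05-01,2025-05-06,
LAPTOP-01,P-2025-002,important,2025-05-01,,
LAPTOP-02,P-2025-001,critical,2025-05-01,,
LAPTOP-03,P-2025-001,critical,2025-05-01,,yes
LAPTOP-03,P-2025-002,important,2025-05-01,2025-05-20,
SRV-FILE-01,P-2025-001,critical,2025-05-01,2025-05-03,
SRV-FILE-01,P-2025-002,important,2025-05-01,,
"""

# The windows the contract should define, in days from vendor release.
# These are assumed SLA values, not figures from the article.
WINDOW_DAYS = {"critical": 14, "important": 30, "moderate": 60, "low": 90}


def parse_export(text):
    """Parse the CSV export into rows with real dates and a boolean exception flag."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["released"] = date.fromisoformat(r["released"])
        r["installed"] = date.fromisoformat(r["installed"]) if r["installed"] else None
        r["exception"] = r["exception"].strip().lower() in {"yes", "true", "1"}
    return rows


def patch_report(rows, as_of):
    """Return coverage per severity, overdue items, and approved exceptions.

    `as_of` is an ISO date string (the report date). Exceptions are excluded
    from the coverage percentage but listed so they can be challenged.
    """
    today = date.fromisoformat(as_of)
    coverage, overdue, exceptions = {}, [], []
    for r in rows:
        sev = r["severity"].lower()
        c = coverage.setdefault(sev, {"installed": 0, "outstanding": 0, "excepted": 0})
        if r["exception"]:
            c["excepted"] += 1
            exceptions.append((r["device"], r["patch_id"]))
            continue
        if r["installed"] is not None:
            c["installed"] += 1
            continue
        c["outstanding"] += 1
        deadline = r["released"] + timedelta(days=WINDOW_DAYS.get(sev, 90))
        if today > deadline:
            overdue.append((r["device"], r["patch_id"], sev, (today - deadline).days))
    for c in coverage.values():
        total = c["installed"] + c["outstanding"]
        c["pct"] = round(100.0 * c["installed"] / total, 1) if total else 100.0
    # Worst offenders first, then by device name for a stable report.
    overdue.sort(key=lambda x: (-x[3], x[0]))
    return {"coverage": coverage, "overdue": overdue, "exceptions": exceptions}


if __name__ == "__main__":
    report = patch_report(parse_export(SAMPLE_EXPORT), "2025-06-01")
    for sev, c in report["coverage"].items():
        print(f"{sev:<10} {c['pct']:5.1f}% installed, {c['outstanding']} outstanding, {c['excepted']} excepted")
    for device, pid, sev, days in report["overdue"]:
        print(f"OVERDUE  {device:<12} {pid} ({sev}) {days} days past window")
    for device, pid in report["exceptions"]:
        print(f"EXCEPTION {device:<12} {pid} (approved; ask why)")
```

Run against the constructed data with a report date of 1 June 2025, the critical line shows two of three installable devices patched with one exception, and LAPTOP-02 is 17 days past the 14-day critical window. If your provider cannot produce numbers like these from their own tooling, the cadence is not managed, whatever the contract says.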

Endpoint detection and response. Replaced by basic antivirus. The contract says “endpoint protection” because the phrase covers both, but the gap in actual capability is enormous: signature antivirus catches what has been seen before, EDR watches behaviour and can stop what has not.

Application control. Skipped entirely. It is operationally demanding to deploy and maintain, and most cheap providers have neither the staff capacity nor the skill set.

Documented incident response. No runbook. No tested escalation path. No drills. The plan is “we will respond to it when it happens,” which is not a plan, it is an aspiration.

Awareness training. Either absent or replaced by a one-off compliance video that staff click through to dismiss.

Active monitoring. Replaced by reactive ticket response. Cheap providers wait for the customer to ring up saying “everything’s gone weird.” Security-first providers see the indicators of compromise hours or days before the customer notices.

How to Turn This Into a Competitive Advantage

For most UK SMBs, the short version is: you are likely paying for less security than you think. The competitive opportunity is not in spending more. It is in spending the same money differently.

Start by asking your provider for a detailed line-item breakdown of your contract against the cost stack above. If the numbers tally, brilliant, you have evidence to take to clients and prospective clients in regulated sectors who increasingly ask. If they do not tally, you have the basis for either a renegotiation that increases capability without increasing total spend, or a proper market test against providers who can.

The businesses you are competing against in tenders rarely understand any of this. The ones that do are winning the work. That is the opening.

How to Sell This to Your Board

Three points that finance directors actually engage with.

Cost transparency. A finance director who cannot see what is in the IT budget cannot manage it. A line-item view of tooling, labour, and platform costs creates the basis for proper governance. It also makes future contract decisions defensible.

Risk-adjusted spend. £10,500 of “savings” against an £8,260 average breach cost and a 43% twelve-month breach rate across UK businesses is not a saving once you risk-weight it. A board can grasp that argument far more easily than a vendor pitch.

Insurance integrity. If the cyber insurance policy mandates MFA, EDR, and patching, and the IT contract does not deliver them, the insurer has grounds to reduce or decline the claim. That is a board-level governance failure, not an IT one.

What This Means for Your Business

Five concrete actions for the next two weeks.

  1. Request a tooling line-item breakdown from your current provider. Ask for the specific products, their cost per user, and which controls they implement. Note which lines are “we use a platform” versus the actual product name.
  2. Cross-check against your cyber insurance policy schedule. Identify any control the policy requires that the contract does not explicitly deliver. That is your renegotiation list.
  3. Demand a recent patching report. Not promises. The actual report from the RMM, showing patch coverage, exceptions, and outstanding items. If the report does not exist, the discipline does not exist.
  4. Verify MFA enforcement. Have your provider walk you through the conditional access policies. Look for “enforced” rather than “available,” and note which user groups and applications are in scope.
  5. Run a basic price floor check. Take your monthly fee, strip out Microsoft licensing, divide by user count. If it sits below £50 per user outside London, or £75 inside it, ask the question that matters: what was removed to hit this number?
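Step 4 above, and the MFA point under “What gets cut first”, come down to one question: which policies are actually enabled, for whom, and with what excluded. The block below is an added example written for this article, not Microsoft's code or the article's own. It audits a list of conditional access policies in the JSON shape returned by the Microsoft Graph endpoint /identity/conditionalAccess/policies (the field names displayName, state, conditions.users, conditions.applications and grantControls are the real ones); the three policies themselves and the group identifiers in them are constructed. In a real tenant you would feed it the output of Get-MgIdentityConditionalAccessPolicy from Microsoft Graph PowerShell.

```python
"""Audit conditional access policies for enforced, not merely available, MFA.

Added illustration for this article, not code from Microsoft. The JSON
below mirrors the Graph policy schema, but the policies and the group ids
are made up.
"""
import json

REPORT_ONLY = "enabledForReportingButNotEnforced"  # Graph's report-only state

# Constructed sample: one report-only "all users" policy, one real policy for
# an admin group, one real policy that excludes a group and covers only
# Office 365. Group ids are placeholders, not real object ids.
SAMPLE_POLICIES = json.loads("""
[
 {"displayName": "CA001 - Require MFA for all users",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
                 "applications": {"includeApplications": ["All"], "excludeApplications": []}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "CA002 - Require MFA for admins",
  "state": "enabled",
  "conditions": {"users": {"includeUsers": [], "includeGroups": ["grp-admins-assumed-id"],
                           "excludeUsers": [], "excludeGroups": []},
                 "applications": {"includeApplications": ["All"], "excludeApplications": []}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "CA003 - Require MFA for Office 365",
  "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
                           "excludeGroups": ["grp-executives-assumed-id"]},
                 "applications": {"includeApplications": ["Office365"], "excludeApplications": []}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
]
""")


def requires_mfa(policy):
    """MFA is demanded by the 'mfa' built-in control or by an authentication
    strength, which is itself an MFA requirement in Graph."""
    gc = policy.get("grantControls") or {}
    return "mfa" in (gc.get("builtInControls") or []) or bool(gc.get("authenticationStrength"))


def audit(policies):
    """Reduce each policy to the facts that matter: enforced or not, scope, exclusions."""
    rows = []
    for p in policies:
        users = p["conditions"]["users"]
        apps = p["conditions"]["applications"]
        excluded = ((users.get("excludeUsers") or []) + (users.get("excludeGroups") or [])
                    + (users.get("excludeRoles") or []))
        rows.append({
            "name": p["displayName"],
            "state": p["state"],
            "requires_mfa": requires_mfa(p),
            "enforced": p["state"] == "enabled" and requires_mfa(p),
            "all_users": users.get("includeUsers") == ["All"],
            "all_apps": apps.get("includeApplications") == ["All"],
            "excluded": excluded,
            "include_apps": apps.get("includeApplications") or [],
        })
    return rows


def tenant_wide_mfa(rows):
    """True only if some enabled policy demands MFA for all users on all apps."""
    return any(r["enforced"] and r["all_users"] and r["all_apps"] for r in rows)


def findings(rows):
    """Plain-language gaps to put in front of the provider."""
    out = []
    for r in rows:
        if r["requires_mfa"] and r["state"] == REPORT_ONLY:
            out.append(f'{r["name"]}: report-only; MFA is "available", not enforced')
        if r["enforced"] and r["excluded"]:
            out.append(f'{r["name"]}: enforced but excludes {", ".join(r["excluded"])}')
        if r["enforced"] and not r["all_apps"]:
            out.append(f'{r["name"]}: enforced only for {", ".join(r["include_apps"])}')
    if not tenant_wide_mfa(rows):
        out.append("no enabled policy requires MFA for all users on all apps")
    return out


if __name__ == "__main__":
    for line in findings(audit(SAMPLE_POLICIES)):
        print(line)
```

On the constructed tenant the output is exactly the conversation the article describes: the headline “all users” policy is report-only, the executives group is carved out of the one that is enforced, and nothing covers every user on every application. Every excluded account or group in that list needs a written reason; a break-glass account is a legitimate exclusion, a senior manager who finds prompts annoying is not.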

The maths is simple. The contracts that make it look complicated do so for a reason.

Sources

NCSC: 10 Steps to Cyber Security
NCSC: Cyber Essentials
NCSC: Multi-factor authentication for online services
DSIT: Cyber Security Breaches Survey 2025
SentinelOne: Singularity Endpoint Protection
ThreatLocker: Application Allowlisting and Ringfencing
Microsoft: Microsoft Defender for Office 365 documentation
Microsoft: Conditional Access overview
NCSC: Offline backups in an online world
The Small Business Cyber Security Guy: Podcast, Cheap IT, Expensive Breach

Filed under

  • smb-security
  • uk-business
  • msp-security
  • business-risk
  • vendor-risk
  • executive-security