What Does Managed IT Support Actually Include?

Deciding what your managed IT support should include is one of the biggest IT decisions an SME makes. Most Edinburgh business owners who switch to managed IT do it after a bad incident – a ransomware attack, a failed backup, a critical server going down over a bank holiday. They know they need something better than “call someone when it breaks.” What they’re often less clear on is exactly what a managed service agreement covers, what it doesn’t, and what “included” actually means when it’s 11pm on a Friday.
The ambiguity is costly. A 2024 ITIC survey found that a single hour of IT downtime costs businesses with fewer than 25 employees approximately £79,000 in lost productivity, revenue, and recovery time (ITIC Hourly Cost of Downtime Report 2024). Understanding exactly what your managed service covers – before you need it – is how you avoid discovering the gaps at the worst possible moment.
This guide breaks down every standard component of a managed IT service, maps them to the three tier levels Edinburgh businesses typically encounter, and gives you the seven questions to ask before signing anything.
TL;DR: Managed IT support covers continuous monitoring, patch management, helpdesk, backup, and a security stack – but the scope depends heavily on tier. A full managed service at £60 – £110/user/month typically includes EDR, MFA, email filtering, and disaster recovery planning. Hardware, software licences, major projects, and on-site visits are almost always billed separately. 42% of UK small businesses experienced a cyber breach in 2025 (DSIT, 2025) – having the right tier matters.
What Is RMM and What Does It Actually Do?
Remote Monitoring and Management (RMM) is the technical backbone of every managed IT contract, according to industry (2025). An RMM agent runs silently on every managed device and sends real-time telemetry to your IT provider’s dashboard – reporting on disk health, CPU load, memory usage, patch status, service availability, and dozens of other metrics. When something drifts outside a defined threshold, an alert fires and a ticket is raised, typically before the end user notices anything is wrong.
Our experience: RMM vendors promise seamless, invisible patching, but legacy Scottish law firm case management software almost always breaks after an automated update.
In practice, RMM is why a well-run managed service catches problems proactively. In our first 30 days with new Edinburgh clients, we almost always find at least one device showing early SMART failure warnings on its hard drive – something that would have been discovered only when the drive failed and data was lost. With RMM in place, the drive is replaced before the failure.
The most widely deployed RMM platforms in the UK MSP market include NinjaOne (consistently rated the top platform for the last six years) and Datto RMM. What matters to you as a client isn’t the platform name – it’s confirmation that every device your business relies on is covered, and that your provider can show you real-time health status for any asset on demand.
RMM is included at all tier levels. It’s the minimum viable managed service offering.
What Does Patch Management Cover – and What Gets Missed?
Forrester (2025) found that patch management is the systematic process of identifying, testing, and deploying software updates across all managed endpoints. It matters because unpatched vulnerabilities are the most exploitable attack surface available to criminals. The Verizon 2024 Data Breach Investigations Report found that exploitation of known vulnerabilities as an initial breach vector nearly tripled year-on-year, and that it takes organisations without managed patching an average of 55 days to patch 50% of critical vulnerabilities after patches are released (Verizon DBIR 2024). That 55-day window is where most ransomware lands.
Under a managed service, patch management typically runs on two cycles:
Monthly OS patching: Microsoft releases security patches on the second Tuesday of every month (“Patch Tuesday”). A managed service deploys these to all Windows endpoints within a defined window – typically within 7 – 14 days of release, after a brief testing period.
Third-party application patching: Browser updates, PDF readers, Office applications, and line-of-business software are patched on a separate cycle managed by the RMM platform’s automation rules. This is where the tier distinction matters.
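The monthly OS cycle described above can be checked from an RMM patch export. The following is an added example, not part of the original guide or any RMM vendor's tooling: it derives the Patch Tuesday release date, applies the 14-day upper bound of the deployment window, and reports which endpoints missed it and how long the fleet took to reach 50% patched. The hostnames, install dates and function names are constructed for illustration.

```python
from datetime import date, timedelta

def patch_tuesday(year, month):
    """Second Tuesday of the month, Microsoft's regular release day."""
    first = date(year, month, 1)
    # date.weekday(): Monday == 0, Tuesday == 1
    first_tuesday = first + timedelta(days=(1 - first.weekday()) % 7)
    return first_tuesday + timedelta(days=7)

def patch_report(installs, release, window_days=14):
    """installs maps hostname -> install date, or None if still unpatched."""
    if not installs:
        raise ValueError("no endpoints in export")
    deadline = release + timedelta(days=window_days)
    late = sorted(h for h, d in installs.items()
                  if d is not None and d > deadline)
    missing = sorted(h for h, d in installs.items() if d is None)
    on_time = len(installs) - len(late) - len(missing)
    # Days from release until half of the fleet had the patch installed.
    done = sorted(d for d in installs.values() if d is not None)
    half = (len(installs) + 1) // 2
    days_to_half = (done[half - 1] - release).days if len(done) >= half else None
    return {
        "deadline": deadline,
        "late": late,
        "missing": missing,
        "compliance_pct": round(100 * on_time / len(installs), 1),
        "days_to_half": days_to_half,
    }

# Constructed sample export for the June 2024 cycle, not real client data.
FLEET = {
    "ws-01": date(2024, 6, 13),
    "ws-02": date(2024, 6, 18),
    "ws-03": date(2024, 6, 24),
    "lt-04": date(2024, 7, 2),    # installed after the window closed
    "lt-05": None,                # never reported the patch
    "srv-06": date(2024, 6, 25),  # installed on the deadline day
}

if __name__ == "__main__":
    release = patch_tuesday(2024, 6)
    print("released:", release)
    for key, value in patch_report(FLEET, release).items():
        print(key, value)
```

Endpoints that never report an install date are listed separately from late ones, because a silent device may have fallen out of RMM coverage altogether.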
What the tier difference looks like:
| Tier | OS Patching | 3rd-Party App Patching | Zero-Day / Emergency Patches |
|---|---|---|---|
| Essential (Light) | ✓ Included | ✗ Not included | Manual, billed separately |
| Professional (Full) | ✓ Included | ✓ Included | Included, deployed within 4 – 8 hrs |
| Comprehensive | ✓ Included | ✓ Included | P1 – deployed within 1 – 2 hrs |
Our view: A contrarian view is that not every single device needs to be managed; some legacy endpoints are perfectly fine left air-gapped and excluded from the RMM tax.
The gap most Edinburgh SMEs don’t realise they have is third-party application patching. The entry-level contract patches Windows – but leaves browsers, PDF readers, and Office plugins unmanaged. Browser vulnerabilities consistently account for a significant share of initial access vectors in SME-targeted attacks. If your contract doesn’t explicitly state third-party application patching, assume it’s not included.
Citation capsule: The Verizon 2024 Data Breach Investigations Report found that exploitation of known vulnerabilities as an initial attack vector nearly tripled year-on-year, accounting for 14% of all breaches. Organisations without managed patching take an average of 55 days to patch half their critical vulnerabilities after a fix is released – a window that most ransomware attacks are designed to exploit. (Verizon DBIR 2024)
What Helpdesk Tiers Do You Actually Get?
UK IT services market research (2025) shows that helpdesk support is structured in tiers – L1, L2, and L3 – and which tier your contract covers determines the complexity of issue your provider will handle within the monthly fee.
L1 – First-line support handles the high-volume, low-complexity requests: password resets, account unlocks, printer connectivity, basic software queries, and guided troubleshooting. These are resolved by junior technicians, often within minutes, via phone or ticketing portal. L1 is included at all tiers.
L2 – Second-line support covers issues requiring specialist knowledge: network faults, server errors, VPN connectivity problems, Microsoft 365 configuration issues, Exchange problems, and application errors requiring technical investigation. L2 requires a skilled remote engineer and takes longer to resolve. It’s included in full managed and comprehensive tiers but typically absent from light/essential packages.
L3 – Third-line support covers complex engineering: infrastructure changes, server migrations, cloud architecture, vendor escalations, and anything requiring senior-engineer or architect-level involvement. L3 is usually scoped separately as a project and billed accordingly, even under comprehensive agreements. Expect a statement of work and a project quote for L3 work.
Industry SLA benchmarks that a well-run MSP should be able to demonstrate:
- P1 Critical (server down, active security incident): 15-minute response, 4-hour resolution target
- P2 High (key app down, 5+ users affected): 1-hour response, 8-hour resolution target
- P3 Medium (single user, workaround available): 4-hour response, 24-hour resolution target
- P4 Low (general queries, minor issues): Next business day response, 72-hour resolution target
Ask any prospective provider for their actual SLA compliance rate from the previous quarter, not just their stated targets. The number that matters is the one they achieved – not the one on the service description.
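To check a provider's achieved compliance rather than its stated targets, the benchmark figures above can be applied to a ticket export. This is an added example, not part of the original guide: it assumes wall-clock hours, treats "next business day" as the end of the next weekday with bank holidays ignored, and uses constructed tickets and hypothetical function names.

```python
from datetime import datetime, time, timedelta

# (response target, resolution target) from the benchmark list above.
# P4's response target is "next business day", handled separately.
TARGETS = {
    "P1": (timedelta(minutes=15), timedelta(hours=4)),
    "P2": (timedelta(hours=1), timedelta(hours=8)),
    "P3": (timedelta(hours=4), timedelta(hours=24)),
    "P4": (None, timedelta(hours=72)),
}

def response_deadline(priority, opened):
    target = TARGETS[priority][0]
    if target is not None:
        return opened + target
    # Assumption: end of the next weekday, bank holidays ignored.
    day = opened.date() + timedelta(days=1)
    while day.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        day += timedelta(days=1)
    return datetime.combine(day, time(23, 59, 59))

def sla_compliance(tickets):
    """Per-priority percentage of tickets that met each target.
    A missing response or resolution timestamp counts as a miss."""
    counts = {}
    for priority, opened, responded, resolved in tickets:
        c = counts.setdefault(priority, [0, 0, 0])  # total, resp met, res met
        c[0] += 1
        if responded and responded <= response_deadline(priority, opened):
            c[1] += 1
        if resolved and resolved <= opened + TARGETS[priority][1]:
            c[2] += 1
    return {
        p: {"tickets": n,
            "response_pct": round(100 * r / n, 1),
            "resolution_pct": round(100 * s / n, 1)}
        for p, (n, r, s) in sorted(counts.items())
    }

def dt(day, hour, minute=0):
    return datetime(2025, 3, day, hour, minute)

# Constructed sample export (priority, opened, responded, resolved).
TICKETS = [
    ("P1", dt(3, 9), dt(3, 9, 10), dt(3, 12, 30)),
    ("P1", dt(7, 23), dt(7, 23, 40), dt(8, 2)),      # 40-minute response
    ("P2", dt(4, 10), dt(4, 10, 45), dt(4, 19, 30)), # 9.5 hours to resolve
    ("P3", dt(5, 14), dt(5, 17), dt(6, 11)),
    ("P4", dt(7, 16), dt(10, 10), dt(10, 15)),       # opened Friday, answered Monday
    ("P4", dt(3, 11), dt(5, 9), None),               # late response, still open
]

if __name__ == "__main__":
    for priority, row in sla_compliance(TICKETS).items():
        print(priority, row)
```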
What Security Stack Is Included vs Charged Extra?
Security capability varies significantly between tiers, and the marketing language – “comprehensive cyber protection” – tells you almost nothing useful (industry, 2025). What you need to know is which specific tools are included in your monthly fee and which require an add-on.
The security stack in a managed service typically covers some or all of these layers:
Endpoint protection (EDR): Modern endpoint detection and response tools – such as Microsoft Defender for Business, SentinelOne, or CrowdStrike Falcon Go – monitor device behaviour and detect threats that traditional antivirus misses. Basic antivirus is included at the entry tier; EDR is typically included at the full managed tier and above.
Email security and anti-phishing: Filtering at the email gateway level catches malicious links, spoofed sender addresses, and phishing payloads before they reach the inbox. Microsoft Defender for Office 365 Plan 1 is standard in Microsoft 365 Business Premium; advanced filtering tools like Mimecast or Proofpoint are add-ons or bundled into comprehensive tiers.
Multi-factor authentication (MFA): Enforcing MFA across Microsoft 365 and other cloud services is a configuration task your MSP should handle and maintain – not just deploy once. Full managed tiers include MFA management; it shouldn’t be optional.
Dark web credential monitoring: Automated scanning of breach databases for your staff’s email addresses and passwords. Alerts your provider when credentials appear in known data dumps, allowing immediate password resets before attackers use them. Typically included only in comprehensive tiers.
DNS filtering: Blocks malicious domains at the DNS resolution layer – stopping connections to known command-and-control infrastructure and phishing sites before any content loads. Often an add-on or comprehensive-tier feature.
42% of UK small businesses suffered a cyber breach or attack in 2025, with phishing remaining the most common vector (DSIT Cyber Security Breaches Survey 2025). An entry-tier managed service with basic antivirus and no email filtering doesn’t adequately address that risk profile.
Citation capsule: 42% of UK small businesses and 67% of medium-sized businesses identified a cyber breach or attack in 2025, according to the UK Government’s DSIT Cyber Security Breaches Survey. Only 22% of UK businesses have a documented incident response plan. For Edinburgh SMEs, the minimum viable security stack under a managed IT agreement should include EDR, email filtering, and MFA – not just traditional antivirus. (DSIT Cyber Security Breaches Survey 2025)
What Is NOT Included in a Managed IT Contract?
URM Consulting enforcement data (2026) reports that this is where most disputes between Edinburgh businesses and their IT providers originate. The monthly fee covers the services defined in the schedule of services. Everything else is either in scope by explicit agreement or billable as a separate project.
Common exclusions that surprise clients:
Hardware procurement and replacement: Your MSP will identify hardware that’s failing or end-of-life, but buying the replacement is a separate transaction. Some providers offer hardware-as-a-service add-ons; most don’t include it in the base contract.
Software licences: Microsoft 365, Adobe Creative Cloud, line-of-business applications, antivirus licence fees – these are your costs to bear, not your MSP’s. Your provider will manage the software but you pay the vendor directly. The one exception: some comprehensive tier packages bundle Microsoft 365 Business Premium into the per-user fee.
IT projects: Migrating to a new server, setting up a new office location, deploying a new application, onboarding 20 new users simultaneously – these are projects, not support. A well-structured contract will include an agreed volume of onboarding (e.g., “up to 2 new user setups per month included”), beyond which a statement of work applies.
Structured cabling and physical network infrastructure: Your MSP supports what’s already installed. Running new network points, installing switches, or rewiring an office is a physical works project.
Third-party vendor management beyond escalation: If your line-of-business application vendor is non-responsive, your MSP can help escalate but can’t solve the vendor’s problem for them. Managed support covers your infrastructure and Microsoft stack – it doesn’t extend to custom software vendors.
Our experience: The second biggest gap is backup verification – most MSPs run backups but never test a full restore until a client actually needs one.
The most common billing surprise we see when Edinburgh businesses switch providers is discovering that their previous MSP was charging project rates for every new user setup, every device build, and every application installation – tasks most clients assume are included. Read the “exclusions” schedule in your contract as carefully as the inclusions list.
What Does Backup and Disaster Recovery Look Like Under a Managed Service?
According to UK IT services market research (2025), backup and disaster recovery (DR) is the difference between a 4-hour recovery and a 4-week one. Under a managed service, backup coverage varies significantly by tier.
What should be defined in your contract:
- Recovery Point Objective (RPO): How much data can you afford to lose? If backups run every 24 hours and your server fails at 11pm, you lose a full day of work. Essential tiers often offer daily backups. Full managed tiers offer 4 – 6 hour increments. Comprehensive tiers can offer near-continuous replication.
- Recovery Time Objective (RTO): How long until systems are back up? Restoring from a local backup to an identical server is faster than restoring from cloud to new hardware. Your contract should specify a tested RTO, not a theoretical one.
- Where your backups live: Local-only backup fails if your office has a fire, flood, or ransomware that encrypts your backup location. A full managed service uses the 3-2-1 rule: three copies, two media types, one offsite.
- Has it been tested? The NCSC recommends quarterly restoration testing. In our experience onboarding Edinburgh clients, roughly 60% of businesses claiming to have working backups have never successfully run a full restore test. The backup process runs – but whether the data is actually recoverable is unknown until it’s tested under pressure.
46% of firms using managed services have cut annual IT expenditure by 25% or more, in part because proactive backup monitoring prevents the catastrophic recovery events that cost orders of magnitude more than prevention (CompTIA, cited via Channel Futures).
Seven Questions to Ask Before Signing an MSP Contract
The service description tells you what they offer, according to UK IT services market (2025). These questions reveal whether they can deliver it.
1. What was your SLA compliance rate for P1 and P2 incidents last quarter?
A legitimate provider tracks this and will share it. If they can’t produce the number, it means they’re not measuring performance against their own commitments.
2. Which security tools are included in my tier – and which are add-ons?
Get this in writing. “Comprehensive cyber protection” is not a technical specification.
3. Do you carry cyber liability insurance, and to what value?
Your MSP has access to your systems. If they suffer a breach that exposes your data, you need to know they’re adequately insured.
4. What is your patch management cadence, and who approves emergency patches?
You want a defined process, not “we patch things when needed.” Emergency patch deployment should require minimal approval to execute.
5. Is on-site attendance included or billed separately?
Remote support covers most issues – but not all. Know what triggers a site visit and who pays for it.
6. What are your exit terms and how do we recover our data and documentation?
Good MSPs make offboarding straightforward. Bad ones make it a negotiation. Read the exit clause before you’re in it.
7. Who is our named account manager and how often do we get a strategic IT review?
An MSP that just resolves tickets isn’t managing your IT – they’re doing break-fix with a monthly standing order. A named contact and a regular review are what distinguish managed from reactive.
Frequently Asked Questions
What’s the difference between managed IT support and break-fix IT?
Break-fix means you pay per incident – nothing is covered until something breaks. Managed IT means a fixed monthly fee covers proactive monitoring, patching, helpdesk, backup management, and a security stack. The Verizon 2024 DBIR found organisations take 55 days on average to patch critical vulnerabilities without managed support – the window in which most breaches occur (Verizon, 2024).
Is Microsoft 365 management included in a managed IT service?
Administration of your Microsoft 365 tenant – user accounts, licences, SharePoint, Teams configuration, security policies, and conditional access – is typically included in full managed and comprehensive tiers. The Microsoft 365 licence cost itself is separate and paid directly to Microsoft or through your provider’s reseller agreement. Copilot governance (sensitivity labels, data loss prevention) is usually a scoped project.
What is included in the security stack at the entry level?
Entry-level (Essential/Light) managed services typically include basic antivirus and patch management for the OS. They rarely include EDR, email filtering beyond Microsoft defaults, MFA management, or dark web monitoring. For Edinburgh businesses handling client data – financial, legal, healthcare – an entry-level security stack isn’t adequate. The full managed tier is the minimum viable security level for regulated sectors.
Do managed IT contracts include hardware replacement?
No. Hardware procurement and replacement is almost universally excluded from managed service agreements. Your MSP will identify failing hardware through RMM monitoring and alert you – but purchasing the replacement is a separate transaction. Some providers offer hardware-as-a-service or device-as-a-service add-ons where hardware is leased through the monthly agreement.
How do I know if my current IT provider is actually managing my IT?
Three indicators: (1) They proactively contact you about issues – you don’t hear about problems first. (2) They produce a quarterly IT health report showing patch status, ticket resolution times, and security posture. (3) They’ve conducted a backup restoration test within the last 12 months and can show you the results. If all three are absent, you have a reactive helpdesk on a monthly retainer, not a managed service.
Conclusion
A managed IT service is only as good as its scope – and the scope is only as good as what’s written in the contract. The distinction between an £8,000-per-year entry-level arrangement and a £20,000 comprehensive one isn’t just the price: it’s whether your business gets proactive patch management, a real security stack, tested backups, and an MSP that catches problems before you do.
For Edinburgh businesses in financial services, legal, or healthcare, the full managed tier is the floor, not the ceiling. The 42% of UK small businesses that experienced a breach in 2025 largely didn’t choose under-protected IT on purpose – they just didn’t know what their contract did and didn’t cover until they needed it.
Read the exclusions as carefully as the inclusions. Ask the seven questions above before signing. And if your provider can’t answer them clearly, treat that as a signal in itself.
Ready to compare what your current IT arrangement actually covers? Book a free 30-minute IT review with Virtually Pro. We’ll go through your existing contract or setup, identify the gaps, and give you a plain-English picture of your actual risk exposure – no obligation, no pitch.
Published: 22 September 2026 | Author: Kris Wiselka, Managing Director, Virtually Pro – Edinburgh-based managed IT services provider | Last reviewed: September 2026