Underwriting Your MSP Prospects
MSP prospects are few and far between. When one finally shows interest, it is tempting to push for the close without asking the harder question: what kind of customer will this actually be? That urgency gets amplified when your team is involved in the sales process. Employees are often focused on the win, not the long-term relationship. And that can lead to deals you later regret.
I can still remember one prospect from my own MSP that always felt a little too good to be true. They checked every box, moved quickly, and sounded eager to get started. But from the moment the contract was signed, things went sideways. There was no handoff from their previous provider. Systems were undocumented, credentials were missing, and expectations were already misaligned. That initial excitement turned into an uphill battle we should have avoided in the first place.
Anup Ghosh, Co-Founder and CEO of ThreatMate, would call that a classic case of skipping the underwriting process. “You definitely want to look behind the curtain a little bit and see what’s going on. By scanning all their assets, you’ll quickly get a good idea of whether things are clean or a complete mess,” Anup says.
He’s right. Skipping that step not only exposes you to technical surprises, it can also hide signs that the client is not ready to take accountability for their environment. “There is a time to say no. You may not want to take certain clients because they might cost you more than you’re making, and you better understand that upfront before you get into that relationship,” he explains.
So what does client risk really look like before the deal closes? Here are five of the most common warning signs to watch for and how to spot them early on:
Beyond The Scan: AI-Driven Pentesting For MSPs
Sponsored by Threatmate
Early Warning Signs Of Client Risk
Reluctance To Invest In Cybersecurity
There’s a certain type of prospect that raises red flags almost immediately, and for Ghosh, it often starts with how they talk about cybersecurity. If a client downplays risk or fails to take recommendations, that’s likely a mindset issue. “Prospects who push back on cybersecurity investments often underestimate their own risk exposure. If they won’t invest proactively now, you’ll likely be paying for their shortcuts later,” says Anup.
Before you take on any client, you need to know what kind of environment you’re inheriting, what it’s going to cost to stabilize it, and whether the prospect is even willing to make that investment. As Anup puts it, “Before you say, ‘Sure, I’ll manage your network,’ you should know exactly what baggage comes along with it and present a cost proposal to clean it up. If they say no, that’s your first indicator that maybe you don’t want this client.”
The most expensive clients aren’t always the ones with the biggest infrastructure. They’re the ones who see every security tool as an optional add-on. “Cybersecurity isn’t optional anymore; it’s essential. Clients who view it as just another expense instead of an investment usually become your most expensive customers in the long run.”
Poorly Managed Or Disorganized Network
You can tell a lot about a business just by scanning their network. According to Anup, that initial assessment is one of the fastest ways to uncover what kind of client you’re really dealing with. When endpoints are neglected, firmware is out of date, or there’s no rhyme or reason to the device landscape, it can make onboarding that much more difficult.
“When you scan a network, you also learn a lot about the MSP managing it, including whether they’re taking care of things or leaving ports open and devices unprotected. It gives you a good sense of how well the IT assets are managed,” Anup explains.
At first glance, a messy network might seem like an opportunity. After all, more problems mean more billable work, right? Not always. A sloppy environment often signals much deeper dysfunction. “A poorly maintained network is often the tip of the iceberg. When you see basic issues like unmanaged endpoints or outdated software, expect much deeper problems beneath the surface.”
That surface-level chaos tends to ripple outward. Documentation is usually a mess (or non-existent). Credentials are scattered. And if there was a previous MSP in place, they likely left you with half-configured tools and no way to trace what’s been done. Taking on clients like this might feel like an opportunity at first, but what you’re really stepping into is someone else’s half-baked project.
Inaccurate or Missing Asset Inventory
For Ghosh, there is no better opportunity for a risk assessment than when a prospect can’t tell you what’s even on their network. If the asset inventory is incomplete, out of date, or totally missing, you’re looking at a business that’s flying blind and probably relying on third parties to document and steward their own infrastructure.
Missing asset data doesn’t just make onboarding harder. It puts your entire profitability and service model at risk. Also, if you don’t know what you’re responsible for, how can you secure it? And if the client doesn’t have any process in place for tracking devices and software, you can almost guarantee there’s no process for managing access, updates, or compliance either. “Accurate asset inventory is foundational to good security. If your prospect doesn’t have a grip on what devices and software they own, they’re inviting trouble, and you’re the one who will have to deal with it.”
This is the type of thing that will show up on your doorstep in the form of repeated surprises. Unpatched servers. Forgotten machines. Devices that should have been decommissioned years ago. Every one of them is a potential liability, both for the client and for you.
Lack Of Cooperation With Current IT Provider
Selling managed services would be a lot easier if prospects came with clean documentation and a full report from their last provider. But in reality, most prospects are hesitant to engage their current IT team, especially if they’re still under contract or trying to avoid conflict. According to Anup Ghosh, this kind of hesitation is often a sign that things may get complicated very quickly.
“A major point of friction in the MSP sales process comes from prospects not fully understanding their own IT landscape. They hesitate to approach their current provider to avoid rocking the boat. This hesitation creates paralysis, and unfortunately, it often results in them taking no action at all,” Anup explains.
This limbo state leaves you guessing. Without the full picture, it is impossible to scope accurately, and even harder to predict how much resistance you will face once the engagement begins. Sometimes the real problem is not the prospect, but the incumbent team protecting their turf. “When an incumbent MSP or internal IT team isn’t cooperative, it’s usually a red flag indicating they might have something to hide. Tools like the ThreatMate Pi allow you to discreetly uncover the real state of the network without alerting them prematurely.”
When current providers go dark or get defensive, it is not always about turf wars. It could be that they have simply let things slip. And if that is the case, your first few weeks in the door could be a forensic dig through half-finished projects and undocumented workarounds.
Excessive Vulnerabilities and Exploitable Risks
It is common for MSPs to run into vulnerabilities during a risk assessment or automated pen-test. But when the results come back looking like a vulnerability bingo card, that is reason for concern. According to Ghosh, it is a window into the client’s operational culture, and usually not a good one.
“When an automated pen test reveals dozens of easily exploitable vulnerabilities, it’s a sign of chronic neglect. Clients who let problems pile up this way often resist the level of proactive management that MSPs need to provide,” says Anup.
There is a difference between a network that needs work and one that has been completely ignored. When risk accumulates at this scale, it suggests the client either has no process, no visibility, or no interest in fixing what is broken. That attitude rarely changes just because you sign a contract. “The sheer number of vulnerabilities you find during an assessment isn’t just a technical detail. It’s a strong signal of the client’s attitude toward security. If they’ve tolerated excessive risk until now, they’ll probably expect you to do the same.”
For MSPs who take a proactive approach, this kind of mindset can be a total mismatch. It leads to constant pushback on remediation, chronic underinvestment, and an endless cycle of preventable issues. The earlier you can spot a tolerance for risk, the easier it is to avoid getting pulled into firefighting mode on a permanent basis.
Building Ground Truth Into Your MSP Sales Process
Let’s be honest. Leading with cybersecurity doesn’t always land. For many prospects, risk still feels abstract. Unless they have been burned before, they may not be in the mindset to proactively protect their business. That makes a traditional pitch around cyber, pen-testing and risk assessments a tough first move.
But framing changes everything. According to Anup, the value of automated pen-testing is not just in uncovering vulnerabilities. It is in using the scan as a discovery tool that benefits both sides of the conversation. “Most MSPs talking to a prospect have to ask them, ‘What do you have on your network?’ The person you’re talking to literally doesn’t know. You’re basing your proposal off that number, and the number is always wrong, usually in the wrong direction. By scanning, you understand what’s out there and get ground truth.”
When you position the assessment as a shared discovery process, it becomes a logical first step. The client gains clarity around their environment, and you gain the ability to accurately underwrite the relationship. You are not selling fear. You are offering insight. Most importantly, you are surfacing action items that would have remained invisible without this level of visibility.
This approach makes your proposal more accurate and completely changes the nature of the conversation. Instead of asking for a commitment based on assumptions, you are building trust around facts. That shift can turn a once skeptical prospect into a collaborative partner and often reveals project opportunities that neither side had originally considered.
Conclusion
Pursuing every prospect might feel like growth, but in reality it can be a trap. For MSPs focused on sustainable success, learning how to identify poor-fit customers is critical. As Anup Ghosh has shared throughout this conversation, the clues often appear early. You just have to be willing to recognize them and act accordingly.
“For the longest time, cybersecurity has been considered a necessary burden by MSPs. But no longer. Now, cybersecurity is a profit-driving tool in your toolkit of MSP growth hacks. You really need to think about it that way,” Anup says.
A risk assessment provides clarity. It shows the true condition of a prospect’s environment and helps both sides understand what is required to move forward. It also brings to light technical issues that can lead to valuable projects and well-scoped solutions. When used intentionally, this discovery process becomes a strategic filter that protects your time, improves client quality, and positions your MSP for long-term success.

