Scope and the Shared-Responsibility Line
Every cloud managed services contract turns on one question: where does the shared-responsibility line sit? In an IaaS model the cloud provider secures the underlying infrastructure, but the customer — or the managed services provider acting for them — owns the operating system, middleware, runtime, applications, configuration, user access, and data. A managed services contract should state explicitly which of those layers the MSP takes, in writing, against each environment. Vague language such as "manage your cloud" is where buyers lose money and risk, because the gap between what the diagram implies and what the contract obliges is exactly where incidents land. This discipline mirrors the clause rigour set out for managed services contracts generally.
Pricing Models and What They Hide
The dominant 2026 model is per-user, used by around 22% of MSPs as their default, with managed services typically ranging from $110 to $400 per user per month depending on environment, risk profile, and compliance load. The main models are per-user, per-device, tiered bundles (Bronze/Silver/Gold), flat-rate all-inclusive, and outcome-based pricing tied to uptime or security posture. Each draws scope differently: a per-device deal can balloon as endpoints multiply, while a flat-rate "unlimited" deal is only unlimited inside a tightly defined scope. Benchmark the quoted rate against independent data before signing — the same discipline covered in outsourcing benchmarking — and compare against the wider IT outsourcing pricing models.
| Pricing model | How it is charged | 2026 buyer watch-out |
|---|---|---|
| Per-user | Flat fee per supported employee | Default for ~22% of MSPs; $110–$400/user/mo range |
| Per-device | Fee per supported endpoint | Scales with device sprawl; cap it |
| Tiered bundle | Bronze / Silver / Gold packages | Check what each tier adds before upselling |
| Flat-rate | One invoice, unlimited in scope | "Unlimited" only inside the defined scope |
| Outcome-based | Tied to uptime / security posture | Define the metric and the measurement source |
The cheapest line item is rarely the cheapest contract. A per-device rate that looks low at signing becomes the most expensive option once endpoint counts climb — cap the device count, define what a "user" is, and price the growth before you sign.
Exclusions That Inflate the Bill
Most cloud managed services quotes cover steady-state management only. Project work, cloud architecture changes, vCIO advisory time, after-hours incident response, and compliance documentation are routinely excluded from the base monthly rate — and discovering those exclusions after signing is one of the most frequent sources of budget variance. Insist that the contract lists what is in and out of scope, sets the rate card for out-of-scope work, and defines how change requests are priced and approved. Tie the change mechanism to the governance framework so scope creep is visible at the monthly review rather than discovered on the invoice.
The Security Baseline
Cyber-insurance carriers in 2026 now require documented evidence of phishing-resistant MFA across privileged accounts, endpoint detection and response across endpoints including servers and cloud workloads, immutable offline backups with tested restoration, and a written, tested incident-response plan. Your contract should require the MSP to operate and evidence each of these as a baseline, not an upsell, and to map its controls to the obligations in security requirements and the breach duties in data protection. Make the SOC 2 or ISO 27001 report an annual contractual deliverable.
Portability and Exit
Cloud lock-in is the quiet cost of a managed services deal. The contract must guarantee data portability in a usable format, configuration documentation, and transition assistance at termination, so you are never held hostage by proprietary tooling — the same exit discipline detailed in IT outsourcing exit strategy. For the full negotiation framework, download the IT Outsourcing Negotiation Guide, explore our IT outsourcing negotiation service, or request a confidential briefing on your cloud managed services agreement.