What Co-Managed IT Actually Is
A co-managed IT services contract supplements — rather than replaces — your internal IT team, with the external provider handling specific functions such as security monitoring, endpoint management, or Tier 2 and Tier 3 escalation support. It is the middle path between fully retained IT and full outsourcing, and it suits organisations that have capable internal staff but lack depth in security, cloud architecture, or after-hours coverage. Because responsibility is shared rather than transferred, the contract structure matters even more than in a full IT outsourcing deal — ambiguity here means work falls through the cracks between two teams.
The Responsibility Split
The defining decision is where the line sits. Typically the internal team handles Tier 1 — password resets, basic troubleshooting, onboarding — while the MSP owns Tier 2 and Tier 3 escalations, security monitoring, and specialist functions such as endpoint detection and response, automated patch management, and compliance reporting against frameworks like NIST CSF. The contract must state this split explicitly against each function, not in general terms, so accountability is unambiguous. This is the same scope-line discipline that governs cloud managed services contracts, applied to a shared-team model.
In co-managed IT, the gap between the two teams is where incidents live. If the contract does not say who owns patching, who owns the SOC alert, and who owns the after-hours call, both teams will assume the other has it — write the split function by function.
Pricing and the Exclusion Trap
Co-managed IT typically ranges from $45 to $175 per user per month for mid-market organisations, with a common band of $65 to $120 where the MSP provides after-hours coverage, specialist work, tooling, and escalation. The trap is exclusions: most co-managed quotes cover steady-state management only, and project work, vCIO advisory time, after-hours incident response, compliance documentation, and software licensing are commonly excluded from the base rate — the single most frequent source of budget variance in these engagements. Require the contract to list inclusions and exclusions explicitly and to set a rate card for excluded work, then benchmark the all-in figure as you would in any outsourcing benchmarking exercise.
| Element | Typical 2026 position | Buyer note |
|---|---|---|
| Tier 1 support | Internal team | Password resets, onboarding |
| Tier 2 / 3 escalation | MSP | Specialist and after-hours |
| Per-user price | $45–$175 / user / mo | Common band $65–$120 |
| Common exclusions | Projects, vCIO, after-hours IR, licences | Top cause of budget variance |
RACI and Decision Rights
A shared model needs a shared map. A RACI matrix across incident response, change control, security, patching, and reporting removes the ambiguity that a co-managed structure invites, and it should sit inside the same governance framework — dashboards, monthly reviews, and a quarterly business review — you would apply to any outsourcing relationship. Define who is accountable for each function, who is consulted, and who is merely informed, so a security alert at 2am has an owner before it arrives, not after.
Security and Exit
Co-managed providers often own the security stack — EDR, SOC monitoring, patch management — which makes the security and exit terms critical. Hold the MSP to the same standards as a full provider: the right-to-audit, annual assurance, and remediation SLAs set out in security requirements, and the data-return and tooling-handover obligations in your exit strategy, so a change of provider does not leave you locked out of your own monitoring.