Co-Managed IT: What Stays In-House, What Goes to the MSP
Kristina Shkriabina
Co-managed IT splits day-to-day support between your internal team and an MSP. A practitioner's guide to what stays in-house, what the MSP owns, and where the handoff breaks down.
Co-managed IT is the model where you keep an internal IT team and pay an MSP to own a defined slice of the work, usually the after-hours, the deep-bench tooling, or the projects nobody on staff has time to finish. It sounds simple until you try to draw the line on a whiteboard. Six months in, nobody is sure who owns patch failures, the help desk is double-ticketing the same printer, and your sysadmin is quietly resentful that "the MSP" exists at all. The thing the SERP keeps glossing over is that co-managed lives or dies on the handoff, not the contract. This guide walks through what the split usually looks like in 2026, where it tends to fall apart, and how to tell whether the model fits your shop or you're better off with fully managed or fully in-house.
TL;DR: Co-Managed IT in One Screen
| Question | Short answer |
|---|---|
| What is co-managed IT? | A split where an MSP owns defined IT functions and your internal team owns the rest, with both sides working on the same tickets and stack. |
| Who is it for? | Companies with at least one internal IT person who need extra coverage, depth, or tooling without hiring a full second-tier team. |
| When does it fail? | When ownership lines are vague, the MSP is treated as an overflow queue, or the two teams run separate tools that never reconcile. |
| What does it cost? | Roughly $50 to $200 per user per month for the MSP slice, on top of your internal payroll, depending on scope and tooling. |
What Co-Managed IT Means in Practice
Co-managed IT, sometimes written "comanaged IT," is a contract where an MSP picks up part of the IT workload that an internal team would otherwise carry alone. The split is negotiated, not standard. One company gives the MSP after-hours tier-1 and patching; another gives them the entire security stack and keeps everything user-facing in-house. The label covers both.
The model sits between two extremes. Fully managed services hand the entire IT function to an outside provider, and the customer's role shrinks to vendor management. Fully in-house keeps every ticket, every license, every late-night reboot on staff. Co-managed is the middle: shared tooling, shared visibility, two teams pointed at the same backlog.
The r/msp thread that ranks first for the term ("Co-Managed IT," 669 monthly visits) is full of operators arguing about whether the work is real consulting or "just selling licenses with a phone number attached." That argument is the giveaway: there isn't one definition because the line moves with every client. What stays constant is the shape: internal owns some things, MSP owns others, both can see the same dashboards.
Co-Managed vs Fully Managed vs In-House: How They Compare
A vendor roundup post would put this table at the end. For a definitional piece, it belongs near the top, because most readers land here trying to figure out which of the three columns describes their shop.
| Dimension | In-House IT | Co-Managed IT | Fully Managed IT |
|---|---|---|---|
| Who owns daily tickets | Internal team | Split by tier or function | MSP |
| Who buys the tooling | Internal team | Usually MSP, billed through | MSP |
| Who owns escalations | Internal team | Defined by contract | MSP |
| Best for headcount | 3+ IT staff | 1 to 5 IT staff | 0 to 1 IT staff |
| Typical cost shape | Salaries + licenses | Salaries + per-user MSP fee | Per-user or per-device fee only |
| Hardest failure mode | Burnout, no after-hours | Unclear handoff lines | Vendor lock-in, slow change requests |
| Best when | You have deep institutional knowledge to protect | You need depth or coverage your team can't hire fast enough | IT is a cost center, not a capability |
The middle column is the one most people are quietly drifting into. They hired one IT generalist five years ago, the company doubled, and now that person can't carry the load alone but the budget won't support a second hire. Co-managed is the cheap escape valve from that bind. It also has the highest failure rate of the three, because the boundary is invented per contract.
What Internal Teams Usually Keep
The internal team almost always owns the work that requires institutional memory or physical presence. That tends to look like:
- Strategy and budget. Roadmap, vendor selection, renewals, capex requests. The MSP can advise but doesn't sign the PO.
- User-facing IT. Onboarding, offboarding, executive support, the "I'm in the lobby and my laptop won't boot" tickets. Co-managed clients almost never outsource the receptionist call.
- Line-of-business apps. The custom ERP module, the homegrown billing tool, the integration with the warehouse scanner. The MSP doesn't have context to debug these without a long ramp.
- Compliance ownership. Auditors want a name on the SOC 2 or HIPAA control owner. That name is almost always internal.
- Vendor relationships. Renewing Microsoft 365, fighting a Datto invoice, negotiating the firewall refresh. The MSP can run the project but the customer signs.
The bigger the company, the more of this list the internal team holds. A 200-person manufacturer with two IT staff might keep only the first two bullets. A 1,500-person law firm with twelve IT staff might keep everything except after-hours tier-1.
What the MSP Usually Owns
The MSP picks up the work that needs scale, specialization, or a 24/7 rotation that doesn't fit a small team. Common scope:
- 24/7 monitoring and tier-1. Phones answered after 6pm, alerts triaged overnight, simple tickets resolved without paging the internal team.
- Patch management and RMM. The MSP runs the agent, owns the patch ring, handles the failures. Internal IT gets a report.
- Backup and disaster recovery. Daily verification, restore testing, the runbook for when ransomware hits. Most internal teams don't have the bandwidth to test restores monthly.
- Security operations. EDR tuning, SIEM watch, vulnerability scans, the after-hours incident response retainer. This is where the most growth in co-managed scope has happened since 2023.
- Project capacity. The migration nobody on staff has time for: M365 tenant cleanup, Intune rollout, network refresh.
What the MSP does not own, in a healthy co-managed setup, is the relationship with the user. If the MSP starts taking credit with end users for fixes the internal team requested, the internal team turns hostile within a quarter. That dynamic is what fuels the "hard NO" thread on r/ITManagers that ranks for "it management services."
Where the Handoff Breaks Down
The r/ITManagers thread "If You're a Hard NO on Co-Managed IT" is worth reading in full if you're considering the model. The objections are consistent and they're not about pricing. They're about ownership.
The first failure pattern is the double-ticket loop. A user emails internal IT, also calls the MSP, and now two technicians are working on the same problem with different facts. The fix is a single shared ticketing system that both teams write into, plus a written rule about which channel the user is supposed to use. Most MSPs will push their PSA on you; some internal teams refuse on principle. Co-managed engagements that don't resolve this in the first 60 days rarely survive year two.
The second pattern is ownership ambiguity on incidents. A patch breaks something on Friday night. The MSP applied the patch but the internal team owns the application. Who's on the bridge? If the contract doesn't say, the default is "whoever has the least standing to push back," which is usually the internal sysadmin getting woken up. Spell out the on-call escalation chain in the SOW, not in a Slack thread three weeks in.
The third pattern is the slow scope drift. Co-managed contracts start tight. Then a senior internal person leaves, the MSP picks up that slack informally, never updates the contract, and a year later the MSP is doing 60% of the work for the price of 30%. Either renegotiate or watch the MSP quietly degrade service to the price they're being paid. Both happen often.
When Co-Managed IT Makes Sense
The honest filter is headcount and capability. Co-managed pays off in three patterns:
You have an internal team that's good at the work but can't cover 24/7. The MSP buys you nights and weekends without a second hire. This is the most common entry point and the easiest to scope.
You have an internal team that lacks one specific capability, usually security or cloud. Hiring a senior security engineer in 2026 costs $180K plus and takes nine months. A co-managed security tier from an MSSP-style MSP runs roughly $30 to $80 per user per month and is live in six weeks.
You have a parent company or board asking for SOC 2, HITRUST, or PCI, and the documentation work alone is a half-time job your sysadmin doesn't have. Co-managed providers with audit experience can build and maintain the evidence library while the internal team keeps running operations. If you operate in a regulated vertical like legal, accounting, or healthcare, our guide to co-managed IT for regulated firms covers the compliance-specific version of this split.
It does not make sense when there's no internal IT to coordinate with. At zero internal headcount, the MSP is essentially fully managed regardless of what the contract says, and you'll pay co-managed prices for fully managed service. It also doesn't make sense when leadership treats the MSP as a cost lever rather than a partner; squeezing the rate by 15% every renewal produces exactly the service quality you're paying for.
For more on the questions to ask before you sign anything, see our 12 questions to ask an MSP before signing a contract. If you're still weighing pure outsourcing against keeping the function in-house, the outsourced IT support vs in-house breakdown is the companion piece to this one.
How Pricing Really Works
Co-managed pricing in 2026 sits in a wide band because the scope sits in a wide band. The three shapes you'll see in quotes:
Per-user, per-month. The dominant model. $50 to $200 per supported user, depending on whether the MSP is covering tier-1 only, the full security stack, or everything except project work. This bills predictably and grows linearly with the company. It's the model most co-managed contracts default to. Our MSP pricing playbook covers the structural tradeoffs of each model in more depth.
Per-device, per-month. Less common in co-managed than in fully managed. $25 to $75 per endpoint for RMM, patching, and monitoring; security add-ons priced separately. Useful when device counts don't track user counts (manufacturing, retail, kiosks).
Block hours plus a retainer. A monthly retainer that covers monitoring and a fixed bucket of hours, with overages billed at $150 to $250 per hour. This is the model MSPs prefer for accounts where they can't predict scope. Customers usually hate it because the overages compound, but it can be the right shape for one-off heavy project quarters.
What you'll almost never see anymore is true time-and-materials with no retainer. The MSPs that survived the 2023 to 2025 consolidation moved to recurring revenue and stopped quoting hourly except for project work.
Tools That Make Co-Managed Work
Co-managed lives or dies on shared visibility. If the internal team and the MSP are looking at different dashboards, you have two IT departments paying each other's overhead, not one team with a coverage extension. The minimum shared stack is a single RMM and a single ticketing system, both with read access for the internal team. PSA, documentation, and a shared password vault round out the baseline. For a category-by-category map of which tools the internal team should own outright and which belong to the MSP, see our co-managed IT tool-ownership breakdown.
The 2026 shift is platforms that collapse the RMM, PSA, and ticketing into one tool, so the internal team and the MSP work in the same pane of glass without managing five integrations. OpenFrame, Flamingo's AI-native all-in-one MSP and IT platform, ships native PSA alongside RMM and an AI co-pilot for triage, and is one of the affordable options for shops that want shared tooling without vendor lock-in. It's not the only choice in this category, but the "no lock-in" angle matters for co-managed in particular, because the internal team often inherits the tooling if the MSP relationship ends.
Whatever you pick, the test is the same: can the internal sysadmin pull up a ticket the MSP wrote and add a comment without asking for a license? If not, the tooling will quietly poison the relationship inside a year.
FAQ
Is co-managed IT the same as staff augmentation?
No. Staff augmentation places a contractor on your team who reports into your manager and works your tickets under your tooling. Co-managed is a separate organization with its own management, its own SLAs, and its own scope of ownership. The pricing models are different, and the legal liability is different.
Can a small business do co-managed IT?
Usually not below 50 employees. Below that, you typically don't have enough internal IT for the split to make sense, and fully managed is cheaper and cleaner. The sweet spot starts around 75 to 100 employees with one or two internal IT staff who can't cover everything alone.
How long does a typical co-managed contract run?
Most run two or three years with annual price adjustments and a quarterly business review. Some MSPs offer month-to-month after the first year. Avoid five-year terms without a clear off-ramp clause; the technology shifts fast enough that locking in 2026 scope through 2031 is a bad bet for both sides.
Who owns the tools if we leave?
This is the question to ask before you sign, not after. Default in most contracts: the MSP owns the licenses and the data exports go with you when you leave. Push for a written off-boarding clause that names the tools, the export format, and the timeline. Without it, the migration cost alone can keep you locked in.
Does co-managed include cybersecurity insurance compliance?
Usually, but it depends on the SOW. Most co-managed contracts now include the controls that cyber insurance underwriters require (MFA enforcement, EDR, patch SLA, backup testing) because the MSP can't afford the reputational risk of a client getting denied a renewal. Ask for the specific control mapping in writing.
What's the difference between co-managed IT and a CIO-as-a-service?
CIO-as-a-service is strategic advisory: roadmap, vendor selection, budget. Co-managed IT is operational: someone is actually answering tickets and patching servers. Some MSPs offer both as a bundle, but they're different services with different price points and different success metrics.
The Real Test
Six months in, every co-managed engagement settles into one of two shapes. Either the two teams are writing into the same ticket queue, complaining about the same vendor, and finishing each other's runbooks, or they're two separate IT departments staring at each other across a contract. The contract doesn't decide which one you get. The handoff design does, and the tooling that enforces it does. Get those two right and co-managed is the cheapest way to buy senior IT capability you can't hire fast enough. Get them wrong and you'll spend the renewal cycle pretending it was always going to work.
Kristina Shkriabina
Kristina runs content, SEO, and community at Flamingo and OpenMSP. She spent years as a correspondent for Ukraine's Public Broadcasting Company before making the jump to tech. Now she covers MSP stack decisions and strategy. You can connect with her in the OpenMSP community or on LinkedIn.