Co-managed IT is a service model where an external managed service provider (MSP) supplements—rather than replaces—an organization’s internal IT team, handling specific functions such as security monitoring, endpoint management, or Tier 2/3 escalation support. Co-managed IT pricing typically ranges from $45 to $175 per user per month for mid-market organizations, depending on which functions the MSP owns, the pricing model used (per-user, per-device, or hybrid), and whether cybersecurity services such as SOC monitoring or EDR are included. Understanding which model fits your environment before you request a quote is the difference between a budget you can defend and a contract that surprises you in Q2.
You have a budget meeting in two weeks, an IT team that’s already stretched, and every vendor you’ve called has responded to “what does it cost?” with some variation of “well, it depends.” That answer isn’t wrong—but it’s not useful when you need a number you can defend.
This post breaks down the three co-managed IT pricing models with actual mid-market benchmarks, explains what typically falls outside the quoted rate, and gives you a five-question framework for building a number before you talk to anyone. Read it before your next vendor call.
Co-managed IT pricing isn’t a mystery—it’s just rarely explained at the level of specificity that mid-market IT directors actually need to build a defensible budget.
Why Are Mid-Market IT Teams Reconsidering Co-Managed IT in 2026?
Mid-market IT teams are revisiting co-managed IT because three converging pressures—rising security engineer salaries, tightening cyber insurance underwriting standards, and expanding SaaS attack surfaces—have made internal-only IT coverage structurally unsustainable for organizations with fewer than five IT staff.
Three forces are making this problem worse in 2026, not better.
First, the hiring math no longer works. A mid-level security engineer now costs between $136,000 and $168,000 annually in base salary before benefits, according to Glassdoor’s March 2026 dataset of 6,226 reported salaries—and the average tenure for a CISO, the role responsible for owning the security program your co-managed partner would support, is under two years, per Cybrary’s workforce retention analysis. You’re not just buying a salary. You’re buying a recurring recruiting cycle with a predictable expiration date.
Second, cyber insurance carriers have raised the bar in ways that are now explicit and documented. According to Munich Re’s 2025 Cyber Insurance Risk and Trends Report, the global cyber insurance market reached $15.3 billion in 2024, and carriers have responded to rising claims frequency by converting what were once recommended controls into near-mandatory underwriting requirements. In 2026, carriers now require documented evidence of phishing-resistant MFA across all privileged accounts and remote access, Endpoint Detection and Response (EDR) or Managed Detection and Response (MDR) deployed across all endpoints including servers and cloud workloads, immutable offline backups with documented restoration tests, and a written and tested incident response plan—not assertions of these controls, but proof. If your internal team can’t produce that documentation, your renewal conversation gets expensive fast.
Third, every SaaS tool your organization approved in the last two years created a new managed endpoint. Microsoft 365 Copilot deployments, Azure Active Directory-connected applications, and BYOD enrollments through Microsoft Intune each expand the attack surface that someone on your team is responsible for monitoring—without expanding the team. Under the NIST Cybersecurity Framework 2.0, that monitoring responsibility falls under the Detect function, specifically the DE.CM (Continuous Monitoring) category—an area that requires persistent, tool-supported coverage your internal team may not have the bandwidth or tooling to maintain.
For organizations pursuing a Zero Trust Architecture—now a baseline expectation in federal contractor environments under OMB Memorandum M-22-09 and increasingly adopted by regulated private-sector organizations—co-managed IT also provides the continuous verification and least-privilege enforcement that internal teams rarely have capacity to operate independently.
The result: internal IT staff who are competent, experienced, and structurally unable to cover everything their organization now requires. That’s the operational problem co-managed IT support solves. But the pricing model you choose determines whether the arrangement actually works.
What Do Co-Managed IT Providers Charge That Isn’t in the Monthly Rate?
Most co-managed IT quotes cover steady-state management only. Project work, vCIO time, after-hours incident response, compliance documentation, and software licensing are commonly excluded from the base monthly rate—and discovering these exclusions after signing is one of the most frequent sources of budget variance in co-managed IT engagements.
When Meriplex engineers conduct an initial scoping assessment with a prospective co-managed client, the first thing we ask for is a copy of their existing MSP or internal IT contract—not because we’re looking for competitive intelligence, but because the scope exclusions buried in section 4 of most agreements tell us more about where a client’s real costs live than anything else. In a typical scoping engagement, we find at least two or three cost categories the client assumed were covered and weren’t: most commonly, after-hours incident response, compliance documentation work, and any infrastructure project that touches more than five devices at once.
Here’s what typically lives outside the monthly rate:
- Project work—infrastructure migrations, office buildouts, major software deployments—is almost always billed separately, at rates ranging from $150–$275/hour or scoped as fixed-fee projects. A server migration isn’t a support ticket; most contracts define it that way explicitly.
- vCIO and strategic planning time—if you need someone to own your IT roadmap, present to your board, or drive vendor negotiations, ask whether that’s included and how many hours. Many providers offer this in name and deliver it in 30-minute quarterly calls.
- After-hours emergency response—most co-managed agreements default to a P1 response time of four hours during business hours, with after-hours P1 coverage available only as a paid add-on or reserved for clients on premium tiers. For healthcare organizations running 24/7 operations, verify your P1 and P2 SLA coverage windows explicitly before you sign.
- Compliance-specific deliverables—HIPAA requires a signed Business Associate Agreement (BAA), a documented Security Risk Assessment (SRA) updated annually under 45 CFR §164.308(a)(1), and audit-ready access logging under the Technical Safeguards standard at §164.312. Some providers include healthcare-specific compliance tiers. Others treat these as add-ons. Verify before you assume your base rate covers them.
- SOC 2 and CMMC obligations—Organizations subject to SOC 2 Type II audits or Cybersecurity Maturity Model Certification (CMMC) requirements face additional documentation and evidence-collection obligations that most base co-managed rates do not include. If your organization is pursuing SOC 2 or CMMC Level 2, ask prospective providers specifically whether audit evidence preparation and continuous control monitoring are in scope.
- Software licensing and hardware—the co-managed fee covers the management layer. Endpoint protection platforms such as CrowdStrike Falcon or Microsoft Defender for Business, backup tools such as Datto SIRIS or Veeam, and RMM platforms such as ConnectWise Automate or NinjaRMM are typically pass-through costs billed at cost or with a markup. Ask for the full cost stack, not just the management rate.
Know these gaps before you build your budget, or you’ll be explaining a variance in Q2.
The Three Co-Managed IT Pricing Models
Per-User Pricing
Per-user pricing charges a flat monthly rate per employee covered, regardless of how many devices that person uses.
How it works in a co-managed context: Your internal team handles Tier 1—password resets, basic troubleshooting, onboarding. The MSP owns Tier 2 and Tier 3 escalations, security monitoring, and specialized functions your team doesn’t have the depth to cover: endpoint detection and response via tools like SentinelOne or CrowdStrike, automated patch management through an RMM platform, and compliance reporting against frameworks such as HIPAA or NIST CSF.
Mid-market benchmarks for 2026:
| Scope | Per-User/Month |
|---|---|
| Escalation support + basic RMM monitoring | $45–$75 |
| Escalation + EDR + automated patching | $85–$130 |
| Full co-managed stack with SOC/SIEM layer | $130–$175 |
Best fit for: Organizations where headcount drives complexity—professional services firms, physician practices, office-based teams with relatively uniform device environments.
Watch for: Per-user pricing undercounts complexity when users run multiple devices or manage servers. If your device-to-user ratio exceeds 2:1, per-user pricing may look cheaper upfront and create scope disputes later.
Per-Device Pricing
Per-device pricing charges based on managed endpoints—workstations, servers, network devices, sometimes mobile devices—rather than headcount.
How it works in a co-managed context: The MSP takes ownership of monitoring and managing the device layer. Your internal team retains user-facing support. This typically means the MSP deploys and manages an RMM agent such as NinjaRMM or ConnectWise Automate on each covered endpoint, with automated patch deployment, health monitoring, and alert triage handled on the MSP side.
For organizations with significant mobile device fleets, per-device pricing should also account for Mobile Device Management (MDM) coverage—typically handled through platforms such as Microsoft Intune or Jamf—which may be priced separately from workstation and server endpoints.
Mid-market benchmarks for 2026:
| Device Type | Per-Device/Month |
|---|---|
| Workstation (RMM monitoring + automated patching) | $30–$55 |
| Server (full management including backup monitoring) | $90–$180 |
| Network device (firewall, managed switch, AP) | $25–$45 |
Best fit for: Organizations with distributed infrastructure, multiple locations, or high device-to-user ratios—multi-site healthcare groups, manufacturing environments, logistics operations.
Watch for: Per-device pricing scales faster than most organizations expect once you inventory everything. Get explicit definitions of which device categories the contract covers, whether cloud-hosted virtual machines in Azure or AWS count as billable endpoints, and how mid-term device additions are handled.
Hybrid Pricing
Hybrid pricing combines per-user and per-device components with flat-rate add-ons for specific services. Each layer covers a defined function, which makes scope clearer and billing easier to audit.
How it works in practice—example: 150-user organization with 200 devices:
| Layer | Rate | Monthly Cost |
|---|---|---|
| Per-user (escalation + M365 management) | $60 × 150 users | $9,000 |
| Per-device (EDR + automated patching) | $40 × 200 devices | $8,000 |
| SOC/SIEM monitoring via Microsoft Sentinel or Splunk (flat) | — | $2,500 |
| Total | | $19,500/month |
That’s approximately $130/user/month—in the same range as full managed IT for a comparable organization, but with your internal team retained and every cost line tied to a specific function.
Best fit for: Mid-market organizations that need budget predictability, want to justify IT spend by function, and need to retain internal staff while closing specific coverage gaps.
Watch for: Hybrid contracts require a written RACI matrix—a Responsibility, Accountability, Consulted, Informed framework that defines exactly who owns each function. Ambiguity about who owns which function is the most common friction point in co-managed relationships. If a vendor resists putting it in writing, that tells you something.
How Does Co-Managed IT Cost Compare to Fully Outsourced IT?
Co-managed IT and fully outsourced managed IT carry similar total monthly costs for mid-market organizations—typically $130–$175/user/month for co-managed versus $150–$225/user/month for full outsourcing—but the comparison changes significantly once internal headcount costs are included. For organizations with two or more existing IT staff, co-managed IT preserves institutional knowledge and on-site response capability that full outsourcing eliminates.
Full outsourcing for a 150-person mid-market organization runs $150–$225/user/month, or $22,500–$33,750/month. The hybrid co-managed example above runs $19,500/month—but your internal IT staff still cost money.
If two IT staff members cost $180,000/year combined in salary and benefits, that’s $15,000/month in headcount before you add the co-managed layer. Total cost of the co-managed model: approximately $34,500/month. Total cost of full outsourcing: $22,500–$33,750/month.
On paper, fully outsourcing to an MSP looks competitive. But that comparison omits three things:
- Your internal team knows your environment, your users, and your history. A remote team learns all of that on your dime.
- Your internal team resolves routine issues faster because they’re on-site.
- For regulated environments—healthcare especially—retaining internal expertise for HIPAA Privacy Officer and Security Officer responsibilities, which under 45 CFR §164.308(a)(2) must be formally designated to a named individual, is often a requirement, not a preference.
For mid-market organizations with existing IT staff, co-managed IT and full outsourcing carry similar sticker prices—but full outsourcing eliminates the institutional knowledge, on-site speed, and compliance ownership that internal teams provide and that no contract can fully replace.
The right comparison isn’t co-managed versus outsourced on monthly cost. It’s co-managed versus outsourced on total cost of ownership, transition risk, and what your organization loses if institutional IT knowledge walks out the door with a departing employee.
Five Questions to Build Your Co-Managed IT Budget Before You Talk to Anyone
- What does your internal team actually own today? List specific functions—Tier 1 help desk, Active Directory and Entra ID administration, server patching, SIEM alert triage, HIPAA SRA documentation. The clearer your scope definition, the more accurately a provider prices the gap instead of padding for uncertainty.
- What is your device-to-user ratio? Above 2:1, per-device pricing better reflects your actual management complexity. Near 1:1, per-user is simpler.
- What are your compliance obligations? HIPAA, SOC 2 Type II, NIST CSF, CMMC, cyber insurance policy requirements—identify them before you request a quote. They determine what must be contractually covered and will move the price.
- What does your organization require after hours? If you operate outside standard business hours, specify your required P1 response window and put it in every vendor conversation from the start.
- What would fall outside the monthly fee? Ask every prospective provider for three examples of work that would be billed separately. The specificity of their answers tells you more about how the relationship will actually work than any sales deck.
The Bottom Line
For most mid-market organizations running 100–500 users with two to five internal IT staff, a co-managed IT engagement covering Tier 2/3 escalation support, EDR-based endpoint security, and automated patch management through an RMM platform runs $85–$150/user/month. Add a 24/7 SOC layer using a SIEM platform and HIPAA-specific compliance documentation, and you’re closer to $130–$175/user/month.
That range moves down if your internal team owns more functions. It moves up if your compliance obligations are specific or your after-hours requirements are real. What it shouldn’t do is surprise you mid-contract because the scope wasn’t defined upfront.
The monthly rate in a co-managed IT proposal is a starting point, not a total cost—what falls outside that rate in project work, compliance deliverables, and after-hours response is where most mid-market IT budgets actually break down.