What an MSP or IT Company Actually Does
A managed service provider is built around stability and availability. Their job is to keep things running. They provision accounts, manage software updates, handle help desk tickets, configure your firewall, and respond when something breaks. They are reactive by nature and operational by design. When your printer stops working or a new employee needs a laptop set up, your IT company is exactly who you call.
Many IT companies also provide some level of Microsoft 365 management. They set up accounts, configure basic security settings, and may handle your email filtering. Some of the better ones have started adding security monitoring to their offerings. This is a good thing. It is not the same as dedicated incident response.
What Incident Response Actually Requires
When a Microsoft 365 account is compromised, the clock starts immediately. Every minute the attacker remains in the environment is another minute they are reading emails, learning your business relationships, and positioning themselves to cause damage. Effective incident response requires specific skills that most IT generalists are not trained for:
- Knowing where to look in Microsoft 365 audit logs and understanding what you are seeing
- Familiarity with attacker tactics specific to identity-based attacks — inbox rule manipulation, session hijacking, lateral movement through shared mailboxes, lookalike domain registration
- The ability to contain an active attacker without tipping them off prematurely
- Forensic discipline to preserve evidence for insurance claims or law enforcement
- Speed. Not ticket-queue speed. Not next-business-day speed. Minutes and hours.
The Gap in Practice
Here is what typically happens when a business with an IT company gets hit with a business email compromise. A customer or vendor notices something wrong and calls. The business contacts their IT company. The IT company logs a ticket, remotes into a machine, resets a password, and considers the issue resolved. The inbox rules the attacker created are still there. The attacker's session tokens may still be active. The lookalike domain registered to impersonate the business is still sending emails to vendors. The full scope of the compromise has not been investigated because the IT company does not have the tooling or training to conduct that investigation.
This is not negligence. It is a scope problem. The IT company was hired to keep things running, not to conduct forensic investigations of identity-based attacks.
The Moment It Becomes Clear
In one incident, we were brought in after a law firm's IT company had already handled an account compromise. They reset the password and closed the ticket. What they did not find was a hidden inbox rule that was still active, forwarding emails from the firm's real estate team to an external address. The attacker continued operating for days after the password reset because the persistence mechanism was never removed. By the time we were engaged, the situation had escalated into a $7 million wire fraud attempt.
The IT company was not incompetent. They just were not doing incident response. Those are different jobs.
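The check that a password reset alone skips, as an added example (not code from this article or from any tool it describes): replay inbox-rule audit events and list the rules that still forward mail outside the organization. The event layout, addresses and timestamps are constructed and simplified assumptions; New-InboxRule, Set-InboxRule, Remove-InboxRule and the ForwardTo, RedirectTo and ForwardAsAttachmentTo parameters are real Exchange Online names.

```python
# Rule actions that send mail out of the mailbox (real New-InboxRule parameters).
FORWARD_PARAMS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")

# Constructed sample events; the field layout is simplified, not the real export schema.
SAMPLE = [
    {"time": "2024-03-01T08:02:11Z", "op": "New-InboxRule", "mailbox": "closings@firm.example",
     "params": {"Name": "..", "ForwardTo": "copy@outside.example"}},
    {"time": "2024-03-01T08:05:40Z", "op": "New-InboxRule", "mailbox": "closings@firm.example",
     "params": {"Name": "tmp", "RedirectTo": "drop@outside.example"}},
    {"time": "2024-03-02T10:00:00Z", "op": "Remove-InboxRule", "mailbox": "closings@firm.example",
     "params": {"Name": "tmp"}},
    {"time": "2024-02-10T09:00:00Z", "op": "New-InboxRule", "mailbox": "partner@firm.example",
     "params": {"Name": "To assistant", "ForwardTo": "assistant@firm.example"}},
]
RESET_TIME = "2024-03-03T14:30:00Z"  # constructed: when the password was reset

def external_targets(params, internal_domains):
    """Return forwarding addresses in a rule whose domain is not one of ours."""
    found = []
    for key in FORWARD_PARAMS:
        for addr in params.get(key, "").split(";"):
            addr = addr.strip().lower()
            if addr and addr.rsplit("@", 1)[-1] not in internal_domains:
                found.append(addr)
    return found

def rules_surviving_reset(records, reset_time, internal_domains):
    """Replay rule events in time order and report external-forwarding rules
    that nothing has removed, noting whether each predates the password reset."""
    live = {}  # (mailbox, rule name) -> (created, merged params)
    for rec in sorted(records, key=lambda r: r["time"]):  # same-format UTC strings sort by time
        key = (rec["mailbox"].lower(), rec["params"].get("Name", ""))
        if rec["op"] == "New-InboxRule":
            live[key] = (rec["time"], dict(rec["params"]))
        elif rec["op"] == "Set-InboxRule" and key in live:
            live[key][1].update(rec["params"])
        elif rec["op"] == "Remove-InboxRule":
            live.pop(key, None)
    findings = []
    for (mailbox, name), (created, params) in live.items():
        targets = external_targets(params, internal_domains)
        if targets:
            findings.append({"mailbox": mailbox, "rule": name, "targets": targets,
                             "predates_reset": created < reset_time})
    return findings

if __name__ == "__main__":
    for finding in rules_surviving_reset(SAMPLE, RESET_TIME, {"firm.example"}):
        print(finding)
```

A finding with `predates_reset` set to true is a rule the reset left in place; one set to false means a rule was created after the reset, which points to access that the reset did not cut off.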
What the Right Structure Looks Like
Your IT company and your incident responder are not competitors. They serve different functions and both have a role. Your IT company manages your environment day to day. Your incident responder investigates, contains, and remediates when something goes wrong. Ideally they have a relationship and can work together when an incident occurs.
The businesses that recover fastest from security incidents are the ones that do not try to make their IT company be something it was not designed to be. They have the right resource for the right job before they need it.
The question worth asking your IT company is simple: if one of our Microsoft 365 accounts was compromised right now and the attacker had been inside for two weeks, what would your response look like? Their answer will tell you everything you need to know about whether you have a gap.