First: match the provider type to the problem
An MSP fits if you need ongoing IT: devices, helpdesk, patching, with access handled as part of the package. A penetration tester fits if you need your defenses attacked and a vulnerability report. A compliance auditor fits if you need a certification like SOC 2. A specialist access audit fits if the question is narrower: who and what can reach our systems right now, and should they? Buying the wrong type is the most expensive mistake on this list.
The six criteria
1. Fixed scope, in writing
Systems, user counts, deliverables, exclusions, and fee agreed before work starts. Open-ended hourly discovery on a problem like this is a budget leak. If the provider cannot state what is out of scope, they have not scoped it.
2. Their own access handling
Anyone auditing your access will hold some access. Ask how they handle it: MFA, least privilege, time-boxed access, named accounts, and removal at engagement end should come as immediate, specific answers. A provider who asks for a shared admin password has failed the interview.
3. A deliverable you can act on
Ask for a sample report before you buy. It should show findings with evidence, risk levels, recommended actions, owners, and sequencing: something a non-technical owner can approve and a technical person can execute. A tool export with a logo on it is not an audit.
4. Coverage that matches how you actually work
Identity platforms are the start, not the whole job. If your team runs on SaaS tools, automations, and AI assistants, the audit needs to cover OAuth grants, connected apps, workflow ownership, and AI tool access, or it will miss where your real exposure lives.
5. Implementation, separated from findings
Someone has to fix what is found. A provider who can implement, under a separate approved scope with change control, saves you a handoff. But findings and implementation should be priced separately, so the audit is never an excuse to sell work you do not need.
6. Size and incentives
Big firms bring process and bench depth, and cost accordingly. Founder-led specialists give you the actual expert, lower overhead, and no junior team learning on your systems, at the cost of one person's bandwidth. Also ask what else the provider sells: audits that feed a license resale or retainer business have a thumb on the scale.
Questions to send any provider
- What exactly is in and out of scope, and what does it cost? One number or a tight range.
- What access do you need, and how is it protected and removed?
- Can we see a sample deliverable first?
- Do you cover OAuth grants, automations, and AI tools, or identity platforms only?
- Who does the work: the person selling, or a team we have not met?
- If we approve fixes, who implements, and how are changes controlled?
Where VXSec sits
For transparency: VXSec is a founder-led specialist. Fixed fees, read-only audits, published access-handling rules, a public sample report, and separately scoped implementation. VXSec is best suited for agencies and teams of roughly 20 to 150 people on Google Workspace or Microsoft 365 with SaaS, automation, and AI tools in the mix. Teams needing 24/7 support coverage, device management, or formal compliance certification need a different provider type, and VXSec will say so at the scope check.
Put VXSec through the six criteria
The 15-minute scope check is the fastest way to test the answers above against your actual environment.