IT Support vs. Managed IT Services: What's the Difference?

"I need IT support." It is the most common first sentence I hear from a small business owner who has decided their current setup is not working. It is also one of the least specific sentences in the small-business vocabulary. "IT support" can mean a freelance computer guy who comes when called, a national MSP with a 24/7 NOC, a security operations firm with cleared engineers, or your nephew who is good with computers. They are all "IT support." None of them is interchangeable.

This article is the version of the conversation I have with owners who are trying to figure out what they actually need to buy. I will walk through the six common categories, what each one actually does, what they cost, and which one fits the typical Salinas / Monterey / Santa Cruz / Santa Clara County small business. By the end, you should be able to tell whether you need break-fix, managed IT, an MSSP, or something else, and you should be able to ask vendors specific questions instead of asking "do you do IT support?"

The terminology, decoded

"IT support"

The umbrella. Anything anyone calls "IT support" falls inside the box. The reason it confuses owners is that the same words mean entirely different things in different vendor pitches. A national chain that does break-fix calls itself "IT support." So does a $500/month MSP. So does a $20,000/month MSSP. Same label, different products.

When a vendor says "we provide IT support," your follow-up question is: "What model? Break-fix, managed, or co-managed?" If the vendor cannot answer that in one sentence, the rest of the conversation is going to be confusing.

Break-fix (also called "pay-as-you-go" or "time and materials")

You pay only when you call. The provider bills hourly, typically $125 to $200 per hour on the Central Coast in 2026, plus parts. There is no monthly contract. There is no proactive work. The provider does not log into your environment unless you ask them to. They show up when something is broken and they fix it.

What you get:

• Reactive fixes for problems you notice.
• No monthly bill when nothing is wrong.
• No relationship overhead, no quarterly reviews, no strategic guidance.

What you do not get:

• Patch management. Your Windows updates run when Microsoft says, not on a tested cadence.
• Security tooling. EDR, MFA enforcement, security awareness training are not happening.
• Backup verification. You may have backups; nobody is testing them.
• 24/7 monitoring. The provider learns about problems when you call them.
• Anyone who actually understands your environment beyond the last ticket they solved.

Break-fix works for the smallest businesses (1-5 users with a couple of laptops and no customer data) and for very specific one-off needs (set up a new office, replace a server, audit a network). It does not work as the long-term IT model for any business with employees, customer data, or downtime sensitivity. The reason is the math of prevention: a single ransomware incident at break-fix rates can cost more than five years of managed IT services. The break-fix provider gets paid to fix the ransomware. The managed IT provider gets paid to prevent it. Different incentives, different outcomes.

Managed IT services (MSP)

The dominant model for small business IT in 2026. An MSP (Managed Services Provider) charges a flat fee, usually $125 to $250 per user per month on the Central Coast (we wrote the full pricing breakdown in the managed IT cost guide). The relationship is recurring and proactive. The MSP runs your environment day-to-day, prevents most problems before they hit, and is responsible for the operational health of your technology.

What you get inside the monthly fee:

• Unlimited remote helpdesk for users. Tickets for "how do I do X" go to the MSP, not to your IT-savvy office manager.
• 24/7 monitoring (RMM). Agents on every endpoint report health and alert the MSP when something is wrong, often before the user notices.
• Patch management. Windows, macOS, Office, third-party apps, and firmware patched on a documented cadence.
• Endpoint security (EDR). Behavior-based detection, not 2010-era antivirus. With a 24/7 SOC reviewing alerts.
• Backup management. Daily backups with restore testing and documented recovery time objectives.
• Microsoft 365 administration. Tenant configuration, license management, identity hardening, user lifecycle.
• Reasonable on-site visits. Hardware failures, new-employee setups, cabling, etc.
• Monthly reporting and quarterly business reviews. You get a written summary of what happened and what is recommended next.
• Strategic IT advice (vCIO). The MSP helps you plan IT spend, prioritize projects, and avoid making expensive mistakes.

What an MSP is not:

• It is not break-fix with a recurring invoice. If your "MSP" still bills hourly for routine tickets, that is break-fix.
• It is not "we have antivirus and we patch sometimes." That is a managed-IT-shaped product without the substance.
• It is not a single helpdesk technician with a recurring fee. A real MSP is a team with depth in networking, security, cloud, and helpdesk.

For most small businesses with 5 to 100 users, an MSP is the right answer. We covered the broader scope of managed IT on the managed IT services page.

MSSP (Managed Security Services Provider)

An MSSP is the security-focused version of an MSP. Same recurring model, deeper investment in cybersecurity tooling and operations: managed SIEM, identity threat detection, threat hunting, 24/7 security operations center (SOC), incident response retainers, compliance support.

The distinction matters when the business has:

• Compliance scope — HIPAA for medical practices, PCI for any business that processes cards, CMMC for defense contractors, SOC 2 for SaaS companies, C-TPAT for cross-border logistics.
• Higher-value data — law firms with client confidentiality, accounting firms with tax records, financial services firms with non-public information.
• Higher attack surface — businesses with public-facing applications, internet-exposed infrastructure, or known threat-actor interest.

Modern MSPs increasingly include MSSP-level security as part of their offering. Ghosxt is structured this way: managed IT and managed cybersecurity are one product, not two. We wrote about why in the identity hardening post and the ransomware post.

Helpdesk

Just the reactive support layer. "User can't log in" tickets get answered. Password resets, printer drivers, "how do I share this folder" questions, software installation. A helpdesk is one piece of an MSP, sold separately. It is rarely a complete IT solution.

Where you encounter standalone helpdesk: large companies that have an in-house IT engineer or director but want to outsource the volume of Tier 1 tickets. For a typical small business, "I just need helpdesk" usually translates to "I want managed IT but I want it to be cheap." It rarely ends well; the underlying environment still needs to be maintained.

Co-managed IT

A partnership between an in-house IT person (often a junior generalist) and an MSP. The in-house person is your daily face: helpdesk tickets, new-employee setups, on-site presence, vendor relationships. The MSP provides the depth and the 24/7 coverage: networking, security, after-hours emergencies, strategic planning, cloud architecture.

Co-managed is the right answer for businesses in the 50 to 100 user range where:

• Pure in-house is too thin (one person cannot do networking + security + cloud + helpdesk + after-hours).
• Pure MSP does not have enough on-site presence for the business's pace.
• The business wants someone in the building it knows by name, plus a team behind that person.

Cost is roughly the in-house salary (typically $65,000-$85,000 fully loaded for a junior tech) plus a slimmed-down MSP contract (typically $75-$125 per user per month, since the MSP is not running helpdesk).

In-house IT

The traditional model. One or more IT employees on payroll. Right for businesses at 100+ users where a single dedicated person can specialize and where the regulatory or operational complexity justifies keeping IT inside the building. We covered the four-option breakdown in detail in the Salinas IT support options post.

The five-second decision rule

If you only remember one thing from this post:

• 1-5 users, no customer data: break-fix is fine.
• 5-50 users, any customer data: managed IT services (MSP).
• 5-50 users with compliance scope: MSP that includes MSSP-level security, or a dedicated MSSP.
• 50-100 users with industry complexity: co-managed IT (in-house tech + MSP).
• 100+ users or heavy regulation: in-house IT lead plus an MSP for depth.

The transition from "break-fix is fine" to "we really need an MSP" usually happens around 10 users, sometimes sooner. The signs:

• Tickets are piling up. The IT-savvy office manager is spending hours per week resetting passwords.
• You realize you do not know if your backups work.
• You receive a cyber-insurance renewal questionnaire and realize you cannot answer half the questions.
• Something breaks and you do not know who to call.
• You hire your 10th or 15th employee and the casual setup that worked at five does not scale.

The vocabulary that vendors use to confuse you

A short field guide to the labels small businesses encounter:

"Tech support" vs "IT support"

Used interchangeably in casual conversation. In vendor pitches, "tech support" sometimes specifically means consumer-grade end-user support (think Geek Squad). "IT support" usually means business-grade. Both are still umbrella terms; ask which model is underneath.

"Outsourced IT"

Generic. Could be break-fix, managed, or anything in between. If a provider says "we offer outsourced IT," ask: "Is that managed services or break-fix?"

"IT consulting"

Project-based engagements (server migrations, network builds, cloud migrations) usually billed by the hour or as a fixed-fee project. Not a recurring relationship. A consultant might be excellent at the one project they were hired for; they are not running your environment day-to-day.

"NOC" and "SOC"

NOC = Network Operations Center (people watching the network and infrastructure for problems). SOC = Security Operations Center (people watching for security threats). Both are pieces of a real MSP/MSSP. When a vendor says "we have a 24/7 NOC," ask: "Is that your team or a third-party service you resell?" Both can be legitimate, but you should know which one you are buying.

"Proactive monitoring"

A real MSP table-stake. Means RMM agents on every endpoint reporting health and alerting humans. The phrase is so overused it has lost meaning; ask the vendor for their specific RMM product and what their alert review process is.

"Cybersecurity-included"

Ambiguous. Could mean a basic antivirus license, or could mean a full security stack (EDR + MFA + SIEM + identity threat detection + 24/7 SOC). Ask for the list of specific products and what tier you are getting. We wrote more about this on the cybersecurity services page.

How to evaluate a vendor's actual model

Five questions that cut through the labels:

1. "How do you bill?" Hourly = break-fix. Flat per-user monthly = MSP. Hybrid = ask for the exact structure.
2. "What's included in the monthly fee?" Should be a specific list. EDR brand, RMM brand, backup brand, helpdesk SLA, on-site policy. Vague answers are informative.
3. "What's a project versus what's included?" Should be a clear exclusion list. If anything not in the monthly is "we will quote that separately," ask for examples.
4. "What's your response-time SLA?" Should be specific by ticket priority. "We respond quickly" is not an SLA.
5. "Show me a sample monthly report." A real MSP has one. A break-fix provider does not. The contents of the report tell you what they actually measure.

Any vendor who answers all five clearly is at least operating in good faith. Vendors who deflect on any of these are either inexperienced or hoping you will not ask again later.

What Ghosxt sells, in this vocabulary

For the record, since this is our site: Ghosxt is a managed IT services provider (MSP) with managed cybersecurity (MSSP-level security) built in. We bill flat-rate per user per month, published on the pricing page. We do not do break-fix as a primary model, though we will quote project work (server migrations, M365 migrations, network builds) separately.

The reason we structure it this way: small business IT in 2026 cannot be operated reactively. Patch cadence has to be days, not months (covered in the Claude Mythos patch-cadence post). Security has to be proactive (covered in the identity hardening post). Continuity has to be planned in advance (covered in the PSPS preparedness post). Break-fix simply cannot deliver any of those.

How to use the rest of our content

If you are still figuring out what your business needs:

• Best IT support options in Salinas — the four models (in-house, break-fix, MSP, hybrid) with cost ranges and decision criteria.
• How much does managed IT cost in Salinas in 2026 — real per-user-per-month pricing, what should be included, and the hidden line items.
• Top 5 managed IT providers in Salinas and Monterey Bay — profiles of five real local providers including Ghosxt.
• Switching IT providers: a checklist — if you have an MSP already and you are unhappy with the relationship.
• Our services page — the specific industries and service lines we cover.

FAQs about IT support vs. managed IT services

What's the difference between IT support and managed IT services?

IT support is the umbrella term for any help you get with technology problems. Managed IT services (also called "managed services" or "MSP services") is a specific kind of IT support: a recurring monthly relationship where the provider proactively monitors, patches, secures, and maintains your environment for a flat fee, instead of waiting for things to break and billing hourly when they do. Every managed IT service includes IT support; not every IT support arrangement is managed IT services.

What does "MSP" mean and what's the difference from an MSSP?

MSP stands for Managed Services Provider. It is a company that delivers managed IT services on a recurring monthly contract. MSSP stands for Managed Security Services Provider — same model, but specifically focused on cybersecurity (EDR, SIEM, security operations, incident response). Many modern MSPs include MSSP-level security as part of their offering. The distinction matters when the business has compliance requirements (HIPAA, PCI, CMMC) that demand dedicated security expertise.

Is break-fix IT cheaper than managed IT services?

On the headline number, yes. Break-fix has zero monthly cost; you only pay when you call. In practice, the all-in cost over a year is almost always higher for any business with more than a handful of users because break-fix providers do not run prevention. Patch management does not happen. Security tooling is not in place. Backups are not verified. When something goes wrong, the bill is large and the downtime is real. Managed IT services trades a predictable monthly cost for the prevention work that keeps the large bills from happening.

What is co-managed IT?

Co-managed IT is an arrangement where you have an in-house IT person (often a junior tech or a generalist) and an MSP working in partnership. The in-house person handles daily tickets, new-employee setups, and the physical presence in the building. The MSP handles strategy, cybersecurity, after-hours coverage, and the depth of expertise that one person cannot reasonably provide. It is the right answer for businesses in the 50 to 100 user range where pure in-house is too thin but pure MSP does not have enough on-site presence.

Which one does my small business actually need?

Below 5 users with no customer data: break-fix is usually fine. 5 to 50 users, or any business with customer data, compliance scope, or downtime sensitivity: managed IT services from an MSP. 50 to 100 users with industry complexity: co-managed (in-house tech + MSP). 100+ users: in-house IT lead plus an MSP for depth. The "I just need to fix a printer" phase of the business gives way to "I need someone who keeps the whole thing running" surprisingly fast, usually around 10 users.

Do I really need MFA, EDR, and all that security stuff?

Yes, in 2026, for any business with customer data, employees, or cyber-insurance. Cyber-insurance carriers have shifted from asking "do you have antivirus" to asking "do you have phishing-resistant MFA, EDR, and managed SIEM." If you cannot answer those questions affirmatively, your premium goes up, your retention goes up, or your renewal is denied. We covered the identity controls specifically in the identity hardening post.

Can an MSP handle both IT and cybersecurity?

The good ones do. The structural argument for combining them is that 90 percent of small business cybersecurity is operational hygiene (patch management, MFA, backups, identity hygiene), which is also 90 percent of managed IT. Splitting the work between two vendors usually results in gaps at the boundary — the MSP assumes the MSSP is patching the firewall and vice versa. A single provider with both responsibilities is usually cleaner for SMBs.

Prefer to talk first? Email sales@ghosxt.com or call (831) 204-0501. Based in Salinas, serving Monterey, San Benito, Santa Cruz, and Santa Clara counties (including San Jose, Gilroy, and Morgan Hill).