Buyer's Guide — Grandmark Insights

How to Vet a Contractor, Broker, or MSP

A practical, vendor-neutral buyer's guide. The questions to ask, the red flags to watch for, and the credentials to verify before you sign anything in construction, real estate, or cybersecurity.

Published May 19, 2026 · 10 min read · Buyer's Guide

The hardest part of buying professional services is that you're being asked to evaluate competence in a field where you don't yet have the competence to evaluate. The contractor knows more about construction than you do. The broker knows more about real estate than you do. The MSP knows more about cybersecurity than you do. That asymmetry is the entire reason you're hiring them in the first place — and it's also the reason the conversation is so easy to lose.

This is a buyer's guide. It is written for the homeowner, the investor, the small business owner, the office manager — anybody about to sign a six-figure agreement they're not technically qualified to read. The goal isn't to make you an expert in their field. The goal is to make you a competent buyer in any field. The skills transfer.

The structure is the same across all three industries. There are questions you ask up front. There are credentials you verify before signing. There are red flags you watch for during the conversation. There are contract terms you negotiate before initialing. Skipping any of those four buckets is how buyers end up regretting a relationship for the next two years.

1. Start with the same five questions

Before you ask anything industry-specific, ask these five. They work the same regardless of what you're hiring for.

"Walk me through a project like mine that you completed in the last twelve months." You're listening for specificity. A real answer includes a location, a timeline, a budget range, the actual problem solved, and what they would do differently. A bad answer is generic and ends in a price.

"What's the typical reason a project like mine goes off the rails?" A confident professional answers this without hesitation, because they've seen it happen. They name the failure mode and how they prevent it. Somebody who can't name the failure mode hasn't seen enough projects to be useful to you.

"What part of this should I be most worried about?" If they say "nothing," they're selling. The honest answer is always specific: the permit timeline, the appraisal gap, the data classification, whatever the genuine risk actually is.

"What do you not do?" Specialists know their limits. The professional who claims to do everything is rarely the professional you want.

"Can I talk to two references from projects that didn't go perfectly?" Anybody can produce happy references. The professional who can produce a reference from a difficult project — and explain what they learned from it — is operating at a different level than the rest of the market.

2. Vetting a contractor

For general contractors, subcontractors, and remodelers, verify these items in writing before signing:

License. Confirm the license number is active, in their legal business name, and in the correct class for your project. Most states have a public lookup. A lapsed or wrong-class license invalidates much of the legal protection you'd otherwise have.

Insurance. General liability is mandatory. Workers' compensation is mandatory if they have employees on your site. Ask for a Certificate of Insurance naming you as additional insured — for the project, not as a permanent endorsement. If they push back on producing one, they probably don't have it.

Lien history. A quick search of the county recorder's office tells you whether the contractor has been involved in mechanic's lien disputes. One isolated case isn't necessarily disqualifying. A pattern is.

Subcontractor stack. Most general contractors are largely managing other people's labor. Ask who their electrician is, who their plumber is, who their HVAC tech is. A GC with no answer to those questions is a GC who's planning to find the cheapest sub the week before the work needs to happen.

Payment schedule. Reasonable: deposit (10-20%), milestone payments tied to verifiable completion, holdback until final inspection. Unreasonable: more than 30% up front, payment based on calendar rather than completion, no holdback. The payment schedule tells you more about the contractor's cash flow situation than they'll admit out loud.

3. Vetting a real estate broker or agent

Real estate is the industry where the buyer most often picks the wrong professional, because most agents look alike on paper and the friction to switch feels high. The vetting questions cut through that:

"How many transactions did you personally close in the last 12 months?" "Personally" is the operative word. Team production hides individual production. You want the number the IRS would see.

"What's your average days on market relative to the area average?" If they don't know, they aren't measuring. If they know and it's worse than the area average, ask why.

"What's your list-to-sale price ratio?" For sellers, this tells you whether they price aggressively and discount, or price accurately and hold. Both can work, but you should know which one you're hiring.

"How do you handle multiple offers?" The mechanics of multiple-offer situations are where agents either earn their commission or expose themselves as inexperienced. Listen for a real process — escalation clauses, contingency analysis, lender vetting. Not just "we'll see what comes in."

"Who answers when I call after 7pm on a Saturday?" If the honest answer is "nobody until Monday," that's fine — but you should know that before you sign. If the answer is "me, always," that's also fine — but understand they're probably stretched thinner than they're letting on.

License and discipline history. Every state real estate commission publishes complaint and disciplinary history. A clean record is the baseline. Any disciplinary action deserves a direct conversation before you sign anything.

4. Vetting an MSP or cybersecurity vendor

Cybersecurity vendors are the hardest of the three to vet, because the entire industry has been engineered to make vendor comparison difficult. The questions below cut through most of it:

"What size company is your ideal customer?" An MSP whose ideal customer is 200-500 employees is going to under-serve you at 30 employees. An MSP whose ideal customer is 10 employees is going to over-promise you at 200. Their honest answer to this question tells you whether you're a fit.

"What's not included in this proposal?" This is the single most important MSP question. Most proposals are bundled, and the exclusions are where the surprise invoices come from. After-hours response, on-site visits, project work, hardware refresh — these are often line items that aren't in the retainer. Ask explicitly.

"What's your incident response process?" Listen for specifics: who picks up the phone, what the SLA actually is in writing, who runs point on containment, when forensics get involved, what counts as a "covered" incident under the retainer. Vague answers here are catastrophic at 2am during an actual incident.

"How do you decide what to monitor and what to ignore?" SOC services produce floods of alerts. A real MSP has a defensible tuning methodology. A bad MSP forwards every alert to you and calls that "transparency."

"What happens at the end of the contract?" Data portability, account ownership, transition assistance, license assignability — these get negotiated up front or they don't get negotiated at all. The MSP that won't commit to clean offboarding is telling you something important.

Certifications, in context. SOC 2 Type II for the MSP itself is meaningful. CISSP, CISM, or OSCP held by individual technicians is meaningful. A wall of vendor logos is mostly meaningless — those are sales partnerships, not credentials.

5. Universal red flags

Regardless of industry, the following are signals that something is wrong:

The first conversation is a quote. Anybody who quotes before they qualify is either guessing or fishing. Neither is a relationship you want.

The response is "trust me." Trust is what you earn after a relationship. It's never what a professional offers as a substitute for documentation.

The price drops sharply when you push back. A 30% discount after fifteen seconds of resistance means the original price was inflated. The new price is probably also inflated, just less.

The contract is one page or twenty pages. Both extremes are bad for different reasons. The one-pager has no protections. The twenty-pager has too many for any individual buyer to evaluate, which is exactly the goal.

Urgency is the closing tactic. Real urgency exists in the market sometimes. "If you don't sign today the price goes up" almost never represents real urgency. It represents a vendor running a closing playbook.

Bad reviews are blamed on the customer. Every professional has had difficult clients. The professional who explains a bad review by attacking the reviewer is telling you exactly what will happen when you have a complaint.

6. Contract terms to negotiate before signing

The cost of negotiating a contract before you sign is roughly zero. The cost of fixing a bad contract after you sign it is roughly everything. Negotiate these terms while you still have leverage:

Termination for convenience. A clean exit path with reasonable notice — typically 30 to 90 days depending on the industry — protects you from being stuck with a relationship that stopped working.

Scope changes in writing. Any expansion of the work requires a written, signed change order with revised pricing and timeline. Verbal changes are how relationships fail.

Caps on uncapped items. Hourly billing, time-and-materials arrangements, "as needed" services — all of these need a not-to-exceed ceiling. Even a generous ceiling is better than no ceiling.

Performance triggers. Where possible, tie payment to verifiable milestones. Project completion in construction. Days-to-close benchmarks in real estate. Uptime or response SLAs in cybersecurity.

Indemnification, both ways. The vendor's standard agreement usually indemnifies them at your expense. Push for mutual indemnification. Most professionals will accept it; the ones who won't are telling you about their risk tolerance.

Renewal terms. Auto-renewal with a 90-day-out window is reasonable. Auto-renewal with a 30-day-out window or shorter is a trap. Multi-year terms with mid-term price escalators are a worse trap.

7. The one test that catches almost everything

If you remember nothing else from this article, remember this: ask the question whose answer you don't know. If you ask a contractor what kind of paint they use, you've learned almost nothing — because you don't know what the right answer is. If you ask a contractor what their typical change order percentage is on a project of your size, you've learned almost everything — because the answer is verifiable, the number is meaningful, and the professional who has the answer is qualitatively different from the one who doesn't.

The same applies in real estate ("what's your list-to-sale ratio") and in cybersecurity ("what's your mean time to triage on a SOC alert"). The questions are different. The principle is the same: ask the operational questions, not the marketing questions. The honest professionals will produce numbers and stories. The dishonest ones will produce adjectives.

Vetting isn't about catching liars. It's about identifying competence. The market is full of competent professionals who will treat you well, and a smaller number of professionals who won't. The questions above filter for one and exclude the other. The cost of asking them is an hour. The cost of skipping them is the rest of the relationship.

