Co-Managed IT Services
Augment — do not replace — your internal IT team. We own Tier 2 and Tier 3 escalation, 24/7 GSOC, M365 and Google Workspace depth, and the security and compliance layers your team does not have the depth to cover. Powered by GITD — our AI-augmented delivery platform.
You Have an IT Director. You Need a GSOC.
Co-managed IT is for firms whose internal team owns the user experience — password resets, onboarding, basic troubleshooting — but cannot economically staff 24/7 monitoring, security operations, or specialized escalation. We pick up where they leave off, and the dividing line is written into the agreement.
Four Tiers. One Rate Card. Clear Hand-Off.
Each tier specifies what ICS owns and what your internal team retains. No overlap, no scope drift. Default term is 36 months; 12-month terms available at +15%.
Standard
Internal IT team that owns Tier 1 — needs depth on escalation
From 50 users
From $3,250/month
- Tier 2 and Tier 3 escalation
- Remote monitoring across endpoints and infrastructure
- Automated patching and update management
- M365 and Google Workspace L3 escalation included
- Monthly operational review
Advanced
Internal team that needs security depth on top of escalation
From 50 users
From $5,250/month
- Everything in Standard
- EDR and XDR with active response
- 24/7 GSOC L2 monitoring
- Automated incident response runbooks
- Quarterly tabletop exercises
Premier
Internal team supporting a formal compliance program
From 75 users
From $10,875/month
- Everything in Advanced
- SIEM with 24/7 SOC analyst coverage
- Identity and access management hardening
- vCIO Lite — quarterly strategy and roadmap
- Compliance reporting (HIPAA, NIST CSF, SOC 2)
Enterprise
Custom split with internal team; multi-site or multi-country footprint
From 250+ users
- Everything in Premier
- Custom division of responsibility with internal IT
- Named vCIO with executive cadence
- Dedicated GSOC pod
- On-site presence at HQ
- Quarterly business reviews with leadership
What's Included — and What's Not
We tell you up front what is in the per-user rate, what is pass-through, and what is project work. No surprise line items.
Included in the per-user rate
Escalation & operations
- •Tier 2 and Tier 3 escalation from your internal helpdesk
- •On-call after-hours response for P1/P2 incidents
- •Documented runbooks shared with your internal team
- •Monthly operational review with your IT leadership
Microsoft 365 & Google Workspace depth
- •L3 escalation for tenant administration questions
- •Identity, conditional access, and security operations support
- •License and architecture advisory (no separate retainer)
- •Tenant hygiene and rightsizing recommendations
Security & monitoring
- •Endpoint detection and response (EDR) operation
- •24/7 environment monitoring with automated remediation
- •Identity threat monitoring and alerting
- •Quarterly security posture review with your team
Strategy & reporting
- •Defined RACI between ICS and your internal team
- •Asset and license inventory shared with your team
- •Documentation kept current in a customer-accessible platform
- •vCIO touchpoints per tier
Pass-through or scoped separately
- •Endpoint security licenses (CrowdStrike Falcon Pro or equivalent) — pass-through at MSRP, or BYOL if you have entitlement
- •Microsoft 365 and Google Workspace licenses — keep your existing CSP/reseller; we work alongside them
- •Backup licenses (M365 backup, endpoint backup) — pass-through at MSRP
- •Hardware procurement — coordinated with your existing supply chain
- •Tenant migrations, M&A merges, conditional access redesign, Intune greenfield — scoped as fixed-bid projects
- •Tier 1 service desk (your internal team owns this); ICS-only Tier 1 available as an add-on
Pass-through items are billed at vendor MSRP or your existing license entitlement. Project work is scoped as fixed-bid or T&M against published advisory rates.
Microsoft 365 and Google Workspace L3 depth is included in every Co-Managed tier — there is no separate admin retainer. Project work and architecture changes are scoped as fixed-bid against our published advisory rate card (provided with proposals).
Both Platforms Supported. Admin Is in the Rate.
Microsoft 365 and Google Workspace day-to-day administration are included in the per-user rate — no separate admin retainer. Project work, tenant migrations, and major architecture changes are scoped separately.
Keep your CSP — or move it
On Co-Managed IT, Microsoft CSP consolidation is recommended but not required. Keep your existing reseller and we will work alongside them, or move licensing to ICS for licensing-level support escalation and same-day adjustments. Either path is documented in the SOW so there is no ambiguity.
Google Workspace, fully co-managed
ICS is a Google Cloud Partner. We provide L3 depth on Workspace IAM, messaging, mobile management, and security — at the same per-user rate. Your internal team stays close to the user experience; we hold the security and architecture layers.
Stack What You Need On Top of the Base Tier
Add-ons are named SKUs with published pricing — not custom line items. Your account team can model the monthly impact in minutes, not weeks.
ICS Tier 1 Helpdesk Overflow
From $25/user/moLive overflow service desk during business hours when your internal team is overloaded or short-staffed.
After-Hours Tier 1
From $18/user/moBranded after-hours helpdesk routed through ICS, escalating to your team only when required.
Email Signature Management
From $3/user/moBranded, compliance-ready email signatures across Microsoft 365 and Google Workspace.
Conditional Access Hardening
Fixed-bid projectPolicy redesign and enforcement pack — phishing-resistant MFA, device compliance, legacy auth shutdown.
Information Protection / DLP
Fixed-bid + monthlyMicrosoft Purview or Google DLP rollout, label taxonomy, and ongoing classification operations.
Phishing Simulation & Training
From $4/user/moMonthly campaigns, role-based training, and risk-scored user reporting your IT lead can act on.
Microsoft 365 + Endpoint Backup
From $5/user/moIndependent backup of Exchange, SharePoint, OneDrive, Teams, and endpoints with restore SLA.
Compliance Program Operation
From $2,500/moSOC 2, HIPAA, or PCI evidence collection and audit support layered onto your internal program.
AI Readiness & Copilot Rollout
Fixed-bid projectMicrosoft 365 Copilot or Gemini for Workspace readiness, governance, and pilot operation in partnership with your team.
Pricing is indicative. Exact rate depends on user count, license entitlement, and term. We will publish your add-on totals in the one-page proposal.
Beyond steady-state ops
Every managed services contract — ours and every reputable competitor's — carves out specific categories of work that sit outside the monthly rate. Here is exactly when you will see a separate quote. We disclose this before you sign so it is never a surprise.
New deployments and migrations
Standing up something new across the boundary. Your team usually owns user-facing workstreams; ICS owns the architecture, security, and identity layers.
Typical examples
- ›M365 or Google tenant migrations and M&A merges
- ›Intune or MDM greenfield deployment
- ›New-site stand-ups and network refreshes
- ›SIEM, SOAR, or backup product onboarding
- ›EDR/XDR product migrations
How it's priced
Fixed-bid against a written SOW with a defined RACI. Your team’s in-scope hours are documented, not assumed.
Major redesigns of an existing platform
Re-architecting something already in production. Co-managed redesigns specifically document which redesign tasks each side owns so there is no double-billing or coverage gap.
Typical examples
- ›Conditional Access or zero-trust policy overhaul
- ›Active Directory to Entra ID consolidation
- ›Network re-segmentation and IP plan rework
- ›Email security gateway swap
- ›Privileged access management (PAM) rollout
How it's priced
Fixed-bid against a written SOW. Steady-state operation of the redesigned system returns to MRR under the existing RACI.
Incident response beyond a defined runbook
Confirmed breach, ransomware, business email compromise, or insider investigations. ICS leads response under our IR retainer; your team supports user comms and business continuity decisions.
Typical examples
- ›Ransomware containment and recovery
- ›Business email compromise investigations
- ›Forensic image collection and chain-of-custody work
- ›Sustained P1 after-hours work outside the published SLA window
- ›Data exfiltration assessments
How it's priced
Hourly at published incident-response rates with an optional retainer. Routine GSOC monitoring and ordinary P1 SLA response stay in MRR.
Hardware, licenses, and third-party services
Goods, not service fees. On Co-Managed, your team often handles procurement directly — we will receive, image, and operate whatever you buy without re-quoting the license.
Typical examples
- ›Workstations, servers, switches, firewalls, access points
- ›Microsoft 365 and Google Workspace licenses (your CSP or ours)
- ›EDR licenses (CrowdStrike Falcon Pro or equivalent)
- ›Backup, phishing simulation, and DLP product subscriptions
- ›ISP, MPLS, and SD-WAN circuits
How it's priced
Pass-through at vendor MSRP if procured through ICS. BYOL is fully supported — we operate licenses you already own at no additional service fee.
On-site dispatch outside contracted scope
Most co-managed clients keep on-site work in-house — it is one of the reasons they have an internal team. When ICS goes on-site, it is by request and quoted up front.
Typical examples
- ›After-hours physical equipment swaps
- ›New office build-out support
- ›Multi-site hardware refresh tours
- ›Specialty dispatch where your team lacks coverage
How it's priced
Quoted as scheduled visits, or rolled into a project SOW. No surprise truck-roll fees — we agree on it before we drive.
Compliance audits and assessments
Defined assessments with defined deliverables. Operating a compliance program day-to-day is the Compliance Program add-on; the audits themselves are scoped projects.
Typical examples
- ›SOC 2 Type II readiness assessments
- ›HIPAA risk assessments
- ›PCI ROC support and gap assessments
- ›IT due diligence for M&A buy-side or sell-side
- ›Insurance-driven security control assessments
How it's priced
Fixed-bid against a written SOW. Includes the assessment, the report, and one round of findings remediation guidance.
On Co-Managed engagements every project SOW names which work your internal team owns and which ICS owns. We do not bill for hours your team is already covering, and we do not assume your team is covering hours we end up doing. Advisory rate card provided with proposals.
Published, Contracted, Measured
Every tier is backed by the same SLA matrix — written into the agreement, reported on monthly, and enforced.
| Severity | Definition | Standard / Advanced | Premier / Enterprise |
|---|---|---|---|
| P1 — Critical | System down, loss of operations, security incident | 30 minutes | 15 minutes |
| P2 — High | Significant operational impact; could lead to outage or breach | 1 hour | 30 minutes |
| P3 — Moderate | Moderate loss of functionality | 4 hours | 2 hours |
| P4 — Low | Information / behavior notification | 8 hours | 4 hours |
| Service request | Non-incident standard request | 4 hours | 2 hours |
Tickets in "Awaiting Client Response" auto-close after 3 business days across all tiers.
A Predictable First 90 Days
Onboarding is a fixed scope with a fixed fee — one month of MRR. You see the project plan before you sign, not after.
RACI & access
- •Define division of responsibility with your internal IT team
- •Tenant access, network discovery, asset inventory
- •Documented hand-off boundaries written into the SOW
- •Onboarding fee billed: 1× monthly recurring revenue
Tooling & integration
- •EDR deployed; GSOC pipelines connected
- •Escalation routing wired to your team and to ours
- •Runbooks shared with your internal IT lead
- •First operational review with your IT leadership
Steady state & first QBR
- •Tier SLA in full effect for ICS-owned scope
- •vCIO touchpoint cadence locked
- •Joint runbooks reviewed quarterly with your team
- •First quarterly business review with your IT leadership and executive sponsor
What This Looks Like in Production
Anonymized snapshots from current ICS clients. Logo case studies are released as clients approve them — these outcomes are verified in our reporting platform.
16 months of continuous co-managed coverage
52 escalations to ICS in the trailing 90 days, all closed. Their team owns Tier 1 and on-site work; ICS owns Tier 2/3, EDR, identity, and 24/7 GSOC. Same RACI since onboarding — no scope drift.
24/7 after-hours coverage for a 2-person team
ICS picks up tickets the internal team cannot get to during the day and owns nights, weekends, and identity escalations. Five months under coverage; 9 escalations in the last 90 days — a calm queue is the goal.
11 escalations from internal helpdesk in 90 days
Their internal helpdesk handles Tier 1; ICS picks up Tier 2/3, EDR, and M365 L3. Tier 1 Helpdesk Overflow add-on is engaged during outages and PTO so SLA does not slip.
Why ICS — Different from a PE-Backed MSP
The MSP industry is consolidating. Most of the largest providers you will evaluate are private-equity-backed platforms that have acquired dozens of regional MSPs in the last three years. When you sign with one of those firms, you often inherit a brand change, a playbook change, and a billing system change inside 24 months. We do not work that way.
Founder-owned
We are not part of a private equity rollup. The vCIO who writes your roadmap is the same vCIO running your QBR three years from now.
Single brand, single playbook
Every client is delivered on the same platform with the same team structure. No acquired sub-brands, no inherited toolchains, no rebrand churn.
Published rate card
Our pricing, SLAs, and inclusions are on this page. You will not be quoted differently than the next buyer.
Measured monthly
Response times, ticket volumes, and resolution metrics are reported every month. The agreement and the dashboard match.
Co-Managed IT — Frequently Asked Questions
Where is the line between what my internal team does and what ICS does?+
Written into the SOW. The default split: your team owns Tier 1 (password resets, onboarding, basic troubleshooting, line-of-business apps) and on-site work. ICS owns Tier 2/3 escalation, 24/7 GSOC, EDR/XDR, identity hardening, and the M365/Google Workspace L3 layer. Enterprise customers can move the line — and we will negotiate it openly before signing, not after.
Do you include endpoint security (EDR) licenses in the per-user rate?+
No. EDR is required and we deploy and operate it as part of every Co-Managed tier, but the license is billed as a pass-through at vendor MSRP — typically CrowdStrike Falcon Pro or equivalent. If your team already owns EDR entitlement, we can use yours and skip the license line item.
Are Microsoft 365 and Google Workspace administration charged separately?+
No. M365 and Google Workspace L3 escalation, identity and conditional access support, and architecture advisory are included in the per-user rate. Project work — tenant migrations, M&A merges, CA redesign, Intune greenfield — is scoped separately as fixed-bid.
Do I have to switch my Microsoft CSP to ICS?+
No. On Co-Managed IT, CSP is recommended but not required. Many of our co-managed clients keep their existing reseller because the licensing relationship pre-dates us or is contractually committed. We will work alongside your CSP and document the boundary in the SOW.
Do you support Google Workspace as well as Microsoft 365?+
Yes. ICS is a Google Cloud Partner. Google Workspace administration, IAM, mobile management, and security operations are first-class on every tier. Hybrid M365 + Workspace environments are common in our co-managed book.
What if my internal team is overloaded — can ICS take Tier 1 too?+
Yes, as an add-on. We offer ICS Tier 1 Helpdesk Overflow (business hours) and After-Hours Tier 1 as named SKUs. Pricing is per-user and stacks on top of the Co-Managed base rate.
Is the 50-user floor strict?+
Yes for Standard and Advanced. Premier requires 75 users. Below ~50 users our delivery model carries margin we are not willing to underwrite — and below that scale a pure managed offering or per-project advisory is usually a better fit.
What does onboarding look like with an existing internal IT team?+
Onboarding is a fixed-fee project at one month of MRR. The first 30 days focus on RACI — defining and documenting the boundary between your team and ours — before any tooling deploys. By day 60 we are operating under the documented boundary; by day 90 we have run the first QBR with your IT leadership.
When will I see fees on top of my monthly per-user rate?+
Six categories of work sit outside steady-state co-managed operations and are quoted separately: (1) new deployments and migrations, (2) major redesigns of an existing platform, (3) incident response beyond a defined runbook — ransomware, BEC, forensics, (4) hardware and license pass-throughs at vendor MSRP, (5) on-site dispatch outside contracted scope, and (6) compliance audits and assessments. On Co-Managed specifically, every project SOW names which workstreams your internal team owns and which ICS owns — we do not double-bill for work your team is already doing, and we will not absorb work your team did not actually cover. This is industry standard — every reputable co-managed contract documents the same six buckets.
Keep Your IT Team. Add Our Depth.
Tell us how your internal team is structured. We will return a one-page proposal showing exactly which functions move to ICS and which stay in-house.