IT Disaster Recovery Services: A Melbourne SME Buyer’s Guide

Melbourne SMEs buying disaster recovery for the first time get stuck between three product categories, unrealistic RTO numbers, and a Microsoft 365 backup conversation nobody told them about. This is the buyer’s guide: what you are choosing between, the realistic 2026 price brackets, and the eight questions to ask any DR vendor before signing.

What this guide is and is not

This is not a planning guide. It is not ‘how to write a business impact analysis.’ It is the conversation you have once you have decided you need to buy something and you are trying to work out what to buy.

Three product categories cover almost every Melbourne SME DR purchase in 2026:

  1. DRaaS – replicating production workloads to a cloud target so they can be failed over (Azure Site Recovery is the dominant Australian play, with VMware Cloud Disaster Recovery and Zerto in specialised cases)
  2. On-premises BCDR appliances – a local appliance that backs up your servers and can stand them up locally or in the vendor’s cloud (Datto, Axcient, Acronis, Arcserve, Veeam with a hardware partner)
  3. SaaS backup – third-party backup for Microsoft 365 and Google Workspace, which the platform vendors do not back up for you (Keepit, Backupify, CloudAlly, Veeam for M365, AvePoint, Dropsuite)

Most SMEs need pieces of all three, in different combinations. A 60-staff professional services firm in Richmond probably needs Azure Site Recovery for the two on-premises servers, a third-party M365 backup, and not much else. A 90-staff manufacturer in Dandenong with a line-of-business ERP, a SQL database, and a need for fast local recovery probably needs a BCDR appliance plus SaaS backup. A 100% cloud-native software company needs SaaS backup plus a workload-specific backup of their cloud database. The product mix follows the workload.

For the planning side of the conversation – the BIA, the RTO and RPO targets, the runbook – see our backup and disaster recovery 2026 guide, which is the companion piece to this one.

Category 1: DRaaS (Disaster Recovery as a Service)

The model is: your production workload runs where it is (on-prem, in Azure, in AWS), and a replication layer copies it continuously to a standby environment in a cloud target. When something fails, you fail over to the standby and run there until you can return to primary.

Azure Site Recovery (ASR)

The default option for Australian SMEs running on Hyper-V or VMware on-prem, or running production workloads in Azure. Replicates VMs to a secondary Azure region (typically Australia East to Australia Southeast, or vice versa). Failover is orchestrated, and you can test failover into an isolated network without disrupting production.

Strengths:

  • Native Microsoft, integrates with the rest of the Azure estate
  • Australia-sovereign target regions
  • Pricing is genuinely SME-friendly: about $25 to $30 per protected instance per month for ASR itself, plus the storage and (during failover) the compute
  • Failover testing is non-disruptive and well-supported

Weaknesses:

  • RPO is typically 5 to 15 minutes for app-consistent recoveries; not the sub-minute that some marketing claims
  • Complex to configure properly; SMEs often deploy it half-configured
  • The compute cost during a real failover catches CFOs off guard – if you fail over 12 VMs and run them in DR for two weeks while you rebuild, that is a real Azure bill
  • Requires Azure expertise that not every MSP has at the level needed for reliable orchestration

VMware Cloud Disaster Recovery

For SMEs running VMware on-premises with a meaningful estate. Replicates to a VMware Cloud target on AWS or to an alternative pilot-light site. Usually overkill for under-50-VM environments.

Zerto

The premium DRaaS choice. Continuous data protection rather than scheduled replication, RPOs measured in seconds, mature failover orchestration. Priced accordingly. We deploy Zerto for clients who genuinely need sub-minute RPO on critical workloads; it is not the right answer for an average SME.

Category 2: On-premises BCDR appliances

The model is: a physical or virtual appliance lives at your office or data centre, takes regular image-level backups of your servers (and often endpoints), and can either restore locally (fast) or stand the workloads up in the vendor’s cloud (slower, but works if your office is gone).

Datto

The category-defining product. Datto Siris appliances are sold exclusively through MSPs. The local appliance has its own compute, so it can stand up a failed server as a virtual instance on the appliance itself within minutes. Off-site copies replicate to Datto’s cloud (in Australia, hosted in Sydney and Melbourne data centres).

Strengths:

  • Fast local recovery; the on-appliance virtualisation actually works
  • Cloud failover is real, not theoretical, and Datto runs the orchestration
  • Hardware refresh is part of the agreement; the appliance gets replaced on a cycle without a capex spike
  • Good for SMEs that want a single thing to point at when the auditor asks ‘show me your DR’

Weaknesses:

  • Per-protected-server pricing; can become expensive for environments with many small servers
  • Vendor lock-in; getting your backup data out of Datto if you change providers is a project
  • Local appliance is a single point of failure for local recovery; needs the off-site copy to be real
  • The MSP-only sales channel means you cannot evaluate it without going through a partner

Axcient

Similar concept to Datto, with the local appliance and the cloud failover. Often the right answer for slightly smaller environments where Datto’s pricing is over the budget. The cloud failover capability is solid; the on-appliance virtualisation is functional but slightly less polished.

Veeam with hardware

The build-your-own option. Veeam is the backup software, paired with a Dell PowerEdge or HPE ProLiant or a purpose-built backup appliance (Dell PowerProtect, HPE StoreOnce). More flexible and often cheaper at scale than the all-in-one appliances, but requires the MSP or internal team to design, build, and operate the stack rather than buying it as a service.

This is what we recommend for clients who already have Veeam expertise and who want to avoid the vendor lock-in of the all-in-one appliances. It is what we run in our own environment.

Acronis and Arcserve

Adjacent options in this category, both with valid use cases. Acronis Cyber Protect adds a security overlay (anti-malware, anti-ransomware) on top of the backup product, which appeals to SMEs that want fewer products to manage. Arcserve UDP has a strong reputation for hybrid workloads. Both are worth evaluating if Datto and Axcient don’t fit.

Category 3: SaaS backup (the conversation nobody told you about)

The single most common gap we see in Melbourne SME DR posture: Microsoft does not back up your Microsoft 365 data in a way that helps you recover from accidental deletion, ransomware encryption, malicious insider activity, or a SharePoint policy gone wrong. They protect their infrastructure, not your content. This is the Microsoft 365 shared responsibility model, and it is documented in their own service description.

What Microsoft does:

  • Geo-redundant storage so a data centre failure does not lose your data
  • Retention policies you configure (litigation hold, retention labels)
  • Recycle bin and version history for a default period
  • Point-in-time recovery for Exchange Online within a window

What Microsoft does not do:

  • Full long-term backup of your mailboxes, OneDrive, SharePoint, and Teams content
  • Granular recovery to a point earlier than the retention or recycle bin window
  • Recovery of an entire tenant if it is wiped by a compromised admin
  • Export of mailbox data in a portable, restorable format outside of Microsoft’s tooling

The conversation to have with your IT lead: ‘If a user gets compromised and the attacker deletes the contents of their OneDrive and emails, and we do not notice for 45 days, can we recover the data?’ The honest answer from native Microsoft is usually no – the 30-day default retention window has passed.

Third-party M365 backup tools solve this. Pricing is per-user-per-month, typically $3 to $6 in the Australian market, retention is configurable up to ‘forever,’ and recovery is granular (a single email, a single OneDrive file, a single Teams chat). The leaders:

Vendor | Strengths | Watch-outs
Keepit | Independent vendor, Australian data residency, strong UI, good retention model | Mid-market pricing
Veeam Backup for M365 | Same Veeam platform if you already use it on-prem, flexible storage targets | Storage costs are your problem; not all-in pricing
Backupify (Datto) | Polished UI, MSP-friendly, good for Datto customers | Vendor lock-in
AvePoint Cloud Backup | Strong on SharePoint and Teams, mature retention policies | Higher learning curve
Dropsuite | Per-user pricing, simple to manage | Less granular than the leaders
CloudAlly | Lower-cost option, decent retention | Smaller vendor, fewer enterprise features

For every Melbourne SME we manage that uses Microsoft 365 – which is all of them – a third-party M365 backup is part of the baseline stack. We default to Keepit for new deployments because the Australian data residency, retention model, and recovery experience are the best of the options, and the pricing is defensible for SME budgets.

Realistic price brackets for 2026

The number that comes out of a vendor sales call is rarely the number you end up paying once setup, support, replication storage, failover compute, and the inevitable additions are included. Approximate all-in monthly numbers for a 60-user Melbourne SME with 4 production VMs:

Solution | Per-month all-in | What you get
Azure Site Recovery + Keepit M365 | $650 – $950 | Cloud failover for 4 VMs, M365 backup, MSP-managed
Datto BCDR + Backupify M365 | $1,400 – $2,200 | Local appliance with cloud failover, M365 backup, MSP-managed
Axcient BCDR + Dropsuite M365 | $1,100 – $1,700 | Mid-tier appliance + cloud failover, M365 backup
Veeam + Dell PowerProtect + Veeam M365 | $1,200 – $1,800 | Build-your-own appliance approach with M365 backup, requires expertise
Zerto + Keepit M365 | $2,200 – $3,500 | Premium sub-minute RPO for critical workloads

Add the implementation cost (typically $4,000 to $15,000 one-off depending on complexity) and the annual failover test (typically half a day of MSP time, billed at the going rate). For most 60 to 100 staff Melbourne SMEs, total DR spend lands between $14,000 and $30,000 per year all-in.

RTO and RPO: what vendors quote versus what they deliver

Vendor marketing materials quote ‘RTO of 5 minutes’ or ‘RPO of seconds.’ These numbers refer to the absolute best-case mechanical capability of the product under controlled conditions on the vendor’s test bench. They are not what you get in a real disaster.

Realistic numbers for the three categories under SME conditions, based on incidents we have run for clients:

Scenario | Vendor-quoted RTO | Realistic RTO | Why the gap
Azure Site Recovery, single VM failure | 5-15 minutes | 30-90 minutes | Network reconfiguration, DNS, application validation
Azure Site Recovery, full site failover | 30-60 minutes | 4-12 hours | Dependency ordering, user redirection, internal communication
Datto local recovery, single server | 5 minutes | 15-45 minutes | Performance on appliance compute, application checks
Datto cloud failover, full site | 1-2 hours | 4-10 hours | VPN setup, user routing, app validation
Zerto, critical workload | Sub-minute | 10-30 minutes | Closer to spec because the product is designed for it
M365 mailbox restore | Minutes | 1-4 hours | Identifying what was lost, scoping the restore

The gap between vendor-quoted and realistic is not the vendor lying; it is the difference between the mechanical recovery time and the business-readiness time. When you negotiate, make sure the RTO in the contract is the business-readiness time, not just the time for the system to come up. Otherwise you are signing for a number that does not mean what you think it means.

The eight questions to ask any DR vendor before signing

  1. What is your contracted RTO and RPO, and is it measured to system-online or business-ready? If they cannot answer this clearly, walk away.
  2. Where is the off-site copy stored, and is the storage in Australia? Sovereign data residency matters for many SMEs, especially those with health, legal or government-adjacent data.
  3. What is the additional cost during a real failover (compute, egress, storage)? The DR product price is the steady-state cost; the failover cost can be substantial.
  4. How often do you test failover, who tests it, and what is the success rate? Untested DR is a hope, not a plan. Insist on at least an annual test.
  5. What does it cost to extract our data if we leave? Vendor lock-in is real. Get the exit number on the contract.
  6. What is the support model during an incident – phone, ticket, named engineer? When you are actually failing over, the time to get a human matters more than any other metric.
  7. Who else like us are you protecting in Melbourne, and can we speak to them? Reference checks from similar-sized businesses cut through the marketing fast.
  8. What is the upgrade and hardware refresh cycle, and who pays? For appliance-based products, this affects the multi-year total cost.

One client of ours – a 40-staff law firm in Kew – went to contract with a national MSP that quoted a 30-minute RTO. The contract small print clarified that 30 minutes was system-online. When we ran their first DR test under our co-managed arrangement, business-ready was 5 hours. We renegotiated the contract on renewal to specify business-ready RTO with measurable checkpoints. Different number, more honest contract.
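An added example, not code from the original guide: a small Python script that takes a DR test timeline and reports the system-online RTO, the business-ready RTO and the achieved RPO as separate numbers, so the contracted figure can be checked against the right clock. The timeline format, event names and checkpoint names are assumptions made for illustration, and the sample timeline is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed DR test timeline (illustrative, not from a real incident).
# One event per line: ISO-8601 timestamp | event type | detail
SAMPLE_TIMELINE = """\
2026-03-14T08:45:00 | recovery_point    | last app-consistent replica
2026-03-14T09:00:00 | incident_declared | primary site unavailable
2026-03-14T09:04:00 | failover_started  | recovery plan triggered
2026-03-14T09:27:00 | system_online     | all VMs powered on in DR
2026-03-14T10:40:00 | checkpoint_passed | dns_and_vpn_cutover
2026-03-14T12:15:00 | checkpoint_passed | lob_app_validated
2026-03-14T13:55:00 | checkpoint_passed | users_confirmed_working
"""

# Hypothetical checkpoint names a contract could list as "business-ready".
REQUIRED_CHECKPOINTS = {"dns_and_vpn_cutover", "lob_app_validated", "users_confirmed_working"}


@dataclass
class Event:
    when: datetime
    kind: str
    detail: str


@dataclass
class Measurement:
    rpo: timedelta                           # data-loss window actually achieved
    rto_system_online: timedelta             # mechanical recovery time
    rto_business_ready: Optional[timedelta]  # None if a checkpoint never passed
    missing_checkpoints: set


def parse_timeline(text):
    events = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split("|", 2)]
        if len(parts) != 3:
            raise ValueError(f"line {line_no}: expected 3 fields")
        events.append(Event(datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    return sorted(events, key=lambda e: e.when)


def _first(events, kind):
    for e in events:
        if e.kind == kind:
            return e.when
    raise ValueError(f"timeline has no '{kind}' event")


def measure(events, required_checkpoints):
    """Compute achieved RPO and both RTO clocks from the incident declaration."""
    declared = _first(events, "incident_declared")
    online = _first(events, "system_online")
    points = [e.when for e in events
              if e.kind == "recovery_point" and e.when <= declared]
    if not points:
        raise ValueError("no recovery point before the incident")
    passed = {e.detail: e.when for e in events
              if e.kind == "checkpoint_passed" and e.when >= declared}
    missing = set(required_checkpoints) - set(passed)
    # Business-ready stops at the last required checkpoint, not at power-on.
    last = max([online, *(passed[c] for c in required_checkpoints if c in passed)])
    ready = None if missing else last - declared
    return Measurement(declared - max(points), online - declared, ready, missing)


def evaluate(m, contracted_rto, contracted_rpo, rto_basis):
    """rto_basis: 'system_online' or 'business_ready', as the contract words it."""
    findings = []
    if m.rpo > contracted_rpo:
        findings.append(f"RPO missed: {m.rpo} vs {contracted_rpo} contracted")
    if m.missing_checkpoints:
        findings.append("business-ready never reached; missing: "
                        + ", ".join(sorted(m.missing_checkpoints)))
    ready_late = (m.rto_business_ready is not None
                  and m.rto_business_ready > contracted_rto)
    if rto_basis == "business_ready" and ready_late:
        findings.append(f"RTO missed: business-ready took {m.rto_business_ready}")
    elif rto_basis == "system_online":
        if m.rto_system_online > contracted_rto:
            findings.append(f"RTO missed: system-online took {m.rto_system_online}")
        elif ready_late:
            # The contract is satisfied while the business is still down.
            findings.append("RTO met on paper (system-online), but "
                            f"business-ready took {m.rto_business_ready}")
    return findings


if __name__ == "__main__":
    result = measure(parse_timeline(SAMPLE_TIMELINE), REQUIRED_CHECKPOINTS)
    for finding in evaluate(result, timedelta(minutes=30),
                            timedelta(minutes=15), "system_online"):
        print("-", finding)
```

Run against the constructed timeline with a 30-minute contracted RTO, the same test passes on a system-online basis and fails on a business-ready basis.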

Sample DR scope checklist (30 to 100 user SME)

The scope of work conversation with a DR vendor is where mistakes get baked in. Use this as a starting checklist:

Item | In scope? | Notes
Production VMs (on-prem) | Yes | List by name, OS, role, criticality
Production VMs (Azure / AWS / GCP) | Yes | Cross-cloud DR is a separate conversation
SQL or other databases | Yes, with app-consistent backups | Application-consistent, not just crash-consistent
Microsoft 365 (Exchange, OneDrive, SharePoint, Teams) | Yes, via third-party SaaS backup | Microsoft does not back this up for you
Line-of-business SaaS (Xero, CRM, practice mgmt) | Vendor-specific | Each vendor’s backup policy is different; verify each
Endpoint data (laptops) | Optional | OneDrive sync usually covers this; check the policy
File shares | Yes | Often the largest data set
Active Directory / Entra ID | Yes | AD system state for on-prem; Entra ID via M365 backup
Network configurations (firewalls, switches) | Yes, as config exports | Often missed; documented configs accelerate recovery
Documentation runbooks | Yes | Stored outside the systems being recovered
Annual test | Yes | Specify isolated network test, not a paper exercise
Incident response on-call | Yes | Who do you call at 2 a.m. Sunday?

If a vendor proposal does not cover every row of this table or does not explicitly note items as out of scope with a reason, ask before signing. A DR proposal that omits Microsoft 365 backup is a flag, not because the vendor is dishonest but because the gap will surface during a real incident at the worst possible time.

How TechAssist delivers this

We are vendor-agnostic on DR. Our default stack for a typical Melbourne SME is Azure Site Recovery for IaaS, Keepit for M365 backup, and Veeam for environments that need a richer on-prem appliance story. We also run Datto where it is the right answer and Zerto where the RPO requirement justifies it.

The delivery is what makes the difference. Our 24/7 NOC at Tecoma monitors backup jobs and replication health on every managed client, with sub-15-minute response for P1 events. When a real incident hits, our 13 Australian engineers (no offshore tier-one queue) take the call, and the same-business-day on-site response in Melbourne metro means an engineer can be at your office before lunchtime if hands on the equipment are needed. The per-user fixed monthly pricing model includes the DR management on managed engagements; the DR product cost is a separate, transparent line item passed through at the vendor rate. The two Melbourne offices – Tecoma and 575 Bourke Street CBD – give clients access in both directions of the metro area, with the CBD office useful for CBD-based clients who want a quick face-to-face during planning.

Founded in 2014, our DR practice has now run incidents across professional services, healthcare admin, manufacturing, and not-for-profit clients. The pattern across all of them is the same: the DR posture that works is one that has been tested, documented, owned, and reviewed annually. The product choice matters less than the discipline around it. To talk through your specific environment, our team is reachable through the contact page, or for the broader managed services context the Melbourne managed IT services page covers how DR sits in the overall engagement.

Frequently Asked Questions

Is Microsoft 365 backup really necessary if we have litigation hold?

Litigation hold is a retention control, not a backup. It prevents end users from permanently deleting items, but it does not protect against a compromised admin wiping the tenant, does not give you a portable export, and does not provide point-in-time recovery for arbitrary historical states. For any SME holding meaningful business data in M365 – which is all of them – a third-party backup is a baseline control, not an option.

Can we just rely on the local appliance and skip the cloud failover?

If the disaster is a ransomware attack that encrypts the local appliance, or a fire that takes the office, the local-only configuration is no protection at all. The cloud or off-site copy is what makes the DR posture survive a real disaster. Local appliance plus cloud copy is the minimum; local-only is not DR, it is backup with extra steps.

What is the difference between backup and disaster recovery?

Backup is the data; DR is the ability to operate from that data after a major incident. A nightly backup of your server is backup. The ability to fail that server over to a working environment within a contracted time is DR. Most SMEs need both, in coordinated form, not one or the other.

How often should we test failover?

At least annually for a full test, quarterly for component tests, and continuously for the automated health checks the platform should be running. A DR plan that has not been tested in 18 months is no plan; it is a hope.

Will our cyber insurance cover the cost of a DR failover?

Sometimes yes, sometimes no. Read the policy. Many cyber policies cover business interruption losses but exclude or limit the actual restoration costs. The cleanest approach is to budget for the failover cost as a separate line, and treat any insurance recovery as upside.

Does the same DR product work for our on-premises servers and our Azure workloads?

Mostly no. The categories were designed for different starting points. Azure Site Recovery covers both Azure-native and on-prem to Azure. The appliance-based BCDR products are typically on-prem first, with limited cloud-native coverage. If your workload split is meaningful in both directions, expect to run two products. Our Melbourne cloud services page has more on hybrid architecture.

Most Microsoft 365 vs Google Workspace comparisons are written by Microsoft Partners and read like a sales pitch. Here is the straight version. Google wins for sub-15-person startups, design agencies, and web-native teams. Microsoft wins for anything compliance-driven, anything with Windows endpoints, and anything that touches Excel-heavy finance or operations tooling.

That is the headline. The rest of this article shows the working. We will cover the licensing reality in 2026, the Copilot versus Gemini story without the marketing gloss, the security and admin gap that has quietly widened, Australian data residency and Privacy Act considerations, and the genuine cost of switching either direction. Spoiler: it is almost always three to five months of dual-running, and the migration is rarely the expensive part.

TechAssist has been running these conversations with Melbourne SMEs since we were founded in 2014. Our Melbourne managed IT services team has migrated firms in both directions, so the bias here is genuinely thin. If anything, our preference leans Microsoft for clients in regulated sectors and Google for clients whose entire workflow lives in a browser, but the answer depends on what you actually do for a living.

The Honest Summary Up Front

If you want the verdict before the detail, here it is. Pick Google Workspace if you are under 15 staff, your team lives in Chrome, you do not run any line-of-business application that requires Windows, and you do not have meaningful compliance obligations beyond the Australian Privacy Act baseline. Pick Microsoft 365 if you have Windows endpoints, finance staff who live in Excel, ISO 27001, Essential Eight or sector-specific compliance ambitions, or any line-of-business application that integrates with Outlook calendars, SharePoint document libraries, or Power BI.

The grey zone is the 15-to-50-staff Melbourne SME with mixed Mac and Windows endpoints, a handful of legacy Office documents, and a desire to use Gmail because the founder likes it. That is the zone where the decision actually matters, and where most of our consulting time goes.

Licensing and Pricing in 2026

The headline SKUs have not changed dramatically, but the value gap inside each plan has. Microsoft has loaded more security and compliance into the mid-tier Business Premium plan, while Google has shifted more of its AI value into the Gemini Business and Enterprise add-ons. The result is that the apples-to-apples comparison is genuinely harder in 2026 than it was two years ago.

Here is the realistic comparison for a 30-person Melbourne SME at current AUD list pricing, rounded for clarity. Your actual prices via a partner will be slightly lower, but the ratios hold.

Plan tier | Microsoft 365 | Google Workspace | What you actually get
Entry | Business Basic – approx $11/user/month | Business Starter – approx $12/user/month | Email, web apps, 30GB storage. Limited admin and security.
Mid | Business Standard – approx $22/user/month | Business Standard – approx $24/user/month | Desktop apps (M365 only), 1-2TB storage, basic meetings.
Security-grade | Business Premium – approx $36/user/month | Business Plus – approx $34/user/month | Intune/MDM, Defender, conditional access (M365). Vault, advanced endpoint (Google).
AI add-on | Copilot – approx $46/user/month extra | Gemini Business – approx $34/user/month extra | In-app AI across the suite.

The numbers look close. They are not. The security-grade tier comparison is the one most decision-makers get wrong. Business Premium on Microsoft includes Intune device management, Defender for Business endpoint protection, conditional access, Azure AD Premium P1 (now Entra ID P1), and Purview data loss prevention. Google Business Plus includes Vault retention, advanced endpoint management, and Drive labels, but it does not include the equivalent of conditional access without stepping up to Enterprise Standard or Plus, which approximately doubles the per-user cost.

For a 30-person firm in Cremorne with Windows laptops, Business Premium replaces three or four separate tools that you would otherwise buy: a mobile device management product, an endpoint security product, a multi-factor enforcement layer, and a data loss prevention tool. That is the bundle value that has widened. It is not visible in the headline SKU price.

Where Google Wins, Honestly

Google Workspace genuinely wins in three scenarios, and we recommend it for all three.

The first is the sub-15-person startup. If you are five to twelve people, you live in a browser, you collaborate constantly in shared documents, and your security threat model is mostly phishing and credential theft, Google Workspace is faster to deploy, easier to administer without an IT team, and the collaboration UX is better. Docs and Sheets real-time editing remains a notch ahead of Word and Excel on the web, and the unified search across Drive, Gmail, and Calendar is excellent.

The second is the design or creative agency. If your team is on Macs, you use Figma, Adobe Creative Cloud, and Slack, and your finance person is the only one who touches a spreadsheet seriously, the Microsoft stack is overkill. Google Workspace plus a third-party MDM like Kandji or Jamf will serve you well. We have a 22-person creative agency client in Fitzroy that runs exactly this stack and has zero appetite to switch.

The third is genuinely web-first businesses. SaaS companies, marketing agencies, online publishers, e-commerce operators. Teams whose entire workflow is browser tabs and where Microsoft’s deep desktop integration provides no value. Google is leaner here, and Gemini’s integration with Search and YouTube is genuinely useful for these workflows in ways that Copilot’s Office integration is not.

Where Microsoft Wins, Also Honestly

Microsoft 365 wins in more scenarios than Google fans like to admit, and the gap has widened in 2024 and 2025.

The first and biggest is compliance. If you are pursuing ISO 27001, aligning with the Essential Eight, or operating in a sector with specific data handling requirements (legal, health, financial services, government supply chain), Microsoft Purview, Defender, and Entra ID together give you the audit trail, the controls, and the certification evidence that auditors expect. Google can technically achieve much of this, but the auditor-readiness gap is real, and we have seen it cost clients during certification.

The second is Windows endpoint reality. Most Australian SMEs run Windows. Intune is now genuinely good. Autopilot deployment for a new laptop is a fifteen-minute experience for the user, and the device arrives at the desk pre-enrolled and pre-configured. Google’s endpoint management story for Windows is workable, but it is not in the same league. If your fleet is Windows, this matters every single week.

The third is finance and operations integration. Power Query, Power Pivot, Power BI, and the broader Power Platform tie into Excel and Outlook in ways that have no Google equivalent. If your finance manager is building cashflow models, your operations team is reconciling job costing across two systems, or your sales lead lives in pipeline spreadsheets, the Microsoft ecosystem is genuinely more productive.

The fourth is line-of-business application integration. Practice management systems in Melbourne law firms, patient management in healthcare practices, ERP and MRP systems in manufacturing, and most Australian accounting and payroll platforms integrate more deeply with Microsoft than Google. The Outlook calendar plug-in, the SharePoint document repository, the Teams meeting integration. These are table stakes for serious vertical software.

Copilot vs Gemini: The Honest Take

Both AI assistants are useful. Both are overhyped by their vendors. Both will be markedly better in twelve months than they are today. Here is what we are seeing in actual SME use in 2026.

Copilot in Microsoft 365 is genuinely useful when it can see across your tenant. Drafting emails from meeting notes, summarising long Teams threads, generating first-draft PowerPoint from a Word brief, and pulling figures from Excel into commentary. The killer use case for SMEs is Teams meeting summaries with action items. Once finance and operations staff have used this for a month, taking it away is painful. The weak spot is reliability on numerical reasoning in complex spreadsheets, and the occasional confident hallucination when pulling data from SharePoint sites it should not be searching.

Gemini in Workspace is strong on text generation in Docs, summarising Gmail threads, and the integration with Google Search for research is genuinely useful. The meeting note-taking in Meet is good. The weak spot is that Gemini in Sheets is not yet at Copilot in Excel parity for serious analytical work, and the Drive search story is less mature than SharePoint plus Copilot for document-heavy organisations.

The honest answer on cost-benefit: at $46 per user per month for Copilot, you need each user to save roughly 45 minutes a week to break even on a $100k salary. We are seeing that achieved in about 60 percent of seats in client deployments, with marketing, sales, and executive assistants getting the highest return, and field-based staff getting the lowest. Gemini at $34 per user per month has a slightly easier payback maths but a slightly narrower set of killer workflows. If you are deciding whether to buy AI for your suite at all, the answer in 2026 is yes for office-based staff and no for field, retail, or shop-floor staff.

The Security and Admin Gap

This is the section where we annoy Google fans. The security and administration gap between Microsoft 365 Business Premium and Google Workspace Business Plus has widened, and pretending otherwise is not helpful to clients.

Conditional access is the clearest example. On Microsoft, you can write a policy that says “users in the finance group can only access the payroll system from a managed device, on a trusted network, with a fresh MFA challenge, between business hours, from Australia.” That policy is enforced at the identity layer for any application using Entra ID for sign-in. On Google, the equivalent context-aware access requires Enterprise tier, and the policy expressiveness is meaningfully thinner.

Endpoint management is the second example. Intune with Defender for Business gives you device compliance evaluation, attack surface reduction rules, controlled folder access, web content filtering, and integration with conditional access in one stack. Google’s endpoint management is fine for Chromebooks, workable for Mac, and basic for Windows.

The third is data loss prevention. Purview DLP can scan content in SharePoint, OneDrive, Exchange, Teams, and increasingly third-party SaaS via Defender for Cloud Apps. Google DLP works well within Drive and Gmail but does not extend as broadly.

None of this means Google is insecure. It is not. It means that if your cybersecurity requirements include detailed conditional access policies, device-based access controls, or aligning to Essential Eight Maturity Level Two, Microsoft gets you there with less bolting-on. Read our zero trust security model explained guide for the framework view.

Australian Data Residency and the Privacy Act

Both Microsoft and Google host Australian customer data in Australian data centres for the core services. Microsoft uses the Australia East and Australia Southeast regions for Exchange Online, SharePoint Online, OneDrive, and Teams. Google uses Australian data centres for Workspace core data at rest. So far, so similar.

The differences appear at the edges. Microsoft publishes detailed data location commitments for each workload, and the Advanced Data Residency add-on lets you pin certain services more strictly. Google’s data residency commitments are good but less granular below the core service level. For most SMEs, this does not matter. For clients we work with in government supply chain or in regulated sectors where data sovereignty questionnaires come up, it matters significantly.

Both vendors comply with the Australian Privacy Act and the Notifiable Data Breaches scheme as data processors. Your obligations as a data controller do not go away by choosing either. If you handle personal information at scale, read our Australian Privacy Act for SMBs guide for the practical checklist.

The Real Cost of Switching

This is where most articles lie to you. They quote the migration tooling cost, which is small, and ignore the dual-running cost, the retraining cost, and the lost-productivity tail, which are large.

Here is the realistic switching cost for a 50-person Melbourne SME moving from Google Workspace to Microsoft 365 or vice versa. We will use a worked example: a 50-person property services firm in Hawthorn we migrated in early 2025 from Google to Microsoft because they had taken on a client who required vendor security questionnaires they could not answer cleanly.

| Cost line | Amount (AUD) | Notes |
|---|---|---|
| Migration project (planning, tooling, execution) | $18,000 | Mail, Drive, calendars, contacts. Fixed fee. |
| Dual-licensing during cutover (4 months) | $13,200 | Both suites paid simultaneously to ensure no data loss. |
| Endpoint reconfiguration | $6,500 | 50 devices re-enrolled, profiles redeployed. |
| Training and change management | $4,800 | Two group sessions plus drop-in clinics. |
| Productivity dip (first 6 weeks) | $28,000 estimated | 10% productivity reduction across the team while learning new tools. |
| Total realistic cost | $70,500 | Roughly $1,400 per user. |

That is the real cost. The migration project line is the only one most quotes show you. The dual-licensing, the productivity dip, and the change management are usually invisible until you are deep in the project. We had this client back to full productivity by week eight, and the ROI is positive within the second year because they retained the client whose questionnaire triggered the move. But if you switch suites without that kind of trigger, the payback is much harder to justify.

The honest test we run with clients: if you cannot articulate a specific business reason for the switch that is worth at least $1,500 per user, do not switch. Stick with what you have and make it better.

Melbourne Examples: When We Recommend Each

A 12-person digital marketing agency in Collingwood. All Macs, Slack, Figma, web analytics tools, two finance staff using Xero. We recommended Google Workspace Business Plus plus Kandji for Mac MDM. Total stack cost roughly $850 per month. They are happy, audit-clean for their compliance needs, and the founder loves the Gmail UX.

A 35-person mechanical engineering consultancy in Box Hill. Windows fleet, AutoCAD and Revit, project management in a Microsoft-integrated platform, finance team building project costing models in Excel. We recommended Microsoft 365 Business Premium, Intune-managed Windows 11 devices delivered via Autopilot, Defender for Business, and Copilot for the senior engineers and finance team only. Total stack cost roughly $2,800 per month for the M365 layer. They cleared an ISO 27001 surveillance audit cleanly last quarter.

A 28-person allied health practice in Camberwell. Mixed Mac and Windows, patient management system that integrates deeply with Outlook calendars, NDIS and Medicare claiming. We recommended Microsoft 365 Business Premium for the integration reasons, Intune for device management, Defender for endpoint protection, and a structured Purview information protection deployment because patient information requires strict handling. Total cost slightly higher than Google would have been, but the integration requirements ruled Google out at the discovery stage.

For our broader take on choosing partners and platforms, see how to choose an MSP Melbourne and our top managed service providers Melbourne overview.

How TechAssist Approaches the Decision

We are platform-agnostic for genuine reasons. We were founded in 2014, we have 13 Australian engineers between our Tecoma office and our 575 Bourke St CBD office, and we operate a 24/7 NOC out of Tecoma. We migrate clients in both directions every quarter. Our per-user fixed monthly pricing does not change based on which suite you choose, so we have no commercial incentive to push either.

For new clients in our MSP Melbourne programme, we run a one-day platform assessment. We look at your endpoint fleet, your line-of-business applications, your compliance trajectory, your team’s working style, and your current pain points. We recommend Microsoft or Google based on the answer, not based on the margin. We respond to P1 incidents in under 15 minutes, and we run same-business-day on-site visits across Melbourne metro when something needs hands on hardware. The platform under the hood matters less than the discipline around it.

Our cloud services Melbourne team can scope a migration in either direction with a realistic dual-running budget and a change management plan, not just a tooling quote. Our co-managed IT support model also works if you have an internal IT lead who wants to keep the strategic decisions in-house and outsource the operational lift.

Frequently Asked Questions

Can a small business get away with just the entry-level plan?

For a five-to-ten-person business with low compliance requirements, the entry-level plan plus a third-party MFA enforcement layer and a basic backup tool will work. For anything more, the security and management gap between the entry tier and the security-grade tier is large enough that the entry tier is a false economy. We see clients spend more remediating after a security incident than they saved over three years of running on the entry tier.

What about Outlook on Mac with Google Workspace?

It works, but it is not great. If your team is on Mac and your founder wants Gmail, lean into the Google ecosystem fully rather than trying to bridge Outlook to Gmail. The hybrid setup creates calendar invitation issues, contacts sync issues, and frustrating support tickets. Pick one ecosystem.

Is Copilot worth it for a 20-person business?

For ten of those twenty people, yes. For the other ten, probably not. Buy Copilot for the seats where it will see daily use: executive assistants, sales, marketing, finance leads, and anyone whose job involves drafting documents, summarising meetings, or building reports. Do not buy it for field staff, warehouse staff, or part-time admin staff. The per-seat economics only work when the seat is actually used.

How long does a Microsoft to Google or Google to Microsoft migration actually take?

The migration tooling runs over a weekend. The dual-running window is three to five months. The team is at full productivity on the new platform by week eight to twelve. The cleanup of the old tenant takes another month or two. Anyone who tells you it is a one-month project is selling you a migration, not a successful outcome.

What about hybrid: some users on Microsoft and some on Google?

Avoid it unless you have a genuinely good reason, like a recent acquisition you are integrating. Hybrid creates shared calendar friction, email signature inconsistency, document collaboration confusion, and double the admin workload. We have a few clients running hybrid for legitimate transitional reasons. None of them are happy about it.

How do I get an honest scoping conversation?

Talk to us. We will tell you which platform fits your business and which one does not, and we will do that regardless of what you end up choosing. Reach our team via the contact page or call the office. The conversation is free and the recommendation will be straight.

For Australian SMEs under 200 seats, the four real cloud phone options in 2026 are Microsoft Teams Phone, 3CX, RingCentral, and Aircall. Each one is the right answer for a specific business profile and the wrong answer for others. This buyer’s guide compares them honestly on cost, fit, number porting, and resilience for Australian conditions.

Why this guide exists

Most Australian buyer’s guides for cloud phone systems read like a vendor brochure with a different cover. The advice is generic, the comparisons are shallow, and the local detail (porting timelines with TPG or Aussie Broadband, ACMA implications, what happens during an outage on the NBN) is missing. We have deployed and supported all four of these platforms inside our managed IT engagements since founding TechAssist in 2014, and the local detail is where most of the cost and risk hides.

This guide is opinionated. We will tell you which platform we recommend by default for which profile, and where we have seen each one go wrong. The goal is not to sell you on a particular vendor; it is to help you make a defensible choice that you will still be happy with in three years.

The four real options

Microsoft Teams Phone

The right answer for businesses that already run Microsoft 365 E3 or E5, want one platform for chat, video, and voice, and have a relatively standard office and remote staff mix without heavy call centre or sales dialler requirements.

Strengths:

  • Single identity, single client, single admin centre with the rest of your Microsoft estate
  • Native Teams app on every device people already have
  • Tight integration with calendar, presence, and meeting recording
  • Operator Connect or Direct Routing options give flexibility on the carrier side
  • Compliance and call recording aligned to the broader Microsoft 365 compliance stack

Weaknesses:

  • Native call queueing and IVR are basic compared to a dedicated UCaaS or contact centre platform
  • Real call centre features (skill-based routing, advanced wallboards, supervisor monitoring) require add-ons or a third-party contact centre integration
  • Sales-dialler workflows are clunky; no native power dialler
  • Voice quality depends heavily on the network and the device; soft phones on personal Wi-Fi can be unreliable

Best fit: professional services, accounting, legal, healthcare admin, and any organisation where the phone is a normal-volume business tool rather than the primary production system. For a 38-staff South Yarra law firm we recently deployed, Teams Phone with Operator Connect through an Australian carrier was the obvious answer because the firm already had M365 Business Premium and the call volume was about 40 inbound calls per partner per day.

3CX

The right answer for businesses that want maximum control, are comfortable with a more technical platform, and either want to self-host or run on a tightly managed instance. Also the right answer for businesses migrating from a legacy on-premises PBX who want a familiar feature set.

Strengths:

  • Strong feature parity with traditional PBX systems (call queues, ring groups, advanced IVR, hot desking)
  • Can be self-hosted in Azure, AWS, or on-premises; or run on a 3CX-hosted instance
  • Per-system pricing rather than per-user pricing, which can be significantly cheaper at scale
  • Strong third-party SIP trunk support, so you can choose your Australian carrier
  • Good softphone and mobile apps; reasonable Teams integration if needed

Weaknesses:

  • Requires technical administration; not a ‘set and forget’ platform
  • Self-hosted instances need patching, monitoring, and backup (real infrastructure work)
  • UI is functional rather than polished; staff onboarding is harder than Teams
  • 3CX itself has had security incidents in recent years (the 2023 supply chain compromise), which raised concerns; the subsequent response has been adequate, but the history is worth noting

Best fit: businesses that already have IT capacity (internal or co-managed), value control over the platform, and have specific feature requirements that consumer-grade UCaaS platforms do not meet. We run 3CX in our own environment and for a number of clients where the cost model and the feature set are right. For a 65-staff manufacturing business in Dandenong South, 3CX with SIP trunks from an Australian carrier and a redundant pair of instances in Azure was the right call because the on-premises requirement (a few hundred handsets across two sites with paging integration) ruled out the pure-cloud UCaaS options.

RingCentral

The right answer for businesses that want a full unified communications-as-a-service experience with a polished UI, strong analytics, and built-in contact centre options for when the business grows into them.

Strengths:

  • Polished, consumer-grade user experience across mobile, desktop, and web
  • Built-in video, messaging, fax, SMS, and voice in one platform
  • Strong analytics and reporting out of the box
  • Contact centre add-on (RingCX) is mature and integrates natively when needed
  • Strong CRM integrations (Salesforce, HubSpot, Zoho) without third-party connectors

Weaknesses:

  • Per-user pricing is at the higher end of the market
  • Australian carrier and number porting flexibility is more limited than 3CX
  • Bundle includes features many SMEs do not use, which inflates the per-seat cost
  • Account management can be inconsistent; SMEs sometimes feel underserved

Best fit: customer-facing businesses with 30 to 150 staff that have outgrown a basic phone system, want a single platform across all communication channels, and have a clear customer service or sales operation. For a 72-staff e-commerce business in Cremorne we work with, RingCentral with the contact centre module was the right call because the customer service team needed proper queueing, wallboards, and supervisor monitoring that Teams Phone could not match.

Aircall

The right answer when sales or customer experience is the dominant phone use case, when CRM integration is the highest priority, and when you are willing to add another tool to your stack to get a sales-optimised experience.

Strengths:

  • Built specifically for sales and CX teams; the workflows reflect that
  • Excellent CRM integration (Salesforce, HubSpot, Pipedrive, Zendesk) with screen pops and automatic logging
  • Power dialler, click-to-call, and call coaching features are native
  • Fast to deploy; user onboarding is friendly
  • Good analytics for call outcomes and rep performance

Weaknesses:

  • Not designed as a general business phone system; not the right tool for receptionist or main-line scenarios
  • Australian number availability and porting can be slower; mostly serves international and metropolitan use cases
  • Per-user pricing is competitive but stacks with whatever else you use for general office calling
  • Voice quality is heavily dependent on the user’s network

Best fit: dedicated sales or customer success teams within a larger business that already has a general phone system. We have deployed Aircall for the sales team at a Hawthorn SaaS business while leaving Teams Phone as the general business platform. The two run side by side, the sales team gets the dialler experience they need, and the cost is contained to the 12 sales seats.

Side-by-side cost comparison

The table below assumes a 50-user Australian SME with a standard mix of office calling. Prices are 2026 Australian list, GST exclusive, and assume an annual commitment. Real negotiated prices for SMEs are often 10% to 20% below list.

| Platform | Per-user monthly | Carrier costs | Implementation cost | Annual cost (50 users) | Notable inclusions |
|---|---|---|---|---|---|
| Teams Phone (with M365 BP) | $12-$18 | $5-$10 per DID + call costs | $3,000-$8,000 | $11,000-$17,000 | Bundled with Microsoft 365 estate |
| 3CX (Pro, 4 simultaneous calls per 4 users) | $3-$6 effective | $5-$10 per DID + call costs | $5,000-$12,000 | $6,000-$11,000 | Strong control, lower opex |
| RingCentral (Advanced) | $45-$55 | Included up to fair use | $4,000-$10,000 | $28,000-$36,000 | All-in-one UCaaS |
| Aircall (Professional) | $70-$85 | Included up to fair use | $2,000-$5,000 | $43,000-$52,000 | Sales-optimised; usually only sales team |

The cost comparison hides important differences. Teams Phone looks cheap on this view because much of the platform cost is already paid for in your Microsoft 365 licence. 3CX looks cheaper still on a pure platform basis, but the operational cost of running and maintaining the platform is real and not captured in the per-user price. Aircall is the most expensive per seat, but in practice you only deploy it to a sales team subset, not the whole business.

Number porting timelines and carriers

Number porting in Australia is the most underestimated risk in a phone system change. Promised porting timelines and actual porting timelines often diverge by weeks. The factors that matter:

Carrier of the losing number

Porting away from Telstra is typically 4 to 8 weeks for a complex port (multiple numbers on a hunt group) and 1 to 3 weeks for a simple port (single number). Porting away from Optus or TPG is similar. Smaller wholesale carriers can be faster (1 to 2 weeks) but the process is also more dependent on the human being on the other side.

Carrier of the gaining number

For Teams Phone, you can use Operator Connect carriers (multiple Australian options including TPG, Vonage, and several smaller providers) or Direct Routing through your own carrier. Operator Connect is faster to provision but you trade flexibility. Direct Routing requires a session border controller setup but gives you choice of carrier.

For 3CX, you choose your SIP trunk carrier independently. Aussie Broadband, Maxotel, and TPG Wholesale are common choices for Australian SMEs. Maxotel in particular has a reputation for responsive porting support among smaller deployments.

For RingCentral and Aircall, the carrier is bundled. You do not choose; you accept the carrier the platform uses. This simplifies the buying decision but reduces flexibility.

The porting risk plan

Whichever platform you choose, plan the port itself as a discrete project with its own risk management. Recommended practice:

  • Submit port requests at least 30 days before go-live
  • Keep the old service active and paid until 7 days after port completion
  • Test inbound calls from at least three external networks (mobile, landline from a different carrier, international if relevant) before decommissioning the old service
  • Plan a fallback path: divert old numbers to mobile during the cutover window in case of a disputed port
  • Have a written escalation path with both carriers; know who to call when something stalls

For complex multi-site deployments, factor in 6 to 8 weeks of porting lead time. Trying to compress this is a frequent source of go-live failures.

ACMA and ATO implications

ACMA

The Australian Communications and Media Authority regulates how Australian businesses can use phone numbers and what carriers must do. The relevant points for a cloud phone deployment:

  • You must use Australian-registered numbers for Australian business operations (you cannot just use a US-issued RingCentral or Aircall number for your Australian customers)
  • Emergency calling (Triple Zero) must work and must report a usable location. Many cloud phone systems require explicit configuration of E000 location data per device or per user
  • Lawful intercept obligations apply to carriers, not to you directly, but your carrier must be compliant

The E000 location requirement is the one most often missed. If your staff are working from home with a softphone, the system needs to know their location at sufficient detail that emergency services can be dispatched correctly. RingCentral and Teams Phone both handle this; 3CX requires explicit configuration; Aircall is more limited.

ATO and record keeping

The ATO requires businesses to maintain records of business transactions, which can include call records for sales and customer service interactions. Cloud phone systems typically retain call records and recordings for a default period (30 to 90 days), which is shorter than the typical ATO retention requirement of 5 years.

If you record calls, you need to store the recordings somewhere durable for the retention period. Most platforms offer extended retention as an add-on or via export to your own storage. Build this into the deployment design.

Fallback plans for outages

Cloud phone systems fail. They fail less often than on-premises PBXs, but when they fail they fail completely. Your fallback plan needs to be:

  • Documented in writing and tested at least annually
  • Triggerable by a non-IT staff member if needed
  • Capable of routing inbound calls to mobiles within 5 minutes

The standard fallback is a carrier-level call forwarding rule that activates when the platform is unreachable. Most Australian carriers support this for inbound DID numbers. The rule sends all inbound calls to a designated mobile (usually the reception manager) when the cloud platform stops responding. When the platform recovers, the rule deactivates.

For businesses where the phone is mission-critical (medical practices, professional services with tight client SLAs, customer service operations), consider running two carriers in active-passive configuration. The cost is meaningful but the resilience is the highest you can achieve outside of a dedicated contact centre platform.

For a Camberwell healthcare practice we manage, the phone system runs Teams Phone with Operator Connect through one carrier and a secondary direct route through a different carrier as failover. The cost premium is about $400 a month for the secondary path. They have used it twice in 18 months and both times the failover saved the day.

How to decide

The decision tree we use with clients is:

  1. Do you already have Microsoft 365 E3 or E5, or Business Premium with Teams Phone add-on? If yes, start with Teams Phone unless there is a specific reason not to.
  2. Is your call volume primarily sales-driven, with CRM integration as a top requirement? If yes, evaluate Aircall as a sales-team overlay on top of a general phone system.
  3. Do you have a customer service team of 5 or more that needs proper queueing, wallboards, and supervisor features? If yes, evaluate RingCentral or RingCX.
  4. Do you have specific feature requirements (paging integration, dense IVR, hot desking) that consumer-grade platforms do not meet, and do you have or want technical control over the phone platform? If yes, evaluate 3CX.
  5. If none of the above clearly dominates, default to Teams Phone for the Microsoft 365 integration alone.

Implementation realities

Cloud phone deployments fail more often than they should, almost always for the same reasons. The four to plan against:

  • Underestimating the porting timeline. Already covered above. Treat it as the critical path.
  • Underestimating user training. Phone behaviour is muscle memory. Switching staff to a new system without dedicated training results in two months of awkward calls and lost business.
  • Underestimating the network impact. Voice traffic competes with Teams meetings, file syncs, and everything else on the network. QoS is essential; on a typical NBN connection, prioritising voice traffic prevents call quality degradation during peak hours.
  • Underestimating the headset standard. A $35 headset is not the same as a $180 business headset. Voice quality complaints are 50% headset and 50% network in our experience. Standardise on a known-good business headset and budget for it.

This kind of deployment work sits naturally inside a managed IT services arrangement with per-user fixed monthly pricing. Our 13 Australian engineers handle cloud phone deployments out of our 24/7 NOC in Tecoma and our 575 Bourke Street CBD office, with sub-15-minute P1 response when something goes wrong post-go-live. The same-business-day on-site capability for Melbourne metro matters when you have 40 desk phones to physically replace.

If you want a sharper conversation about which of the four platforms is the right fit for your specific business, get in touch. The right answer depends on context that a buyer’s guide cannot fully cover.

Frequently Asked Questions

Can we keep our existing PBX and just add cloud features?

Yes, with hybrid models. 3CX in particular supports a hybrid mode where some users are on the cloud client and others remain on legacy SIP handsets. This is a sensible transition path for businesses with significant existing handset investment. Teams Phone also supports a hybrid model through Direct Routing, where your existing PBX can serve as the gateway during migration. The hybrid period typically lasts 3 to 6 months.

What about Zoom Phone?

Zoom Phone is a legitimate fifth option that we deliberately excluded from the main comparison because in our experience it sits awkwardly between Teams Phone and RingCentral without clearly winning on either dimension for Australian SMEs. If your business is Zoom-first for meetings (which is unusual in Australian SMEs but happens), Zoom Phone is worth evaluating. For most Australian SMEs already on Microsoft 365, the simpler answer is Teams Phone.

How do we handle remote and hybrid staff with the chosen platform?

All four platforms support remote work natively through softphone clients. The practical issues are home network reliability, headset quality, and emergency calling location data. The home network reliability question often pushes businesses toward providing a mobile data backup option for staff who do customer-facing calls from home.

What is the typical implementation timeline?

For a 50-seat deployment, expect 6 to 10 weeks end to end. Two weeks for design and procurement, two weeks for tenant configuration and pilot user testing, four to six weeks for porting (often the long pole), and one week for cutover and immediate post-cutover support. Rushed implementations are the single largest source of go-live failures.

How does the choice of cloud phone system intersect with cybersecurity?

Cloud phone systems are an identity surface and a data surface. Voicemail recordings, call recordings, and contact lists are all sensitive data subject to the Privacy Act. The platform’s identity model should integrate with your existing identity provider (Microsoft Entra ID in most cases), and the call recording retention and encryption should align with your broader data protection posture. This is why we evaluate cloud phone choices as part of a broader cybersecurity conversation rather than as a standalone procurement.

What is the right number of carriers to use?

For most SMEs, one carrier with carrier-level failover (call divert on unreachable) is sufficient. For mission-critical phone use cases, two carriers in active-passive configuration. Three or more is over-engineered for sub-200-seat businesses. The marginal resilience past two carriers does not justify the cost or complexity.

If your Melbourne SME handles routine business data with sensible security baked into IT operations, an MSP is usually the right call. If you’re regulated, a frequent target, or you’ve had an incident, you likely need MSSP-grade detection and response on top. The honest answer for most 50-300 staff businesses sits between.

That middle ground is where most of the confusion lives. The acronyms get used interchangeably by sales teams, the pricing models look superficially similar, and the marketing pages all promise the same outcomes. But the operational reality is very different, and choosing the wrong model leaves you either overpaying for capability you can’t consume, or underprotected against threats your provider was never set up to catch.

This post compares the three operating models — MSP, MSSP, and internal security team — through the lens of risk profile rather than feature list. If you’ve already read our cost comparison between managed security and an in-house team, this is the companion piece: same decision, different angle.

What each model actually does in practice

Before we get to the comparison, it’s worth being concrete about what these labels mean on the ground in 2026, because the definitions have drifted.

MSP (Managed Service Provider)

An MSP runs your IT. That covers user onboarding and offboarding, endpoint management, Microsoft 365 administration, server and network operations, backup, patching, vendor liaison, and the help desk your staff ring when their laptop won’t connect to the printer. A modern MSP also runs a competent security baseline as part of that work — and this is the part most decision-makers misunderstand. A capable Australian MSP in 2026 should be delivering, as standard:

  • MFA enforcement across all identity surfaces, with conditional access policies tuned to your risk
  • EDR (endpoint detection and response) deployed and managed on every endpoint
  • Patch management on a defined cadence, with exception reporting
  • Backup with immutable copies and tested restore procedures
  • Email security with sandboxing and impersonation protection
  • Alignment to the Essential Eight at a documented maturity level
  • Quarterly security reviews and a documented risk register

That’s not a security service in the MSSP sense — it’s hygiene. But it’s the hygiene that prevents most incidents. The Australian Cyber Security Centre’s annual reporting consistently shows that the bulk of compromises against SMEs come through gaps in exactly these controls, not through sophisticated targeted attacks.

MSSP (Managed Security Service Provider)

An MSSP doesn’t run your IT. It runs your detection and response capability. The core deliverables look like this:

  • 24/7 Security Operations Centre (SOC) staffed by analysts whose entire job is watching alerts
  • SIEM (security information and event management) — ingesting logs from your endpoints, identity, network, cloud, and SaaS, and correlating them in real time
  • MDR (managed detection and response) — active threat hunting and containment, not just alerting
  • Vulnerability management as an ongoing programme with prioritised remediation
  • Incident response with defined containment playbooks and a retainer for serious events
  • Threat intelligence specific to your sector and geography
  • Compliance reporting against frameworks like ISO 27001, SOC 2, APRA CPS 234, or the Privacy Act

That’s a different operation entirely. The skill set is different (security analysts, not generalist engineers), the tooling is different (SIEM platforms cost serious money before you’ve hired anyone), and the operating model is different (event-driven, 24/7, with measured time-to-detect and time-to-contain).

Internal security team

An internal security team is exactly what it sounds like — people on your payroll who own security as their job. In an Australian SME context, the entry point is usually a single security manager or CISO-equivalent, supported by IT staff who pick up some security work. A proper internal capability that can actually detect and respond to incidents needs at minimum three to four people to cover a 24/7 roster, plus tooling — and at that point you’re looking at $700k-$900k a year in salary and licences before you’ve turned the lights on.

The comparison by risk profile

The right model depends on your risk profile, not your headcount. A 60-person law firm dealing with sensitive client matters has a different threat picture to a 250-person manufacturer making widgets. Here’s how the three models map against typical Melbourne SME risk profiles.

| Factor | MSP with security baseline | MSSP (specialist) | Internal security team |
|---|---|---|---|
| Risk profile suited | Low to moderate — standard business data, no specific regulatory obligation, no history of targeted attacks | Moderate to high — regulated industry, holds large volumes of PII or financial data, known threat target, prior incident | High — large enterprise risk profile, sovereign data obligations, board-level security oversight required |
| Capability depth | Broad — generalist engineers covering IT operations with security hygiene built in | Deep but narrow — specialists in detection, response, threat hunting; doesn’t touch general IT | Whatever you can hire — usually narrow until you can afford 5+ FTEs |
| Coverage hours | Business hours with after-hours P1 escalation; NOC monitoring of infrastructure 24/7 | 24/7 SOC with named analysts on shift | Whatever your roster supports — rarely true 24/7 below 4 FTEs |
| Realistic annual cost (100 staff) | $120k-$220k all-in for managed IT including security baseline | $80k-$180k for MSSP services on top of IT | $400k-$900k for a credible team plus tooling |
| Time to value | 30-60 days for full onboarding | 60-120 days to ingest logs, tune SIEM, build runbooks | 6-18 months to recruit, onboard, and reach operational maturity |
| Best fit business size | 20-300 staff with standard risk profile | 50+ staff with elevated risk, or any size with regulatory obligation | 500+ staff, or smaller with board mandate and budget |

How to read your own risk profile honestly

The question isn’t “are we at risk” — every business is. The question is what kind of risk, and what level of capability that justifies. A few practical tests we use when scoping work for new clients:

What’s the data you actually hold? A 120-staff accounting firm holding trust account data, ATO records, and personal financial information for several thousand clients has materially different exposure to a 120-staff industrial supplier. The former is a high-value target with legal obligations; the latter mostly needs to not be the easiest door on the street. We’ve written separately about accounting firm data security and trust account protection because that sector’s risk profile is genuinely different.

What’s your regulatory exposure? If you’re subject to APRA CPS 234, the Privacy Act notifiable breach scheme with material consequences, ISO 27001 certification for tendering, SOC 2 for SaaS customers, or sector-specific obligations (healthcare, legal, financial services), you need defensible detection and response. An MSP security baseline won’t pass that audit. You need MSSP-grade logging, retention, and incident handling.

Have you been hit before? Past incidents are the strongest predictor of future ones. If you’ve had a serious phishing-led compromise, a business email compromise event, or a near-miss with ransomware, your risk profile has changed. Threat actors share target lists. Going back to baseline hygiene after an incident is rarely sufficient.

What’s the impact of 72 hours of downtime? If a ransomware event would cost you tens of millions in lost revenue, contractual penalties, or customer churn, the maths on MSSP coverage gets simple very quickly. If three days of disruption would be painful but survivable, you can probably tolerate the slightly longer response curve of MSP-managed security with on-call escalation.

A concrete example: 120-staff CBD financial services firm

To make this less abstract — we onboarded a financial planning firm in the Melbourne CBD last year, about 120 staff across two offices, holding personal financial data and SOA documentation for around 4,000 clients. They came to us convinced they needed a full MSSP engagement because their incumbent IT provider had been quietly running on autopilot for years and they’d had a phishing scare.

What they actually needed was different. Their immediate exposure was the hygiene gap — MFA was inconsistent, EDR was deployed but never reviewed, patch cadence had slipped, and there was no documented backup test in the previous twelve months. We spent the first 90 days closing that gap as part of standard managed IT work, and aligned them to Essential Eight Maturity Level Two.

Six months in, with the baseline solid, we added managed SOC services through our Tecoma facility — SIEM ingestion of their identity, endpoint, and Microsoft 365 logs, 24/7 monitoring, and a defined incident response runbook. Total annual spend ended up roughly $190k for managed IT plus $95k for the SOC overlay. A full MSSP-only engagement would have cost similar money but left their underlying IT untouched, which was the actual source of risk.

That’s the pattern we see most often. The MSP-versus-MSSP framing is usually a false choice. What most Melbourne SMEs need is a strong MSP foundation with security overlays added where the risk justifies them.

Where the hybrid model fits

The integrated approach — MSP with embedded or overlaid SOC services — is increasingly common among Australian providers, and for good reason. The handoff problem between an MSP and a separate MSSP is real: when a SIEM alert fires at 2am, who patches the server, who isolates the endpoint, who talks to the client? Two providers means two contracts, two sets of runbooks, and a coordination gap right at the worst moment.

TechAssist runs an integrated model out of our Tecoma facility. The 24/7 NOC handles infrastructure monitoring and the managed SOC services overlay handles security event detection and response, with the same engineering team handling containment and remediation. Sub-15-minute response on P1 events. Essential Eight aligned by default. Thirteen Australian-based engineers, no offshore tier-one. We’ve been operating this model since 2014 and the integration matters — it’s the difference between a fast alert and a fast response.

This isn’t the right answer for every business. If you’re a 500-staff financial services firm with mature internal IT and you need to overlay specialist detection, a pure MSSP engagement on top of your existing team makes sense. If you’re a 60-staff professional services firm where IT is one person plus a help desk, the integrated MSP-plus-SOC model is usually a better fit than trying to manage two providers.

The decision framework

If you take nothing else from this post, work through these questions in order:

  1. What’s our current security maturity? If you don’t have MFA universally enforced, EDR managed and reviewed, current patching, tested backups, and Essential Eight alignment, that’s where to start. No amount of SOC monitoring compensates for missing baseline. This is MSP territory — see our managed IT services page for what that scope looks like.
  2. What’s our regulatory and contractual exposure? If audits, certifications, or customer contracts require defensible detection and response, you need MSSP-grade capability. Document the specific clauses driving this — it sharpens the conversation.
  3. What’s the business impact of a serious incident? Run the numbers honestly. Lost revenue per day of downtime, customer churn, contractual penalties, regulatory fines, remediation costs, reputational damage. If that number is significant relative to your annual revenue, the maths on 24/7 SOC coverage works.
  4. Do we have the internal capacity to consume security services? An MSSP that ships you a hundred alerts a week is worthless if nobody on your side reads them. You need either an internal point of contact or an MSP partner who can act on the alerts. Our managed cyber security services are designed around this — SIEM, MDR, and EDR delivered as a managed service so you’re not drowning in alerts.
  5. What’s our growth trajectory? A 100-staff business heading to 250 over two years has different needs to one that’s stable. Build the operating model for where you’ll be, not where you are.

Cost reality check

The pricing in the comparison table reflects what we see in the Australian market in 2026, but ranges hide a lot. A few honest observations on cost.

MSP pricing in Melbourne for 100 staff is genuinely competitive — the market has matured and rates have compressed. $120k-$220k a year all-in is realistic for managed IT with a good security baseline. If you’re paying less, check what’s missing (almost always EDR management, backup testing, or genuine 24/7 escalation). If you’re paying significantly more, check what you’re getting that justifies it.

MSSP pricing is harder to benchmark because the deliverables vary wildly. Some “MSSP” offerings are essentially log forwarding with email alerts and a pretty dashboard — at $40k a year, you get what you pay for. Genuine 24/7 SOC with named analysts, MDR, and incident response retainer runs $80k-$180k for a 100-staff environment. The gap between cheap and credible MSSP is bigger than the gap between cheap and credible MSP.

Internal teams remain expensive. The economics only work at scale or when you have specific reasons (sovereign data, board mandate, M&A history that built a team) that make outsourcing untenable. For most Melbourne SMEs in the 50-300 staff range, the build-versus-buy maths favours managed services by a wide margin. We’ve gone deeper on this in the co-managed versus managed versus internal IT comparison.

What good looks like

A useful test when you’re evaluating any provider — MSP, MSSP, or hybrid — is to ask specific questions and listen for specific answers:

  • What’s your time-to-detect and time-to-contain on a typical credential compromise event? (Vague answers are a red flag.)
  • How do you ingest and retain logs, and what’s the retention period?
  • What’s your incident response runbook? Walk me through the first hour of a ransomware event.
  • What’s your Essential Eight maturity assessment for your own operations?
  • Who’s on shift at 3am on a Sunday, and what’s their authority to act?
  • What’s your escalation path to my team, and at what point do you involve us?
  • Can I see a sanitised incident report from a real event you’ve handled?

Providers who can answer these crisply have operational maturity. Providers who deflect or speak only in marketing language don’t. This applies equally to MSPs claiming security capability and MSSPs claiming SOC depth.

Frequently asked questions

What’s an MSSP and how is it different from an MSP?

An MSP (Managed Service Provider) runs your IT operations — endpoints, identity, infrastructure, help desk, backup, and patching — with a security baseline built in. An MSSP (Managed Security Service Provider) is specialised in security detection and response: 24/7 SOC, SIEM operations, threat hunting, incident response, and vulnerability management. The MSP keeps the lights on; the MSSP watches the perimeter and inside the network for active threats.

Do we need both an MSP and an MSSP?

Most Melbourne SMEs in the 50-300 staff range don’t need two separate providers. The two common solutions are either an MSP with a strong managed security baseline (suitable for standard risk profiles) or an integrated provider offering both MSP and managed SOC services from one operations centre. Running two separate providers introduces coordination problems during incidents, which is exactly when coordination matters most. The exception is larger or highly regulated businesses where deep MSSP specialisation justifies the handoff complexity.

What does an MSSP cost in Australia?

For a 100-staff Australian SME, credible MSSP services run $80k-$180k per year on top of existing IT spend. That covers 24/7 SOC monitoring, SIEM ingestion across endpoints and identity, MDR, vulnerability management, and incident response retainer. Cheaper offerings exist but usually reduce to log forwarding with email alerts — not the same thing. Pricing scales with log volume, endpoint count, and the breadth of sources ingested (cloud, SaaS, network, identity, endpoint).

When is an internal security team the right answer?

An internal team makes sense when you’re at 500+ staff, have specific sovereign data or regulatory obligations that prevent outsourcing, have board-level mandate for in-house capability, or have inherited a team through acquisition. Below that, the economics rarely work — a credible 24/7 internal capability costs $700k-$900k a year before tooling, and Australian security talent is in short supply. Most SMEs are better served by managed services and selectively building internal capability (typically a security manager or CISO) on top.

How do we know if our current MSP is doing enough on security?

A few quick tests. Ask for evidence of: MFA enforcement across all users with conditional access policies, EDR deployed and actively managed with monthly reviews, current patch status report, last successful backup restore test (within 90 days), Essential Eight maturity assessment, and quarterly security review meetings. If your provider can’t produce this evidence within a week, security is not being actively managed regardless of what your contract says.

Where to start

If you’re trying to work out which model fits your business, the most useful first step is an honest assessment of where you are now — current controls, current gaps, current risk profile, and current regulatory exposure. From there the right operating model becomes clearer. We do this assessment as part of scoping for new clients, and it doesn’t commit you to anything.

Have a look at our cybersecurity services overview for the broader picture of what we cover, or get in touch if you’d rather have a direct conversation. Phone 1300 028 324 — we’ll tell you straight whether you need MSP, MSSP, the hybrid, or none of the above.

Strategic problem (cloud migration, M&A, compliance) and an internal team to execute? Hire an IT consultant. Day-to-day breaking and nobody monitoring? You need an MSP. Both true — as for most growing Melbourne SMEs — you need both, without paying two firms for the overlap.

This is the question I get asked most often by owners and GMs of 20-200 person Melbourne businesses, and the answer is genuinely “it depends”. So let’s pull the two roles apart properly, because the marketing copy on both sides of the fence has muddied the water.

The honest definition: consultant vs MSP

IT consultancy in Melbourne — at least the version worth paying for — is strategic advisory work. A consultant comes in with a defined scope, a defined deliverable, and a defined exit. They don’t answer your password reset tickets. They don’t patch your servers at 2am. They tell you what to do, why, in what order, and roughly what it should cost. Then they hand over to someone (your internal team or an MSP) to actually build it.

A managed service provider, by contrast, runs the lights. Monitoring, patching, helpdesk, backups, identity, endpoint security, server and network operations. An MSP is measured on uptime, response time, ticket resolution, and whether your staff can actually get their work done. The relationship is ongoing — usually a monthly fee per user or per device.

The confusion comes from the fact that a competent MSP will do some consulting (you can’t run someone’s IT well without thinking strategically about it), and a competent consultant will sometimes get hands-on (especially on smaller engagements). The overlap exists. But the centre of gravity for each role is clearly different.

What an IT consultant actually does

The clearest way to think about consultancy work is by deliverable. A consultant is usually engaged to produce one of these:

  • An IT strategy or roadmap. A 12-36 month plan covering infrastructure, applications, security posture, and budget. This is the closest to “permanent” consulting work, often delivered as part of a strategic planning engagement.
  • A specific transformation business case. Should we move from on-prem to Azure? Replace Citrix with AVD? Migrate from on-prem Exchange to Microsoft 365? The consultant writes the business case, costs the options, and recommends a path.
  • Vendor selection. Independent assessment of which line-of-business platform, MSP, or telco to pick. Genuine independence here is rare and worth paying for — most “consultants” who do vendor selection are receiving a kickback from the chosen vendor. Always ask.
  • M&A IT due diligence. You’re buying or selling a business. What’s the state of the target’s IT estate? What are the integration risks? What’s the cost to get it to your standard? This is a defined-scope engagement that wraps up when the deal does.
  • Regulatory and compliance projects. Essential Eight uplift, ISO 27001 readiness, IRAP, APRA CPS 234, ASD-aligned controls for a government tender. The consultant maps where you are, where you need to be, and what the gap costs to close.
  • Architecture review. A second opinion on a design your internal team or current vendor has produced.

Notice what’s not on that list: running your helpdesk, fixing the printer in the Hawthorn office, doing the Windows updates, monitoring whether your firewall is alive at 3am. A pure consultant won’t touch any of that, and arguably shouldn’t, because the day rates don’t make sense for operational work.

What an MSP actually does

The MSP world has its own jargon, but the core functions of a Melbourne managed services engagement are reasonably consistent:

  • Service desk. Your staff have a number to call or an email to send when something breaks. Tickets get triaged, prioritised and resolved against an SLA.
  • Monitoring and remediation. Servers, network, endpoints and cloud services are watched 24/7 by a NOC. Alerts are triaged and either auto-remediated or sent to an engineer. TechAssist runs a 24/7 NOC out of our Tecoma operations centre for exactly this reason — alerts at 3am still get acted on.
  • Patch management. OS updates, third-party app updates, firmware, browser updates, deployed and validated on a schedule.
  • Backup and recovery. Configured, tested, monitored, restored when needed.
  • Identity and access. Microsoft Entra, conditional access, MFA, joiner/mover/leaver workflows.
  • Endpoint security and SOC. EDR/XDR rollout, alerts triaged, incidents responded to. The good MSPs run this as a proper security operation, not just “we installed Defender”.
  • Procurement and lifecycle. Buying the laptops, the licenses, the firewalls. Replacing them on a sensible cycle.
  • Documentation. If your MSP can’t show you the current network diagram and your asset register on demand, fire them.

The MSP relationship is ongoing because IT operations are ongoing. You can’t outsource Tuesday’s printer problem to a consultant and Wednesday’s password reset to a different one — the economics fall apart, and nobody owns the overall environment.

The overlap zone: vCIO services

Between pure strategy and pure operations sits the role most likely to confuse buyers: the virtual CIO. A vCIO is a part-time, fractional strategic advisor — usually delivered by an MSP, either included in or as a paid extra on top of operational services.

If you want the full breakdown, we wrote a plain-English guide to virtual CIO services separately. But for this article the short version is: vCIO is the consultancy work an MSP does for its own clients as part of the ongoing relationship. Quarterly business reviews, roadmap planning, budget input, risk register, technology refresh planning. It’s lighter-touch than a standalone consultancy engagement, and it’s biased toward the MSP’s own service catalogue.

That bias isn’t necessarily bad — your MSP knows your environment better than anyone — but it’s worth being clear-eyed about. If you need a genuinely independent view on a major decision (especially “should we replace our MSP?”), you want an outside consultant, not your incumbent MSP’s vCIO.

A real Melbourne example

A 55-person professional services firm in Hawthorn came to us last year. They had an existing MSP doing reasonable operational work — service desk, patching, backups, the usual. The owner had been told by his accountant to “talk to a consultant” because they were planning to acquire a smaller firm in Geelong and the IT side felt risky.

What they actually needed was three distinct things:

  1. Pre-deal IT due diligence on the Geelong target — a defined consultancy piece, two weeks, fixed fee.
  2. A post-acquisition integration plan — another consultancy deliverable, with a clear handoff to the operations team that would execute it.
  3. Ongoing operational support for the combined entity once the deal closed — pure MSP work.

They could have hired three different firms. They could have stretched their existing MSP into consultancy work they weren’t really set up for. Or they could have brought in a Big Four consultant who would have charged them roughly four times the going rate and then handed an unimplementable PowerPoint to the same internal team that was already overloaded.

What we did: ran the due diligence as a fixed-scope consulting engagement, produced the integration plan, then transitioned them onto our managed IT services with a vCIO included. Same firm, two separate deliverables, no double-charging because the operational team already had the context from the consulting work.

That’s the case for “both” — but it’s also the case where it makes sense to have both functions sit under one roof. It doesn’t always.

Decision matrix: which do you actually need?

Here’s the cheat sheet I’d give an owner trying to sort this out internally. The scenarios are real ones I see across our Melbourne client base.

| Scenario | Consultant only | MSP only | Both |
| --- | --- | --- | --- |
| Strong internal IT team, one-off strategic decision (cloud migration, ERP selection) | Yes | No | No |
| No internal IT, day-to-day support is broken, no big strategic project on the horizon | No | Yes | No |
| M&A or divestment with IT integration risk | Yes (for the deal) | Likely separately | Often |
| Compliance program (Essential Eight, ISO 27001, IRAP) | For the gap analysis | For the implementation and ongoing controls | Yes |
| Growing 20-200 person Melbourne SME, no internal IT lead, mix of project and BAU needs | No | Not enough on its own | Yes — MSP with vCIO |
| You suspect your current MSP is underdelivering and want an independent review | Yes — get an outside consultant | No | No (don’t ask the incumbent) |
| Internal IT team of 2-4 stretched on BAU, struggling with after-hours and security ops | No | Yes — co-managed model | Depends on whether strategy is also a gap |
| Board has asked for an IT strategy presented at the next quarterly meeting | Yes (or vCIO if you already have one) | No | Often, via vCIO |

How to avoid paying twice for the same thing

This is the practical problem most buyers don’t see coming. You hire an MSP. The MSP includes “strategic reviews” or vCIO time in the contract. Six months later you also hire a consultant for a specific project, and the consultant’s first three weeks are spent doing exactly the discovery work the MSP already documented. You’re paying for both.

A few rules to keep this honest:

  • Make your MSP’s documentation a contract deliverable. Network diagrams, asset register, application list, identity model, security posture document, backup runbook. If a consultant comes in later, this is their starting point.
  • Scope consulting engagements tightly. Defined deliverable, defined timeline, defined exit. “Help us with IT strategy” is not a scope. “Produce a three-year infrastructure roadmap with costed options, presented to the board by 30 September” is a scope.
  • Be clear who owns implementation. A consultant who produces recommendations they can’t or won’t help implement is half a service. Either they hand off cleanly to your MSP, or they’re set up to execute themselves.
  • Don’t let the MSP grade their own homework. If you need an independent view on whether your MSP is performing — particularly during a contract renewal — get an outside consultant. The conflict of interest in asking the incumbent is obvious.
  • Push back on day rates that don’t match the work. Consultant day rates are appropriate for strategy and design. They are not appropriate for ticket work. If you’re being charged consultant rates for operational tasks, you’ve got the wrong engagement model.

Where TechAssist sits

Honest disclosure: we do both. We’ve been a Melbourne MSP since 2014, and we run the operational side — 13 Australian-based engineers, sub-15-minute response on P1 incidents, 24/7 NOC at our Tecoma operations centre — as our core service. The consultancy work sits alongside it: vCIO for clients on our managed services, defined-scope consulting engagements for organisations that just want the strategic deliverable, and IT due diligence work for businesses going through M&A.

What we don’t do is pretend the two functions are the same thing. If you come to us for a fixed-scope consulting piece and you don’t want to be on managed services, that’s a perfectly reasonable engagement and we’ll quote it that way. If you’ve got a good incumbent MSP and you just want an independent architecture review, we’ll do that too. The aim is to size the engagement to the actual problem.

Frequently asked questions

Is an MSP cheaper than hiring an IT consultant?

For ongoing work, almost always yes. MSP pricing is per-user or per-device per month, and the operational economics work because the MSP spreads cost across many clients. Consultant day rates make sense for defined deliverables that need senior thinking. Trying to use a consultant for operational work, or an MSP for genuinely strategic independent advice, is where the cost-benefit breaks down.

Can I just use my MSP for everything strategic too?

For most things, yes — a good MSP’s vCIO function will cover roadmap, budget, refresh planning and quarterly reviews competently. Where you genuinely need an outside consultant: independent vendor selection, M&A due diligence, a review of the MSP itself, or compliance work where an independent attestation is required.

What’s the difference between a vCIO and a CIO?

A full-time CIO is on your payroll, in your meetings, accountable for IT outcomes across the business. A vCIO is fractional — usually one to four days a month — delivered by an MSP or consultancy. For SMEs under about 250 people, a vCIO is usually the right answer. Above that, you start needing the full-time role. We covered this in detail in our virtual CIO guide.

How do I know if my current MSP is strong enough on the consulting side?

Ask for the last twelve months of quarterly business reviews. If they exist, are written down, and contain actual recommendations with timelines and costs — you’ve got a strong vCIO function. If your MSP can’t produce them, or they’re a template with your logo on it, the strategic side is weak and you’ll need to supplement.

Should I hire a consultant before I hire an MSP?

If you’re starting from scratch — new business, no incumbent — usually no. Pick a competent MSP, get the operational basics running, and let the vCIO function handle initial strategy. Bring in a consultant if and when a specific large decision sits outside the MSP’s competence or independence. If you’re replacing an existing MSP, a short consulting engagement to define what you actually need before going to market is often worth the money.

A sensible next step

If you’re not sure whether you need a consultant, an MSP, or both, the cheapest first move is a conversation. We do these for free — half an hour, no obligation, honest read on whether the problem you’ve described is operational, strategic, or both. If we’re the right fit, we’ll tell you. If you’d be better off with a different model, or a different firm, we’ll say that too.

Reach the team on 1300 028 324 or via the contact page and we’ll get back to you the same business day.

Per-user fixed monthly suits most Australian SMEs with 15-150 staff and standard office setups. Per-device works for shops heavy on servers, kiosks or shared workstations. Hourly retainers fit businesses with internal IT who only need overflow help. Hybrid models suit complex environments mixing cloud, on-prem and field staff.

If you’ve put three Melbourne MSPs in front of your finance team, you’ve probably had three completely different quote structures land in your inbox. One charges $135 per user per month. Another quotes $89 per device. A third wants a $4,500 monthly retainer plus T&M on anything outside scope. They’re all “managed IT” — but the way they bill changes everything about how the relationship actually plays out.

This post is about managed IT pricing models as a structural choice, not the totals. If you want the dollar ranges Melbourne MSPs typically charge in 2026, read our Melbourne managed IT pricing breakdown first. What follows is about which billing mechanism actually suits your business, and why the wrong structure leaves you either overpaying or fighting your MSP every month over what’s in-scope.

Why the billing model matters more than the headline price

Two MSPs can quote the same monthly total and deliver wildly different experiences. The billing model dictates three things that compound over the life of the contract: what counts as “included,” how the MSP’s incentives line up with yours, and how predictable your IT line item is when you grow, shrink or change.

I’ve seen a 40-staff accounting firm in Hawthorn switch from per-device to per-user and watch their monthly bill drop 18% — not because the new provider was cheaper, but because they had a lot of part-time staff sharing workstations. The per-device model was counting hardware their team barely used. Conversely, a manufacturing client in Dandenong South tried to move from per-device to per-user and the numbers blew out — they had two PLCs, six shop-floor terminals and a server room per staff member, and per-user pricing assumed a desk-and-laptop world that didn’t exist in their business.

The model has to match the shape of your environment. Here’s how each one actually works.

Model 1: Per-user fixed monthly

You pay a flat fee per active staff member each month. That fee covers everything the MSP defines as standard support — typically one or two devices per user, mobile device management, email, identity, common SaaS apps, security stack, helpdesk, after-hours coverage and patching.

How it actually works

The MSP audits your headcount monthly. New starter joins on the 14th? You’re billed pro-rata. Someone leaves? Their licence is decommissioned and they come off the next invoice. The price is fixed per person regardless of how many tickets they raise, which is the whole point.

Most Australian per-user agreements sit between $110 and $185 per user per month in 2026, depending on stack inclusions and SLA. The number on the proposal isn’t really negotiable — what you negotiate is what’s inside the bundle.

What’s typically included

  • Helpdesk during business hours and after-hours P1 response
  • Endpoint security (EDR), patching, monitoring
  • Microsoft 365 or Google Workspace administration
  • One or two endpoints per user (laptop + phone, or desktop + laptop)
  • Identity and access management
  • Backup of cloud data (sometimes excluded — check the SOW)
  • Onboarding and offboarding of staff

Who it suits

Knowledge-work businesses with 15-150 staff, mostly cloud-based, fairly uniform setups. Professional services, agencies, advisory firms, allied health, NFPs, small wholesalers. If your people each have a laptop and a phone and they live in Microsoft 365 or Google Workspace, per-user is almost always the cleanest fit.

Where it fails

It falls apart when your headcount understates your IT footprint. A 25-staff manufacturer with 80 devices on the floor will get murdered on per-user pricing — or, more accurately, the MSP will quietly add a “per-device surcharge” for non-user devices, which makes the whole thing less transparent than per-device would have been. Same problem for retail with POS, hospitality with kiosks, or logistics with handheld scanners.

TechAssist runs per-user fixed monthly as our standard model. We chose it because it makes our incentives line up with the client’s — we get the same revenue whether your staff raise three tickets a month or thirty, so we’re motivated to fix root causes, not to keep the lights flickering. It also means finance teams know exactly what next month looks like.

Model 2: Per-device

You pay a fee per managed endpoint — server, workstation, laptop, sometimes mobile. Each device class usually has its own rate. Servers might be $250-$450/month, workstations $55-$95, laptops similar, mobiles $15-$25.

How it actually works

The MSP runs discovery, builds an asset register, agrees the per-device rates with you and then invoices monthly based on what’s under management. You add a device, it gets onboarded and added to the bill. You retire a device, it comes off. Users are basically invisible to the billing — the MSP doesn’t care if one person uses ten laptops or ten people share one.

What’s typically included

  • Monitoring and patching on each managed device
  • Endpoint security on each device
  • Backup and recovery (usually charged separately for servers)
  • Helpdesk for issues on managed devices
  • Hardware lifecycle management

What’s usually NOT included on a strict per-device model: user support that isn’t device-specific (password resets, M365 admin, identity issues), project work, and after-hours unless explicitly bolted on.

Who it suits

Asset-heavy businesses where devices outnumber users — manufacturing, warehousing, retail chains, hospitality groups, healthcare with diagnostic kit, logistics. Also a reasonable fit for small businesses with very few staff but a couple of servers, where per-user feels like you’re paying for nothing.

Where it fails

Two places. First, user-centric problems don’t fit cleanly — a staff member who can’t log in isn’t a device problem, but they’ll still ring the helpdesk. Second, the asset register becomes a fight. Is the meeting room TV a managed device? The receptionist’s iPad? The MD’s home laptop? Per-device billing pushes both sides to argue about scope every time something new appears.

Model 3: Hourly retainer or block hours

You pre-purchase a block of engineering hours each month — say 20, 40 or 80 hours at a negotiated rate — and burn them down on whatever you need. Unused hours sometimes roll over (rarely past 30 days), sometimes expire.

How it actually works

The MSP quotes a blended hourly rate, usually $165-$235/hour in Melbourne in 2026 depending on seniority and after-hours loading. You commit to a minimum monthly spend. Tickets are logged with time, you get a monthly report showing burn-down, and you top up when the block runs low.

What’s typically included

Nothing is “included” in the per-user/per-device sense. You pay for what you use. Monitoring and security tooling are usually billed separately as monthly licence costs, then engineering time is drawn from your hour block.

Who it suits

Businesses with capable internal IT who only need overflow, escalation or specialist help. Government departments with their own IT but needing M365 specialist hours. Larger SMEs with a one-person internal IT lead who needs backup. Also fits businesses doing a project-heavy phase — migration, fit-out of a new office — where work is bursty rather than steady. This is the model most often seen in our co-managed IT engagements, where there’s an internal IT lead and we plug in capacity.

Where it fails

It penalises proactive work. If every hour the MSP spends gets billed, they have a perverse incentive to be reactive — and you have a perverse incentive to avoid calling them, which means small problems become big ones. It’s also brutal during incidents: a six-hour outage can chew through a month’s block in one afternoon. And it makes budgeting harder, not easier, because your spend tracks your bad weeks.

Model 4: Hybrid

A fixed per-user or per-device base for “everything routine” plus an hourly rate for project work, after-hours emergencies, or anything outside a defined scope. Probably the most common model in Australia in 2026, even when MSPs market themselves as pure per-user or pure per-device.

How it actually works

The contract defines an inclusion list — the routine stuff covered by the fixed fee — and an exclusion list, which is everything billable at T&M. The cleaner the inclusion list, the more predictable your bill. The fuzzier it is, the more arguments you’ll have.

What’s typically included in the fixed portion

  • Helpdesk, monitoring, patching, security stack — same as per-user
  • Routine admin (user adds/removes, password resets, standard config changes)
  • Standard reporting and reviews

And billed hourly on top:

  • Projects (migrations, new site fit-outs, hardware refreshes)
  • After-hours work outside SLA
  • Anything the SOW classifies as out-of-scope

Who it suits

Most growing SMEs eventually end up here, because pure per-user can’t absorb major project work without inflating the per-seat rate, and pure hourly is too volatile. A 60-staff law firm in South Yarra running a fixed per-user fee for day-to-day but commissioning us hourly for a Practice Evolve migration is a textbook hybrid scenario.

Where it fails

Scope creep on both sides. If the inclusion list isn’t tight, the MSP starts pushing routine work into project hours. If it’s too tight, the client feels nickel-and-dimed. The hybrid model is only as good as the SOW that defines it — read ours under our pricing and SLA terms before you sign anything from anyone.

The four models, side by side

| Model | What works | Who it suits | Where it fails | Typical AUD context (2026) |
|---|---|---|---|---|
| Per-user fixed monthly | Predictable spend, aligns MSP incentives, easy to scale with headcount | Knowledge-work SMEs, 15-150 staff, cloud-first, uniform setups | Device-heavy environments; non-user assets distort the model | $110-$185 per user per month |
| Per-device | Accurate for asset-heavy businesses, simple inventory-driven billing | Manufacturing, retail, hospitality, logistics, healthcare with kit | User-centric tickets don’t fit; scope fights over what counts as “managed” | $55-$95 workstation, $250-$450 server, per month |
| Hourly retainer / block hours | Pay only for what you use, flexible for variable workloads | Businesses with internal IT needing overflow; project-heavy phases | Penalises proactive work; volatile during incidents; poor for budgeting | $165-$235/hour blended; 20-80 hour blocks common |
| Hybrid (fixed + T&M) | Routine work predictable, projects funded properly | Growing SMEs, complex environments, businesses doing migrations | Only as good as the SOW; scope-creep risk on both sides | Base fixed fee + $185-$235/hour for out-of-scope work |

The honest version: why TechAssist runs per-user fixed

We’ve used three of these four models across the business since we were founded in 2014. We settled on per-user fixed monthly as our standard because of incentive alignment more than anything else. With 13 Australian-based engineers and a 24/7 NOC in Tecoma, we carry the cost of being available whether or not your staff need us in any given month. Per-user fixed means we’re paid the same whether your team raises five tickets or fifty. So we spend our energy fixing root causes, building reliable platforms and reducing the ticket rate over time — because that’s how we stay profitable.

The other reason: it’s the model SMEs find easiest to justify to the board. “We pay $X per head per month, full stop” is a clean line item. It scales when you hire. It shrinks when you don’t. And it doesn’t generate surprise invoices that have your CFO ringing us in week three of the month.

It’s not the right model for everyone. We’ve recommended per-device or hybrid arrangements to manufacturing prospects where per-user would have understated their footprint and resulted in either a padded per-seat number or constant out-of-scope billing. The right billing model is the one that matches your environment honestly, and we’d rather refer that work than misprice it.

How to pressure-test an MSP’s quote

Before you sign anything, ask these questions in writing:

  1. What’s the exact inclusion list? Not the brochure version — the SOW version.
  2. What triggers an out-of-scope billable hour? Give me three examples.
  3. What’s the after-hours and weekend loading on hourly rates?
  4. How is a “user” or “device” defined? When does a contractor count? A shared workstation?
  5. What happens to the bill if headcount drops 20% in a quarter?
  6. What’s the SLA for P1, P2 and P3? What’s the credit if you miss it? (Ours sits under 15 minutes for P1 — see our SLA detail.)
  7. What’s the minimum contract term, and what’s the exit clause?

An MSP that answers all of these clearly is operating an honest pricing model. One that gets vague on any of them is going to be vague on the invoice too.

Matching the model to your business

A few quick patterns we see in Melbourne SMEs:

  • Professional services (legal, accounting, consulting), 20-100 staff: per-user, almost always.
  • Allied health, NFP, education admin: per-user, with care taken on shared devices in clinics or classrooms.
  • Manufacturing and warehousing: per-device or hybrid, with explicit server-class pricing.
  • Retail and hospitality groups: per-device for POS-heavy sites, per-user for head office staff.
  • Construction and trades with field staff: per-user works if everyone has a phone and laptop; hybrid if you’ve got site-based servers or specialty kit.
  • Businesses with internal IT (1-3 person team): hourly block or co-managed arrangement, with the MSP handling escalation, security and after-hours. Worth reading our breakdown of co-managed IT pricing for Australian SMEs if this is you.

If you’re somewhere between two patterns — which is most growing businesses — hybrid is usually the right answer, with a tight SOW.

FAQ

Is per-user pricing always more expensive than per-device?

No. For knowledge-work businesses with one or two devices per user, per-user is usually cheaper because the MSP is sizing the contract to your actual support load — humans raise tickets, devices generally don’t. For asset-heavy businesses it can be more expensive, because you’ll either pay a higher per-seat rate or end up on a hidden hybrid. The right comparison is total cost over 12 months, not the headline rate.

Can I negotiate the per-user rate down?

A bit, but not much. The real negotiation is what’s inside the bundle. Push for explicit inclusions on after-hours, backup, M365 administration, security stack and onboarding/offboarding. Those clauses are worth more than $5-10 off the per-user fee.

What about pure break-fix (call us when something breaks)?

We don’t offer it and most credible MSPs won’t either. The economics don’t work for either side — you pay too much per incident, the MSP can’t invest in proactive monitoring, and security cover is patchy. If your IT spend is genuinely that small, you probably need a one-person IT contractor on retainer, not a full MSP.

If I have 200 staff but only 50 use computers regularly, do I pay for all 200?

You pay for active users — people who have an identity, a mailbox or a managed device. Shop-floor workers without a login don’t count. We define this in the SOW so there’s no ambiguity at month-end.

How often can I change billing models with my MSP?

Usually at contract renewal — most agreements run 12 or 24 months. Mid-term changes happen but require a fresh SOW. If your environment has changed materially (acquisition, new site, restructure), most MSPs will reopen the model rather than force you through to renewal on the wrong terms.

Where to next

If you want the dollar ranges to go with this structural picture, read our Melbourne managed IT pricing post for 2026. If you’ve got internal IT and you’re weighing co-managed options, the co-managed pricing breakdown is the right next read.

If you’d rather just have someone look at your environment and tell you which model actually fits, our managed IT team runs a 30-minute scoping call at no cost — we’ll be honest if per-user isn’t right for you. Get in touch or call us on 1300 028 324.

Under 15 staff with no IT person — fully managed IT usually fits. 30 to 150 staff with one or two internal techs drowning in tickets — co-managed vs managed IT tilts toward co-managed. 200+ with complex apps and strict compliance — a proper internal team, often backed by a partner, is the right call.

That’s the short answer. The rest of this post is the working — what each model actually means once the sales deck closes, what it costs in real AUD, where each one falls over, and a decision matrix you can take into your next board meeting.

We’ve helped Melbourne SMEs across Cremorne agencies, Dandenong manufacturers, and Box Hill medical practices move between all three models. None of them are inherently better. They suit different shaped businesses, and the wrong fit is expensive in ways that don’t show up on the invoice.

What each model actually means in practice

The three terms get used loosely, and MSPs are guilty of muddying the water. Here’s what’s really on offer when you strip out the marketing.

Internal IT

You employ your own IT staff. Could be one person doing everything from password resets to Azure tenant design, or a structured team with a help desk, sysadmins, and an IT manager reporting to the CFO or COO.

The pitch is control and institutional knowledge. Your IT person knows where the bodies are buried, sits in the lunchroom, and can be tapped on the shoulder. They learn your line-of-business apps deeply because they live with them every day.

The reality is that one person can’t cover everything. A solo internal hire is on-call 24/7 by default, can’t take a fortnight off without something burning, and is unlikely to be equally strong at Microsoft 365 hardening, network design, backup verification, server patching, and end-user support. You’re paying senior money for someone who’ll spend two thirds of their day on tickets a Level 1 should handle.

Fully managed IT

You outsource the lot to an MSP. They run your help desk, manage your devices, patch your servers, monitor your network, handle your backups, and own the relationship with Microsoft, your ISP, and your line-of-business vendors. You get a single number to call.

The pitch is predictable cost, broad skill coverage, and after-hours support without paying overtime.

The reality, when it’s done properly, matches the pitch. The reality when it’s done badly is ticket queues, junior engineers cycling through your account, and a feeling that nobody actually knows your business. The difference comes down to engineer-to-client ratios, whether the MSP is Australian-employed or offshored, and whether there’s a named technical lead on your account.

At TechAssist we run with 13 engineers, all Australian-employed, and clients get a named lead engineer who knows the environment. We charge per user, fixed, with no surprise hourly billing. The model only works if the MSP is genuinely incentivised to fix root causes rather than churn tickets.

Co-managed IT

You keep your internal IT person or team, and an MSP plugs in alongside them. Roles get carved up explicitly. The internal team usually owns user-facing work, line-of-business app knowledge, and project liaison. The MSP owns the heavy lifting — 24/7 monitoring, after-hours coverage, backup verification, security operations, escalations, and the deep technical work the internal person doesn’t have time for.

The pitch is “your internal IT, supercharged.” It’s accurate when the boundaries are clear and the MSP doesn’t try to land-grab. It falls over when nobody documents who owns what, and tickets fall between the cracks.

Co-managed is the fastest-growing of the three models in the Melbourne SME market, and it’s where we’re seeing the most thoughtful conversations. We’ve written a longer piece on how it works specifically for Melbourne SMEs that runs alongside this one — see co-managed IT for Melbourne SMEs: internal plus external for the operational detail.

Who each model actually suits

Forget headcount-only rules of thumb. The right model depends on a handful of factors that interact.

Fully managed: the sweet spot

Best fit: 5 to 50 staff, no internal IT, standard tech stack (Microsoft 365, some line-of-business SaaS, maybe a file server or two), and a leadership team that wants IT to “just work” without thinking about it.

Concrete example: a 22-person accounting firm in Camberwell running Xero Practice Manager, FYI Docs, and Microsoft 365. They don’t need a full-time IT person — that’d be 60% idle. They need someone to onboard new staff in a day, keep the laptops patched, run the backups, respond when someone can’t print, and lift their security posture so the cyber insurance renewal doesn’t bite. Fully managed is the obvious call. See our managed IT services for what’s included.

Also a strong fit: professional services firms, allied health practices, smaller manufacturers, and not-for-profits where IT isn’t a competitive differentiator and reliability matters more than bespoke control.

Co-managed: the sweet spot

Best fit: 30 to 150 staff, one to three internal IT people, and either a growth trajectory that’s outpacing the team or a skills gap (usually security, cloud architecture, or after-hours).

Concrete example: a 75-person engineering consultancy in Richmond with a solo IT manager. He’s good — knows the CAD pipeline, knows the Revit licensing, knows which director hates Teams. But he’s the only one. He can’t take leave, his security knowledge is patchy, and the directors won’t sign off on hiring a second IT person at $110k when they’re not sure it’s justified.

Co-managed lets him keep owning the user-facing work and the CAD environment, while an MSP runs 24/7 monitoring, handles after-hours incidents, owns backup verification, and gives him senior engineers to escalate to when something’s beyond his depth. He stops being a single point of failure, and the directors get sub-15-minute response times around the clock without hiring a second body. Our co-managed IT support page covers how the role split works in practice.

Also a strong fit: mid-sized law firms, multi-site retail, manufacturers with shift work needing after-hours coverage, and any business where the internal IT person is the bottleneck on growth.

Internal IT (sometimes plus a partner): the sweet spot

Best fit: 200+ staff, complex environment (multiple line-of-business apps, integrations, dev teams, regulated industry), and IT genuinely is a strategic function rather than a cost centre.

Concrete example: a 350-person specialist healthcare provider with multiple clinics across Victoria, a custom patient management platform, HL7 integrations with pathology and imaging providers, and ADHA compliance requirements. They need an IT manager, a help desk, sysadmins, and probably a developer or two. An MSP can’t run this — too much institutional knowledge required, too much custom work, decisions that need to be made in real time with clinical context.

What they often do have is a partner for specific functions: a security-focused MSSP for SOC services, a cloud partner for Azure architecture reviews, or an MSP backstop for after-hours help desk overflow. Pure internal is rare at this size; pure outsourced is dangerous.

Also a strong fit: financial services with regulatory complexity, large healthcare networks, businesses with significant in-house software development, and any organisation where the IT function is genuinely a strategic asset.

What each model costs (real AUD ranges)

Prices below are Melbourne market ranges as of mid-2026, for a representative SME profile. Your numbers will vary with complexity, but these are the right order of magnitude.

Internal IT cost

A solo internal IT generalist in Melbourne: $85k to $120k base salary, plus super, leave, training, and tools. All-in cost to the business is roughly $115k to $160k per year. Add the cost of the gear they need (admin licences, monitoring tools, backup software if you go DIY) and you’re closer to $130k to $180k.

For a 30-person business, that’s $360 to $500 per user per month, just for one person. And you’ve still got a single point of failure, no after-hours coverage, and skill gaps.

A structured internal team (IT manager + two help desk + one sysadmin) for a 200-person business: $450k to $650k all-in, or roughly $190 to $270 per user per month before tools and gear.

Fully managed IT cost

Quality Melbourne MSPs charge between $120 and $220 per user per month for fully managed, depending on scope, security inclusions, and whether 24/7 is bundled in. The cheap end ($60 to $100) usually means offshore help desk, shared engineer pools, and project work billed separately on top. The expensive end usually includes a vCIO function, security operations, and bundled project hours.

TechAssist sits in the middle — fixed per-user pricing, no hourly billing for in-scope work, 24/7 NOC included, and named engineers per client. Full breakdown on our pricing and SLA page.

For a 30-person business: roughly $3,600 to $6,600 per month, or $43k to $80k per year all-in. Less than half the cost of a solo internal hire, with broader coverage and no leave gaps.

Co-managed IT cost

Co-managed pricing varies more because the scope varies. Typical Melbourne ranges are $50 to $130 per user per month for the MSP portion, on top of your existing internal IT salary cost.

For the 75-person engineering consultancy above: $110k for the internal IT manager, plus roughly $4,500 to $9,000 per month for co-managed coverage. All-in cost in the $165k to $220k range, versus $220k+ for hiring a second internal person to fill the gaps.

The maths usually works out in favour of co-managed at this size, and you get 24/7 coverage, deep specialist skills on tap, and resilience the second hire wouldn’t have provided.

The comparison matrix

This is the table to take to your next leadership meeting. One row per decision factor, one column per model.

| Decision factor | Internal IT | Fully managed IT | Co-managed IT |
|---|---|---|---|
| Business size (staff) | Best at 200+; viable at 50+ with a partner | Best at 5 to 50; works up to 100 | Best at 30 to 150; works up to 300 |
| Existing internal capability | Required — that’s the model | None needed | Required — one or more internal techs |
| Growth trajectory | Hard to scale fast; hiring lag of 3 to 6 months | Scales immediately; just add users to the agreement | Scales well; MSP absorbs spikes while internal team grows |
| After-hours coverage | Painful and expensive; usually one person on-call | Included; 24/7 NOC monitors and responds | Included via MSP; internal team works business hours |
| Compliance burden | Strong fit if you need clinical or regulatory context | Works for standard compliance (Essential Eight, ISO basics) | Best of both — internal context, external rigour |
| Cost predictability | Salaries fixed; surprise project costs common | Fixed per user; very predictable | Mostly fixed; project work usually separate |
| Knowledge of your business | Deepest — they live there | Good with named-engineer model; poor with ticket queues | Strong — internal owns deep context, MSP owns broad skills |
| Single-point-of-failure risk | High with a solo hire; lower with structured team | Low — MSP has redundancy built in | Low — MSP backstops the internal team |
| Security operations capability | Patchy unless you hire a dedicated security person | Strong if the MSP has a real SOC; weak if not | Strong — internal handles policy, MSP handles operations |

What breaks under stress in each model

Every model has a failure mode. Knowing them up-front saves grief.

Internal IT failure modes

The single-point-of-failure problem is the big one. When your solo IT person resigns, takes long-service leave, or gets hit by a bus, the institutional knowledge walks out the door. We’ve been called into Melbourne businesses where the internal IT manager left with three weeks’ notice and nobody else knew the admin passwords, the backup configuration, or which Azure tenant did what. Recovery takes months.

The other failure mode is skills atrophy. A solo IT person can’t be expert at everything. Their security knowledge gets stale, their cloud architecture is whatever they learned five years ago, and their backup verification is “I assume it’s working.” This bites hardest during incidents.

Fully managed IT failure modes

The classic failure is the help desk ticket queue. You log a ticket, it sits with a Level 1 engineer who doesn’t know your environment, it gets escalated, then re-escalated, and four days later somebody actually fixes it. This happens when the MSP’s engineer-to-client ratio is too high, or when accounts get bounced between engineers with no continuity.

The other failure is scope arguments. “That’s not in your agreement, that’ll be billable” gets old fast. The fix is choosing an MSP with broad fixed-scope inclusions and not the cheap-and-cheerful end of the market.

The third failure, less talked about, is loss of internal capability. After three years of full outsourcing, your team has forgotten how anything works. Switching providers or bringing it back in-house becomes a major project.

Co-managed IT failure modes

The biggest one is unclear boundaries. If the RACI matrix isn’t documented and reviewed quarterly, tickets fall between the cracks. The internal person thinks the MSP owns it, the MSP thinks internal owns it, the user waits two days, and trust erodes.

The second failure is ego. Some internal IT people see the MSP as a threat to their job. Some MSPs treat the internal person as a junior to be worked around. Either kills the model. It needs to be a partnership, with the internal IT person treated as the senior on-site contact and the MSP as the deep-bench backstop.

A worked example: which model would a Cremorne creative agency choose?

Imagine a 45-person creative agency in Cremorne. Adobe Creative Cloud across the studio, big shared storage for video projects, Microsoft 365 for everything else, hybrid working, and one part-time IT contractor who comes in two days a week.

The contractor handles user issues and the studio storage. He’s competent but works in a silo. The directors are nervous about security after a competitor got hit with a ransomware incident last year. They’ve never tested a backup restore. After-hours support is whatever the contractor picks up on his mobile.

Three honest options:

  • Hire a full-time IT manager. $115k all-in. Still a single point of failure. Still no genuine after-hours. Probably overkill for the day-to-day load.
  • Move to fully managed. Replace the contractor entirely. Roughly $6,500 a month all-in for a quality MSP. Lose the contractor’s accumulated knowledge of the studio storage and Adobe setup.
  • Move to co-managed. Keep the contractor (maybe bump him to three days a week) and bring in an MSP for monitoring, after-hours, security operations, backup verification, and escalation. Roughly $4,500 to $5,500 a month for the MSP portion, on top of the contractor.

For this business, co-managed is usually the right answer. The contractor’s studio knowledge is valuable. The MSP fills the security, after-hours, and resilience gaps. The total cost is lower than hiring a full-time IT manager, and the risk profile is much better than the status quo.

For a different business — say, a 12-person Hawthorn architecture practice with no internal IT at all — fully managed would be the obvious answer, not co-managed.

How to actually decide

If you’re staring at the matrix and still not sure, work through these questions honestly.

Do you have someone internal already?

If yes, and they’re competent, the conversation should start with co-managed. Replacing a good internal IT person with an MSP almost always costs you institutional knowledge that’s hard to rebuild. Co-managed lets you keep what works and patch what doesn’t.

If no, fully managed is the default unless you’re large enough (200+) to justify building an internal team from scratch.

What’s your growth trajectory?

If you’re growing fast — say, doubling staff in 18 months — fully managed scales most easily. You add users to the agreement. Internal hiring lags growth by months, which means IT becomes the bottleneck.

If you’re stable, the question is more about fit and cost.

How much does after-hours matter?

If you’re shift-based, multi-state, or your business loses meaningful revenue during downtime, after-hours coverage is non-negotiable. Internal-only struggles here. Both managed and co-managed models include 24/7 monitoring and response from a proper NOC.

What’s the compliance picture?

If you’re in healthcare, financial services, government-adjacent, or you handle sensitive client data with regulatory implications, get specific about what controls you need. Essential Eight maturity, ISO 27001, ADHA, APRA — these change the conversation. A good MSP will speak this language. An MSP that doesn’t is a red flag regardless of which model you choose.

FAQ

Can I switch from managed to co-managed later if I hire an internal IT person?

Yes, and a decent MSP will welcome it. The scope shifts — your internal person takes on the user-facing work, and we re-carve the responsibilities. Pricing usually drops because we’re doing less of the day-to-day, though not as much as you might expect, because the high-value work (monitoring, security operations, after-hours) stays with us. Get the boundary changes documented before the new hire starts.

What’s the minimum business size where fully managed makes sense?

Around 5 staff. Below that, the per-user pricing model can feel steep relative to the actual support load, and ad-hoc engagements often suit better. From 5 staff upward, the maths starts working — you’re getting a help desk, monitoring, patching, backups, security, and after-hours for less than you’d pay a junior IT person.

Does co-managed mean my internal IT person gets demoted or sidelined?

If it’s set up properly, no — the opposite. The internal person typically becomes the technical owner of the relationship, the person who decides priorities, and the senior point of contact. The MSP works to their direction on most things. Where it goes wrong is when the MSP tries to take over, or when leadership treats the internal person as redundant. Set the framing early and revisit it quarterly.

How do I tell if an MSP is good before signing?

Ask for the engineer-to-client ratio, where the engineers are employed (Australia or offshore), whether you’ll get a named technical lead, what’s actually in scope versus billable, and what their average response time is for high-priority tickets. Ask for two reference clients of similar size and industry. If they hedge on any of these, walk. At TechAssist we publish our response targets (sub-15-minute on high-priority), our team size (13 Australian-employed engineers), and our pricing structure publicly because we’d rather have those conversations up-front.

Can I run fully managed for the main business and internal IT for a specific division?

Yes, and it’s more common than people realise. A manufacturing business might run fully managed across head office and the warehouse, but keep an internal IT person dedicated to the production floor systems. A medical group might outsource the corporate office but keep clinical IT internal. The key is clean boundaries and a single point of accountability for cross-domain issues.

The honest answer

There’s no universally right model. There’s a right model for your business at its current size, with its current internal capability, in its current growth phase, with its current compliance burden. Two years from now the answer might be different.

The wrong model is usually expensive in ways that don’t show up immediately. A solo internal IT hire in a 25-person business looks like control — until they resign. A bargain-basement MSP in a 60-person business looks like savings — until the third major incident in a quarter. Hiring an internal team in a 40-person business looks like maturity — until you realise you’re paying $400k for capabilities a $90k-a-year MSP would have covered better.

If you want a second opinion that doesn’t end with us trying to sell you something you don’t need, give us a call on 1300 028 324 or get in touch via our contact page. We’ll tell you honestly which of the three models fits, even if it’s not us. If you’re specifically weighing up MSP options in Melbourne, our Melbourne managed IT services page lays out exactly what we cover, what we charge, and what the SLAs look like.
