Most UK SMEs frame the IT decision as a binary: hire an in-house IT manager, or outsource the lot to an MSP. There is a third model that fits more businesses than either, and most internal IT decision-makers don't know it has a name: **co-managed IT**. Your internal IT person (or 2-3 person team) keeps the parts of the job they're best at (user support, business knowledge, vendor relationships) and an outsourced partner takes the parts they can't realistically do solo (24/7 cover, deep cyber-security operations, specialist projects, after-hours escalation). Below: the honest maths for all three models for a 20-100 user UK SME, when each one wins, and what a working co-managed split looks like in practice.
The three models, defined
Before the maths, terms.
In-house IT. You hire a permanent IT manager (and sometimes a junior). They sit in the office, they know your team and systems, they answer the printer questions. Loaded annual cost for a competent solo IT manager in the South West or M4 corridor is £50,000 to £75,000. For two people (manager + junior) you're at £80,000 to £110,000.
Fully managed IT (outsourced). You hand the IT function to a managed service provider (MSP). The MSP runs the helpdesk, the patching, the security, the strategy, the lot. No internal IT presence required. Typical UK pricing in 2026 sits between £39 and £120 per user per month depending on tier, with our entry point at £39 and the market median around £60-£80. For a 30-user SME, expect £1,200 to £2,400 per month all-in.
Co-managed IT. Your internal IT person (or small team) stays. An MSP partner sits alongside them. The MSP brings tooling, 24/7 cover, specialist skills, project capacity and after-hours escalation. The internal team keeps day-to-day user support, vendor management and the business knowledge that takes years to build. Pricing varies because the scope varies, but most co-managed engagements for a 20-100 user UK SME land between £1,000 and £4,000 per month plus a project budget for the heavier lifting. Materially less than fully managed; materially more capable than in-house alone.
The market frames the choice as one-versus-the-other. In our experience working with 200+ UK SMEs, the more accurate framing is: which model fits the team you have today and the business you're trying to be in 18 months.
The honest maths for a 20-100 user UK SME
Real numbers, mid-range scenarios, before any negotiation.
Option A: In-house only (1 person)
- Salary: £55,000 (typical mid-level South West / Midlands IT manager)
- National Insurance + pension + benefits: £8,500
- Recruitment cost amortised: £3,000/year
- Training + certifications: £2,500/year
- Tools the person needs (RMM, ticketing, EDR, M365 admin, monitoring): £6,000-£15,000/year
- Total: £75,000-£84,000/year. Coverage: 1 person, 40 hours/week, no nights, no holidays, no specialism in cyber.
If they hand in notice the day a ransomware incident lands, you're improvising. We covered the failure mode in our ransomware playbook.
Option B: Fully managed (no internal IT)
- Per-user managed IT contract: 30 users × £60/user/month = £21,600/year
- Per-device endpoint cover (servers, network kit, mobile): £3,000-£8,000/year
- Cyber security stack (EDR, MDR, DLP, MFA enforcement): often bundled; assume £5,000-£10,000 incremental
- Total: £30,000-£40,000/year. Coverage: 24/7 helpdesk + monitoring, specialist skills on tap, no internal management overhead.
The trade-off is that nobody inside the business knows your environment deeply. New starter onboarding, vendor-specific application quirks, the historical reasons a particular workflow exists, all live with the MSP. Most SMEs accept this, some don't.
Option C: Co-managed
- Internal IT manager: £55,000 + £8,500 employment costs = £63,500/year
- Co-managed MSP retainer: ~£2,000/month average for a 30-user business = £24,000/year
- Tooling (provided by MSP, no separate licence costs to the business): £0
- Project budget for cloud migrations, M365 rollouts, CE+ certification etc: £5,000-£15,000/year, used as needed
- Total: £92,500-£102,500/year. Coverage: 1 internal person + a 200+ client MSP bench. 24/7. Specialist skills on tap. Internal continuity preserved.
It looks more expensive than fully managed because it is, in cash terms. The argument for co-managed is the value the internal person provides that an outsourced partner can't replicate: institutional memory, immediate physical presence, relationships with the team, accountability inside the business. The argument against is that for some businesses the internal person isn't actually adding £63,500 of value, and the right answer is fully managed.
When in-house only is the right answer
Three scenarios.
1. Sub-15 users with predictable IT, no compliance pressure. A small professional services firm with 10 users, no regulated data, a stable Microsoft 365 setup, and no public-sector tenders to win can run perfectly well on a part-time IT contractor or a competent in-house generalist. Spending £30,000/year on a managed contract is over-tooling the problem.
2. Highly specialised in-house technical stack. If your IT is built around niche software that an MSP would have to learn from scratch, the internal person who already knows it is the right answer. Often true in manufacturing, certain healthcare specialisms and bespoke-software shops.
3. Strong internal IT culture you don't want to dilute. Some businesses have an IT manager who is a real internal leader, sits on the senior team, and shapes the company strategically. Bringing in an MSP can dilute that voice in the room. Rare but real.
Outside these three, in-house only typically becomes the worst-of-both-worlds option somewhere between 20 and 50 users.
When fully managed is the right answer
1. No existing internal IT and headcount discipline. If you don't currently have an IT person and don't want one, fully managed is the obvious answer. It's also the right answer when the alternative is hiring a junior who would need supervision the business can't provide.
2. Multi-site or distributed teams without local IT presence. Fully managed scales across locations naturally. An in-house IT person tied to a single site doesn't.
3. Heavy compliance requirements without specialist in-house capability. ISO 27001, Cyber Essentials Plus, DSPT, FCA-aligned controls. Building these in-house is achievable but expensive in time. An MSP that runs them as standard for 100+ clients gets you there in months instead of years.
4. Cost-predictability is non-negotiable. Fully managed gives you a per-user-per-month figure. In-house costs vary with sickness, holidays, leavers and projects. Co-managed costs are predictable but higher.
When co-managed is the right answer
This is the section internal IT managers and SME owners should read most carefully, because the answer for many businesses is "co-managed" and the model isn't well advertised.
You have an internal IT person who is good but overstretched. They handle the user-support queue, but they're never on top of patching. They want to roll out CE+ but the project keeps slipping. They're on call 24/7 and burning out. They quit and you replace them every 18 months. Co-managed gives them the bench they need to actually do the strategic work, while we run the patching and monitoring underneath.
You have a 2-3 person internal IT team that needs specialist skills it doesn't have. A generalist team can't realistically build deep capability in cyber, cloud architecture, Microsoft Power Platform, M365 governance, and incident response all at once. Co-managed plugs the specialist gaps without forcing the business to hire 5 specialists it doesn't need 5 days a week.
You have a regulated-sector requirement (financial services, healthcare, legal, supply-chain into the public sector) that needs evidence the internal team can't produce alone. The MSP brings the ISO 27001 and CE+ frameworks, the audit trail, the documented incident response, the formal Service Level Agreement. The internal team brings the business knowledge that makes the controls actually work in your environment.
You are growing fast and the internal team can't scale at the same speed. Hiring takes 90+ days. Onboarding the new hire takes another 60. If headcount is doubling in a year, the internal IT team needs help today, not in six months.
You want internal IT to grow into strategic leadership, not stay stuck on the helpdesk. Co-managed is the model that preserves the internal IT person's career. We've watched several internal IT leads progress from "I am the helpdesk" to "I run IT strategy for a 200-person business with a co-managed partner doing the heavy lifting." That career trajectory is one of the reasons co-managed retains the internal person rather than burning them out.
What a working co-managed split looks like in practice
The split that works varies by team, but the pattern is consistent. Here's the typical division for a 30-user UK SME with one internal IT manager.
The internal IT manager keeps:
- Day-to-day user support (Tier 1) during business hours
- New starter and leaver onboarding (decision and process, with MSP tooling underneath)
- Vendor management for line-of-business applications, where they have established relationships
- Hardware decisions (the MSP runs procurement implementation)
- Microsoft 365 admin for day-to-day tasks
- Cyber Essentials Plus evidence-gathering and day-to-day controls
- First-responder role in incident response (the person who sees it first)
- Strategic IT roadmap input from the business perspective
- Project sponsorship for cloud migrations and big rollouts
The co-managed MSP runs:
- Overflow and out-of-hours helpdesk
- Tooling and automation for onboarding, RMM, ticketing, asset management
- Patching across every endpoint
- Endpoint protection (EDR, MDR or XDR)
- 24/7 monitoring and SOC
- Cyber Essentials Plus and ISO 27001 framework, audit prep, certification renewal
- Microsoft 365 advanced architecture and security configuration
- Disaster recovery operations and testing
- Strategic IT roadmap input from the technical and benchmark perspective
- Incident response forensics, recovery and communications
- Project delivery for migrations and rollouts
The internal team owns what they're closest to. The MSP owns what scales better when run across 200 clients on shared tooling. The boundary moves over time. Some businesses start with the MSP doing more and the internal team doing less; others move the other way as the internal team grows.
How we work alongside an internal team
Our co-managed model is structured around three things.
A named Technical Account Manager for your internal IT lead. Not for the CEO or operations director. For the IT manager. The TAM is their peer, their backup, the person they call when they need a second pair of eyes on a security alert at 9pm. This is the relationship that makes co-managed work or fail.
Shared tooling. Your internal IT person logs into the same RMM, ticketing system, SIEM, endpoint manager and patching platform we use for our 200+ clients. They see what we see. We see what they see. There is no information asymmetry, no "the MSP knows things we don't". Shared tooling is what turns co-managed from "two teams shouting at each other" into "two teams operating the same environment".
A quarterly business review with the internal IT lead and (where appropriate) the SME owner. Not for sales. For reviewing the roadmap, the spend, the incidents, the renewals, the team's capacity, and what's coming. The QBR is where co-managed prevents drift.
We hold ISO 27001 and Cyber Essentials Plus ourselves, which means our co-managed controls are audit-grade by default. Our internal team-counterparts at client businesses have used us to pass their own CE+ and ISO 27001 certifications inside the partnership.
The honest caveat
Co-managed is not the right answer for every business. It is more expensive in cash terms than fully managed, and the maths only works if the internal IT person is actively adding value the MSP cannot replicate. If your internal IT person is on the way out, demotivated, or doing work the MSP could do more efficiently, the honest answer is to move to fully managed. We have had that conversation with clients more than once.
The right test: would you keep your internal IT person if they cost you 20% more next year? If yes, co-managed is your model. If no, fully managed is the lower-stress, lower-cost answer.
Bottom line
The decision isn't in-house versus outsourced. The decision is which mix of in-house, outsourced and co-managed best fits the team you have today and the business you're trying to be in 18 months.
If you've been told it's a binary choice, you've been talking to the wrong people.
About this article
Sources:
- Cyber Security Breaches Survey 2024 (UK Government)
- Managed IT Services market data UK 2026 (Connection Technologies analysis)
- Hybrit: Co-Managed IT Explained, Working Alongside Your Internal IT Team
Companion posts:
About Inflection Point
Inflection Point is a UK managed-IT and cyber-security firm. 200+ active clients across the UK, 16+ years EOS-run, founder-led with 25 years industry experience. ISO 27001 certified, Cyber Essentials Plus, Microsoft Solutions Partner, rated 4.9/5 across 150+ Trustpilot reviews. We deliver fully managed IT from £39 per user per month, and a co-managed partnership model for UK SMEs with an existing internal IT team. Under-15-minute remote response, 1-hour on-site SLA.
If you have an internal IT person who is overstretched, or you're trying to decide between hiring a second IT manager and bringing in an MSP partner, book a 30-minute discovery call. We will tell you which of the three models fits your business and what a co-managed engagement would look like for your specific team. No sales pitch.
Iain Godding is the founder of Inflection Point. He has 25 years of UK IT and cyber-security industry experience.