The cybersecurity market is large, competitive, and full of impressive-sounding products. Vendors are skilled at creating urgency, citing headline breach statistics, and presenting their solution as the one thing standing between you and catastrophe.

Before you sign anything, here are five questions that will cut through the pitch and tell you whether a contract is genuinely in your interest.

1. "What happens if this doesn't work — and how is that defined in the contract?"

Every cybersecurity vendor will tell you their product or service works. Ask them what "works" means contractually. What are the specific, measurable SLAs: time to acknowledge an alert, time to contain an incident, coverage of the systems you actually run? What happens if they miss them? Is there a financial remedy, or just a commitment to investigate?

Most contracts in this space define failure so narrowly that there is essentially no scenario in which the vendor is liable for anything. That's not necessarily wrong — security is probabilistic, not guaranteed — but you should understand exactly what you're buying before you sign.

2. "What commission or incentive do you receive from the vendors you're recommending?"

This question makes many people uncomfortable to ask. Ask it anyway.

A large proportion of cybersecurity resellers, MSPs, and "independent" consultants have formal vendor partnerships that pay commission, rebates, or sales incentives. This isn't secret — but it isn't usually volunteered either. If someone is recommending a product and earning money from selling it, you deserve to know that before you take the advice.

A genuinely independent advisor should be able to answer this question with a simple "no" and explain their fee structure clearly. If the answer is evasive, treat that as information.

3. "What is the exit process and what data do you hold about us?"

Switching cybersecurity providers is significantly harder than switching, say, a printer supplier. Many vendors build switching friction into their contracts deliberately: multi-year terms, data portability restrictions, or proprietary formats that make migration expensive. You should also know what the vendor holds about you, such as logs, alerts, asset inventories and configuration, and whether that data is returned or deleted when the contract ends.

Before you sign, understand:

4. "Can you give me two or three reference clients in a similar sector who I can speak to directly?"

Any vendor with genuinely satisfied clients should be able to provide references without hesitation. Pay attention to whether the references are in a similar sector and of similar size to your business. A testimonial from a 5,000-person enterprise means very little if you're a 100-person professional services firm.

When you speak to the reference, ask them the same questions you'd ask the vendor. How did they handle a problem? Were the SLAs met? Would they sign the same contract again?

5. "What does your service not cover, and what would cause you to say an incident was outside your scope?"

Exclusions clauses in cybersecurity contracts are often broader than clients realise. Common exclusions include:

Ask the vendor to walk you through a realistic incident scenario — ransomware delivered via a phishing email, for example — and explain exactly what their service covers and doesn't cover in that scenario. The answer will tell you a great deal about what you're actually buying.

The goal isn't to catch vendors out. The goal is to ensure you know exactly what you're signing before you commit budget to it. A vendor who can't answer these questions clearly is a vendor you should think twice about.

One more thing: if you're not sure whether a vendor's answers to these questions are reasonable, that's exactly when independent advisory adds value. An hour's consultation with an advisor who has no stake in the outcome can save you months of a contract you wish you'd never signed.