What Your IT Support Provider Should Be Monitoring (And Probably Isn't)

Most managed IT contracts include remote monitoring as a standard feature. An agent is installed on your devices and your provider can see what's happening. In theory. What I actually see when I review monitoring setups varies enormously: from genuinely proactive oversight to an agent that fires alerts into a queue that nobody checks until something breaks.

Here's what should be happening, and a simple way to find out if it is.

The basics your provider should never miss

Disk space approaching capacity should generate an alert well before it becomes a problem. Something like 80% full as a warning, 90% as urgent. A server running out of disk space causes cascading failures, and it should never be a surprise. If your provider has been caught off guard by a full disk, the monitoring isn't configured properly.

Backup success and failure is the one I check first with every new client. Every backup job should produce a clear pass or fail result, and your provider should be alerting on failures the same day they occur. A backup that silently fails for two months before someone notices it is a disaster waiting for a trigger. Ask your provider, unprompted, when your backups last succeeded. If they have to look it up, that's already a warning sign.

Critical service health (email, databases, Active Directory) should be monitored for availability, with alerts in minutes. For CPU and memory, spikes are normal; sustained elevation over days or weeks is a signal worth investigating.

Where monitoring usually breaks down

Security monitoring is where the gap between contracted and actual is widest. Basic monitoring tells you when something has already failed. Genuine security monitoring looks for early signals: unusual login times, unexpected outbound connections, authentication failure patterns.

If your provider supplies endpoint detection and response (EDR) software rather than traditional antivirus, ask specifically: when the EDR generates an alert, who reviews it and on what timescale? Many EDR tools produce alerts that get auto-acknowledged without anyone looking at them properly. That's not monitoring; that's creating audit trail paperwork.

Patch compliance is another area where "we have patching enabled" is not a meaningful answer. The number that matters is what percentage of your devices are fully patched against critical vulnerabilities. Anything below 90% warrants a conversation. Many monitoring setups cover Windows updates adequately and ignore third-party applications entirely: browsers, Adobe products and PDF readers, all of which are frequent attack vectors.

The question that tells you everything

Ask your provider to send you a monitoring report for the last month. It should show backup success rates, patch compliance percentages, any security alerts and their resolution, and ticket volume by category.

If they can produce that report quickly and clearly, monitoring is being managed actively. If they can't produce it, or need a week to pull it together, you have helpdesk support with a monitoring label on it.
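
As an added illustration (not from any monitoring product or from the original article), this sketch shows how the figures in such a report can be derived from raw monitoring records, using the thresholds given above. The records, field names and the `monthly_report` function are constructed assumptions.

```python
from datetime import date, datetime

# Constructed sample data; field names are assumptions, not any RMM tool's export format.
BACKUPS = [  # (job, run date, succeeded)
    ("fileserver", date(2024, 5, 28), True),
    ("fileserver", date(2024, 5, 29), False),
    ("fileserver", date(2024, 5, 30), False),
    ("sql01", date(2024, 5, 30), True),
]
DISKS = {"fileserver C:": 0.93, "sql01 D:": 0.84, "dc01 C:": 0.55}  # fraction used
PATCHES = {  # device -> missing critical patches, OS and third-party apps counted separately
    "pc-01": {"os": 0, "third_party": 0},
    "pc-02": {"os": 0, "third_party": 2},  # OS current, browser and PDF reader behind
    "pc-03": {"os": 1, "third_party": 0},
    "pc-04": {"os": 0, "third_party": 0},
}
EDR_ALERTS = [  # (id, raised, human reviewer or None, auto-acknowledged)
    ("A1", datetime(2024, 5, 12, 3, 14), "analyst1", False),
    ("A2", datetime(2024, 5, 20, 23, 2), None, True),
]

def disk_level(used):
    """Classify disk usage: 80% full is a warning, 90% is urgent."""
    return "urgent" if used >= 0.90 else "warning" if used >= 0.80 else "ok"

def monthly_report(backups, disks, patches, alerts, today):
    last_ok, failures = {}, []
    for job, day, ok in backups:
        if ok:
            last_ok[job] = max(day, last_ok.get(job, day))
        else:
            failures.append((job, day))
    clean = [d for d, m in patches.items() if m["os"] == 0 and m["third_party"] == 0]
    compliance = 100 * len(clean) / len(patches)
    return {
        "backup_success_rate": 100 * sum(ok for _, _, ok in backups) / len(backups),
        # None means the job has never produced a good backup in the data
        "days_since_last_good_backup": {
            j: (today - last_ok[j]).days if j in last_ok else None
            for j in sorted({job for job, _, _ in backups})},
        "backup_failures": failures,
        "disk_alerts": {n: disk_level(u) for n, u in disks.items() if disk_level(u) != "ok"},
        "patch_compliance_pct": compliance,
        "patch_needs_conversation": compliance < 90,
        "edr_unreviewed": [a for a, _, who, auto in alerts if who is None or auto],
    }

if __name__ == "__main__":
    for key, value in monthly_report(BACKUPS, DISKS, PATCHES, EDR_ALERTS, date(2024, 5, 31)).items():
        print(f"{key}: {value}")
```

Counting third-party applications alongside OS patches is what pulls the sample compliance figure down: a device with current Windows updates but an outdated browser does not count as fully patched.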