The MSP QBR Playbook: How to Fill Every Annual Technology Plan with Cross-Sell

A great MSP QBR fills the client's annual technology plan with ranked, dollar-sized opportunities — not status updates. The four sections that should appear in every QBR: (1) what shipped vs what was promised, (2) the security and infrastructure gap report, (3) the next 12 months of opportunities ranked by impact, and (4) a single-decision ask from the client. Most MSPs skip section three, which is why their annual technology plans stay thin, their ARR stays flat, and their vCIO conversations stay surface-level.

What is a QBR in the MSP Context?

A quarterly business review is a structured meeting between your account team and the client's buying committee — typically the CEO, CFO, and IT lead — held every 90 days to review performance, close gaps, and plan the next investment cycle.

That is the definition. Here is the reality: most MSPs run QBRs that look like glorified status calls. A technician walks through open tickets, the client nods, and everyone agrees to meet again in 90 days. No opportunities are surfaced. No decisions are made. The account manager leaves without a signed SOW or even a verbal commitment.

The MSP QBR should function as a sales meeting that opens with proof of value. Your vCIO or AE owns the agenda. The goal is a signed or verbally committed opportunity before the meeting ends. The delivery review earns you the right to recommend. Everything else drives ARR.

If your QBR agenda does not include a 12-month opportunity slate with dollar figures attached, you are running a status call with a nicer name.

Why Most MSP QBRs Fail to Drive Cross-Sell

Three patterns kill cross-sell in QBR meetings.

No pre-meeting research. The account manager walks in with last quarter's ticket summary and a gut feeling about what the client might need. The client's IT lead has done more homework on their own environment than your team has. That dynamic inverts the trust relationship. Your vCIO should walk in already knowing the client's current gaps, their risk posture against NIST CSF controls, what cloud platforms they are running, and where they are exposed on telephony or backup.

No dollar-sized recommendations. Telling a client "you should probably think about upgrading your EDR" is not a recommendation. A recommendation has a dollar figure, a timeline, and a business reason. "Based on your current endpoint count, upgrading to a managed XDR platform runs $X per month and closes three of your top-five gap categories from last quarter's security review" is a recommendation.

No single ask. QBRs that end with three to five items on a follow-up list close none of them. The client leaves with homework. You leave with open loops. The meeting that closes with one decision — even a small one — builds the habit of commitment and creates momentum toward the larger annual technology plan.

Fix all three and your QBR becomes the most productive sales meeting on your calendar.

The Four Sections of a Great QBR

Section 1 — Delivery Review: What Shipped vs What Was Promised

Open with proof that you did what you said you would do. This section runs eight to ten minutes and covers three things: projects completed since the last QBR, SLA performance against the contract, and any open items with updated ETAs.

Keep this section tight. The client wants to see a scoreboard, not a project retrospective. A simple table works:

• Column 1: Committed deliverable
• Column 2: Status (Shipped / In Progress / Delayed)
• Column 3: If delayed, new date and reason

Your vCIO or account manager presents this, not the help desk lead. Framing matters. You are presenting business performance, not technical outcomes.

If something slipped, own it in one sentence and state the resolution. Do not spend more than 60 seconds on any single missed item. The client hired you for reliability. Show reliability in how you handle the exception, not just in the streak.

Section 2 — The Security and Infrastructure Gap Report

This is the section that establishes your vCIO authority and sets up the opportunity slate that follows. Run through the client's current posture across your core coverage areas: endpoint protection, backup and recovery, access management, network security, and any compliance frameworks relevant to their vertical (NIST CSF, HIPAA, PCI-DSS).

Present gaps as business risk, not technical findings. "Your MFA coverage drops to 60 percent on mobile devices" is a technical finding. "Sixty percent mobile MFA coverage means a credential compromise on any mobile endpoint bypasses your perimeter controls, which in your industry carries a regulatory notification cost of $X per record affected" is a business risk statement.

You do not need to scare the client. You need to connect the technical gap to a business consequence they already care about. The CFO in the room does not think about MFA. The CFO thinks about liability, audit exposure, and cyber insurance premiums. Speak that language.

This section also earns the transition into section three. The gap report is the evidence base for your recommendations.

Section 3 — The 12-Month Opportunity Slate (Ranked, Dollar-Sized)

This is the section most MSPs skip, and skipping it is why their annual technology plans stay thin.

The opportunity slate is a ranked list of investments the client should make over the next 12 months, each with a dollar range and a business justification. Present it as the client's plan, not your sales pipeline. The framing is: "Here is what we recommend for your environment over the next four quarters, ordered by impact."

A well-built slate for a 75-seat professional services client might look like this:

• Q3 2026: Managed XDR rollout — closes endpoint and SOC gaps from the security review. $X MRR.
• Q3 2026: Cloud backup migration — replaces aging on-prem backup with immutable cloud storage. $X MRR.
• Q4 2026: Microsoft 365 Business Premium upgrade for 20 remaining standard-license seats — enables Purview compliance features needed for the upcoming audit. $X MRR.
• Q1 2027: vCIO annual technology plan refresh — full business and technical baseline, updated opportunity scoring, board-ready report. Included in managed services tier.
• Q2 2027: VoIP/UCaaS migration — legacy phone contract expires March 2027. Begin evaluation 90 days prior.

Every item has a quarter, a business reason, and a dollar range. The client's IT lead and CFO can see the full 12-month picture. The CFO can put numbers in next year's budget. Your AE has a roadmap to work against.

This is the annual technology plan. You built it in the QBR meeting by connecting the gap report to a sequenced, priced investment list.

Section 4 — The Single-Decision Ask

End every QBR with one ask. One. Not a list of follow-ups. Not a "we'll send over some options." One decision the client can say yes or no to before they leave the room.

The ask should come from the top item on the opportunity slate. "Based on everything we covered today, the highest-impact move in Q3 is the XDR rollout. We can have a SOW to you by Friday. Can we get a verbal to move forward so we can hold the implementation slot?"

A verbal yes lets you send a SOW. A no surfaces the real objection — budget, timing, internal politics — so you can address it in the next 30 days instead of letting it drift for 90.

If the client is not ready to commit on the top item, drop down to the smallest item on the slate. Get one yes. Build the habit. The habit compounds.

How to Build the Opportunity Slate in 15 Minutes, Not 4 Hours

The reason most MSPs skip the opportunity slate is prep time. Pulling together a gap report and opportunity list for a 75-seat client used to mean four hours of research across the client's PSA notes, RMM data, last year's QBR deck, and whatever the account manager remembers from their last visit.

MSProspector changes that math. Run a baseline scan on the client before the QBR. In 15 minutes you get a 10-page business and technical profile that covers 22 opportunity categories: cybersecurity, cloud infrastructure, AI readiness, telephony, marketing, print, AV, and more. Each category flags gaps with source citations, so your vCIO walks in with evidence, not assumptions.

The scan output maps directly to sections two and three of the QBR framework. The gap report is built. The opportunity categories are scored. Your account manager takes that output, prices the top three to five items against your line card, and the slate is ready.

That is the difference between a QBR that closes business and one that generates a follow-up email nobody reads. If you have not run a baseline on your top 20 accounts, start with a free report before your next QBR cycle.

For a deeper look at what the 22 opportunity categories surface in a typical SMB environment, see our guide to MSP cross-sell opportunities.

Filling the Annual Technology Plan with High-Margin Solutions

The annual technology plan is not a document you hand the client at the end of the year. It is a living roadmap you build in the first QBR and update at every subsequent meeting.

High-margin cross-sell categories that belong in most annual technology plans:

Managed security services. EDR, MDR, and XDR all carry strong margins and strong retention. Clients who add a security layer to their managed services agreement churn at significantly lower rates. The gap report in section two gives you the on-ramp.

Cloud migration and optimization. Most SMB clients are in some state of partial cloud adoption. A full Microsoft 365 or Azure rationalization is a natural follow-on to any active migration project.

Compliance-driven projects. Clients in healthcare, finance, or professional services have regulatory timelines. HIPAA assessments, PCI scope reductions, and SOC 2 readiness projects land in the $15,000 to $60,000 range for a mid-market client. Your vCIO surfaces the compliance gap; your AE closes the project.

Telephony and UCaaS. Legacy phone contracts expire. When they do, the client either renews automatically or goes out to bid. If you flag the expiration 90 days out in the annual technology plan, you own the conversation.

AI readiness and productivity. Microsoft Copilot rollouts, AI-assisted help desk triage, and automated documentation tools are increasingly landing on annual technology plans for clients in the 50-to-250-seat range. They are not commoditized yet. They carry strong implementation margin.

The annual technology plan works because it turns your QBR from a backward-looking review into a forward-looking roadmap. The client stops thinking of you as a vendor and starts thinking of you as the person who runs their technology strategy.

How to Run the QBR Meeting Itself

Total time: 60 minutes for most accounts. 90 minutes for complex environments or first-year clients.

Who attends on the client side: CEO or business owner, CFO or controller, IT lead or operations manager. If the CFO is not in the room, the budget conversation happens without you.

Who attends on your side: vCIO or account manager (owns the agenda), AE (owns the close), optional technical lead if the gap report includes items that need engineering explanation.

Suggested agenda:

• 0:00 — 0:08: Delivery review. What shipped, SLA scorecard, open items.
• 0:08 — 0:20: Security and infrastructure gap report. Three to five gaps, business risk framing.
• 0:20 — 0:45: 12-month opportunity slate. Walk each item. Pause for questions. Let the CFO react to the dollar figures.
• 0:45 — 0:55: Single-decision ask. Present the top-of-slate recommendation. Ask for the verbal.
• 0:55 — 1:00: Next steps and next QBR date confirmed.

Do not let the delivery review run long. Do not skip the CFO conversation on the slate items. Do not leave without a verbal or a clear objection to address.

Send a one-page meeting summary within 24 hours. Include the opportunity slate, the agreed next steps, and the SOW timeline if you got a verbal. Clients who receive a clean written summary the next morning close faster and refer more.

FAQ

How long should a QBR be?

Sixty minutes for established accounts. Ninety minutes for new clients or accounts with complex multi-site environments. If your QBR is running two hours, the delivery review is too long or you are presenting too many opportunity slate items. Cap the slate at five items. The rest goes in the appendix.

Who should attend the QBR from the client side?

The business owner or CEO, the CFO or whoever controls the budget, and the day-to-day IT or operations contact. Three people. If you are meeting with only the IT lead, you are not running a QBR — you are running a technical review. You cannot close budget-level decisions without the person who controls the budget in the room.

What is the difference between a QBR and a vCIO meeting?

A QBR is the format. The vCIO is the role that runs it. In practice, many MSPs use the terms interchangeably. The distinction worth holding onto: a vCIO meeting can happen any time — to review a project, respond to a security event, or walk through a compliance audit. A QBR is a scheduled, calendar-anchored meeting that covers all four sections on the same cadence every 90 days. The QBR is the structural habit. The vCIO relationship is what gives that habit strategic weight with the client.

How do I bring up cybersecurity gaps without scaring the client?

Connect the gap to a business consequence they already understand, then immediately attach a solution. "Your current backup retention policy means a ransomware event would put you 30 days back at minimum. We can close that with immutable cloud backup for $X per month" is a business conversation, not a scare tactic. The goal is informed decision-making, not anxiety. Present the gap, quantify the exposure in terms the CFO tracks — downtime cost, regulatory penalty, insurance premium impact — and follow immediately with the fix.

How often should we run a full QBR versus a quick check-in?

Full four-section QBR: once per quarter for accounts above your MRR threshold, typically your top 20 to 30 percent of accounts by revenue. Quick check-in (30-minute call, delivery review only): mid-quarter for smaller accounts or accounts where nothing significant has changed. Never go more than 90 days without a structured conversation that includes at least one forward-looking opportunity. Accounts that go dark for six months are the accounts that churn.

---

MSProspector is built by Marketopia, the channel's leading marketing and growth firm. The platform generates a 10-page business and technical baseline on any prospect or client in 15 minutes, covering 22 opportunity categories with source citations and a custom sales playbook. Run your first report free.