Free IT security check as a lead magnet: the CheckUp widget for MSP websites
Five minutes to embed on your marketing site: a self-service IT security check that gives prospects a maturity score in under 3 minutes — and drops a fully qualified lead with PDF report straight into your pipeline. GDPR-compliant, branded with your logo and colour, no sales call required first.
Most MSP websites have a contact form and a phone number. So when a mid-market managing director honestly wants to know how bad their IT security really is, they’re asked to book a sales call — the kind no one likes booking, because everyone knows it’ll end with a five-figure quote.
There’s an easier on-ramp. A self-service test the prospect can click through from home in under three minutes, that gives them an honest maturity score, and that gives you — the MSP — a fully qualified lead in your pipeline: PDF report, industry, company size, per-category score breakdown, cross-tenant benchmark. We rolled this out as a one-click widget for every MSPercury workspace this week.
What your prospect sees
You paste a single iframe snippet onto your marketing site — typically near the bottom of the homepage, or as a dedicated “IT security check” landing page. Inside the iframe runs the full multi-step flow:
- Enter email — your prospect types in their business email
- Enter the 6-digit code sent to that email — kills bot spam, qualifies the address
- Answer 23 questions with “Yes / No / Unsure” — live score in real time, progress bar, optional help text per question
- Four context fields (company name, industry, size, optional phone)
- Score reveal with maturity badge (🥇 Gold / 🥈 Silver / 🥉 Bronze / 🚨 Acute), position on the 0–100 scale, score explanation, optional cross-tenant benchmark against other companies in the same industry and size, per-category breakdown
- PDF report is delivered by email in the background
The entire flow including PIN entry runs inside the iframe on your site. The visitor never leaves your domain. Your logo, your brand colour, your company name appear at the top — the CheckUp feels like your own tool, not an embedded third-party widget.
What you as the operator get
The moment the prospect submits, a new entry lands on your lead pipeline at /leads:
- Full transcript of all 23 answers
- Total score plus per-category breakdown (Security, Backup, Compliance, Infrastructure, Users)
- Industry, company size, phone (if provided)
- First-touch attribution: UTM source, UTM medium, UTM campaign, referrer host, landing URL — captured automatically via signed cookie so you can tell whether the lead came from a Google ad, a newsletter campaign, or a LinkedIn bio
- GDPR consent timestamped with IP and user agent for audit trail
- PDF report in your inbox, mirroring the one delivered to the prospect
The lead lands in the kanban board’s “New” column. Drag it to “Contacted” once you’ve reached out, “Proposal” once a quote is out, “Customer” once it converts. A “Convert” button on the detail page automatically creates a customers record in your workspace and links it back to the original lead.
How the score is calculated
The CheckUp ships with 23 curated questions across 5 categories:
- Security: multi-factor authentication, password manager, phishing-awareness training, endpoint protection, MFA coverage
- Backup: presence, test cadence, off-site location, encryption
- Compliance: GDPR processing record (Art. 30), DPA contracts with cloud vendors, cyber insurance, recovery time objective known, incidents in the last 12 months
- Infrastructure: patch management, RMM coverage, hardware lifecycle, network segmentation
- Users: onboarding/offboarding process, device encryption, privilege separation
Each question has a weight (Secondary / Standard / Critical). Three risk-flagged questions (incident occurred, RTO known, cyber insurance) are inverse-weighted — a “Yes” on these lowers the score because it indicates real exposure or past damage. Three follow-up questions appear only when the parent question has a specific answer — answer “MFA = no” and a phishing-protection follow-up appears; this improves diagnostic accuracy without burdening the average user.
The catalog is editable per workspace. You can rephrase questions, reassign categories, change weights, add your own questions, or delete our defaults. On first open, the curated catalog is cloned into your workspace table — from then on it’s yours. A “Reset to defaults” button (with RESET-typed confirmation gate) restores the original at any time.
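The weighting rules described above as runnable code, added here as an example and not MSPercury's scoring code. The numeric weights, the zero credit for “Unsure” and the question ids are assumptions, since the page gives none of them.

```javascript
// Added illustration, not MSPercury code. Weight values and the
// treatment of "unsure" are assumptions; the page gives no numbers.
const WEIGHT = { secondary: 1, standard: 2, critical: 3 };

// Constructed mini-catalog (hypothetical ids) covering the three cases.
const CATALOG = [
  { id: "mfa", weight: "critical" },
  { id: "phishing_protection", weight: "standard",
    showIf: { parent: "mfa", answer: "no" } },               // follow-up
  { id: "backup_tested", weight: "standard" },
  { id: "incident_12m", weight: "critical", inverse: true }, // risk-flagged
];

// A follow-up counts only when its parent has the triggering answer.
function isVisible(q, answers) {
  return !q.showIf || answers[q.showIf.parent] === q.showIf.answer;
}

// Returns 0..100. "yes" earns the weight, except on an inverse-weighted
// question where "no" earns it; "unsure" and unanswered earn nothing.
// Hidden follow-ups are left out of both numerator and denominator.
function score(catalog, answers) {
  let earned = 0;
  let possible = 0;
  for (const q of catalog) {
    if (!isVisible(q, answers)) continue;
    const w = WEIGHT[q.weight];
    possible += w;
    const good = q.inverse ? "no" : "yes";
    if (answers[q.id] === good) earned += w;
  }
  return possible === 0 ? 0 : Math.round((100 * earned) / possible);
}
```

Because a hidden follow-up is excluded from the denominator, a prospect who never sees it is not penalised for leaving it unanswered.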
GDPR: what’s shared, what isn’t
The CheckUp is privacy-compliant by design:
- Consent: on submit, the privacy click is captured with timestamp + IP + user agent (Art. 7 GDPR proof requirement). The email-entry step also carries a discrete privacy notice with link to the full policy
- Tenant isolation: lead data lives only in your workspace database. Other MSPercury tenants see nothing
- Cross-tenant benchmark: the one documented exception — on the score page we optionally show your prospect an anonymous comparison against other companies of the same industry and size. Aggregated, anonymous, with a hard minimum sample size (no number is shown until at least N anonymous records exist in the comparison group)
- Sub-processor relationship: a ready-made DPA template (Art. 28) is downloadable at /legal/dpa, which you embed in your own privacy policy toward your end customers as the controller-processor chain
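The minimum-sample-size rule for the cross-tenant benchmark, as an added example that is not MSPercury code. `MIN_GROUP` stands in for the page's unspecified N, and the record shape, ids and scores are constructed.

```javascript
// Added illustration, not MSPercury code. MIN_GROUP stands in for the
// page's unspecified "N"; the record shape is a hypothetical one.
const MIN_GROUP = 5;

// Constructed anonymous records: score plus the two grouping keys, and
// an opaque id used only to leave out the viewer's own record.
const RECORDS = [
  { id: 1, industry: "legal", size: "10-49", score: 40 },
  { id: 2, industry: "legal", size: "10-49", score: 55 },
  { id: 3, industry: "legal", size: "10-49", score: 60 },
  { id: 4, industry: "legal", size: "10-49", score: 70 },
  { id: 5, industry: "legal", size: "10-49", score: 85 },
  { id: 6, industry: "legal", size: "10-49", score: 30 },
  { id: 7, industry: "retail", size: "10-49", score: 50 },
  { id: 8, industry: "retail", size: "10-49", score: 65 },
];

// Returns aggregate figures for the viewer's peer group, or null when
// the group is too small to show anything.
function benchmark(records, own, minGroup = MIN_GROUP) {
  const peers = records
    .filter(r => r.id !== own.id &&
                 r.industry === own.industry && r.size === own.size)
    .map(r => r.score)
    .sort((a, b) => a - b);
  // Below the floor, show nothing at all: an aggregate over two or
  // three companies lets a viewer work back to an individual score.
  if (peers.length < minGroup) return null;
  const mid = Math.floor(peers.length / 2);
  const median = peers.length % 2
    ? peers[mid]
    : (peers[mid - 1] + peers[mid]) / 2;
  const below = peers.filter(s => s < own.score).length;
  return {
    n: peers.length,
    median,
    percentBelow: Math.round((100 * below) / peers.length),
  };
}
```

The viewer's own record is removed before the floor is applied, so the threshold counts other companies only.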
Setup: 5 minutes from zero to live
- Set the slug in /settings#publiccheckup — e.g. your-shop. Produces https://mspercury.com/check/your-shop. Slugs are workspace-unique
- Apply branding in /settings#branding — logo (PNG/JPEG/WebP/SVG, max 2 MB) and brand colour (hex). Both appear on the CheckUp landing page and on the PDF report
- Optionally customise the intro text per locale (DE/EN/ES) — the default with your workspace name is sensible out of the box, but per-locale override is available if you have specific sales copy
- Copy the iframe snippet from the green block at /settings#publiccheckup — ready-made line to paste: <iframe src="https://mspercury.com/check/your-shop/embed" style="width:100%;min-height:780px;border:0" title="IT CheckUp" loading="lazy"></iframe>
- Embed it in your marketing site’s HTML — homepage, dedicated landing, footer. The embed endpoint is iframe-optimised (X-Frame-Options: ALLOWALL, Content-Security-Policy: frame-ancestors *) and works on any host without further configuration
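How a browser reads the header pair quoted above, as an added example that is not MSPercury code. The origins used to exercise it are constructed, and source matching is simplified as noted in the comments.

```javascript
// Added illustration, not MSPercury code: would a browser let
// parentOrigin frame a response that carries these headers?
// Simplified source matching: *, 'self', 'none', scheme://host and
// scheme://*.host; ports and paths are not handled.
function framingAllowed(headers, parentOrigin, selfOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // An enforced frame-ancestors directive makes browsers ignore
  // X-Frame-Options entirely.
  const fa = (h["content-security-policy"] || "")
    .split(";")
    .map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === "frame-ancestors");
  if (fa) {
    const allowed = fa.slice(1).some(s => matches(s, parentOrigin, selfOrigin));
    return { allowed, decidedBy: "frame-ancestors" };
  }

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { allowed: false, decidedBy: "x-frame-options" };
  if (xfo === "SAMEORIGIN") {
    return { allowed: parentOrigin === selfOrigin, decidedBy: "x-frame-options" };
  }
  // Only DENY and SAMEORIGIN restrict framing; any other value,
  // ALLOWALL included, leaves the response frameable.
  return { allowed: true, decidedBy: "none" };
}

function matches(source, origin, selfOrigin) {
  if (source === "*") return true;
  if (source === "'none'") return false;
  if (source === "'self'") return origin === selfOrigin;
  const m = /^(https?):\/\/(\*\.)?([a-z0-9.-]+)$/i.exec(source);
  if (!m) return false; // unsupported source form: treat as no match
  const u = new URL(origin);
  if (u.protocol !== m[1].toLowerCase() + ":") return false;
  const host = m[3].toLowerCase();
  return m[2] ? u.hostname.endsWith("." + host) : u.hostname === host;
}

// The header pair quoted on this page.
const PAGE_HEADERS = {
  "X-Frame-Options": "ALLOWALL",
  "Content-Security-Policy": "frame-ancestors *",
};
```

With `PAGE_HEADERS` every parent origin is accepted; given a tighter policy such as `frame-ancestors https://www.example-msp.test` (a constructed host), the same function refuses all other parents.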
Optional: append UTM parameters to the iframe URL — e.g. ?utm_source=homepage&utm_medium=embed — and you’ll see per-lead which landing it came from. On /leads we aggregate the top-5 sources as clickable filter pills.
Why this works (vs. sales-call-first)
A traditional MSP contact form qualifies nothing. Whoever fills it out expects a sales call and braces accordingly. The CheckUp inverts that:
- Lower friction: 3-minute self-test with an honest diagnosis, instead of a calendar invite with an unclear outcome
- Pre-qualified: before the first contact you can already see which categories the prospect is weak in, whether their industry matches your sweet spot, whether their size fits your service profile
- Concrete conversation opener: instead of “tell me about your IT” you talk specifics from the report — “you marked MFA as ‘no’ — what’s the current state there?”
- Audit trail from day one: answers and score snapshot stay on the lead record even after conversion. When you cut the first proposal, you read the same data; you don’t have to re-collect it
Security for the prospect, pipeline for you
We built the CheckUp first for our own MSP practice (IT Systeme Flores UG), because we couldn’t keep scaling the manual 30-minute first-meeting any longer. It now runs on every MSPercury workspace with one click. Drop the link into your email signature, embed it on your marketing site, print a QR code on your business card. What comes back are leads that already started the journey — and that you can greet on the first call with the right data already on the screen.
More in the Public CheckUp setup guide →
— Lucas