
Instance Audit as a Service: The MSP Land-and-Expand Play

How a one-week Instance Audit package, powered by the SnowCoder Instance Audit Agent and 500+ checkpoints, becomes the most reliable land-and-expand motion an MSP can run.

Why "Land and Expand" Is Hard in ServiceNow

MSPs are good at signing customers when there is a burning platform. A failed go-live, a botched upgrade, a security incident. The harder motion is the cold approach: a customer who is functionally OK on ServiceNow, has an incumbent partner, and is not actively shopping for help. In that conversation the prospect needs to see something they did not already know about their own instance, fast.

The Instance Audit motion solves that. A packaged, one-week audit, priced as a fixed-fee engagement, delivered against 500-plus granular checkpoints, produces a report that is genuinely harder for the prospect to dismiss than a sales deck. This article describes how MSPs are productising the Instance Audit Agent as a land-and-expand offer.

What the Instance Audit Agent Checks

The Instance Audit Agent is one of the two on-demand agents in the SnowCoder MSP Agents suite. It runs 500-plus granular checkpoints across an instance, covering eight broad domains.

  • Security: ACL coverage, public pages, elevated user counts, auth records, dormant admin accounts.
  • Performance: Long-running queries, missing indexes, slow Business Rules, large attachment tables.
  • Data quality: Orphan records, duplicate CIs, broken reference fields, stale lookup data.
  • Customisation health: Skipped upgrade artifacts, overridden OOB scripts, customisations on tables ServiceNow no longer recommends extending.
  • Process maturity: Workflow versus Flow Designer usage, legacy Workflow records still in production, business rule sprawl.
  • Integration hygiene: REST and SOAP endpoints, IntegrationHub spokes, MID server health.
  • License utilisation: Fulfiller usage versus subscriptions, role assignments that imply hidden license consumption.
  • Upgrade posture: Distance from current supported release, plugin compatibility flags, store app drift.

Each checkpoint produces a finding with severity, evidence, and a recommended remediation. The 500-plus number matters because it is the difference between a checklist a junior consultant might write up in a week and a report that surfaces things the incumbent missed.

The Packaged One-Week Offer

The MSPs running this motion price it as a fixed-fee engagement. The shape of the week is consistent across every customer.

  1. Day 1: Onboarding call, read-only credentials issued, instance connected to SnowCoder workspace, Instance Audit Agent triggered.
  2. Day 2: Findings reviewed by the lead architect. False positives suppressed, customer-specific context layered in.
  3. Day 3: Top-ten findings drafted with prioritised remediation plans.
  4. Day 4: Internal QA, formatting, branded deliverable produced.
  5. Day 5: Readout call with the customer's ServiceNow lead and an executive sponsor.

The agent compresses what used to be three weeks of discovery into a day. The four remaining days are the work the customer is actually paying for: judgment, context, and a credible plan.

A Representative Finding

The reason the readout works is that the findings are concrete and evidenced. Generic statements like "your ACL coverage could be improved" do not convert. Specific findings like the one below do.

Finding: sn-sec-014 - Missing read ACL on custom u_payroll_export

Severity: High
Domain: Security

Evidence:
  Table: u_payroll_export (12,481 records)
  ACL coverage: write=admin only, read=NONE
  Effect: Any authenticated user with table list access can read
          payroll export staging records via REST.

Verification:
  REST GET /api/now/table/u_payroll_export?sysparm_limit=1
  returns rows when authenticated as a basic itil user.

Recommendation:
  Add a read ACL on u_payroll_export restricting to the
  payroll_admin role. Pattern:
// ACL: u_payroll_export.read
// Operation: read
// Role: payroll_admin
// Script (optional defence in depth):
(function() {
    if (!gs.hasRole('payroll_admin')) {
        return false;
    }
    // Restrict to records owned by user's company
    return current.company == gs.getUser().getCompanyID();
})();

That is a finding the prospect can verify in their own instance during the readout call. Once they have verified it, they have an emotional reason to ask what else the audit found. That is the moment the land becomes an expand.
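The coverage check behind a finding like this one can be sketched as follows. This is an added example, not SnowCoder's code: it runs over constructed rows shaped like a display-value export of sys_security_acl and reports custom tables with no active table-level read ACL. The sample tables other than u_payroll_export, the function names and the severity rule are assumptions, and the check deliberately ignores wildcard (*) ACLs and parent-table inheritance.

```javascript
// Constructed sample rows, shaped like a display-value export of sys_security_acl.
const SAMPLE_ACLS = [
  { name: 'u_payroll_export', operation: 'write', type: 'record', active: true },
  // Field-level ACL: protects one column, not the rows themselves.
  { name: 'u_payroll_export.u_amount', operation: 'read', type: 'record', active: true },
  // Deactivated ACL: present in the table but not enforced.
  { name: 'u_vendor_stage', operation: 'read', type: 'record', active: false },
  // Field wildcard: covers all fields, still not a table-level ACL.
  { name: 'u_vendor_stage.*', operation: 'read', type: 'record', active: true },
  { name: 'u_asset_notes', operation: 'read', type: 'record', active: true },
];

// Constructed sample: custom tables in scope with their row counts.
const SAMPLE_TABLES = [
  { name: 'u_payroll_export', rows: 12481 },
  { name: 'u_vendor_stage', rows: 0 },
  { name: 'u_asset_notes', rows: 230 },
];

// Operations covered by an active table-level ACL. A name with a dot
// (table.field or table.*) is a field ACL, so only an exact name match counts.
function tableLevelOps(table, acls) {
  return new Set(
    acls
      .filter((a) => a.active && a.type === 'record' && a.name === table)
      .map((a) => a.operation)
  );
}

// Emit one finding per table that has no active table-level read ACL.
function auditReadCoverage(tables, acls) {
  const findings = [];
  for (const t of tables) {
    const ops = tableLevelOps(t.name, acls);
    if (ops.has('read')) continue;
    const covered = [...ops].sort().join(', ') || 'none';
    findings.push({
      table: t.name,
      severity: t.rows > 0 ? 'High' : 'Medium', // assumed rule: populated tables rank higher
      evidence: `${t.rows} records; table-level ACL operations: ${covered}; read=NONE`,
      recommendation: `Add a read ACL on ${t.name} restricted to the owning role.`,
    });
  }
  return findings;
}

console.log(JSON.stringify(auditReadCoverage(SAMPLE_TABLES, SAMPLE_ACLS), null, 2));
```

A table flagged here still needs the manual verification step from the finding, because instance-wide default ACLs can deny access even when no table-level ACL exists.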

The Commercial Mechanics

The Instance Audit is priced to clear the customer's procurement bar without a long approval chain. It is presented as a fixed-fee diagnostic rather than a consulting engagement. The deliverables are the audit report, the readout, and a prioritised remediation backlog. The remediation backlog is the bridge to the next engagement.

The MSPs running this motion at scale layer in two more moves after the readout.

  • Remediation sprint: A scoped two-week sprint to close the top-five findings. This is usually the first paid follow-on.
  • Managed service contract: If the audit finds enough operational gaps, a multi-month managed service contract becomes the next conversation.

Conversion rates from audit to remediation sprint are routinely above fifty percent in MSPs that pair the audit with a strong readout. The conversion rate from sprint to managed service contract is lower, but the contract values are an order of magnitude bigger.

Why This Works Better Than a Free Health Check

A lot of MSPs still offer a free health check. The free health check is a sales artifact. The customer treats it as one. A priced, fixed-fee audit is a procurement artifact. The customer treats it differently. There is also a depth difference. A free health check is usually a slide deck with twenty observations. The Instance Audit covers 500-plus checkpoints, with evidence, in a week. That is not a comparable artifact.

MSPs that have moved from free health checks to the paid Instance Audit motion have done so because the conversion math is better. Customers who pay for the diagnostic engage with it. Customers who get it for free file it and move on.

Productise your Instance Audit motion

Run the SnowCoder Instance Audit Agent against your next pursuit and convert the findings into a paid remediation sprint.