
HailBytes SAT for MSSPs: Running Multi-Client Phishing Simulations at Scale

January 29, 2026 • 10 min read

Watch: HailBytes SAT on AWS - Architecture and Deployment Walkthrough (6 min)

Managed security service providers face a specific challenge with phishing simulations: they need to run campaigns across dozens of clients with complete data isolation, different template sets, different schedules, and different reporting requirements — without the cost structure of a per-seat SaaS platform multiplied across every client. At $5–$30 per user per year across a client base totaling 10,000 employees, that’s $50,000–$300,000 annually in platform licensing alone. Most MSSPs absorb that cost and deliver thin margins, or they skip phishing simulations entirely.

HailBytes SAT changes the economics. The marketplace meter is $0.24/vCPU-hour — about $350/month on a 2-vCPU instance — and a single instance handles unlimited users and campaigns for a single client. Your cost scales with the number of clients, not the number of employees. A 20-client MSSP portfolio costs a fraction of what a per-seat SaaS vendor would charge, and you keep full control over the infrastructure, the data, and the reporting.

The other thing that has changed since this article was first written: HailBytes now ships official Terraform modules for the three deployment topologies MSSPs actually use in production. You don’t build the IaC; you adopt it. The modules live at github.com/HailBytes/hailbytes-terraform-modules under MPL-2.0.

Figure: MSSP Multi-Client Architecture - Isolated Environments, Shared Infrastructure. The diagram shows a management layer with super admin and API, multiple isolated client organizations, and shared infrastructure.

Screenshot: HailBytes SAT Users and Groups page showing Engineering Team, Finance Department, and Executive Leadership groups. Per-client groups in HailBytes SAT - segment each client's departments inside their dedicated instance.

Pick a deployment shape: three topologies, one per-vCPU meter

The same marketplace image deploys into one of three reference topologies. Same product, same per-vCPU meter rate across all three — the delta is infrastructure shape, not licensing. Pick the shape that matches the client’s SLA, not their seat count:

  • Single instance per client — ~$435/mo all-in (infra ~$85 + per-vCPU meter ~$350). The classic white-label model. Each client gets a clean tenant boundary in your AWS/Azure account or theirs. Best margin shape for clients under ~5,000 seats. Tears down cleanly on churn. Terraform: sat-aws-single / sat-azure-single.
  • HA hot-hot per client — ~$1,215/mo all-in. For clients with formal uptime SLAs in their MSA (regulated industries, healthcare, financial services). Adds an ALB, Multi-AZ RDS, and a shared Redis session store. Pre/post-patch SSM verifiers ship with the Terraform module so your rolling-update cadence is documented and auditable. Terraform: sat-aws-ha / sat-azure-ha.
  • Auto-scaling (one tenant, many clients) — from ~$2,250/mo at 3-instance steady state, scales linearly. For regional MSSPs serving 20+ clients from a single shared tenant. Read replicas, rolling instance refresh with auto-rollback on 5xx, ElastiCache shared session store. Common shape for MSSPs running 100+ campaigns/month or seasonal load. Terraform: sat-aws-autoscale / sat-azure-autoscale.

Cross-cloud parity is intentional: an AWS HA deployment and an Azure HA deployment land within ~6% of each other at procurement-grade sizing. Pick whichever cloud the client’s finance team already has committed spend on. The COST_SHAPES.md table in the Terraform repo has the full side-by-side, and the marketplace topology page has customer-shape examples for each.

Architecture: One Instance Per Client (Single + HA shapes)

For the per-client tenant model, the cleanest multi-client architecture uses dedicated HailBytes SAT instances per client. Each client gets their own EC2 / Azure VM from the marketplace image, running in your MSSP’s cloud account (or the client’s, depending on your service model). Data isolation is physical — no shared databases, no shared credentials, no risk of campaign data leaking between clients.

This approach has operational benefits beyond isolation. When a client churns, you terraform destroy and all associated data is gone. When a client requests a penetration test that includes phishing, you spin up a fresh instance with the same module, run the engagement, export the report, and tear it down. No cleanup, no data retention concerns, no shared infrastructure to audit.

New client onboarding is a single terraform apply. The module handles VPC selection, security groups, encrypted storage, IMDSv2, KMS-backed Postgres, and (on the HA shape) the ALB, Multi-AZ RDS, ElastiCache, pre-patch S3 backup bucket with Object Lock, and the SSM pre/post-patch verifier scripts. Tag instances by client name, engagement type, and status, then run day-to-day operations against those tags with aws ssm or Azure Run Command.

Template Management Across Clients

Phishing templates are the core intellectual property of an MSSP’s simulation practice. Build a master template library organized by difficulty level (easy, moderate, hard, spear-phish), scenario type (credential harvest, malware download, BEC), and industry vertical (healthcare, finance, technology, government). Store templates as HTML files in a Git repository, version-controlled and reviewed by your red team.

When onboarding a new client, deploy the appropriate template set based on their industry and maturity level. A healthcare client gets templates themed around EHR system updates, HIPAA training notifications, and insurance provider communications. A financial services client gets wire transfer confirmations, audit request notices, and regulatory compliance alerts. Customization is the difference between a generic simulation and one that tests whether employees recognize the threats they actually face.

HailBytes SAT’s template system supports merge fields for per-client personalization. Build templates with variables for company name, internal system names, and sender identity. A single template becomes instantly reusable across clients by swapping the merge field values. Your red team builds templates once; your delivery team deploys them everywhere.

Screenshot: HailBytes SAT User Management page listing admin user with role and last login timestamp. Role-based User Management per client instance - give the client's security team read-only access while your analysts keep admin rights.

Reporting That Your Clients Will Actually Use

MSSPs live and die by their reports. HailBytes SAT exports campaign data as CSV, which gives you raw material but not a client-ready deliverable. The recommended approach: build a reporting template in your preferred tool (Google Slides, PowerPoint, or a BI dashboard) that pulls from HailBytes SAT’s CSV exports and auto-populates the metrics.

A strong MSSP phishing report includes five sections: executive summary (one paragraph, one key number), campaign details (template used, timing, target count), results breakdown (click rate, credential submission rate, time-to-click distribution), department comparison (which departments are most vulnerable), and recommendations (specific next steps with urgency ratings). The report should take 30 minutes or less to produce per client per month; if it takes longer, your template needs work.
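As an added example (not HailBytes code), the Python below computes the results-breakdown and department-comparison metrics named above from one campaign export. The column names and the sample rows are constructed assumptions, not the product's documented CSV schema; map them to the real export headers before use.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample export; the column names are assumptions, not the
# documented HailBytes SAT CSV schema. Empty cell = event did not happen.
SAMPLE_CSV = """email,department,sent_at,clicked_at,submitted_at
a@client.example,Finance,2026-01-12T09:00:00,2026-01-12T09:02:00,2026-01-12T09:03:00
b@client.example,Finance,2026-01-12T09:00:00,2026-01-12T09:30:00,
c@client.example,Finance,2026-01-12T09:00:00,,
d@client.example,Engineering,2026-01-12T09:00:00,,
e@client.example,Engineering,2026-01-12T09:00:00,2026-01-12T13:00:00,
f@client.example,Engineering,2026-01-12T09:00:00,,
g@client.example,Executive,2026-01-12T09:00:00,2026-01-12T09:10:00,2026-01-12T09:12:00
h@client.example,Executive,2026-01-12T09:00:00,,
"""

def _rate(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0

def summarize(csv_text):
    """Return overall and per-department metrics for one campaign export."""
    depts = defaultdict(lambda: {"targets": 0, "clicked": 0, "submitted": 0})
    minutes_to_click = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        d = depts[row["department"].strip() or "Unknown"]
        d["targets"] += 1
        if row["clicked_at"]:
            d["clicked"] += 1
            sent, clicked = (datetime.fromisoformat(row[c]) for c in ("sent_at", "clicked_at"))
            minutes_to_click.append((clicked - sent).total_seconds() / 60)
        if row["submitted_at"]:
            d["submitted"] += 1
    total = {k: sum(d[k] for d in depts.values()) for k in ("targets", "clicked", "submitted")}
    by_dept = sorted(((n, _rate(d["clicked"], d["targets"]), _rate(d["submitted"], d["targets"]))
                      for n, d in depts.items()), key=lambda r: r[1], reverse=True)
    return {
        "targets": total["targets"],
        "click_rate": _rate(total["clicked"], total["targets"]),
        "submit_rate": _rate(total["submitted"], total["targets"]),
        "median_minutes_to_click": median(minutes_to_click) if minutes_to_click else None,
        "clicked_within_10_min": sum(1 for m in minutes_to_click if m <= 10),
        "by_department": by_dept,  # (name, click %, submit %), highest click rate first
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_CSV))
```

Run it once per client instance so that each client's export is processed on its own and the per-client isolation described earlier carries through to the reporting step.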

For clients who want real-time visibility, HailBytes SAT’s web dashboard can be accessed directly. Set up a reverse proxy with HTTP basic auth or VPN access so the client’s security team can watch campaign results in real time without needing SSH access to the underlying instance. This self-service access reduces your support burden and makes clients feel ownership over their security awareness program.

Screenshot: HailBytes SAT Audit Logs page with Total Entries, Today, Warnings, Errors counters and JSON/CSV export buttons. Per-client Audit Logs - JSON and CSV exports, plus REST API and webhooks, plug straight into your MSP SIEM or client-facing reporting pipeline.

Pricing Your Phishing Simulation Service

The standard MSSP pricing model for phishing simulations is per-employee per-year, matching how the enterprise SaaS vendors price. The difference is your margins. If KnowBe4 charges $18–$30 per user and your cost basis with HailBytes SAT is roughly $435/mo per single-shape instance (regardless of user count), your margin on a 500-person client is substantial.

A typical MSSP tiered offering: Basic (quarterly campaigns, standard templates, summary report) at $2–$4 per user/year. Professional (monthly campaigns, industry-specific templates, department-level reporting, repeat offender tracking) at $5–$8 per user/year. Premium (monthly campaigns plus targeted spear-phishing for executives, custom templates, remediation coaching for repeat offenders, compliance-ready evidence packages) at $10–$15 per user/year.

At the Professional tier, a 1,000-person client generates $5,000–$8,000 in annual revenue against a single-shape infrastructure cost basis of ~$5,200/year and approximately 2–3 hours of analyst time per month for campaign execution and reporting. Above ~1,000 seats the unit economics get materially better; below ~500 seats most MSSPs run the Basic tier so the analyst-time line doesn’t eat the margin. The companion article on white-label SAT margin economics has the full P&L by seat band.

Reselling through AWS CPPO or Azure Multiparty Private Offer

The marketplace path most MSSPs miss until late in their evaluation is the channel-partner private-offer flow on both AWS and Azure. It is what lets you mark up the platform, capture the resale margin, and have the customer’s purchase still count toward their EDP or MACC commitment — without the customer having to onboard HailBytes as a new vendor.

  • AWS Channel Partner Private Offers (CPPO) — HailBytes (as the ISV / seller of record on the AWS Marketplace listing) authorizes you as a channel partner to extend a private offer to your end customer. You set the resale price (HailBytes wholesale + your margin) and the term. Your customer transacts through their own AWS account, the purchase decrements their AWS EDP or PPA commitment, and AWS routes the wholesale share to HailBytes and the resale margin to you. You stay the contracting party for service delivery.
  • Azure Multiparty Private Offer (MPO) — the Microsoft equivalent, launched on Azure Marketplace in 2024. HailBytes (ISV) + you (CSP / managed-service partner) + the customer transact through a single private offer. Customer purchase decrements their MACC, HailBytes is paid the wholesale share, you keep the resale margin. The Microsoft seller gets co-sell credit on the deal, which keeps them aligned with you on growing the account.

Practically: a 20-client portfolio running the Professional tier on single-shape deployments looks like ~$5,200/yr wholesale infra-and-meter per client. Add your 20–30% resale margin into the CPPO/MPO offer and your managed-service fee on top of that, and the entire stack still rolls onto one AWS or Azure invoice per client. The customer’s procurement team sees one line item; their CFO sees committed-spend drawdown; their CISO sees the audit-ready evidence packet. You see retained margin on the platform plus the managed-service ARR.

To get authorized to resell HailBytes through AWS CPPO or Azure MPO, register through the channel partner program — we issue resale authorization keyed to your AWS account ID or Azure tenant ID and can have your first private offer ready within a business day.

Build Your Phishing Simulation Practice

HailBytes SAT gives MSSPs the infrastructure to offer phishing simulation services at scale, with margins that per-seat SaaS platforms can’t match. Launch a dedicated instance per client in minutes.