White-Label SAT Margin Economics: How MSSPs Price Phishing Simulations Profitably

April 23, 2026

The most common question we get from MSSP buyers evaluating HailBytes SAT is some variation of: “What does the white-label margin actually look like at scale?” It’s the right question. An MSSP isn’t buying a security awareness training platform to run on its own staff. It’s buying a billable line item it can attach to every SOC 2, HIPAA, and cyber-insurance compliance package it sells. The platform earns its place in that bundle on margin and renewal mechanics, not feature checklists.

What follows is the unit economics: concrete pricing tiers, a sample 200-seat P&L, the renewal dynamics that make SAT one of the stickiest add-ons in an MSSP catalog, and the cost structure that lets you bid against KnowBe4 and Proofpoint without compressing margin to zero.

Why the per-seat SaaS model breaks for MSSPs

KnowBe4 and Proofpoint Security Awareness sell direct to enterprises at $18–$30 per user per year. When an MSSP tries to resell that, the math falls apart fast: you’re paying $18 in cost to sell something at $25 to your client, netting maybe $5–$7 per seat with all of the program-management cost coming out of that thin slice. At 500 client seats that’s $2,500–$3,500 of gross margin annually, and you still have to write the campaign calendar, build the report, sit on the kickoff call, and answer the auditor questions.

HailBytes SAT prices on infrastructure, not seats. The marketplace meter is $0.24/vCPU-hour on both AWS Marketplace and Azure Marketplace, and a single 2-vCPU instance handles unlimited users for one client. All-in that’s ~$435/month for the single-shape deployment (infra ~$85 + meter ~$350) regardless of whether you’re running 50 seats or 5,000. The cost basis stops scaling once you hit one instance per client. Your gross margin on a 500-seat client looks completely different when your input cost is fixed at ~$5,200/year per client instead of $18 × 500.

This is the structural reason MSSP-friendly white-label SAT works at margins per-seat SaaS vendors literally cannot match. They can’t cut their own pricing to your reseller cost without nuking their direct-sales motion. You can charge what the market bears and keep the spread.

Three pricing tiers MSSPs actually win with

The following tiers come from what we see MSSPs successfully selling on HailBytes SAT today. Adjust the numbers to your market, but the structure holds.

Tier 1: Compliance Baseline ($2–$4 per user/year)

Quarterly phishing campaigns, standard template library, summary report sized for an auditor. This is the SKU you attach to every SOC 2 Type II and HIPAA engagement automatically. Most clients in this tier never log into the platform. They just need an evidence packet at audit time. Low touch, high attach rate, and margin that lives in volume.

Tier 2: Active Program ($5–$8 per user/year)

Monthly campaigns, industry-specific templates (healthcare, finance, SaaS), department-level reporting, repeat-offender tracking, and a recurring quarterly readout call with the client’s security or IT lead. This is the pricing tier where MSSPs build real recurring revenue. The client feels actively managed; you feel like you’re running a service, not just resending CSV exports.

Tier 3: Premium / Executive Coverage ($10–$15 per user/year)

Everything in Tier 2, plus targeted spear-phishing campaigns for executives and finance teams, custom-branded templates per client, one-on-one remediation coaching for repeat offenders, and audit-ready evidence packages mapped specifically to SOC 2, HIPAA, ISO 27001, NIST CSF, or PCI DSS controls. This is the tier you sell into regulated industries and clients with cyber-insurance carriers asking pointed questions about user training.

Sample P&L: 200-seat client at the Active Program tier

Concrete numbers, mid-market client, single-shape HailBytes SAT instance running in the MSSP’s AWS or Azure account (procurement-grade m6i.large / Standard_D2s_v5, 2 vCPU). Annualized. Pricing per COST_SHAPES.md in the Terraform modules repo.

| Line Item | Annual ($) |
|---|---|
| Revenue: 200 seats × $6/user/year | +1,200 |
| Setup fee (one-time, amortized year one) | +500 |
| HailBytes per-vCPU meter (2 vCPU × 730h × $0.24) | −4,200 |
| Cloud infrastructure (instance + storage) | −1,000 |
| Analyst time (~2 hr/mo at $90/hr loaded) | −2,160 |
| Effective Tier 2 (small-client) gross margin | −5,660 |

That math says loudly what every MSSP service-line lead already knows: small clients on the single-shape deployment do not work at $6/user/year if you carry the marketplace meter yourself. There are two ways out, and most MSSPs blend them:

  1. Pass the marketplace meter through to the client via AWS CPPO or Azure MPO. The client buys the marketplace subscription on their own AWS / Azure invoice (under your resale authorization), pays the per-vCPU meter from their EDP/MACC committed spend, and you charge a clean managed-service fee on top. That removes ~$5,200/yr of platform cost from your P&L and routes it through the customer’s committed cloud budget. Your gross margin on the 200-seat client goes from −$5,660 to −$460, and a $500–$1,500 setup fee lands you positive in year one. Most MSSPs run small clients exclusively this way.
  2. Move 200-seat clients to Tier 1 ($3/user/year, quarterly campaigns, automated reporting) and pass the meter through. Revenue $600 + $500 setup − $720 analyst time (~$60/hr at 1 hr/mo) = $380 gross margin. Thin but positive, and the client renews automatically because their auditor demands it.
  3. Run Tier 2 only at 1,000+ seats when you absorb the meter: 1,000 × $6 = $6,000 revenue against ~$5,200/yr platform cost and 2 hr/mo analyst time (~$2,160). Net ~−$1,360 if you eat the meter, but with CPPO/MPO pass-through the platform line disappears and you net ~+$3,840 gross.

Where the model really earns its keep is at 2,000+ seats with the meter passed through via CPPO/MPO: 2,000 × $6 = $12,000 in annual managed-service revenue, the same fixed analyst-time line ($2,160), and the customer carries the per-vCPU meter on their committed cloud spend. Net margin lands in the $8,000–$10,000 range per client, and every client at this tier is a multi-year compliance customer.

For clients that need an uptime SLA (regulated industries, healthcare, financial services), step up to the HA hot-hot shape (~$1,215/mo all-in) and price the bundle higher to match. Or, for MSSPs running 20+ clients off shared infrastructure, the auto-scaling shape (~$2,250+/mo at 3-instance steady state) amortizes the platform line across the whole book rather than per client. The right shape is a function of the SLA the client wants, not the seat count.

The renewal mechanics no one talks about

Most MSSP product lines have a renewal-rate problem. Endpoint detection, SOC monitoring, vulnerability scanning: clients churn out when budget tightens or a competitor underbids you on a renewal. Phishing simulation is structurally different.

  • The auditor demands it. SOC 2 Type II, HIPAA Security Rule, PCI DSS 12.6, ISO 27001 A.7.2.2, NIST CSF PR.AT: every framework your clients comply with explicitly requires periodic security awareness training. The client cannot drop the line item without a control-failure finding at their next audit.
  • The cyber-insurance carrier demands it. Since 2022, every major cyber-insurance carrier has added phishing simulation and user training as a required control on policy renewals. Dropping it means a higher premium or a denied claim, both of which cost the client more than the SAT line item.
  • The CFO can’t cut it without their CISO objecting on the record. Unlike most security spend, SAT has visible compliance evidence attached to every campaign. Cutting it requires the CFO to override the CISO in writing, which almost never happens.

Add it up and the picture is clear: MSSPs running HailBytes SAT report renewal rates above 95% on the SAT line item specifically, even when other parts of the bundle churn. That makes SAT one of the highest-LTV add-ons an MSSP can attach. The platform cost is fixed, the revenue is multi-year, and the only way the client leaves the line item is by leaving you for another MSSP, at which point they’re a churn problem rather than a SAT problem.

Cost basis: why the marketplace billing path matters

The HailBytes SAT marketplace listing on AWS and Azure puts the platform cost into a billing channel your clients (and your own finance team) already accept. Three things this gets you that direct vendor billing doesn’t:

  • AWS EDP / Azure MACC committed-spend credits apply to the marketplace subscription. If your client has committed cloud spend they need to draw down, the SAT per-vCPU meter burns it down instead of coming out of discretionary opex. That alone closes deals that would have stalled at procurement.
  • Procurement gets out of the way. No new vendor onboarding, no security review for a new SaaS app, no MSA negotiation. The cloud provider has already done that work. Net deal velocity for the line item goes from weeks to a click.
  • Per-instance billing is predictable. Unlike per-seat SaaS where a client adding 50 users mid-year quietly increases your cost, an instance is an instance. You quote the client a per-seat rate and the unit economics don’t change underneath you.

The CPPO / MPO move: where the real MSSP margin lives

The biggest unlock for MSSPs running HailBytes SAT isn’t the per-vCPU price — it’s the channel-partner private-offer path on both clouds. AWS Channel Partner Private Offers (CPPO) and Azure Multiparty Private Offer (MPO) let HailBytes (the ISV / seller of record on the marketplace listing) authorize you as a reseller to extend a private offer to your end customer. You set the resale price — HailBytes wholesale plus your margin — and the term. The customer transacts through their own AWS or Azure account, the purchase decrements their EDP / MACC committed spend, and the cloud provider splits the revenue: HailBytes gets the wholesale share, you keep the resale margin.

What this means for the unit economics:

  • The ~$5,200/yr per-client platform line in the P&L above moves to the customer’s cloud invoice. Your gross margin column above immediately improves by ~$5,200/yr per client.
  • You add a 20–30% resale margin on top of HailBytes wholesale inside the private offer. On a 20-client portfolio at ~$5,200/yr each, that’s an additional $21K–$31K of pure resale margin per year without any service delivery work behind it.
  • You keep your managed-service ARR on top of that — campaign management, reporting, remediation coaching. Those services bill on your own MSA, not through the marketplace.
  • The customer sees one cloud invoice with one private-offer line item. The Microsoft or AWS account team gets co-sell credit, which makes them allies on growing the deal. Procurement sees committed-spend drawdown rather than a new vendor relationship.

Setting up CPPO / MPO authorization is the lowest-effort, highest-leverage operational change an MSSP running HailBytes SAT can make. Register on the partner program page with your AWS account ID or Azure tenant ID and we’ll issue resale authorization — first private offer usually ready within one business day.

What this means for your sales motion

Three concrete operational changes most MSSPs need to make to capture the margin this product structure makes available:

  1. Stop selling SAT à la carte. The product is a bundle attachment, not a standalone SKU. Every SOC 2 readiness engagement, every HIPAA program, every vCISO retainer should include SAT as a default line item the client opts out of, not into.
  2. Tier by client size, not feature. Use Tier 1 for sub-300-seat clients (compliance-driven, low-touch). Use Tier 2 for 300–1,500 seats (active program, where the margin lives). Use Tier 3 for 1,500+ seat clients and any client in a high-regulation industry (healthcare, financial services, defense supply chain).
  3. Charge a setup fee. A $500–$1,500 one-time setup fee covers your first-year analyst-time exposure on smaller clients and signals that you’re running a managed service, not a tool license. Clients who balk at a setup fee are the ones who will burn analyst time later in the relationship.

Run the Numbers on Your Client Base

If you want to scope what white-label HailBytes SAT looks like across your specific client portfolio (tier mix, infrastructure cost, expected gross margin), we’ll walk you through it on a 15-minute call. Or spin up a trial through the AWS or Azure marketplace and price it yourself.