HailBytes SAT

White-Label SAT Margin Economics: How MSSPs Price Phishing Simulations Profitably

April 23, 2026 • 9 min read

SAT · MSSP Margin Math

The most common reply we get from MSSP buyers evaluating HailBytes SAT is some variation of: “What does the white-label margin actually look like at scale?” It’s the right question. An MSSP isn’t buying a security awareness training platform to run on their own staff — they’re buying a billable line item they can attach to every SOC 2, HIPAA, and cyber-insurance compliance package they sell. The platform earns its place in that bundle on margin and renewal mechanics, not feature checklists.

This article walks through the unit economics: concrete pricing tiers, a sample 200-seat P&L, the renewal dynamics that make SAT one of the stickiest add-ons in an MSSP catalog, and the cost structure that lets you bid against KnowBe4 and Proofpoint without compressing margin to zero.

Why the per-seat SaaS model breaks for MSSPs

KnowBe4 and Proofpoint Security Awareness sell direct to enterprises at $18–$30 per user per year. When an MSSP tries to resell that, the math falls apart fast: you’re paying $18 in cost to sell something at $25 to your client, netting maybe $5–$7 per seat with all of the program-management cost coming out of that thin slice. At 500 client seats that’s $2,500–$3,500 of gross margin annually, and you still have to write the campaign calendar, build the report, sit on the kickoff call, and answer the auditor questions.

HailBytes SAT prices on infrastructure, not seats. Each AWS or Azure marketplace instance is a flat per-instance cost, regardless of how many users that instance handles. The cost basis stops scaling once you hit one instance per client. Your gross margin on a 500-seat client looks completely different when your input cost is the price of a single t3.medium-equivalent VM plus a marketplace subscription, instead of $18 × 500.

This is the structural reason MSSP-friendly white-label SAT works at margins per-seat SaaS vendors literally cannot match. They can’t cut their own pricing to your reseller cost without nuking their direct-sales motion. You can charge what the market bears and keep the spread.

Three pricing tiers MSSPs actually win with

The following tiers come from what we see MSSPs successfully selling on HailBytes SAT today. Adjust the numbers to your market, but the structure holds.

Tier 1 — Compliance Baseline ($2–$4 per user/year)

Quarterly phishing campaigns, standard template library, summary report sized for an auditor. This is the SKU you attach to every SOC 2 Type II and HIPAA engagement automatically. Most clients in this tier never look at the platform — they just need an evidence packet at audit time. Low touch, high attach rate. Margin lives in volume.

Tier 2 — Active Program ($5–$8 per user/year)

Monthly campaigns, industry-specific templates (healthcare, finance, SaaS), department-level reporting, repeat-offender tracking, and a recurring quarterly readout call with the client’s security or IT lead. This is the pricing tier where MSSPs build real recurring revenue. The client feels actively managed; you feel like you’re running a service, not just resending CSV exports.

Tier 3 — Premium / Executive Coverage ($10–$15 per user/year)

Everything in Tier 2, plus targeted spear-phishing campaigns for executives and finance teams, custom-branded templates per client, one-on-one remediation coaching for repeat offenders, and audit-ready evidence packages mapped specifically to SOC 2, HIPAA, ISO 27001, NIST CSF, or PCI DSS controls. This is the tier you sell into regulated industries and clients with cyber-insurance carriers asking pointed questions about user training.

Sample P&L: 200-seat client at the Active Program tier

Concrete numbers for a mid-market client on a single-tenant HailBytes SAT instance running in the MSSP’s AWS account, annualized.

Line item                                          Annual ($)
Revenue: 200 seats × $6/user/year                      +1,200
Setup fee (one-time, amortized year one)                 +500
HailBytes SAT marketplace subscription                   −360
AWS infrastructure (single instance + storage)           −180
Analyst time (~2 hr/mo at $90/hr loaded)               −2,160
Effective Tier 2 (small-client) gross margin           −1,000

That math says quietly what every MSSP service-line lead already knows: 200-seat clients are loss leaders at $6/user/year if you staff them with senior analyst time. The fix isn’t to charge more — the market won’t accept it on a 200-seat compliance-driven SKU. The fix is operational. Two changes flip this P&L:

  1. Move 200-seat clients to Tier 1 ($3/user/year, quarterly campaigns, automated reporting): revenue drops to $600 but analyst time drops to ~30 minutes per quarter (~$180/year). Now: $600 + $500 setup − $360 − $180 − $180 = $380 gross margin. Thin but positive, and the client renews automatically because their auditor demands it.
  2. Run Tier 2 only at 500+ seats: 500 × $6 = $3,000 revenue, same instance cost ($540 total infrastructure), analyst time scales to ~3 hr/mo because batching the bigger campaign is barely more work than the small one. $3,000 + $500 − $540 − $3,240 = break-even at $90/hr loaded analyst rate, ~$1,200 positive at $60/hr.

Where the Tier 2 model really earns its keep is at 1,000+ seats: $6,000 in annual revenue against the same single-instance cost basis ($540) and analyst time that scales sub-linearly because you’re running the same campaign cadence with bigger user lists. Net margin lands in the $2,500–$4,000 range per client, and every client at this tier is a multi-year compliance customer.

The renewal mechanics no one talks about

Most MSSP product lines have a renewal-rate problem. Endpoint detection, SOC monitoring, vulnerability scanning — clients churn out when budget tightens or a competitor underbids you on a renewal. Phishing simulation is structurally different.

  • The auditor demands it. SOC 2 Type II, HIPAA Security Rule, PCI DSS 12.6, ISO 27001 A.7.2.2, NIST CSF PR.AT — every framework your clients comply with explicitly requires periodic security awareness training. The client cannot drop the line item without a control-failure finding at their next audit.
  • The cyber-insurance carrier demands it. Since 2022, every major cyber-insurance carrier has added phishing simulation and user training as a required control on policy renewals. Dropping it means a higher premium or a denied claim, both of which cost the client more than the SAT line item.
  • The CFO can’t cut it without their CISO objecting on the record. Unlike most security spend, SAT has visible compliance evidence attached to every campaign. Cutting it requires the CFO to override the CISO in writing, which almost never happens.

The combined effect: MSSPs running HailBytes SAT report renewal rates above 95% on the SAT line item specifically, even when other parts of the bundle churn. This is the structural reason SAT is one of the highest-LTV add-ons an MSSP can attach. The platform cost is fixed, the revenue is multi-year, and the only way the client leaves is by leaving you for another MSSP — in which case they’re a churn problem, not a SAT problem.

Cost basis: why the marketplace billing path matters

The HailBytes SAT marketplace listing on AWS and Azure puts the platform cost into a billing channel your clients (and your own finance team) already accept. Three things this gets you that direct vendor billing doesn’t:

  • AWS / Azure committed-spend credits apply to the subscription. If you or your client has an Enterprise Discount Program (EDP) commitment, the SAT marketplace subscription burns down committed spend instead of coming out of opex. The effective cost basis drops.
  • Procurement gets out of the way. No new vendor onboarding, no security review for a new SaaS app, no MSA negotiation. The cloud provider has already done that work. Net deal velocity for the line item goes from weeks to a click.
  • Per-instance billing is predictable. Unlike per-seat SaaS where a client adding 50 users mid-year quietly increases your cost, an instance is an instance. You quote the client a per-seat rate and the unit economics don’t change underneath you.

What this means for your sales motion

Three concrete operational changes most MSSPs need to make to capture the margin this product structure makes available:

  1. Stop selling SAT à la carte. The product is a bundle attachment, not a standalone SKU. Every SOC 2 readiness engagement, every HIPAA program, every vCISO retainer should include SAT as a default line item the client opts out of, not into.
  2. Tier by client size, not feature. Use Tier 1 for sub-300-seat clients (compliance-driven, low-touch). Use Tier 2 for 300–1,500 seats (active program, where the margin lives). Use Tier 3 for 1,500+ seat clients and any client in a high-regulation industry (healthcare, financial services, defense supply chain).
  3. Charge a setup fee. A $500–$1,500 one-time setup fee covers your first-year analyst-time exposure on smaller clients and signals that you’re running a managed service, not a tool license. Clients who balk at a setup fee are the ones who will burn analyst time later in the relationship.

Run the Numbers on Your Client Base

If you want to scope what white-label HailBytes SAT looks like across your specific client portfolio — tier mix, infrastructure cost, expected gross margin — we’ll walk you through it on a 15-minute call. Or spin up a trial through the AWS or Azure marketplace and price it yourself.