SAT · MSSP
Margin Math
White-Label SAT Margin Economics
Concrete tier math, sample 200-seat P&L, and the renewal mechanics that make HailBytes SAT a high-margin add-on for client compliance bundles.
Read More →For MSSPs
Resources for MSSPs Running HailBytes SAT as a White-Label Service
Phishing simulation, training, and audit-ready reports under your brand. Built for managed security providers attaching SAT to client compliance bundles.
Why MSSPs run HailBytes SAT
Every MSSP client buying SOC 2 Type II, NIST CSF, HIPAA, PCI-DSS, or cyber-insurance compliance support (and ISO 27001 for international clients) is required to demonstrate periodic security awareness training and phishing simulation. The auditor demands it, the cyber-insurance carrier demands it, and increasingly the client’s board demands it. That means the SAT line item is one of the highest-attach, highest-renewal SKUs an MSSP can carry, provided the platform underneath it has the right cost structure.
Per-seat SaaS platforms like KnowBe4 and Proofpoint Security Awareness price for direct enterprise sales, not for white-label resale. By the time you mark up their per-seat license enough to cover your program-management cost, the client’s netting numbers that don’t justify the program. HailBytes SAT prices on infrastructure, not seats: one AWS or Azure marketplace instance handles unlimited users for a single client. The cost basis stops scaling once you hit one instance per client, so your gross margin on a 500-seat client looks completely different than it does on a per-seat reseller agreement.
The platform deploys to your AWS or Azure account (or the client’s, depending on your service model) in minutes via the marketplace listing. Each instance is a clean tenant boundary (no shared databases, no risk of campaign data crossing client lines) and tears down cleanly when a client churns. The reporting is CSV-exportable and feeds into whatever client-facing report template you already use.
The two conversations to have first
Most MSSPs evaluating HailBytes SAT need answers to two specific questions before they’ll commit to standing up the first client instance. We wrote articles on both:
- What does the white-label margin actually look like at scale? Concrete tier math, a sample 200-seat P&L showing why small clients are loss leaders without the right tier mix, and the renewal mechanics that drive >95% renewal rates on the SAT line item.
- How do you run multi-client deployments operationally? One-instance-per-client architecture, template management across clients, role-based access for client security teams, and the reporting cadence that scales without burning analyst time.
If you’d rather scope white-label terms on a call than read about it, the HailBytes SAT product page has a 15-minute demo slot. We’ll walk through your client portfolio and build a tier-mix recommendation on the call.
Which deployment topology fits your service model?
MSSPs land on one of three shapes depending on the client portfolio and tier mix. All three deploy from the official Terraform modules at github.com/HailBytes/hailbytes-terraform-modules (MPL-2.0):
- Single instance per client (~$435/mo all-in) — Terraform:
sat-aws-single/sat-azure-single. The classic white-label model. Each client gets a clean tenant boundary in either your AWS/Azure account or theirs. Best margin shape for clients under ~5,000 seats. Tears down cleanly on churn viaterraform destroy. - HA hot-hot per client (~$1,215/mo all-in) — Terraform:
sat-aws-ha/sat-azure-ha. For clients with formal uptime SLAs in their MSA (regulated industries, healthcare, financial services). Adds an ALB / Standard LB, Multi-AZ RDS / Zone-Redundant Postgres Flex, and shared Redis. Pre/post-patch SSM verifiers ship with the module so your rolling-update cadence is documented and auditable. - Auto-scaling (one tenant, many clients) (from ~$2,250/mo at 3-instance steady state) — Terraform:
sat-aws-autoscale/sat-azure-autoscale. For regional MSSPs serving 20+ clients from a single shared tenant. Read replicas, rolling instance refresh with auto-rollback on 5xx, ElastiCache shared session store. Scales linearly; common shape for MSSPs running 100+ campaigns/month.
Per-vCPU marketplace meter ($0.24/vCPU-hour) applies identically across all three; the delta is infrastructure, not licensing. Cross-cloud parity is intentional: AWS HA and Azure HA land within ~6% of each other at procurement-grade sizing. Full topology comparison and customer-shape examples →
Resell through AWS CPPO or Azure Multiparty Private Offer
The marketplace path most MSSPs miss until late in evaluation is the channel-partner private-offer flow on both clouds. It is what lets you mark up the platform itself, capture the resale margin, and have the customer’s purchase still count toward their EDP or MACC commit — without the customer having to onboard HailBytes as a new vendor:
- AWS Channel Partner Private Offers (CPPO) — HailBytes (ISV / seller of record on the marketplace listing) issues you a resale authorization keyed to your AWS account, scoped to SAT and/or ASM, with a minimum acceptable price. You create a private offer at your resale price (typically wholesale + 15–30% margin), the customer accepts from their AWS account, and AWS splits proceeds: wholesale share to HailBytes, resale margin to you. Customer purchase decrements their AWS EDP commit.
- Azure Multiparty Private Offer (MPO) — the Microsoft equivalent, launched on Azure Marketplace in 2024. Three parties on a single private offer: HailBytes + you + the customer. Microsoft Marketplace splits proceeds the same way, and the customer’s purchase decrements their MACC commit. The Microsoft account team gets co-sell credit, which keeps them aligned with you on growing the deal.
What that looks like in unit economics: on a 20-client portfolio running single-shape per-client deployments (~$5,220/yr each in HailBytes wholesale), a 20% CPPO/MPO resale margin is ~$20,880/year in pure resale margin, layered on top of your managed-service ARR with zero incremental service-delivery cost. Customer sees one cloud invoice; their CFO sees committed-spend drawdown; you keep the platform margin as well as the service margin.
Register on the partner program page with your AWS account ID or Azure tenant ID and we’ll issue resale authorization. First private offer usually ready within one business day. Full mechanics, worked examples, and procurement-language scripts are in the SAT Partner Brief and the ASM Partner Brief.
Going deeper: 25+ tenant resale and white-label substrate
The 20-client example above is the entry case for the CPPO/MPO motion. The full operational deep-dive — multi-year discount tiers (10/15%), volume bands (25-99, 100-499, 500-1199, 1200+), partner-billed ARR worked examples up to $42M at 5,000 tenants, and the white-label substrate (BrandingSettings, ProjectQuota, /billing/projects/) — lives on the dedicated partner resell page. If you are modeling a multi-tenant rollout above 25 tenants or evaluating the platform-fee white-label tier, that page is what you should be reading next.
If you are pre-selling to a client on a PoC window, the PoC process page documents the 14-day and 30-day scoping options, deliverables, and the four-stage rollout decision gates (PoC → 10 tenants → 100 tenants → 1,200+) that map directly to the volume bands above.
Articles for MSSPs
Multi-Client
Running Multi-Client Phishing Simulations at Scale
One-instance-per-client architecture, template management, per-client reporting, and pricing tiers that work for 20-client MSSP portfolios.
Read More →SAT vs KB4
Comparison
HailBytes SAT vs KnowBe4 vs Proofpoint
Honest feature-by-feature comparison covering pricing, deployment, customization, and reporting for MSSP white-label resale.
Read More →12-Month Plan
Program Design
12-Month Phishing Simulation Program
Month-by-month blueprint for a phishing program that progresses from baseline through advanced scenarios with audit-ready reporting milestones.
Read More →Measurement
Reading SAT Campaign Data Like a Security Engineer
Move beyond click rates: time-to-click, repeat offenders, and longitudinal trends that drive measurable security outcomes for clients.
Read More →SOC 2 / PCI
Compliance
Meeting SOC 2 and PCI-DSS with SAT and ASM
How to use HailBytes SAT and HailBytes ASM together to satisfy SOC 2 Type II, PCI-DSS, and ISO 27001 with auditor-ready evidence.
Read More →Q2 2026 — HailBytes ASM
ASM Now Has a Triage-First Dashboard Built for MSSP Operators
The Q2 2026 ASM release shipped a full dashboard redesign and multi-tenant management tooling explicitly designed for MSSP workflows.
Triage-First Dashboard
Redesigned for MSSP operators: triage banner with diff-from-last-scan summary, status-filtered findings at a glance, real-time scan progress bars, and attack-path visualization with MITRE ATT&CK badges — giving analysts a client-ready narrative beyond a CVE list.
Per-Client Quota & Retention
ProjectQuota enforces per-client target and scan ceilings across multi-tenant environments. Automatic 90-day scan history retention with durable ScanSnapshot aggregates keeps client SLA reporting intact even after data purges.
11 Compliance Frameworks (NA-first)
Ordered for US Enterprise procurement: SOC 2 CC7.x, NIST CSF 2.0, HIPAA, GLBA, PCI DSS 11.3, FedRAMP, NYDFS 500, and CIS Controls v8 IG1+IG2 (North American), then LGPD (Latin American), then ISO 27001:2022 and GDPR Art. 32 (global) — all generating exportable evidence reports your clients can hand to auditors.
Scope White-Label Terms or Try It Yourself
Spin up a 30-day free trial through the AWS or Azure marketplace, or book 15 minutes to walk through tier mix and white-label arrangements for your client portfolio.