Best option for MSPs: unlimited users or per-seat billing?
Best option for MSPs: compare unlimited users and per-seat billing by margin, coverage, reporting, and client growth.
DefendWise
DefendWise
TL;DR
The best option for MSPs choosing unlimited users or per-seat billing depends on the service model.
If security awareness training is sold as a fixed-fee managed service, unlimited users usually fits better because user growth does not automatically tax margin. If training is resold as a separate per-user line item, per-seat billing can work, as long as every added user is billed back cleanly.
The wrong model is the one that makes an MSP choose between full coverage and margin.
For most MSPs trying to bundle SAT across many clients, pricing has to support 3 things: predictable cost, broad user coverage, and low admin drag.
What unlimited users or per-seat billing means for MSPs
MSPs do not buy security awareness training the way a single company buys it.
A direct buyer asks, "How many employees do we have?" An MSP asks a harder question: "How do I package this across 10, 30, or 100 clients without turning every new hire into a margin event?"
That is why the billing model matters.
Per-seat billing
Per-seat billing charges by user, learner, employee, or active account. The language varies by vendor.
KnowBe4 says its security awareness subscription is a "monthly per seat price, billed annually" on its security awareness training pricing page. Huntress describes its SAT pricing as a per-learner, per-month subscription billed annually, with active-user handling as part of the model.
That can be fair. A vendor carries more usage as user count grows, and some buyers prefer a unit cost they can map back to each client.
The MSP problem starts when the vendor bills per user but the MSP sells fixed monthly value.
Active-user pricing
Active-user pricing is a better version of per-user billing when inactive accounts are excluded automatically. Huntress, for example, talks about a per-active-user model with daily directory syncs.
That reduces waste. It does not remove the link between client headcount and MSP cost.
If a client grows from 80 users to 120 users, the MSP still has a larger underlying training bill unless the contract passes that cost through.
Unlimited user pricing
Unlimited user pricing removes the seat count from the monthly price, usually subject to fair-use terms.
For an MSP, that changes the packaging logic. The MSP can include every relevant user without asking whether a marginal seat is worth the cost. Growth still matters for service delivery, reporting, and support, but it does not automatically raise the SAT licence bill.
That matters when SAT is bundled into a managed security package.
Flat-fee MSP pricing
A flat-fee MSP model goes one step further: one predictable monthly platform cost for the MSP, built around multi-client delivery.
Defendwise uses this model: $399/month flat pricing, unlimited users, fair-use terms, multi-tenant management, and white-label delivery.
The point is not that every MSP should buy the same way.
The point is that SAT pricing should match how the MSP earns margin.
Why per-seat billing becomes a margin problem
Per-seat billing looks tidy in a spreadsheet.
One user. One price. Multiply.
MSP services are messier than that.
A client hires 9 people mid-contract. A seasonal workforce comes online. A client forgets to tell the MSP about new starters. A vCISO asks for everyone with email access to be in scope. An insurer asks whether all staff receive phishing training.
Each of those moments creates a decision.
Do you add the users and absorb the cost? Do you bill the client for a small seat increase? Do you train only the people already licensed? Do you wait until renewal?
None of those answers is free.
The simple margin math
Here is a plain example.
An MSP supports 40 clients with an average of 35 trained users each. That is 1,400 users.
At $2 per user per month, the training platform costs $2,800 per month. If the client base grows 20%, the same unit price becomes $3,360 per month before any extra admin time.
If the MSP sells SAT as a pass-through line item, that may be fine.
If SAT is bundled into a fixed managed security package, that $560 increase comes out of margin unless the MSP has a clean way to bill it back.
Now add admin.
Someone has to reconcile users, answer client questions, chase overdue learners, pull reports, and fix exceptions. Even if the vendor has strong content, the MSP still owns the service outcome.
That is the seat tax: the combined cost of user growth, licence reconciliation, and service admin inside a fixed-fee MSP model.
Per-seat billing can discourage full coverage
The worst outcome is not a higher invoice.
The worst outcome is rationed coverage.
CISA warns small and medium businesses that phishing is often the entry point for stolen credentials, ransomware, and harmful links, and says ongoing reinforcement matters because once-a-year training is not enough. CIS Control 14 says organisations should establish and maintain a security awareness program for the workforce, with training at hire and at least annually, and with completion measures tracked across workforce members in CIS Control 14.
That language points toward broad coverage, not selective licensing.
If pricing makes an MSP think twice before adding a part-time admin, field worker, finance assistant, or executive assistant, the pricing model is shaping the risk model.
That is backwards.
Unlimited users vs per-seat billing: MSP comparison table
Use this table before comparing vendor demos.
| Question | Unlimited users / flat fee | Per-seat or active-user billing | What the MSP should watch |
|---|---|---|---|
| Cost predictability | Monthly platform cost is easier to forecast when user counts grow. | Cost rises with user count, contract terms, or active learners. | Match billing to how clients are charged. |
| Full coverage | Easier to include every relevant user by default. | Coverage can be narrowed to control cost. | Do not let licensing define the risk boundary. |
| MSP margin | Better fit for fixed-fee bundles and standard packages. | Better fit for pass-through resale or itemised client billing. | Check whether seat growth becomes unrecovered COGS. |
| Admin load | Less need to reconcile small seat changes for billing. | User lifecycle accuracy affects both cost and evidence. | Directory sync helps, but reconciliation still matters. |
| Client growth | Growth can improve margin if package revenue scales while licence cost stays flat. | Growth usually increases vendor cost. | Decide how mid-term growth is billed. |
| Compliance evidence | Broad coverage is easier to defend in audit, insurance, and QBR contexts. | Evidence can be strong if every in-scope user is licensed and tracked. | Partial coverage creates awkward proof gaps. |
| Sales packaging | Simple to explain: SAT included for all users in the package. | Easy to price per user when clients expect line-item billing. | Avoid quotes that need too many footnotes. |
| Vendor fit | Needs fair-use clarity, multi-tenancy, and MSP-first reporting. | Needs strong sync, minimum clarity, and renewal discipline. | The model is only good if operations hold up. |
There is no universal winner.
There is a common mismatch: per-seat vendor cost inside a fixed-fee MSP bundle.
That mismatch is where margin disappears.
What frameworks and clients actually expect
Most client questions about SAT are not really about the vendor.
They are about proof.
- Did everyone in scope receive training?
- Can the client show completion?
- Is the content current enough for the risk?
- Can the MSP produce reports without scrambling?
- Does the program support insurance, audit, or QBR conversations?
NIST's SP 800-50 Rev. 1 describes a lifecycle approach to a cybersecurity and privacy learning program in Building a Cybersecurity and Privacy Learning Program. NIST CSF 2.0 also includes awareness and training under the Protect function in the Cybersecurity Framework 2.0.
ISO 27001:2022 Annex A 6.3 covers information security awareness, education, and training. ISMS.online summarises the control as requiring personnel and relevant stakeholders to be suitably educated for their information security responsibilities in its Annex A 6.3 explainer.
The commercial takeaway for MSPs is simple: proof gets weaker when coverage gets narrower.
A per-seat model can still support strong evidence. The MSP just has to keep every in-scope user licensed, synced, trained, and reportable.
Unlimited user pricing makes that easier because the MSP does not need to treat every user as a cost exception.
How to choose the best option for your MSP
Do this before asking for another demo.
1. Define how SAT is sold
Start with packaging.
Is SAT included in a managed security bundle? Is it an add-on? Is it resold per client? Is it used to support vCISO, compliance, or cyber insurance work?
If SAT is bundled, predictable cost matters. If SAT is itemised, per-seat billing may fit.
2. Map the users who should be covered
List the user groups that should receive training.
Include full-time staff, part-time staff, executives, finance users, new starters, contractors with access, and any other workforce group the client expects to include.
Then ask the uncomfortable question: would you train all of them if each added user raised your vendor bill?
If the honest answer is no, the pricing model is already influencing coverage.
3. Check the contract mechanics
Per-seat billing can work when contract mechanics are clean.
You need to know:
- Minimum seat commitments.
- Annual versus monthly billing.
- Mid-term true-up rules.
- How inactive users are handled.
- Whether user counts are synced automatically.
- Whether add-ons change the real cost.
- What happens at renewal.
KnowBe4 and Huntress both publish useful pricing-model language, but MSPs still need current quotes, partner terms, and renewal details before making a decision.
4. Count admin, not only licence
A cheaper seat price can still become expensive if the MSP has to babysit the service.
Look at the work behind the invoice:
- Tenant creation.
- User import and offboarding.
- Reminder emails.
- Exception handling.
- Report exports.
- Client branding.
- QBR evidence.
- Insurance questionnaire support.
The best pricing model is the one that protects both gross margin and team time.
5. Decide how client growth is handled
Every MSP has clients that grow.
Decide now whether growth triggers:
- An automatic client bill increase.
- A quarterly true-up.
- A package-tier move.
- No change until renewal.
- A margin hit absorbed by the MSP.
If nobody owns that answer, finance discovers the problem later.
6. Test the QBR story
Ask what the client sees at review time.
A good SAT package should show coverage, completion, overdue users, campaign activity, and next actions. It should not require a technician to rebuild evidence from 6 exports.
Reporting is part of the product the MSP sells, even when the vendor does not price it separately.
7. Pick the model that supports the behaviour you want
If you want every client fully covered, pick a model that makes full coverage natural.
If you want SAT to become a standard part of your managed security package, pick a model that sales can explain quickly.
If you want clean pass-through resale, per-seat pricing may be fine.
Do not pick a billing model that rewards under-training.
What good looks like in an MSP SAT package
The best option for MSPs is not only a pricing answer.
It is an operating model.
Full user coverage by default
A strong MSP package treats security awareness as a baseline service.
That means the default answer is yes when a client asks to add users who have meaningful access.
Multi-tenant control
MSPs need client separation.
One client should not bleed into another client's reports, branding, user list, or training status. A multi-tenant setup also helps the MSP manage a fleet without logging into a pile of separate client instances.
White-label delivery
If the MSP sells the service, the client experience should reinforce the MSP's brand.
White-label training, branded reports, and client-facing materials help keep the commercial relationship clear.
Reporting that supports proof
CIS, NIST, ISO, cyber insurance, and QBRs all push the MSP toward proof.
The report needs to answer who was covered, who completed training, who is overdue, what was assigned, and what changed since last time.
Pricing sales can explain
The pricing story matters because sales has to use it.
"Security awareness is included for all users in your package" is easier to sell than "training is included up to a seat threshold, with exceptions, add-ons, and annual true-ups."
There are times when the second answer is appropriate.
It is just harder to operate.
Common mistakes when comparing unlimited users and per-seat billing
Mistake 1: treating the lowest starting quote as the best option
A low per-user quote can look good at 100 users and painful at 1,000.
The only fair comparison is total cost at current user count, expected growth, admin time, reporting needs, and renewal terms.
Mistake 2: ignoring minimums and annual billing
Monthly per-seat language does not always mean monthly commitment.
KnowBe4 describes a monthly per-seat price billed annually. Huntress describes per-learner, per-month pricing billed annually. Those models may be perfectly reasonable, but the MSP should compare cash flow and commitment, not only the unit label.
Mistake 3: assuming active-user pricing removes the seat tax
Active-user pricing can reduce waste. It can also make user management cleaner.
It still charges by user.
For a fixed-fee MSP bundle, the margin question remains: who pays when active users rise?
Mistake 4: letting pricing narrow the training scope
This is the quiet failure.
The MSP trains the obvious users and leaves edge users out because they are "not worth another seat." Then an audit, insurance questionnaire, or incident review asks who was covered.
A pricing model should support the risk decision, not override it.
Mistake 5: forgetting the market is moving toward more training demand
Security awareness training is not shrinking.
Mordor Intelligence estimates the security awareness training market at USD 6.74 billion in 2026 and projects growth to USD 14.66 billion by 2031 in its market analysis. Verizon's DBIR page continues to describe human elements such as phishing, social engineering, and stolen credentials as common causes in breach analysis in its DBIR resource hub.
More demand usually means more coverage, more proof, and more client questions.
MSPs need a billing model that can handle that pressure.
So, which is better for MSPs?
Choose unlimited users or flat-fee pricing when:
- SAT is bundled into managed security.
- You want full coverage without seat rationing.
- Clients are growing or changing headcount often.
- Your sales team needs a simple package story.
- You want to protect gross margin as adoption grows.
- You need to support QBRs, insurance, and compliance evidence across many clients.
Choose per-seat or active-user billing when:
- SAT is sold as a separate line item.
- Every seat is billed back to the client.
- Client headcount is stable.
- Your billing operations can handle true-ups cleanly.
- The vendor's content, reporting, or partner terms justify the model.
- You are comfortable with user growth raising vendor cost.
That is the fair comparison.
Per-seat billing is not bad. It is just dangerous when it is hidden inside fixed-fee MSP economics.
Unlimited user pricing is not magic. It still needs fair-use clarity, multi-tenant operations, reporting, and client-ready packaging.
But if the goal is to train more users across more clients without rebuilding the quote every time headcount changes, unlimited users is usually the cleaner MSP answer.
How Defendwise fits
Defendwise is built for MSPs that want SAT to behave like an MSP service: predictable cost, broad coverage, white-label delivery, and centralised management.
It is $399/month, with unlimited users, multi-tenant management, white-label delivery, automation, and automated reports.
If your current SAT model makes every new user feel like a margin decision, start there.
Frequently asked questions
What is the best option for MSPs, unlimited users or per-seat billing?
The best option depends on the MSP's service model. Unlimited users usually fits fixed-fee managed security bundles because the MSP can include every relevant user without a matching licence increase.
Per-seat billing can fit when training is resold as a separate line item and every added user is billed back to the client.
Why can per-seat billing hurt MSP margins?
Per-seat billing ties vendor cost to client headcount. If the MSP sells SAT inside a fixed managed service fee, user growth increases cost unless the MSP has a clean true-up or pass-through process.
That is the seat tax: user growth creates margin pressure even when the client package price stays the same.
Is unlimited user pricing always cheaper?
No. Unlimited user pricing is not automatically cheaper for a very small MSP or a narrow pilot.
It becomes more attractive when the MSP has many clients, growing user counts, broad coverage expectations, or a bundled service model where predictable cost is valuable.
When does per-seat SAT pricing make sense?
Per-seat SAT pricing makes sense when the MSP resells training per user, client headcount is stable, user sync is clean, and every additional seat is billed back.
It can also make sense when a vendor's content, reporting, or partner program is worth the cost structure.
What should MSPs compare besides licence price?
Compare total operating cost.
That includes admin time, tenant separation, reporting, white-label needs, user lifecycle work, annual billing, minimum commitments, renewal terms, and whether the model supports full coverage.
How does security awareness pricing affect compliance evidence?
Pricing affects who gets trained.
If a pricing model discourages full coverage, the MSP may end up with weaker evidence for clients that need proof for CIS Control 14, NIST CSF, ISO 27001, cyber insurance, or QBRs.
How does Defendwise price security awareness training for MSPs?
Defendwise is $399/month for MSPs with unlimited users, flat-fee pricing, multi-tenant management, white-label delivery, and fair-use terms.
That model helps MSPs package SAT without turning every new user into a per-seat margin decision.
Source notes
External source URLs used or checked:
- https://www.knowbe4.com/products/security-awareness-training/pricing
- https://www.huntress.com/pricing/sat
- https://www.huntress.com/platform/security-awareness-training/purpose-built-and-headache-free
- https://www.usecure.io/en/partner/uservice
- https://usecure.io/pricing
- https://www.cisa.gov/audiences/small-and-medium-businesses/secure-your-business/teach-employees-avoid-phishing
- https://cas.docs.cisecurity.org/en/latest/source/Controls14/
- https://csrc.nist.gov/pubs/sp/800/50/r1/final
- https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-csf-20/final
- https://www.isms.online/iso-27001/annex-a-2022/6-3-information-security-awareness-education-training-2022/
- https://www.verizon.com/business/resources/reports/dbir/
- https://www.mordorintelligence.com/industry-reports/security-awareness-training-market
- https://www.reddit.com/r/msp/comments/ycq7pa/cyber_awareness_per_user_charge/