How MSPs can bundle security awareness training without losing margin
Bundle security awareness training into MSP packages without seat-count fights, margin leakage, or another admin job.

DefendWise
TL;DR
Bundling security awareness training is not mainly a content problem. It is a packaging problem.
MSPs can make SAT part of every managed service package when the cost model is predictable, the client-facing experience is branded, and the delivery workflow does not create a new admin queue. The danger is buying SAT per user, selling it as a fixed managed service, and hoping user counts, client onboarding, reminders, and reports do not quietly eat the margin.
The safe model is simple: define the package, protect the commercial boundary, standardize delivery, and link the offer to a flat-fee platform built for MSPs.
The wrong question: “Can we afford to include SAT?”
Most MSPs ask the SAT question too late.
They already have a managed security package. They already have clients asking about phishing, cyber insurance, onboarding, and employee mistakes. They already know a yearly slide deck does not look like a serious security service.
Then the question becomes: “Can we afford to include security awareness training for everyone?”
That question sounds commercial, but it is usually a packaging problem in disguise. If the MSP pays for SAT per user and sells managed services at a fixed monthly fee, every user added to the platform can become a small vendor cost the MSP did not price properly. One client growing from 30 users to 45 users is not the issue. The issue is that the same pattern repeats across the book.
Security awareness training should be easier to include than another endpoint agent or a complex professional service. NIST defines awareness training as the foundational cybersecurity or privacy training program for all personnel, designed to help people understand their role in protecting information, cybersecurity, and privacy assets. The FTC also tells small businesses to train staff regularly and track participation as part of making security business as usual.
For an MSP, that makes SAT a natural part of the service stack. The question is not whether it belongs. The question is whether the MSP can include it without turning a good security idea into a margin leak.
The packaging economics of SAT for MSPs
Bundled SAT works when 4 layers line up.
| Layer | What the client sees | What the MSP must protect |
|---|---|---|
| Commercial package | “SAT is included in our managed security plan.” | Margin does not fall every time users are added. |
| Delivery model | “Our people get regular training and phishing readiness.” | Setup, reminders, reporting, and onboarding are repeatable. |
| Brand experience | “This is my MSP helping us reduce human risk.” | The MSP, not the vendor, owns the client relationship. |
| Proof and reporting | “We can see participation and evidence.” | Reporting does not become spreadsheet work before every QBR. |
If one layer breaks, the bundle becomes awkward.
If the commercial package is fixed but the vendor cost is variable, the MSP owns the seat tax. If delivery is manual, every new client creates recurring work. If the training portal is vendor-branded, the MSP loses some of the relationship value it is trying to build. If reports need manual cleanup, QBR proof becomes another task list.
That is why this article is not another per-seat-vs-flat-fee comparison. The pricing model matters, but only because it affects the whole package.
An MSP owner should be able to answer one question before adding SAT to a plan:
If every client said yes, would this service get more profitable, or just busier?
Where margin leakage actually starts
Margin leakage rarely announces itself.
It usually comes from small mismatches between how the MSP buys the service and how the MSP sells it.
Mixed pricing
The most common mismatch is simple: the MSP sells a fixed managed service but buys SAT on a per-user basis.
Per-user pricing can be reasonable when the MSP passes the cost through cleanly or sells its own package per user. It becomes risky when SAT is “included” and the contract does not account for user growth, seasonal workers, contractors, client acquisitions, or user-list cleanup.
That is when a training product becomes a cost that moves faster than the client package.
Seat-count conversations
Seat-count admin is not only a billing problem. It changes the sales conversation.
If every extra learner creates a vendor charge, the MSP has to decide who gets covered, who is excluded, and when to true up. That can turn a simple security service into a coverage negotiation. It also creates the wrong incentive: limiting training to protect margin.
For a service that is supposed to improve client-wide security behavior, that is the wrong pressure.
Client-by-client setup
A bundled service should not require the MSP to rebuild the campaign for each client from scratch.
A good MSP delivery model needs reusable defaults: baseline modules, onboarding flows, reminder logic, reporting cadence, and client-specific settings only where they matter. CISA’s anti-phishing program support description is useful here because it frames the operating work clearly: program management, simulated phishing support, dashboards, and reporting. Those are real service components, not afterthoughts.
If the MSP has to touch every component manually for every client, the bundle is not scalable yet.
Reporting drag
Reporting is where good bundles often become noisy.
Clients want evidence that training is happening. MSPs want QBR material, cyber insurance support, and a way to show that human-risk work is active. But if every report requires export, cleanup, interpretation, and a custom client deck, the service becomes more labor-heavy than the sales deck promised.
The MSP does not need to overclaim outcomes. It does need a repeatable way to show participation, gaps, and next actions.
A safer way to bundle SAT
The safest way to package SAT is to make the offer boringly clear.
Not vague. Not over-engineered. Clear.
1. Decide where SAT sits in the package
SAT should not float around as a random add-on.
Pick the role it plays:
- Included in every managed security package.
- Included only in premium packages.
- Sold as a standard add-on with a fixed monthly price.
- Bundled into a cyber insurance or compliance-readiness package.
- Used as a white-label service under the MSP’s brand.
For most MSPs, the strongest commercial position is inclusion inside a managed security package. It makes SAT part of the MSP’s standard of care, not a discretionary training add-on clients can remove when budgets tighten.
But inclusion only works if the MSP’s own cost model stays predictable.
2. Define coverage in client language
The client should not need to understand your vendor billing model.
Write the coverage rule in normal language:
- All active client employees.
- New starters added through onboarding.
- Admins, contractors, and seasonal users where the client treats them as part of the workforce.
- Client organizations and subclients where the MSP manages them as part of the service.
That language should be paired with a fair-use boundary. A fair-use policy is not the enemy of unlimited pricing. It is what keeps a flat-fee model honest.
DefendWise’s fair-use posture is built around this idea: MSPs running SAT for their real clients should train every user at every client site. The policy exists to stop abuse, not to turn normal MSP growth back into per-seat billing.
3. Separate the client promise from the vendor mechanics
Clients buy a service outcome. They do not need a line-by-line view of the MSP’s tool stack.
A good SAT bundle might promise:
- recurring security awareness training;
- phishing readiness support;
- branded learner experience;
- onboarding for new users;
- participation and progress reporting;
- evidence that supports QBRs or client security reviews.
It should not promise unsupported outcomes the MSP cannot prove or control. Those claims need evidence and can create avoidable risk.
The public promise should be operational and defensible: this is how the MSP includes, delivers, and reports SAT.
4. Use one delivery pattern across clients
The more each client gets a custom SAT process, the harder the bundle is to scale.
Standardize the base pattern:
- Default training path for all users.
- New-user onboarding through directory sync or a repeatable user import process.
- Reminder cadence for incomplete training.
- Reporting rhythm for account reviews.
- Escalation path for exceptions.
- Client-facing language the MSP can reuse.
Then customize only the parts that matter: brand, client organization, reporting audience, and specific risk focus.
This is where multi-tenant SAT matters. Multi-tenant control is not a feature checklist item. It is the operating structure that lets an MSP manage many client organizations from one place.
5. Make the MSP brand visible
If SAT is part of the MSP package, the client experience should look like the MSP’s service.
That means the visible surfaces matter:
- portal;
- emails;
- reports;
- certificates;
- login URL;
- client-facing exports.
White-label delivery is not vanity. It protects the MSP’s role in the relationship. If the training portal, email reminders, and reports all point back to the vendor, the client learns the vendor’s name at the exact moment the MSP is trying to prove service value.
A branded experience helps the MSP make SAT feel like part of the managed service, not an outsourced tool bolted onto it.
What to include in the client package
A clean SAT bundle should include enough to be valuable, but not so much that every client becomes a custom project.
Use this as a packaging checklist.
| Package element | Include by default? | Why it matters |
|---|---|---|
| Baseline awareness modules | Yes | Gives every client a consistent starting point. |
| Phishing and social engineering topics | Yes | Matches common client concern and user-facing risk. |
| New-user onboarding | Yes | Prevents training from becoming stale as client teams change. |
| Reminders | Yes | Keeps participation moving without manual chasing. |
| Branded portal/emails | Yes, where possible | Makes the service feel owned by the MSP. |
| Branded reports | Yes | Gives account managers and clients visible evidence. |
| Client-specific custom campaigns | Optional | Useful for premium packages, but risky as a default promise. |
| Control-level compliance mapping | Optional / reviewed | Useful when sourced, risky if overclaimed. |
| Guaranteed outcome claims | No | Avoid promises the MSP cannot prove or control. |
This table is deliberately practical. The goal is not to build the most impressive SAT package on paper. The goal is to build one the MSP can sell repeatedly and deliver without margin surprises.
How to position bundled SAT to clients
Do not lead with the platform.
Lead with the service problem the client already understands.
Client employees make security decisions every day: opening attachments, approving payment changes, scanning QR codes, using personal devices, joining public Wi-Fi, sharing files, and reporting suspicious messages. Technical controls matter, but users still need clear expectations and repeated training.
NIST’s awareness and training material frames training around roles and responsibilities. The FTC tells small businesses to make staff training a regular security habit. CISA’s anti-phishing support model treats awareness, simulated attacks, dashboards, and reporting as parts of one program.
That gives MSPs a simple client narrative:
- Your technology stack reduces risk.
- Your people still need to know what to do.
- We include training as part of the managed service.
- You get regular coverage and reporting without managing another vendor.
That is enough. No scare stats required.
Pricing models MSPs can use
There is no single correct client pricing model. There are safer and riskier fits.
Option 1: Include SAT in every managed security package
This is the cleanest offer.
The client sees SAT as part of the MSP’s standard security service. The MSP avoids a separate sell every time. The account manager can position training, reporting, and onboarding as included.
This model works best when the MSP’s SAT platform cost is flat or easy to model.
Option 2: Include SAT in higher tiers only
This can work when the MSP has a clear package ladder.
The risk is that lower-tier clients remain uncovered, even when they still create support and security risk for the MSP. If SAT is treated as premium-only, the MSP should be clear about why and avoid implying that every client workforce is covered.
Option 3: Sell SAT as a fixed add-on
A fixed add-on can be a good bridge if the MSP is not ready to include SAT everywhere.
The add-on should still avoid per-user haggling where possible. A fixed monthly add-on is easier for clients to understand and easier for the MSP to manage.
Option 4: Pass through per-user pricing
This protects margin, but it weakens the bundle.
The client sees a variable line item. The MSP has to explain seat counts. User growth turns into billing maintenance. This can be fine for some commercial models, but it does not create the same “included security service” feel.
Where DefendWise fits
DefendWise is designed for the bundled model.
The public offer is simple: $399/month flat, unlimited users, unlimited client organizations/subclients, white-label delivery, and multi-tenant control. That matters because it lets an MSP model SAT as a predictable platform cost instead of a per-user vendor bill.
That does not mean the MSP should ignore packaging discipline. It means the MSP can make better packaging choices:
- include SAT across more clients;
- avoid per-user vendor charges;
- train every normal user covered by the client relationship;
- deliver under the MSP’s brand;
- manage clients from one MSP-oriented operating layer.
For a deeper pricing explanation, the natural next read is DefendWise’s flat-fee feature page. For the client-facing brand angle, the white-label feature page is the right support page. For unlimited-use questions, see the fair-use page.
Conclusion: make SAT a standard, not a special project
The best bundled services are easy to understand and hard to quietly break.
Security awareness training belongs in the MSP security stack, but it has to be packaged like an MSP service. Predictable cost. Clear coverage. Repeatable onboarding. Branded client experience. Reporting that supports the relationship without creating another spreadsheet job.
If the economics are variable and the delivery is manual, SAT becomes another margin risk.
If the economics are flat and the operating model is built for MSPs, SAT can become part of the standard package: every client, every normal user, under the MSP’s brand.
Start there. Then sell the service with confidence.
Frequently asked questions
Should MSPs bundle security awareness training into every managed service package?
They can, if the commercial model supports it. Bundling works best when the MSP can include SAT without creating a new per-user vendor cost, a client-by-client setup process, or manual reporting work.
If the platform is per-seat, the MSP needs contract language, package pricing, or true-up rules that protect margin. If the platform is flat fee, the MSP has more room to include SAT across the client base.
What causes margin leakage when MSPs add SAT?
Margin leakage usually comes from mixed pricing. The MSP sells a fixed monthly package but buys SAT per user, so client headcount growth increases the MSP’s cost without automatically increasing revenue.
Other leak points include manual onboarding, reminder chasing, report cleanup, custom client campaigns, and seat-count disputes. These are operational costs as much as software costs.
How can an MSP price security awareness training safely?
Start by deciding whether SAT is included, tiered, a fixed add-on, or passed through per user. Then match the vendor model to the client promise.
If SAT is included in a fixed managed service package, flat-fee vendor pricing is easier to model. If the MSP uses per-user vendor pricing, the contract needs a way to handle user growth and inactive-user cleanup.
Does flat-fee SAT mean unlimited use with no rules?
No. A responsible flat-fee model should still have a fair-use policy.
The point is to remove per-user billing friction for normal MSP delivery. A fair-use policy protects that model from abuse while still letting the MSP train every real user across its client organizations.
What should be included in a bundled SAT service?
At minimum, include baseline training, phishing/social-engineering topics, onboarding for new users, reminders, participation reporting, and client-facing evidence.
White-label portal, emails, reports, and certificates are valuable because they make the service feel like the MSP’s service. Custom campaigns and compliance-specific mapping can be premium or reviewed items rather than default promises.
How should MSPs explain SAT to clients?
Keep it practical. Employees make security decisions every day, and training helps them understand what to do when something looks suspicious.
Position SAT as part of the managed security service: regular training, clear reporting, and less work for the client. Avoid unsupported outcome promises the MSP cannot prove or control.
How does DefendWise help MSPs bundle SAT?
DefendWise gives MSPs a $399/month flat fee, unlimited users, unlimited client organizations/subclients, white-label delivery, and multi-tenant control.
That makes it easier to include SAT inside managed service packages without per-seat vendor billing. MSPs can support the pricing story with the flat-fee feature page, the brand story with the white-label feature page, and unlimited-use questions with the fair-use page.