Unlimited user security training fair use policy explained
Unlimited user security training fair use policy explained for MSPs that want flat pricing without hidden seat caps.

DefendWise
TL;DR
Unlimited should mean MSPs can train every real user across every real client without a seat tax.
Fair use is the guardrail that keeps that promise honest. It is not supposed to be a hidden cap. It is supposed to separate genuine MSP growth from abuse, fake tenants, load-test behaviour, standalone resale, and non-training use.
That distinction matters because security awareness training works better when coverage is broad. NIST, CIS, CISA, and the FTC all point in the same direction: people need regular security education, phishing awareness, and clear reporting habits. If the pricing model punishes every extra learner, MSPs are pushed toward narrower coverage.
For MSPs, the right question is not only "Is it unlimited?" It is "What does fair use mean, who decides when it applies, and what happens if usage grows fast?"
What unlimited user security training means for MSPs
Unlimited user security training means the MSP does not pay the vendor a separate fee for every learner.
That changes the commercial shape of SAT.
Under a per-seat model, a client with 40 users costs less than a client with 400 users. That is familiar and fair for many direct buyers. It also gives vendors a clean way to align revenue with learner count.
KnowBe4 is a clear example. Its public SAT pricing page lists monthly pricing per seat, with seat bands and different content levels. Huntress describes its managed SAT pricing as a per-learner, per-month subscription billed annually, with volume tiers and active-user handling.
Those models can make sense for internal IT teams buying for one company.
MSPs have a different job. They package training across many clients while protecting margin, managing user churn, separating tenants, producing reports, and avoiding a new quote every time a client hires staff.
That is why unlimited-user SAT is attractive for MSPs. It removes the seat tax from the vendor side. If the MSP pays one predictable platform price, every extra real learner does not create a new vendor-cost event.
But unlimited pricing cannot mean "anything, forever, for anyone, under any use case." That is where fair use comes in.
What a fair use policy is, and what it is not
A fair use policy explains the boundary between normal customer usage and activity that breaks the commercial or technical model.
In SaaS, this is common. Unleash says its SaaS subscriptions do not limit feature toggles, variants, activation strategies, or monthly traffic, but it does constrain API requests and can reach out to outliers under its fair use policy.
The point is not to surprise normal customers. The point is to stop one abnormal use case from degrading the service or economics for everyone else. Plain-language acceptable-use policies serve a similar role by setting expectations for allowed behaviour, prohibited behaviour, and consequences.
For MSP security awareness training, a fair use policy should answer 5 questions:
- Who is the platform built for? Genuine MSPs training real client users, not SAT resellers selling the platform to other MSPs.
- What counts as normal use? New clients, new users, regular campaigns, reminders, reports, and genuine client growth.
- What counts as abnormal use? Fake tenants, shell users, scripted bulk creation, non-training content, resale outside the intended model, and activity that looks more like a load test than service delivery.
- What triggers a review? A clear threshold or behaviour pattern, not a vague "we can decide anything at any time" clause.
- What happens next? A conversation first for normal edge cases, and immediate action only for abuse, security issues, illegal content, or serious platform risk.
A fair use policy is not the same as a hidden seat cap.
A hidden cap says, "Unlimited, until you hit a number we did not explain clearly."
A fair-use policy says, "Train your real clients. Grow. Add users. If usage stops looking like MSP training, we will talk."
That is a very different promise.
Why fair use matters for MSP security awareness training
Fair use matters because MSPs need 2 things at once: broad training coverage and predictable cost.
External guidance keeps pushing businesses toward regular staff education. NIST SP 800-50 Rev. 1 describes a lifecycle approach to building a cybersecurity and privacy learning program, with behaviour change, security culture, metrics, and regular program improvement. CIS Control 14 tells organisations to establish and maintain a security awareness program to influence workforce behaviour and reduce cybersecurity risk. CISA tells SMBs that phishing training helps staff recognize and report scams, and that once-a-year training is not enough as threats evolve.
That is the security side.
The MSP side is margin.
If training is priced per user, the MSP has to decide who gets covered. Every new learner has a cost. Every stale account needs cleanup. Every client expansion changes the gross margin on the package.
That creates the wrong incentive.
The safest training posture is usually broad coverage. The margin-safe posture under per-seat billing is often controlled coverage. Those 2 instincts fight each other.
Flat-fee, unlimited-user SAT tries to align them again. The MSP can say:
"Training is included. We cover every real user across your organisation. We will report on it every month or quarter."
Fair use is what keeps that offer sustainable.
Without fair use, the model is exposed to obvious abuse: fake client organisations, standalone resale, scripted bulk creation, non-training content, and outlier-scale AI or infrastructure use far beyond normal MSP delivery.
Those behaviours are not "MSP growth." They are a different use case. A clear fair-use policy protects honest MSPs because it stops the edge cases from forcing everyone back to per-seat pricing.
Normal use versus abuse: the practical difference
The easiest way to judge a fair-use policy is to compare normal MSP activity with behaviour that should trigger a review.
| Scenario | Normal unlimited-user MSP use | Fair-use concern |
|---|---|---|
| New client onboarding | Adding a real client organisation after a signed managed-service agreement | Creating shell client organisations with no real customer behind them |
| User growth | Adding new hires, seasonal staff, contractors, or acquired-company users for an existing client | Generating fake users or bulk importing non-existent learners |
| Campaign cadence | Running monthly, quarterly, onboarding, or role-based training campaigns | Running automated campaign creation at a volume that looks like a test script |
| Reporting | Producing branded client reports and evidence packs for each tenant | Scraping, exporting, or processing data in a way that harms platform performance |
| White-label delivery | Offering SAT as part of the MSP's managed security service | Reselling the platform as a standalone SAT product to other MSPs |
| Portal content | Hosting awareness training content, reminders, and evidence | Uploading file storage, pirated material, harassment, or non-training content |
| Fast growth | A real MSP wins several clients and usage doubles or triples in a quarter | Sustained outlier-scale usage far outside the MSP model without notice |
This is the key point for MSP owners: fair use should not make honest growth feel risky.
If a policy treats a real 500-user client win like abuse, the policy is not MSP-friendly. If it asks questions when usage looks automated, fake, or outside the promised use case, that is reasonable.
The test is not "Can I imagine a limit?" The test is "Can I understand the line before I cross it?"
What MSPs should look for in a fair-use policy
Not all fair-use language is equal.
Some policies are plain. Some are vague. Some are really caps wearing an unlimited hat.
Before building an unlimited-user SAT offer into your managed services package, read the policy like an operator. You are not only checking legal wording. You are checking whether the pricing promise holds under normal client growth.
1. Plain definition of normal use
A strong policy should say what normal MSP usage looks like.
For SAT, that should include onboarding real client organisations, adding learners as clients grow, running training campaigns, sending reminders, and generating client reports.
If normal use is not defined, you are guessing.
2. Clear abuse examples
The policy should call out what breaks the deal.
Good examples include shell tenants, fake users, non-training content, automated abuse, reverse engineering, illegal content, harassment, and attempts to bypass platform security.
Specific examples protect both sides. The vendor can act when needed. The MSP can avoid accidental misuse.
3. Review trigger, not surprise shutoff
A fair policy should explain what causes a review.
Defendwise's fair use policy, for example, says sustained outlier-scale usage above 20 times the median MSP on the platform over a rolling 30-day window is a trigger to talk. It also says this is not a cap, but a signal to discuss whether the account needs an enterprise arrangement.
That is the right kind of clarity. It lets a normal MSP understand that growth is allowed, while outlier-scale use gets a human conversation.
4. Human-first response
For ordinary edge cases, the first step should be contact.
Fast client growth can be legitimate. A bulk import can be a messy onboarding project. A usage spike can come from a major client rollout.
A fair policy should leave room to explain that before anyone reaches for suspension. Immediate suspension should be reserved for serious abuse: illegal activity, platform attacks, harassment, security bypassing, or infrastructure risk.
5. No contradiction with the sales promise
If the sales page says "unlimited users" but the fair-use page quietly says "up to 1,000 users," that is not fair use. That is a cap.
Caps are not always bad. They can be perfectly fine if they are visible.
The problem is when a cap is buried under unlimited language.
How MSPs should package unlimited-user SAT safely
Unlimited-user SAT is not a licence to be loose.
It works best when the MSP treats it as a managed service with clean scope, clean records, and clean client reporting.
1. Define eligible users in your client package
Write down who is covered.
For most MSPs, that means employees, contractors, seasonal staff, and other workers the client wants trained. You may also define what does not count, such as shared mailboxes, service accounts, ex-employees, or test accounts.
That definition protects your client and your team.
2. Keep tenants tied to real client organisations
Every tenant should map to a real client.
That sounds obvious, but it matters. Multi-tenant SAT only works when client separation is clean. It protects reporting, evidence, privacy expectations, and fair-use clarity.
If a tenant does not represent a real client or internal MSP use case, it probably should not exist.
3. Automate user lifecycle where possible
Stale accounts create confusion. The FTC tells small businesses to train staff on a regular schedule and track participation. That is hard if your user list is full of people who left 9 months ago.
A good MSP workflow keeps onboarding, offboarding, and group changes close to the source of truth. For MSPs comparing platforms, this is where automated onboarding, sync options, and repeatable client setup matter.
4. Report by client, not only by global usage
Unlimited-user pricing removes seat anxiety, but it does not remove accountability.
Clients still need to know who was assigned training, who completed it, who needs a reminder, and what changed since the last report.
That reporting should be tenant-separated and client-ready. A global dashboard is not enough when a client asks for evidence.
This is why automated reports matter for MSP delivery. The value is not a pretty PDF. The value is reducing the number of times your team has to assemble proof by hand.
5. Put fair-use language into your internal runbook
Your service desk does not need a legal memo.
It does need simple rules:
- Only create tenants for real clients, prospects in an agreed pilot, or approved internal use.
- Do not upload non-training content.
- Do not bulk-create fake learners for demos.
- Do not script user or campaign creation without checking platform limits.
- Ask before using the training portal for anything outside client SAT delivery.
That is enough for most teams.
6. Explain unlimited carefully in sales conversations
Do not oversell it.
The clean line is:
"We can train all your real users under our managed training program. We are not charging you a surprise seat fee every time you add staff. Normal use is covered. Abuse, fake users, or non-training use is not."
That is honest. It sets the client expectation. It also keeps the MSP from promising a use case the platform was not built to support.
What good fair-use-backed unlimited SAT looks like
Good unlimited-user SAT should feel boring in day-to-day use.
The MSP adds clients. Users come and go. Training runs. Reminders go out. Reports get produced. Client QBRs have evidence. Nobody opens a spreadsheet to ask whether the next 37 learners will blow up the vendor bill.
That is the point.
A mature setup has these traits:
- Predictable platform cost. The MSP knows the monthly vendor cost before new users arrive.
- Broad learner coverage. Training is not limited to the few users the client was willing to buy seats for.
- Clean tenant separation. Each client has its own reporting, settings, and evidence view.
- Written scope. The MSP knows who is covered and what is outside the managed service.
- Plain fair-use rules. The vendor's terms are readable and do not hide a normal seat cap.
- Human review for edge cases. Legitimate growth starts with a conversation, not a lockout.
- Clear abuse boundary. Fake tenants, non-training workloads, security attacks, and standalone resale are not tolerated.
That is how unlimited stays unlimited for honest MSPs.
Mistakes to avoid with unlimited user security training
Mistake 1: Treating fair use as legal fine print
Fair use is part of the product promise.
If your sales team is going to sell unlimited training, your ops team needs to understand the boundary. Otherwise, one sloppy workflow can create avoidable friction with the vendor or confusion with clients.
Mistake 2: Ignoring per-seat alternatives completely
Per-seat pricing is not evil.
KnowBe4 has a large training and phishing feature set. Huntress has a managed SAT model that reduces some admin load and bills by learner. For some buyers, those trade-offs are fine.
The MSP question is different: does the model help you package SAT across many clients while protecting margin and coverage?
If yes, use it. If no, look at flat-fee or active-user alternatives.
Mistake 3: Selling unlimited without defining scope
"Unlimited" does not mean "anything the client can imagine."
Define covered users, supported training use cases, reporting cadence, and client responsibilities. That turns unlimited from a risky promise into a clean managed-service line.
Mistake 4: Letting fake demo tenants pile up
Demo clutter can become reporting clutter. Keep prospect pilots time-bound, delete old test tenants, and do not use fake client organisations to simulate scale unless the platform explicitly supports that test environment.
Mistake 5: Using the training portal for non-training work
A SAT portal is not a file store, intranet, HR archive, or general content library. Using it that way weakens the fair-use case and creates security, privacy, and support confusion.
Mistake 6: Focusing only on price
Unlimited-user pricing matters, but it is not the whole job.
An MSP still needs multi-tenant control, branded delivery, reminder workflows, exportable evidence, and clean reporting. Otherwise, the seat tax is gone but the admin tax remains.
If you are choosing a platform, compare both economics and operating workflow. Multi-tenant control matters because MSPs do not deliver training to one company. They deliver it across a client fleet.
Framework and insurance pressure: why coverage keeps mattering
The reason this pricing question matters is not abstract.
Security awareness training has become part of the expected security baseline.
NIST SP 800-50 Rev. 1 frames cybersecurity and privacy learning as a program lifecycle, not a one-off module. NIST's Cybersecurity Framework maps awareness and training into the Protect function. CIS Control 14 focuses directly on security awareness and skills training to influence workforce behaviour.
CISA tells small and medium businesses to train employees to recognize phishing, keep them informed as threats change, and build a culture of cybersecurity. The FTC says businesses should train staff on a regular schedule, track participation, and include phishing and ransomware awareness in regular training.
That all points to one operational reality for MSPs:
Training evidence is becoming part of normal client security hygiene.
Clients ask for it in QBRs. Auditors ask for it. Insurers may ask how staff are trained, how participation is tracked, and how phishing or ransomware awareness is handled. The FTC's own small business guidance includes both cyber insurance considerations and staff training expectations in the same practical resource.
If training is a baseline expectation, seat-based coverage gaps become harder to defend.
An MSP should not have to decide whether a client's seasonal workers get phishing training because the vendor bill gets awkward. A flat-fee model with fair-use guardrails makes broad coverage easier to package.
How Defendwise approaches unlimited user fair use
Defendwise is built around a simple MSP bet: one flat platform price should let an MSP train every real user across every real client.
The price is $399/month. The model is flat-fee, white-label, multi-tenant, and designed for MSP packaging. The fair use policy exists to protect that model, not to turn unlimited into a mystery cap.
The policy says normal use includes:
- Onboarding new client organisations as you win business.
- Adding learners as clients grow.
- Running training campaigns at the cadence that makes sense for clients.
- Generating monthly compliance reports for every client.
It also names the behaviours that break the deal: standalone SaaS resale, fake or shell client organisations, sustained outlier-scale usage, automated bulk creation that looks like a load test, non-training content, reverse engineering, illegal activity, harassment, and platform risk.
Most importantly, it explains the response path. For normal edge cases, Defendwise talks to the MSP first. If the usage is genuinely outside the MSP model, the next step is a commercial conversation. Serious abuse can still lead to immediate suspension.
That is how unlimited-user SAT should work.
Not unlimited loopholes. Not hidden seat caps. Just a fair deal for MSPs that want to train every real user without paying a seat tax every time a client grows.
If you want to see how flat-fee SAT changes the MSP margin model, start with the flat-fee pricing overview or review the fair use policy before you package it for clients.
Frequently Asked Questions
What does unlimited user security training mean?
Unlimited user security training means an MSP can train every real learner across every real client without paying a separate vendor fee for each seat.
For MSPs, that makes training easier to include inside a managed security package and reduces the incentive to limit coverage.
Is a fair use policy just a hidden cap?
It should not be. A cap is a fixed limit. A fair use policy is a boundary around abusive, fake, automated, or outside-model usage. The difference is whether normal MSP growth is clearly allowed and review triggers are explained up front.
Why does unlimited SAT need fair use at all?
Unlimited SAT needs fair use because one abusive account can distort the economics for every honest customer. Fake learners, non-training content, and abnormal scripts are not normal MSP service delivery.
What usage should be normal for an MSP?
Normal MSP usage should include adding real client organisations, onboarding new users, covering seasonal staff and contractors, running campaigns, sending reminders, and producing client reports. Fast growth should also be normal when it comes from real client wins.
What should trigger a fair-use review?
A fair-use review should be triggered by activity that stops looking like managed security training.
Examples include fake tenants, shell users, non-training content, standalone resale, automated load-test behaviour, attempts to bypass platform controls, or sustained outlier-scale usage that needs a different commercial arrangement.
How should MSPs explain fair use to clients?
Keep it plain. Tell clients that training covers their real users as part of the managed service, and that fake accounts, unrelated content, resale, or abusive automation are outside scope.
How does Defendwise handle unlimited users and fair use?
Defendwise gives MSPs flat-rate security awareness training at $399/month with unlimited users and clients, backed by plain-language fair-use terms.
The model is built for genuine MSP use: real clients, real learners, real campaigns, and real reports. The fair-use policy protects that model from abuse so MSPs can keep training broadly without a per-seat vendor bill behind every new user.
Source notes
External sources used in this draft:
- NIST SP 800-50 Rev. 1, Building a Cybersecurity and Privacy Learning Program: https://csrc.nist.gov/pubs/sp/800/50/r1/final
- NIST Cybersecurity Framework Protect mappings: https://www.nist.gov/cyberframework/protect
- CIS Control 14, Security Awareness and Skills Training: https://www.cisecurity.org/controls/security-awareness-and-skills-training
- CISA, Teach Employees to Avoid Phishing: https://www.cisa.gov/audiences/small-and-medium-businesses/secure-your-business/teach-employees-avoid-phishing
- FTC, Cybersecurity for Small Business: https://www.ftc.gov/business-guidance/small-businesses/cybersecurity
- KnowBe4 SAT pricing: https://www.knowbe4.com/products/security-awareness-training/pricing
- Huntress SAT pricing: https://www.huntress.com/pricing/sat
- Unleash fair use policy: https://www.getunleash.io/fair-use-policy
- SaaS acceptable use policy overview: https://www.privacypolicygenerator.info/saas-acceptable-use-policy/