Resources for MSSPs Running HailBytes SAT as a White-Label Service

Why MSSPs run HailBytes SAT

Every MSSP client buying SOC 2 Type II, NIST CSF, HIPAA, PCI-DSS, or cyber-insurance compliance support (and ISO 27001 for international clients) is required to demonstrate periodic security awareness training and phishing simulation. The auditor demands it, the cyber-insurance carrier demands it, and increasingly the client’s board demands it. That means the SAT line item is one of the highest-attach, highest-renewal SKUs an MSSP can carry, provided the platform underneath it has the right cost structure.

Per-seat SaaS platforms like KnowBe4 and Proofpoint Security Awareness price for direct enterprise sales, not for white-label resale. By the time you mark up their per-seat license enough to cover your program-management cost, the client’s netting numbers that don’t justify the program. HailBytes SAT prices on infrastructure, not seats: one AWS or Azure marketplace instance handles unlimited users for a single client. The cost basis stops scaling once you hit one instance per client, so your gross margin on a 500-seat client looks completely different than it does on a per-seat reseller agreement.

The platform deploys to your AWS or Azure account (or the client’s, depending on your service model) in minutes via the marketplace listing. Each instance is a clean tenant boundary (no shared databases, no risk of campaign data crossing client lines) and tears down cleanly when a client churns. The reporting is CSV-exportable and feeds into whatever client-facing report template you already use.

The two conversations to have first

Most MSSPs evaluating HailBytes SAT need answers to two specific questions before they’ll commit to standing up the first client instance. We wrote articles on both:

• What does the white-label margin actually look like at scale? Concrete tier math, a sample 200-seat P&L showing why small clients are loss leaders without the right tier mix, and the renewal mechanics that make a compliance-driven SAT line item one of the stickiest SKUs in a managed-service book.
• How do you run multi-client deployments operationally? One-instance-per-client architecture, template management across clients, role-based access for client security teams, and the reporting cadence that scales without burning analyst time.

If you’d rather scope white-label terms on a call than read about it, the HailBytes SAT product page has a 15-minute demo slot. We’ll walk through your client portfolio and build a tier-mix recommendation on the call.

Which deployment topology fits your service model?

MSSPs land on one of three shapes depending on the client portfolio and tier mix. All three deploy from the official Terraform modules at github.com/HailBytes/hailbytes-terraform-modules (MPL-2.0):

• Single instance per client (~$435/mo all-in) — Terraform: sat-aws-single / sat-azure-single. The classic white-label model. Each client gets a clean tenant boundary in either your AWS/Azure account or theirs. Best margin shape for clients under ~5,000 seats. Tears down cleanly on churn via terraform destroy.
• HA hot-hot per client (~$1,215/mo all-in) — Terraform: sat-aws-ha / sat-azure-ha. For clients with formal uptime SLAs in their MSA (regulated industries, healthcare, financial services). Adds an ALB / Standard LB, Multi-AZ RDS / Zone-Redundant Postgres Flex, and shared Redis. Pre/post-patch SSM verifiers ship with the module so your rolling-update cadence is documented and auditable.
• Auto-scaling (one tenant, many clients) (from ~$2,250/mo at 3-instance steady state) — Terraform: sat-aws-autoscale / sat-azure-autoscale. For regional MSSPs serving 20+ clients from a single shared tenant. Read replicas, rolling instance refresh with auto-rollback on 5xx, ElastiCache shared session store. Scales linearly; common shape for MSSPs running 100+ campaigns/month.

Per-vCPU marketplace meter ($0.24/vCPU-hour) applies identically across all three; the delta is infrastructure, not licensing. Cross-cloud parity is intentional: AWS HA and Azure HA land within ~6% of each other at procurement-grade sizing. Full topology comparison and customer-shape examples →

Resell through AWS CPPO or Azure Multiparty Private Offer

The marketplace path most MSSPs miss until late in evaluation is the channel-partner private-offer flow on both clouds. It is what lets you mark up the platform itself, capture the resale margin, and have the customer’s purchase still count toward their EDP or MACC commit — without the customer having to onboard HailBytes as a new vendor:

• AWS Channel Partner Private Offers (CPPO) — HailBytes (ISV / seller of record on the marketplace listing) issues you a resale authorization keyed to your AWS account, scoped to SAT and/or ASM, with a minimum acceptable price. You create a private offer at your resale price (typically wholesale + 15–30% margin), the customer accepts from their AWS account, and AWS splits proceeds: wholesale share to HailBytes, resale margin to you. Customer purchase decrements their AWS EDP commit.
• Azure Multiparty Private Offer (MPO) — the Microsoft equivalent, launched on Azure Marketplace in 2024. Three parties on a single private offer: HailBytes + you + the customer. Microsoft Marketplace splits proceeds the same way, and the customer’s purchase decrements their MACC commit. The Microsoft account team gets co-sell credit, which keeps them aligned with you on growing the deal.

What that looks like in unit economics: on a 20-client portfolio running single-shape per-client deployments (~$5,220/yr each in HailBytes wholesale), a 20% CPPO/MPO resale margin is ~$20,880/year in pure resale margin, layered on top of your managed-service ARR with zero incremental service-delivery cost. Customer sees one cloud invoice; their CFO sees committed-spend drawdown; you keep the platform margin as well as the service margin.

Register on the partner program page with your AWS account ID or Azure tenant ID and we’ll issue resale authorization. First private offer usually ready within one business day. Full mechanics, worked examples, and procurement-language scripts are in the SAT Partner Brief and the ASM Partner Brief.

Model your portfolio margin

Plug in your own numbers. HailBytes prices on infrastructure per client instance, not seats, so the cost basis is flat while a per-seat platform scales with headcount. All math runs in your browser — nothing is sent anywhere.

Estimates only, for internal modeling — not a quote. Infrastructure default reflects the ~$435/mo single-instance shape above; your actual cost depends on topology and vCPU sizing.

Why bundle ASM and SAT for the same client?

HailBytes is one of the only vendors that ships both an attack-surface-management platform and a security-awareness-training platform. For an MSSP selling compliance bundles, that means you can hand a single client’s auditor one evidence package that covers both the human layer and the technical layer — from one vendor, with consistent audit-log formats, under your white-label branding. Same per-vCPU marketplace meter, same CPPO/MPO resale path, one renewal conversation.

When you run both products for a client, the combined branded PDF reports and structured audit logs go straight to the auditor — no reformatting, no second vendor to onboard. Read the full SOC 2 + PCI-DSS evidence walkthrough →