MSP and MSSP Phishing Simulation: Multi-Tenant, Resold, and White-Label (2026)

MSPs, MSSPs and vCISO firms operate phishing simulation differently than direct end-customers. The buyer evaluates platforms across a different set of dimensions: multi-tenant architecture, reseller margin economics, white-label vs resold positioning, SLA expectations from end-customers, compliance pass-through and the operational burden of running programs at scale across many small customers.

This post is the buyer-archetype-specific lens for channel partners. The platforms that fit MSP economics are different from the platforms direct end-customers buy; programs that work for one MSP customer may not scale across 50 customers; and the reseller agreement details that matter to MSPs are invisible to direct buyers.

Resold vs white-label vs direct

| Model | Customer sees | Best fit |
|---|---|---|
| Resold | Platform brand visible; MSP brand on invoice and account management | SMB customers; faster onboarding; less customization |
| White-label | MSP brand on dashboards, training, reports; platform invisible to end-user | Mid-market customers; brand alignment matters; higher per-seat cost |
| Direct referral | Platform brand; MSP gets referral commission only | When customer is too large to comfortably resell or wants direct vendor relationship |

Most MSPs operate a mix - resold for SMB volume, white-label for mid-market, direct referral for occasional large customers.

Multi-tenant architecture: the load-bearing platform requirement

The platform must support isolated customer tenants with no cross-tenant data leakage. Specific requirements:

  • Isolated customer tenants. Each customer's users, campaigns and data accessible only by their assigned MSP staff. Test before committing - some platforms market multi-tenancy but have data-leakage edges (shared template categories, shared reports, shared admin views).
  • MSP-level master dashboard. Aggregate KPIs across all customer tenants for the MSP's own operational view - identifies which customers need program intervention.
  • Per-customer reporting. Exportable in customer's brand format (or unbranded for resold model). Customer's auditors will see this directly; quality matters.
  • Per-customer billing data. Whether the MSP bills aggregate or per-customer, the platform should support both reporting cuts.
  • MSP-staff role separation from customer-staff. MSP techs administering customer tenants should have a different role than customer-side users. Platforms that blur these create privacy and audit issues.
  • Per-customer template-library scoping. When customers are in different industries or compliance scopes, template libraries should be segmentable.
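
The isolation test recommended above can be scripted during a trial: log in as each test account, record every object that account can see, then check the records against tenant assignments. This is an added example, not code from this post or from any platform; the account names, tenant names, object types and IDs are constructed, and how you collect the observations (UI, export or API) depends on the platform under evaluation.

```python
from dataclasses import dataclass

TENANT_SCOPED = {"user", "campaign", "report", "template_category", "admin_view"}
MSP_ONLY = {"master_dashboard"}  # aggregate cross-tenant view, MSP staff only

@dataclass(frozen=True)
class Account:
    name: str
    kind: str            # "msp_staff" or "customer_user"
    tenants: frozenset   # tenants this account is assigned to

@dataclass(frozen=True)
class Seen:
    account: str         # test account that was logged in
    obj_type: str
    obj_id: str
    owner: str           # owning tenant, "" for MSP-level objects

def isolation_findings(accounts, observations):
    """Return (account, obj_id, reason) for each observation that breaks isolation."""
    by_name = {a.name: a for a in accounts}
    # A customer-side user should belong to exactly one tenant.
    findings = [(a.name, "-", "customer user spans tenants")
                for a in accounts if a.kind == "customer_user" and len(a.tenants) != 1]
    for s in observations:
        acct = by_name[s.account]
        if s.obj_type in MSP_ONLY and acct.kind != "msp_staff":
            findings.append((s.account, s.obj_id, "customer user reached MSP-level view"))
        elif s.obj_type in TENANT_SCOPED and s.owner not in acct.tenants:
            findings.append((s.account, s.obj_id, f"cross-tenant {s.obj_type}"))
    return findings

# Constructed trial data: two test tenants, one MSP tech assigned only to "acme".
ACCOUNTS = [
    Account("tech1", "msp_staff", frozenset({"acme"})),
    Account("alice", "customer_user", frozenset({"acme"})),
    Account("bob", "customer_user", frozenset({"globex"})),
]
OBSERVED = [
    Seen("alice", "campaign", "c-100", "acme"),            # expected: own tenant
    Seen("alice", "template_category", "t-7", "globex"),   # shared template category
    Seen("bob", "report", "r-42", "acme"),                 # shared report
    Seen("bob", "master_dashboard", "md-1", ""),           # MSP/customer role blur
    Seen("tech1", "admin_view", "av-9", "globex"),         # tenant tech1 is not assigned to
    Seen("tech1", "master_dashboard", "md-1", ""),         # expected: MSP staff
]

if __name__ == "__main__":
    print(*isolation_findings(ACCOUNTS, OBSERVED), sep="\n")
```

An empty result across at least two test tenants and both account kinds is the pass condition; any finding is a question to put to the vendor before signing.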

Reseller economics

MSP economics are price-sensitive. The platforms that win MSP business have all five of these:

  1. Aggregate-seat pricing across all customer tenants. Not per-customer. Per-customer minimum contracts kill MSP economics. The MSP aggregates purchasing power across 50 customers; platform pricing should reflect that aggregation.
  2. Volume discount tiers at MSP-relevant scale. 1K, 5K, 10K seat tiers. Platforms that only discount at 100K seats are useless to most MSPs.
  3. Annual commitment with seat flexibility. MSPs onboard and offboard customers throughout the year. The platform must accommodate seat changes within the annual commitment.
  4. Predictable margin structure. 20-40% gross margin on the platform fee passed through to the customer is the typical range. Margins below 20% rarely sustain MSP-side overhead.
  5. No per-customer setup or implementation fees. MSPs are onboarding customers continuously; per-customer fees compound expensively.

Platforms that price as if every customer is a direct enterprise sale lose MSP business. The MSP buying motion is volume-and-margin, not enterprise-bespoke-deal.

SLA expectations from MSP end-customers

Most MSP end-customers expect the following, and these terms typically appear in the MSP master services agreement:

  • Monthly campaign delivery, not skipped (skipping campaigns is a chargeback risk)
  • Auto-assigned remediation training within 24 hours of click
  • Quarterly reporting available within 5 business days of quarter-end
  • Threshold-exceedance escalation to customer security contact within 1 business day
  • Annual program review with customer-side stakeholders
  • Compliance evidence exportable on demand for SOC 2 / HIPAA / PCI audits

The MSP commits to these SLAs; the platform underneath must operationally support them. An MSP that signs SLAs the platform can't deliver loses customer relationships.

Compliance pass-through patterns

When an MSP customer is under SOC 2 / HIPAA / PCI audit, the auditor wants evidence of the awareness training program. Two patterns:

  • Pattern A (small MSPs): MSP generates the evidence package from the multi-tenant platform and hands it to the customer for inclusion in their audit package.
  • Pattern B (larger MSPs): MSP provides the customer with read-only access to their tenant for direct self-export. Customer gets the evidence on demand without MSP-staff involvement.

Pattern A is simpler for small MSPs but consumes ops time at audit-prep moments. Pattern B requires platform support for read-only roles plus customer-portal infrastructure. The right pattern depends on MSP scale and customer profile.

Critical: verify the platform's evidence-export quality is acceptable to typical SOC 2 auditors / QSAs / CCSFP assessors before committing. Generic exports often don't suffice. The MSP customer relationship is at risk if customer auditors reject the evidence.

The vCISO subset

vCISOs and fractional CISOs sit between MSPs and customers - they typically serve 5-25 client organizations directly. Architecture requirements overlap with MSP needs (multi-tenant, isolated customer data, per-customer reporting) but:

  • Smaller volume per vCISO (5-25 customers vs 25-200 for MSPs)
  • Greater program-design depth per customer (vCISOs tailor more)
  • Stronger dashboard architecture preference (cross-client trend visibility matters more)
  • Higher willingness to pay per-seat (vCISO model has higher margin per customer-seat than typical MSP)

Our vCISO dashboard architecture deep-dive covers the cross-client visibility design pattern in detail.

What changes by MSP scale

| MSP scale | Customer count | Platform priorities |
|---|---|---|
| Small MSP | 5-25 customers | Self-serve onboarding, low setup overhead, predictable seat pricing |
| Mid-size MSP | 25-100 customers | Multi-tenant master dashboard, per-customer reporting depth, strong API for ops automation |
| Large MSP / MSSP | 100+ customers | White-label support, marketing co-op, customer-portal integration, SOC integration |

Common MSP/MSSP procurement mistakes

  • Buying enterprise-priced platform without aggregate-seat negotiation
  • Skipping the multi-tenant data-isolation test before committing
  • Not validating compliance-evidence export quality against actual audit requirements
  • Accepting ambiguous data-export-on-termination clauses (data lock-in risk)
  • Underestimating per-customer ops burden over 12-24 months as customer count grows
  • Choosing white-label-only platforms when 80% of customer base would accept resold

Where Bait & Phish fits

Bait & Phish supports the MSP / MSSP buying profile: aggregate-seat pricing across all customer tenants, isolated customer-tenant architecture, per-customer reporting exportable for compliance audits, MSP-staff role separation from customer staff, and 15+ years of operating history that matters when the MSP's customer asks "how long has the platform been operating." Talk to us about a reseller program walkthrough or start a free trial on a test customer to validate fit.

This post is informational and does not constitute partner-program, legal, or commercial advice. Specific reseller agreements, master services agreement clauses and compliance pass-through patterns are organization-specific - consult appropriate counsel and channel-program advisors for tailored guidance.

See also: Building Your Phishing Simulation Dashboard - vCISO's Guide for the cross-client architecture pattern, Best Phishing Simulation for SMBs for the small-customer end of the MSP base, and the Maturity Model for tier targeting across diverse MSP customers.
