Multi tenant SAT: the MSP operating guide

TL;DR

Multi tenant SAT is security awareness training built for the way MSPs actually deliver services: many clients, many users, one operating layer.

The point is not a prettier dashboard. The point is fewer separate logins, fewer one-off reports, fewer client-by-client campaign rebuilds, and less admin drag every time the MSP adds a client.

If an MSP plans to sell security awareness training across a client base, multi-tenancy should be treated as a margin feature, not a nice-to-have.

What is multi tenant SAT?

Multi tenant SAT means a security awareness training platform can manage multiple client organisations inside one MSP-level environment.

A single-tenant SAT setup is built around one company. One company has its users, campaigns, reports, phishing simulations, admins, and audit records.

That works for a direct buyer.

An MSP works differently. The MSP may need to run awareness training for a 27-person dental practice, a 180-user law firm, a 65-user accounting firm, and 40 other clients in the same month. Each client needs separation. Each client needs its own reporting. Each client may need different branding, policies, users, schedules, and evidence.

The MSP still needs one place to see whether the service is actually being delivered.

That is the multi-tenant SAT job: give the MSP a control plane across client organisations while keeping each client cleanly separated.

A good multi-tenant model should let the MSP:

• Add and manage client tenants without starting from scratch.
• Separate client users, data, reports, branding, and admin rights.
• Push a campaign across many clients, then adjust per client where needed.
• See completion, phishing, and risk signals across the client fleet.
• Export client-ready evidence without rebuilding reports by hand.
• Keep the MSP brand in front of the client when the training is white-labelled.

This is where the buying question changes.

The MSP is not only asking: "Does this SAT content train employees?"

The better question is: "Can we run this across every client without creating a new admin job?"

Why multi tenant SAT matters now

Security awareness training has moved from optional education to expected evidence.

NIST SP 800-50 Rev. 1 describes a life cycle approach to building a cybersecurity and privacy learning program. Its abstract says the program should encourage behaviour change as part of risk management and include metrics and evaluation methods to improve the program as needs evolve.

NIST CSF 2.0 PR.AT-01 points in the same direction. Its implementation examples include basic cybersecurity awareness and training for employees, contractors, partners, suppliers, and other users of non-public resources. It also calls out training people to recognise social engineering attempts, report suspicious activity, follow acceptable use policies, and perform basic cyber hygiene tasks.

ISO 27001 adds the evidence pressure. A practical guide to ISO 27001 Annex A 6.3 summarises the control as requiring appropriate information security awareness, education, training, and regular updates for personnel and relevant interested parties. It also stresses records, verification, and audit evidence.

For an MSP, that matters because the client request rarely arrives as a clean SAT project.

It arrives as:

• "Our insurer is asking whether staff complete awareness training."
• "Can you send completion evidence for the audit?"
• "Can we include training results in the QBR?"
• "Can we roll this out to the rest of the staff before renewal?"
• "Can you prove the phishing program is running?"

That work has to be done across many clients.

Verizon's 2025 Data Breach Investigations Report gives the commercial reason clients care. The report analysed 22,052 security incidents and 12,195 confirmed data breaches. It says human involvement in breaches was 60% this year, and the Social Engineering pattern included 4,009 incidents and 3,405 breaches. It also states that phishing and pretexting are still the main techniques used to con employees.

Training does not remove human risk by itself. But clients increasingly expect proof that someone is doing the work.

For MSPs, the hard part is not explaining that phishing exists. The hard part is delivering a repeatable training service across a client base without drowning the service desk in admin.

What single-tenant SAT gets wrong for MSP operations

Single-tenant SAT is not broken. It is just built around the wrong operating unit for an MSP.

The operating unit for a direct buyer is the company.

The operating unit for an MSP is the client fleet.

That difference creates 5 problems.

1. Every client becomes a separate admin surface

If each client lives in a separate admin environment, the MSP has to switch context for basic work: add users, check completion, update campaigns, export reports, and handle exceptions.

One login does not sound expensive. Fifty logins do.

Even when a vendor provides partner-level access, the question is whether the daily work rolls up cleanly. Account creation is not the same as fleet management.

2. Reporting turns into copy-paste work

MSP reporting needs 2 views at once.

The client needs their own report: completion, overdue users, phishing outcomes, certificates, and evidence.

The MSP needs the fleet view: which clients are behind, which campaigns are stalled, which tenants need escalation, and whether the service is healthy.

If the platform only handles client-level reporting, the MSP has to build the fleet view somewhere else. Usually that means spreadsheets, PSA notes, ticket comments, or someone quietly keeping a tracker no one asked for.

3. Campaign consistency breaks across clients

NIST CSF PR.AT-01 talks about periodic assessment, social engineering recognition, reporting suspicious activity, and annual refreshers. That requires consistency.

A single-tenant model can make each client its own island. One client gets the updated phishing module. Another is stuck on last quarter's schedule. A third never had the new joiner campaign turned on.

Multi-tenant SAT should let the MSP set a baseline once, then tailor only where tailoring is needed.

4. Client separation becomes manual trust

Client separation is non-negotiable. A law firm should not see a dental practice's users. A client admin should not access another client's reports. MSP techs should have the right access without using shared credentials.

A real multi-tenant setup should support tenant-level separation, per-client access, and an audit trail. If the separation depends on admins remembering which login they are in, the model is fragile.

5. The MSP brand disappears

Many MSPs sell training as part of a managed security package. The client relationship belongs to the MSP.

If the SAT platform sends every email, portal login, certificate, and report under the vendor's brand, the vendor gets the credit and the MSP gets the support tickets.

For MSPs, white-label is not vanity. It protects the service relationship.

The multi-tenant SAT checklist for MSPs

A useful multi-tenant SAT platform needs more than a parent account and a client list.

Use this table when you are comparing tools.

Capability	What it should do	Why it matters for MSPs
MSP-level dashboard	Show all client tenants, completion, risk, campaign status, and exceptions in one place	Lets the MSP manage the service as a portfolio, not a pile of accounts
Client tenant separation	Keep users, reports, admins, policies, and data scoped to the right client	Reduces cross-client mistakes and supports client trust
Bulk campaign controls	Launch or update training and phishing campaigns across selected clients	Cuts repeat setup work when the MSP wants a baseline program
Per-client overrides	Adjust branding, schedules, policies, and audience rules for specific clients	Keeps the baseline efficient without ignoring client context
White-label delivery	Brand portals, emails, reports, certificates, and client-facing links as the MSP	Keeps the MSP in the relationship and reduces vendor confusion
Directory sync and lifecycle controls	Add, remove, and update learners from client directories or imports	Reduces stale users and new-hire gaps
Role-based admin access	Give MSP techs and client contacts the right permissions by tenant	Avoids shared-login chaos and overexposure
Audit logs	Record admin actions, changes, exports, and key campaign events	Helps prove what happened when a client asks
Evidence exports	Produce completion records, certificates, assessments, and report packs by client	Supports QBRs, insurance questions, and framework evidence
Fleet-wide alerts	Flag overdue clients, stalled campaigns, high-risk groups, and reporting gaps	Lets the MSP fix exceptions before the client asks

The table is simple because the job is simple.

The MSP should be able to answer 3 questions fast:

1. Are all clients covered?
2. Which clients need attention?
3. Can we prove the work happened?

If the platform cannot answer those from the MSP view, it is probably a direct-buyer SAT tool with partner packaging wrapped around it.

Step-by-step: how to evaluate multi-tenant SAT

1. Start with the number of clients, not the number of users

Per-seat buying trains MSPs to count users first. For multi-tenant SAT, count clients first.

A 600-user deployment across 2 clients is operationally different from a 600-user deployment across 40 clients. The second one has more reporting, more branding, more exceptions, more contract edges, and more places for a small admin task to repeat.

Ask vendors to show you the client list view, not only the learner view.

2. Test the new-client path

Do not accept "easy onboarding" as a phrase. Walk through the actual path.

How does the MSP add a client? How are users imported? How is branding applied? How are client admins invited? How is the first campaign assigned? What happens when the client adds 12 staff next month?

Huntress' SAT support guide, for example, shows the kind of setup detail that matters in practice: groups, learner imports, departments, tags, assignment scheduling, phishing campaign setup, and reporting links.

That is the level of operational detail MSPs should inspect before buying any SAT platform.

3. Separate baseline from exception handling

The MSP should define a default training baseline: new-hire awareness, phishing recognition, password hygiene, reporting suspicious activity, and recurring refreshers.

Then check how the platform handles exceptions.

A healthcare client may need different examples. A finance team may need invoice fraud and business email compromise content. A legal client may care more about confidentiality, client data, and document handling.

A good multi-tenant SAT platform lets the MSP set the baseline once and override it where the client context earns it.

4. Verify the reporting workflow before the first QBR

Reporting is where many SAT tools reveal whether they were built for MSPs.

Run the report workflow before you sign:

• Export a completion report for one client.
• Export a phishing report for one client.
• Export a fleet view across all clients.
• Create a client-ready PDF or evidence pack.
• Confirm whether the report is white-labelled.
• Check whether the report maps to the fields clients ask for: completion, overdue users, dates, topics, assessment results, and risk signals.

CISA's phishing guidance focuses on recognising, resisting, and reporting phishing. Verizon's DBIR also argues that reporting suspected social attacks remains one of the important controls at your disposal. If reporting is the behaviour you want, the MSP needs reports that show more than clicks.

Completion matters. Reporting behaviour matters. Repeat exceptions matter.

5. Check client access and audit trails

An MSP may need to give a client owner, HR manager, compliance contact, or vCISO access to one client tenant.

That access should not expose other clients. It should not require a shared MSP login. It should not create a support mess when the client contact leaves.

Ask for role-based access and audit history. Then ask what gets logged: admin changes, user imports, campaign launches, report exports, failed sends, deleted learners, and permission changes.

If the vendor cannot show the audit trail, assume your team will be the audit trail.

6. Put pricing against the operating model

Multi-tenancy and pricing are linked.

An MSP can have excellent multi-tenant controls and still lose margin if the price rises with every learner. An MSP can have flat pricing and still lose time if every report has to be built manually.

You need both sides of the model to work: predictable unit economics and low admin load.

That is why Defendwise positions multi-tenancy alongside flat-fee pricing, white-label delivery, and automated onboarding. One console matters more when adding clients does not create a new seat-tax conversation every month.

What good multi-tenant SAT looks like

Good multi-tenant SAT feels boring in the right places.

The MSP logs in and sees the whole client base. No hunt. No special spreadsheet. No mystery account that only one technician knows how to access.

A new client can be provisioned from a template. Branding, baseline training, reporting cadence, and policy defaults carry across. The MSP can tailor the client when needed, without rebuilding the program from zero.

A new user appears through directory sync or a clean import. They enter the right campaign. If they ignore the training, reminders and escalations run. If they finish, the completion record is captured. If the client asks for proof, the MSP exports it.

A campaign can run across the fleet. The MSP can still exclude a client, change timing, or adjust the topic. The platform supports the operating pattern instead of forcing every client through the same path by hand.

The MSP can see exceptions:

• Client A has a completion problem.
• Client B has a high phishing failure rate.
• Client C has no recent training evidence.
• Client D has stale users that need review.
• Client E has a report due before the QBR.

That is the point of a control plane.

It turns SAT from a set of client-by-client chores into a managed service the MSP can actually manage.

Mistakes to avoid when buying multi-tenant SAT

Mistake 1: treating a partner portal as true multi-tenancy

Some vendors offer partner access, account creation, or a reseller view. That can be useful.

It is not enough by itself.

KnowBe4's partner and multi-account guide shows a broad account management console, including accounts, importing users, managed phishing campaigns, managed training campaigns, admins, ModStore, and reports. That is a serious partner environment.

The MSP still needs to test the workflows that matter to its own service model. Can reporting roll up the way the MSP sells? Can branding work the way the MSP promises? Can campaign defaults be inherited? Can exceptions be handled without adding a new admin routine?

Do not buy the portal label. Buy the workflow.

Mistake 2: ignoring the client-facing brand

If your managed security package includes SAT, the client should experience it as part of your service.

White-label is where product operations meets retention. Branded reports make QBRs easier. Branded certificates give the MSP credit. Branded emails reduce the "who is this vendor?" confusion that turns into tickets.

CyberHoot's MSP page and Hook Security's MSP page both emphasise multi-tenant and white-label concepts because MSP buyers care about both.

That is not a coincidence.

Mistake 3: buying content library size instead of operating fit

A large content library can be useful. So can animated episodes, custom content builders, simulations, and role-based modules.

But library size does not solve MSP admin debt by itself.

If the MSP cannot easily assign, track, report, and prove training across clients, the content library becomes another thing the team has to manage.

For MSPs, the operating layer matters as much as the content.

Mistake 4: letting compliance claims outrun evidence

Awareness training supports compliance evidence. It does not make a client compliant by itself.

NIST, ISO 27001, cyber insurance questionnaires, and client audits all ask for different proof. Training completion may be one piece. Reporting behaviour, policy acknowledgement, onboarding records, phishing simulations, and role-based education may also matter.

Be precise in your offer.

Say: "We provide training evidence and reports for the awareness portion."

Do not say: "This makes you compliant."

Mistake 5: forgetting offboarding

Multi-tenant SAT is not only about adding clients and users.

It also needs clean removal.

Client churn, employee departures, contractor end dates, domain changes, and tenant handovers all need a process. If users never leave the platform, reporting gets messy and billing can get worse.

Ask how user lifecycle works before you ask how pretty the dashboard looks.

Framework mapping for multi-tenant SAT

Multi-tenant SAT is not a control in NIST or ISO by itself. It is the operating model that helps an MSP deliver and prove the training controls across clients.

Here is the practical mapping.

Framework or source	Awareness requirement	What the MSP needs from SAT
NIST CSF 2.0 PR.AT-01	Personnel receive awareness and training so they can perform general tasks with cybersecurity risks in mind	Training assignments, completion records, social engineering topics, refreshers, and evidence by client
NIST SP 800-50 Rev. 1	A life cycle approach to learning programs, behaviour change, metrics, and ongoing improvement	Program templates, training cadence, metrics, review cycles, and repeatable reporting
ISO 27001 Annex A 6.3	Personnel and relevant interested parties receive appropriate awareness, education, training, and policy updates	Completion logs, assessment results, policy acknowledgement, role-based training records, and exportable proof
CISA phishing guidance	Users should recognise, resist, report, and delete phishing attempts	Phishing modules, reporting prompts, simulated phish results, and client-ready education material
Verizon DBIR 2025	Human involvement and social engineering remain major breach patterns	Training content tied to phishing, pretexting, credential abuse, reporting behaviour, and repeat measurement

The MSP lesson is clear: frameworks create the expectation, but operations decide whether the work is repeatable.

The buying question MSPs should ask

Most SAT demos answer the direct-buyer question: "Will our employees complete this training?"

MSPs need another question first:

"Can we run this for every client without adding more admin than margin?"

That one question cuts through most of the noise.

A good multi-tenant SAT platform should let the MSP sell training as part of a managed service, keep the client relationship under the MSP brand, prove the work happened, and see the whole client base from one place.

If the platform cannot do that, the MSP is not buying an operating layer. It is buying another client-by-client chore.

Where Defendwise fits

Defendwise is built around the MSP operating model: multi-tenant control, white-label delivery, automated reports, and one flat $399/month price for unlimited users and clients.

That does not remove the need for a real training program. It removes the admin and pricing friction that stops MSPs from offering training to every client.

If you are evaluating multi tenant SAT, start with the dashboard. Then test the reporting. Then test the new-client path. Then look at the bill.

That order will tell you whether the platform was built for MSPs, or merely sold to them.

Frequently asked questions

What is multi tenant SAT?

Multi tenant SAT is security awareness training built so an MSP can manage multiple client organisations from one admin environment. The MSP can run training, phishing simulations, user imports, reporting, and evidence exports across clients without logging into a separate account for each one.

Why does multi-tenant SAT matter for MSPs?

Multi-tenant SAT matters because MSPs do not sell training to one company at a time. They often need to onboard users, prove completion, prepare client reports, and respond to audit or insurance requests across many clients at once.

What should MSPs look for in a multi-tenant SAT platform?

MSPs should look for client separation, one MSP-level dashboard, bulk campaign controls, per-client overrides, white-label reporting, directory sync, role-based admin access, audit logs, and exportable evidence for frameworks such as NIST CSF and ISO 27001.

Is single-tenant SAT bad for every MSP?

No. Single-tenant SAT can work for an MSP with one or two training clients, or where each client needs a completely separate program. It starts to break when the MSP needs consistent delivery, reporting, and evidence across 10, 30, or 100 clients.

How is multi-tenant SAT different from a partner portal?

A partner portal may only handle account creation, billing, or top-level visibility. Multi-tenant SAT should also support day-to-day operations: campaign rollouts, user lifecycle controls, client-level reporting, delegated access, and fleet-wide risk views.

Does multi tenant SAT help with compliance evidence?

It can. Awareness frameworks still require the client to run a real program, but a multi-tenant SAT platform can make it easier for the MSP to export completion records, assessment results, phishing reports, and evidence packs for each client.

How does Defendwise handle multi-tenant SAT?

Defendwise is built for MSPs that need one console across client organisations, flat $399/month pricing, unlimited users, white-label delivery, and client-ready reporting. Review the Defendwise multi-tenancy page to see how the model works.

Source notes

• NIST SP 800-50 Rev. 1: https://csrc.nist.gov/pubs/sp/800/50/r1/final
• NIST CSF 2.0 PR.AT-01 reference: https://csf.tools/reference/nist-cybersecurity-framework/v2-0/pr/pr-at/pr-at-01/
• CISA social engineering and phishing overview: https://www.cisa.gov/news-events/news/avoiding-social-engineering-and-phishing-attacks
• CISA recognize and report phishing: https://www.cisa.gov/secure-our-world/recognize-and-report-phishing
• CISA phishing guidance PDF: https://www.cisa.gov/sites/default/files/2023-10/Phishing%20Guidance%20-%20Stopping%20the%20Attack%20Cycle%20at%20Phase%20One_508c.pdf
• Verizon 2025 DBIR: https://www.verizon.com/business/resources/T16f/reports/2025-dbir-data-breach-investigations-report.pdf
• ISO 27001 Annex A 6.3 explainer: https://hightable.io/iso-27001-annex-a-6-3-information-security-awareness-education-and-training/
• KnowBe4 Partner and Multi-Account guide: https://support.knowbe4.com/hc/en-us/articles/360013635634-Partner-and-Multi-Account-Getting-Started-Guide
• Huntress Managed SAT page: https://www.huntress.com/platform/security-awareness-training
• Huntress Managed SAT support guide: https://support.huntress.io/hc/en-us/articles/10962579695379-The-Core-Functions-of-Huntress-Managed-Security-Awareness-Training-SAT
• Hook Security for MSPs: https://www.hooksecurity.co/for-msps
• CyberHoot for MSPs: https://cyberhoot.com/solutions/for-msps/