The 30% Problem: Why Most MSPs Only Train a Third of Their Clients on Security
Per-seat pricing forces MSPs to leave 70% of end-client employees untrained. Here's how the seat tax creates a coverage gap — and what it's costing you.
Jono
DefendWise
The 30% Problem: Why Most MSPs Only Train a Third of Their Clients on Security
There's a number that should keep every MSP owner up at night: 30%.
That's the percentage of end-client employees who typically receive security awareness training through their MSP. Not 80%. Not 60%. Thirty percent.
The other 70%? They're clicking phishing links, reusing passwords, and opening attachments from "the CEO" without a second thought. And when one of them causes a breach, it's not just the client who has a problem — it's you.
So why are MSPs leaving the vast majority of their clients exposed? It's not negligence. It's not ignorance. It's math.
The Seat Tax That Forces Bad Decisions
Every major security awareness training platform — KnowBe4, Proofpoint, Huntress, Arctic Wolf — charges per seat, per month. The rates vary ($1 to $5 per user), but the economics are the same: every employee you train costs you money.
That creates a straightforward business calculation. Say you manage 20 clients with a combined 2,000 employees. At $2/user/month, training everyone costs $48,000 per year. For most MSPs, that's a significant line item — one that's hard to pass through to clients who are already pushing back on monthly managed services fees.
So you make trade-offs. You train the 10 largest clients and skip the rest. You cover the C-suite and finance team but leave the warehouse staff untrained. You run phishing simulations quarterly instead of monthly because every additional campaign takes hours to configure.
The result is that 30% number. Not because you don't care — because per-seat economics made the decision for you.
The Liability You're Carrying
Here's where it gets uncomfortable. When an untrained employee at one of your unprotected clients clicks a phishing link and triggers a ransomware incident, the question isn't just "who pays for the recovery?" It's "who knew this was a risk and didn't act?"
MSPs are increasingly finding themselves in the liability conversation after breaches. If you're the managed service provider and you didn't offer — or couldn't afford to offer — security awareness training to a client, that gap is discoverable. Insurance carriers are asking about it. Compliance frameworks require it. And lawyers absolutely love it.
The 30% problem isn't just a revenue optimization question. It's a risk management failure that's baked into the pricing model itself.
What Full Coverage Actually Costs (Today)
Let's run the real numbers for a mid-sized MSP with 2,000 total seats across all clients:
| Vendor | Per-Seat Rate | Annual Cost (2,000 seats) | Admin Time |
|---|---|---|---|
| KnowBe4 (Gold) | $2.00/user/mo | $48,000 | 12–19 hrs/mo |
| Proofpoint | $1.50/user/mo | $36,000 | 10–15 hrs/mo |
| Huntress SAT | $1.00/user/mo | $24,000 | Low (managed) |
| Arctic Wolf | $3.99/user/mo | $95,760 | Moderate |
Even at the cheapest option, you're looking at $24,000/year to cover everyone. And that's before you account for the admin time to manage campaigns, configure simulations, build reports, and chase down completion rates.
This is exactly why MSPs don't cover everyone. The cost of full coverage is prohibitive, so they cover what they can afford and hope the rest doesn't blow up.
The Hidden Cost: Admin Hours
The dollar cost is only half the story. Per-seat SAT platforms require significant hands-on management:
Campaign setup and scheduling. Someone on your team has to create phishing campaigns, select templates, configure target groups, set schedules, and manage exceptions. For each client. Every month.
Reporting and compliance documentation. When clients ask for their training metrics — and they will, especially during compliance audits — someone has to pull reports, format them, and send them. Manual report generation across 20 clients is a full afternoon, every month.
User management. Employees join, leave, and change roles. Someone has to keep the training platform in sync with each client's directory. Without automation, this is a constant trickle of manual work.
The industry estimate is 12–19 hours per month for a typical MSP running KnowBe4 or Proofpoint across multiple clients. That's a quarter of a full-time employee spent on SAT administration.
At $50/hour (fully loaded), that's another $7,200–$11,400 per year in labor costs. Add that to the per-seat fees and the true cost of full coverage becomes even more daunting.
Why This Problem Is Getting Worse, Not Better
Three trends are compounding the 30% problem:
AI-powered phishing is exploding. The phishing emails of 2024 were bad. The phishing emails of 2026 are grammatically perfect, contextually relevant, and nearly indistinguishable from legitimate messages. Every untrained employee is a more vulnerable target than they were a year ago.
Compliance requirements are tightening. More frameworks, more auditors, more insurance carriers are requiring documented security awareness training for all employees — not just key personnel. The days of "we train the important people" are ending.
Clients expect it. As security awareness grows in the public consciousness, more end-clients are asking their MSPs: "Are we doing security training?" The MSPs who can say "yes, everyone's covered" win trust. The ones who have to explain coverage gaps lose it.
Breaking the Model
The 30% problem is a pricing problem. The solution isn't to convince MSPs to spend more on per-seat training — it's to eliminate the per-seat model entirely.
What if SAT didn't cost more when you added clients? What if every employee across every client was trained, automatically, for one fixed monthly price? What if the admin time dropped from 19 hours a month to zero?
That's not a hypothetical. That's the model DefendWise was built on: $299/month, flat rate, unlimited users, zero admin. AI generates the training content. AI personalizes the phishing simulations. AI handles the reporting. You connect a directory, and every employee is covered.
At 2,000 seats, that's $3,588/year instead of $24,000–$95,760. Full coverage. No trade-offs. No liability gaps.
The 30% problem doesn't need a bigger budget. It needs a different model.
DefendWise is flat-rate security awareness training built for MSPs. $299/month. Every client. Every employee. See your savings →