Phishing training that actually changes how people respond.
Most awareness programs fail for a boring reason: nobody runs them like a program. We design, operate, and report on managed security awareness training so your staff learn to recognize the attacks they will actually see — and so you have the evidence HIPAA, SOC 2, and your cyber-insurance renewal will ask for.
Managed security awareness training is a phishing and awareness program that an outside team designs, runs, and reports on for you — short story-driven micro-lessons, realistic simulations, a one-click Report Phishing button that routes to a real Security Operations Center, and the documentation auditors and insurers ask for.
It is bundled into Protected ($32 per user per month) and Complete (from $55 per user per month). The Foundation tier ($15 per agent per month) is endpoint-only and does not include SAT.
We do not build the training content from scratch. Our default platform is Huntress Managed Security Awareness Training — story-driven 5-minute micro-lessons, realistic phishing simulations, and a report-phishing workflow that ties back to the same Huntress 24/7 SOC running your MDR and ITDR. KnowBe4 and Hoxhunt are deployed where existing licensing or specialty content calls for them. The Obsidian Ridge value is the program around the platform: design, content selection, simulation cadence, reporting analysis, leadership debrief, and audit-evidence packaging.
What's included
Everything that goes into a managed SAT program
Six things tend to separate a program that changes behavior from one that produces a completion certificate nobody reads.
Story-driven micro-lessons
Short lessons people can finish between meetings. Each one teaches a single pattern — urgent payment changes, login links from email, shared-file requests — using realistic examples instead of cartoon hackers and security vocabulary.
Role-based content
Finance, HR, IT, and executives each get scenarios that match their work. A bookkeeper learns vendor-payment fraud; an admin learns OAuth consent and mailbox-rule abuse; an executive learns approval-fraud and MFA fatigue. Everyone learns the basics first.
Realistic phishing simulations
Scenarios that look like the email your staff actually receives. We avoid emotionally manipulative tricks — no fake layoffs, no fake bonuses — because those teach distrust of leadership instead of distrust of suspicious requests.
One-click reporting into the SOC
A Report Phishing button lives in Outlook or Gmail. When someone reports, an analyst triages the message and replies with a verdict. Reporting becomes detection, and detection becomes feedback that reinforces the behavior.
Metrics leadership can act on
Reporting rate, time to first report, repeat risk, and which workflows still let bad email through. Click rate matters — but it is one signal, not the scoreboard.
Audit-evidence packaging
Completion records, simulation reports, policy attestations, and the program narrative in the form HIPAA, SOC 2, PCI DSS, and ISO 27001 reviewers actually ask for — including the gaps you fixed and what changed because of training.
The shift is subtle but important. The program stops asking “who failed the test?” and starts asking “where is the business still easy to trick?” That second question leads to better fixes — better payment-verification policy, better MFA coverage, better mailbox-rule monitoring. Training helps people recognize attacks before they click; the program around it helps the business respond when training is not enough.
Compare honestly
DIY phishing training vs. LMS-only platform vs. managed program
None of these are wrong choices. They solve different problems. Here is how the operational reality changes between them.
Who designs the program
  DIY phishing training (free): Whoever volunteers — usually IT
  LMS-only platform: You — vendor ships a content library
  Managed SAT program: We do — based on your industry, headcount, and risk

Who reviews reported phish
  DIY phishing training (free): Sometimes nobody, sometimes IT
  LMS-only platform: You, if your team has time
  Managed SAT program: Our SOC, with a reply back to the reporter

Who debriefs with leadership
  DIY phishing training (free): Whoever has the spreadsheet
  LMS-only platform: You — the platform gives you data, not narrative
  Managed SAT program: A senior practitioner, quarterly

Audit evidence
  DIY phishing training (free): Reassembled the week of the audit
  LMS-only platform: Export a CSV; format it yourself
  Managed SAT program: Packaged the way auditors consume it

Total cost (50-user org, year 1)
  DIY phishing training (free): $0 in licenses, ~80 hrs of internal time
  LMS-only platform: ~$3K license + ~40 hrs to run it
  Managed SAT program: Bundled into Protected — no separate program tax

Best fit
  DIY phishing training (free): Comfortable with the audit risk
  LMS-only platform: Internal security lead with bandwidth
  Managed SAT program: 5–500 employees, no internal security team
If you already have a security-minded person inside who genuinely owns the program, an LMS-only platform may be the right answer — and we will tell you that on the triage call. Managed SAT is for the businesses where the program would otherwise become shelfware.
See the reel
A 100-second briefing on the phishing reality
A short visual walk-through of how modern phishing reaches a small business — what an employee actually sees, where the decision happens, and how a managed program shortens the time between “this feels off” and “the SOC is already on it.”
Pricing
Two tiers that include SAT — Foundation does not
Managed SAT is bundled into Protected and Complete. The Foundation tier ($15 per agent per month) is endpoint detection and response only — it does not include awareness training, simulations, or the reporting workflow. If awareness is what you came here for, start with Protected.
Prices in USD · per agent or per user
Most common
Tier 01 · Protected
$32 / user / mo
Annual term · billed monthly
Managed security awareness training built into the wider Protected program — phishing simulations, role-based lessons, a real reporting workflow, and the training records auditors and insurers ask for.
What's included for SAT
Short story-driven micro-lessons. Awareness curriculum: five-to-ten-minute lessons people can actually finish, scheduled on a monthly or quarterly rhythm instead of a forgotten annual module.
Role-based content for finance, IT, and executives. Role-based training: finance gets BEC and vendor-payment scenarios, IT gets account-compromise and OAuth-consent training, executives get approval-fraud and MFA-fatigue practice.
Realistic phishing simulations on a calendar you can defend. Phishing simulation: scenarios match the messages your staff actually sees — fake invoices, shared documents, login prompts — never humiliating, never gotcha layoffs or fake bonuses.
One-click 'Report Phishing' button into the SOC. Reporting workflow: an Outlook or Gmail button routes suspicious email to analysts who triage it and reply to the reporter — so people get fast feedback and the business gets early warning.
Training records ready for SOC 2, HIPAA, and insurance. Compliance evidence: completion logs, simulation results, and program documentation packaged the way auditors actually consume them.
Replaces or complements
Annual compliance-check-the-box training nobody remembers a week later
Phishing simulation tools nobody reviews
Hoping the IT generalist has time to run a training program quarterly
Tier 02 · Complete
from $55 / user / mo
Adds executive debriefs, deeper role-based scenarios, and audit-evidence packaging for teams that already feel the weight of compliance and want the program handled end-to-end.
Everything in Protected, plus
Quarterly leadership debrief. Executive review: we sit down with leadership to translate reporting rate, time-to-report, and risky-workflow findings into decisions about process, policy, and budget.
Deeper role-based scenarios. Custom scenarios: scenarios written around your real workflows — vendor list, payroll cadence, client-file transfer patterns — instead of generic templates.
Audit-evidence packaging. Evidence pack: training completion, simulation results, policy attestations, and the program narrative bundled into the form auditors actually accept.
Senior practitioner — 4 hrs/mo reserved. Practitioner hours: use the time for program design changes, regulator questions, M&A onboarding, or content review.
Integration with detection and identity workflows. Reported-phish triage: user-reported messages feed the SOC, identity alerts trigger micro-coaching, and clicked credentials trigger a session-revoke playbook — training stops being a silo.
Replaces or complements
Separate LMS and simulation tools that don't talk to each other
Manual audit-evidence collection the week before a review
Annual programs with no link to detection or identity controls
Frameworks have firm expectations here: HIPAA Security Rule 164.308(a)(5) requires a workforce security awareness and training program; SOC 2 Common Criteria CC1.4 expects evidence that competent personnel are developed and trained; PCI DSS 4.0 section 12.6 requires a formal awareness program with annual training and signed acknowledgement; ISO 27001 Annex A.6.3 requires information-security awareness, education, and training. The pricing reflects a program designed to satisfy all four without four separate tools.
Managed SAT is the right fit for most small and mid-market businesses that want a working awareness program without staffing one. It is not the right fit if:
You already have a dedicated security lead who runs the program weekly, reviews every reported message, and debriefs leadership themselves. Buy a platform license.
You want a one-time annual module to satisfy a checkbox and you do not actually want behavior to change. We will not sell that and pretend it is a program.
You are looking for gotcha simulations that fake layoffs, fake bonuses, or emotionally manipulate staff. That damages trust in leadership instead of building suspicion of risky requests.
You expect training alone to stop business email compromise. It will not. Awareness has to sit next to MFA, payment verification, identity monitoring, and an incident process — we will tell you what is missing on the triage call.
If any of those describe you, we tell you that on the triage call. No follow-up sales sequence.
What happens after you reach out
From first call to first simulation — typically 21 days
01
Free 20-minute triage
A direct call with the practitioner. We confirm whether managed SAT is the right next step or whether a single workflow fix — better MFA, a payment-verification policy — would do more right now.
02
30-minute briefing & written proposal
Within one business day after the briefing, you get a fixed-fee proposal that names the underlying platform (Defender, KnowBe4, or Hoxhunt), the cadence, the role-based scenarios, and the audit frameworks the evidence will support.
03
Baseline & reporting workflow (weeks 1–2)
We deploy the Report Phishing button to Outlook or Gmail, baseline current reporting behavior, and write the internal note that tells staff the program is starting and what good looks like. No surprise simulation on day one.
04
First simulation & monthly rhythm (day 21 onward)
A realistic, fair simulation goes out around week three. From there: short recurring lessons, quarterly simulations or more often if risk demands, and a monthly summary in plain English. Quarterly debrief with leadership.
FAQ
Questions that come up before signing
What is managed security awareness training?
Managed security awareness training is a phishing and awareness program that an outside team designs, operates, and reports on for you. It includes short recurring lessons, realistic phishing simulations, a reporting workflow, and the documentation auditors and insurers ask for. The point is to free a small or mid-market business from running a program that needs weekly attention to actually change behavior.
How often should we run phishing simulations?
For most small and mid-market businesses, quarterly is a reasonable baseline; finance-heavy or regulated environments often benefit from a monthly cadence with role-specific scenarios. The goal is repetition without fatigue: short, realistic, and consistent. Annual training tends to fade — NIST's updated awareness-program guidance emphasizes continuous improvement over one-time information dumps. Source: NIST SP 800-50 Rev. 1.
What's a healthy click rate, and is it the right metric?
Click rate is one signal, not the scoreboard. A program optimizing only for click rate tends to get harder simulations until it produces a number leadership likes. We track reporting rate, time to first report, repeat risk, and which workflows still allow bad email through — because those metrics describe whether the business can respond, not just whether employees noticed. We share benchmarks transparently from sources like Verizon's DBIR and the KnowBe4 Phishing Benchmark Report rather than quoting an industry-average number out of context.
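Here is how the four signals named above and in "Metrics leadership can act on" can be computed from simulation results, as an added example that is not part of this page or of any platform mentioned on it; the event records are constructed and their field layout is an assumption, since each platform exports its own schema.

```python
from collections import defaultdict

# Constructed sample data (hypothetical): one tuple per simulated message, as
# (campaign, workflow the lure imitates, user, minutes until click, minutes until
# report). Minutes count from delivery; None means the action never happened.
EVENTS = [
    ("q1", "vendor-payment", "alice", None, 7),
    ("q1", "vendor-payment", "bob", 4, None),
    ("q1", "vendor-payment", "carol", None, None),
    ("q1", "vendor-payment", "dave", 12, 15),   # clicked, then reported anyway
    ("q2", "shared-file", "alice", None, 3),
    ("q2", "shared-file", "bob", 2, None),      # second click in a row: repeat risk
    ("q2", "shared-file", "carol", None, 20),
    ("q2", "shared-file", "dave", None, None),
]


def campaign_metrics(events):
    """Per campaign: click rate, report rate, and minutes to the first report."""
    groups = defaultdict(list)
    for camp, _wf, _user, clicked, reported in events:
        groups[camp].append((clicked, reported))
    out = {}
    for camp, rows in groups.items():
        reports = [r for _, r in rows if r is not None]
        out[camp] = {
            "click_rate": sum(c is not None for c, _ in rows) / len(rows),
            "report_rate": len(reports) / len(rows),
            # How long the business ran blind before anyone told the SOC.
            "time_to_first_report_min": min(reports) if reports else None,
        }
    return out


def repeat_risk(events, min_clicks=2):
    """Users who clicked in at least `min_clicks` distinct campaigns."""
    clicks = defaultdict(set)
    for camp, _wf, user, clicked, _reported in events:
        if clicked is not None:
            clicks[user].add(camp)
    return sorted(u for u, camps in clicks.items() if len(camps) >= min_clicks)


def weakest_workflow(events):
    """The business workflow whose lures still get clicked most often."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for _camp, wf, _user, click, _reported in events:
        sent[wf] += 1
        clicked[wf] += int(click is not None)
    return max(sent, key=lambda w: clicked[w] / sent[w])
```

Note that q1 and q2 have the same report rate but very different time-to-first-report, which is the kind of difference a click-rate-only scoreboard hides.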
Does HIPAA require security awareness training?
Yes. The HIPAA Security Rule at 45 CFR 164.308(a)(5)(i) requires covered entities and business associates to implement a security awareness and training program for all workforce members, including management. Specific implementation specifications cover security reminders, protection from malicious software, login monitoring, and password management. We package training completion records, simulation results, and program documentation as evidence of that requirement. Source: HHS Security Rule, 45 CFR 164.308.
What about training fatigue?
Training fatigue is real and we plan for it. The fix is shorter lessons, not less frequent ones — five useful minutes beats a forgotten hour. We also vary the format: story-driven micro-lessons, short reminders tied to current events, and simulations that match how your business operates. If people are tired of training, we shorten the lesson before reducing the cadence.
Do you write the training content yourselves?
No, and we are clear about that. Our default platform is Huntress Managed Security Awareness Training — story-driven 5-minute micro-lessons, realistic phishing simulations, and a one-click report-phishing workflow that ties back to the same 24/7 SOC that runs your ITDR. We can also deploy KnowBe4 or Hoxhunt where existing licensing or specific content requirements call for it. The Obsidian Ridge value is program design, content selection, simulation cadence, reporting analysis, the leadership debrief, and audit-evidence packaging. The training videos and base templates come from the underlying platform; we make the program work.
How is this different from buying Huntress SAT or KnowBe4 ourselves?
Huntress Managed SAT, KnowBe4, and Hoxhunt are all good platforms. The gap most teams hit is operational: who reviews reported phish, who decides the simulation calendar, who interprets the report each month, who debriefs with leadership, and who packages evidence for the audit. Buying the platform solves the content problem and leaves the program problem. Managed SAT runs the program.
Can you produce audit evidence for SOC 2, HIPAA, or PCI DSS?
Yes. SOC 2 CC1.4 expects evidence that the organization develops and retains competent personnel and that awareness training is delivered and tracked. PCI DSS 4.0 section 12.6 requires a formal security awareness program with annual training and acknowledgement. HIPAA requires the program at 164.308(a)(5). We package completion logs, simulation summaries, policy attestations, and program narrative in the form each framework's reviewers actually expect.