Most MSPs know they should be running phishing simulations for their clients. Fewer than half actually do it consistently. The rest cite the same blockers: setup takes too long, clients push back, and it's hard to show tangible results beyond a click rate number.
This guide cuts through that. It walks through every step of running a phishing simulation as an MSP service — from planning to remediation — and explains exactly where the common breakdowns happen. Whether you're running your first campaign or trying to scale phishing simulations across 30+ clients, the process is the same.
A phishing simulation has five phases: plan → select templates → launch → report → remediate. Most MSPs fail at planning (no client scope agreement) and remediation (no follow-up training). Automation is the only realistic path to scaling this across more than 10 clients.
Why MSPs Need to Run Phishing Simulations
Phishing is the entry point for over 90% of successful cyberattacks on SMBs. Your clients' employees are the last line of defense — and without regular testing, you have no data on how well that line actually holds.
There are three business reasons this matters for MSPs specifically:
Compliance requirements are tightening. HIPAA, PCI DSS, SOC 2, and cyber insurance underwriters increasingly require documented security awareness training and phishing simulation records. Clients in healthcare, finance, and legal verticals face audit risk if they can't produce training logs. Your MSP is positioned to provide exactly this documentation — or to leave that gap for a competitor to fill.
Client retention improves when you can show risk trends. Phishing simulation data is one of the few security metrics that's immediately legible to non-technical buyers. A chart showing click rates dropping from 28% to 7% over 12 months is a renewal conversation, not just a security report. MSPs who run simulations consistently have a data asset that MSPs without them simply can't compete with at renewal time.
It's a legitimate revenue line. Security awareness training with phishing simulation can be packaged as a standalone service ($3–8/user/month) or bundled into a managed security tier. At 50 clients averaging 40 users, that's $6,000–$16,000 in monthly recurring revenue from a service that — when automated — requires minimal ongoing labor.
Step-by-Step: How to Run a Phishing Simulation
Every phishing simulation failure I've seen starts in the planning phase. The two most common mistakes: not getting explicit sign-off from the client, and not scoping which employees are included.
Before launching any campaign, document and confirm:
- Authorized sender domains — which domains will simulation emails come from? Client IT teams need to whitelist these to ensure deliverability.
- Employee scope — all employees, specific departments, or a pilot group? New hires and executives often warrant separate treatment.
- Notification policy — does leadership know simulations are happening? Will employees be told after they click?
- Campaign frequency — monthly is standard for active clients; quarterly for maintenance mode.
- Success definition — what click rate threshold triggers escalation or additional training?
Get this in writing (even a simple email confirmation). It protects you if a client's employee escalates a "real phishing email" that was your simulation.
Phishing template difficulty should be calibrated to where your client actually is. First campaign for a client who's never run simulations? Start with moderate difficulty — obvious-but-not-trivial scenarios like "Your password expires in 24 hours" or a fake invoice from a familiar vendor name.
Categories to cover across your simulation rotation:
- Credential harvesting — fake login pages (Microsoft 365, Google Workspace, VPN portals)
- Executive impersonation — "The CEO needs you to..." wire transfer or gift card requests
- Vendor/invoice fraud — spoofed emails from client suppliers requesting payment updates
- IT alert spoofing — fake security alerts, password reset requests, MFA prompts
- SMS smishing — delivery notifications, two-factor verification texts (especially effective in 2026)
Don't use the same template twice in back-to-back months. Employees catch patterns. Rotate the category and the brand being spoofed each cycle.
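As an added example (not code from the page or from ThreatPulse), here is a small planner that applies the rotation rule above: each cycle's category and spoofed brand must both differ from the previous cycle, and a client's first campaign runs at moderate difficulty. The category names follow the list above; the brand list, the `hard` difficulty label, and the function names are assumptions made for this example.

```python
from dataclasses import dataclass

# Categories from the rotation list above. The brand list is constructed
# sample data for this example; use the brands your client actually relies on.
CATEGORIES = [
    "credential_harvesting",
    "executive_impersonation",
    "vendor_invoice_fraud",
    "it_alert_spoofing",
    "sms_smishing",
]
BRANDS = ["Microsoft 365", "Google Workspace", "VPN portal", "Known vendor", "Internal IT"]


@dataclass(frozen=True)
class Cycle:
    month: int        # 1-based campaign number for this client
    category: str
    brand: str
    difficulty: str   # "moderate" for a client's first campaign, "hard" afterwards (assumed labels)


def plan_rotation(n_cycles, categories=CATEGORIES, brands=BRANDS, history=()):
    """Plan n_cycles campaigns whose category and brand both differ from the previous cycle.

    history: (category, brand) pairs already sent, oldest first, so the first
    planned cycle does not repeat the last real campaign either.
    """
    if len(categories) < 2 or len(brands) < 2:
        raise ValueError("need at least two categories and two brands to rotate")
    plan = []
    prev = history[-1] if history else None
    cat_i, brand_i = 0, 0
    for n in range(n_cycles):
        month = len(history) + n + 1
        # advance each index until the field differs from the previous cycle
        while prev and categories[cat_i % len(categories)] == prev[0]:
            cat_i += 1
        while prev and brands[brand_i % len(brands)] == prev[1]:
            brand_i += 1
        cat = categories[cat_i % len(categories)]
        brand = brands[brand_i % len(brands)]
        plan.append(Cycle(month, cat, brand, "moderate" if month == 1 else "hard"))
        prev = (cat, brand)
        cat_i += 1
        brand_i += 2  # different stride so the same (category, brand) pairing is not reused every lap
    return plan


def violations(plan):
    """Indexes of cycles that repeat their predecessor's category or brand (should be empty)."""
    return [i for i in range(1, len(plan))
            if plan[i].category == plan[i - 1].category or plan[i].brand == plan[i - 1].brand]


if __name__ == "__main__":
    for c in plan_rotation(6):
        print(c)
    print("violations:", violations(plan_rotation(6)))
```

Run `violations()` over any hand-edited schedule before loading it into your platform; it is the check that catches the back-to-back repeat the text warns about.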
Technical setup is where most manual phishing simulation processes break down at scale. For every client you add, the work multiplies: whitelisting simulation IPs, importing employee lists, configuring sending domains, scheduling delivery windows.
Key technical checklist before sending:
- Whitelist simulation sending IPs/domains with client's email security gateway (Proofpoint, Mimecast, Microsoft Defender) to avoid filtering before delivery
- Import or sync current employee list — stale lists waste sends on departed employees and miss new hires who are highest-risk
- Set delivery window to business hours (7am–5pm local time) — off-hours sends skew click rate data and may trigger unnecessary alerts
- Configure the landing page — what employees see after they click should include immediate training context, not just a "gotcha" message
- Test with a small pilot group (2–3 accounts you control) before full deployment
Raw click rate numbers aren't enough. A 12% click rate means nothing to a healthcare practice owner without context. Your reporting should translate metrics into client-legible risk language.
A good phishing simulation report covers:
- Overall click rate — and how it compares to industry benchmark (SMB average: 14–18% without training)
- Department breakdown — which teams click most? Finance and operations are consistently highest-risk
- Repeat clickers — employees who click in multiple campaigns need individual follow-up, not just group training
- Time-to-click — users who click within 60 seconds are the highest-risk cohort; they're not reading anything
- Trend over time — month-over-month improvement is your retention argument at renewal
Keep client-facing reports to one page. Decision-makers don't read 12-page PDFs. A summary card with headline metrics and a risk trend chart lands better in a QBR.
The simulation is the test. Remediation is the point. An MSP that sends phishing emails and produces click rate reports without connecting clickers to training is delivering compliance theater, not risk reduction.
Effective remediation structure:
- Immediate micro-training — when employees click, show a brief (2–3 minute) explainer on the specific technique used. In-the-moment training has 3–5x retention versus scheduled modules.
- Targeted follow-up — clickers get assigned specific training modules relevant to the attack type (credential harvesting → password security; invoice fraud → payment verification protocols)
- Repeat-clicker escalation — employees who click in three or more consecutive campaigns warrant a direct conversation with their manager, not just another training module
- Completion tracking — verify employees actually complete assigned training; report completion rates alongside click rates
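The reporting metrics listed above (overall click rate against a benchmark, department breakdown, fast clickers, repeat clickers, trend) and the remediation rules in this section are straightforward to compute from per-user send results. The following is an added example, not the page's or ThreatPulse's code: it runs over constructed sample results for one client across three campaigns and produces both the summary metrics and the per-clicker remediation actions. The 60-second fast-click threshold, the three-consecutive-campaign escalation rule, and the 14–18% benchmark come from the text; the training module names and the record layout are assumptions.

```python
from collections import defaultdict

# Constructed sample data: four users, three monthly campaigns. A user absent
# from a campaign's click map did not click.
USERS = {"ana": "finance", "ben": "finance", "cai": "operations", "dee": "clinical"}
CAMPAIGNS = [  # (campaign number, category, {user: seconds_to_click})
    (1, "credential_harvesting", {"ana": 12, "ben": 340}),
    (2, "vendor_invoice_fraud", {"ana": 45, "cai": 900}),
    (3, "it_alert_spoofing", {"ana": 30}),
]
RESULTS = [
    {"campaign": n, "category": cat, "user": u, "dept": d, "seconds_to_click": clicks.get(u)}
    for n, cat, clicks in CAMPAIGNS for u, d in USERS.items()
]

# Attack type -> follow-up module, as in the remediation list above (module names assumed)
FOLLOW_UP_MODULE = {
    "credential_harvesting": "password-security",
    "vendor_invoice_fraud": "payment-verification",
    "it_alert_spoofing": "verifying-it-requests",
    "executive_impersonation": "executive-request-verification",
    "sms_smishing": "mobile-phishing",
}
FAST_CLICK_SECONDS = 60   # "click within 60 seconds" cohort
ESCALATE_AFTER = 3        # clicks in this many consecutive campaigns -> manager conversation


def clicked(r):
    return r["seconds_to_click"] is not None


def click_rate(results, campaign):
    sent = [r for r in results if r["campaign"] == campaign]
    return round(sum(map(clicked, sent)) / len(sent), 3) if sent else 0.0


def department_breakdown(results, campaign):
    by_dept = defaultdict(list)
    for r in results:
        if r["campaign"] == campaign:
            by_dept[r["dept"]].append(clicked(r))
    return {d: round(sum(c) / len(c), 3) for d, c in sorted(by_dept.items())}


def fast_clickers(results, campaign, threshold=FAST_CLICK_SECONDS):
    return sorted(r["user"] for r in results
                  if r["campaign"] == campaign and clicked(r) and r["seconds_to_click"] <= threshold)


def repeat_clickers(results, min_consecutive=ESCALATE_AFTER):
    """Users who clicked in at least min_consecutive back-to-back campaigns."""
    history = defaultdict(dict)
    for r in results:
        history[r["user"]][r["campaign"]] = clicked(r)
    flagged = []
    for user, by_campaign in history.items():
        run = 0
        for c in sorted(by_campaign):          # a miss resets the streak
            run = run + 1 if by_campaign[c] else 0
            if run >= min_consecutive:
                flagged.append(user)
                break
    return sorted(flagged)


def trend(results):
    return [(c, click_rate(results, c)) for c in sorted({r["campaign"] for r in results})]


def remediation_actions(results, campaign):
    """Per-clicker actions for the campaign that just closed."""
    escalate = set(repeat_clickers(results))
    return {
        r["user"]: {
            "micro_training": r["category"],   # in-the-moment explainer on the technique used
            "module": FOLLOW_UP_MODULE.get(r["category"], "general-phishing-awareness"),
            "escalate_to_manager": r["user"] in escalate,
        }
        for r in results if r["campaign"] == campaign and clicked(r)
    }


def summary(results, campaign, benchmark=(0.14, 0.18)):
    """Headline metrics for a one-page client report, with benchmark context."""
    rate = click_rate(results, campaign)
    return {
        "campaign": campaign,
        "click_rate": rate,
        "vs_benchmark": "below" if rate < benchmark[0] else "within" if rate <= benchmark[1] else "above",
        "departments": department_breakdown(results, campaign),
        "fast_clickers": fast_clickers(results, campaign),
        "repeat_clickers": repeat_clickers(results),
        "trend": trend(results),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summary(RESULTS, 3), indent=2))
    print(json.dumps(remediation_actions(RESULTS, 3), indent=2))
```

The streak logic in `repeat_clickers` matters: a user who clicks in campaigns 1 and 3 but not 2 is not a three-in-a-row repeat clicker, so the miss has to reset the count rather than simply totalling clicks.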
Common Mistakes MSPs Make With Phishing Simulations
- Running campaigns without client sign-off: A simulation email that a client's employee flags as a real attack — and the client didn't know campaigns were live — is a support nightmare. Always document scope and authorization before the first send.
- Using the same template repeatedly: Employees pattern-match fast. Sending the same "Microsoft password reset" template every month trains people to recognize your template, not phishing in general. Rotate scenarios, brands, and attack vectors every cycle.
- Skipping deliverability setup: Simulation emails blocked by the client's spam filter produce artificially low click rates and zero training value. Whitelist your simulation infrastructure before every campaign — it takes 15 minutes and changes the validity of all your results.
- No remediation loop: Running simulations without automatic follow-up training is the single biggest gap in most MSP phishing programs. A clicker who doesn't receive immediate, relevant training will click again next month at roughly the same rate.
- Treating all attack vectors as email only: SMS smishing click rates now exceed email phishing in several SMB verticals. An MSP running email-only simulations is testing against yesterday's threat model. Multi-vector coverage is the baseline standard for the phishing attack types your clients face in 2026.
- Presenting click rates without context: A 14% click rate on its own means nothing to a client. Put it against the industry average (17–22% for untrained SMBs), show the trend over 6 months, and translate it to dollar-risk. That's a conversation, not just a report.
How ThreatPulse Automates the Entire Workflow
The process above is manageable for one or two clients. At 20 or 50 clients, it breaks without automation. The manual work — importing employee lists, setting up templates, whitelisting IPs, generating reports, assigning training — multiplies linearly with every client you add.
ThreatPulse was built specifically for MSP delivery at scale. Here's what automation looks like across each phase:
One dashboard. Every client. Zero per-campaign setup.
Planning: Client onboarding captures scope configuration once. Campaign cadence, employee roster, and difficulty level are set per client and run automatically on schedule — no per-month setup required.
Template selection: ThreatPulse's AI-adaptive engine selects and generates templates based on each user's click history. Users who haven't clicked in months get harder scenarios. Users who clicked last month get targeted follow-up. The template never repeats exactly because it's generated per-user, not pulled from a static library.
Campaign launch: Deliverability whitelisting is handled once during onboarding. Employee lists sync automatically (or via CSV import). Campaigns launch on schedule without manual intervention. You're notified of results, not setup tasks.
Reporting: Per-client reports generate automatically after each campaign closes. MSP-level roll-up shows portfolio risk trends across all clients. Reports are designed for QBR use — executive summaries with headline metrics and trend charts, not raw data exports.
Remediation: Clickers receive immediate micro-training at the moment of click, then are auto-enrolled in relevant training modules. Repeat clickers trigger escalation alerts. Completion rates track alongside click rates in all reports.
- Multi-vector coverage: email phishing, SMS smishing, voice vishing, USB drop simulations
- No seat minimums — bill clients at $1.50/user/month, keep your margin
- No annual contracts — monthly billing aligns with MSP cash flow
The difference between running phishing simulations manually and running them through ThreatPulse is roughly 4–6 hours of MSP staff time per client per month versus 15 minutes of results review. At 30 clients, that's the difference between phishing simulation being a labor sink and a true managed service line.
The Bottom Line
Running phishing simulations well isn't complicated — but it is systematic. The five phases (plan → template → launch → report → remediate) each have failure modes that undercut the value of the whole program. Get the scope agreement done upfront, rotate your templates, fix deliverability before you send, and make sure every clicker gets actual training, not just a score on a report.
For MSPs running this across more than 10 clients, manual execution stops being viable. The economics of managed phishing simulation only work when the per-client labor cost drops toward zero — which requires automation at every phase of the workflow.
ThreatPulse handles the full cycle automatically — campaign setup, AI-adaptive template generation, deliverability, reporting, and remediation training — across all your clients from a single dashboard. The pricing page shows how the MSP margin model works at different client volumes.