TLDR: Onboarding a new security awareness client by hand takes four to eight hours of repetitive work. An API-driven platform cuts that to under 30 minutes, reduces provisioning errors, and lets MSSPs scale human-risk services without scaling headcount. This post introduces a four-level onboarding maturity model and a 90-day automation roadmap.
A new MSSP client signs the statement of work on Thursday. They need 340 employees enrolled in security awareness training, quarterly phishing simulations, role-based compliance modules, and executive dashboards by Monday. Your analyst opens the platform admin panel, exports a CSV from the client’s identity provider, cleans the columns by hand, uploads users one group at a time, assigns training manually, schedules the first simulation, and builds three reports from scratch.
By Friday evening, the analyst has spent six hours on work that adds no strategic value. The client sees nothing except a delayed kickoff. The margin on the first month is already thin.
This is the onboarding tax that most MSSPs pay every week. It is not a talent problem. It is an automation problem.
Why Onboarding Is the Highest-Leverage Process to Automate
For MSSPs, security awareness training is a volume business. A single provider may deliver programs across dozens or hundreds of clients, each with different user counts, compliance regimes, and risk profiles. The work between contract signature and first live report looks similar every time, yet most providers still perform it manually.
The cost of that repetition compounds. Analysts who should be interpreting risk data and advising clients instead copy rows between spreadsheets. Provisioning errors create support tickets. Inconsistent configurations make benchmarking impossible. And every hour spent on setup is an hour not spent on the outcomes that justify recurring revenue.
The business case is reinforced by broader service-provider data. In ConnectWise’s 2024 State of SMB Cybersecurity report, 94% of surveyed organizations reported suffering at least one cyberattack, and 76% acknowledged they lack in-house cybersecurity skills.1 SMBs are turning to MSPs and MSSPs precisely because they cannot manage this work themselves. The providers that onboard them fastest capture the relationship and the renewal.
The financial upside of automation is equally clear. IBM’s 2025 Cost of a Data Breach Report found that organizations using AI and automation extensively shortened breach lifecycles by 80 days and reduced average breach costs by $1.9 million.2 While that study measured incident response, the same principle applies to service delivery: removing manual delay from security operations reduces both cost and risk exposure.
What an API-Driven Security Awareness Platform Actually Does
An API-driven platform is not simply a web application that happens to expose a few endpoints. It is one where the core operations, provisioning users, assigning training, launching simulations, and pulling risk data, can be executed programmatically and tied into the MSSP’s existing tooling.
For onboarding specifically, the critical capabilities are:
- Directory synchronization. Read users and groups from Azure AD, Google Workspace, or an HRIS system so the training platform stays current as employees join, move, or leave.
- Tenant provisioning. Spin up a logically isolated client environment with default policies, branding, and compliance settings through a single API call.
- Program assignment. Map groups to training tracks, compliance modules, and simulation cadences based on role, location, or risk profile.
- Scheduled execution. Launch phishing simulations, reminder campaigns, and report generation on a defined calendar without manual intervention.
- Data extraction. Pull completion rates, click rates, reporting rates, and risk scores into the MSSP’s BI tool, PSA, or client portal.
When these capabilities are available as first-class APIs, onboarding becomes a workflow problem rather than a data-entry problem.
Symbol Security exposes these operations through a public API so MSSPs and vCISO partners can build the same workflows into their own stacks. The Symbol API supports tenant provisioning, directory sync, training assignment, simulation scheduling, and reporting. For partners that want the outcomes without the engineering work, the MSSP Partner Program and vCISO Partner Program include built-in automations for onboarding, scheduling, reporting, and day-to-day administration, and Managed Program Services can run the entire program under your brand.
The API-Driven Onboarding Maturity Model
Not every MSSP needs the same level of automation. Some are just launching security awareness services. Others are managing hundreds of tenants and need fully orchestrated delivery. The following maturity model helps you locate your current state and identify the next investment.
| Level | Name | Characteristics | Typical Onboarding Time |
|---|---|---|---|
| 1 | Manual | Ad-hoc CSV uploads, hand-built groups, per-client configuration, analyst-driven reporting. | 4–8 hours |
| 2 | Templated | Standardized onboarding checklist, reusable group mappings, report templates, but still mostly manual execution. | 2–4 hours |
| 3 | Automated | Directory sync, API-based provisioning, automated training assignment, scheduled simulations, standardized dashboards. | 30–60 minutes |
| 4 | Orchestrated | Fully API-driven lifecycle management integrated with PSA/CRM/HRIS, custom client portals, predictive risk workflows, and self-healing exceptions. | Near zero-touch |
Most MSSPs operate between Level 1 and Level 2. The jump to Level 3 is where margin and client experience improve dramatically, because it eliminates the repetitive work that consumes analyst hours without requiring the heavy engineering investment of Level 4.
Level 1: Manual Onboarding
At this level, every new client is a custom project. The analyst exports a user list, formats it to match the platform’s CSV template, uploads it, manually creates groups, assigns training modules one by one, and schedules the first phishing simulation from the admin console.
The problems are predictable. CSV formats vary between clients. Group names are inconsistent. Training assignments depend on which analyst performed the setup. Reporting is rebuilt for every quarterly business review. Scaling beyond a handful of clients requires hiring more analysts at the same rate as revenue.
Level 2: Templated Onboarding
Here the MSSP has created checklists, naming conventions, and report templates. Onboarding is more consistent, but the execution still depends on a person clicking through the same sequence of screens. The improvement is real but incremental.
Templates reduce variability, but they do not reduce labor. An analyst still spends hours per client on configuration, and the process remains vulnerable to sick days, turnover, and simple human error.
Level 3: Automated Onboarding
This is the practical target for most growing MSSPs. Directory integration keeps the user base synchronized. APIs provision the tenant, apply a standard policy set, assign training by group membership, and schedule recurring simulations. Dashboards are pre-built and automatically populated.
The analyst’s role shifts from data entry to exception handling and client advisory. A process that once took half a day now takes a brief review. The MSSP can onboard more clients with the same team, or redeploy that team toward higher-value services like vCISO advisory and incident response.
Level 4: Orchestrated Onboarding
At this level, onboarding is just one node in a broader client lifecycle workflow. A new client record in the PSA triggers tenant creation. HRIS changes automatically update training assignments. Risk scores feed into quarterly business reviews without manual extraction. Exception handling is rules-based, and most clients can be provisioned without touching the platform’s admin console.
This level requires more upfront integration work and is typically reached by MSSPs with mature development or automation practices. The return is a service that scales like software rather than professional services.
A 90-Day Roadmap to Level 3 Automation
Moving from manual or templated onboarding to automated onboarding does not require a full engineering team. It requires a deliberate sequence of small integrations that remove the largest bottlenecks first.
Week 1–2: Audit the Current State
Document the exact steps an analyst takes from contract signature to first live report. Time each step. Identify which actions are repeated identically across clients and which are genuinely client-specific. The repeated actions are your automation targets.
At the same time, inventory your existing tools. Most MSSPs already use a PSA, a documentation platform, an identity provider, and possibly an HRIS. The goal is not to replace them but to connect them to the security awareness platform through APIs.
Week 3–4: Standardize the Data Model
Before automating, agree on standards. Define canonical group names, training track mappings, simulation cadences, and report formats. This step is often skipped in favor of writing scripts, but it is what makes automation maintainable.
For example, decide that every client will have groups named after function, not department titles that vary by organization: end_users, finance, it_admin, executives, contractors. This lets a single automation rule assign the right training track without per-client logic.
Week 5–8: Implement Directory Sync and Tenant Provisioning
Connect the identity provider first. Directory sync eliminates the most error-prone step in onboarding: keeping the user list current. Most modern platforms support SCIM or direct Azure AD / Google Workspace integration.
Next, use the security awareness platform’s API to create new tenants. A single scripted call should apply the default configuration: branding, base training assignment, simulation schedule, and notification preferences. The Symbol API exposes endpoints for tenant provisioning, directory sync, training assignment, and simulation scheduling, so this step can be turned into a repeatable workflow rather than a manual checklist. This is the automation that turns a multi-hour setup into a few minutes.
Week 9–12: Automate Reporting and Exception Handling
Build scheduled exports or direct API pulls into your BI tool or client portal. Standardize a weekly or monthly risk report that shows completion rate, phishing click rate, reporting rate, and repeat offender trends. Partners using Symbol’s Managed Program Services receive packaged monthly executive summaries and audit-ready attestation artifacts without reformatting.
Finally, define what happens when the automation fails. A user fails to sync. A simulation bounces. A client requests a custom training module. Document the exceptions and assign them to a person. Automation handles the routine; people handle the edge cases.
The Security Case for Faster Onboarding
Automation is usually framed as an efficiency play, but it is also a risk-reduction play. The longer a client spends in onboarding, the longer they remain unmeasured and untrained. KnowBe4’s 2025 Phishing by Industry Benchmarking Report, based on 67.7 million simulated phishing tests, found a global baseline Phish-prone Percentage of 33.1%.3 That means roughly one in three untrained users will click a simulated phishing link.
Every day of manual onboarding is a day those users remain at baseline risk. Shrinking the time from contract to first training session directly shrinks the client’s vulnerability window. In that sense, onboarding speed is a security metric, not just an operational one.
The same KnowBe4 data shows that after 90 days of combined training and simulated phishing, the Phish-prone Percentage drops by over 40%. After 12 months, it falls by 86%, from 33.1% to 4.1%.3 Those outcomes only materialize if users are enrolled quickly and the program runs continuously. Manual onboarding delays both.
What to Look for in an API-Driven Platform
Not every security awareness platform is built for MSSP automation. When evaluating vendors, focus on these capabilities:
- Multi-tenant architecture. Each client should be a distinct tenant with isolated data, but manageable from a single provider console.
- Complete API coverage. Provisioning, group management, training assignment, simulation launch, and reporting should all be available as API endpoints, not just a subset.
- Webhook support. Real-time notifications for completions, clicks, and tenant events let you trigger downstream workflows without polling.
- SCIM or native directory sync. Bidirectional identity synchronization reduces the largest source of ongoing manual work.
- Standardized reporting. Pre-built dashboards and exportable metrics let you deliver consistent client reports without rebuilding them each quarter.
- Transparent pricing. Per-user pricing that scales predictably makes it possible to package security awareness as a standardized service.
Symbol Security was built with these requirements in mind for MSPs and MSSPs. The platform supports multi-tenant administration, API-driven provisioning, and automated program delivery, while the MSSP Partner Program and vCISO Partner Program provide built-in automations for onboarding, scheduling, reporting, and day-to-day administration. Partners that prefer a done-for-you approach can use Managed Program Services to run the entire program under their brand.4
Measuring the Impact
Automation investments should be measured in both cost and outcome terms. Track these metrics before and after the transition to Level 3:
| Metric | Why It Matters |
|---|---|
| Average onboarding time | Direct measure of analyst hours recovered per client. |
| Provisioning error rate | Fewer manual steps means fewer misconfigured groups and missed users. |
| Time to first training completion | Shorter windows reduce client exposure at their most vulnerable moment. |
| Analyst hours per client per month | Shows whether automation is freeing capacity for advisory work. |
| Client satisfaction / NPS | Faster, more consistent delivery improves the partner experience. |
| Revenue per analyst | The ultimate efficiency measure for a service business. |
Aim to cut onboarding time by 75% in the first 90 days. That is an achievable target for most MSSPs moving from Level 2 to Level 3, and it pays for the automation effort through reduced labor and faster revenue recognition.
Building a Service, Not a Series of Projects
The difference between a scalable MSSP practice and a collection of custom engagements is whether repeated work is treated as a project or a product. Manual onboarding treats every client as a project. API-driven onboarding treats delivery as a product: configurable, repeatable, and measurable.
This shift is what allows MSSPs to package security awareness as a standardized service, price it predictably, and demonstrate consistent risk reduction across the entire client base. It also creates the foundation for higher-value offerings like human risk management, where risk scores and behavioral data drive targeted interventions.
The organizations that win in the next phase of managed security will not be the ones with the largest analyst teams. They will be the ones whose platforms let a small team deliver outcomes at scale.
References
- ConnectWise. The State of SMB Cybersecurity in 2024. https://www.connectwise.com/globalassets/media/asset-docs/executive-briefs/the-state-of-smb-cybersecurity-in-2024.pdf
- IBM. Cost of a Data Breach Report 2025. https://www.ibm.com/security/data-breach
- KnowBe4. 2025 Phishing by Industry Benchmarking Report. https://www.knowbe4.com/phishing-by-industry
- Symbol Security. Partners: MSSP. https://symbolsecurity.com/partners/mssp