Day 1 Recap — Hoxhunt MSP Portal Design Sprint

📊

The Problem in NumbersOperational data from Support & Operations roles

~190h

Manual ops hours per month

Spent by Hoxhunt staff on MSP work

216

Support tickets per month

From MSP partners to Hoxhunt CS

10–14d

Days to first live campaign

From contract signed to live simulation

91%

Tickets self-serviceable

With the right portal capabilities

~145h

Hours saved per month

Estimated with full portal coverage

25–40

Active MSP partners

Growing; 10–15 more in pipeline

5

Open sprint questions

Defined by PM & Decider to resolve

30min

Target onboarding time

Down from 10–14 business days

📋

Problem BriefProduced by Product Manager

Current State

Every customer lifecycle action requires Hoxhunt involvement — tenants take 1–3 business days to provision via email request
No unified cross-customer view — MSPs log into each tenant individually
Bulk operations (push campaign to 50 customers) impossible without Hoxhunt assistance
License and tier changes require manual emails; MSPs can't see their own consumption
Configuration done via shared spreadsheets, email threads, and screen-sharing calls

Desired Future State

MSPs are fully autonomous — zero Hoxhunt involvement for standard ops
New customer tenant provisioned and configured in under 30 minutes
Single dashboard across all customers with health metrics at a glance
Bulk operations are first-class: push campaigns, assign training, toggle settings
Hoxhunt ops team shifts from ticket-handling to strategic partner enablement
MSP channel scales to 100+ partners without proportional headcount growth

Validated Portal Capabilities (from customer interviews)

Must Have View all customers in one place · Must Have Self-service tenant creation · Must Have Configure provisioning, email & branding per tenant · Must Have Assign products & licenses · Must Have Cross-customer analytics · Must Have Bulk phishing campaigns · Should Have Bulk settings changes · Should Have Bulk training assignment · Could Have Customer health scoring · Could Have Self-service offboarding

❓

What This Sprint Must Answer5 open questions the sprint is designed to resolve

1

What does the end-to-end MSP workflow look like in the portal?A clear, testable journey from "MSP signs a new customer" to "customer is live and receiving simulations" — complete, intuitive, and fast enough.

2

How do we handle bulk operations without overwhelming the interface?MSPs managing hundreds of customers need bulk actions, but the UI must remain approachable for MSPs with only a handful of customers.

3

What cross-customer analytics do MSPs actually need?We have signal that they want comparative metrics, but we don't know exactly which metrics matter most, how they want to consume them, or what actions those metrics should drive.

4

Can an MSP realistically complete tenant setup without Hoxhunt support?The configuration steps (email, IdP, branding) are inherently complex. Can a guided self-service flow work, or will some steps still require Hoxhunt assistance at MVP?

5

How should the portal communicate status across async operations?Tenant provisioning, user sync, and campaign deployment are not instant. How does the MSP know what's happening, what's done, and what needs attention?

🗺️

MSP Operator Journey MapProduced by Product Designer — 9 stages, current state → portal opportunities

Stage

1. Customer Win & Kickoff

Today

Email Hoxhunt channel manager → wait 1–5 days for tenant

Pain

Can't promise a go-live date. No visibility into request status.

Portal Opportunity

"New Customer" wizard — instant provisioning, inline validation, appears in dashboard immediately

Stage

2. Identity & User Provisioning

Today

Follow PDF guide for Azure AD / Okta / Google Workspace; CSV for others; contact support on errors

Pain

Silent sync failures. No way to verify without logging into each tenant. CSV has no error reporting.

Portal Opportunity

Guided IdP wizard with live "Test Connection" button, sync health dashboard, row-by-row CSV validation

Stage

3. Email Environment Config

Today

Multi-step technical guide; manual test emails; trial-and-error debugging; escalates to Hoxhunt support

Pain

Most technically variable step. Misconfiguration discovered only when campaign fails.

Portal Opportunity

Email config checklist with "Send Test Simulation" button; green/yellow/red delivery status badges per customer

Stage

4. Product & License Assignment

Today

Email Hoxhunt → wait 1–2 days; MSP tracks allocation in a spreadsheet

Pain

No real-time visibility. Can over/under-provision. Billing surprises. No self-service.

Portal Opportunity

License dashboard: total pool, allocated, used per customer. Inline-edit, tier changes with billing preview, overage alerts

Stage

5. Campaign & Training Config

Today

Configure each customer individually by logging into each tenant separately. No templates.

Pain

#1 scalability bottleneck. 50 customers = 50 manual logins. No concept of reusable policy.

Portal Opportunity

Templates applied to selected customers. Multi-select bulk-apply. Policy model: change once, all linked customers update.

Stage

6. Monitoring & Reporting

Today

Log into each tenant individually. Export CSVs. Manually compile in Excel. ~4h/month.

Pain

No aggregated view. Can't identify at-risk customers without checking each one.

Portal Opportunity

Portfolio-level dashboard: sortable/filterable table, sparklines, drill-down, one-click reports, threshold alerts

Stage ⭐

7. Bulk Operations

Today

Impossible. Must ask Hoxhunt to run backend scripts. Or do each tenant one by one.

Pain

Single biggest scalability bottleneck. 500 customers × any change = days of manual work or it doesn't happen.

Portal Opportunity

Multi-select + action pattern. Preview impact. Confirm destructive actions explicitly. Async progress tracking. Retry failed items.

Stage

8. Lifecycle Changes

Today

Contact Hoxhunt support for domain changes, tier changes, branding updates

Pain

Unpredictable turnaround. MSP can't self-serve routine changes. Damages MSP credibility with customers.

Portal Opportunity

Customer settings panel: self-serve domain management, branding, plan changes, status, change history

Stage

9. Offboarding

Today

Email Hoxhunt → manual deactivation. No standardized data export. License reallocation is informal.

Pain

No self-service. Freed licenses don't auto-reallocate. MSPs often confuse "suspend" vs. "offboard" — data loss risk.

Portal Opportunity

Deactivate wizard: export data → confirm → release licenses. Soft-delete with 30-day recovery window. Clear suspend vs. offboard distinction.

🔴 Most Complex Interaction — Flagged for Decider

Stage 7: Bulk Operations is the hardest design challenge. It requires: selection at scale (filters, segments, exclude patterns), impact preview before acting, proportional safeguards for destructive actions, async execution with partial failure handling, and post-action audit + undo. This is where most multi-tenant portals fail. Getting it right is the single highest-leverage design decision in this sprint.

💡

How Might We StatementsProduced by Product Manager — 7 themes, 7 selected as sprint-shaping

⭐ Selected HMWs — voted as most important, shaped the sprint goal

HMW let an MSP spin up a new customer tenant in under 5 minutes without any Hoxhunt involvement? HMW give MSPs a single dashboard that answers "how are all my customers doing?" at a glance? HMW let an MSP push a phishing simulation campaign to 50+ customers at once without configuring each one individually? HMW guide an MSP through email environment configuration so they feel confident they've done it correctly — even if it's their first time? HMW surface the customers that need attention without the MSP having to check each one? HMW handle partial failures in bulk operations so the MSP knows exactly what succeeded and what needs attention? HMW make the portal intuitive enough that a new MSP partner can start using it without training from Hoxhunt?

Customer Setup & Provisioning

HMW guide an MSP through IdP integration when each provider has a different setup flow? HMW give MSPs a clear checklist so nothing gets missed or forgotten during setup? HMW reduce time from "contract signed" to "first simulation sent" from days to hours? HMW handle the case where an MSP starts setup but can't finish in one session?

License & Product Management

HMW make it transparent how many licenses are used vs. available across the entire portfolio? HMW handle license overages gracefully — warning before they exceed allocation? HMW let MSPs upgrade/downgrade a customer's tier mid-contract without disrupting active campaigns?

Visibility & Ongoing Operations

HMW let MSPs compare customer performance side-by-side to identify best practices and underperformers? HMW provide MSPs with data they need to create customer reports — without manual CSV exports? HMW show leading indicators of risk early enough to act on them? HMW keep the MSP informed about async operations so they're never left wondering "did it work?" HMW ensure MSPs can only see and manage their own customers — never another MSP's?

🎤

MSP Expert InterviewsProduced by MSP Representative role — two real-world operator perspectives

🧑‍💻

Persona A — The Lean MSP Technician

22-person MSP · 55 customers · 14 months Hoxhunt experience

Onboarding Timeline Today

Day 0: Sales hand-off (info chase takes 1–3 days)
Day 1: Email Hoxhunt for tenant → wait 1–3 business days
Day 3–5: Configure basics + IdP (1–2 hrs; up to full day for edge cases)
Day 5–7: Email allowlisting (1–3 hrs, often requires support ticket)
Day 7–10: First campaign + validation (40% test failure rate)
Total: 10–14 business days on a good run

Top Pain Points

Cannot create tenants — must wait on Hoxhunt every time
No single-pane-of-glass across 55 customers
License management is a black box — can't reallocate
No guided onboarding wizard or step-by-step setup
Tenant context switching requires logging out and back in

Benchmark

"NinjaOne is the gold standard — adding a new org takes 2 minutes, the tenant-switcher is fast, dashboards show all orgs at once. That's the bar."

Definition of Success

"If this portal can get a new customer from zero to first live campaign in under 5 business days with no Hoxhunt support tickets, I would consider that transformative."

👔

Persona B — The MSP Operations Lead

180-person MSP · 420 customers · 2.5 years Hoxhunt · dedicated security team of 28

Scale Challenges

No multi-tenant management — can't see which of 420 customers haven't had a campaign in 30 days
No configuration templates — configuration drift is a real problem as team grows
Bulk operations non-existent — pushing a setting to 420 tenants is a project, not a task
License tracking is a manual spreadsheet; billing disputes have occurred
No API — can't integrate with Rewst automation or PSA workflows

Critical Integration Needs

API access — prerequisite for any MSP managing 100+ customers
Webhooks — push events into PagerDuty & ConnectWise ticketing
SSO — Azure AD auth for all 28 security staff
RBAC — junior analysts can't change licenses or delete tenants

Definition of Success

"If this portal lets my team onboard a new customer in under 30 minutes with zero Hoxhunt interaction, gives me portfolio-wide visibility, and provides API access — it will be a strong competitive differentiator. If it doesn't, we'll eventually look for a vendor whose tooling matches our operational maturity."

⚙️

Operations Brief — Self-Service Opportunity MapProduced by Support & Ops role — 10 manual processes, estimated hours, and self-service feasibility

Process	Time / Instance	Frequency / Mo	Monthly Hours	Self-Serviceable?
New customer tenant creation	45 min	20	15.0h	Yes
User provisioning configuration	30 min – 3 hrs	20	25.0h	Yes
Product & license assignment	20 min – 1 hr	30	12.5h	Yes
Email environment configuration	2 – 4 hrs	18	54.0h	Partially
Campaign & simulation configuration	15 – 30 min / tenant	25	12.5h	Yes
Training course assignment	15 min / tenant	15	3.75h	Yes
Reporting & analytics requests	1 – 3 hrs	12	24.0h	Yes
Tenant suspension / offboarding	20 – 45 min	8	4.0h	Yes
Branding & customization	25 min	10	4.2h	Yes
Configuration troubleshooting & fixes	30 min – 2 hrs	35	35.0h	Partially

Total Monthly Burden

~190h

≈ 1.2 FTEs dedicated to MSP manual ops

Estimated Hours Saved

~145h

76% reduction with full portal coverage

Remaining (Needs Human)

~45h

Complex email configs, edge-case escalations

🔧

Technical LandscapeProduced by Engineer role — existing systems, what must be built, and key risks

Must Build for MVP

Tenant provisioning API — versioned, external-facing. Highest complexity. Est. 4–6 weeks.
MSP-scoped identity & access layer — new principal type across multiple tenants. Est. 3–5 weeks.
Cross-tenant campaign dispatch — bulk scheduling with queue-based orchestration. Est. 3–4 weeks.
Cross-tenant analytics aggregation API — sortable, filterable, time-range queries. Est. 2–4 weeks.
License & product tier management API — integrates with billing. Est. 2–3 weeks.

Technical Opportunities (Easier Than Expected)

Internal admin panel may already have tenant CRUD endpoints — wrapping behind an auth gateway could be fast
Campaign template library likely exists — exposing read-only to MSPs is low-effort, high-value
SCIM provisioning is already standard — MSPs just need a setup wizard + documentation
Gamification/scoring system could power cross-tenant benchmarking at low additional cost

Tenant provisioning has no API surface

Critical

Current process involves manual DB scripts and internal tooling. Exposing as a reliable API is a significant infrastructure project. Mitigation: audit end-to-end, build incrementally with async provisioning model.

No multi-tenant identity model exists

High

Current RBAC is single-tenant. Retrofitting cross-tenant access touches every auth check. Mitigation: implement as a separate gateway with "tenant switching" pattern — MSP assumes role within specific tenant per action.

Bulk ops will break synchronous request patterns

High

Sending to 500 tenants synchronously will time out. Mitigation: design bulk ops as async jobs from day one with job ID + polling. Use message queue for fan-out. Set realistic MVP scale target (50 tenants, path to 500+).

Billing/license may be manual spreadsheet

Medium

If license management isn't in a system yet, building the API creates a billing reconciliation problem. Must validate current state before designing the self-service license UI.

📚

Partner Case StudiesProduced by CS/Sales role — 3 real-world partner stories and design lessons

Nordic IT Services

~80 employees · 45 customers · Scandinavia · Advanced technical maturity · 18-month partner

Active — Top 5 by seats

What Worked

Expanded from 3 pilot customers to 18 in 8 months
Developed own QBR deck using Hoxhunt analytics
Positioned Hoxhunt as a sales differentiator

What Was Painful

Queue delays (7–10 days) caused missed go-live dates
Hybrid Exchange email config needed 3-week escalation
Monthly CSV exports across all tenants take 4+ hours to compile

Design lesson: Self-service provisioning is the #1 unlocker for fast-growing partners. Even technically capable MSPs are throttled by the current process. Cross-tenant dashboard directly eliminates their biggest ongoing operational burden.

Central European MSP Group

~320 employees · 70 customers · DACH region · Highest seat count · 2-year partner

Active — At risk without bulk ops

What Worked

Deeply sticky customer base in regulated industries
Helped improve GDPR documentation for all EU partners
Near-zero churn once live

What Was Painful

Pushing a new template to 70 customers took 3 weeks of manual clicks
24 individual seat change requests in one quarter
White-labeling absent — end customers see Hoxhunt brand, not MSP brand
Engineers reported "feeling like data entry clerks"

Design lesson: Bulk operations are non-negotiable for large MSPs. Without the ability to push settings/campaigns across multiple selected tenants, this partner's operational model does not work. License self-management is also a clear must-have. White-labeling is a recurring commercial ask for the roadmap.

Westfield Technology Partners

~22 employees · 18 customers · US · Low technical maturity · No dedicated security practice

Churned — Jan 2026

Why They Failed

No one ever fully learned the platform — IT generalists handled setup
Several tenants provisioned but campaigns never activated
CSV user management abandoned as too burdensome with high-turnover retail customers
Couldn't pull customer reports; asked CS to do it twice, then stopped

Owner's Exit Feedback

"The product probably works great if you have someone dedicated to running it. We don't have that person."

Design lesson: If setup is complicated enough that an IT generalist can't complete it, lower-maturity MSPs will abandon. The portal needs mandatory "activation checklists" and obvious progress indicators. That said, partner qualification should probably require a minimum security practice maturity — Westfield was likely not a good partner fit regardless of portal quality.

🌍

Partner LandscapeProduced by CS/Sales role — who our MSPs are and what they need

Partner Size Mix

55% — Small regional (5–50 employees, local SMBs)
35% — Mid-sized national (50–300 employees, 20–100 customers)
10% — Large enterprise-grade (300+ employees, 200+ customers)

Technical Maturity Split

60% — Limited: rely heavily on Hoxhunt CS, no API use
30% — Moderate: certified, can self-serve with some guidance
10% — Advanced: dedicated security practice, want API access, push for feature parity

Top 3 Friction Points

No aggregated view across customers — MSPs feel "blind"
Tenant provisioning requires Hoxhunt — creates 5–15 day delays
No self-service license & seat management — constant small requests

⚠️

Known Constraints & Design GuardrailsWhat the sprint design must respect

Technical

Tenant isolation is non-negotiable — MSP must never access another MSP's customers
IdP integrations require external steps the portal can guide but not eliminate
Bulk operations must be async — synchronous calls will fail at scale
Current architecture likely monolith or small service set — affects build speed

Business & Legal

MSP pricing model still being finalized — portal should not hard-code a pricing structure
Must work for 5-customer MSPs and 500-customer MSPs simultaneously
GDPR & data residency: customer data must stay in correct region, MSP admin access must be auditable
MVP must be shippable within two quarters — sprint should focus on that window
Transition period: some MSPs will still need hand-holding while others self-serve