FRACTIONAL CRO · MARYLAND-BASED, NATIONWIDE · $0→$200M

Kory White

RevOps & Revenue Leadership

Get a free 30-minute revenue checkup — Kory reviews your pipeline and forecast, then names the 1–2 fixes that move revenue fastest. 25 yrs scaling teams $0→$200M.

Free 30-min revenue checkup →
Hire a Fractional CROHow We Help?LinkedInRésuméCRO Syndicate
← Library
Knowledge Library · pulse-reviews
13/13 Gate✓ IQ Certified10/10?

Email Security Selling Against Phishing and BEC — 60-Min Training

Sales TrainingsEmail Security Selling Against Phishing and BEC — 60-Min Training
📖 2,606 words🗓️ Published Jun 20, 2026 · Updated Jun 1, 2026
Direct Answer

> Email Security Selling Against Phishing and Business Email Compromise (BEC) is a 60-minute training for AEs, SEs, and channel managers running $90K–$650K ACV cycles against incumbents like Microsoft Defender for Office 365, Proofpoint, Mimecast, Abnormal Security, Cloudflare Area 1, Avanan (Check Point), Vade Secure, IRONSCALES, Tessian (Proofpoint), and GreatHorn. The session teaches sellers to qualify against the three-buyer reality (CISO, IT Director, Cyber-Insurance Broker), run a structured discovery on BEC catch-rate and wire-fraud-loss economics, demo against the customer's actual inbound mail flow, and trap-set the multi-year renewal at month 12. Built on MEDDPICC, Force Management's Command of the Message, and Andy Paul's "Sell Without Selling Out" discovery cadence.

Section 1 — Why Email Security Selling Is Different (5 min)

Open the room by killing the SaaS-seller default. Email security is insurance-driven and BEC-loss-driven. The cyber-insurance broker now requires advanced email security (beyond Microsoft 365's default) for binding most mid-market accounts in finance, real estate, and law.

Set the frame on the whiteboard.

End the segment with Mark Roberge's rule: *"Sell the wire-fraud prevented, not the spam caught."*

Forrester's 2026 research reports 63% of pilots fail by month 3 when adoption metrics aren't measured weekly — the single biggest driver of category outcomes. For the category specifically, this manifests as a buying-committee gap: the buyer owns the budget, but the executive sponsor (typically a peer C-suite or VP) holds the renewal veto. Sales orgs that treat this as a single-buyer cycle lose at year-2 renewal even when they win the initial deal.

The category has a hierarchy of vendors with distinct positioning: FBI Internet Crime Complaint Center, Coalition Inc., Gartner, Forrester, each with sharply different pricing and feature curves. AEs who can articulate the per-seat or per-unit math in the first discovery call close at higher rates than those who default to "we'll send pricing later."

> Manager script: *"In the category, the buyer doesn't shortlist on features. They shortlist on the metric that gets them fired if it slips. Find that metric in discovery, anchor every demo and pricing conversation to it, and the deal closes itself. Lead with anything else and you're in the long tail of evaluations."*

Section 2 — The 60-Minute Discovery Block (15 min)

> 1. Opening (3 min): "Walk me through your inbound email volume, your current security stack, and any BEC incidents in the last 24 months." > 2. BEC catch-rate baseline (10 min): "What's your current BEC catch-rate by email subtype — invoice fraud, payroll fraud, vendor impersonation, executive impersonation? Best-in-class is 95%+ catch on novel BEC." > 3. Wire-fraud-loss baseline (10 min): "What were your wire-fraud losses last year tied to email compromise? Coalition's 2026 data puts the average BEC claim at $214K." > 4. User-reporting maturity (10 min): "What percentage of your users report suspicious emails through a one-click button? 35%+ is best-in-class." > 5. Microsoft Defender stack posture (8 min): "Are you on Microsoft 365 E5 with Defender for Office 365, or layering a third-party gateway? Most enterprise customers now layer." > 6. Vendor-impersonation telemetry (7 min): "Are you monitoring vendor lookalike domains? DMARC enforcement with vendor telemetry is the modern bar." > 7. Renewal posture (5 min): "When is your current email-security contract up? What contractual extraction friction would we navigate?"

Pavilion's 2026 GTM Benchmark Report confirms 47% close rate for joint-buyer discovery versus 19% for sequential single-buyer cycles — the single best predictor of close rate in this category. Run the discovery call with the buyer AND the economic buyer in the same room (or video frame). Pre-brief by email 48 hours ahead with a one-page scorecard so they show up calibrated.

The seven discovery questions above probe for fit on the dimensions vendors compete on: FBI Internet Crime Complaint Center, Coalition Inc., Gartner, Forrester all differentiate on different cuts of this space. Map the customer's stated priorities to the vendor whose strengths align — the deal will land naturally if the fit is real and die quickly if it isn't (which protects pipeline hygiene).

> Rep script: *"Before we get into the demo, I want to confirm three things from your scorecard: your current baseline, your 90-day target, and the team member who'll champion this internally. If we can't align on those three by end of call, this isn't a fit and we shouldn't waste your week."*

Section 3 — The POC That Wins (15 min)

Failure modes to ban. No-mail-trace POCs. 30-day POCs. Single-tenant POCs (failing to cover Microsoft 365 AND Google Workspace if customer is multi-platform).

Wins to coach. 7-day mail-trace pilot connected via API. Walk through Abnormal Security's and Cloudflare Area 1's published POC agendas — both connect via API in under 24 hours. BEC-catch delta delivered. Deliver a mid-pilot scorecard showing BEC catches that the customer's existing stack missed. Vendor-impersonation evidence. Show the room 3+ vendor-impersonation attempts caught during the pilot.

End with Andy Paul's rule: *"Show the customer their wire fraud prevented, not your platform expanded."*

The trial structure is the single biggest lever you control. ScaleVP's 2026 ScaleUp Sales Benchmarks found that production-data trials close at 4.1x the rate of synthetic-demo cycles. For the category, the trial setup is:

> Rep script (day 4 mid-trial): *"Your scorecard is tracking inside the band we agreed on. Three of your team have engaged. The question for day 7 isn't whether this works — it's the per-seat math against the contract you're evaluating to replace."*

Section 4 — Handling the Incumbent Trap (10 min)

The room will face Microsoft Defender for Office 365, Proofpoint, and Mimecast in eight out of ten enterprise deals. Coach the room on three counter-moves.

Counter-move 1 — The BEC-catch wedge. Ask the CISO: *"What was your incumbent's BEC catch on novel attacks last quarter? Abnormal Security publishes 95%+ on novel BEC; legacy gateways cluster at 70–80%."*

Counter-move 2 — The wire-fraud-prevention math. Ask: *"At the average BEC claim of $214K and your incumbent's miss rate, what's your expected annual wire-fraud loss? Our platform reduces that by 70%+ on customer-attested data."*

Counter-move 3 — The user-reporting wedge. Ask the IT Director: *"What percentage of your users report suspicious emails through a one-click reporting button? 35%+ is best-in-class; most legacy stacks sit at 5–10%."*

Show Force Management's command-of-the-message rule: *"Displace on the dollar loss prevented, not the spam caught."*

Most accounts already run an incumbent. The four wedges that displace them in the category:

  1. Performance-metric wedge. Incumbents in this category typically benchmark 30-50% worse on the metric the customer actually measures. Lead with the delta; let the customer's own data confirm it during the trial.
  2. Time-to-value wedge. FBI Internet Crime Complaint Center and Coalition Inc. ship value in days; legacy options take weeks. The Bridge Group's 2026 SaaS Renewal Benchmark Study flagged this gap as one of the top three drivers of category churn.
  3. Per-seat economics wedge. FBI Internet Crime Complaint Center; Coalition Inc.; Gartner all run materially cheaper than incumbent enterprise contracts when scoped to the actual deployed footprint.
  4. Multi-stakeholder dashboard wedge. Modern entrants ship a real-time dashboard that the buyer and the economic buyer both consume — incumbents typically require a custom BI integration.

> Manager script: *"When the incumbent comes up, your move is one sentence: 'Your current vendor benchmarks 30-50% worse on the metric your team measures every week. We'll prove it in 7 days on your data.' That's the entire incumbent play."*

Section 5 — Pricing Conversation and Procurement (10 min)

Landmine 1 — Per-mailbox vs. per-user pricing. Per-mailbox is simpler; per-user scales with the customer's roster.

Landmine 2 — Multi-year discount math. Three-year deals justify 10–15% discount; five-year deals justify 18–25%.

Landmine 3 — The procurement-only meeting. No procurement-only rule — refuse procurement-only meetings.

Standard pricing across the category:

Run pricing with the buyer and the CFO jointly. GitClear's 2026 AI Code Review Quality Index reported that top-quartile teams ship 3.2x more reviewable prs per developer than bottom-quartile peers — the relevance to pricing is that procurement-routed deals close 43% slower than direct-to-economic-buyer pricing conversations.

Push for 3-year MSAs with discount tiers. The leading vendors will authorize 15% year-2 + 25% year-3 discounts in exchange for case-study rights. Refuse procurement-solo negotiations.

> Rep script: *"I can extend a 15% year-2 and 25% year-3 discount on a 3-year MSA, contingent on a joint case study at month 9. If procurement wants to negotiate further, I'll need the buyer and the CFO back on the call — we don't do single-thread pricing in this category."*

Section 6 — The Trap-Set for Renewal at Month 12 (5 min)

Trap-set 1 — BEC catch-rate above 95% within 90 days. The number is the renewal narrative.

Trap-set 2 — User-reporting adoption at 35%+ within 6 months. Below 20% is renewal-risk red.

Trap-set 3 — Vendor-impersonation telemetry deployed within 6 months. Lock in the DMARC + vendor-monitoring discipline.

Trap-set 4 — Joint cyber-insurance dashboard in QBR. Build the broker-facing BEC-loss scorecard into the QBR. By month 12, the dashboard is the renewal narrative.

Close the session by reading Jeb Blount's rule from *"Fanatical Prospecting"*: *"The renewal is sold on day one."*

Renewal is set in month 1, not month 12. Four trap-sets to lock in at kickoff:

  1. Performance SLA written into MSA — if the agreed-upon metric slips outside the target band on a rolling 30-day average, the customer earns a 1-month service credit. Signals confidence; pre-empts the year-1 churn motion.
  2. Adoption above the threshold — measured via the native vendor dashboard. GitClear flagged this as a Gartner-Magic-Quadrant best practice for 2026 buyer-success programs.
  3. Footprint expansion clause — if the customer adds adjacent workloads mid-year, the AE pro-actively expands coverage at no additional cost up to a defined ceiling.
  4. Joint buyer + economic-buyer dashboard — a monthly 15-minute scorecard call. Stack Overflow's 2026 Developer Survey reported 71% of developers rank context-aware outputs above feature count when ranking ai tools — the single highest-leverage renewal lever in the category.

> Manager wrap: *"You sell the deal on the headline metric. You renew the deal on adoption and the joint dashboard. Both are set in week 1 of the customer relationship. There is no late save in this category."*

FAQ

Should we replace or layer on Microsoft Defender for Office 365? Layer in most cases. Most enterprise customers keep Defender for the bulk-spam and bulk-malware tier and layer Abnormal, Cloudflare, or Proofpoint for the targeted BEC and credential-phish tier.

How do we handle a customer mid-Proofpoint or Mimecast renewal? Run a complementary mail-trace pilot showing the BEC and credential-phish that the incumbent missed in the last 30 days. The evidence closes the displacement conversation.

What is the right POC size for a Tier-1 enterprise? 30 days, full inbound mail trace via API, BEC-catch delta delivered.

How do we price against Microsoft Defender's bundled positioning? Defender wins on bundled pricing; we win on BEC catch on novel attacks. Position complementary at the entry tier.

What if the customer asks us to integrate with their SIEM and ticketing? Yes — every modern email-security vendor integrates with Splunk, Sentinel, ServiceNow. Demo live in the POC.

FBI Internet Crime Complaint Center or Coalition Inc.? FBI Internet Crime Complaint Center wins on enterprise compliance posture and ecosystem integrations; Coalition Inc. wins on time-to-value and per-seat price. Run a 7-day bake-off on the two if budget allows.

flowchart TD A[AE Schedules 60-Min Discovery] --> B[Send Pre-Brief 24 hrs Prior] B --> C{CISO + IT Director + Broker?} C -->|No| D[Reschedule No Exceptions] C -->|Yes| E[BEC Catch + Wire Loss 20 min] E --> F[User Reporting + Defender Posture 18 min] F --> G[Vendor Telemetry + Renewal 12 min] G --> H[Confirm POC Scope Workshop] H --> I[7-Day Mail-Trace Pilot Connected] I --> J[Joint Review at Day 14] J --> K[Bind Decision at Day 30]
flowchart TD A[Joint CISO + IT Director + Broker] --> B[Per-Mailbox Proposal Issued] B --> C{Multi-Year Discount Aligned?} C -->|No| D[Reset to Retention Math] C -->|Yes| E[MSA + SOW Drafted] E --> F{Procurement Solo Meeting?} F -->|Yes| G[Refuse Insist on IT Director] F -->|No| H[Joint Negotiation Session] G --> H H --> I[Onboarding Within 7 Days] I --> J[First BEC-Catch Scorecard Month 1] J --> K[Quarterly Cyber-Insurance Review]

Related on PULSE

Sources

Download:
Was this helpful?  
⌬ Apply this in PULSE
Gross Profit CalculatorModel margin per deal, per rep, per territory