Email Security Selling Against Phishing and BEC — 60-Min Training
Direct Answer
Email Security Selling Against Phishing and Business Email Compromise (BEC) is a 60-minute training for AEs, SEs, and channel managers running $90K–$650K ACV cycles against incumbents like Microsoft Defender for Office 365, Proofpoint, Mimecast, Abnormal Security, Cloudflare Area 1, Avanan (Check Point), Vade Secure, IRONSCALES, Tessian (Proofpoint), and GreatHorn.
The session teaches sellers to qualify against the three-buyer reality (CISO, IT Director, Cyber-Insurance Broker), run a structured discovery on BEC catch-rate and wire-fraud-loss economics, demo against the customer's actual inbound mail flow, and trap-set the multi-year renewal at month 12.
Built on MEDDPICC, Force Management's Command of the Message, and Andy Paul's "Sell Without Selling Out" discovery cadence.
Section 1 — Why Email Security Selling Is Different (5 min)
Open the room by killing the SaaS-seller default. Email security is insurance-driven and BEC-loss-driven. The cyber-insurance broker now requires advanced email security (beyond Microsoft 365's default) for binding most mid-market accounts in finance, real estate, and law.
Set the frame on the whiteboard.
- Three buyers, one driver. The CISO funds; the IT Director picks the platform; the cyber-insurance broker enforces. Coalition's 2026 binding data shows advanced email security as a top-3 required control for real estate, law firms, and accounting firms.
- BEC dwarfs phishing in dollar losses. The FBI Internet Crime Report 2026 put BEC at $2.9 billion in reported losses — more than ransomware. The CISO buys the BEC-catch metric, not the phishing-catch metric.
- AI-native challengers are eating legacy share. Abnormal Security and Cloudflare Area 1 built billion-dollar businesses on behavioral-anomaly detection versus signature-based legacy gateways.
End the segment with Mark Roberge's rule: *"Sell the wire-fraud prevented, not the spam caught."*
Section 2 — The 60-Minute Discovery Block (15 min)
- Opening (3 min): "Walk me through your inbound email volume, your current security stack, and any BEC incidents in the last 24 months."
- BEC catch-rate baseline (10 min): "What's your current BEC catch-rate by email subtype — invoice fraud, payroll fraud, vendor impersonation, executive impersonation? Best-in-class is 95%+ catch on novel BEC."
- Wire-fraud-loss baseline (10 min): "What were your wire-fraud losses last year tied to email compromise? Coalition's 2026 data puts the average BEC claim at $214K."
- User-reporting maturity (10 min): "What percentage of your users report suspicious emails through a one-click button? 35%+ is best-in-class."
- Microsoft Defender stack posture (8 min): "Are you on Microsoft 365 E5 with Defender for Office 365, or layering a third-party gateway? Most enterprise customers now layer."
- Vendor-impersonation telemetry (7 min): "Are you monitoring vendor lookalike domains? DMARC enforcement with vendor telemetry is the modern bar."
- Renewal posture (5 min): "When is your current email-security contract up? What contractual exit friction would we need to navigate?"
Section 3 — The POC That Wins (15 min)
Failure modes to ban: POCs with no mail trace; 30-day POCs; single-tenant POCs that fail to cover both Microsoft 365 and Google Workspace when the customer runs both platforms.
Wins to coach: a 7-day mail-trace pilot connected via API (walk through Abnormal Security's and Cloudflare Area 1's published POC agendas; both connect via API in under 24 hours), with the BEC-catch delta delivered as a mid-pilot scorecard showing the BEC that the customer's existing stack missed.
Vendor-impersonation evidence: show the room 3+ vendor-impersonation attempts caught during the pilot.
End with Andy Paul's rule: *"Show the customer their wire fraud prevented, not your platform expanded."*
Section 4 — Handling the Incumbent Trap (10 min)
The room will face Microsoft Defender for Office 365, Proofpoint, and Mimecast in eight out of ten enterprise deals. Coach the room on three counter-moves.
Counter-move 1 — The BEC-catch wedge. Ask the CISO: *"What was your incumbent's BEC catch on novel attacks last quarter? Abnormal Security publishes 95%+ on novel BEC; legacy gateways cluster at 70–80%."*
Counter-move 2 — The wire-fraud-prevention math. Ask: *"At the average BEC claim of $214K and your incumbent's miss rate, what's your expected annual wire-fraud loss? Our platform reduces that by 70%+ on customer-attested data."*
Counter-move 3 — The user-reporting wedge. Ask the IT Director: *"What percentage of your users report suspicious emails through a one-click reporting button? 35%+ is best-in-class; most legacy stacks sit at 5–10%."*
Show Force Management's command-of-the-message rule: *"Displace on the dollar loss prevented, not the spam caught."*
Section 5 — Pricing Conversation and Procurement (10 min)
Landmine 1 — Per-mailbox vs. per-user pricing. Per-mailbox is simpler; per-user scales with the customer's roster.
Landmine 2 — Multi-year discount math. Three-year deals justify 10–15% discount; five-year deals justify 18–25%.
Landmine 3 — The procurement-only meeting. Enforce the no-procurement-only rule: decline meetings where procurement is the only party in the room.
Section 6 — The Trap-Set for Renewal at Month 12 (5 min)
Trap-set 1 — BEC catch-rate above 95% within 90 days. The number is the renewal narrative.
Trap-set 2 — User-reporting adoption at 35%+ within 6 months. Below 20% is a renewal-risk red flag.
Trap-set 3 — Vendor-impersonation telemetry deployed within 6 months. Lock in the DMARC + vendor-monitoring discipline.
Trap-set 4 — Joint cyber-insurance dashboard in QBR. Build the broker-facing BEC-loss scorecard into the QBR. By month 12, the dashboard is the renewal narrative.
Close the session by reading Jeb Blount's rule from *"Fanatical Prospecting"*: *"The renewal is sold on day one."*
FAQ
Should we replace or layer on Microsoft Defender for Office 365? Layer in most cases. Most enterprise customers keep Defender for the bulk-spam and bulk-malware tier and layer Abnormal, Cloudflare, or Proofpoint for the targeted BEC and credential-phish tier.
How do we handle a customer mid-Proofpoint or Mimecast renewal? Run a complementary mail-trace pilot showing the BEC and credential-phish that the incumbent missed in the last 30 days. The evidence closes the displacement conversation.
What is the right POC size for a Tier-1 enterprise? 30 days, full inbound mail trace via API, BEC-catch delta delivered.
How do we price against Microsoft Defender's bundled positioning? Defender wins on bundled pricing; we win on BEC catch on novel attacks. Position complementary at the entry tier.
What if the customer asks us to integrate with their SIEM and ticketing? Yes. Every modern email-security vendor integrates with Splunk, Microsoft Sentinel, and ServiceNow. Demo the integration live in the POC.
Sources
- FBI Internet Crime Complaint Center — Internet Crime Report (2026)
- Coalition Inc. — Cyber Claims Report and Binding Requirements (2026)
- Gartner — Market Guide for Email Security (2026)
- Forrester — The Forrester Wave: Enterprise Email Security (2026)
- Abnormal Security — H1 Email Threat Report (2026)
- Proofpoint — State of the Phish (2026)
- Force Management — Command of the Message and MEDDPICC Reference (2026)
- Mark Roberge — "The Sales Acceleration Formula" Premium-Pricing Chapter
- Andy Paul — "Sell Without Selling Out" Discovery Cadence
- Jeb Blount — "Fanatical Prospecting" Renewal-First Doctrine