The bottom line: price per employee tells you nothing until you know what the cycle includes
The monthly price per employee is the number almost everyone compares first, and it is the one that helps least. Two platforms can cost the same per person and deliver very different things: one charges to send simulations and report clicks, the other includes credential monitoring, training at the moment of failure, and later validation that behavior actually changed. Price only makes sense when we know what the cycle includes, not when we look at it in isolation.
That is why it pays to reverse the order. Before requesting quotes, we define what a human risk management (HRM) program, the category these platforms belong to, is supposed to do, and only then compare what each vendor charges to deliver it. This piece gathers the criteria to do that without getting stuck on the most visible figure.
The most common pricing models and what each one hides
Per-employee monthly billing is the dominant model, and its appeal is that it looks easy to compare. The trouble shows up when two vendors use the same unit for different packages: one includes the whole cycle in that figure, the other reserves half its capabilities for higher tiers. The unit is identical, the content is not.
Human risk is managed automatically.
Turn human risk into your first line of defense.
Book a demoFree demo · 30 minutes · No commitment
The second model is licensing by blocks or employee bands, common on platforms built for large enterprises. It usually costs less per person at scale, but it penalizes the midsize company that lands just above a threshold and ends up paying for seats it does not use. The third, less frequent, charges per activated feature: simulation on one side, training on another, credential monitoring as an add-on. Here the base fee is misleading, because the real price is only known once we add up the modules that are genuinely needed.
The question that orders this part is not which model is cheapest, but which one hides the least. A low price that leaves out the capabilities that matter is not a saving, it is a deferred invoice.
What is included and what is billed separately
This is where two quotes that look alike come apart. It pays to ask in writing what the fee includes and what is billed outside it, with particular attention to four elements.
Leaked-credential monitoring is the first. Detecting that an employee's passwords already circulate in public breaches or on the dark web delivers value from day one, without waiting to accumulate behavioral data. When this capability is sold as a separate add-on, the base price stops being comparable.
The second is post-failure validation, usually called retest: probing the person again with the same type of deception weeks later, in a different context, to confirm they learned the lesson rather than remembering one email. There is peer-reviewed evidence that completing training does not, on its own, predict a reduction in real failures (Ho et al., IEEE S&P 2025; Lain et al., IEEE S&P 2022); what proves the change is measuring behavior again, a distinction we develop in how to measure if security training works. A platform that only reports completed courses charges for activity, not for outcome.
The third is reporting for leadership, and the fourth is implementation. It is worth asking whether the report an executive committee understands comes included or is an extra, and whether the initial connection runs on its own through OAuth or carries a setup charge. None of these four elements is a decoration: they are the difference between a sending tool and a program that closes the cycle.
The cost of the minimum: why an employee floor protects the measurement
Almost no platform says so on the first call, but measuring human risk needs a minimum number of people for the result to mean anything. With very small samples, a couple of unlucky clicks moves the risk score for the whole company and the figure stops being reliable.
That floor, far from being a commercial limitation, is a sign of statistical honesty. A vendor that promises a valid risk score for a team of eight is selling a precision it cannot sustain. For the focus on companies of 25 to 500 employees, the minimum is rarely an obstacle, and it is better understood for what it is: the condition for the measurement not to be noise.
How to compare two offers without looking only at the fee
With the criteria clear, the comparison stops being a row of prices and becomes a matrix of what each vendor delivers. A provider comparison like the one we gathered in the best human risk management platforms in LATAM helps map the terrain, but the final decision is made criterion by criterion. The table below gathers the ones that separate a cheap fee from a program that truly reduces risk, with the question worth asking and the red flag for each.
| Criterion | What to ask | Red flag |
|---|---|---|
| Pricing model | Does the per-employee fee cover the full cycle or only sending simulations | The base price excludes core capabilities that are billed separately later |
| Credential monitoring | Is it included or an add-on with an extra cost | Sold as an add-on and absent from the base fee |
| Retest validation | Does the platform probe the person again after a failure | Only reports completed courses and click rate |
| Reporting for leadership | Is the executive report included | The report the board understands has a separate price |
| Implementation and onboarding | Is the connection automatic via OAuth or is there a setup charge | High implementation fee before any value is seen |
| Employee minimum | What is the floor for the risk score to be valid | Promises reliable measurement with very small samples |
| Personalization | Are simulations adapted by role and behavior | The same simulation for the whole company |
Read this way, the decision changes. The cheapest offer per employee can be the most expensive per outcome if it leaves out half the columns.
The cost of not measuring: what the breach data says
This whole comparison exists because risk has a price, and it is not abstract. IBM's Cost of a Data Breach 2025 report put the global average cost of a breach at USD 4.4 million, a 9 percent drop from the prior year that the report itself attributes to faster identification and containment. The message is twofold: breaches remain expensive, and the speed to detect and contain them is exactly what lowers the bill.
That is the ground a human risk program plays on, because the origin of the problem is human. Cisco's 90-5-5 framework estimates that around 90 percent of breaches involve a human factor. In the same vein, CISA notes that more than 90 percent of successful cyberattacks begin with a phishing email. Both figures point to the same place: the surface that weighs most is the one made of people. Comparing prices without weighing this is optimizing spend on a small part and ignoring the large one. The fee matters, but the underlying question is how much it costs not to measure in time what is already exposed.
At Fensivo we structure pricing around the full cycle rather than loose modules: credential monitoring, role-personalized simulation, training at the moment of failure, and the retest that validates behavior change all sit within the same per-employee fee, with a minimum of 25 people that protects the validity of the risk score. You can see the detail on our pricing page.
Do you know which part of the cycle you are paying for when you compare two per-employee fees, or are you only comparing the most visible number?
Human risk is managed automatically.
Turn human risk into your first line of defense.
Book a demoFree demo · 30 minutes · No commitment
