Cybersecurity for Regulated Organizations
24/7 Security Operations Center, Managed Detection and Response, Endpoint EDR / XDR, identity and email hardening, vulnerability management, penetration testing, and incident response retainer - aligned to CMMC L1 / L2 / L3, HIPAA, NIST 800-171, SOC 2, and cyber insurance underwriting. One Raleigh team. One accountable stack. Petronella Technology Group has been doing this since 2002.
8 Controls. Pick the One That Matches Your Gap.
Cybersecurity is not one product. It is a layered stack of controls, each one closing a specific class of threat. Match your gap on the left to the control on the right - or call us and we will run the assessment together.
In Short - What This Page Covers
- Petronella runs a Security Operations Center, MDR, endpoint EDR / XDR, email and identity hardening, vulnerability management, penetration testing, incident response retainer, and security awareness training as one accountable engagement, not eight vendor relationships.
- Every control maps to a compliance framework. CMMC L1 / L2 / L3, HIPAA Security Rule, NIST 800-171 / 800-172, SOC 2, PCI, and standard cyber insurance underwriting questionnaires all derive from the same control families. We instrument once and harvest the evidence for every framework you are subject to.
- The differentiator is people, not posters. SOC analysts triaging alerts in under 15 minutes, ransomware rollback executed before encryption completes, CMMC-RP credentialed engineers running the engagements. We replace 5+ point vendors with one team and one phone number.
- Compliance and security are different problems and we solve both. Most MSPs sell one. Petronella sells the combined posture because regulated SMBs cannot afford to optimize one and fail the other at audit time.
- Engagements price after a discovery call. Cost depends on user count, endpoint count, regulatory frame, and the specific control mix. Custom-quote model. Request an assessment to scope.
Detect, Respond, Recover
Every engagement runs the same three-stage cycle, end to end. We adopted the labels the NIST Cybersecurity Framework uses for the same reason auditors do: it is the shared vocabulary that lets your security stack, your compliance evidence, and your insurance application all line up.
Find the threat before it lands
Continuous telemetry from endpoint, network, identity, email, and cloud feeds into the SOC. Analysts triage alerts in under 15 minutes, threat hunters look for what the rules missed, and the evaluation pipeline shows which detections are producing real findings.
- 24/7 SIEM and log correlation
- EDR / XDR with behavioral analytics
- Email gateway + DMARC enforcement
- Continuous dark web monitoring
- Vulnerability scanning and asset discovery
Contain it before it spreads
Triage to a verdict in 15 minutes. Isolate the host, kill the process, freeze the account, roll back the encryption attempt. For confirmed incidents, the IR retainer activates with a 1-hour SLA, forensics-grade collection, and chain-of-custody preserved for legal and regulator notification.
- Automated isolation + rollback
- Ransomware kill-switch playbooks
- Forensics-grade evidence capture
- Regulator notification clock managed
- IR playbook rehearsed via tabletop
Restore operations and close the gap
Restore from immutable backups, rebuild affected systems on hardened baselines, and feed the post-incident review back into the control set. Every incident produces a written root-cause analysis and a control hardening item that ships within 30 days.
- Immutable backup restore and verification
- Hardened baseline rebuild
- Written root-cause analysis
- Control-gap remediation roadmap
- Updated audit evidence binder
Four Things That Separate Us From a Stack-Reseller MSP
Anyone can buy the same EDR agent. The difference is what happens after the alert fires. Petronella Technology Group has been running cybersecurity for regulated SMBs since 2002.
A 24/7 SOC Built for Regulated SMBs
Real-time monitoring is the foundation. Without it, every other control is theoretical. Petronella's SOC is the layer that takes telemetry from your endpoints, network, identity provider, email gateway, and cloud workloads and turns it into a triaged finding with a recommended action.
The hard part of building a Security Operations Center is not the tooling. The hard part is the headcount: senior analysts cost into six figures, tier-1 analyst rotation requires 24x7x365 staffing, and the calibration period for new detections runs months. Most SMBs underestimate the operational weight of building this in-house by an order of magnitude. We share a regional SOC across our regulated-SMB client base so the cost amortizes across multiple buyers and you get senior analyst coverage from day one.
Our SOC operates on a 24/7 follow-the-sun model. Alerts route through a tiered triage pipeline: tier-1 analysts validate, classify, and either close or escalate within 15 minutes. Tier-2 analysts execute containment, isolate the host, freeze the account, and roll back the encryption attempt. Tier-3 incident responders handle confirmed breaches with forensics-grade evidence capture and chain-of-custody preservation. The same SOC is used for our managed cybersecurity service, our dark web monitoring, and our incident response retainer.
MDR vs EDR vs XDR - what the acronyms actually mean
EDR (Endpoint Detection and Response) is the agent that lives on the endpoint, sees process behavior, captures telemetry, and can isolate the host. It is a tool. You still need someone watching it.
XDR (Extended Detection and Response) is the platform that correlates EDR telemetry with network, identity, email, and cloud signals. It connects the dots between a phishing click on one workstation and a lateral-movement attempt on a server twenty minutes later.
MDR (Managed Detection and Response) is the service that wraps a 24/7 SOC team around the EDR / XDR platform. The SOC tunes the detections, hunts for what the platform missed, executes containment when alerts fire, and produces the post-incident report. MDR is what makes the EDR investment actually pay off. Without it, the platform fires alerts at a portal nobody is watching.
What the Petronella SOC actually does on a given day
- Continuous monitoring across endpoint, network, identity, email, and cloud. Telemetry flows into the SIEM and detection rules fire automatically. Analysts hunt manually for what the rules missed.
- Triage within 15 minutes. Every alert gets a verdict and an action. False positives close. True positives escalate to containment.
- Containment within 30 minutes for active incidents. Host isolated, account frozen, encryption rolled back, lateral movement cut off.
- Daily threat hunting. Analysts query the data lake for indicators tied to current threat intelligence even when no alert has fired.
- Weekly executive summary. What we saw, what we contained, what we did about it, what changed in your control set.
For organizations where credential theft and keylogger malware are the dominant threat vectors (financial services, law firms handling M&A, regulated healthcare), we layer in our keystroke encryption software as an anti-keylogging control that pairs cleanly with the EDR and SOC monitoring above.
Pen Testing That Auditors and Insurers Actually Accept
A penetration test should produce three things: a written list of exploitable findings ranked by impact, a remediation roadmap your team can execute, and an attestation an auditor or insurer will accept. Many tests produce only the first.
Petronella runs penetration tests in three modes depending on what the buyer needs. External pen tests simulate an internet-borne attacker hitting your perimeter: exposed services, web apps, VPN endpoints, exposed dev or admin surfaces. Internal pen tests simulate an attacker who already has a foothold, testing lateral-movement controls, segmentation, identity propagation, and privilege escalation paths. Web application pen tests target your customer-facing or partner-facing applications against the OWASP Top 10 plus business-logic flaws no scanner will find.
The engagement produces a written report with executive summary, detailed findings with reproduction steps, exploitation evidence, remediation guidance, and a retest provision. The retest is critical. Auditors and underwriters want to see findings discovered, remediated, and retested before the engagement is closed. We include the retest in the engagement scope so the close-out is unambiguous.
For CMMC-aligned defense contractors, the pen test scope is defined by the in-scope CUI enclave and the assessment objectives in NIST SP 800-171A. For HIPAA covered entities, scope follows the risk analysis under 45 CFR 164.308. For cyber insurance, scope follows the underwriting questionnaire and any control-specific carrier requirements. We map the scope to the framework before the test runs.
An IR Retainer Is Insurance That Pays Out Faster
When a breach happens, the clock starts immediately. Regulator notification windows are measured in days, not weeks. Cyber insurance demands a credentialed forensics team. The IR retainer is the difference between a phone call and a scramble.
The Petronella incident response retainer is a pre-positioned engagement with a 1-hour SLA into our forensics team. Pre-negotiated rates, pre-paid hours, written engagement letter, and a chain-of-custody process that survives legal review. The retainer includes an annual tabletop exercise, an IR plan written specifically for your environment, and quarterly plan reviews as your systems change.
What happens when an active incident triggers the retainer: the SOC validates, the IR team is engaged within an hour, containment runs in parallel with evidence capture, the regulator-notification clock is identified and tracked, the cyber insurance carrier is looped in with chain-of-custody-preserved artifacts, and the legal team gets a written timeline they can defend. Read the full incident response playbook for the step-by-step.
For active breaches without a retainer, the same team responds. The difference is the SLA and the cost. Non-retainer emergencies go behind active engagements and bill at standard incident-response rates. The retainer is the right architectural decision for any organization that cannot accept a delayed forensics response.
When You Need Security Leadership Without a Hire
A virtual Chief Information Security Officer (vCISO) is the right call when board reporting, insurance underwriting, regulator inquiries, or executive-level risk discussions need a credentialed voice and you cannot justify a full-time hire.
Most regulated SMBs need security leadership for one to five days per month. Hiring a full-time CISO is unjustifiable at that volume. Hiring no one means executive-level security questions get pushed to whoever in IT raised their hand last. The vCISO engagement solves both. Fractional senior leadership, on a fixed monthly cadence, accountable for the strategy, the controls roadmap, the audit calendar, and the board-level reporting.
Petronella's vCISO and vCIO offerings sit on top of the operational security stack rather than replacing it. The vCISO owns strategy and governance. The SOC owns daily detection and response. The vCIO owns IT strategy and aligns technology investment with business outcomes. The three engagements compose: an organization can take any one, two, or all three. For most regulated SMBs the right move is operational security plus vCISO; the vCIO is added for organizations going through a tech-stack transition or M&A integration. Read our deeper coverage on virtual CISO services and vCISO vs vCIO scope differences.
Security Controls Mapped to the Frameworks You Are Subject To
The same EDR rollback, the same SOC alert, the same access review, and the same penetration test produce evidence for multiple frameworks simultaneously. We instrument once and harvest the evidence wherever it is needed.
CMMC L1 / L2 / L3
Petronella is CMMC-AB Registered Provider Organization #1449. We deliver readiness, gap analysis, remediation, and ongoing operational support across all three levels.
- L1: 17 controls aligned to FAR 52.204-21
- L2: 110 controls aligned to NIST SP 800-171 Rev 2
- L3: enhanced controls aligned to NIST SP 800-172
- SPRS score, SSP, and POAM artifacts produced
HIPAA Security Rule
Covered entities and business associates need ongoing risk analysis under 45 CFR 164.308. Our SOC instrumentation, identity controls, and audit logging produce the evidence the rule requires.
- Annual risk analysis and risk management plan
- Workforce sanction policy and training records
- Access controls, audit logs, and integrity
- BAA signed before any PHI handling
NIST CSF + 800-171 / 800-172
The NIST Cybersecurity Framework is the spine of every other framework. We map every control we deploy back to NIST CSF Identify / Protect / Detect / Respond / Recover.
- NIST CSF 2.0 alignment
- SP 800-171 Rev 2 (CUI environments)
- SP 800-172 (enhanced security)
- SP 800-61 (incident response)
SOC 2 and Cyber Insurance
SOC 2 Type II readiness work and cyber insurance underwriting attestations both rely on the same control evidence. We package the evidence binder once and reuse it across audits and renewals.
- SOC 2 Common Criteria mapping
- MFA, EDR, immutable backup, IR plan attestations
- Cyber insurance application support
- Auditor- and broker-friendly evidence package
PCI DSS
For merchants and service providers handling cardholder data, PCI DSS controls overlap heavily with NIST 800-171 and SOC 2. We map your stack and gap-assess against the applicable level.
- Self-Assessment Questionnaire prep
- Network segmentation review
- Quarterly external ASV scan support
- Annual internal pen test scope alignment
NC SBSAP and State Frameworks
Petronella is a North Carolina Small Business Cyber Security Assistance Program authorized provider, with direct experience in NC-specific small business cybersecurity readiness work.
- NC SBSAP-aligned engagements
- Regional buyer-vetted credentialing
- NC Department of Justice victim-advocate experience
- Local NC-based incident response
Built for Regulated SMBs
Industries where a single breach triggers a regulator, an insurer, and a lawsuit at the same time. The control stack is similar across these verticals; the regulatory framing is what differs.
Talk to Penny - Our 24/7 AI Receptionist
Call (919) 348-4912 right now. Penny picks up before the third ring, asks three qualifying questions, and books your free 15-minute cybersecurity assessment with a CMMC-RP credentialed engineer. The same architecture we ship to clients.
Frameworks We Align To
Every Petronella security engagement is aligned to recognized federal and industry standards so the controls survive an auditor, an underwriter, and a board-level review.
NIST Cybersecurity Framework
The federal reference framework for managing cyber risk. We map every control back to NIST CSF Identify, Protect, Detect, Respond, and Recover functions.
nist.gov
NIST SP 800-171 Rev 2
The 110-control set for protecting Controlled Unclassified Information in non-federal systems. The foundation under CMMC Level 2.
csrc.nist.gov
CISA Guidance
U.S. Cybersecurity and Infrastructure Security Agency guidance on threat intelligence, vulnerability management, and incident response posture.
cisa.gov
FBI Cyber Division
Federal investigative authority for cybercrime. Petronella works alongside FBI cyber teams on confirmed incident response and ransomware-payment guidance.
fbi.gov
HHS HIPAA Security Rule
U.S. Department of Health and Human Services reference for HIPAA Security Rule technical, physical, and administrative safeguards.
hhs.gov
Cyber AB / CMMC Accreditation Body
The CMMC accreditation body authorizing Registered Provider Organizations and C3PAOs. Petronella is verified at RPO #1449.
cyberab.org
Recent Defensive Field Guides
Two practitioner deep-dives that pair well with the controls above: a data loss prevention strategy walkthrough and a complete network segmentation reference.
Cybersecurity FAQ
The questions buyers ask when scoping a cybersecurity engagement, deciding between point tools and a managed stack, or comparing Petronella to a stack-reseller MSP.
Are you an MSP or an MSSP?
Both, by design. We run managed IT and a credentialed Security Operations Center under one roof so your security stack and your help desk are not finger-pointing at each other when something breaks. Most regulated SMBs cannot afford to coordinate four vendors during a live incident. We collapse the coordination into one engagement.
How fast do you respond to an active incident?
Retainer clients get a 1-hour response SLA into the IR team. The SOC executes initial containment within 15 to 30 minutes of an alert validating as a real incident. Non-retainer emergencies still route through the same SOC but queue behind active engagements. Read the incident response guide for the full sequence.
Will this satisfy my cyber insurance application?
Yes. We map our control stack to the standard underwriting questionnaires (MFA universal, EDR deployed, immutable backups tested, written IR plan rehearsed, security awareness training measured) and provide attestations your broker can submit at renewal. Premium reductions are common when the carrier sees a credentialed SOC and a tested IR plan rather than a stack-reseller MSP and an antivirus subscription.
Do you handle CMMC, HIPAA, and SOC 2 directly?
Yes. We are CMMC-AB Registered Provider Organization #1449 and the whole team is CMMC-RP credentialed. We run HIPAA gap analyses, risk analyses, policy work, and remediation under a signed Business Associate Agreement. SOC 2 Type II readiness work, gap assessment, and Common Criteria mapping are delivered as a productized engagement. See CMMC compliance, HIPAA compliance, and the compliance hub.
What is the difference between MDR, EDR, and XDR?
EDR is the agent on the endpoint, capturing process behavior and capable of isolating a host. XDR is the platform that correlates EDR signals with network, identity, email, and cloud telemetry to surface multi-vector attacks. MDR is the service that wraps a 24/7 SOC team around the EDR or XDR platform. EDR without MDR is a tool firing alerts at a portal nobody is watching. The Petronella engagement is MDR by default - tooling plus the humans.
What does cybersecurity cost?
Engagements are scoped after a free assessment. Cost depends on user count, endpoint count, regulatory frame, the specific control mix, and whether IR retainer hours and penetration testing are included. We publish productized package tiers for buyers who want a fixed scope entry point - see the packages page - and custom quotes for everything else. Call Penny at (919) 348-4912 or request an assessment to scope.
Do you only work with Triangle businesses?
No. We are headquartered in Raleigh at 5540 Centerview Dr., Suite 200, Raleigh, NC 27606 and serve regulated SMBs across North Carolina and nationally. Onsite work concentrates in the Raleigh - Durham - Chapel Hill metro and the broader I-40 / I-85 corridor. Remote security operations work the same way regardless of geography.
Can you support a small medical practice or a single-attorney firm?
Yes. The bottom of our range is the regulated small business whose security need is real (because the regulation does not care how many employees you have) but whose internal team is not big enough to scope and ship the build alone. The top of our range is the mid-market regulated organization whose security ambition outruns their internal staffing plan.
Do you offer a free initial assessment?
Yes. Penny books a free 15-minute discovery call with a CMMC-RP credentialed engineer. We listen to your environment, the regulatory frame you are in, and the incidents or audit pressure driving the conversation, then we recommend a starting lane. If we recommend something we do not sell, we say that too. Request your assessment.
Service areas across North Carolina (84 cities)
Bring Us the Threat. We Will Bring the Stack.
If you have read this far, you are not researching the abstract idea of cybersecurity anymore. You have an audit deadline, an insurance application, an incident, or a board question in front of you. The discovery call is fifteen minutes. We listen, we recommend, and we tell you honestly if you do not need us yet.