How Petronella Technology Group Engages With Clients
A short, honest explanation of how the process works, who we serve best, who we do not serve, and what happens if we are not a fit. Read this before booking a call. It will save us both time.
How does the engagement process work?
Discovery
Free 15-minute call with Penny, our AI intake agent. She asks qualification questions, captures your stack, regulatory footprint, and deadline, then books a follow-up with a senior engineer if there is a fit. No pressure, no pitch deck.
Assessment
Paid scoping engagement, typically 2 to 3 weeks. We interview stakeholders, inventory systems, map data flows, and identify compliance gaps. Deliverable is a written assessment with prioritized findings and a fixed-fee implementation proposal.
Engagement
Written proposal with scoped milestones, named deliverables, acceptance criteria, and a timeline. You approve the statement of work in writing before any implementation work begins. Assessment fees credit toward engagement.
Ongoing
Managed services or retainer options after the initial engagement closes, for clients who want Petronella to continue running compliance, threat monitoring, private AI operations, or incident response. Renewable, not auto-locking.
Why no public price list?
Regulated-business security and compliance work is custom by nature. Two defense contractors of similar headcount can have wildly different scopes. One has a clean single-domain Microsoft 365 tenant, a small CUI enclave, and documented policies from a prior assessor. The other has shadow IT across three business units, legacy on-prem file servers with mixed CUI and non-CUI data, an expired POA&M, and three untracked SaaS tools that touch sensitive data. Same employee count. Very different project.
We have watched competitors publish "CMMC Level 2 for $X" pricing and then pile on change orders once the real scope becomes visible. That is not a quote. That is a trap door. Petronella Technology Group does not work that way. We scope in writing before we bill in full, and our assessment phase exists precisely so nobody gets surprised.
If you need a firm number before you can have a real conversation, that is a signal the engagement is not ready yet. In that case, book the free 15 minutes with Penny and we will tell you honestly whether an assessment is the next step, whether you need internal prep work first, or whether a different firm is a better fit.
For commodity, fixed-package offers (AI starter kits, self-serve readiness sessions, off-the-shelf compliance templates), see petronella.ai. Those packages are priced publicly because the scope is fixed by design.
What does the free 15 minutes cover?
The first call exists to protect both sides. You find out within 15 minutes whether we are the right firm for your situation. We find out whether your timeline, budget, and regulatory footprint are compatible with how we work. About 30 percent of intake calls end with a referral out to another firm. That is by design, not a failure.
Penny does not try to close you. She does not push for a calendar hold on the senior engineer. She captures the intake, confirms your email, and sets the expectation: "Someone senior will reach out within 48 hours with a real answer, including the answer no if we are not a fit." If the qualifying questions reveal an obvious mismatch during the intake itself, she will tell you politely and offer to recommend an alternative.
Everything Penny collects is encrypted at rest and only visible to the senior engineer reviewing the intake. No third-party call-tracking tools are plugged into this pipeline. Craig Petronella personally reviews every enterprise-scope intake.
What does a paid assessment look like?
A typical assessment runs along these lines. Week one: stakeholder interviews (IT lead, compliance officer, sometimes CFO or general counsel), system inventory, data-flow mapping, review of existing policies and prior audit reports. Week two: technical scans, access review, identity and key-management posture, SaaS sprawl audit, network and boundary review. Week three: written report with prioritized findings, a gap-closure roadmap, and a line-item implementation proposal.
We do not subcontract assessment work. The engineer who scopes your environment is the engineer you work with during implementation. That matters because tacit knowledge from interview conversations does not always make it onto paper, and we want that knowledge staying with the project.
If the assessment reveals that your project is larger, smaller, or fundamentally different from what the intake with Penny suggested, we say so. We do not stretch scope to match an artificial budget, and we do not pretend a bigger problem is smaller just to get a signature. The value of the assessment is the honest number at the end, not the number you were hoping to see going in.
Many clients proceed directly from assessment to engagement. Some take the written report and implement fixes internally. Some shop the report against other vendors. All three are legitimate outcomes. The assessment is a standalone deliverable, not a bait-and-switch intake for an implementation contract.
Assessment timelines can flex for urgent breach or deadline work. A 72-hour forensic-triage scope obviously does not wait 3 weeks for a written report. In those cases, senior engineer time deploys within 24 hours and a written summary follows once the active response stabilizes. If a regulatory-notification clock is already running, tell Penny that first and everything else reshapes around it.
What assessments are not: vendor-selection beauty contests where three firms each do two-week free discovery and the winner bills for implementation. That model rewards whichever firm is most willing to swallow unpaid scoping time, which is not the firm you want implementing your compliance posture. We bill assessment work because the work is real. If you are comparing us against firms offering free assessments, please read their statement of work carefully to understand what they expect to recover in the implementation phase.
Who we do NOT serve
This section exists so you do not waste a week getting excited about a potential engagement that is never going to close. If you see your situation here, we respect you enough to tell you up front. In most of these cases, there are excellent firms we can refer you to.
Not a fit
- Solo practitioners, very small firms, and side businesses with under $2 million in revenue. The scope of regulated-business work we specialize in does not map to your budget or your risk profile. A local generalist MSP is a better match.
- Shoppers of sub-$10,000 engagements. The scoped, documented, defensible compliance work we do costs real money because it takes real senior time. If your budget ceiling is below that line, look at our commodity offerings at petronella.ai or ask us for a referral.
- Mobile forensics, Cellebrite extractions, EnCase workflows, and traditional private-investigator engagements. We are not Cellebrite-trained. We do not handle chain-of-custody mobile-phone evidence for law-enforcement or civil litigation. A qualified mobile-forensics firm is the right referral.
- Conventional e-discovery, document-review, and litigation-support contracts. We do network, endpoint, crypto-asset, and incident-scope forensics. E-discovery shops are built differently and you will get better value there.
- "Just give me a quote for antivirus" commodity MSP shopping. If you are comparing three local MSPs on price for endpoint protection, email spam filtering, and help desk, that is a commodity conversation and a local generalist will beat us on price. If you are an MSP yourself looking to resell our AI and compliance stack to your clients, see MSP Partners instead.
- Out-of-state retainer-hunting fishing expeditions with no verified decision authority on the call. If the person reaching out cannot describe the regulatory driver, the deadline, and who signs the statement of work, the conversation is premature. Send us the decision-maker when one exists.
- "Tell me everything about your methodology so I can show my boss" without a real project on the table. We publish enough on this site to answer that question. If the follow-up is "great, send me your entire playbook," that is a signal we are being scoped as a free research project, not engaged.
Who we serve best
- CMMC-regulated defense contractors and supply-chain vendors preparing for Level 1 or Level 2 assessments, especially those with existing CUI handling gaps or a deadline under 12 months.
- HIPAA-regulated healthcare, dental, medical-device, behavioral-health, and legal firms handling protected health information who need a defensible written posture, not a checkbox.
- Financial-services firms, legal practices, and fiduciaries subject to GLBA, SEC, FINRA, and state privacy regimes who need real technical controls behind their written policies.
- Incident response for breach, ransomware, business-email-compromise, SIM-swap, crypto theft, pig-butchering, and insider-threat scenarios where a digital-forensics examiner is required. Craig holds DFE #604180.
- Private AI build-outs for regulated organizations: on-premise GPU clusters, private LLM deployments, custom voice agents with PHI or CUI data-residency constraints, and air-gapped AI for defense and legal environments.
- Engineering firms, architectural firms, and AEC-sector professional-services organizations that need both CMMC scope work for federal contracts and private AI tooling for competitive design advantage.
- Mid-market organizations (50 to 2,500 employees) with an existing internal IT function that needs senior advisory, compliance engineering, or specialist augmentation, rather than full IT outsourcing.
If you are not sure which side you fall on
Book the free 15 minutes with Penny anyway. She will tell you in the first few questions whether we are the right firm. If we are not, she will route you to someone we trust. That is a better outcome than silence or a vague "let us get back to you."
What happens if we are not a fit?
Our reputation lives in the referral network. An accountant who sends us an incident-response client, a defense-contractor attorney who sends us a CMMC client, a business coach who sends us a mid-market IT advisory client: those relationships exist because we do not burn trust by forcing every intake into a Petronella-shaped box. When we refer out, we refer to firms we would hire ourselves if the shoe were on the other foot.
Common referral paths include: specialty mobile-forensics firms for Cellebrite, EnCase, and traditional law-enforcement-chain-of-custody work; boutique e-discovery firms for document-review-heavy matters; local generalist MSPs for small-business commodity IT; large assessor organizations for Level 3 CMMC projects that exceed our scope; and private-investigator firms for surveillance, interview, and physical-investigation work outside of digital forensics.
If you need a referral, just ask. We maintain the network so you do not have to cold-call five firms.
What to bring to the first conversation
You do not need a full vendor questionnaire answered before calling. You do not need an RFP. You do not need every system inventoried. What you do need is enough context that Penny can tell a senior engineer what this engagement actually is, so the follow-up call is not a second intake. Here is what moves a conversation from exploratory to actionable.
The regulatory driver and deadline. Is this a prime-contractor flow-down demanding CMMC Level 2 by a specific date? A hospital-system BAA deadline? A cyber-insurance renewal with a new security questionnaire? A breach that already happened and needs forensics on a 72-hour regulatory-notification clock? The driver and the deadline shape every recommendation we make. Without them, we are guessing.
The current-state stack at a high level. Not a full inventory. Just: Microsoft 365 or Google Workspace? On-prem file servers, cloud-only, or hybrid? How many physical sites? Any specialty systems (ERP, EHR, CAD, PLM, lab instruments, legacy line-of-business apps)? This lets us estimate scope within the first call rather than treating the assessment itself as the intake.
Who signs the statement of work. A CEO, CFO, general counsel, COO, or named owner. If the person calling us cannot confidently say "yes, I sign" or "my boss signs and she is on board with this conversation," the engagement is not qualified yet. That is not a judgment. It is a signal that the internal alignment work still needs to happen, and we would rather you do that first than waste your own time on our follow-up call.
If those three pieces exist, the first call can close with a real next step: assessment proposal in hand, or a referral out, or a written "come back to us in 90 days when your RFP closes." All three are respectful of your time.
How do I start?
Call Penny at (919) 348-4912. She qualifies, books the follow-up with a senior engineer, and will not pitch you. If we are not a fit, she says so on the first call. That is the deal.