Industries We Serve. Do you understand my industry?

When a dental group owner, a shop floor manager at a defense subcontractor, a managing partner at a boutique law firm, or a CFO at a mid-sized CPA practice calls a cybersecurity company, they are not comparing feature lists. They are listening for one thing. Does this person understand my world? Can they name my auditor? Do they know what my day looks like when the EHR goes down, when the DCMA letter arrives, when opposing counsel subpoenas our backup tapes, when the state bar sends a technology-competence inquiry, when the C3PAO is scheduled for next quarter and nobody has written the System Security Plan?

That question is not paranoia. It is pattern recognition. Every regulated buyer has watched a previous IT vendor get out of their depth at the worst possible moment. A horizontal generalist cannot produce a HIPAA Risk Analysis that an OCR regulator will accept. A solo consultant cannot run a 24/7 security operations program in February when your CPA firm hits peak tax season and attackers know it. A national MSP with a Raleigh help desk sticker has never actually sat across a desk from a Cyber AB assessor watching them audit your CUI boundary. There is a baseline of vertical fluency that either exists in a firm or it does not, and it takes years to build.

We built it across 24 verticals and sub-verticals over 24 years. The team at Petronella Technology Group spends its days inside these industries. Our founder Craig Petronella wrote books on ransomware response and cyber warfare and has testified as a Digital Forensic Examiner (DFE credential number 604180). He is also MIT-Certified in AI and Blockchain. Our entire team holds the CMMC Registered Practitioner credential. The firm is a CMMC-AB Registered Provider Organization (RPO #1449), verifiable on the Cyber AB member registry. We hold PPSB accreditation from the North Carolina Private Protective Services Board. We have been BBB A+ accredited continuously since 2003. Those are not marketing claims; they are filings and registrations a buyer can verify in about three minutes.

If you came here trying to evaluate whether a Raleigh-based cybersecurity company can actually move the needle inside your specific industry, you are in the right place. The rest of this page is organized the way buyers actually think. By vertical identity, by regulator, by the anxieties that keep founders and operators up at night, and by the sub-verticals within each industry where generic coverage falls apart.

Healthcare is not one thing. A 12-operatory dental group in Cary does not operate like an ambulatory surgery center in Charlotte, which does not operate like a rural federally qualified health center in eastern North Carolina, which does not operate like a behavioral health telepsychiatry practice serving the whole state. A dental practice is dominated by practice management software (Dentrix, Eaglesoft, Open Dental), imaging archives, and claim clearinghouse connections. A surgery center adds anesthesia machines, scheduling integrations, and infection control software. A research site adds IRB workflows, sponsor portals, and 21 CFR Part 11 controls. An integrated system adds HL7 interfaces, FHIR endpoints, and patient portal entanglement. We have worked in all four shapes, and we scale the assessment and the controls to the shape you actually operate.

Defense is not one thing either. A 40-person machine shop supplying a Tier-1 aerospace prime is operationally nothing like a 300-person electronics manufacturer supplying radar subsystems, which is operationally nothing like a boutique engineering firm doing structural analysis for a shipyard, which is operationally nothing like a small software company whose only government exposure is a subcontract schedule line. CMMC Level 2 looks different inside each of these. Whether the right architecture is a full enclave, a segmented VLAN, a managed cloud CUI tenant, or a hybrid depends on your actual workflows, not a brochure. Our starting point is mapping the CUI lifecycle in your environment, then sizing the boundary to the workflow rather than the other way around.

Law firms split by matter type and size. A transactional M&A boutique has dramatically different document security expectations than a family-law practice, a public-defender office, or an intellectual property firm handling patent portfolios. A five-lawyer firm with one office is a different operational animal than a twenty-lawyer firm with offices in Raleigh and Charlotte, which is a different animal again than a mid-market firm with an eDiscovery practice area serving corporate clients. The controls, the document management hardening, and the incident response playbook all have to fit the firm.

Finance is a ladder. A two-person CPA practice using QuickBooks Online and Drake Tax has a very different technology reality than a 60-person regional firm with a tax, audit, and advisory practice, which is different again from a wealth manager with multiple registered investment advisers and a broker-dealer affiliate. FTC Safeguards Rule obligations hit all three. SOC 2 becomes relevant for the larger firms handling outsourced services. FINRA and SEC posture is only relevant further up. We map the obligation set to your actual license and client mix, then build the controls on top.

Field services and dealerships split by geographic span and asset count. A single-rooftop dealer in Garner is a different operation than a four-rooftop dealer with a centralized F&I and a regional service network. A general contractor running one job site in Cary is a different operation than the same firm running five concurrent jobs across the Triangle and the Triad. The number of field devices, the number of cellular endpoints, the number of payment touchpoints, and the number of OEM or supplier integrations all scale differently. We design field architectures for the operational shape you actually run.

Nonprofit and SaaS is a maturity curve. A 4-person 501(c)(3) running on Google Workspace and a single grant database has a very different posture than a 60-person social services nonprofit with case management, accounting, and a donor CRM. A pre-revenue SaaS startup has a different control burden than a Series A company with paying enterprise customers and a SOC 2 deadline. We meet you where you are on the curve and build the next 12 months of program work, rather than trying to install a Fortune-500 control set on day one.

Local matters more in this industry than some buyers realize. When a CUI assessment is in progress, when an auditor arrives on site, when a ransomware incident requires physically rebuilding servers, or when a court-rule retention matter needs evidence handling by a credentialed examiner, a team inside the Carolinas answers faster and in person. Our primary on-site delivery footprint covers North Carolina. For national clients we partner with vetted field technicians under our quality system and manage them from Raleigh, so the buyer experience stays consistent.

Craig Petronella founded Petronella Technology Group in 2002. The firm started the way most MSPs start, doing mixed break-fix and managed services for local businesses. Over two decades, two things happened that reshaped what the firm does and the customers we serve.

The first was the slow migration from generalist managed services into regulated industries. As HIPAA enforcement matured, healthcare clients needed real HIPAA expertise rather than a best-effort friend. As CMMC emerged from the DFARS 252.204-7012 baseline, defense clients needed a Registered Practitioner on the engagement. As the ABA, the NC State Bar, and cyber insurance carriers all moved technology competence to the center of the conversation, law firms started requiring a firm that actually reads state bar ethics opinions and can quote them. We followed the work. By year ten, more than half our revenue was regulated-industry work. By year twenty, essentially all of it was.

The second was the deepening of our cybersecurity practice beyond managed services. Craig wrote books on ransomware response. He earned an MIT certification in Artificial Intelligence and Blockchain. The firm earned Digital Forensic Examiner credentials and PPSB accreditation for private-sector forensics work in North Carolina. We built the capacity to respond to a breach, run the investigation, handle the evidence, work with breach counsel, and stand up recovery, end to end, without handing the client off to three different firms.

The combination is unusual. Vertical specialists often do not have operational IT capacity. Generalist MSPs often do not have vertical or forensic depth. We sit in the middle with both. The trade-off is that we are picky about the industries we enter. If we cannot get to the depth that buyers in that vertical actually need, we do not pretend we can.

The first pattern is paperwork that was assembled, not produced. In every framework we touch (HIPAA, NIST 800-171, SOC 2, GLBA, FFIEC, FTC Safeguards), the difference between a passing assessment and a finding is whether the documentation looks like a record of ongoing operations or a hand-assembled artifact built in the week before the assessor arrived. Auditors and regulators can tell the difference instantly. The metadata, the version history, the cross-references, and the tone of the writing all leak the truth. A vertical specialist's first job is to make sure the documentation cadence matches the operational cadence so the artifacts produce themselves on schedule. We build that cadence into every engagement, regardless of industry.

The second pattern is treating compliance as a project rather than a program. Compliance projects end. Compliance programs continue. A SOC 2 Type II report is not the finish line; it is the receipt that proves you had a program for the prior observation period. A CMMC Level 2 certification is good for three years and assumes you continue to operate the control set during that window. A HIPAA Risk Analysis is supposed to be reviewed at least annually and after any material change. The buyers we see succeed are the ones who internalize that compliance is a steady state, not a sprint, and who treat their MSP partner as the operating arm of that steady state.

The third pattern is underestimating the human attack surface. Every breach we have investigated for a healthcare, defense, legal, financial, or nonprofit client traces back to a human at some point in the chain: a credential reused across services, a wire transfer authorized on a spoofed email, a USB drive plugged in by a contractor, a phishing link clicked on a phone during a busy week. Technical controls help, but a vertical specialist also has to build the awareness program, the executive scenario walk-throughs, the simulated phishing campaign, and the post-incident debriefs that change behavior. We treat the human layer as a discipline equal to the technical layer.

The fourth pattern is letting the assessor relationship become adversarial. A C3PAO, an OCR investigator, a state-bar ethics counsel, an FFIEC examiner, an SEC staffer, and an FTC enforcement attorney are not your enemy. They are the people who get to make a decision about your business, and they make it based on the evidence in front of them. The clients who handle these relationships well treat them with respect, candor, and prepared documentation. The clients who handle them poorly stonewall, hedge, or invent answers under pressure. A vertical specialist's job is to coach the management team into the first mode and out of the second. We do that explicitly with every client whose framework brings a regulator visit into play.

These four patterns are not industry-specific in their root cause, but the surface they appear on is always industry-specific. The healthcare version of "paperwork that was assembled" looks like a back-dated Risk Analysis with a signature page from a former employee. The defense version looks like an SSP whose control implementations contradict the actual network diagram. The legal version looks like a written information security policy that none of the partners have ever read. The financial-services version looks like an annual board report that no one delivered. Recognizing the pattern across verticals and translating it back into the vertical's own vocabulary is part of what a specialist does that a generalist cannot.

HHS Office for Civil Rights (OCR). The OCR investigator who picks up your HIPAA breach notification has a procedural rhythm. They want a written Risk Analysis dated before the incident. They want documented evidence of access controls, encryption, audit logging, and workforce training. They want a Security Incident Report that distinguishes events from incidents. They escalate fastest when the documentation looks back-dated, sparse, or inconsistent with the actual technical environment. We have walked clients through OCR inquiries, corrective action plans, and resolution agreements, and the through-line is always the same: the work has to look like it was done on a normal cadence, not assembled in a sprint after the breach.

The Defense Contract Management Agency (DCMA) and Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). DCMA contract administrators and DIBCAC assessors both care about NIST 800-171 implementation, but they ask different questions. DCMA tracks contract compliance and flow-down clause performance. DIBCAC runs the high-confidence assessments that confirm a prime's or subcontractor's CMMC posture against the actual control set. We have helped clients prepare for both kinds of conversation, and the prep work is meaningfully different. The good news for buyers is that a single well-built program addresses both, if it is built honestly.

C3PAO assessors and Cyber AB Provisional Assessors. The C3PAO performing your formal CMMC assessment is doing a defined exercise: walking your System Security Plan and Plan of Action and Milestones against the 110 NIST 800-171 controls, sampling implementation, and producing a scored result. They are not consultants and they cannot help you remediate during the assessment. Our role as a Registered Provider Organization is to make sure your environment, your documentation, and your team are ready to be examined cleanly. We have coordinated assessments with multiple C3PAOs and we know what each one tends to focus on.

State bars and ethics counsel. The North Carolina State Bar's Authorized Practice committee, the State Bar Ethics committee, and the lawyer assistance program each have a distinct intake. When a firm gets a technology-competence inquiry, the question is rarely about the technical implementation; it is about whether the firm can demonstrate a written policy, an acknowledged training program, and a documented assessment of the risks. We help firms produce that documentation in language that aligns with Rule 1.1 and Rule 1.6 commentary, so the response shows the lawyer side as well as the technical side.

The FTC under the Safeguards Rule. CPA practices, tax preparers, auto dealers, insurance agencies, and a long tail of financial-services firms now sit under the FTC's Safeguards Rule. The FTC's enforcement posture has shifted in the last 24 months: the agency expects a designated Qualified Individual, a written Information Security Program, a written Risk Assessment, encryption, MFA on customer-information systems, secure development, an Incident Response Plan, and an annual report to the board or senior leadership. We have built and operated all of those for clients in each of the covered industries.

FFIEC and NCUA examiners. Community banks and credit unions live under examiner visits that are not advisory. The FFIEC Cybersecurity Assessment Tool, the FFIEC Information Technology Examination Handbook, and the NCUA's ACET have explicit expectations that examiners check against. We have helped client teams prepare for examination cycles by mapping their existing controls to the relevant FFIEC categories, identifying the most common findings before the examiner does, and rehearsing the conversation.

SEC and FINRA. Investment advisers and broker-dealers face SEC examiners and FINRA Risk Monitoring Analysts who evaluate cybersecurity controls during routine examinations and sweep exams. The SEC's amended Regulation S-P, the cybersecurity disclosure rules, and the new Cybersecurity Risk Management rules all impose documented program expectations. We help registered investment advisers and broker-dealers translate those requirements into a working program that survives an examiner walk-through.

Cyber insurance carriers and brokers. Underwriters now ask insured-quality questions: MFA coverage on all administrative access, EDR on every endpoint, immutable backup architecture, email security with brand impersonation protection, security awareness training, incident response retainer in place, and a maintained Business Continuity Plan. We help clients align their controls with the renewal questionnaire so the premium reflects the actual posture rather than a guess. We have caught renewals coming back lower year-over-year for clients who improved measurable controls in the prior cycle.

Customer security questionnaires. A modern mid-market or enterprise customer's vendor security questionnaire (SIG, CAIQ, or a bespoke spreadsheet) is now the most common cybersecurity touch a SaaS or services firm experiences. We help clients produce a defensible response, attach the right policy excerpts, and build an evidence repository that scales to the next 20 customer questionnaires without manual rebuilding each time.

We are not a C3PAO. Petronella Technology Group is a CMMC-AB Registered Provider Organization (RPO #1449). The Cyber AB framework requires legal separation between the firm that prepares you for a CMMC assessment and the firm that conducts the assessment. We could not be your C3PAO even if we wanted to, and we believe that separation makes both roles work better. We refer clients to accredited C3PAOs we trust and coordinate the assessment logistics on your behalf.

We do not run mobile phone forensics in the Cellebrite or Graykey style. Tablet and mobile forensic work in our practice is scoped to BYOD and corporate-mobile breach response only. We do not perform iPhone or iPad chip-off extraction. We do not jailbreak devices. We do not take private-investigator engagements or custody disputes. That work belongs with specialty forensic labs, and we will name three good ones if you need a referral.

We do not chase verticals where we cannot reach depth. If your industry sits outside our six headline verticals and the adjacent overlap is too thin to give you a fluent engagement on day one, we will say so on the first call. Examples we have declined: pure capital-markets institutional buy-side stacks, large-scale higher education central IT, niche petrochemical SCADA programs, professional sports franchise IT. Each of those requires specialist depth we have chosen not to build.

We do not offer break-fix without a security floor. Mixed break-fix and managed services with no security program underneath is how MSPs end up as the headline in a ransomware article. Every managed engagement we accept includes a security baseline, an EDR layer, a backup architecture, and a documented incident response path. If you only want IT support without a security floor, we are not the right firm, and we will tell you on the first call.

We do not publish testimonials for regulated clients. Most of our clients hold protected data: PHI, CUI, privileged matter information, GLBA-covered information, donor and client data. They do not want to be marketed with, and frankly we do not want to advertise them either. We will describe anonymized archetypes on the discovery call. We will not name clients without explicit written approval. That is the trade-off for working with us, and most buyers in regulated industries prefer it.

We do not stack discounts that we cannot honor at renewal. Some MSPs win the first year on aggressive pricing and recoup it on year-two renewal increases. Our pricing model is custom-quote for fixed-fee work, with the assumption that your engagement is multi-year. We would rather price honestly on day one than rebuild the relationship at the first renewal.

We do not run social media outreach against regulated buyers. Cold automation against healthcare CISOs, defense subcontractor program managers, or law firm CIOs is brand suicide and a slow path to LinkedIn account bans. If we meet you, it is because you searched for us, you were referred by a client or partner, or you accepted a polite intro. The same restraint we expect from a vertical specialist firm we apply to our own outreach.