
Inside the Managed XDR Suite

The full bundled stack we install when Petronella Technology Group takes over your detection and response operations. Endpoint, network, cloud, SaaS, identity, and email telemetry routed through one correlation pipeline, one SOAR runbook library, and one 24/7 AI plus human SOC. Vendor-neutral. Compliance-tuned for CMMC Level 1, Level 2, and Level 3, HIPAA, PCI-DSS, and SOC 2.

Custom-quoted per endpoint, per identity, per data source, per retention window
24/7 AI + Human SOC | CMMC RPO #1449 | NC HQ Raleigh | BBB A+ Since 2003

Looking for the service overview instead of the stack anatomy? If you want the methodology, decision matrix, and detect-respond-rehearse rhythm, see the Managed XDR service overview. This page documents what is in the bundle, how the components fit together, and where data flows once we plug it in.

Most cybersecurity buyers do not need another product pitch. They need to see the wiring diagram. They need to know which telemetry sources feed the correlation engine, where the playbooks live, which compliance controls the bundle answers, and what the operating cost will be after the initial deployment. This page is that wiring diagram.

The Petronella Technology Group Managed XDR Suite is the assembled stack we deploy when you outsource detection and response to us. It is intentionally vendor-neutral. We do not lock you into a single security platform because the threat landscape outpaces any one vendor's R&D cycle. Instead we curate enterprise-grade components that play well together, integrate them into a single SOAR pipeline, and run the whole apparatus from our 24/7 hybrid SOC. The artificial intelligence layer runs on our enterprise private AI cluster, which means your alert metadata and forensic artifacts never leave a Petronella-controlled boundary.

If a competitor pitches you a "private tenant" inside a public cloud they do not own, ask where the model weights live and who has root on the inference nodes. Then ask us the same question. The answers are different.

Stack Anatomy

What Is in the Suite

Nine integrated component families, each filling a specific role in the kill-chain. We select the specific enterprise-grade vendor per family based on your tech stack, compliance scope, and existing licenses. The orchestration layer and the SOC are always Petronella-operated.

Endpoint Detection and Response (EDR)
Covers: workstations, laptops, servers
Role in the stack: Continuous process telemetry, behavioral analytics, ransomware rollback, fileless attack detection, on-host containment, USB device control. Detects what antivirus signatures miss.
Integration notes: Cross-platform agent for Windows 10/11, Windows Server, macOS, and major Linux distributions. We standardize on an enterprise-grade EDR engine that exports JSON event streams over a Kafka bus into our correlation layer.

Network Detection and Response (NDR)
Covers: east-west and north-south traffic
Role in the stack: Flow analytics, DNS tunneling detection, lateral movement signatures, encrypted traffic analysis, beaconing detection. Catches what gets past the endpoint agent.
Integration notes: SPAN port or virtual TAP on core switches, plus cloud VPC flow log ingestion. Optional inline TLS inspection where regulatory scope allows. Sensors deploy as virtual appliances; no proprietary hardware required.

Cloud Security Posture Management (CSPM)
Covers: AWS, Azure, GCP
Role in the stack: Continuous configuration baselining, drift alerts, public-bucket detection, over-privileged IAM role detection, encryption-at-rest validation, regional sovereignty enforcement.
Integration notes: Read-only role assumed in each cloud account. Compliance-pack mappings for CIS Benchmarks, NIST 800-53, PCI-DSS, HIPAA. Drift findings flow into the same SOAR queue as endpoint alerts.

SIEM Correlation Layer
Covers: centralized log and event store
Role in the stack: Long-term log retention, cross-source correlation rules, MITRE ATT&CK technique mapping, compliance reporting, threat-hunt query surface. The brain of the suite.
Integration notes: We standardize on a horizontally scalable, cost-efficient SIEM with hot/warm/cold tiering. Default retention is 12 months hot for active hunt and 36 months cold for compliance and forensic recall. CMMC and HIPAA scopes get extended retention.

SOAR Playbooks
Covers: security orchestration, automation, response
Role in the stack: Automated containment actions, ticket creation, evidence collection, stakeholder notifications, scheduled hunts. Cuts mean time to respond from hours to minutes for known patterns.
Integration notes: Library of 140+ Petronella-authored playbooks covering ransomware containment, credential-theft response, business email compromise triage, insider-threat workflows, and compliance evidence collection. Customer-specific runbooks layer on top.

Threat Intelligence Feeds
Covers: external enrichment
Role in the stack: Indicator-of-compromise enrichment, threat-actor attribution, dark-web credential exposure monitoring, brand-impersonation detection, supplier-breach awareness.
Integration notes: Aggregated commercial feeds plus open-source intelligence plus ISAC sharing. Indicators automatically pivot into the SIEM as detection rules. Confidence scores filter low-signal feeds out of analyst queues.

User and Entity Behavior Analytics (UEBA)
Covers: identity-centric anomaly detection
Role in the stack: Baselines normal user and service-account behavior. Flags impossible travel, privilege escalation, after-hours data access, mass downloads, suspicious OAuth grants, account takeover patterns.
Integration notes: Identity events ingested from Entra ID, Okta, Active Directory, and SaaS application logs. Behavioral models retrain weekly against your environment, not a generic baseline.

Email Security Layer
Covers: inbound, outbound, internal mail
Role in the stack: Attachment sandboxing, URL rewriting and time-of-click analysis, business email compromise heuristics, vendor-impersonation detection, post-delivery clawback, DMARC, DKIM, and SPF enforcement.
Integration notes: API-integrated with Microsoft 365 and Google Workspace. Sits in addition to the native gateway, not in line, so mail flow is never interrupted. Compromised-message clawback removes phish from recipient inboxes after delivery.

Identity Protection
Covers: conditional access, MFA, privileged access
Role in the stack: Conditional-access policy hardening, MFA enforcement, privileged-access workstation guidance, just-in-time elevation, password vaulting, service-account rotation reminders.
Integration notes: Works alongside your existing identity provider. We do not replace Entra ID or Okta; we tune them. Privileged access management deploys as a vaulted broker; admins check out elevated credentials per-session with automatic rotation.

All nine families ship as part of every Managed XDR Suite engagement. We rarely deliver fewer; the correlation engine loses its leverage when any single telemetry domain is missing. If you already license one of these components, we can usually integrate the existing tooling rather than rip and replace.
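To make the UEBA row concrete, here is an added example of the kind of impossible-travel check a behavior-analytics layer runs over identity-provider sign-in events. It is illustrative code written for this page, not Petronella's or any vendor's detection logic; the event shape (sign-ins already geo-resolved to coordinates by the enrichment stage), the 900 km/h ceiling, the 50 km jitter floor, and the sample sign-ins are all assumptions. It goes slightly beyond the one-line feature description by handling out-of-order arrival and two distant sign-ins in the same second.

```python
"""Added example, not the page's or any vendor's code: impossible-travel check
over sign-in events. Event shape, coordinates and thresholds are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Iterable, List

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # about airliner cruise speed; faster implied travel is flagged
MIN_DISTANCE_KM = 50.0     # ignore geo-IP jitter inside one metro area


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    src_ip: str
    lat: float  # assumed already resolved from src_ip by the enrichment stage
    lon: float


@dataclass(frozen=True)
class Finding:
    user: str
    first_ip: str
    second_ip: str
    distance_km: float
    hours: float
    implied_kmh: float


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two lat/lon points in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events: Iterable[SignIn]) -> List[Finding]:
    """Flag consecutive sign-ins per user whose implied speed exceeds the ceiling."""
    by_user = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)  # identity logs rarely arrive in order
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < MIN_DISTANCE_KM:
                continue
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            # Two distant sign-ins in the same second: implied speed is unbounded.
            implied = dist / hours if hours > 0 else float("inf")
            if implied > MAX_PLAUSIBLE_KMH:
                findings.append(Finding(user, prev.src_ip, cur.src_ip,
                                        round(dist, 1), round(hours, 2), round(implied, 1)))
    return findings


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample. Coordinates: Raleigh (35.78, -78.64), Charlotte (35.23, -80.84),
# Frankfurt (50.11, 8.68). IPs are documentation ranges, not real sources.
SAMPLE = [
    SignIn("alice", _t("2024-05-02T10:00:00"), "198.51.100.7", 50.11, 8.68),   # arrives out of order
    SignIn("alice", _t("2024-05-02T08:00:00"), "203.0.113.10", 35.78, -78.64),  # Raleigh -> Frankfurt in 2 h
    SignIn("bob",   _t("2024-05-02T08:00:00"), "203.0.113.11", 35.78, -78.64),
    SignIn("bob",   _t("2024-05-02T11:00:00"), "203.0.113.12", 35.23, -80.84),  # ~210 km in 3 h: plausible
    SignIn("carol", _t("2024-05-02T06:00:00"), "203.0.113.13", 35.78, -78.64),
    SignIn("carol", _t("2024-05-02T15:00:00"), "198.51.100.8", 50.11, 8.68),    # 9 h transatlantic: plausible
]


def run_demo(events=SAMPLE) -> List[Finding]:
    return impossible_travel(events)
```

Only alice's pair is flagged: roughly 6,900 km in two hours implies well over 3,000 km/h, while carol's nine-hour crossing stays under the ceiling. In production the floor and ceiling would be tuned per environment, and known corporate egress points (VPN concentrators, cloud proxies) would be whitelisted before this check runs, since they are the usual source of false positives.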

Data Flow Architecture

How the Components Talk to Each Other

The wiring diagram. Telemetry flows in from the left, gets normalized and correlated in the middle, and exits as response actions and analyst-visible incidents on the right. The Petronella SOC sits at the top of the loop, supervised by the AI tier and backed by senior human analysts on every shift.

01 SOURCES
Telemetry Agents
Endpoints, network sensors, cloud APIs, SaaS audit logs, identity events, email security telemetry
02 INGEST
Normalization Bus
Common schema, deduplication, enrichment with threat-intel context and asset metadata
03 CORRELATE
SIEM + AI Layer
Rules, behavioral models, MITRE ATT&CK mapping. AI cluster prioritizes signal over noise.
04 DECIDE
SOAR + Analyst
Playbook executes automatic containment for known patterns; novel patterns escalate to human analyst
05 ACT
Response Actions
Isolate host, disable account, kill session, rotate credential, clawback email, ticket the customer
+-------------------+      +-------------------+      +-------------------+      +-------------------+      +-------------------+
|  TELEMETRY        |      |  INGEST + NORMAL  |      |  CORRELATION     |      |  DECISION        |      |  RESPONSE        |
|  AGENTS           | ---> |  - schema map     | ---> |  - SIEM rules    | ---> |  - SOAR playbook | ---> |  - host isolate  |
|  - EDR            |      |  - dedupe         |      |  - UEBA models   |      |  - tier-1 analyst|      |  - account lock  |
|  - NDR sensors    |      |  - enrich w/ TI   |      |  - AI cluster    |      |  - tier-2 hunter |      |  - cred rotate   |
|  - cloud APIs     |      |  - asset metadata |      |  - MITRE map     |      |  - tier-3 forens.|      |  - email clawback|
|  - SaaS audit     |      |                   |      |                  |      |                  |      |  - ticket out    |
|  - identity log   |      |                   |      |                  |      |                  |      |                  |
|  - email sec      |      |                   |      |                  |      |                  |      |                  |
+-------------------+      +-------------------+      +-------------------+      +-------------------+      +-------------------+
        |                                                      ^                                                      |
        |                                                      |                                                      |
        +------------------------------------------------------+------------------------------------------------------+
                                              FEEDBACK LOOP: tuning, model retrain, customer reporting

Two design choices matter most. First, every component writes into a single normalized event bus before correlation. That means a suspicious PowerShell process on an endpoint, a beaconing DNS query on the network sensor, and a Microsoft 365 sign-in from a brand-new IP can all converge on the same incident card within seconds. Most siloed tooling never sees the relationship. Second, the AI layer is not the decision-maker. It is the prioritizer. Analysts make every containment call that involves a customer-impacting action, except for a small set of pre-authorized automated playbooks where speed matters more than nuance, such as ransomware encryption-pattern detection.
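The two design choices above are easiest to see in code. The following is an added example written for this page, not Petronella's pipeline or any vendor's product: a miniature normalize, correlate, decide loop. Three constructed records stand in for JSON messages off the event bus (an EDR process event, an NDR DNS-beacon event, and a Microsoft 365 sign-in), plus a fourth ransomware-pattern event on a different host. The common schema, the ATT&CK technique mappings, the 10-minute linking window, the scoring used as a stand-in for the AI prioritizer, and the pre-authorized playbook set are all assumptions.

```python
"""Added example, not the page's own code: normalize -> correlate -> decide.
Event shapes, schema, ATT&CK mappings, window and scoring are assumptions."""
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Event:          # the one schema every source is mapped into
    ts: datetime
    source: str
    host: Optional[str]
    user: Optional[str]
    technique: str    # MITRE ATT&CK technique ID assigned by the normalizer
    summary: str


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


EDR_TECHNIQUES = {"encoded_powershell": "T1059.001", "mass_encrypt": "T1486"}  # assumed mapping


def from_edr(raw: dict) -> Event:
    return Event(_ts(raw["ts"]), "edr", raw["host"], raw["user"],
                 EDR_TECHNIQUES[raw["event"]], f"{raw['image']} {raw['cmdline']}")


def from_ndr(raw: dict) -> Event:  # sensor knows the host, not the logged-on user
    return Event(_ts(raw["ts"]), "ndr", raw["src_host"], None, "T1071.004",
                 f"DNS beacon to {raw['qname']} every {raw['interval_s']}s")


def from_m365(raw: dict) -> Event:  # cloud sign-in knows the user, not the endpoint
    return Event(_ts(raw["CreationTime"]), "m365", None, raw["UserId"].split("@")[0],
                 "T1078.004", f"{raw['Operation']} from {raw['ClientIP']}")


NORMALIZERS = {"edr": from_edr, "ndr": from_ndr, "m365": from_m365}


def normalize(raw_lines):
    events = []
    for line in raw_lines:
        raw = json.loads(line)
        events.append(NORMALIZERS[raw["source"]](raw))
    return sorted(events, key=lambda e: e.ts)


@dataclass
class Incident:
    events: list = field(default_factory=list)
    hosts: set = field(default_factory=set)
    users: set = field(default_factory=set)

    def add(self, e: Event) -> None:
        self.events.append(e)
        if e.host:
            self.hosts.add(e.host)
        if e.user:
            self.users.add(e.user)

    def touches(self, e: Event, window: timedelta) -> bool:
        # Link on a shared entity inside the window. A user-only event (M365) joins
        # a card whose host-only events (NDR) were already tied to that user via EDR.
        latest = max(ev.ts for ev in self.events)
        return (e.host in self.hosts or e.user in self.users) and e.ts - latest <= window

    @property
    def techniques(self):
        return sorted({e.technique for e in self.events})


def correlate(events, window=timedelta(minutes=10)):
    incidents = []
    for e in events:
        matches = [i for i in incidents if i.touches(e, window)]
        if not matches:
            inc = Incident()
            inc.add(e)
            incidents.append(inc)
            continue
        primary = matches[0]
        for other in matches[1:]:       # one event bridging two cards merges them
            for ev in other.events:
                primary.add(ev)
            incidents.remove(other)
        primary.add(e)
    return incidents


PRE_AUTHORIZED = {"T1486": "isolate_host"}  # the only auto-contain pattern in this toy


def decide(inc: Incident) -> dict:
    """Stand-in for the prioritizer: score the card, then route it."""
    score = sum(50 if t in PRE_AUTHORIZED else 10 for t in inc.techniques)
    score += 5 * len({e.source for e in inc.events})   # cross-source convergence counts
    auto = [PRE_AUTHORIZED[t] for t in inc.techniques if t in PRE_AUTHORIZED]
    if auto:
        return {"path": "auto", "action": auto[0], "priority": score}
    return {"path": "human", "action": "escalate_analyst", "priority": score}


SAMPLE = [  # constructed records standing in for messages off the event bus
    '{"source":"edr","ts":"2024-05-02T14:00:05","host":"WS-042","user":"jdoe",'
    '"event":"encoded_powershell","image":"powershell.exe","cmdline":"-enc SQBFAFgA"}',
    '{"source":"ndr","ts":"2024-05-02T14:03:10","src_host":"WS-042",'
    '"qname":"cdn-update.example","interval_s":60}',
    '{"source":"m365","CreationTime":"2024-05-02T14:06:40","UserId":"jdoe@example.com",'
    '"ClientIP":"198.51.100.7","Operation":"UserLoggedIn"}',
    '{"source":"edr","ts":"2024-05-02T14:30:00","host":"SRV-07","user":"svc_backup",'
    '"event":"mass_encrypt","image":"unknown.exe","cmdline":"--all"}',
]


def run_demo(raw_lines=SAMPLE):
    return [{"hosts": sorted(i.hosts), "users": sorted(i.users),
             "techniques": i.techniques, "decision": decide(i)}
            for i in correlate(normalize(raw_lines))]
```

The first three records land on one card because the EDR event carries both the host and the user, which lets the host-only NDR beacon and the user-only cloud sign-in chain onto it; that card goes to an analyst. The fourth record matches the pre-authorized ransomware pattern and is routed to automatic host isolation without waiting for a human, which is the speed-over-nuance exception described above.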

Bundle vs Best-of-Breed

Why an Integrated Suite Beats Stitched-Together Tools

There is a legitimate argument for assembling your own best-of-breed stack. There is a less legitimate argument that ends with a 14-product control plane no analyst can operate at three in the morning. Here is the honest tradeoff.

Best-of-Breed, Self-Assembled

  • Every component is "best in class" by individual vendor benchmark, but the joins between them are your problem to engineer
  • Eight to fourteen separate consoles, each with its own access model and on-call rotation, each with its own renewal date
  • Correlation engineering is on you. The vendors do not talk to each other; you write the glue code or hire someone who can.
  • Total cost of ownership often runs 40 to 60 percent above a bundled suite once you factor in integration engineering, training, and 24/7 staffing
  • Compliance evidence collection becomes a scavenger hunt across multiple platforms at audit time

Petronella Managed XDR Suite

  • Vendor-neutral curation: we pick the right enterprise-grade engine per layer based on your existing licenses, compliance scope, and tech stack
  • One contract, one renewal calendar, one ticketing surface, one quarterly business review
  • Correlation engineering is Petronella's job. We own the joins, the schema mapping, and the playbook library across the whole bundle.
  • 24/7 SOC staffing comes with the suite. You do not stand up a night shift; you do not pay an analyst pool retainer; you do not lose coverage when a senior engineer takes vacation.
  • Compliance evidence flows from a single audit-ready reporting layer mapped to CMMC, HIPAA, PCI-DSS, SOC 2, and NIST CSF

The honest caveat: a perfectly resourced security organization with strong platform engineering can build a best-of-breed stack that outperforms any commercial bundle. We meet very few of those. Most organizations we audit are running three or four named-brand security products without a correlation layer underneath. The bundle wins not because the components are individually superior; it wins because the integration is already built, the playbooks already exist, and the analysts already know how to operate it.

Coverage Surface

What the Suite Watches

Every cell in the matrix below represents an active telemetry feed in a default Managed XDR Suite deployment. Customer-specific scope adjustments are common; this is the baseline.

Asset Class                                EDR   NDR   CSPM  SIEM  UEBA  Email  Identity
Windows endpoints and servers              YES   YES   -     YES   YES   -      YES
macOS endpoints                            YES   YES   -     YES   YES   -      YES
Linux servers and VMs                      YES   YES   -     YES   YES   -      YES
AWS workloads and accounts                 YES   YES   YES   YES   YES   -      YES
Azure workloads and tenants                YES   YES   YES   YES   YES   -      YES
Google Cloud workloads                     YES   YES   YES   YES   YES   -      YES
Microsoft 365 tenant                       -     -     YES   YES   YES   YES    YES
Google Workspace tenant                    -     -     YES   YES   YES   YES    YES
SaaS apps (Salesforce, Slack, etc.)        -     -     -     YES   YES   -      YES
On-premise network (switches, firewalls)   -     YES   -     YES   -     -      -
Entra ID / Okta / Active Directory         -     -     -     YES   YES   -      YES

Operational technology, industrial control systems, and clinical medical devices fall outside the default suite scope and require purpose-built sensors. We integrate those when present; the architecture supports it but the components are quoted separately.

Compliance Crosswalk

Which Suite Component Answers Which Control

A short map from regulatory control family to the suite component that produces the evidence. Petronella Technology Group consults across all CMMC levels, including Level 1, Level 2, and Level 3. We are CMMC-RP certified and operate as a Registered Provider Organization, RPO #1449.

CMMC Level 1, Level 2, Level 3: System and Information Integrity (SI)
Requirement: Identify, report, and correct flaws; provide protection from malicious code; monitor security alerts and advisories.
Answered by: EDR + SIEM + Threat Intel + SOAR playbooks. Audit-ready evidence pack maps to each SI control.

CMMC Level 1, Level 2, Level 3: Audit and Accountability (AU)
Requirement: Create, protect, and retain audit logs to enable monitoring, analysis, investigation, and reporting.
Answered by: SIEM retention tier with 12-month hot and 36-month cold. Tamper-evident write-once storage available.

HIPAA Security Rule: Technical Safeguards, 45 CFR 164.312
Requirement: Audit controls, integrity, person or entity authentication, transmission security.
Answered by: UEBA + Identity Protection + SIEM logs. Required PHI access logging captured at every layer.

PCI-DSS v4.0.1: Requirement 10
Requirement: Log and monitor all access to system components and cardholder data.
Answered by: SIEM ingestion of cardholder-environment events; daily log review automated through SOAR.

PCI-DSS v4.0.1: Requirement 11
Requirement: Test security of systems and networks regularly; respond to intrusion detection.
Answered by: NDR + EDR + scheduled threat-hunt playbooks. Quarterly internal scans coordinate with the annual penetration test.

SOC 2: Trust Services Criteria CC6 and CC7
Requirement: Logical and physical access controls; system operations monitoring including detection and response.
Answered by: Identity Protection + UEBA + SIEM + SOAR. SOC 2 examiners typically accept Petronella SOC reports as control evidence.

NIST Cybersecurity Framework 2.0: Detect and Respond functions
Requirement: Continuous monitoring, anomaly and event detection, response planning, communications, analysis, mitigation.
Answered by: Entire suite. The Detect function maps to SIEM + UEBA + NDR + EDR; Respond maps to SOAR + analyst pod.

FTC Safeguards Rule: 16 CFR 314.4
Requirement: Implement and periodically review safeguards; monitor and log activity; detect intrusions.
Answered by: SIEM + Identity Protection + EDR. Annual safeguards assessment leverages our compliance evidence pack.

The suite is not a compliance certification on its own. It is the technical control layer that, paired with the policies and procedures from our compliance practice and a documented System Security Plan, satisfies the technical-safeguards requirements of each framework. We deliver both halves.

Onboarding Milestones

What the First Ninety Days Actually Look Like

Realistic expectations, not "fully operational on day one" marketing. The suite earns its detection edge as it learns your environment. The schedule below reflects what most engagements actually achieve, not aspirational best-case.

Day 1

Kickoff and Asset Inventory

  • SOC introduction call with named senior analyst as your relationship owner
  • Asset discovery scan to validate scope and count licensed endpoints
  • Read-only API role established in each cloud account
  • Communication channels established: Slack or Teams, ticketing, after-hours escalation
  • First batch of EDR agents pushed to a 5 percent pilot cohort
Week 1

Full Telemetry Capture

  • EDR agent deployment completes across all endpoints in scope
  • Network sensors operational on core switches and VPC flow logs
  • Microsoft 365 and Google Workspace audit-log ingestion live
  • Identity-provider events streaming into the SIEM
  • Baseline event volumes calculated for capacity planning
Week 4

Tuning and First Hunt Cycle

  • UEBA models complete their first behavioral baseline pass on user accounts
  • False-positive suppression rules tuned to your specific environment
  • First proactive threat hunt across the captured corpus
  • Initial compliance gap report delivered against your declared framework
  • Quarterly business review template populated with first 30 days of metrics
Month 3

Steady-State Operations

  • SOAR playbooks fully customized to your runbook conventions
  • Detection coverage validated through purple-team tabletop exercise
  • Compliance evidence pack ready for your auditor or assessor
  • UEBA models fully baselined, alert noise reduced 60 to 80 percent from week-1 volume
  • First-quarter business review delivered with measured improvement metrics

We do not promise full coverage on day one. We promise full coverage by week four and steady-state alert hygiene by month three, both of which we have hit on every engagement we benchmark internally. If a vendor pitches you "fully operational on day one," ask them what their false-positive rate looks like in week two; the answer is usually painful.

Pricing Model

What the Suite Costs

Custom-quoted per engagement. The variables matter; a flat per-endpoint number from a generic broker tells you almost nothing about the actual cost of operating a detection program at your scope.

What Drives the Quote

The Managed XDR Suite is custom-quoted because real cost depends on the variables below. Petronella Technology Group provides a fixed monthly subscription after a 30-minute scoping call. We do not surprise-bill on event-volume overages mid-quarter; capacity is sized up front against your declared baseline.

  • Endpoint count: workstations, laptops, servers, virtual machines, ephemeral cloud workloads. Each receives an EDR agent or equivalent telemetry source.
  • Identity count: human user accounts and service accounts that flow into UEBA and identity-protection layers. SaaS-app identities counted separately from primary IdP identities.
  • Data sources and event volume: each ingested SaaS app, each cloud subscription, each network egress, each on-prem firewall. Event-per-second baselines drive SIEM tier sizing.
  • Retention window: default is 12 months hot plus 36 months cold. CMMC and HIPAA scopes often extend cold tier. Longer retention adds storage cost; SOC labor is flat.
  • Compliance scope: CMMC Level 1, Level 2, or Level 3, HIPAA, PCI-DSS, SOC 2, NIST CSF. More frameworks means more evidence-mapping engineering and more report generation cycles.
  • Industry and regulatory burden: defense contractor, healthcare, financial services, and legal carry stricter incident-handling requirements that affect on-call labor mix.
  • After-hours and weekend incident response inclusion: included in the standard suite, but the depth of forensic recovery hours is tunable.

The quote arrives within five business days of the scoping call as a one-page proposal. No mystery line items, no "estimated overage," no auto-renewal lock-ins beyond a standard one-year term.

A typical Managed XDR Suite engagement for a 100-endpoint defense contractor lands as a low-five-figure monthly subscription. A 1,000-endpoint healthcare enterprise lands higher. We will not publish a sticker price because the per-engagement variance is real and material; we will get you a real number within a week of a real conversation.

FAQ

Stack-Anatomy Questions Buyers Ask

If your question is about service-overview, methodology, or decision-matrix specifics, see the Managed XDR service overview. The FAQ below is scoped to bundle-level and component-level questions.

Do I have to replace the security tools I already own?

No. The suite is vendor-neutral by design. If you already own an enterprise-grade EDR, an email security gateway, or a cloud posture tool, we usually integrate the existing product into the correlation layer rather than rip and replace. The 24/7 SOC, the SOAR playbooks, the SIEM correlation, and the threat-intel enrichment are always Petronella-operated. The detection sensors can be a mix of yours and ours.

The exception is when an existing tool is a known dead-end, such as a discontinued product, a license you are about to retire, or a platform we have benchmarked as substantively underperforming for your use case. We will tell you up front in the scoping call; we do not run engagements on stacks we cannot defend.

How is the Managed XDR Suite different from the Managed XDR service overview page?

Two different angles on the same engagement. The Managed XDR service overview answers "what is the methodology, what is the operating discipline, why is your SOC different." This page answers "what is in the bundle, how do the components fit together, what does the wiring diagram look like." Read both before a scoping call; they complement each other rather than overlap.

Why do you not name the specific vendor products you use?

Two reasons. First, we tune the stack per engagement; the EDR engine we deploy for a 50-person law firm is rarely the same one we deploy for a 5,000-endpoint healthcare system. Second, we maintain the ability to swap a component out without disturbing the customer relationship if a vendor's product trajectory degrades. Naming the brand in marketing copy creates customer expectations that constrain future engineering decisions. We share the specific vendor list under NDA during the scoping call.

Where does the AI layer run, and what data does it see?

The Petronella enterprise private AI cluster runs on hardware we own and operate, located in North Carolina. Customer alert metadata, threat-intel enrichment, and forensic-investigation queries process on that cluster. We do not send customer alert content to third-party large-language-model APIs. The "private tenant" model that several competitors pitch involves a slice of a public-cloud-hosted LLM with a contractual data-handling promise; ours is a physically separate inference platform with a different and stronger boundary.

How does the suite cover Microsoft 365 and Google Workspace?

API-integrated. The email security layer connects via the native Microsoft 365 and Google Workspace administration APIs and sits in addition to your existing inbound mail flow, not in line. That means no MX-record changes during onboarding, no mail-delivery delays, no operational risk to your business mail. We process audit logs, sign-in activity, conditional-access events, and SharePoint or Drive sharing events directly. Post-delivery clawback removes a phishing message from recipient inboxes after the threat-intel feed updates.

Can the suite handle CMMC Level 3?

Yes. Petronella Technology Group consults across all CMMC levels, including Level 1, Level 2, and Level 3. The suite's telemetry and technical control coverage are the same at every level; what changes is the depth of documentation, the rigor of the System Security Plan, the additional NIST SP 800-172 requirements at Level 3, and who performs the assessment: Level 2 certification assessments are conducted by a C3PAO, and Level 3 is assessed by the DoD's DIBCAC on top of a Level 2 C3PAO certification. We are CMMC-RP certified and operate as a Registered Provider Organization with the Cyber AB (formerly the CMMC-AB), RPO #1449. For Level 3 engagements we coordinate with the assessing organization throughout the readiness window.

What happens if an incident exceeds the steady-state response capacity?

The Managed XDR Suite handles contained incidents up to and including ransomware encryption attempts, business email compromise, and credential-theft chains as part of the steady-state subscription. When an incident escalates to a major breach requiring forensic-grade investigation, legal hold, regulatory notification, or insurance-carrier coordination, the case transfers to the Incident Response Services team. The transfer is internal; you do not contract with a new vendor mid-incident.

Do you require us to switch identity providers?

No. The identity-protection layer integrates with Entra ID, Okta, Active Directory, and most major identity platforms. We tune your existing identity provider with conditional-access policy, MFA enforcement, and just-in-time elevation. Privileged access management deploys as a vaulted broker on top of your existing identity stack; admins check out elevated credentials per-session.

How quickly can you onboard if we have an active threat?

If you suspect or have confirmed an active threat in your environment, do not start with the standard Managed XDR Suite onboarding. Call (919) 348-4912 immediately. We will dispatch our incident response team first to contain and investigate, then transition you into the steady-state suite once the active incident is resolved. The two engagements run in sequence, not in parallel, during a crisis.

Can we see the suite operate before we sign?

Yes. We run live demos from a sanitized customer-consent environment, walking through real-world alert triage, SOAR playbook execution, and the analyst console. We do not show prospective customers another customer's live data. Demos last 45 minutes and include time for technical Q and A with a senior SOC analyst, not a sales engineer.

What does an exit look like if we want to leave?

Contracts are one-year terms with month-to-month thereafter and a 60-day notice provision. On exit, we provide the last 90 days of raw event data, the full SIEM rule library, the SOAR playbook source, and a transition runbook for your incoming vendor or in-house team. We do not hold customer data hostage; we operate on the premise that good service retains customers, not contract gotchas.

Is this the same as a Security Operations Center as a Service?

The Managed XDR Suite includes a SOC-as-a-Service capability, but it is more than just outsourced analyst staffing. A pure SOC-as-a-Service engagement typically expects you to bring the tooling stack; ours bundles the tooling with the analysts. Both models work; the bundled model trades vendor flexibility for reduced integration burden and a single accountable owner.

Get the Walkthrough

See the Stack Before You Decide

A 30-minute scoping call is enough to give you a real quote, a real component list, and a real onboarding schedule. No NDA required for the first conversation. No sales-engineer obstacles between you and a senior analyst.