
Managed XDR Services 24/7 SOC, MTTR Under 15 Minutes

Petronella Technology Group runs a 24/7/365 human SOC correlating endpoint EDR, network NDR, identity IDR, cloud workload, and email signals into a single response platform. Every alert that crosses the severity threshold is reviewed by a credentialed analyst within minutes, not parked in a queue. Built on an enterprise private AI cluster for detection engineering, vendor-agnostic across CrowdStrike, SentinelOne, Microsoft Defender, Sophos, Palo Alto, and Fortinet.

Custom quote per environment. Engagement letter inside three business days. No published list pricing.

MTTR target: under 15 minutes
Detection feeds: 50+
Human SOC: 24/7/365
SOC online. NC headquarters. 24-plus years on the same street.
CMMC-AB RPO #1449
DFE certified, license #604180
Founded 2002, Raleigh NC
BBB A+ since 2003

See It in Action

Inside the Petronella Managed XDR Suite

A short walkthrough of the SOC console, the correlation engine, and the live response actions the analyst takes when a confirmed threat fires.


What Managed XDR Actually Is

One SOC. Five Telemetry Domains. One Response Loop.

Managed Extended Detection and Response, sometimes called MXDR, is a single security service that pulls together five different telemetry domains and runs them through one correlation engine, watched by one 24/7 SOC, under one contract. Endpoint EDR tells you what is happening on the laptop. Network NDR tells you what is happening between the laptop and everything else. Identity IDR tells you what is happening to the credential that authenticated. Cloud workload detection tells you whether the same identity then touched the AWS or Azure environment. Email security tells you whether the original lure that started this chain came through your inbox. Stitched together they describe an attack. Pulled apart, each tool answers a different question and the attacker walks between the gaps.

Petronella Technology Group has been running this work in North Carolina since 2002. The firm holds CMMC-AB Registered Provider Organization status, number 1449. Every engineer is CMMC-RP credentialed. Founder Craig Petronella holds CMMC-RP, CCNA, CWNE (Certified Wireless Network Expert), and a state-issued Digital Forensics Examiner credential, license number 604180. The firm maintains a BBB A+ rating continuously since 2003. None of those acronyms run a SOC by themselves, but they tell you who is going to be holding the response keys to your environment when the alert fires at 02:17 on a Saturday.

The cost case for MXDR over a build-it-yourself SOC is rarely close. Industry salary surveys put a credentialed SOC analyst at roughly $95,000 to $140,000 per year fully loaded. 24/7/365 coverage requires at least six analysts to cover shifts, holidays, vacation, and sick days. Add a detection engineer, a SOC lead, and the licensing for the SIEM, the EDR, the cloud detection platform, and the threat intelligence feeds, and the internal-build bill clears one and a half to two million dollars annually before the first alert fires. Petronella's managed model delivers the same capability at a fraction of the cost because the SOC, the platform, and the detection engineering are amortized across many clients. The bill of materials becomes a known monthly line item rather than a hiring and retention problem.

Equally important, an internal-build SOC ages quickly. The threat landscape moves faster than the typical security hiring cycle. The attacker tradecraft that mattered in 2022 looks different from the attacker tradecraft that matters today. Petronella's detection engineering team updates correlation rules, MITRE ATT&CK mappings, and threat intelligence indicators continuously, with every client benefiting from every detection improvement. That is the operational advantage that a single-client internal SOC simply cannot match without unsustainable headcount.


Definitional Clarity

EDR vs MDR vs XDR vs MXDR vs SIEM

The acronyms get sold interchangeably. They are not the same product, they do not produce the same evidence, and they do not satisfy the same audit clause. Below is the clearest plain-English breakdown.

EDR (product category)

Endpoint Detection and Response. Software agent on the laptop, desktop, or server. Detects malicious processes, suspicious behavior, and known IOCs at the host level. CrowdStrike Falcon, SentinelOne Singularity, Microsoft Defender for Endpoint, and Sophos Intercept X all live in this category. EDR alone has no view of the network, the identity, or the cloud.

MDR (managed service)

Managed Detection and Response. Someone else operates the EDR for you, watches the alerts, and triages. Scope is generally limited to the endpoint signal. MDR is a useful baseline service if you do not have an internal SOC, but it cannot see lateral movement, identity abuse, or cloud-side compromise unless you bolt on additional tools and contracts.

XDR (detection architecture)

Extended Detection and Response. A correlation platform that pulls endpoint, network, identity, cloud, and email telemetry into one engine. This is the product category, not the service. You can buy an XDR platform and operate it yourself, the same way you can buy an EDR and operate it yourself. Operating it well requires detection-engineering and SOC capability you may not have.

MXDR (managed service)

Managed Extended Detection and Response. XDR delivered as a service with a 24/7 SOC. One contract, one platform, one phone number when the alert fires. Petronella runs MXDR. The SOC buys the platform licenses from the vendors, so the customer gets one unified service-level commitment instead of a stack of separate ones.

SIEM (log repository)

Security Information and Event Management. A log aggregation and search platform with correlation rules layered on top. Splunk, Microsoft Sentinel, and Elastic Security all live here. SIEM is a critical infrastructure component, but on its own it is a log search appliance. Without analysts watching it 24/7 and tuning the rules continuously, a SIEM is an expensive disk array.

SOAR (adjacent surface)

Security Orchestration, Automation, and Response. A playbook engine that takes a SIEM or XDR alert and triggers automated containment actions across the rest of the security stack. Petronella's MXDR includes SOAR-style playbooks for endpoint isolation, identity revocation, and Conditional Access policy enforcement, with human review on every irreversible step.

NDR (adjacent surface)

Network Detection and Response. Sees east-west and north-south traffic, flags command-and-control beaconing, lateral movement, and data exfiltration. NDR is one of the five telemetry streams Petronella's MXDR correlates. On its own it is blind to what happens inside the endpoint and the identity provider.

IDR (adjacent surface)

Identity Threat Detection and Response (the wider industry term is ITDR; this page abbreviates it IDR). Sees credential abuse, impossible-travel logins, MFA fatigue, OAuth token theft, golden-ticket forgery. As identity becomes the primary attack surface for cloud-first organizations, IDR has moved from a nice-to-have to a non-negotiable component of any serious detection program.

CDR (adjacent surface)

Cloud Detection and Response. Watches AWS CloudTrail, Azure Activity Logs, Google Cloud Audit Logs, Kubernetes audit streams, and SaaS audit feeds for misconfiguration, privilege escalation, and post-compromise persistence. The cloud-native detection layer most internal teams either ignore or hand-roll.


Methodology

Detect, Respond, Rehearse

Every Managed XDR engagement collapses to three operational stages. NIST SP 800-61 Revision 2 (Computer Security Incident Handling Guide) and the MITRE ATT&CK framework sit underneath these stages as our operational standard. NIST published Revision 3 in 2025, reorganized around the CSF 2.0 functions rather than the four-phase lifecycle; this page keeps the Revision 2 vocabulary because it is what most IR plans and insurance questionnaires still use.

Stage One

24/7 Detection

Endpoint, network, identity, cloud, and email signals flow into the correlation engine in near-real time. Detection rules are MITRE ATT&CK mapped, so every alert carries a tactic-and-technique tag in the same vocabulary your threat-intel feed, your red-team report, and your cyber insurance underwriter use. SOC analysts watch the queue 24/7/365. Automated playbooks handle initial containment within seconds on confirmed indicators (endpoint isolation, session-token revocation via a Conditional Access push, identity lockout); each of these can be reversed from the console, and a human approves any step that cannot simply be undone, such as a service-account credential reset. Detection engineering tunes rules continuously based on telemetry from the entire managed client base, which means every client benefits from every new attacker tradecraft observed across the fleet.

Stage Two

Live Response

The mean-time-to-respond target on critical alerts is under 15 minutes from detection to first containment action. The SOC analyst calls or messages the designated client point of contact during the same window, with the case ticket, the evidence trail, and the recommended next steps. For confirmed incidents that require full investigation, the IR retainer activates and the case is escalated to a Tier-3 lead with the digital-forensics-examiner credential on file. We coordinate with your legal counsel, your cyber insurance carrier, and where applicable the FBI or law enforcement contact named in your IR plan. The objective is containment first, eradication second, recovery third, and lessons-learned fourth - the NIST SP 800-61 sequence executed in real time.

Stage Three

Quarterly Tabletop + Retest

Detection without rehearsal is theory. Every MXDR engagement includes one tabletop exercise per quarter at no additional cost. We script a realistic scenario from current threat intelligence (ransomware, business email compromise, supply chain compromise, insider exfiltration), walk your leadership, IT, legal, and communications teams through the response sequence, and close with a written after-action report that satisfies CMMC IR.L2-3.6.3 (incident response testing) and HIPAA contingency-plan testing requirements. The tabletop output also feeds the next cycle of detection-rule tuning so the SOC and the client team are always working from the same playbook.


Decision Matrix

DIY EDR vs MSP MDR Add-On vs Petronella MXDR

Three different buying patterns, three different audit conclusions, three different bills. The decision is rarely about feature lists. It is about which one produces evidence that holds up when something tries to break it.

Dimension: 24/7 human SOC
  • DIY EDR (e.g., CrowdStrike alone): No. Alerts pile up overnight unless you staff six analysts internally.
  • Generic MSP MDR add-on: Often outsourced to an overseas Tier-1 triage farm. Tier-3 escalations may not exist.
  • Petronella MXDR: Yes. 24/7/365 SOC, NC-based, credentialed analysts at every tier.

Dimension: Telemetry surface
  • DIY EDR: Endpoint only. Network, identity, cloud, and email are blind spots.
  • Generic MSP MDR add-on: Endpoint plus whatever the MSP's stack happens to include. Rarely covers identity, cloud, and email together.
  • Petronella MXDR: All five domains correlated: endpoint EDR, network NDR, identity IDR, cloud CDR, and email security.

Dimension: Threat-hunting cadence
  • DIY EDR: None. Alerting is reactive. Threat hunting requires dedicated headcount you do not have.
  • Generic MSP MDR add-on: Quarterly at most, often advertised but unevenly delivered.
  • Petronella MXDR: Continuous. Hunt cycles run weekly against the current threat-intel pulse, with MITRE ATT&CK technique-by-technique hypothesis testing.

Dimension: MTTR commitment
  • DIY EDR: No commitment. Your team triages on availability.
  • Generic MSP MDR add-on: Stated SLA, often four to eight hours. Critical alerts wait in queues during overnight shifts.
  • Petronella MXDR: Internal target under 15 minutes on critical alerts. Automated containment within seconds on confirmed indicators.

Dimension: MITRE ATT&CK mapping
  • DIY EDR: Vendor-dependent. Quality of tagging varies by EDR.
  • Generic MSP MDR add-on: Inherits whatever tagging the underlying tools produce. Rarely consistent across the alert queue.
  • Petronella MXDR: Every alert carries a tactic-and-technique tag. SOC reporting heatmaps your coverage gaps month over month.

Dimension: IR retainer hours
  • DIY EDR: No. Incident response is a separate emergency engagement, often at retail breach-response rates.
  • Generic MSP MDR add-on: Sometimes bundled, often as a soft commitment that does not survive a real incident.
  • Petronella MXDR: Pre-paid IR retainer at a discounted rate. Tier-3 lead with DFE #604180 credential on file.

Dimension: Cyber insurance evidence packet
  • DIY EDR: Self-produced. Format varies. Renewal underwriters often push back.
  • Generic MSP MDR add-on: Generic monthly report. Rarely matches the renewal questionnaire structure.
  • Petronella MXDR: Quarterly underwriting-ready packet aligned to the standard cyber insurance renewal questionnaire. Saves brokers and CFOs hours.

Dimension: CMMC + HIPAA + PCI evidence
  • DIY EDR: Produces logs. You write the evidence narrative.
  • Generic MSP MDR add-on: Compliance reports exist but rarely map to the practice catalog the assessor uses.
  • Petronella MXDR: Pre-mapped to NIST 800-171 control families 3.6 and 3.14, HIPAA 164.308(a)(6), PCI DSS Requirements 10 and 12, SOC 2 CC4 and CC7. C3PAO-ready.

Dimension: Executive reporting
  • DIY EDR: Self-produced. Quality varies by who in IT has time.
  • Generic MSP MDR add-on: Generic ticket-volume dashboard. Often not board-suitable.
  • Petronella MXDR: Monthly executive summary written for board, audit committee, and cyber insurance broker. Three pages, one read.

Dimension: On-call escalation
  • DIY EDR: Your phone rings. Your CIO becomes the first responder at 02:00.
  • Generic MSP MDR add-on: Tier-1 calls. Tier-3 escalation often delayed.
  • Petronella MXDR: Named SOC analyst, named Tier-3 escalation, named IR lead. All US-based, all on the engagement letter.

If a vendor quotes you MXDR pricing at half the going rate, the bill of materials is short something. Usually it is the human-SOC line item. The most expensive part of the service is the credentialed analyst at 02:17 on a Saturday with the authority to isolate a domain controller without waiting for a Monday-morning email approval. That capacity is the line item that determines whether the incident is contained or whether you read about it on Monday.


Detection Surface

Five Telemetry Domains, One Correlation Engine

Each domain catches a different attacker behavior. Run them in isolation and the attacker walks between them. Run them correlated and the attack chain shows up as one timeline instead of five fragments.

Endpoint EDR

Laptops, Desktops, Servers

Behavior-based detection at the host level. Catches process injection, credential theft from LSASS, suspicious PowerShell, in-memory loaders, ransomware encryption patterns. Integrates with CrowdStrike Falcon, SentinelOne Singularity, Microsoft Defender for Endpoint, Sophos Intercept X, Palo Alto Cortex XDR, Fortinet FortiEDR.

alert: T1003.001 | OS Credential Dumping: LSASS Memory | HOST-PROD-FIN-04
Network NDR

East-West and Perimeter

Behavioral analysis of internal lateral movement, C2 beaconing patterns, data exfiltration, DNS tunneling, suspicious outbound flows to known-bad infrastructure. Pulls from firewall flow records, NetFlow, packet capture, and DNS query logs. Catches what the endpoint missed because the attacker turned the agent off.

alert: T1071.004 | Application Layer Protocol: DNS (C2) | anomalous TXT query cadence | VLAN 30
Identity IDR

AD, Entra ID, Okta, Duo

Catches credential abuse: impossible-travel logins, MFA fatigue attacks, OAuth token theft, golden-ticket forgery, Kerberoasting, AD enumeration via LDAP, suspicious group-membership changes, dormant-account reactivation. Integrates with on-prem Active Directory, Microsoft Entra ID, Okta, Duo, JumpCloud.

alert: T1110.003 | Brute Force: Password Spraying | 14 distinct accounts in 90 s | Entra tenant
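The password-spray alert above is the kind of rule a detection engineer writes first for the identity domain. What follows is an added example, not Petronella's detection code: a sliding-window detector run over constructed Entra ID style sign-in events. The event field names, the reading of error code 50126 as a failed password, the 90-second window and the ten-account threshold are assumptions chosen for illustration.

```python
"""Password-spray detection over constructed Entra ID style sign-in events.

Added example, not Petronella's detection code. Assumes each event is a dict with
'ts' (epoch seconds), 'user', 'src_ip' and 'result' (Entra ID result code as a
string: '50126' = invalid username or password, '0' = success). Thresholds are
illustrative and would be tuned per tenant.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 90          # the page's example: 14 distinct accounts in 90 s
MIN_DISTINCT_ACCOUNTS = 10   # illustrative threshold
FAIL_CODE = "50126"
SUCCESS_CODE = "0"


def detect_password_spray(events, window=WINDOW_SECONDS, min_accounts=MIN_DISTINCT_ACCOUNTS):
    """Flag sources that fail against many *distinct* accounts inside a sliding window.

    One account failing many times is brute force (T1110.001), not a spray, so the
    count is of distinct users rather than attempts. A later success from a source
    that sprayed is the payoff (Valid Accounts) and escalates the alert to critical.
    """
    alerts = {}                     # src_ip -> alert dict
    failures = defaultdict(deque)   # src_ip -> deque of (ts, user) still inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        src, ts = ev["src_ip"], ev["ts"]
        if ev["result"] == FAIL_CODE:
            q = failures[src]
            q.append((ts, ev["user"]))
            while ts - q[0][0] > window:      # evict failures older than the window
                q.popleft()
            distinct = {u for _, u in q}
            if len(distinct) >= min_accounts:
                a = alerts.setdefault(src, {
                    "techniques": ["T1110.003"],   # Brute Force: Password Spraying
                    "severity": "high",
                    "src_ip": src,
                    "first_seen": q[0][0],
                    "distinct_accounts": 0,
                    "post_spray_success": [],
                })
                a["distinct_accounts"] = max(a["distinct_accounts"], len(distinct))
                a["last_seen"] = ts
        elif ev["result"] == SUCCESS_CODE and src in alerts:
            a = alerts[src]
            a["severity"] = "critical"
            a["post_spray_success"].append(ev["user"])
            if "T1078.004" not in a["techniques"]:     # Valid Accounts: Cloud Accounts
                a["techniques"].append("T1078.004")
    return list(alerts.values())


def sample_events():
    """Constructed sign-in log: one real spray plus two look-alikes that must not fire."""
    base = 1_700_000_000
    ev = []
    # Spray: 14 accounts, one failure each, 6 s apart, from 203.0.113.7 (78 s span)
    for i in range(14):
        ev.append({"ts": base + 6 * i, "user": f"user{i:02d}@example.com",
                   "src_ip": "203.0.113.7", "result": FAIL_CODE})
    # The payoff: user07 succeeds from the same source 40 s after the last failure
    ev.append({"ts": base + 6 * 13 + 40, "user": "user07@example.com",
               "src_ip": "203.0.113.7", "result": SUCCESS_CODE})
    # Look-alike 1: alice mistyping her own password 12 times (one account, many attempts)
    for i in range(12):
        ev.append({"ts": base + 5 * i, "user": "alice@example.com",
                   "src_ip": "198.51.100.20", "result": FAIL_CODE})
    # Look-alike 2: a low-and-slow spray, one account every 10 minutes, below this window
    for i in range(14):
        ev.append({"ts": base + 600 * i, "user": f"staff{i:02d}@example.com",
                   "src_ip": "192.0.2.99", "result": FAIL_CODE})
    return ev


if __name__ == "__main__":
    for alert in detect_password_spray(sample_events()):
        print(alert)
```

The distinct-account count is what separates a spray (T1110.003) from one user fat-fingering a password (T1110.001), and the success-after-spray check is what turns a noisy alert into a critical one. The low-and-slow spray in the sample deliberately evades this window; catching it needs a longer aggregation (per hour or per day) and a join on user-agent or ASN rather than source IP, since real sprays rotate addresses.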
Cloud CDR

AWS, Azure, GCP, Kubernetes

CloudTrail, Azure Activity Logs, Google Cloud Audit Logs, Kubernetes audit streams, SaaS audit feeds. Detects misconfiguration drift, privilege escalation through IAM role assumption, cross-account access from new geographies, unexpected resource provisioning, dormant credential reuse, secrets in environment variables.

alert: T1078.004 | Valid Accounts: Cloud Accounts | unexpected AssumeRole from new ASN
Email Security

M365, Google Workspace, Proofpoint

Inline anti-phishing analysis plus post-delivery clawback. Catches business email compromise, vendor-impersonation, payload-bearing attachments, malicious OAuth consent grants, internal-from-external spoofing, and credential-harvesting URLs that survive gateway filters. Integrates with Microsoft Defender for Office 365, Proofpoint, Mimecast, Abnormal.

alert: T1566.002 | Phishing: Spearphishing Link | credential-harvest domain | CFO inbox | post-delivery clawback initiated
OT / ICS (Scoped)

Manufacturing, Engineering, Utilities

Operational Technology and Industrial Control System detection scoped on request. Passive monitoring of Modbus, DNP3, BACnet, and OPC-UA traffic for anomalous commands, unauthorized firmware changes, and pivots from corporate IT into OT segments. Critical for manufacturing, engineering firms, and utilities.

alert: T0836 | Modify Parameter (ATT&CK for ICS) | unscheduled write to PLC tag | OT segment

Operating Discipline

What You Get From Petronella That You Will Not Get From a Generic SOC Vendor

Managed XDR is human-led work. The operator behind the keyboard at 02:17 on a Saturday determines the value of the contract. Below is what we put on the engagement letter.

Engagement Discipline

  • NC-based 24/7/365 SOC. No overseas Tier-1 triage farm. Every analyst is US-based and credentialed. Chain-of-custody and accountability stay clean for CMMC, HIPAA, and defense-contractor work.
  • CMMC-RP credentialed leads. RPO #1449 across the firm. Every Tier-3 escalation is owned by a Registered Practitioner, not a contractor passing through.
  • DFE-licensed IR lead. Founder Craig Petronella holds DFE license #604180. The same firm that detects can produce court-admissible forensics if litigation, law enforcement, or regulator notification follows.
  • MTTR target under 15 minutes. The critical-alert SLA measures the time from detection to first containment action. Automated containment within seconds on confirmed indicators. Human review on any irreversible step.
  • Quarterly tabletop included. One scripted exercise per quarter, with a written after-action report. Satisfies CMMC IR.L2-3.6.3 and HIPAA contingency-plan testing at no additional cost.

Standards and Frameworks

  • NIST SP 800-61 Revision 2. Computer Security Incident Handling Guide. The four-phase model (preparation; detection and analysis; containment, eradication, and recovery; post-incident activity) drives every Tier-3 escalation. NIST published Revision 3 in 2025, which reorganizes incident handling around the CSF 2.0 functions; the Revision 2 phases are kept here because they are what most IR plans and insurance questionnaires still reference.
  • MITRE ATT&CK. Adversary tactic and technique tagging on every alert. Monthly coverage heatmap shows which techniques your stack detects and which it does not.
  • NIST SP 800-171 Rev 2. Control families 3.6 (Incident Response) and 3.14 (System and Information Integrity) pre-mapped in every monthly report.
  • CIS Controls v8. Implementation Group 2 and 3 expectations mapped to managed-service evidence streams. Auditor-ready.
  • Petronella enterprise private AI cluster. Detection engineering runs on Petronella's on-premises GPU-accelerated AI infrastructure. Client telemetry never crosses into a public cloud LLM for analysis. Data sovereignty is built in, not a setting that can be toggled.

What Response Looks Like

A Real Lateral-Movement Detection, Walked Step by Step

Below is a representative scenario drawn from the kind of case that lands in a Petronella SOC queue. Times are illustrative values consistent with the under-15-minute MTTR target on critical alerts. Hostnames, ticket IDs, and the specific commodity tooling are illustrative as well.

07:32:14 EDR. Suspicious process tree on HOST-PROD-FIN-04: PowerShell spawning rundll32, decoded base64 payload references an SMB share. Severity: high.
07:32:21 CORRELATION. Engine joins the EDR alert with the identity log: the same host authenticated to the Finance VLAN domain controller 11 seconds earlier using the svc_backup service account. That service account had not authenticated from this host in the prior 30 days.
07:32:29 NDR. East-west flow detected: HOST-PROD-FIN-04 to FIN-DC-01 over SMB, 18 MB transferred in 4 seconds. Anomalous against the rolling 90-day baseline.
07:32:34 SOAR. Automated playbook fires: endpoint isolation on HOST-PROD-FIN-04, Conditional Access policy push to revoke active session tokens, and an svc_backup credential reset queued for analyst approval (the reset can break legitimate backup jobs, so a human signs it off). Isolation and token revocation complete in under 8 seconds. This is the first containment action, so the MTTR clock stops here, 20 seconds after detection.
07:33:07 SOC. Tier-2 analyst opens case CASE-2026-04212. MITRE ATT&CK tags: T1078.002 (Valid Accounts: Domain Accounts), T1021.002 (Remote Services: SMB/Windows Admin Shares), T1003 (OS Credential Dumping, the suspected source of the svc_backup credential). Severity escalated to critical.
07:43:18 ESCALATION. Tier-3 IR lead engages the CFO and IT director via secure messaging. Detection-to-client-notification: 11 minutes 4 seconds, inside the same 15-minute window.
07:51:42 CONTAINMENT. Containment confirmed by the analyst: endpoint quarantined, identity tokens revoked, service-account reset approved, blast-radius assessment underway. Initial scope: one host, one service account, no data egress to an external destination.
08:14:01 INVESTIGATION. Tier-3 confirms the initial-access vector: a phishing link clicked at 07:29:11 in an email delivered the prior morning. Post-delivery clawback removed the remaining copies from other mailboxes once the URL was reclassified. Further lateral movement to FIN-DC-01 blocked by the SMB sensor. No CUI or ePHI exfiltration. Case ready for executive after-action by 09:00.

The case above lands well inside the 15-minute MTTR target: the first automated containment action fired 20 seconds after detection, and the client was talking to a Tier-3 lead at 11 minutes. Cross-domain correlation joined endpoint, identity, and network signals into one investigation. Without the correlation engine the same case is three separate alerts in three separate consoles, each looking like noise. With the correlation engine it is a single timeline the SOC analyst can walk in one minute.
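The correlation step at 07:32:21 is the whole argument of this page, so here is what that join looks like in code. This is an added example and not Petronella's correlation engine: the event stream is constructed to mirror the scenario above (plus two noise events that must not become cases), and the field names, the 60-second join window and the severity-promotion rule are assumptions made for illustration.

```python
"""Cross-domain correlation: joining EDR, identity and NDR alerts into one case.

Added example, not Petronella's correlation engine. The events are constructed to
mirror the walkthrough on this page; the field names ('ts', 'source', 'host',
'severity', 'technique', 'detail'), the 60 s join window and the promotion rule
are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

JOIN_WINDOW = timedelta(seconds=60)
RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
LEVEL = {v: k for k, v in RANK.items()}


def _t(clock):
    """Clock strings from the walkthrough, pinned to one constructed date."""
    return datetime.strptime("2026-04-12 " + clock, "%Y-%m-%d %H:%M:%S")


# Constructed alert stream. On its own, none of these is critical.
SAMPLE_EVENTS = [
    {"ts": "07:32:03", "source": "identity", "host": "HOST-PROD-FIN-04", "severity": "medium",
     "technique": "T1078.002", "detail": "svc_backup authenticated to FIN-DC-01; no prior auth from this host in 30 d"},
    {"ts": "07:32:14", "source": "edr", "host": "HOST-PROD-FIN-04", "severity": "high",
     "technique": "T1059.001", "detail": "powershell.exe -> rundll32.exe, base64 payload references SMB share"},
    {"ts": "07:32:29", "source": "ndr", "host": "HOST-PROD-FIN-04", "severity": "medium",
     "technique": "T1021.002", "detail": "SMB to FIN-DC-01, 18 MB in 4 s, above 90 d baseline"},
    # Noise: a single-domain event on another host in the same minute
    {"ts": "07:32:40", "source": "identity", "host": "HOST-ENG-11", "severity": "medium",
     "technique": "T1078.002", "detail": "svc_cad authenticated from new host"},
    # Noise: an NDR event on the same host 40 minutes later, outside the join window
    {"ts": "08:12:10", "source": "ndr", "host": "HOST-PROD-FIN-04", "severity": "low",
     "technique": "T1071.001", "detail": "unusual outbound TLS volume"},
]


def correlate(events, window=JOIN_WINDOW):
    """Group events by host, cluster them in time, promote multi-domain clusters to cases."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: _t(e["ts"])):
        by_host[e["host"]].append(e)

    cases, standalone = [], []
    for host, evs in by_host.items():
        cluster = []
        for e in evs:
            # Start a new cluster once this event is more than `window` past the cluster's first
            if cluster and _t(e["ts"]) - _t(cluster[0]["ts"]) > window:
                _close(host, cluster, cases, standalone)
                cluster = []
            cluster.append(e)
        _close(host, cluster, cases, standalone)
    return {"cases": cases, "standalone": standalone}


def _close(host, cluster, cases, standalone):
    sources = {e["source"] for e in cluster}
    if len(sources) < 2:
        standalone.extend(cluster)      # one domain only: stays an alert in its own console
        return
    top = max(RANK[e["severity"]] for e in cluster)
    # Illustrative rule: two domains agreeing on one host raise severity one step;
    # three or more domains, or any high-severity member, go straight to critical.
    sev = "critical" if (len(sources) >= 3 or top >= RANK["high"]) else LEVEL[min(top + 1, 3)]
    cases.append({
        "host": host,
        "severity": sev,
        "domains": sorted(sources),
        "techniques": sorted({e["technique"] for e in cluster}),
        "timeline": [(e["ts"], e["source"], e["detail"]) for e in cluster],
        "span_seconds": int((_t(cluster[-1]["ts"]) - _t(cluster[0]["ts"])).total_seconds()),
    })


if __name__ == "__main__":
    result = correlate(SAMPLE_EVENTS)
    for c in result["cases"]:
        print(c["severity"], c["host"], c["domains"], c["techniques"], f"{c['span_seconds']}s")
        for row in c["timeline"]:
            print("   ", *row)
    print(len(result["standalone"]), "alerts stayed single-domain")
```

Two things this gets right that a single console cannot: the identity event is only medium on its own, and the late NDR event on the same host is kept out of the case because it falls outside the window. In production the join key is richer than hostname (device ID, user SID, logon session ID) and the window is set per technique rather than as one global value.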


Compliance Coverage

Which Alerts and Playbooks Satisfy Which Framework

Every MXDR evidence stream is pre-mapped to the control catalog the auditor will use. The monthly executive summary is also the audit binder.

DoD / DIB

CMMC 2.0 IR Family

MXDR evidence maps to CMMC L2 practices IR.L2-3.6.1 (incident handling), IR.L2-3.6.2 (incident tracking and reporting to authorities), IR.L2-3.6.3 (incident response testing), and SI.L2-3.14.6 (system monitoring). Petronella is CMMC-AB RPO #1449. Reports format for direct C3PAO submission.

NIST 800-171 / DFARS

252.204-7012 Monitoring

NIST SP 800-171 Revision 2 control families 3.6 (Incident Response) and 3.14 (System and Information Integrity) require incident handling and system monitoring for any system processing Controlled Unclassified Information. CMMC 2.0 assessments remain pinned to Revision 2 even though NIST published Revision 3 in 2024. MXDR evidence feeds the System Security Plan and the Plan of Action and Milestones; the resulting NIST 800-171 assessment score is what gets posted to SPRS under DFARS 252.204-7019, while DFARS 252.204-7012 carries the underlying safeguarding requirement and the 72-hour cyber incident reporting obligation that the SOC's case records support.

HIPAA / HITECH

Security Rule 164.308(a)(6)

Security Incident Procedures at 45 CFR 164.308(a)(6) and Information System Activity Review at 164.308(a)(1)(ii)(D) are satisfied by MXDR's 24/7 monitoring, alerting, and case-management evidence. Business Associate Agreement on file for every healthcare client before any work begins.

PCI DSS v4

Requirements 10 and 12.10

PCI DSS v4 Requirement 10 (log all access to network resources and cardholder data) and Requirement 12.10 (implement an incident response plan, test annually) are evidenced directly by MXDR case files, retained logs, and the quarterly tabletop after-action report. QSA-ready format.

SOC 2 Type II

Trust Services Criteria CC4 and CC7

SOC 2 CC4 (Monitoring Activities) and CC7 (System Operations) are evidenced by MXDR monthly reporting and case-management metrics. We coordinate scope directly with your CPA firm before the audit window opens so the evidence binder is ready on day one of fieldwork.

Cyber Insurance

Underwriting Renewal Packet

Cyber insurance carriers require continuous monitoring, documented incident response, and tabletop testing for nearly every renewal questionnaire. MXDR generates the underwriting packet in the format brokers and underwriters expect. Saves the CFO hours per renewal cycle and frequently moves the premium.

ISO 27001

Incident Management (Annex A.16 in ISO/IEC 27001:2013; controls A.5.24 through A.5.28 in the 2022 revision)

Information security incident management, whether cited as Annex A.16 under the 2013 edition or as controls A.5.24 through A.5.28 under ISO/IEC 27001:2022, is best evidenced by a managed monitoring and response service. MXDR case files map directly to ISMS control records. We coordinate with your ISMS lead before the surveillance audit.

CIS Controls v8

Controls 8, 13, 17

CIS Control 8 (Audit Log Management), Control 13 (Network Monitoring and Defense), and Control 17 (Incident Response Management) are all evidenced through MXDR monthly reporting. Implementation Group 2 and 3 maturity targets are achievable within a single quarter of onboarding.

State Privacy Laws

NY-DFS, CCPA, NCGS 75-65

Reasonable-security obligations under state breach-notification and cybersecurity statutes (NY-DFS 23 NYCRR 500, the California Consumer Privacy Act, North Carolina General Statute 75-65, Massachusetts 201 CMR 17) are increasingly defined by case law and enforcement actions as a documented detection-and-response program. MXDR produces the artifacts a state attorney general would ask for during a post-breach review.


Industries

Verticals Where MXDR Earns Its Keep

Regulated verticals carry the majority of our MXDR work. The acronyms change. The scoping conversation does not.

Defense contractors and the Defense Industrial Base. CMMC 2.0 Level 2 and Level 3 require continuous monitoring and incident response evidence that a passive review will not produce. MXDR pre-maps every alert to the practice catalog, every monthly report to the SSP, and every quarterly tabletop to IR.L2-3.6.3. The defense supply chain attack surface is the highest-stakes work we do and the deliverable formats reflect that. See our engineering firms cybersecurity hub for the vertical narrative on the DIB-adjacent engineering practice.

Healthcare and HIPAA-regulated entities. Hospitals, clinics, dental practices, and Business Associates carry HIPAA Security Rule obligations under 45 CFR Part 164. The threat profile centers on ransomware against EHR systems, business email compromise targeting accounts-payable workflows, and credential abuse against remote-access portals. MXDR's 24/7 SOC and the IR retainer line item are usually the difference between a contained incident and a regulator notification. Petronella signs a Business Associate Agreement before any work begins. See HIPAA compliance services for the broader compliance wrap.

Financial services and accounting firms. Wealth managers, CPAs, registered investment advisors, and small banks operate under FFIEC, SEC, FINRA, and state-level supervisory expectations. Wire-fraud and business email compromise are the leading threat patterns, frequently joined with credential theft from cloud-hosted productivity suites. MXDR's email security and identity IDR domains correlate directly to those threat patterns. Cyber insurance underwriting for financial services has tightened materially since 2022 and MXDR evidence is one of the cleanest paths to a renewable policy.

Manufacturing, engineering, and architecture firms. Manufacturers and engineering firms hold the trade secrets, the CAD files, and the proprietary process documentation that nation-state and financially motivated actors specifically target. The OT and ICS adjacency adds a second attack surface that conventional IT detection rarely covers. MXDR with OT scoping closes the gap. Engineering firms with DoD or DIB contract exposure pull in the CMMC overlay as well.

Professional services and legal firms. Law firms hold privileged client data, financial wire authority, and frequent merger-acquisition-litigation intelligence. The attack pattern often centers on credential theft followed by business email compromise targeting partner-level wire approvals. MXDR's identity IDR and email security domains together catch the chain at the credential-abuse step before the wire goes out.

Verticals served: Defense Contractors, Healthcare and Dental, Financial Services, Manufacturing, Engineering Firms, Legal and Professional Services, Accounting and CPA, Technology and SaaS, Government and Public Sector, Real Estate, Utilities and Energy, E-Commerce and Retail.

Onboarding

The First Thirty Days of a Petronella MXDR Engagement

Days one through five: scoping call, signed engagement letter, executed Master Services Agreement, executed Business Associate Agreement where HIPAA applies. Asset inventory exchange: endpoints, identities, cloud tenants, email tenants, and the specific tooling stack already in place. The objective is to remove ambiguity from the bill of materials before any agent is deployed.

Days six through twelve: telemetry connectors deployed and validated. EDR integration with whichever endpoint platform is in place. Identity provider connector to Active Directory, Entra ID, or Okta. Cloud tenant audit feeds connected to the correlation engine. Email tenant API connections to Microsoft 365 or Google Workspace. Each connector is validated end-to-end before the next one is wired in, so a misconfigured tenant does not silently produce zero telemetry for three weeks.

Days thirteen through twenty: baseline tuning. The correlation engine watches the environment for roughly two weeks, starting as each connector comes online, to establish behavioral baselines: login patterns, authentication geographies, service-account activity windows, normal east-west flow volumes, expected outbound DNS cadence. Tuning runs in shadow mode, so genuine alerts are still surfaced to the analyst while false-positive thresholds adjust to your environment and automated playbooks stay off until the baseline settles.

Days twenty-one through twenty-seven: live-cutover. Automated playbooks activate. The SOC begins active alerting against the tuned baseline. The named SOC point-of-contact and the escalation tree are confirmed in writing. The first weekly status review covers the tuning results, the open detection coverage gaps, and the IR retainer hour balance.

Days twenty-eight through thirty: first monthly executive summary lands. Tabletop scheduling kicks off for the upcoming quarter. Compliance evidence mapping is reviewed with the client's compliance lead or vCISO. The engagement is now in steady state and the relationship moves from onboarding cadence to operational cadence.

Most clients onboard in under thirty days. Larger environments with multi-tenant cloud footprints and OT scoping can run forty-five to sixty days. The engagement letter names the target. The weekly status review tracks variance against it.
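The "rolling 90-day baseline" an NDR alert is measured against, and the shadow-mode behaviour described in the tuning window above, are simple to state but easy to get wrong. Below is an added example, not Petronella's tuning logic, of a rolling robust baseline with a shadow-mode gate. The 90-day window, the 14-day shadow period, the 6-sigma threshold, the daily byte-count series and the deterministic sample data are all illustrative assumptions.

```python
"""Rolling robust baseline with a shadow-mode gate.

Added example, not Petronella's tuning logic. Assumes one daily byte count per
(source, destination) pair, oldest first, with today's value last. The window
sizes and threshold are illustrative.
"""
import statistics

BASELINE_DAYS = 90
SHADOW_MODE_DAYS = 14     # page text: tuning runs in shadow mode for roughly two weeks
SIGMA_THRESHOLD = 6.0     # illustrative: flag values more than 6 robust sigmas above the median


def robust_baseline(history):
    """Median and MAD-derived sigma: one earlier incident day cannot drag the baseline up."""
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history)
    sigma = 1.4826 * mad if mad > 0 else max(0.1 * med, 1.0)   # floor for perfectly flat series
    return med, sigma


def evaluate(series, days_since_onboarding, baseline_days=BASELINE_DAYS,
             threshold=SIGMA_THRESHOLD, shadow_days=SHADOW_MODE_DAYS):
    """Score today's value (last element) against the trailing window and decide on containment."""
    history, today = series[-(baseline_days + 1):-1], series[-1]
    shadow = days_since_onboarding < shadow_days
    if len(history) < 7:
        # Not enough history to say anything: surface it, never auto-contain on it.
        return {"verdict": "insufficient_baseline", "score": None,
                "shadow": shadow, "auto_contain": False}
    med, sigma = robust_baseline(history)
    score = (today - med) / sigma
    anomalous = score > threshold
    return {
        "verdict": "anomalous" if anomalous else "normal",
        "score": round(score, 1),
        "baseline_median": med,
        "shadow": shadow,
        # Shadow mode: the analyst still sees the alert; the playbook does not fire on it.
        "auto_contain": anomalous and not shadow,
    }


def sample_series(today_bytes, attack_day=None):
    """Constructed 90 days of SMB bytes for one host pair: 200-250 KB/day, deterministic."""
    hist = [200_000 + 5_000 * ((i * 7) % 11) for i in range(BASELINE_DAYS)]
    if attack_day is not None:
        hist[attack_day] = 18_000_000     # a prior incident inside the window
    return hist + [today_bytes]


if __name__ == "__main__":
    print(evaluate(sample_series(230_000), days_since_onboarding=25))                  # normal
    print(evaluate(sample_series(18_000_000), days_since_onboarding=5))                # shadow: surfaced only
    print(evaluate(sample_series(18_000_000, attack_day=30), days_since_onboarding=25))  # contain
```

Median and MAD rather than mean and standard deviation is the point: a single earlier incident day in the window barely moves the baseline, which the third sample shows. Shadow mode does not suppress the alert; it only withholds the automated containment action until the thresholds have settled.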


Why Petronella

Twenty-Four Plus Years on the Same North Carolina Street

Credentials are not the SOC. They are who you are letting inside your environment when the alert fires. Below is what is on the engagement letter.

Headquarters and SOC

Petronella Technology Group, Inc.
5540 Centerview Drive, Suite 200
Raleigh, North Carolina 27606

Phone: (919) 348-4912
Hours: 24/7/365 Security Operations
Business hours: Mon-Fri 8:00 AM - 6:00 PM ET
Service area: North Carolina + nationwide via secure remote infrastructure

Credentials on the Engagement Letter

CMMC-AB RPO #1449. Every engineer is CMMC-RP credentialed.

DFE License #604180. Founder Craig Petronella holds a state-issued Digital Forensics Examiner credential.

CCNA + CWNE. Cisco Certified Network Associate plus Certified Wireless Network Expert.

BBB A+ since 2003. Continuously rated A+ for over two decades.

Founded 2002. Twenty-four plus years of NC-based security operations.


FAQ

Managed XDR Questions Decision-Makers Ask

Selected from scoping calls with CFOs, CISOs, IT directors, and compliance officers across the Triangle, North Carolina, and nationally.

What is the difference between EDR, MDR, and XDR?
EDR is a product category for endpoints. MDR is a managed service that operates an EDR for you. XDR is a broader detection surface that correlates endpoint signals with network, identity, cloud, and email telemetry. MXDR is XDR delivered as a managed service with a 24/7 SOC. Petronella runs MXDR, so the contract is for the whole detection surface under one SOC, one phone number, and one service-level commitment.
Do you actually have a 24/7 human SOC?
Yes. Petronella runs a 24/7/365 Security Operations Center staffed by credentialed analysts. Every alert that crosses the severity threshold gets reviewed by a human within minutes. Automated playbooks handle initial containment so the analyst spends the first ten minutes on investigation rather than triage. Shift boundaries have documented case notes so context never gets lost across handoffs.
Where are your SOC analysts located?
Petronella Technology Group is headquartered at 5540 Centerview Drive, Suite 200, Raleigh, North Carolina 27606. The SOC operates from this NC footprint with documented coverage handoffs. We do not subcontract triage to overseas providers. The chain-of-custody and credentialed-operator requirement attached to CMMC, HIPAA, and defense-contractor work demands a US-based, accountable analyst pool.
What is your mean-time-to-respond commitment?
Our internal service-level target on critical alerts is under 15 minutes from detection to first containment action. Containment is typically automated isolation of the affected endpoint, identity lockout of the compromised account, or a Conditional Access policy push that revokes session tokens. Full investigation timing depends on attack complexity, but the dwell-time clock stops at containment, which is the metric cyber insurance carriers and CMMC C3PAO assessors actually score.
Do you handle the incident response end-to-end or just the detection?
Both. The MXDR contract covers 24/7 detection, alerting, automated containment, and analyst-led investigation. For full incident response including forensics, regulator notification support, and post-incident reporting, we offer an Incident Response retainer that pre-pays hours at a known rate. Petronella holds DFE license #604180, so the same firm that detects can produce court-admissible evidence if litigation or law enforcement engagement follows. See our digital forensics page for the forensics scope.
How does Managed XDR satisfy CMMC and HIPAA?
Continuous monitoring and incident response are required controls under both frameworks. MXDR evidence maps to CMMC practices IR.L2-3.6.1 (incident handling), IR.L2-3.6.2 (incident tracking and reporting), and IR.L2-3.6.3 (incident response testing). For HIPAA, the same evidence stream satisfies 45 CFR 164.308(a)(6) Security Incident Procedures and 164.308(a)(1)(ii)(D) Information System Activity Review. Monthly executive summaries and a quarterly tabletop close the loop on every framework requirement. See HIPAA compliance.
Do you offer a retainer model?
Yes. Petronella runs both a monthly MXDR subscription and a pre-paid Incident Response retainer. The MXDR subscription is sized per endpoint, per identity, and per cloud workload. The IR retainer pre-pays a block of investigator hours at a discounted rate and locks in priority response. Most clients combine both so the detection layer and the response layer have separate budget lines but the same single firm.
What does Managed XDR cost?
Pricing is a custom quote driven by endpoint count, identity count, cloud workload count, retention requirement, and whether the engagement includes a pre-paid IR retainer. Engagements range from a few thousand dollars monthly for small environments to enterprise-scale engagements with dedicated detection-engineering capacity. Petronella publishes no list pricing for MXDR because the bill of materials varies materially by environment. Call (919) 348-4912 for a scoping call and a fixed-fee engagement letter inside three business days.
Can we keep our existing EDR or do we have to switch?
Keep what you have. Petronella runs a vendor-agnostic MXDR stack and integrates CrowdStrike Falcon, SentinelOne Singularity, Microsoft Defender for Endpoint, Sophos Intercept X, Palo Alto Cortex XDR, and Fortinet FortiEDR. We normalize telemetry from your existing tools into the correlation engine so the rip-and-replace question stays off the table. If your EDR has a known limitation we will say so before the contract is signed.
Do you run tabletop exercises?
Yes. Every MXDR engagement includes one tabletop exercise per quarter at no additional cost. We script realistic scenarios drawn from current threat intelligence (ransomware, business email compromise, supply chain compromise, insider exfiltration) and walk your leadership, IT, legal, and communications teams through the response sequence. The tabletop closes with a written after-action report that satisfies CMMC IR.L2-3.6.3 (incident response testing) and HIPAA contingency-plan testing requirements.

Related Services

Pair Managed XDR With

MXDR is most valuable as part of a security program. These pages cover the work that wraps around it.

This page is the MXDR service deep-dive. For the bundled stack angle - how endpoint EDR, network NDR, identity IDR, cloud CDR, and email security are packaged and priced as one suite with the SOC retainer wrapped in - see the Managed XDR Suite bundled stack page.


Scope Your Managed XDR Engagement

Free 30-minute scoping call. A Petronella engineer walks the environment, names the controls the deliverable will map to, and produces a fixed-fee engagement letter inside three business days.