MANAGED IT / CYBERSECURITY / COMPLIANCE / AI STRATEGY

Technology Services Engineered For Resilience

Petronella Technology Group delivers managed IT, cybersecurity operations, compliance program ownership, and AI strategy from a single accountable engagement. Built for regulated mid-market organizations across the United States and headquartered in Raleigh, NC since 2002. We architect outcomes - zero-trust networks, CMMC Level 1, 2, and 3 readiness, 24/7 managed detection and response, immutable backup, and private AI infrastructure - not break-fix contracts or commodity license resale.

  • 24/7 SOC + Helpdesk
  • 15 min P1 Response SLA
  • 23+ yr Operating Since 2002
  • RPO #1449 CMMC-AB Registered

CMMC-RP | BBB A+ Since 2003 | DFE #604180 | MIT-Certified AI & Blockchain | Raleigh NC HQ

One accountable team for IT, security, compliance, and AI strategy. Most organizations end up stitching together a managed service provider, a security vendor, a compliance consultant, and an AI advisor - then play vendor-coordinator full time. Petronella Technology Group runs all four service lines from a single engagement with named engineers, written SLAs, and one phone number when something needs attention. If you are evaluating us against a multi-vendor stack, the consolidation conversation usually pays for itself before the first quarterly review.

Petronella Technology Group was founded on a simple premise: technology should reduce risk, not create it. For over two decades we have served organizations that cannot afford downtime, data loss, or compliance failures - defense contractors preparing for CMMC 2.0 certification, healthcare practices navigating Office for Civil Rights expectations, financial services firms maintaining SOC 2 alignment, engineering firms protecting CAD intellectual property, law firms with privileged client matter, and growing enterprises that have outgrown their current IT support model. We are headquartered in Raleigh, NC and deliver remote-first across the continental United States with on-site dispatch in Wake County.

The credentials matter because the engagements matter. Craig Petronella holds an active CMMC Registered Practitioner certification and is listed publicly as CMMC-AB Registered Provider Organization #1449. He is MIT-Certified in Artificial Intelligence and Blockchain, holds a CCNA, is a Certified Wireless Network Expert (CWNE), and operates as a Digital Forensics Examiner under license #604180. The engineering team holds additional CMMC-RP certifications. Petronella Technology Group has maintained a Better Business Bureau A+ rating since 2003 and operates a 24/7 hybrid AI plus human SOC. These are auditable credentials backed by ongoing investment in the standards that protect your business, not decorative badges to fill out a pitch deck.

Every engagement follows a structured methodology: discover, design, deploy, and sustain. Pricing is custom because environments are unique - two organizations with identical headcount can have wildly different compliance scopes, after-hours coverage requirements, regulatory exposure, and incident history. The 30-minute discovery call produces a written assessment with every line item spelled out. There are no per-incident bills, no surge pricing during outages, and no mystery line items at the bottom of the invoice. The economics work for both sides because the work is contracted upfront, not invented when things go wrong.

The Petronella Difference

Legacy IT vs. Engineered Operations

Most organizations are running on reactive IT models that were never designed for the threat landscape they now operate inside. Here is how an engineered operating model changes the math.

Dimension: Operating Discipline (Reactive vs. proactive)
  Legacy / Break-Fix MSP: Helpdesk responds when users call. Patches happen during the next scheduled window or after a vulnerability becomes news. Incidents drive the calendar.
  Petronella Engineered Engagement: 24/7 monitoring detects issues before users notice. Patch cadence is documented in the runbook with exceptions tracked. Quarterly business reviews surface trends before they become incidents.

Dimension: Security Posture (IT and security separation)
  Legacy / Break-Fix MSP: Antivirus on every endpoint and a firewall at the perimeter. Security incidents route to a different vendor or get added to the IT queue.
  Petronella Engineered Engagement: 24/7 hybrid AI plus human SOC. Endpoint detection and response with behavioral analytics on every workstation, laptop, and server. Same engagement, same on-call rotation, same accountability.

Dimension: Compliance Position (Checklist vs. controls)
  Legacy / Break-Fix MSP: Generic compliance checklists copied from a template. No mapping to your technical environment. Evidence collection happens the month before the audit.
  Petronella Engineered Engagement: CMMC, HIPAA, NIST 800-171, NIST CSF, PCI DSS, and SOC 2 mapped to deployed technical controls. Evidence collection is automated and continuous. Assessment-ready posture year round.

Dimension: Pricing Model (Flat seat vs. scoped engagement)
  Legacy / Break-Fix MSP: Per-device pricing with hidden overage fees. After-hours work billed at surge rates. Hardware refresh and project work absorbed into vague line items.
  Petronella Engineered Engagement: Custom-scoped engagements with transparent deliverables and fixed-fee milestones. Recurring monthly figure for managed services. Project work quoted separately so there are no surprises.

Dimension: Strategic Layer (Executive engagement)
  Legacy / Break-Fix MSP: Owner or office manager owns the IT relationship. No vCIO or vCISO role. Strategic decisions get deferred or made by the loudest vendor.
  Petronella Engineered Engagement: Named vCIO and vCISO with quarterly board-ready reporting, technology roadmap, risk register, and budget narrative tied to business outcomes.

Dimension: AI Posture (Public cloud vs. private cluster)
  Legacy / Break-Fix MSP: Sensitive customer data routed through public-cloud LLMs because that is what the integrator sells. No data-sovereignty conversation, no model-weight provenance.
  Petronella Engineered Engagement: Enterprise private AI cluster on hardware Petronella owns and physically controls. Customer telemetry, alert metadata, and forensic queries stay inside the boundary.

The shift from reactive to engineered is the single largest factor in whether technology becomes a force multiplier or a tax. The math compounds: a proactive patch program prevents the incident that would have cost three days of revenue and triggered a breach-notification obligation. A tuned EDR alert pipeline catches the ransomware behavior 60 seconds in rather than 6 hours in. A quarterly compliance evidence run keeps the auditor from finding a gap that requires a Plan of Action and Milestones to remediate. Each of these compounds over a year into the difference between a clean operating record and a series of avoidable losses.

Our Engagement Model

Discover, Design, Deploy, Sustain

Every engagement follows a repeatable four-phase methodology. Each phase has named deliverables, written acceptance criteria, and a clear handoff to the next.

01 DISCOVER - Assessment: 30-minute discovery call, written assessment, environment scan, compliance gap analysis, risk register, scoping proposal
02 DESIGN - Architecture: solution architecture, technology selection, control mapping, runbooks, escalation matrix, fixed-fee milestones
03 DEPLOY - Implementation: phased rollout, parallel-run with incumbents, RMM and EDR deployment, identity baseline, immutable backup, training
04 SUSTAIN - Operations: 24/7 monitoring, patch cadence, quarterly business reviews, continuous evidence collection, roadmap iteration

The methodology exists to make the engagement legible to everyone in your organization - the CEO who wants to know what value is being delivered, the operations lead who wants to know when the next change window is, the finance leader who wants to know what the next quarter looks like, the compliance officer who wants to know what evidence is collected and when. Discovery is the most undervalued phase. The temptation is to skip it and start deploying tools, but the engagements that produce the best outcomes are the ones where discovery surfaced an environment fact that changed the design - an undocumented application that drove a different EDR vendor, an unmapped network segment that changed the segmentation plan, a compliance scope decision that pulled a subsidiary into or out of the boundary.

Core Capabilities

What Petronella Delivers

Six service lines, one accountable team. Each capability is staffed by certified engineers, governed by written runbooks, and instrumented for the metrics that matter to your business.

Tier 1 / Foundation

Managed IT Services

Proactive infrastructure management, named-engineer helpdesk, patch and configuration management, vendor coordination, identity and access controls, immutable backup, and vCIO strategic planning - delivered as a single contracted engagement.

  • 24/7 monitoring across endpoints, servers, network gear
  • Helpdesk with 15-minute P1 response SLA
  • Documented patch cadence with exception tracking
  • Quarterly business reviews with vCIO roadmap
Tier 1 / Security Operations

Cybersecurity & Managed Detection

24/7 hybrid AI plus human SOC running endpoint detection and response, managed XDR correlation across network and cloud, threat hunting on a quarterly cadence, and incident response with digital forensics capability on staff.

  • EDR behavioral analytics on every endpoint
  • XDR correlation across email, identity, cloud
  • Quarterly threat hunts against fresh telemetry
  • Incident response under DFE #604180 licensure
Tier 1 / Regulatory Programs

Compliance Readiness

CMMC Levels 1, 2, and 3, HIPAA, NIST 800-171, NIST CSF 2.0, PCI DSS v4.0, SOC 2, and ISO 27001 program ownership. Continuous evidence collection, control mapping to deployed technical posture, audit-ready documentation.

  • CMMC-RP certified, CMMC-AB RPO #1449
  • All three CMMC levels, not just Level 2
  • Evidence automation tied to RMM and EDR
  • System Security Plan and POA&M ownership
Tier 2 / Strategic Advisory

vCISO & vCIO Services

Virtual Chief Information Security Officer and Chief Information Officer services on a retainer model. Risk assessments, policy development, board reporting, technology roadmap, budget narrative, and tabletop incident response exercises.

  • Board-ready quarterly reporting deck
  • Risk register tied to business impact
  • Tabletop incident response exercises
  • Vendor risk reviews and contract redlines
Tier 2 / Infrastructure

Cloud & Network Architecture

Azure, AWS, and hybrid cloud architecture, migration, and optimization. Zero-trust network design with SD-WAN, secure remote access, identity-aware proxies, and tenant-level hardening tied to compliance posture.

  • Cloud architecture and migration playbooks
  • Zero-trust segmentation design
  • Identity-provider hardening (Entra, Okta)
  • Backup and disaster recovery validation
Tier 3 / Emerging Technology

AI Strategy & Private Cluster

MIT-Certified AI and Blockchain advisory. Private AI cluster operations on hardware Petronella owns. Governance, model selection, evaluation, and deployment for organizations that need AI capability without data egress to public-cloud LLMs.

  • Enterprise private AI cluster on-prem option
  • Model evaluation and governance framework
  • Data-sovereignty alignment for CMMC and HIPAA
  • Pilot to production transition playbook

The portfolio is integrated by design. The EDR data feeds the SOC, the SOC feeds the compliance evidence pack, the compliance evidence feeds the vCISO board report, and the board report feeds the vCIO roadmap that drives next quarter's infrastructure investment. Each capability is also available as a standalone engagement, but most organizations consolidate over time because the integration is where the value compounds.

Coverage Matrix

Service Scope at a Glance

Exactly what each service includes for the dimensions that come up most often in scoping conversations. Detailed scoping happens during discovery and lands in the written engagement.

Service             | Monitoring          | Response SLA          | Reporting              | Compliance Mapping
--------------------|---------------------|-----------------------|------------------------|----------------------------------
Managed IT          | 24/7 RMM            | 15 min P1             | Monthly + QBR          | HIPAA, SOC 2
EDR + MDR           | 24/7 SOC            | Auto + 5 min analyst  | Weekly + monthly       | NIST 800-171, CMMC
Managed XDR         | 24/7 cross-domain   | Auto + 5 min analyst  | Weekly + monthly       | CMMC L2 + L3
vCISO               | Quarterly review    | 1 hr advisory         | Board-ready            | All frameworks
vCIO                | Quarterly roadmap   | Same day strategic    | Budget narrative       | N/A (strategic)
Compliance Programs | Continuous evidence | Per audit cadence     | SSP + POA&M            | CMMC, HIPAA, NIST, SOC 2, ISO
Incident Response   | On-call retainer    | 1 hr engagement       | Forensic packet        | Breach-ready evidence
Penetration Testing | Engagement-scoped   | Per engagement        | Findings + remediation | CMMC, PCI DSS
Cloud Architecture  | 24/7 health         | 2 hr P1               | Monthly + QBR          | SOC 2, ISO 27001
AI Advisory         | Project-scoped      | Per project           | Executive              | Governance framework

The matrix above is a starting point, not a contract. Every engagement is scoped to the specific environment, after-hours coverage requirements, regulatory exposure, and risk tolerance of the organization. CMMC Level 3 environments, healthcare environments with extensive Business Associate Agreements, and financial services environments with broker-dealer obligations frequently require tighter contracted numbers than the standard tier above. That tightening happens during the discovery and design phases so the operating SLA matches the regulatory reality.

Industries Served

Where Petronella Operates

Concentration in regulated mid-market organizations where downtime, data loss, or compliance failure carries material consequences. Headquartered in Raleigh, NC. Delivered remote-first across the continental United States with on-site dispatch in Wake County.

Defense Industrial Base

Defense Contractors & DIB Suppliers

Primes and subcontractors handling Federal Contract Information and Controlled Unclassified Information. CMMC Levels 1, 2, and 3 readiness, DFARS 252.204-7012 compliance, NIST 800-171 control implementation, and audit-ready System Security Plans.

  • CMMC-RP certified team, RPO #1449
  • NIST 800-171 control mapping
  • POA&M lifecycle ownership
  • C3PAO coordination assistance
Healthcare

Medical & Dental Practices

HIPAA Security Rule, Privacy Rule, and Breach Notification Rule compliance. Protected Health Information handling, Business Associate Agreement coverage, and Office for Civil Rights audit preparation for practices of all sizes.

  • HIPAA Security Rule technical controls
  • Encryption at rest and in transit
  • Annual risk analysis and remediation plan
  • Breach notification runbook
Financial Services

Banks, RIAs, & Broker-Dealers

SOC 2 Type II readiness, GLBA Safeguards Rule alignment, FTC Safeguards Rule compliance, FINRA Books and Records support, and SEC examination preparation. Privileged customer data handled inside hardened identity and access controls.

  • SOC 2 Type II evidence collection
  • FTC Safeguards Rule alignment
  • Customer Identification Program tooling
  • Examiner-ready audit packet
Engineering & Manufacturing

Engineering Firms & Manufacturers

CAD intellectual property protection, technical-data export-control alignment, ITAR-aware handling for defense-adjacent work, and Operational Technology security for production floors. Engineering firms are a Petronella concentration, differentiated by combined AI and CMMC capability.

  • CAD repository hardening
  • ITAR-aware boundary design
  • OT and IT network segmentation
  • Vendor risk reviews for supply chain
Legal & Real Estate

Law Firms & Brokerages

Privileged client matter protection, ABA Model Rule 1.6 alignment, multi-state breach notification preparation, and wire-fraud defense for real estate closings. Identity-aware email security and DMARC enforcement to defend against business email compromise.

  • ABA Model Rule 1.6 technical alignment
  • DMARC, DKIM, SPF enforcement
  • Wire-fraud playbook and tabletop
  • Multi-state breach-notification matrix
Education & Nonprofit

K-12, Higher Ed, & Nonprofits

FERPA-aligned student-record handling, state breach-notification readiness, grant-funded technology procurement support, and tight-budget operating models for organizations where every dollar is mission-restricted.

  • FERPA student-record controls
  • State breach-notification preparation
  • Grant-funded procurement alignment
  • Donor data and CRM security
Our Credentials

Certified Expertise You Can Verify

Every credential listed below is currently held by a named Petronella team member and independently verifiable through the issuing body. Credentials are listed because they govern the work, not because they fill a slide.

  • CMMC-RP / RPO #1449 - Craig Petronella: Registered Practitioner and CMMC-AB Registered Provider Organization
  • MIT-Certified - Craig Petronella: Artificial Intelligence and Blockchain
  • DFE #604180 - Digital Forensics Examiner: on-staff licensure for incident response and forensics
  • CCNA / CWNE - Craig Petronella: Cisco Certified Network Associate and Certified Wireless Network Expert
  • CMMC-RP Team - Blake Rea, Justin Summers, Jonathan Wood: engineering team CMMC Registered Practitioners
  • BBB A+ - Petronella Technology Group: Better Business Bureau A+ accreditation maintained since 2003
  • PPSB - North Carolina Licensed: Private Protective Services Board licensure for investigative work
  • Operating Since 2002 - Raleigh Headquarters: 23+ years of continuous operation under one ownership

Petronella Technology Group, Inc. 5540 Centerview Dr., Suite 200, Raleigh, NC 27606
Phone: (919) 348-4912 · Operating from Raleigh since 2002
Why Custom Quotes

Engagements Scope to Environment, Not Per-Seat

The published-flat-rate model breaks down the moment compliance scope, after-hours coverage, or environment complexity enters the conversation. Custom scoping protects both sides from the surprise invoice that ends the relationship.

Two organizations with the same headcount can have wildly different engagements. A 40-person dental practice with two locations and one Microsoft 365 tenant runs at a very different operating cost than a 40-person defense subcontractor preparing for CMMC Level 2 with three CUI enclaves and a manufacturing floor full of legacy Windows 7 controllers. A 200-person law firm with a single office and a clean Active Directory runs differently than a 200-person engineering firm with five offices, three CAD vaults, and ITAR-flagged technical data. The headcount is the easiest variable to measure and the least informative variable in the actual cost equation.

Custom scoping happens during the discovery phase. The written assessment that follows has every line item spelled out: per-user managed services, per-server infrastructure management, security operations subscription, compliance program retainer, project work as fixed-fee milestones, and the small platform fee that covers the tooling stack. There are no surge rates, no per-incident bills, and no overage fees on the recurring contract. Project work that falls outside the recurring scope - infrastructure refresh, cloud migration, compliance attestation, penetration test - gets quoted as a fixed-fee deliverable with acceptance criteria.

The payment terms are upfront for fixed-fee milestones because that is how a 23-year-old business serves clients without lending them working capital. Recurring services bill monthly on standard net terms. The economics work because the engagement is scoped to be sustainable on both sides - we are not subsidizing the relationship and you are not paying for surprise capacity. If the scope changes mid-engagement, the change order is presented in writing with the cost impact before the work starts. No surprises.

Explore the Services

Deeper Detail on Each Capability

Each service line has its own pillar page with the technical anatomy, deployment playbook, and pricing model. Start with the capability that maps to your most pressing question and use the discovery call to map across the rest.

If you are evaluating across multiple pillars, the discovery call is the highest-leverage way to compare. We map your current state, your target state, and the gap between them - then surface which pillar to start with and which to sequence later. Most engagements start with the most acute pain (a recent incident, an imminent audit, a vendor that just gave notice) and expand from there once the operating cadence is established.

FAQ

Frequently Asked Questions

The questions that come up most often during scoping conversations. Detailed answers happen during discovery; these are the short-form versions for the website.

What services does Petronella Technology Group provide?

Four integrated service lines from a single accountable engagement: managed IT (24/7 monitoring, named-engineer helpdesk, patching, vendor management), cybersecurity (endpoint detection and response, managed XDR, penetration testing, incident response, digital forensics), compliance (CMMC Levels 1, 2, and 3, HIPAA, NIST 800-171, NIST CSF 2.0, PCI DSS v4.0, SOC 2, ISO 27001), and AI strategy (private AI cluster, governance, deployment).

Engagements scope by environment and compliance obligations rather than per-seat license counts. Most clients consolidate two or more service lines into a single engagement, but each capability is available as a standalone retainer.

How is Petronella different from a typical MSP?

Most managed service providers run IT and hand the security ball to a separate vendor or an after-hours skeleton crew. Petronella Technology Group operates as both MSP and MSSP inside one engagement, with named engineers, written SLAs, a 24/7 hybrid AI plus human SOC, and digital forensics capability on staff under DFE #604180.

We are CMMC-RP certified, registered as CMMC-AB RPO #1449, and consult across all three CMMC levels - not just Level 2. The result is one accountable team for IT, security, compliance, and emerging AI strategy rather than three vendors pointing at each other when something breaks. See the MSP Partner Program if you are an MSP looking for white-label depth in security or compliance.

Do you publish pricing on your website?

No. Petronella Technology Group works on a custom-scoped quote model because two firms of the same headcount can have wildly different environments, compliance scopes, after-hours coverage requirements, and risk profiles. Every engagement begins with a no-obligation discovery call.

We produce a written assessment with every line item spelled out, fixed-fee milestones for project work, and a transparent monthly figure for managed services. There are no per-incident bills, no surge rates, and no mystery line items. Payment terms are 100 percent upfront on fixed-fee milestones (standard for a 23-year-old shop), and recurring services bill monthly.

Which industries does Petronella serve?

Regulated mid-market organizations across the United States with concentration in defense contractors and DIB suppliers preparing for CMMC certification, healthcare providers under HIPAA, financial services firms requiring SOC 2 or GLBA alignment, engineering and manufacturing firms protecting CAD intellectual property, legal practices handling privileged client data, real estate brokerages, and education and nonprofit organizations subject to FERPA or state breach laws.

Headquartered in Raleigh, NC with on-site dispatch in Wake County and remote delivery nationwide. See the full industries vertical hub for buyer-identity narrative or the solutions hub for deliverable architecture.

Do you operate AI infrastructure or rely on public-cloud LLMs?

Petronella Technology Group operates an enterprise private AI cluster on hardware we own, physically control, and maintain. Customer telemetry, alert metadata, behavioral baselines, and forensic queries process on that cluster and nowhere else. We integrate with public cloud AI for non-sensitive workloads where it makes sense, but no Controlled Unclassified Information, Protected Health Information, or financial data leaves your boundary into a third-party model.

Data sovereignty is a CMMC, HIPAA, and SOC 2 requirement, not a marketing slogan. See the AI strategy pillar for the governance framework and pilot-to-production playbook.

How do engagements start and how long does onboarding take?

Every engagement begins with a 30-minute discovery call followed by a written assessment. Managed IT onboarding typically runs 30 to 60 days for mid-market environments and 60 to 90 days when CMMC or HIPAA evidence collection is in scope.

Week one is documentation and access. Week two is tooling deployment (RMM, EDR, immutable backup, identity baseline). Weeks three and four are risk assessment, any emergency remediation, and handoff to steady-state operations. We run alongside incumbent providers when one exists so there is zero coverage gap during transition.

Are Petronella credentials verifiable?

Yes. Craig Petronella holds active CMMC-RP, is listed as CMMC-AB Registered Provider Organization #1449, holds CCNA, is a Certified Wireless Network Expert (CWNE), is a Digital Forensics Examiner under license #604180, and is MIT-Certified in Artificial Intelligence and Blockchain. Team engineers hold CMMC-RP certification.

Petronella Technology Group has maintained a Better Business Bureau A+ rating since 2003 and has been operating from Raleigh, NC since 2002. All credentials are independently verifiable through the issuing bodies. Meet the named team on the team page.

Do you support remote workforces and multi-site organizations?

Yes. EDR, vCISO advisory, compliance program ownership, and helpdesk operate identically regardless of where users connect. On-site dispatch is available in Wake County for Priority 1 outages, typically inside 60 minutes.

Multi-site organizations are supported through cloud-managed RMM and identity providers, with site-specific runbooks and named on-call engineers. Defense contractors with classified or air-gapped environments are scoped separately because the controls differ from standard CUI handling.

Can you take over an environment that is already in trouble?

Yes. Petronella Technology Group regularly assumes responsibility for environments mid-incident, mid-audit, or after a previous provider has lost the customer's confidence. If there is an active threat in the environment, the incident response team engages first to contain and investigate before steady-state onboarding begins. Call (919) 348-4912 immediately rather than starting with the standard onboarding path.

If a compliance assessment is imminent, evidence collection and gap remediation become the first sprint. The discovery call surfaces these urgencies so the engagement plan reflects reality on day one.

Ready to consolidate IT, security, compliance, and AI under one team?

Schedule a 30-minute discovery call. We will listen to your environment, your compliance obligations, and the pressure points you are trying to solve - then deliver a written assessment with every line item spelled out. No pressure, no generic pitch, no surprise invoice.