The Petronella Solutions Stack

Petronella Technology Group has been operating from Raleigh, North Carolina since 2002. The solutions we deploy today are the result of twenty-three years of running production environments for regulated organizations: defense contractors handling Controlled Unclassified Information, healthcare practices under HIPAA, financial services firms under SOC 2 and PCI-DSS, engineering firms under ITAR, law firms handling privileged material, and mid-market businesses that need cybersecurity, managed IT, compliance, and now private AI under a single accountable partner.

The stack on this page is vendor-neutral by design. We do not earn referral fees on detection products, backup platforms, or cloud-security tools, which means the scoping conversation is about what fits your environment rather than what pays our quarterly margin. The artificial intelligence layer that handles triage, prioritization, and detection runs on our enterprise private AI cluster, on hardware Petronella owns, operates, and physically controls. Your data does not leave that cluster, and that is a design choice that matters when the compliance scope is real.

What follows is the seven-category breakdown of what we deploy. Each card opens a focused pillar with the technical depth, the onboarding stages, the compliance crosswalk, and the pricing approach for that scope. Read whichever ones map to your situation. When you are ready, the scoping call is thirty minutes and produces a real quote.

Most engagements ride both hubs. A defense contractor reads /industries/ to confirm Petronella understands the CMMC environment and the prime-contract pressure, then comes here to evaluate the technical solution that gets deployed against that scope. Read in whichever order matches your buying motion. The phone number and the contact form are the same either way.

The cybersecurity operations category is where most engagements start. The reason is structural: endpoint visibility is the single highest-leverage detection surface in a modern environment because that is where attackers land, where credentials are harvested, and where ransomware encrypts. EDR closes the blind spot first, XDR brings in network, cloud, identity, and email once the analyst pod has learned your environment, and CSPM addresses the misconfiguration layer that turns cloud workloads into unauthenticated public endpoints by accident.

What separates the Petronella operating model from a license-bill SOC: every shift is staffed by senior analysts with authority to act, the artificial intelligence layer prioritizes the alert queue but does not delegate consequential containment decisions to a model, and the after-hours response is not handed off to an offshore script. Read the cybersecurity pillar for the broader programmatic view including governance, awareness training, and risk management.

The compliance category is two related disciplines: the technical-control implementation that satisfies the requirement, and the documentation, evidence-collection, and assessor-coordination work that survives third-party scrutiny. Petronella delivers both halves under a single engagement. For most defense-contractor clients the engagement combines a Managed XDR deployment against the technical controls with a CMMC consulting engagement against the documentation, the System Security Plan, the Plan of Action and Milestones, and the assessment-readiness check.

What we do not do is sell compliance theater. A signed SSP that no one operates against is a finding waiting to be discovered. We build the evidence base from the actual operating state of your environment, which is why the technical-control side and the documentation side run on the same engagement clock. The handoff fee model that most consultancies use, where assessment-readiness work happens once and then drift accumulates, produces a finding cluster on the next audit. We stay in the chair.

Managed IT and managed cybersecurity are increasingly the same conversation. Patching is a security control. Backup is a ransomware control. Identity-provider hygiene is a credential-theft control. Helpdesk ticket triage is often where an indicator of compromise first surfaces. The Petronella operating model unifies the disciplines: the same team that runs the helpdesk feeds tickets into the same SOC that operates the detection stack, the same patching cadence that satisfies the IT vendor satisfies the compliance assessor, and the same backup verification job that meets the recovery-time objective also meets the audit-evidence requirement.

Most of our managed IT engagements include managed cybersecurity as a layered scope. The few that do not are organizations with an in-house security team and a need for the operational layer only. Either way the scoping call determines the boundary. There is no quarterly retainer for "discovery work" that produces a recommendation to buy more discovery.

Digital forensics work at Petronella is specifically scoped to corporate-mobile and BYOD breach response. We are not a generalist law-enforcement forensics shop and we do not perform Cellebrite, EnCase, or Graykey extractions, jailbreak operations, personal-investigator surveillance, or chain-of-custody work for criminal or family-court matters. Our Digital Forensic Examiner credential, DFE #604180, supports the corporate breach-response and litigation-support scope where chain-of-custody discipline produces evidence that holds up in business-litigation venues. Craig Petronella also brings MIT-Certified credentials in AI and Blockchain to the forensics engagement when crypto-asset or smart-contract evidence is in scope.

The virtual CISO engagement is the right fit when the organization has outgrown a part-time security committee but cannot justify a full-time Chief Information Security Officer salary plus benefits. The fractional model produces the executive-level strategic guidance, the board reporting cadence, the regulator-facing documentation, and the vendor-management discipline that mid-market organizations need without the cost of a permanent hire. Most engagements run a half-day to two days per month of dedicated executive time on top of an always-available advisory channel.

What the vCISO does not replace: the security operations team that runs the SOC, the IT team that operates the network, or the compliance specialists who manage the framework engagement. The vCISO is the strategic layer above the operational and compliance layers, and the Petronella engagement model includes the vCISO scope inside a broader managed-security retainer when that is the right answer for the organization. The scoping call is where we determine whether the vCISO scope stands alone or rolls up into a broader engagement.

The private AI category exists because regulated organizations cannot send Controlled Unclassified Information, Protected Health Information, cardholder data, or attorney-client privileged material to a public-cloud-hosted large-language-model service and still satisfy their compliance obligations. The honest version of that statement: the public-cloud LLM vendor's marketing language about "your data is private" is structurally different from "your data does not leave a sovereign infrastructure you control." If a vendor pitches you a "private tenant" inside their public service, ask where the model weights live and who has root on the inference nodes. The honest answer is rarely the same as the marketing answer.

Petronella operates the private AI cluster on hardware we own and physically control. Your alert metadata, retrieval-augmented corpora, behavioral baselines, and forensic queries process there. The cluster is the substrate for the artificial intelligence layer that runs inside the Managed XDR Suite SOC, the compliance-mapping engine that supports CMMC engagements, and the custom-agent development we do for clients who need automation against their sensitive data without sending it offsite.

The human layer category is where the largest measurable risk reduction tends to happen in the first ninety days of a security engagement. Phishing-simulation click rates of fifteen to twenty-five percent in the first campaign drop to single digits within two quarters of consistent training. That single behavioral shift closes more breach surface than any individual technical control. The pairing of awareness training with the technical controls in the cybersecurity-operations category is where the program produces outcomes, rather than just dashboards.

The composition pattern that recurs most often: a defense contractor or healthcare practice composes Managed Cybersecurity Operations plus Compliance plus Managed IT under a single engagement, with Awareness Training layered on as the human-layer control and the Virtual CISO scope handling strategic and board-level reporting. A litigation or breach-response engagement composes Incident Response plus Digital Forensics on the front end and transitions into one of the steady-state managed engagements after the incident closes. A research-heavy organization composes Private AI Infrastructure plus Managed Cybersecurity, with Compliance scoped to the framework that applies to the research data.

What we do not push: scope creep for its own sake. If your environment is small enough that endpoint detection plus quarterly vulnerability scanning is the right answer, that is the proposal we write. The customer-retention model is good service plus honest scoping, not feature creep.