About Petronella Technology Group, Inc.

Raleigh-Based Cybersecurity and Compliance Since 2002

RPO #1449 / BBB A+ since 2003 / Team 100% CMMC-RP

Petronella Technology Group, Inc. is a Raleigh, North Carolina cybersecurity and compliance firm built around the defense industrial base, healthcare, engineering, legal, and financial verticals. Every assigned engineer holds the CMMC Registered Practitioner credential, the firm is listed on the Cyber AB registry as RPO #1449, and our engagements begin with a free 30-minute scoping consultation, not a price sheet.

Cyber AB Registry: RPO #1449 - CMMC-AB Registered Provider Org
BBB Accreditation: A+ - Continuously accredited since 2003
Founded: 2002 - 23+ years building regulated IT and security
Headquarters: Raleigh - 5540 Centerview Dr., Suite 200, NC 27606
Industries Served: DIB / Health - Defense, Healthcare, Engineering, Legal, Financial

01 / Founding Story

From a Two-Person Computer Repair Shop to a Compliance Firm

Petronella Technology Group, Inc. opened in Raleigh in 2002. The original brief was unglamorous: keep small and mid-sized North Carolina businesses running on the IT and networking equipment of the day, fix what broke, and replace what failed. That work was honest and steady, but the calls that started coming in around 2010 were different. Law firms had laptops stolen and needed forensics. Healthcare practices were asked HIPAA questions they had never been asked before. Defense subcontractors started seeing flow-down clauses in their prime contracts that referenced something called DFARS 252.204-7012.

The pattern was clear. North Carolina has one of the densest defense and healthcare clusters in the Southeast - Research Triangle Park, Fort Bragg (formerly Fort Liberty), Camp Lejeune, Seymour Johnson Air Force Base, Cherry Point MCAS, the academic medical centers across Duke and UNC and ECU and Wake Forest - and the regulatory weight on those organizations was only going to grow. Petronella shifted from generalist managed services toward security, digital forensics, and compliance consulting. The firm earned BBB Accreditation in 2003 and has held A+ continuously since. Craig Petronella sat for the North Carolina Digital Forensics Examiner license, which became DFE #604180, listed on the North Carolina Office of Indigent Defense Services expert-witness registry at forensicresources.org.

By the time the Department of Defense finalized CMMC 2.0 in October 2024 and DFARS clause 252.204-7021 began its phased rollout, Petronella had spent more than a decade walking small and mid-sized DoD subcontractors through NIST SP 800-171, the System Security Plan, and the Plan of Action and Milestones. Joining the Cyber AB Registered Provider Organization list as RPO #1449 was the natural step. So was rolling out the CMMC Registered Practitioner certification across the entire team rather than just the principal. Today every Petronella engineer assigned to a defense client is CMMC-RP certified, and the firm partners with a network of independent practitioners who hold deeper specialty credentials - more on that in the partner-network section below.

Raleigh stayed the headquarters. The office sits at 5540 Centerview Dr., Suite 200, Raleigh, NC 27606, ten minutes from the I-40 / I-440 interchange and within a short drive of every major North Carolina defense base and academic medical center. We remain locally owned and operated. Craig is still the principal, still answers the phone, and still sits on the scoping calls.

What grew alongside the consulting practice was a small portfolio of tooling and intellectual property the firm now uses on engagements and offers separately to clients. ComplianceArmor is our compliance documentation platform that automates the heavy lift of SSP authoring, POA&M tracking, and evidence repository organization. Our private AI cluster and 24/7 AI-plus-human hybrid threat analysis stack underpins managed detection and response for the DIB and healthcare clients who cannot risk sending Controlled Unclassified Information or Protected Health Information to a public-cloud SOC. That AI infrastructure is aligned to CMMC, DFARS, and HIPAA data sovereignty rules - we built it because the off-the-shelf options were not, and clients started asking. The hardware story for that cluster lives separately at our hardware practice.

Honesty Rail

What Petronella Does Not Do

A short list to save everyone time. If your engagement is in this list, we will tell you on the scoping call and refer you to a firm that specializes.

  • We do not certify or assess CMMC engagements. By design - that is the C3PAO's role under the Cyber AB framework. We are a Registered Provider Organization, not a Certified Third Party Assessment Organization. We prepare you for the assessment and hand you off cleanly. See our C3PAO selection guide for a vendor-neutral list.
  • We do not do mobile device extraction work. Forensics here is scoped to bring-your-own-device and corporate-mobile breach response only. No Cellebrite, EnCase, or Graykey work. No iPhone or iPad extraction. No jailbreak forensics. No private-investigator or custody-dispute work. If that is what you need, we will refer you to a firm that does.
  • We do not publish managed-services tier pricing. Cybersecurity and compliance work is too variable to price from a card. Every engagement starts with the free scoping call and gets quoted after we understand the environment.
  • We do not subcontract scoping calls to outside salespeople. The CMMC Registered Practitioner who runs your discovery call is on the firm payroll. You meet the engagement lead before the contract.
02 / Team

Who You Will Actually Work With

Named team members who are CMMC Registered Practitioners. We name the practitioner working your engagement during scoping.

Craig Petronella

CEO and Founder / Principal Consultant

Craig founded Petronella Technology Group, Inc. in 2002 and has spent more than 30 years working in regulated IT - first as a generalist serving Raleigh small and mid-sized businesses, then progressively narrowing into security, forensics, and compliance as the regulatory landscape demanded it. He is the Amazon #1 best-selling author of How HIPAA Can Crush Your Medical Practice, has 10 bylined articles in Attorney at Law Magazine covering cryptocurrency in divorce litigation, CMMC 2.0, and ransomware on law firms, and a 15-title Amazon author page. Craig still answers the phone at the Raleigh office and personally sits in on the discovery call for every CMMC engagement.

  • CMMC-RP
  • CCNA
  • CWNE
  • DFE #604180
  • MIT-Certified in AI
  • MIT-Certified in Blockchain

Blake Rea

Cybersecurity Consultant

Blake works the assessment side of the firm - gap analyses, SSP authoring, evidence repository organization, and the mock C3PAO dry-run that defense subcontractors run before the real Certified Third Party Assessor walks in.

  • CMMC-RP

Justin Summers

Cybersecurity Consultant

Justin focuses on technical remediation work - multifactor authentication rollout, FIPS-validated encryption deployment, audit logging pipeline integration, and the configuration management baselines that hold up under assessor questions.

  • CMMC-RP

Jonathan Wood

Cybersecurity Consultant

Jonathan handles ongoing POA&M tracking, monthly compliance cadence calls, and the evidence handoff package that organizes artifacts to the Conformity Assessment Procedures a C3PAO will reference.

  • CMMC-RP

Entire team CMMC-RP certified. No subcontracted "consultants" who turn out to be brokers. No outsourced helpdesk-grade staff billed at senior rates. You meet the person doing the work on your discovery call. Visit the full team page for deeper bios.

03 / Partner Network

Specialist Credentials We Reach for When the Engagement Needs Them

A clean separation between named-team credentials above and the partner practitioner network below.

Partner Practitioner Network

Petronella's engagements draw on a partner practitioner network whose collective credentials extend our coverage across the full security and compliance landscape.

Cybersecurity and compliance are wide. The full landscape stretches from CMMC and HIPAA into ISO 27001 lead-auditor work, SOC 2 attestation, penetration testing under PCI-DSS rules, advanced incident response, cloud architecture review for FedRAMP, and the GIAC family of specialist designations. Holding every one of those credentials in-house would either be theatrical (paper credentials no one uses) or unaffordable for a Raleigh-sized firm. We do not do either.

Instead, Petronella maintains long-standing working relationships with independent practitioners across the Southeast who hold the deeper specialist credentials. When your engagement calls for one, we name the practitioner during scoping and bring them onto the engagement under our oversight. Network credentials we routinely draw on include:

  • CISSP
  • CISA
  • CISM
  • GIAC GSEC
  • GIAC GCIH
  • GIAC GPEN
  • GIAC GCFA
  • GIAC GCIA
  • GIAC GREM
  • CCSP
  • CRISC
  • ISO 27001 Lead Auditor
  • SOC 2 attestation specialists

These credentials are partner-held, not held by individual Petronella team members beyond those listed above. We name the practitioner working your engagement during scoping, you meet them on the kickoff call, and the engagement letter reflects who is doing what work. No bait and switch.

If you are evaluating cybersecurity firms and a competitor is listing CISSP, CISA, CISM, or the GIAC family on their site, ask them to name the person who holds each credential and confirm whether that person is an employee or a contractor. The honest answer for most small and mid-sized firms is the same as ours: a partner network. We just say so up front.

04 / Frameworks

Compliance Frameworks We Work Within

The regulatory inventory we have actually delivered against. Not a marketing checklist. If a framework is missing here it is because we honestly have not done significant work in it.

Department of Defense

  • CMMC 2.0 (Level 1, Level 2, Level 3)
  • NIST SP 800-171 Rev 2 / 3
  • NIST SP 800-172 enhanced
  • DFARS 252.204-7012 / -7019 / -7020 / -7021
  • FAR 52.204-21 basic safeguarding

Healthcare

  • HIPAA Privacy / Security / Breach Notification
  • HITECH Act
  • HITRUST CSF
  • NIST SP 800-66
  • FDA 21 CFR Part 11 / Part 820

ISO and Audit

  • ISO 27001:2013 / 2022
  • ISO 27002 controls reference
  • SOC 1 / SOC 2 / SOC 2 Type II / SOC 3
  • SSAE 16 / SSAE 18
  • COBIT framework alignment

Financial Services

  • GLBA Safeguards Rule
  • PCI DSS v4.0
  • FACTA Red Flags Rule
  • Sarbanes-Oxley IT general controls

Government and Cloud

  • FedRAMP readiness consulting
  • FERPA for higher-education clients
  • State-level data breach notification
05 / Methodology

Scoping First, Then Price, Then Work

Defense and healthcare contractors get sold to constantly. Most of those pitches lead with a price card. We do the opposite.

01 / SCOPE

Free 30-minute scoping consultation

The first call costs nothing and is run by a CMMC Registered Practitioner, not a salesperson. We pull the regulatory flow-down clauses out of your prime contract, identify your data class (FCI, CUI, PHI, PCI, mixed), draw a candidate asset boundary, and tell you the realistic engagement length you are looking at. You leave that call with clarity even if you never hire us.

02 / QUOTE

Custom quote, no published prices

Cybersecurity and compliance pricing depends on environment size, control posture today, CUI scope, whether an enclave will reduce the assessment boundary, and how much of the documentation work you keep in-house. Published price sheets always either overcharge the small client or undercharge the large one. We quote after scoping. Custom-quote model, no list price. Standard tools and our ComplianceArmor SaaS documentation platform reduce the labor side of the engagement materially - we will quote it both ways during proposal.

03 / DELIVER

A 39+ layer security stack built on patented solutions

Engagements deploy a 39+ layer security stack where each layer leverages patented technologies, covering People, Process, and Technology - policy and SSP authoring (Process), engineer training and tabletop exercises (People), and technical control rollout including MFA, FIPS-validated encryption, audit logging, and configuration management baselines (Technology). The patents are held by the underlying vendors behind each layer, and we engineer them into a single defensible program. The whole engagement is documented for the C3PAO or auditor, and the same documentation makes future renewal cycles dramatically cheaper. Read our CMMC readiness playbook for the full step-by-step.

One philosophical point. We are a partnership-first firm, not a transactional one. A CMMC Level 2 engagement is a 12 to 24 week initial build followed by years of POA&M tracking, annual evidence refresh, and ultimately a re-assessment every three years. A HIPAA program is even longer-cycle. Picking a partner with that scale in mind matters more than chasing the lowest hourly rate. We have clients who started in 2003. They are still clients.

06 / Geography

Raleigh-Local, North Carolina Native, National Reach

We work face-to-face within North Carolina and run remote engagements nationally. The Raleigh address is a real office, staffed during business hours.

Headquarters: 5540 Centerview Dr., Suite 200, Raleigh, NC 27606
Research Triangle: Raleigh, Durham, Cary, Chapel Hill, Morrisville, Apex, Holly Springs, Wake Forest
NC Defense Bases: Fayetteville (Fort Bragg), Jacksonville (Camp Lejeune), Havelock (MCAS Cherry Point), Goldsboro (Seymour Johnson AFB)
NC Metro Coverage: Charlotte, Wilmington, Greensboro, Winston-Salem, Asheville, Greenville, Wilson, Rocky Mount
National Remote: CMMC and HIPAA engagements delivered remote-first across all 50 states

07 / Why Petronella

Seven Honest Reasons to Pick This Firm

01
Cyber AB RPO #1449
Petronella Technology Group, Inc. is listed on the Cyber AB Marketplace as Registered Provider Organization #1449. Verify the listing yourself at cyberab.org. This is the bare minimum credential for any firm doing serious CMMC consulting work, and not every competitor has it.
02
Full-team CMMC-RP certified
Not just the principal. Every engineer the firm assigns to a defense client carries the CMMC Registered Practitioner credential. You will not get a senior consultant on the sales call and a junior on the engagement.
03
BBB Accredited continuously since 2003
Over 22 years of continuous accreditation in the same legal entity, the same address, under the same founder. That is not common in the IT services world. It means you can audit our complaint history publicly before you ever sign a contract.
04
Scoping-first, not sell-first
The first call is a free 30-minute scoping consultation run by a CMMC Registered Practitioner. We do not lead with package tiers. We lead with reading your contract flow-down clauses and mapping your asset boundary so the quote we eventually send is grounded in your actual environment.
05
Raleigh-local for DIB primes and subs
Most of our defense clients are within a half-day drive of the Raleigh office. We can be on site at Fort Bragg, Camp Lejeune, Cherry Point, or Seymour Johnson when an engagement needs physical presence. National competitors quote you remote-only and bill travel when on-site work is unavoidable.
06
MIT-certified founder, multi-discipline depth
Craig Petronella holds MIT certifications in both Artificial Intelligence and Blockchain alongside the standard CMMC, networking, and forensics credentials. That breadth matters when an engagement bridges CMMC work and emerging-technology questions like AI in CUI environments or cryptocurrency forensics in litigation support.
07
Partner-network depth for specialist credentials
When your engagement needs CISSP, CISA, CISM, GIAC family, ISO 27001 Lead Auditor, or SOC 2 attestation depth, we bring the named partner practitioner onto the engagement during scoping rather than pretending we hold every credential in-house. Honesty about who does what work.
08 / Verticals

Industries We Serve

Verticals where we have demonstrated depth. Click through for the buyer-identity hub on each. Stack architecture for each industry lives one tier down under /industries/.

Ready for the Scoping Call?

Free 30 minutes with a CMMC Registered Practitioner. We will read your contract flow-down clauses, identify your data class and asset boundary, and tell you the realistic engagement timeline. No price card pitched at you. No obligation. You leave with clarity either way.

Petronella Technology Group, Inc.
5540 Centerview Dr., Suite 200
Raleigh, NC 27606
(919) 348-4912