Industry-Tuned Solution Stacks

Industry Solution Stacks We Deploy

Stack Anatomy, Architecture, Audit Evidence across regulated verticals.

This is the deliverable view of Petronella Technology Group's industry work. If you want to know what ships when you engage us for a CMMC enclave, a HIPAA ePHI hosting topology, a FINRA WORM archival stack, or a matter-scoped legal IT program, this is the page. Six core capabilities. Vertical-tuned reference architectures. Audit-evidence production built in.

CMMC-AB RPO #1449 · Team CMMC-RP · DFE #604180 · BBB A+ Since 2003

What This Page Is

Stack anatomy, not industry story

Quick answer. Every Petronella regulated-industry engagement ships the same six-capability stack, tuned per vertical. This page is the engineering spec view: components deployed, architecture patterns used, audit artifacts produced, and service-level commitments we operate to. For the industry overview and threat-landscape context, see the industries identity pillar.

Most managed IT providers describe what industries they serve. That's a useful question, and we answer it on the sibling industries pillar. This page answers a different question: what do we actually build for you? What goes in the rack, in the tenant, in the policy binder, in the evidence folder. What the auditor, the insurance underwriter, the contracting officer, or the partner's compliance counsel will see when they ask for proof.

Petronella has been shipping stacks for regulated small and mid-market organizations since 2002. The commodity managed service provider pattern assumes every client needs roughly the same thing. In regulated verticals the opposite is true. A 40-seat federal subcontractor handling Controlled Unclassified Information needs an isolated enclave with documented boundary controls, logged privileged access, and DoD-formatted incident reporting. An eight-provider medical practice needs HIPAA Security Rule coverage, executed Business Associate Agreements, and a sixty-day breach notification playbook. A FINRA member firm needs tamper-evident communications archival on SEC Rule 17a-4 compliant WORM storage with documented supervision. A law firm needs matter-scoped access, ethical walls, and forensic-ready privileged incident response.

The same monitoring agent does not solve all four. The evidence an auditor will accept does not overlap across the four frameworks. The service-level commitment you need for a reportable incident is not the same as the service-level commitment you need for a dropped mailbox.

So we build per vertical. Same engine, different transmission. This page is the transmission spec.

What belongs here, and what belongs on the sibling

On this page: stack components, reference architectures, capability matrices, service-level commitments, audit evidence production mechanics, private AI integration patterns, tool and platform choices we make. Written for the person who will own the operational outcome.

On the sibling industries pillar: the vertical story. Who your regulator is. Who your attacker is. What 2 AM looks like when an incident hits. Why a specialist in your vertical is different from a generalist who also takes your call. Written for the person asking "do you understand my world?"

Most prospects read both. Buyers read this one. This is the deliverable. For the broader set of platforms we operate across all clients (managed SOC, private AI, digital forensics, voice agents, digital twin), see our full solutions portfolio.

Six Capabilities We Deploy In Every Engagement

The stack, before vertical tuning

Every Petronella engagement stands up the six capabilities below. Tuning happens on top: retention windows, evidence formats, privileged-access policies, incident-response playbooks, and data classification all shift per framework. The capability shape does not.

Capability 1

Enterprise private AI cluster

What we deploy. Dedicated inference capacity on Petronella-operated infrastructure, isolated at the tenant level, with per-client audit logging, prompt and response retention configurable per regulatory framework, and documented data custody. Not a shared public API.

  • Tenant isolation (per-client inference lane)
  • Prompt + response audit log, retention per framework
  • Model selection governed by data-classification policy
  • Private retrieval index, no external egress by default
  • Integration points for voice agents, document review, knowledge base lookup

Artifact produced. Data-flow diagram, AI acceptable-use policy, model-use log, residency attestation. See the private AI cluster pillar for full architecture.

Capability 2

Managed security operations

What we deploy. Continuous monitoring of endpoints, identity, email, and network plane, with human analyst oversight, vertical-tuned detection rules, and response playbooks that route to the right regulator or legal counsel when an event crosses the reporting threshold. This is a real SOC function, not a dashboard with alerts.

  • EDR/XDR on every endpoint in scope
  • Identity-plane detection (conditional access, risky sign-in, privileged token anomaly)
  • Email-plane detection (credential phishing, BEC patterns, impersonation)
  • Detection engineering tuned per vertical (CUI anomaly, ePHI access anomaly, privileged-matter anomaly)
  • Response playbooks with named regulatory reporting branches

Artifact produced. Alert log, investigation write-ups, quarterly tuning change-log, incident reports in the format your regulator expects.

Capability 3

CMMC and NIST-aligned compliance program

What we deploy. A living compliance program, not a pre-audit scramble. System Security Plan, Plans of Action and Milestones, Security Assessment Report, policy library, training records, and quarterly evidence collection. Framework mappings aligned to CMMC Levels 1, 2, and 3, NIST SP 800-171 Rev 2 and Rev 3, NIST 800-53, HIPAA Security Rule, FINRA, SEC, NYDFS, and GLBA as the engagement requires.

  • Control baseline selection + scoping
  • SSP authoring + version control
  • POAM management with target remediation dates
  • Evidence collection on a quarterly cadence, not pre-audit only
  • SPRS scoring (for federal contractors) on a documented revision schedule

Artifact produced. SSP, POAM, SAR, policy library, evidence bundle, audit-ready package. See the CMMC compliance program for framework detail.

Capability 4

Digital forensics readiness

What we deploy. Pre-staged forensic readiness, not a scramble at event time. Endpoint imaging capability, documented chain-of-custody procedures, preserved logs on a retention schedule that survives the investigation window, and a licensed Digital Forensic Examiner on staff (Craig Petronella, North Carolina DFE #604180). When an incident becomes a legal, regulatory, or insurance matter, you already have evidence in the right form.

  • Log retention sized to the investigation window (not the billing window)
  • Endpoint imaging capability on demand
  • Chain-of-custody documentation template
  • Forensic IR on ransomware, BEC, SIM swap, crypto theft, pig butchering, network intrusion
  • Licensed DFE available for affidavit and expert-witness work where scope permits

Artifact produced. Chain-of-custody records, forensic report, timeline reconstruction, preserved evidence bundle. See the digital forensics practice.

Capability 5

Managed IT foundation

What we deploy. The day-to-day operational core. Endpoint lifecycle management, patch discipline with documented exception handling, identity and access administration, email and collaboration platform support, backup with tested restore, and a single ticketing queue. Done to a regulated-industry bar: every action is logged, every change reviewed, every access justified.

  • Endpoint enrollment, baseline, monitoring, retirement
  • Patch cadence with documented exception process
  • Identity and access management (lifecycle, joiner/mover/leaver, privileged access controls)
  • Email and collaboration (Microsoft 365 or Google Workspace, tuned per framework)
  • Backup + immutable copy + tested restore (not just configured, actually tested)

Artifact produced. Asset inventory, patch report, access-review log, restore-test records, change-management log.

Capability 6

Advisory and executive reporting

What we deploy. Reporting written for the person who signs the engagement. Monthly executive summary translating operational activity into business and regulatory posture. Quarterly risk review with trending. Annual control-effectiveness testing. Board-level briefings on request. Your leadership never has to translate technical telemetry into a regulatory answer; we do that translation every month.

  • Monthly executive summary (one page, regulatory posture first)
  • Quarterly risk review with trended metrics
  • Annual control-effectiveness test
  • Board or partner briefing on request
  • Vendor-risk and insurance-renewal support (control attestations, SIG / CAIQ questionnaires)

Artifact produced. Monthly executive summary, quarterly risk review, annual control-effectiveness report, completed vendor questionnaires.

Vertical-Specific Stacks

What the six capabilities look like per vertical

The cards below describe what actually ships per vertical. Each card lists the core technical deliverables, the stack components we deploy, and the regulatory frame that drives tuning. Deeper vertical narrative lives on the linked spokes.

CMMC, DFARS, NIST 800-171

Federal contractor stack

We stand up a CUI enclave with documented boundary controls, deploy DoD-format incident reporting on a 72-hour timer, author and maintain your SSP / POAM / SAR, and tune detection for CUI anomaly. Private AI inference runs in-tenant for classified-adjacent workloads.

  • CUI enclave (tenant isolation, documented data-flow, boundary controls)
  • Endpoint hardening to NIST 800-171 Rev 2 / Rev 3
  • Privileged access management with session logging
  • DFARS 252.204-7012 incident reporting workflow (72-hour DC3 notification path)
  • Shared Responsibility Matrix for prime and subcontractor relationships
  • SPRS scoring cadence + remediation plan

Frame: CMMC L1/L2/L3, NIST 800-171, DFARS 7012, FedRAMP-aligned tenant

HIPAA, HITECH, 45 CFR 164

Healthcare and medical stack

We deploy ePHI hosting on a BAA-covered tenant, execute Business Associate Agreements across every downstream vendor, run HIPAA Security Rule risk analysis, and pre-stage the 60-day breach notification playbook. Medical practice workflow and EHR integration sit on top of the compliance spine.

  • ePHI hosting topology (BAA-covered tenant, encrypted at rest, key custody segregated)
  • HIPAA Security Rule risk analysis + remediation tracking
  • BAA inventory and execution workflow for every downstream vendor
  • Six-year audit log retention (SOC + compliance log fusion)
  • Breach notification playbook (60-day window, HHS OCR format)
  • EHR integration hardening (Epic, Athena, eClinicalWorks, NextGen, OpenDental)

Frame: HIPAA Security + Breach Notification, HITECH, state ePHI law

FINRA, SEC, NYDFS, GLBA

Financial services stack

We stand up SEC Rule 17a-4 compliant WORM archival for supervised communications, wire FINRA Rule 4511 retention workflows, deploy supervision tooling across email and Teams, and pre-stage forensic readiness so a securities examiner gets answers within the expected response window.

  • WORM-compliant communication archival (SEC 17a-4(f), FINRA 4511)
  • Email + Teams supervision workflow with escalation routing
  • Privileged-access session logging (advisor terminal, admin lane)
  • NYDFS 23 NYCRR 500 control mapping for licensed entities
  • GLBA Safeguards Rule program documentation
  • Standing forensic-readiness posture for examiner response

Frame: FINRA 4511, SEC 17a-4, NYDFS 500, GLBA Safeguards

ABA 1.6(c), NC Bar 2011 FEO 6

Legal and law firm stack

We deploy matter-scoped access control, ethical walls across practice groups, outside-counsel-guideline alignment, litigation-hold tooling, and a privileged incident-response playbook that treats every event as a potential privilege event until ruled otherwise.

  • Matter-scoped access with role-based entitlements
  • Ethical wall configuration per matter + auditable enforcement
  • Outside counsel guideline compliance review (per-client OCG matrix)
  • Litigation hold tooling + documented preservation workflow
  • Privileged communication encryption in transit and at rest
  • Privileged incident-response playbook with counsel-first notification

Frame: ABA Model Rule 1.6(c), NC State Bar 2011 FEO 6, OCGs per client

White-Label, Wholesale, Partner

IT companies and MSPs (wholesale)

We stand up wholesale access to Petronella's compliance advisory, digital forensics, and private AI capability under your brand. You sell the outcome; we deliver the regulated-industry specialty without requiring you to hire the in-house team. Sister program at MSP Partners.

  • CMMC advisory wholesale for your clients
  • Digital forensics on demand under your brand
  • Private AI cluster access for partner workloads
  • Compliance documentation templates licensed for resale
  • Revenue share on advisory and assessment engagements
  • Co-delivery model (your CSM, our specialists)

Frame: white-label, SOW-driven, NDAs + downstream BAAs as needed

Cyber Insurance, SOC 2, Vendor Risk

Small business B2B stack

For business-to-business SMBs that need real managed IT, cyber-insurance-ready control attestation, and a path to formal compliance when an enterprise customer contract requires it. We build toward the certification gate your pipeline needs next, not a hypothetical one.

  • Cyber insurance control attestation (MFA, EDR, email security, backup)
  • Vendor risk management for your customer contracts (SIG, CAIQ, custom questionnaires)
  • Managed detection and response with continuous monitoring
  • Email security, MFA enforcement, endpoint hardening
  • SOC 2 Type II preparation where a customer contract is driving it
  • Right-sized compliance posture (avoid paying for frameworks you don't need)

Frame: cyber insurance controls, SOC 2, customer-driven compliance gates

PCI DSS, State Breach Notification

Small business B2C stack

For consumer-facing retail, hospitality, and service businesses that process card data and hold customer personal information. We scope your PCI DSS footprint down aggressively, harden point-of-sale endpoints, and pre-stage breach-disclosure readiness under state notification laws.

  • PCI DSS scope minimization (tokenization, P2PE, network segmentation)
  • Point-of-sale endpoint hardening
  • Customer data classification and retention policy
  • Breach disclosure readiness under state notification laws
  • Retail WiFi and guest network separation
  • Card-data environment documentation for your acquirer's annual SAQ

Frame: PCI DSS v4, state breach notification statutes, acquirer SAQ

Engineering, Manufacturing, Nonprofit, Dental, Auto, Retail

Adjacent verticals

Engineering firms (ITAR / EAR data handling, CAD asset protection), manufacturing (OT/IT convergence, supply-chain compliance), nonprofits (grant-reporting IT), dental practices (HIPAA scope reduction), and auto dealers / retail (PCI + customer PII). Each gets a tuned variant of the same six capabilities.

  • Engineering + architecture firms: ITAR / EAR classification, CAD asset control, AI integration
  • Manufacturing: OT network segmentation, supply-chain attestation, CMMC readiness
  • Nonprofit: grant-reporting IT, donor data protection, right-sized compliance
  • Dental: HIPAA Security Rule aligned practice IT, imaging system integration
  • Auto dealer + retail: PCI scope minimization, F&I workflow hardening

Frame: matched per vertical, assessed at fit call

Reference Architectures

Named patterns we deploy

These are the reference architectures we deploy most often. Each describes topology, core components, audit evidence produced, and integration points with the other five capabilities. Treat them as starting points; engagements tune details to scope, head count, existing posture, and framework revision.

Pattern A

CUI Enclave Reference Architecture

Topology. A separated tenant (Microsoft 365 GCC High or equivalent FedRAMP-aligned environment) with a documented boundary, scoped endpoint fleet, privileged-access segmentation, and no path for CUI to leave the enclave without logged exception. The enclave is the unit of certification; it is smaller than the whole business and larger than a single folder.

Core components. Tenant baseline hardened to NIST 800-171 Rev 2 or Rev 3, conditional access with device compliance, session-logged privileged-access workstations, CUI-aware DLP, endpoint detection and response, email and Teams supervision on the enclave lane, encrypted file storage with per-user audit, and the private AI cluster reachable only from inside the boundary if the engagement uses AI.

Audit evidence produced. Boundary diagram, data-flow diagram, asset inventory scoped to enclave, SSP with control implementation per 800-171 domain, POAM, SPRS score, quarterly evidence bundle (access reviews, privileged-access session logs, training completion, patch report). Packaged in a format Cyber AB C3PAOs accept.

Pattern B

HIPAA ePHI Hosting Topology

Topology. ePHI lives on a BAA-covered tenant. A central identity plane enforces MFA on every account touching ePHI, not selectively. Audit logs on ePHI access persist six years. Key custody for encryption is segregated from day-to-day operations so a single compromised admin cannot access both encrypted data and keys. Downstream vendors (EHR, billing platform, imaging system, backup vendor) each have executed BAAs tracked in a single registry.

Core components. Identity platform with conditional access and risk-based sign-in, endpoint MDM with encryption enforcement, EHR integration on BAA-covered hosting (Epic, Athena, eClinicalWorks, NextGen, OpenDental, others), email + collaboration on a BAA-covered tenant, backup with immutable copy and per-restore audit log, DLP tuned to ePHI patterns (SSN, MRN, payer IDs), and a documented breach-response playbook timed to the sixty-day HHS OCR notification window.

Audit evidence produced. Executed BAA registry, annual HIPAA Security Rule risk analysis, risk management plan, sanction policy, workforce training records, audit log export for the investigation window, breach notification drill results, vendor attestation set.

Pattern C

WORM Communication Supervision Stack

Topology. All supervised communications (email, Teams, approved messaging channels) are captured into a SEC Rule 17a-4(f) compliant WORM repository with downstream supervision tooling overlaid. Retention is sized to the regulatory window for the specific registration (broker-dealer, investment adviser, licensee under state law) with a margin for examination-period extensions. The repository is tamper-evident and supports the documentation-of-controls requirement examiners will ask for.

Core components. WORM archival service (Global Relay, Smarsh, or equivalent) with Petronella-managed connector configuration, supervision-tool lexicon tuning per the firm's product set, privileged-access logging on the supervision platform, case management for flagged items, and a documented escalation path to named supervisory principals.

Audit evidence produced. Retention attestation, lexicon change-log, supervision-review documentation, flagged-item case records, examiner-ready export on demand.

Pattern D

Matter-Scoped Legal Access Architecture

Topology. Client matter files live in a document management system that enforces role-based access per matter. Ethical walls are configured at the matter level and audit-logged so an OCG review can document enforcement. Mobile and remote access flow through managed devices with DLP scoped to privileged content. Incident response assumes every event is a potential privilege event and routes to counsel before technical remediation closes.

Core components. Document management system (iManage, NetDocuments, or SharePoint-based with Petronella governance overlay), ethical-wall enforcement, managed devices with per-matter conditional access, email + collaboration lane with e-discovery preservation policy, litigation-hold tooling, privileged-communication encryption, and forensic-ready endpoint imaging for any device implicated in a privileged incident.

Audit evidence produced. Ethical-wall configuration log, access-review records, OCG compliance matrix per client, litigation-hold records, incident-response playbook with privilege-preservation step-by-step, and (when the engagement requires it) expert-level forensic reports from a licensed DFE.

Pattern E

Private AI Inference Integration (Regulated Verticals)

Topology. The private AI cluster is reachable only from inside the client's compliance boundary. No prompt, no retrieved document, and no response leaves the tenant. Audit logs record who invoked which model against which data. Retrieval indexes are populated from sources already inside scope (your EHR summary export, your CUI document library, your matter-scoped folders) with no external mirror. Model selection is governed by the data classification policy: the most sensitive class is served by the most constrained model.

Core components. Dedicated inference lane, retrieval-augmented generation with private vector index, identity-bound access (no shared API keys), per-invocation audit log, model-use policy, data-classification policy binding, and optional voice or chat agent front-end routed through the same lane.

Audit evidence produced. AI acceptable-use policy, model-use log, data-classification binding record, residency attestation, penetration test of the inference interface, and (for federal-contractor engagements) documentation suitable for a C3PAO assessor reviewing AI-related CUI processing.
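As an added illustration of the Pattern E governance (example code written for this page, not Petronella's own platform; the classification labels, model tier names and keyword-match retriever standing in for a vector index are all assumed), the Python below shows the three controls in one governed invocation: matter-scoped retrieval that enforces the ethical wall before any prompt is built, model selection bound to the most sensitive classification in the retrieved context, and a per-invocation audit record of who invoked which model against which documents.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Tuple

# Classification ladder, least to most sensitive (assumed labels, not the page's).
CLASS_ORDER: List[str] = ["public", "internal", "confidential", "privileged"]

# Hypothetical model tiers: the most sensitive class is served by the most
# constrained model, which is the data-classification binding Pattern E describes.
MODEL_FOR_CLASS: Dict[str, str] = {
    "public": "general-model",
    "internal": "general-model",
    "confidential": "restricted-model",
    "privileged": "locked-model",
}


@dataclass(frozen=True)
class Document:
    doc_id: str
    matter: str          # matter (or enclave / ePHI scope) the document belongs to
    classification: str  # one of CLASS_ORDER
    text: str


@dataclass(frozen=True)
class Principal:
    """Identity-bound caller: the lane never accepts a bare shared API key."""
    user: str
    matters: FrozenSet[str]  # matter entitlements granted by the access-control plane


@dataclass(frozen=True)
class AuditRecord:
    ts: str
    user: str
    model: str
    doc_ids: Tuple[str, ...]
    query: str


class InferenceLane:
    """Dedicated inference lane: matter-scoped retrieval, class-driven model
    selection, and one audit record per invocation."""

    def __init__(self, index: List[Document]) -> None:
        self._index = list(index)
        self.audit_log: List[AuditRecord] = []

    def retrieve(self, who: Principal, query: str) -> List[Document]:
        """Return only documents from matters the caller is entitled to.
        The ethical wall is enforced here, before any prompt is assembled,
        so content from another matter can never reach the model."""
        terms = [t for t in query.lower().split() if t]
        hits: List[Document] = []
        for doc in self._index:
            if doc.matter not in who.matters:
                continue  # wall: caller holds no entitlement for this matter
            if any(t in doc.text.lower() for t in terms):
                hits.append(doc)
        return hits

    @staticmethod
    def select_model(docs: List[Document]) -> str:
        """Pick the model tier for the most sensitive document in the context."""
        if not docs:
            return MODEL_FOR_CLASS[CLASS_ORDER[0]]
        top = max(docs, key=lambda d: CLASS_ORDER.index(d.classification))
        return MODEL_FOR_CLASS[top.classification]

    def invoke(self, who: Principal, query: str) -> AuditRecord:
        """One governed invocation: retrieve, bind the model, log who/model/data."""
        docs = self.retrieve(who, query)
        model = self.select_model(docs)
        rec = AuditRecord(
            ts=datetime.now(timezone.utc).isoformat(),
            user=who.user,
            model=model,
            doc_ids=tuple(d.doc_id for d in docs),
            query=query,
        )
        self.audit_log.append(rec)
        # The actual model call would happen here and stays inside the boundary.
        return rec


# Constructed sample index (not real client data): two matters, one privileged.
SAMPLE_INDEX: List[Document] = [
    Document("A-1", "Matter A", "confidential", "Settlement terms for the Matter A deal"),
    Document("B-1", "Matter B", "privileged", "Settlement strategy memo for Matter B"),
    Document("A-2", "Matter A", "internal", "Matter A billing guidelines"),
]


def demo_matter_wall() -> AuditRecord:
    """An associate entitled only to Matter A asks about settlements;
    the Matter B memo must not surface even though it matches the query."""
    lane = InferenceLane(SAMPLE_INDEX)
    associate = Principal(user="associate@example.test", matters=frozenset({"Matter A"}))
    return lane.invoke(associate, "settlement")
```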

Capability Matrix

What's included by vertical stack

Every engagement includes the six core capabilities. The matrix below highlights vertical-specific additions. If a component is not listed, it is either included in the core (managed SOC, managed IT, compliance program, forensic readiness, private AI, advisory) or scoped case-by-case.

Stack addition                               | Federal | Healthcare | Finance | Legal | B2B SMB
SEC 17a-4 / FINRA 4511 WORM archival         | –       | –          | Core    | –     | –
Matter-scoped DMS + ethical walls            | –       | –          | –       | Core  | –
Privileged-access session logging            | Core    | Opt        | Core    | Core  | Opt
SSP / POAM / SAR authoring                   | Core    | Opt        | Opt     | Opt   | Opt
DFARS 7012 incident reporting workflow       | Core    | –          | –       | –     | –
Supervision tooling (email + Teams)          | –       | –          | Core    | –     | –
Litigation-hold tooling + workflow           | Opt     | Opt        | Opt     | Core  | Opt
Cyber-insurance control attestation          | Core    | Core       | Core    | Core  | Core
Vendor-risk questionnaire program (SIG/CAIQ) | Core    | Core       | Core    | Core  | Core
Private AI cluster access                    | Opt     | Opt        | Opt     | Opt   | Opt
Digital twin voice agent                     | Opt     | Opt        | Opt     | Opt   | Opt

Rows whose per-vertical column placement is not preserved in the source table (values listed in source order):

  • CUI enclave (FedRAMP-aligned tenant): Core, Opt, Opt, Opt
  • BAA-covered ePHI hosting tenant: Core, Opt, Opt
  • HIPAA Security Rule risk analysis: Core, Opt, Opt

Legend. Core = included in the vertical stack by default. Opt = available as a scoped add-on, most commonly attached during the industry fit assessment. Dash = not applicable or not typically relevant.

Service-Level Commitments

Monitoring posture and response commitments

Every Petronella engagement operates to a documented service-level commitment. Specific targets are scoped in the engagement letter because environment size, integrations, and urgency vary. The shape below holds across regulated verticals.

Continuous monitoring posture. Endpoints, identity, email, and network plane are monitored continuously with human analyst oversight during the contracted coverage window. Coverage windows default to regulated-industry expectations (extended hours with on-call after-hours coverage) and are explicitly named in the engagement letter. We do not overstate coverage; if the engagement does not include a given window, that is documented and priced intentionally.

Detection-to-investigation. High-severity detections (identity-plane anomaly, endpoint ransomware behavior, privileged-access misuse) enter investigation on a defined clock. The clock is written into the engagement letter, not assumed. We measure it, and we report it monthly.

Incident notification. When an incident crosses the reporting threshold for your framework (DFARS 7012 for federal contractors, HHS OCR for HIPAA, SEC / FINRA for registered firms, state attorney general for consumer-data events), the response playbook routes notification to the named internal owner on a timer derived from the framework's statutory clock. We pre-stage this routing at onboarding.

Evidence production cadence. Audit artifacts refresh on a documented cadence. Access reviews quarterly. Privileged-access session log export quarterly. Restore testing on a named schedule (not annual for most regulated clients). Policy library reviewed annually. Training records captured on hire and annually thereafter. The cadence is published to the client at onboarding so an auditor sees a running schedule, not a pre-audit sprint.

Reporting cadence. Monthly executive summary. Quarterly risk review. Annual control-effectiveness test. Ad-hoc incident reports in the format your regulator or insurance underwriter expects.

What we will not commit to on a public page. Specific percentage uptime targets, specific minute-by-minute detection-to-contain numbers, or specific fixed pricing. Those are engagement-specific and written into your agreement, not a marketing page. We would rather under-promise on a public page and over-deliver inside the engagement than publish a number we cannot defend under cross-examination.

Engagement Process

From first call to operating stack in under thirty days

Scope definition takes a short, bounded window. The steps below are identical across verticals; what varies is the framework under review and the specific control gaps in your environment.

Discovery call with Penny

Free 15-minute discovery call answered by Penny, our AI front-desk agent. Penny confirms your vertical, the framework driving the engagement, your upcoming audit or contract requirement, and the internal owner. You leave with a clear next step, not a sales pitch. If the fit is wrong, we say so on the call.

Industry fit assessment

If discovery confirms fit, we run a paid industry fit assessment. We map your current environment to the framework that governs you, document gaps, score your starting posture, and deliver a phased remediation plan plus a scoped proposal. The assessment is reusable. If you hire us, it becomes the basis of your SSP. If you do not, you still own a real gap analysis.

Build and operate

We stand up the vertical stack, train your team, and begin continuous operations. For federal contractors, the build track runs to CMMC assessment readiness. For healthcare, to HIPAA Security Rule compliance evidence. For finance and legal, to the supervisory and forensic readiness your regulators expect. Month one you are monitored. Month three your audit evidence is organized. Month six you are operating to the industry standard.

Verified Credentials

The credentials behind the stack

Every credential below is publicly verifiable. Nothing on this page is a claim we cannot document.

CMMC Registered Provider: CMMC-AB RPO #1449. Verify on the Cyber AB member directory at cyberab.org.

Team Certification: Entire Team CMMC-RP. Every Petronella team member who touches a federal contractor engagement holds the CMMC Registered Practitioner credential.

Licensed DFE: Craig Petronella, DFE #604180, Digital Forensic Examiner. Also holds CCNA and CWNE. CMMC Registered Practitioner.

Company Longevity: Founded 2002, BBB A+ Since 2003. Better Business Bureau A+ rating held continuously since 2003.

Address: 5540 Centerview Dr., Suite 200, Raleigh, NC 27606. In-region team. On-site response where the engagement requires it.

PPSB Accreditation: Private Protective Services Board. North Carolina PPSB accreditation covering private protective services including forensic investigation.

Frequently Asked Questions

Deliverable questions buyers ask

What's actually in a Petronella industry stack?
Six capabilities, every time: private AI cluster access, managed security operations, CMMC and NIST-aligned compliance program, digital forensics readiness, managed IT foundation, and advisory plus executive reporting. On top of the six, we add vertical-specific components: a CUI enclave for federal contractors, ePHI hosting for healthcare, WORM archival for finance, matter-scoped access for legal, and so on. The capability matrix above shows what is core versus optional per vertical.
How is a solution stack different from managed IT?
Managed IT is Capability 5 out of the six above. It covers endpoint management, patch discipline, identity administration, email and collaboration support, and backup with tested restore. A solution stack is all six capabilities. A client on commodity managed IT may pass uptime reviews but fail an audit because nobody is producing evidence, tuning detections to the vertical, or maintaining an SSP. A client on a Petronella industry stack passes both because evidence production is a product requirement from day one.
What artifacts will my auditor actually receive?
Depending on the framework: SSP, POAM, SAR, SPRS score (federal), HIPAA Security Rule risk analysis, BAA registry, audit log export (healthcare), 17a-4 retention attestation, supervision records, lexicon change-log (finance), ethical-wall configuration log, OCG compliance matrix (legal), plus the shared artifacts every engagement produces: asset inventory, access-review records, privileged-access session logs, patch report, restore-test records, training completion, and the monthly + quarterly + annual reporting bundle. We pre-stage these so your auditor sees running evidence, not a pre-audit sprint.
How does the private AI cluster integrate per vertical?
The inference lane is the same platform; the governance changes per vertical. For federal contractors handling CUI, retrieval indexes are populated only from inside the CUI enclave and no prompt or response leaves the boundary. For healthcare, prompts and responses are captured in the six-year HIPAA audit log and model selection is governed by the data-classification policy (the most sensitive ePHI class is served by the most constrained model). For legal, matter-scoped access flows into the retrieval index so an associate asking a question about Matter A cannot surface content from Matter B. Pattern E in the reference architectures section above describes the common topology. See the private AI cluster pillar for the full architecture.
What's your commitment on incident response?
Continuous monitoring with human analyst oversight during the contracted coverage window. High-severity detections enter investigation on a clock written into the engagement letter. When an incident crosses the reporting threshold for your framework (DFARS 7012, HHS OCR, SEC / FINRA, state AG notification), the playbook routes to the named internal owner on a timer derived from the statutory window. Specific minute-by-minute numbers are scoped per engagement because environment size and integrations vary; we would rather publish principles here and write defensible numbers into your agreement.
Do you integrate with my existing MSP, EHR, DMS, or tooling?
Usually yes. Most regulated-industry engagements begin with an existing provider in place; we either replace, supplement, or coordinate alongside depending on fit and urgency. We integrate with the EHRs named above (Epic, Athena, eClinicalWorks, NextGen, OpenDental and others), the document management systems named above (iManage, NetDocuments, SharePoint with governance overlay), and the WORM archival services named above (Global Relay, Smarsh). Where a client runs a niche tool, we scope integration work at the fit assessment stage rather than promising blind.
How fast can you stand up a CUI enclave?
For a small-to-mid subcontractor, we target a documented enclave ready for an internal readiness review within 60 to 90 days of signed engagement. Full CMMC Level 2 assessment readiness depends on your starting posture, SPRS history, and the control gaps surfaced at the fit assessment. The fit assessment produces a phased timeline before you commit to the build, so you know whether your target window is realistic before signing. Urgent timelines (active contract award requiring fast readiness) are accommodated where we have capacity.
Do I need to be in a regulated industry to engage?
No. The B2B SMB stack above covers non-regulated growth-stage companies, and the B2C SMB stack covers consumer-facing retail and hospitality. The strongest fit, though, is an organization that already operates under a framework (HIPAA, CMMC, FINRA, SEC, NYDFS, GLBA, state privacy law) or expects to take on such a requirement within 12 to 18 months. If that describes you, the fit is clean. If not, we will say so on the discovery call.
What does a fit assessment cost?
Custom-quoted from the discovery call. Scope varies meaningfully by organization size, existing control posture, and the framework under review. A 40-user defense subcontractor with an existing SSP is a different engagement than an eight-provider medical practice starting from commercial managed IT. Call Penny at (919) 348-4912 or request a fit call and the discovery conversation produces a scoped assessment quote within a few business days.

Ready to see the stack for your vertical?

Start with a free 15-minute discovery call. Penny confirms fit, captures the framework and timeline you are working against, and schedules an industry fit assessment if the direction lines up.