Post-Quantum Ready · AI-Hardened · Human-Led

Secure the Sanctum.
Guard the Future.

Sanctum SecOps is a New York boutique cybersecurity firm building the operational security foundation small and defense-adjacent organizations need before AI-accelerated attacks, harvest-now-decrypt-later campaigns, and CMMC enforcement make unmanaged infrastructure unacceptable.

NY LLC · Horseheads, NY · EIN 42-2733487 · Focus: SMB · Nonprofit · DIB

110
NIST 800-171 Controls

Every CMMC Level 2 engagement maps to the SP 800-171 control families.

Nov '26
CMMC Phase 2 Window

Phased CMMC requirements continue to roll into DoD contracts.

SMB→DIB
Coverage

SMB, nonprofit, healthcare-adjacent, municipal, defense subcontractors.

Operator-Led
Delivery Model

Founder-delivered engagements. No layered junior teams.

Service Lines

Productized cybersecurity for organizations that can't afford ambiguity.

We sell outcomes — better identity control, audit evidence, vendor visibility, and readiness — not hours. Retainers, fixed-fee projects, and POC engagements built around the systems you already run.

01 · Retainer

Foundation Security Retainer

Documented security baseline for organizations starting their security program. Identity hygiene, Microsoft 365/Entra baseline, MFA, firewall & backup review, monthly executive summary.

Monthly · $500 – $2,500

02 · Retainer

Managed Security Operations

Recurring hands-on operations — Intune & endpoint policy, conditional access, vulnerability triage, RMM workflow, documentation, quarterly tabletop, vendor stack coordination.

Monthly · $2,500 – $7,500

03 · Retainer

Fractional CISO

Security roadmap, risk register, board reporting, policy program, cyber insurance support, vendor risk, incident response planning, compliance evidence strategy.

Monthly · $3,000 – $8,000

04 · Project

Security Baseline Assessment

Risk-ranked snapshot of identity, endpoint, network, and backup posture, with a remediation plan and executive summary you can hand to a board.

Fixed Fee · $2,500 – $7,500

05 · Project

Microsoft 365 / Entra / Intune Hardening Sprint

MFA enforcement, conditional access baseline, admin role hygiene, device compliance, security defaults audit, and full documentation package.

Fixed Fee · $3,500 – $12,000

06 · Project

PKI & Certificate Authority Design

Root/intermediate CA design, Vault or ADCS architecture, certificate policy draft, key ceremony checklist, revocation/OCSP plan, lifecycle automation.

Fixed Fee · $5,000 – $20,000

07 · Project

CMMC Readiness Gap Assessment

Scope, asset categorization, NIST SP 800-171 control mapping, SSP/POA&M starter, ESP notes, remediation roadmap. Readiness support — not certification.

Fixed Fee · $7,500 – $25,000

08 · Project

UniFi / WatchGuard Network Cleanup

Network diagram, VLAN/SSID review, firewall policy review, admin access review, configuration backup process, change-control documentation.

Fixed Fee · $2,500 – $10,000

09 · POC

Sanctum Trust Foundation POC

Short engagement that produces a visible, documented trust foundation: identity baseline, PKI narrative, evidence list, CMMC/NIST notes, and remediation roadmap.

Fixed Fee · $3,000 – $15,000

CMMC Readiness

Get to evidence-grade before your prime asks for it.

The DoD CMMC program assesses contractor and subcontractor implementation of safeguarding requirements for Federal Contract Information and Controlled Unclassified Information, and ties required CMMC status to applicable contract awards (DoD CIO CMMC overview). Level 2 is centered on the 110 security requirements in NIST SP 800-171.

  • Scope & asset categorization for FCI and CUI
  • NIST SP 800-171 control mapping across all 14 families
  • System Security Plan (SSP) and POA&M starter structures
  • External Service Provider (ESP) documentation notes
  • Risk-ranked remediation roadmap with 30/60/90-day plan

Readiness, not certification. Sanctum SecOps provides CMMC readiness consulting. We are not a C3PAO and do not issue CMMC certifications. Engage a certified C3PAO for formal CMMC Level 2 assessment.

PKI & Zero Trust

A trust foundation that holds up under inspection.

Hardware-backed root-of-trust, certificate-based authentication, and zero-trust network access are still rare for SMB-focused providers. We design PKI and identity systems that survive board questions, cyber-insurance underwriting, and CMMC evidence requests — without enterprise tooling sprawl.

  • Vault PKI, ADCS, and YubiKey-backed root and intermediate CA workflows
  • SSH CA concepts and SCEP integration for managed devices
  • Certificate inventory, revocation/CRL/OCSP, and lifecycle automation
  • Conditional access, MFA enforcement, admin separation
  • NetBird / Traefik / DNS / routing — ZTNA without expensive overlays

Microsoft Security

Make Microsoft 365 stop being your biggest open door.

Most SMB compromises don't start with novel zero-days — they start with overshared mailboxes, missing conditional access, dormant admin accounts, and unmanaged endpoints. Our Microsoft hardening sprint takes Entra ID, Intune, and Defender from default to defensible.

  • MFA enforcement & phishing-resistant authentication paths
  • Conditional access baseline tuned to user roles, not theory
  • Admin role separation, break-glass & PIM workflows
  • Intune device compliance & security baselines
  • Documentation package your auditor and insurer will accept

Fractional CISO

The security leader your board needs — at the budget your CFO accepted.

A vCISO retainer gives you continuity of security governance without the cost of a full-time hire. We build the risk register, own the policy roadmap, sit in front of the board, and run the program — quietly and competently.

  • Risk register, security roadmap, and quarterly board reporting
  • Policy program (Acceptable Use, Access, IR, Data Handling, Vendor Risk)
  • Cyber insurance application support & renewal evidence
  • Incident response plan + tabletop exercise
  • Coordination with your MSP, MDR, and tooling vendors

MSP & Channel Partners

A specialist subcontractor for the work MSPs would rather not own.

We work behind the scenes with MSPs, IT consultancies, CPAs, attorneys, and brokers — delivering PKI builds, identity hardening, CMMC documentation, and vCISO governance under your relationship.

For · MSP

White-labeled security delivery

PKI builds, Intune/Entra hardening, CMMC documentation, and vCISO governance delivered under your account relationship and SOW.

Engagement · Project + retainer

For · CPA / Legal

Compliance referral partner

Plain-language CMMC, NYDFS, and HIPAA briefings your clients can actually read — paired with a defensible remediation pathway.

Engagement · Co-branded one-pager

For · Broker

Cyber insurance pre-qualification

Help underwriting-ready clients close coverage gaps — MFA enforcement, IR plan, backup posture, vendor risk — before renewal.

Engagement · Assessment package

About · Founder-Operated

An operator who has implemented these systems — not described them in a deck.

Sanctum SecOps LLC is founder-operated. Engagements are scoped, sold, and led by the same practitioner — not handed to a junior team behind a logo. That's the moat.

Practitioner background

Hands-on experience with the tooling and architecture patterns SMB and defense-adjacent organizations actually run: Microsoft 365, Entra ID, Intune, Atera RMM, WatchGuard firewalls, UniFi networks, HashiCorp Vault, ADCS, YubiKey HSM workflows, Docker, NetBird, Traefik, PowerShell and Python automation, Windows and Linux infrastructure.

Entra ID · Intune · Microsoft 365 · Atera · WatchGuard · UniFi · Vault PKI · ADCS · YubiKey HSM · NetBird · Traefik · Docker · PowerShell · Python · Windows / Linux

Operating principles

  • Documentation is the deliverable. Every engagement leaves diagrams, asset inventory, policy, configuration summaries, and a backlog.
  • Outcomes over hours. Reduced ambiguity, better identity control, audit evidence, vendor visibility, cleaner insurance posture, board-ready reporting.
  • No vendor theatre. We use, configure, and document the tools you already pay for before we recommend new spend.
  • Independence. No conflicts with current employer; no exposure of confidential systems; clean IP separation.

Contact · Intake

Book a security readiness call.

Tell us about your environment, your compliance pressure, and the timeline. We'll respond with a short discovery agenda and a scoping question list.


This form opens your email client with a pre-filled message to admin@sanctumsecops.com. No data is sent to a third-party server from this page.