How we work

A clear, named process — so you always know what is happening and why.

Most IT providers are a black box: you file a ticket, something happens, you get a bill. We work the opposite way. Every engagement follows the same five phases, each one ends in a concrete deliverable you can read, and there is one accountable owner on the other end of the line. Transparency is the point — not a feature we bolt on.

  • Same five phases on every engagement — no improvised, undocumented work
  • Every phase produces a written deliverable in plain English with risk ratings
  • Month-to-month, no long-term contracts — and a clean exit with full handover if you leave

The engagement

Five phases, five deliverables

Each phase has a defined job and ends with something tangible in your hands. Nothing moves to the next phase until the deliverable is done and you have seen it.

  1. Kickoff

    We align on your business, your tolerance for risk, and what "good" looks like for you. We confirm scope, access, and the single point of contact on both sides.

    Deliverable: a one-page engagement brief — scope, contacts, escalation path, and how we will communicate.

  2. Discovery & Audit

    We inventory your environment — identities, endpoints, email, network, backups — and run a security and network audit. We document what we find and rate it by real-world risk, not jargon.

    Deliverable: a plain-English audit report — prioritized findings, each with a risk rating and a recommended fix.

  3. Hardening & Setup

    We close the gaps in priority order: MFA and identity hardening, endpoint protection and patching, managed backups, email security, and the Coeus Watchtower monitoring + alerting layer.

    Deliverable: a remediation tracker showing every finding, its owner, and its status as it moves from open to resolved.

  4. Monitoring & Response

    We assume breach. Watchtower watches your environment around the clock and posts alert cards to Microsoft Teams the moment something looks wrong — with automated password rotation on trigger so a stolen credential is shut down fast.

    Deliverable: live Teams alerting plus a running incident log — what fired, what we did, and when.

  5. Reviews

    On a regular cadence we step back and look at the whole picture: what changed, what risk remains, and what to do next. No surprises, no drift.

    Deliverable: a technology & risk review — an updated risk register and a clear set of next steps.

Our methodology

Prepare → Detect → Respond → Recover

The five phases sit on top of one operating loop. We prepare for the attack before it happens, detect it fast, respond decisively, and recover cleanly — then prepare again, sharper than before.

Prepare

Harden identities, endpoints, email, and backups before anything goes wrong.

Detect

Watchtower monitors continuously and surfaces anomalies in real time.

Respond

Teams alerts fire and automated password rotation shuts down the threat.

Recover

Restore from tested backups, then feed the lesson back into Prepare.

Typical timeline

What the first 30 days usually look like

Every environment is different, so treat this as a representative shape — the assessment sets the real schedule. The point is that you are protected quickly, not left waiting.

Week 1

Kickoff & Discovery

Engagement brief signed, access established, and the security & network audit underway. You receive the plain-English audit report with prioritized, risk-rated findings.

Weeks 2–3

Hardening & Setup

High-risk findings closed first — MFA, endpoint protection, patching, managed backups, email security. Coeus Watchtower monitoring and Teams alerting go live, tracked openly in the remediation tracker.

Week 4 onward

Monitoring & Reviews

Steady-state protection: continuous monitoring, helpdesk, and your first risk register. Reviews settle into a regular cadence so nothing drifts.

Sample deliverables

What you actually receive — redacted, illustrative

These are representative of the documents we produce, built with synthetic sample data. Real client deliverables contain your environment's findings and are never shared. The format and the plain-English risk ratings are exactly what you would see.

1 · Audit finding (from the Discovery report)

No MFA on admin accounts

Risk rating: High

Finding

Three Microsoft 365 global-admin accounts can sign in with a password alone. A single phished password would hand an attacker full control of the tenant.

Recommendation

Enforce multi-factor authentication on all administrative accounts and require number-matching. Estimated effort: under one day, zero downtime.

Backups never test-restored

Risk rating: Medium

Finding

Cloud backups are running but have never been restored. An untested backup is an assumption, not a recovery plan.

Recommendation

Run a documented test restore and schedule recurring restore drills so recovery is proven, not hoped for.

Illustrative example — synthetic sample data


2 · Remediation tracker (from the Hardening phase)

coeustech.net/remediation-tracker
ID    | Finding                               | Status      | Severity
R-001 | Enforce MFA on admin accounts         | Resolved    | High
R-002 | Deploy endpoint protection + patching | Resolved    | High
R-003 | Test-restore cloud backups            | In progress | Medium
R-004 | Retire shared mailbox password        | Open        | Medium

Illustrative example — synthetic sample data


3 · Risk register (from the Reviews phase)

coeustech.net/risk-register
ID    | Risk                                          | Rating | Status
RR-11 | Phishing — staff credential theft             | High   | Mitigating
RR-12 | Single point of failure — on-prem file server | Medium | Monitoring
RR-13 | Unmanaged personal devices on the network     | Medium | Planned
RR-14 | Vendor access without least-privilege         | Low    | Accepted

Illustrative example — synthetic sample data

Onboarding

Switching providers should not be scary

The fear with any IT change is the handover going wrong. We run onboarding as a deliberate, low-disruption sequence — and because we are month-to-month with a clean-exit guarantee, the same care applies if you ever leave us.

No "rip and replace" on day one

We stabilize first, then improve. Your team keeps working while we quietly inventory the environment, harden the highest risks, and stand up monitoring in the background. You will not wake up to a broken Monday.

Documented from day one

Access, accounts, and configuration are written down as we go — not locked in one person's head.

Clean exit, guaranteed

If you leave, you get a full handover of accounts, documentation, and credentials. No hostage data, ever.

One owner, start to finish

The person who onboards you is the person who runs your account.

Quick to protected

Highest-risk gaps are closed first, so you are safer in days — not quarters.

You always know the plan

Every step is communicated before it happens. No silent changes.

What you talk to

A named human — not a ticket robot

When you reach out, you reach a person who knows your environment. No phone tree, no rotating cast of strangers, no offshore script.

Matthew Staton — Owner & Principal Engineer

Your point of contact

Matthew personally builds and runs the managed IT and security for every client. Security-led, remote-first, Michigan-based. When something fires, you are talking to the person accountable for fixing it — not handing it to a queue and hoping.

See the process applied to your environment.

Every engagement starts the same way: a free security & IT assessment with a named, accountable owner. You will get a plain-English read on where you stand — no obligation, no lock-in.