Cloud Sentry

Plans

Start with the check. Grow into the function.

There are two ways in. The entry rung starts today: a fixed-fee inspection of your Microsoft 365 tenant, and a flat monthly package that keeps it in order. The three tiers publish their pricing below and enroll through a short configure-and-confirm call with our team.

Entry rung: start todayBuilt around Microsoft 365Tiers: configure with usPublished pricing

The entry rung

Start today

Self-enrollment lives here, on the smallest engagements we sell. Run the check once, or start the monthly package; either way you meet the people who do the work.

One-time, fixed fee

Microsoft 365 Hygiene Check

The smallest way to see how we work.

$1,950 one-time

What it inspects

  • Tenant configuration, reviewed setting by setting
  • Entra Conditional Access policies, including the gaps between them
  • Licensing hygiene: what you pay for against what your people use
  • Mail security posture: SPF, DKIM, DMARC, and transport rules

You get the results in a working session with our team: what we found, what it means, and what we would fix first.

How the fee works

The check fee credits into Microsoft 365 Admin Guidance when you enroll within 90 days. Continue, and the check costs you nothing.

Microsoft 365 Admin Guidance

The recurring entry package. Your tenant, kept in order.

$795/mo

What it covers

  • Monthly tenant hygiene, reviewed and summarized in writing
  • Conditional Access upkeep as Microsoft moves the defaults
  • Licensing review that cuts what nobody uses
  • Admin guidance from an operator who knows your tenant

How billing works

Flat per tenant through about 25 users, then $28 per user each month. No annual commitment; it runs month to month, and the Hygiene Check fee credits into your first 90 days.

The honest part. Covers one Microsoft 365 tenant. Migrations and larger projects are scoped separately, in writing, before any work starts.

What the Hygiene Check is not

  • A penetration test. Nobody attacks anything. We read configuration; we do not probe defenses.
  • An audit. It certifies nothing and satisfies no framework requirement. It tells you what we found, plainly.
  • An incident response. This is a scheduled inspection. If something is actively wrong, you need a different engagement and we will say so.

The three tiers

One pricing grammar, from the desk to the audit

Every tier prices the same way: a base operations fee for the company, plus a per-user rate for the work that scales with seats. The pricing is published here; enrollment runs through a short configure-and-confirm call. Every tier has a seat minimum, printed on the card. Below it, start on the entry rung; the check fee credits forward when you grow into a tier.

Foundations

Managed IT and the service desk, run on the platform.

15-user minimum

Base operations fee

$1,750/mo

Plus, for seat-scaled work

$85/user/mo

What it covers

  • A staffed service desk: requests land with a person and resolve against SLAs you can see
  • CSAT captured on resolved requests, visible to you
  • A knowledge base kept current as answers repeat
  • Service health in one view your whole team can read
  • A team console for the people who run your side

The honest part. Foundations is IT and the desk. Detection, access lifecycle, and compliance operations live in the two tiers above it.

Recommended starting point

Resilience

Foundations, plus security operations.

15-user minimum

Base operations fee

$2,750/mo

Plus, for seat-scaled work

$150/user/mo

Everything in Foundations, plus

  • Security operations run by our team
  • Managed detection via Microsoft Defender for Business and cloud-native signals
  • Access lifecycle: requests, provisioning, and joiner-mover-leaver
  • Coverage visibility, so you know who is watching and when

The honest part. Detection runs on Microsoft Defender for Business and cloud-native signals. If your estate sits outside that footprint, we will say so on the configure call.

Assurance

Resilience, plus compliance operations.

20-user minimum

Base operations fee

$4,500/mo

Plus, for seat-scaled work

$195/user/mo

Everything in Resilience, plus

  • An evidence vault your auditor can actually read
  • A risk register reviewed by an operator, on a set cadence
  • Policy acknowledgements tracked to completion
  • A questionnaire-response allotment for customer security reviews
  • A quarterly advisory review with our team

The honest part. One framework to start; additional frameworks are an add-on. The audit itself comes from an independent firm, and we will not pretend otherwise.

Included in every plan

The platform

The same product our operators work inside. You see the queue they see, and the history stays yours.

Named operators

Every queue has a person behind it, with a name you will learn and a face you will recognize on calls.

Published, flat pricing

The structure is public and the monthly retainer is flat. You can read the whole pricing page before anyone calls you.

A written annual escalator cap

Annual increases are capped in writing in the agreement. You know the ceiling before you sign.

The tiers change what's in the cards above. These four never change.

Fixed fee, one time

Engagements you can buy once

Three scoped engagements with a beginning, an end, and something in your hands afterward.

Risk assessment

A structured read of where your real risk sits: the systems, the identities, the access, and the gaps, ranked by what to fix first. You leave with a completed risk register, and you keep working it in the platform for six months.

$2,500 one-time

SOC 2 readiness snapshot

A point-in-time read on where you stand before the audit window opens. You leave with a prioritized gap list your team can work from.

$9,500 one-time

Incident tabletop exercise

A facilitated walkthrough of a bad day, run with your leadership team. You leave with a written summary of where the plan held and where it needs work.

$8,500 one-time

Who is watching, and when

Coverage, stated plainly

01

Resilience tier

Standard business-hours signal triage by our operators.

02

Detection & Response module

Extended coverage with sev-1 page-out, threat hunting, and incident run.

03

Enterprise uplift

Staffed around-the-clock coverage, scoped for enterprise engagements only.

No rung oversells the one above it. You know exactly who is watching and when.

Before you call

Common questions

What happens after the Hygiene Check?

You review the findings in a working session with our team: what we found, what it means, and what we would fix first. Some companies take the list and fix things internally, and that is a fine outcome. If you enroll in Microsoft 365 Admin Guidance within 90 days, the check fee credits into the package.

Can we move between tiers?

Yes, on a quarterly true-forward. When you outgrow a tier, the next quarter starts on the new one; your history, your operators, and the platform come with you.

What does the escalator cap mean?

Annual increases are capped in writing in the agreement, so you know the ceiling on renewal pricing before you sign anything.

Do plans require multi-year terms?

The three tiers are annual agreements, with multi-year options if you want to hold the structure longer. The entry rung is monthly.

Does the Hygiene Check only look at Microsoft 365?

The entry-rung check starts on Microsoft 365, where most companies our customers' size run identity and email. The tiers themselves run wider: managed IT covers both Microsoft 365 and Google Workspace, and cloud operations covers AWS, Azure, and GCP. Start on the M365 check, and the fee credits into Admin Guidance within 90 days.

Some companies need the bigger door.

The tiers run a lot. The operated partnership runs the whole function: IT, security, and compliance end to end, with named modules and one accountable lead. That work starts with a conversation, and the conversation is free.

Tell us what you run today and where it hurts. The partnership is configured around the full function, with named modules and a roadmap one accountable lead owns. Bring your own cloud if you have one; single-tenant BYOC deployment is available for qualified engagements.

Read how the partnership is structured, module by module, and where the tiers hand off to it.