Enterprise-Grade Cybersecurity, Built for Small Business

A layered, defense-in-depth security architecture protecting Sacramento-area businesses across every attack surface.

Most small businesses run a single layer of security and hope it holds. We build seven. Below is the full architecture we deploy and manage for our clients. Every tool, every layer, and the specific risk each one is designed to stop.

Identity & Access Management

Controlling who can access what, and proving they are who they say they are.

What's in this layer
  • Cisco Duo Mobile: Multi-factor authentication (MFA) that requires users to verify their identity from a trusted device before accessing systems. Stops over 99% of account compromise attacks even when passwords are stolen.
  • Bitwarden: Enterprise password manager that ensures every employee uses strong, unique credentials for every account, eliminating password reuse, one of the leading causes of business breaches.
  • Microsoft 365: Provides centralized identity through Entra ID, enabling single sign-on, conditional access policies, and role-based permissions across cloud applications.
  • Hexnode: Mobile Device Management (MDM) that ties device identity to user identity, ensuring only enrolled, compliant devices can access corporate resources.

Endpoint Security

Protecting the laptops, desktops, and mobile devices your team uses every day.

What's in this layer
  • Atera: Remote Monitoring and Management (RMM) platform that continuously monitors device health, deploys security patches, and detects anomalies across every endpoint.
  • Hexnode: Enforces security policies on company devices: encryption, screen locks, app restrictions, and remote wipe capability for lost or stolen hardware.
  • ScreenConnect (ConnectWise Control): Secure remote support tool that lets our technicians resolve issues quickly without exposing devices to risky third-party access methods.
  • Windows Session Host (VDI): Virtual desktop environment that keeps sensitive data on secured servers rather than individual devices, dramatically reducing exposure if a laptop is lost or compromised.

Email & Cloud Security

Securing the platforms where most business work and most attacks happen.

What's in this layer
  • IronScales: AI-powered email security platform that detects and automatically removes phishing, business email compromise (BEC), and account takeover attempts that bypass traditional filters. Uses machine learning trained on millions of real attacks plus crowd-sourced threat intelligence from thousands of organizations to catch threats Microsoft 365 misses.
  • Microsoft 365: Includes Exchange Online Protection and Defender for Office 365, providing anti-phishing, anti-malware, and safe-link scanning across email and Teams.
  • Cisco Duo Mobile: Adds MFA to all Microsoft 365 logins, blocking unauthorized access even when credentials are phished or leaked.
  • Bitwarden: Secures cloud service credentials with encrypted vaults, secure sharing, and audit trails for every password access.

Network Security

Defending the perimeter and internal network from intrusion.

What's in this layer
  • pfSense: Enterprise-grade firewall that controls all traffic in and out of your network, with deep inspection, VPN access, and granular rule sets.
  • pfBlockerNG: Advanced threat intelligence layer for pfSense that blocks known malicious IPs, ad networks, and entire high-risk geographies before they ever reach your network.
  • HAProxy: Reverse proxy and load balancer that shields internal services from direct internet exposure and provides SSL termination for secure communications.
  • UniFi: Managed network infrastructure (switches, access points, gateways) providing network segmentation, guest network isolation, and centralized visibility.

Infrastructure & Virtualization Security

The hardened foundation everything else runs on.

What's in this layer
  • Proxmox VE: Enterprise virtualization platform that hosts critical services in isolated environments, enabling rapid recovery, snapshots, and reduced hardware risk.
  • Pulse: Real-time infrastructure monitoring dashboard purpose-built for Proxmox environments, providing unified visibility across virtualization hosts, containers, and backup systems with intelligent alerting before issues become outages.
  • Windows Session Host (VDI): Centralizes user computing into controlled, monitored sessions where data never leaves the secured environment.
  • UniFi: Provides VLANs and network segmentation that contain breaches and prevent lateral movement between systems.

Backup & Disaster Recovery

Ensuring the business survives ransomware, hardware failure, or human error.

What's in this layer
  • CubeBackup: Backs up Microsoft 365 data (email, OneDrive, SharePoint, Teams) to independent storage, protecting against accidental deletion, ransomware, and the gap in Microsoft's own retention.
  • UrBackup: Image and file-level backups of servers and workstations, enabling complete system restoration in hours rather than days.
  • Proxmox Backup Server: Purpose-built, deduplicated, and encrypted backup platform for virtualized infrastructure. Provides incremental backups, integrity verification, and air-gapped storage options that protect against ransomware attacks targeting backup systems themselves.
  • Proxmox VE: Provides VM-level snapshots and replication for near-instant rollback of critical infrastructure.

Monitoring, Detection & Response

Detecting threats early and responding before damage spreads.

What's in this layer
  • Wazuh: Open-source SIEM and XDR platform that aggregates logs from across your environment, detects threats in real time, and supports compliance reporting (HIPAA, PCI, etc.).
  • IronScales: Provides continuous monitoring of email threats with automated remediation: when a phishing email is identified anywhere in the network, it's instantly removed from every inbox it reached.
  • Atera: Continuous monitoring of every endpoint with automated alerting for suspicious behavior, failed logins, and system anomalies.
  • Pulse: Real-time infrastructure monitoring with smart alerts for virtualization hosts, container workloads, and backup systems, surfacing issues like failing backups, capacity thresholds, and clock drift before they cause outages.
  • pfSense + pfBlockerNG: Network-level monitoring and automated blocking of threats as they appear in real-time threat feeds.
  • ScreenConnect: Enables our team to respond to incidents within minutes, anywhere, anytime.

Why This Stack

This is a layered, defense-in-depth architecture, not a single product. Each layer assumes another may fail. If a phishing email slips past email filtering, MFA stops the login. If MFA is bypassed, endpoint monitoring detects the anomaly. If an endpoint is compromised, network segmentation contains it. If everything fails, immutable backups bring you back online.

That's how enterprise-grade security actually works. And it's what we deliver to small businesses that take their security seriously.

Want to know how your current security stacks up?

Schedule a no-obligation security assessment. We'll review your current environment against this framework and show you exactly where the gaps are, and what they would cost you.

Schedule a Security Assessment Call (916) 345-3616

We do not use advertising or analytics cookies on this site. If you contact us through a form, we collect the information you provide so we can respond to your request.