Micro-IT/Security

Eleven vendors. Seven layers. One stack.

We don't pick one tool and call it security. Every Micro-IT client gets the same defense-in-depth — best-of-breed at every layer, monitored 24/7 by a managed SOC, integrated through Datto and Kaseya so it's one pane of glass instead of eleven login pages.

7 defense layers · 11+ vetted vendors · 24/7 SOC monitoring

Tools in production · every client · Live

Datto EDR, RocketCyber SOC, Datto RMM, Datto BCDR, Datto SaaS Protection, Datto File Protection, Microsoft Entra ID, Defender for 365, Inky, DNSFilter, NextDNS, Ubiquiti UniFi, SaaS Alerts, BullPhish ID, Dark Web ID

·· 02 ·· The toolset

Best-of-breed at every layer.

No mystery vendors. No "proprietary platform." Each tool below is a category leader, deployed on every client we onboard. We pay for them so you don't have to evaluate them.

EDR · Endpoint
Datto EDR

Behavioral threat detection on every workstation, server, and laptop. Auto-isolates infected devices.

SOC · 24/7
RocketCyber

Managed Security Operations Center watching every alert from every client, every hour, every day.

RMM · Patch
Datto RMM

Remote monitoring and management. OS and third-party patching on a 72-hour critical SLA.

Backup · Image
Datto BCDR

Image-level backup with on-prem appliance and immutable cloud copies. RPO ≤ 1 hour for critical systems.

Backup · SaaS
Datto SaaS Protection

Daily backup of every Microsoft 365 mailbox, OneDrive, SharePoint site, and Teams channel.

Backup · Files
Datto File Protection

Continuous file-level backup for endpoints. Recover an individual document in minutes, not hours.

Identity
Microsoft Entra ID

MFA enforced on every account. Conditional Access by location, device posture, and risk signal.

Email · Defense
Microsoft Defender for 365

Inline scanning of every email and attachment. Safe Links and Safe Attachments enforced.

Email · Anti-phish
Inky

AI-driven impersonation and phishing detection. Banner warnings on suspicious mail, in-Outlook reporting.

DNS · Endpoint
DNSFilter

Per-endpoint DNS filtering, on or off the network. Blocks known-bad domains before the browser loads.

DNS · Network
NextDNS

Network-level DNS filtering at the gateway. Visibility into every device, including IoT and guest.

Network
Ubiquiti UniFi

Gateways, switches, and access points with intrusion prevention. VLAN segmentation for POS, IoT, and guest.

SaaS · Alerts
SaaS Alerts

Continuous monitoring of M365 admin actions, suspicious sign-ins, and configuration drift.

People · Training
BullPhish ID

Quarterly phishing simulations and short-format training. The only layer with a human in it.

People · Dark web
Dark Web ID

Continuous monitoring of every client domain on the dark web. Alerts when credentials surface in a breach.

·· 03 ·· The seven layers

Every layer covered. Nothing left to the user.

The same control set deployed on every client environment. Below is exactly what runs, layer by layer, with the named vendor in each box.

LAYER 01 · IDENTITY

Who can sign in

MFA enforced on every identity. Conditional access by location and device. Quarterly access reviews documented.

Microsoft Entra ID · Conditional Access

LAYER 02 · ENDPOINT

What's on the device

EDR with 24/7 SOC monitoring. OS and 3rd-party patching on a 72-hour critical SLA. Image-level backup.

Datto EDR · RocketCyber SOC · Datto RMM

LAYER 03 · EMAIL

The #1 attack vector

Advanced anti-phishing, banner warnings on external mail, impersonation protection, SaaS backup.

Microsoft Defender for 365 · Inky · SaaS Alerts · Datto SaaS Protection

LAYER 04 · DNS

Where they're going

DNS filtering on every endpoint, on or off the network. Block known-bad domains before the browser loads them.

DNSFilter

LAYER 05 · NETWORK

The perimeter

UniFi gateways & firewalls with intrusion prevention. Segmented guest, IoT, and POS networks. NextDNS at the DNS layer, on-network and off.

Ubiquiti UniFi · NextDNS

LAYER 06 · BACKUP

When the worst happens

Encrypted, off-site backups with verified restore tests. RPO ≤ 1hr for critical systems. Immutable cloud copies.

Datto BCDR · Datto SaaS Protection · Datto File Protection

LAYER 07 · PEOPLE

The biggest variable

Quarterly phishing simulations and short-format training. Reportable phish button in every Outlook client.

BullPhish ID · Dark Web ID

·· 04 ·· Defense in depth

How the layers catch a real attack.

A single tool catches some things. The whole stack catches almost everything — because each layer is a checkpoint, and the same threat has to defeat multiple controls before it reaches a keyboard. Here's how three common attacks actually play out.

Scenario 01
Phishing email with a malicious link.
Caught at Layer 3. User never sees the click.

  • Layer 03 · Email: Defender for 365 + Inky — flag the impersonation, rewrite the link, banner the message, isolate the attachment.
  • Layer 04 · DNS: DNSFilter — even if delivered, the destination resolves to a known-bad category and the request is blocked at the endpoint.
  • Layer 07 · People: BullPhish ID training — user has seen this exact pattern in last month's simulation, reports it via the Outlook button.

Scenario 02
Stolen password used from an unfamiliar location.
Caught at Layer 1. Sign-in blocked, on-call paged.

  • Layer 01 · Identity: Microsoft Entra Conditional Access — sign-in attempt from a high-risk geography is blocked outright. MFA challenge required.
  • Layer 03 · Email: SaaS Alerts — admin alert fires on the suspicious sign-in pattern; mailbox audit kicks in to check for forwarding rules.
  • SOC: RocketCyber — pages the on-call engineer; session revoked, password forced reset, customer notified within 15 minutes.
  • Layer 07 · People: Dark Web ID — the leaked credential gets cross-checked against breach data; pattern is added to client's risk register.

Scenario 03
Ransomware payload runs on a workstation.
Caught at Layer 2. Workstation isolated in seconds, full restore in hours.

  • Layer 02 · Endpoint: Datto EDR — behavioral detection identifies the encryption pattern and auto-isolates the device from the network.
  • SOC: RocketCyber — pages on-call within 30 seconds. Customer call placed within 15 minutes per the runbook.
  • Layer 05 · Network: UniFi IPS — confirms no lateral movement; segmented VLANs prevent the spread to the POS or imaging network.
  • Layer 06 · Backup: Datto BCDR — last clean image is identified and staged for instant restore. RPO ≤ 1 hour for critical systems.

·· 05 ·· Incident response

What happens in the first 60 minutes.

A documented runbook for the moment something goes wrong — so the response is repeatable, not improvised.

T+0:00

Alert fires

EDR detects suspicious behavior. SOC pages the on-call engineer. Customer added to active-incident channel.

T+0:05

Containment

Affected endpoint isolated from the network automatically. Identity sessions revoked. No human required.

T+0:15

Customer call

Direct phone call to the primary contact. Plain-English summary: what we see, what we've already done, what's next.

T+0:30

Forensics

Memory and disk capture. Mailbox audit. Lateral-movement check across all managed endpoints.

T+1:00

Recovery decision

Restore from clean backup, rebuild, or rollback. Decision documented. Customer signs off before changes apply.

T+24h

Post-incident report

Written summary: timeline, root cause, controls that worked, controls being added. Filed in your QBR binder.

·· 06 ·· How we treat your data

Your data, your control.

Plainly, here's where your data lives, who can see it, and what we do with it.

Where it lives

Your data stays in your tenancies — Microsoft 365, your line-of-business apps, your on-prem servers. We don't pool customer data into shared systems.

  • Backups encrypted in flight and at rest
  • US-based data centers
  • Customer-held encryption keys available

Who can see it

Least-privilege access for every Micro-IT engineer. All admin actions logged. Quarterly access reviews include our team — not just yours.

  • Background-checked engineers
  • MFA + hardware keys for admin access
  • BAA on file for every healthcare client

What you get out

If you ever leave, you take everything: documentation, configs, recovery keys, and a clean handoff to your next provider — at no charge.

  • 30-day offboarding guarantee
  • Full configuration export
  • No data ransom — ever

Want to see how your current stack stacks up? 30-minute review, no slide deck.