Engagement notes
Eight recent engagements.
Each one anonymized. Each one substantive enough to give you a feel for what the work actually is — not just what slogan we'd put on it.
#01 Identity, Security & Compliance
Commercial → GCC High migration with CMMC L2 readiness
Aerospace components supplier (defense) · 220 seats
Tier-2 aerospace components supplier on a 14-week timeline to land in GCC High before a CUI-handling prime contract activated. Scope: tenant provisioning, ITAR-tagged file-share migration, AD-to-Entra hybrid, accounting integration with QuickBooks Enterprise, hardware MFA token rollout for privileged accounts, NIST 800-171 control mapping with a written POAM for residual gaps. Cutover landed on schedule. CMMC L2 readiness package delivered to the customer's compliance program for self-assessment attestation; C3PAO third-party assessment scoped separately.
#02 Microsoft 365 Copilot Readiness
Copilot Readiness assessment + 6-week remediation
Pacific Northwest healthcare network · 1,200 seats
Regional health network preparing for phased clinical Copilot rollout. The 2-week assessment surfaced 18,400 over-permissioned items across SharePoint and OneDrive — a mix of legacy 'Anyone in the company' shares, dormant guest access, and inheritance-broken site collections. 6-week remediation collapsed the exposure to under 200 reviewable items. Sensitivity-label baseline deployed. Purview DLP policies activated for PHI-in-chat and PHI-in-email. Written go-live recommendation: phased rollout to clinical staff in Q3, with administrative staff first as the canary cohort.
#03 VMware Exit & Server Modernization
VMware-to-Hyper-V migration after Broadcom 1,400% renewal hit
Manufacturing firm (mid-market discrete) · 500 VMs
Discrete manufacturer hit a $310K Broadcom renewal — up from $22K the year prior. The customer was already running Windows Server Datacenter, which meant Hyper-V was effectively pre-paid. Discovery (4 weeks) confirmed workload portability, no NSX or vSAN dependencies, and HCL-clean hardware. Wave-based cutover ran 8 weeks. Hypercare 2 weeks. Migration cost: $35K, 4-month payback against the Broadcom renewal. Year-2 run rate dropped to ~$20K (backup tooling and training). VMware decommissioned at week 14.
#04 Active Directory Audit
Three-layer AD audit (PingCastle + Purple Knight + manual)
Tribal nation healthcare + government · 17-DC AD forest
17-DC two-domain forest serving combined healthcare and government operations. Discovery-only engagement. Three audit layers in sequence: PingCastle for tier scoring and compliance baselines, Purple Knight for AD-specific attack-surface findings, manual review for misconfigurations the tools missed. Results: 61 findings total, 11 of them Tier-0. Forest functional level review surfaced a misconception about Server 2019 DFL — Microsoft never released a 2019/2022 functional level; Server 2016 (level 7) is the max for those forests. Hardening engagement scoped separately as Phase 2 implementation; the customer chose to remediate internally on the lower-priority findings.
#05 Microsoft 365 & Hybrid Exchange
Two-tenant merge — 60-day close + 60-day post-close cutover
Holding company M&A integration · $8B parent acquiring 200-seat subsidiary
$8B parent company acquired a 200-employee specialty subsidiary. Legal close was a hard 60-day deadline; tenant cutover scoped for an additional 60 days post-close. Complexity layers: Power Platform apps with environment-scoped data, externally shared apps with partner organizations, Teams chat history that the executive team wanted preserved across cutover, dual-mailbox routing during the transition window. Tenant-to-tenant migration completed inside the 60-day post-close window. No business interruption. Subsidiary's mail flow, file shares, Teams channels, and Power Platform apps all consolidated into the parent tenant with appropriate licensing reassignment.
#06 SharePoint & OneDrive Migration
File-share consolidation to SharePoint + OneDrive (KFM)
Tribal nation file-server consolidation · 737 shares / 15.28 TB
Discovery + dual-track migration design for a 737-share, 15.28 TB legacy file-server estate. 10.2 million files inventoried; 87.6% identified as cold (no access in 12+ months). Dual-track migration: actively used shares mapped to SharePoint sites with permissions remapped department-by-department; user home shares migrated to OneDrive with Known Folder Move (KFM) configured for desktop / documents / pictures redirection. ShareGate Pro tooling licensed for the migration. Batched by department to control blast radius. Cold-archive strategy for the 87.6%: tiered to inexpensive storage with a defined retrieval SLA rather than fully migrated.
#07 Microsoft 365 & Hybrid Exchange
Hybrid Exchange decommission ahead of Oct 2025 ESU window
Professional services firm · 800 seats
Last on-prem Exchange mailbox migrated, hybrid configuration cleanly removed before the Oct 14, 2025 Exchange 2019 mainstream-support cutoff. Customer had been running hybrid for years to support a small set of 'permanent' on-prem mailboxes; the project closed those out, retired the on-prem Exchange organization, and decommissioned the hybrid relationship per Microsoft's documented decommission sequence. ESU costs avoided: estimated $50K+ across what would have been the Year-1 ESU subscription. Hybrid-related complexity removed from the customer's identity and mail-flow architecture. Documentation handed off to internal IT.
#08 Identity, Security & Compliance
AD Tier-0 implementation — mid-market scaled
Financial services firm (mid-market RIA) · 350 seats
Mid-market financial services firm hardening their on-prem AD against ransomware blast-radius. Tier-0 model implemented in 90 days at mid-market scale — deliberately scaled down from the enterprise-grade RedForest / ESAE / JEA architectures into a model the customer's lean IT team could actually operate. PIM-based admin model deployed. Privileged-access workstations defined for Tier-0 administrators. Group policy and naming convention work. Outcome: a credible, sustainable Tier-0 boundary without the operational overhead of the full enterprise architecture. Documented for handoff and quarterly review.