// AEGIS-DIB  |  Defense Industrial Base Security  |  Raleigh, NC

Nation State
APT Armor.

Hardened network security for defense manufacturers — built for the threat, built for CMMC compliance, built to run on hardware you can see.

Book Network Readiness Interview View Modules
82
CMMC Controls Mapped
8
Security Modules
0
Cloud Telemetry
20+
Years Infrastructure
NOV
2026
CMMC Phase 2 Enforcement
VOLT TYPHOON · LIVING-OFF-THE-LAND · SALT TYPHOON DNS EXFILTRATION · APT40 SUPPLY CHAIN · LOCKBIT DIB TARGETING · CMMC PHASE 2 NOV 2026 · NIST SP 800-171 · BEACON DETECTION · NETWORK SEGMENTATION · CUI HANDLING · ZERO CLOUD TELEMETRY · VOLT TYPHOON · LIVING-OFF-THE-LAND · SALT TYPHOON DNS EXFILTRATION · APT40 SUPPLY CHAIN · LOCKBIT DIB TARGETING · CMMC PHASE 2 NOV 2026 · NIST SP 800-171 · BEACON DETECTION · NETWORK SEGMENTATION · CUI HANDLING · ZERO CLOUD TELEMETRY ·
"CMMC can't name the adversary.
We can.
Your shop is being targeted by patient, nation-state-backed actors right now."
01 //
Volt Typhoon — Living off the Land No malware. No signatures to catch. Built-in Windows tools only. Beacon detection and behavioral analysis are the only realistic defense.
02 //
Salt Typhoon — DNS Exfiltration CUI leaves your network disguised as normal DNS traffic. Uncontrolled DNS resolvers are an open door. Most small shops have them.
03 //
Commodity Ransomware — OT Targeting Flat networks mixing office workstations with PLCs and HMIs are the most common ransomware entry path in manufacturing. One workstation. Your entire production floor.
04 //
CMMC is a Liability Framework — Not a Defense It can't name countries or APT groups by design. We map the threat intelligence CMMC implies but cannot say. Compliance evidence included. Actual protection is the point.
// Service Modules

Assembled to
your threat profile.

Every engagement starts with Module 01 — visibility is the foundation. Additional modules are selected based on assessment findings and your specific risk profile. Each module maps explicitly to CMMC controls and known APT TTPs.

MODULE 01 // FOUNDATION · ALWAYS INCLUDED
Intelligence-Driven Visibility
On-box processing · Zero cloud telemetry · CMMC AU · CA · SI

Full network and endpoint visibility. Passive traffic analysis, beacon detection, and endpoint behavioral monitoring — all processed on hardware in your facility. No vendor cloud. No subscription dependency.

  • Zeek full network connection logging
  • Suricata IDS with custom DIB signatures
  • RITA beacon & C2 pattern detection
  • Wazuh endpoint agents + file integrity monitoring
  • Automated CMMC evidence collection — 82 controls
  • Flask compliance console (HTTPS, per-user auth, CUI theme)
MODULE 02 // MODULAR SUB-PACKAGES
Perimeter Hardening
Mix and match · CMMC SC · AC control families

Most defenses watch what comes in. We watch what goes out, pin DNS to controlled resolvers, lock down every remote access door, and clean up firewall rules nobody has touched in a decade.

  • 02-A Egress filtering policy
  • 02-B DNS hardening + tunneling detection
  • 02-C Remote access audit + MFA enforcement
  • 02-D Firewall rule audit + cleanup
  • 02-E Network segmentation + VLAN design
MODULE 03 // CMMC AC · IA FAMILIES
Identity & Access Control
Credential theft is the most common lateral movement vector

MFA, privileged access hardening, and account auditing close the door most attackers walk through first. Integrated with your existing AD or M365 — no rip and replace.

  • MFA deployment and enforcement
  • Privileged access review + tiering
  • Account inventory and audit
  • Password policy enforcement via GPO
  • Session logging + anomaly alerting
  • M365 security baseline (optional)
MODULE 04 // UNIQUE CAPABILITY · HIGH ROI
Deception Layer
Nation state early warning · Zero false positives · Any alert is real

Patient adversaries do slow reconnaissance before striking. We plant tripwires they cannot avoid — fake CUI documents, honey credentials, decoy endpoints. The moment they touch anything, you know. Before they know you know.

  • Sentinel files — fake ITAR / CUI documents with callbacks
  • Honey credentials embedded in systems and shares
  • Canarytokens on critical assets
  • Decoy AD objects + honey endpoints
  • Self-hosted Canarytokens — no external service dependency
MODULE 05 // DIB-SPECIFIC · HUMAN-CURATED
Threat Intelligence
Geopolitical context · APT TTP mapping · MISP integration

Signatures tuned to known nation state TTPs — Volt Typhoon living-off-the-land, Salt Typhoon DNS exfil, APT40 supply chain techniques. Updated by a human analyst tracking the threat landscape your sector actually faces.

  • MISP threat intelligence platform
  • APT TTP-tuned Suricata ruleset
  • DIB-specific threat indicator feeds
  • Geopolitical context-driven rule updates
  • ISAC feed integration
MODULE 06 // CMMC IR FAMILY
Incident Response
When, not if · Forensic capability · Evidence preservation

When something happens — and it will — you need forensic capability, a documented response process, and evidence that survives legal and regulatory scrutiny. Module 06 ensures you're not building the plan during the crisis.

  • Written incident response plan (tailored)
  • Velociraptor forensic collection capability
  • Evidence chain of custody documentation
  • DoD / prime contractor notification procedures
  • IR retainer — up to 4 hours/year included
MODULE 07 // CMMC ALL 14 DOMAINS
Compliance Engine
Automated evidence · POA&M · Assessment-ready output

82 CMMC Level 2 controls mapped to live security telemetry. Automated monthly compliance reports, POA&M generation, and an evidence archive formatted for C3PAO submission. The compliance documentation your assessor will ask for, built continuously.

  • 82-control CMMC Level 2 mapper
  • Automated monthly HTML + PDF compliance reports
  • POA&M auto-population from findings
  • System Security Plan (SSP) development
  • C3PAO evidence package compilation
MODULE 08 // FUTURE STATE · SHIELDGATE
Multi-Site SOC Layer
Cross-client correlation · Supply chain visibility · Coming 2027

ShieldGate aggregates signals across multiple AEGIS deployments — correlating threat patterns across the supply chain, sharing anonymized IOCs between DIB clients, and providing cross-site anomaly detection that no single deployment can see alone.

  • Cross-client beacon correlation
  • Anonymized IOC sharing between clients
  • Supply chain threat pattern detection
  • Aggregate CMMC posture reporting
  • Available to Manage + Full Service clients
// Engagement Profiles

Start where you are.
Build to where you need to be.

Profile A
STARTER
Visibility, perimeter hardening, and identity controls. The foundation every DIB shop needs before anything else.
M01 — Intelligence-Driven Visibility
M02 — Perimeter Hardening
M03 — Identity & Access Control
M07 — Compliance Engine
CMMC Level 2 Coverage
~65%
Profile B
STANDARD
Adds the deception layer and IR capability. Practical nation state deterrence for shops with active DoD contracts.
M01 — Intelligence-Driven Visibility
M02 — Perimeter Hardening
M03 — Identity & Access Control
M04 — Deception Layer
M06 — Incident Response
M07 — Compliance Engine
CMMC Level 2 Coverage
~85%
Profile C
ADVANCED
All modules. Full CMMC Level 2 coverage. Human-curated threat intelligence tuned to your specific sector and adversary profile.
M01 through M07 — All Modules
M05 — Threat Intelligence active
Priority access to M08 ShieldGate
Quarterly executive briefing
Assessment preparation included
CMMC Level 2 Coverage
~95%+
// Engagement Process

From first call to
running appliance.

01
Network Readiness Interview
30–45 minute remote call. We walk through your network, endpoints, policies, and CMMC posture. No charge. No obligation.
// FREE · SAME-DAY SUMMARY
02
Readiness Report & Proposal
A one-page readiness summary delivered before you leave the building — traffic light findings across all 14 CMMC domains, top three priorities, fixed-price proposal.
// DELIVERED SAME DAY
03
Deployment Day
On-site installation — appliance or VM, network tap configuration, Wazuh agent deployment to all endpoints. Ansible-automated, documented, and tested before we leave.
// TYPICALLY 1 DAY ON-SITE
04
Ongoing Service
Monthly compliance reports, alert triage, POA&M updates, and remediation support. You get evidence. You get visibility. You get compliance momentum.
// MONTHLY RECURRING
// Monthly Service Tiers

Recurring service.
Predictable cost.

All tiers require a one-time Phase 1 deployment engagement. Pricing shown is for ≤15 endpoints — scales with environment size. Triangle / Triad area on-site included.

Monitor
from $500/mo
Eyes and evidence. You own remediation. Best for shops with in-house IT who need compliance coverage and network visibility without hand-holding.
  • AEGIS appliance operation + health monitoring
  • Monthly CMMC compliance report (HTML + PDF)
  • POA&M tracking — advances and regressions flagged
  • Monthly alert triage summary
  • Quarterly check-in call
  • Email support — 2 business day response
  • Quarterly Ansible stack updates
≤15 EP: $500  |  16–35 EP: $625  |  36–50 EP: $750
Manage
from $1,200/mo
SND monitors and leads remediation. Best for shops without dedicated security staff or an MSP that doesn't cover this ground.
  • Everything in Monitor
  • Weekly alert triage — critical alerts within 48 hours
  • Monthly remediation session (1hr remote)
  • One on-site visit per quarter
  • Wazuh rule tuning + configuration updates
  • Firewall policy review (twice yearly)
  • IR support — 4 hours/year included
  • Phone support — 4 business hour response
≤15 EP: $1,200  |  16–35 EP: $1,500  |  36–50 EP: $1,800
Full Service
from $2,500/mo
SND drives the compliance program. Best for shops with active DoD contracts and near-term CMMC assessment deadlines.
  • Everything in Manage
  • Weekly alert review with written summary
  • Unlimited remote remediation support
  • Two on-site visits per quarter
  • SSP maintenance — kept current
  • POA&M actively worked by SND
  • CMMC mock assessment walkthrough
  • Annual executive briefing
  • Priority phone — 2 business hour response
≤15 EP: $2,500  |  16–35 EP: $3,000  |  36–50 EP: $3,500
// Why SND

Built different.
On purpose.

20+ years of enterprise infrastructure. Former sole global escalation engineer for SolarWinds ThreatMonitor. Deep Cisco, DNS, and network behavioral analysis expertise. Not a platform vendor. Not a staffing firm. A consultant who has been inside these networks and knows what breaks.

AEGIS-DIB is built on open-source components — Zeek, Suricata, Wazuh, RITA — deployed via Ansible to hardware you own, in your facility, under your control. No vendor lock-in. No cloud dependency. No telemetry leaving your network. When the SaaS platform goes down, your security keeps running.

  • Others
    Cloud-analyzed EDR
    SND
    On-box processing, zero cloud
  • Others
    Endpoint-only visibility
    SND
    Full network + endpoint layer
  • Others
    Generic threat feeds
    SND
    DIB-specific, human-curated
  • Others
    Compliance is a checkbox
    SND
    Evidence built continuously
  • Others
    Vendor lock-in
    SND
    Open source stack you own
  • Others
    OT devices invisible to EDR
    SND
    Network layer sees everything
// Network Readiness Interview

Know where
you stand.

A free 30–45 minute call. We walk through your network, your endpoints, your policies, and your CMMC posture. You get a one-page readiness summary — traffic lights across all 14 CMMC domains, top three priorities, and a clear picture of what November 2026 looks like from where you are today. No charge. No obligation. Delivered same day.

Schedule Your Free Interview
Triangle / Triad area · Remote interviews available anywhere in the US
info@snd-security.com  ·  Standalone Network Defense LLC  ·  Raleigh, NC