// AEGIS-DIB  |  CMMC compliance for small DIB manufacturers  |  Raleigh, NC

Compliance
you can prove.

An on-premise appliance that takes small defense manufacturers to CMMC Level 2 — with cryptographically signed, assessor-verifiable evidence. Honest about what it proves. Right-sized for shops that don't need a SOC.

Book Network Readiness Interview View Modules
300+
800-171A Objectives Mapped
Signed
+ Merkle-Anchored Evidence
0
Cloud Telemetry
20+
Years Infrastructure
NOV
2026
CMMC Phase 2 Enforcement
CMMC LEVEL 2 · NIST SP 800-171 · SIGNED EVIDENCE · MERKLE-ANCHORED · ASSESSOR-VERIFIABLE · SSP & POA&M · CUI HANDLING · ON-PREM APPLIANCE · HARDWARE-BACKED SIGN-OFF · NETWORK SEGMENTATION · ZERO CLOUD TELEMETRY · NOV 2026 DEADLINE · CMMC LEVEL 2 · NIST SP 800-171 · SIGNED EVIDENCE · MERKLE-ANCHORED · ASSESSOR-VERIFIABLE · SSP & POA&M · CUI HANDLING · ON-PREM APPLIANCE · HARDWARE-BACKED SIGN-OFF · NETWORK SEGMENTATION · ZERO CLOUD TELEMETRY · NOV 2026 DEADLINE ·
"Most compliance is a binder of claims.
Ours is signed proof.
Evidence an assessor can re-check themselves — not a vendor's word."
01 //
Signed & anchored Every check is producer-signed and Merkle-anchored. Tamper-evident by construction — the difference between a screenshot and proof.
02 //
An independent verifier A CLI your assessor runs to re-check the entire evidence chain. Verification doesn't require trusting us.
03 //
Honest by design Each control is labeled by how it's proven. The console never shows green it can't defend in an assessment.
04 //
People, provably Real staff sign adopted policies with hardware-backed passkeys. Identity is cryptographic, not asserted.
// Service Modules

Assembled to
your compliance scope.

Every engagement starts with Module 01 — visibility is the foundation. Additional modules are added based on your assessment findings and the controls you need to close. Each module maps explicitly to CMMC control families, with sensible network hardening included along the way.

MODULE 01 // FOUNDATION · ALWAYS INCLUDED
Intelligence-Driven Visibility
On-box processing · Zero cloud telemetry · CMMC AU · CA · SI

Full network and endpoint visibility. Passive traffic analysis, beacon detection, and endpoint behavioral monitoring — all processed on hardware in your facility. No vendor cloud. No subscription dependency.

  • Zeek full network connection logging
  • Suricata IDS with custom DIB signatures
  • RITA beacon & C2 pattern detection
  • Endpoint behavioral monitoring + file integrity
  • Native host agents → signed, Merkle-anchored compliance evidence
  • Compliance console (HTTPS, per-user auth, CUI theme)
MODULE 02 // MODULAR SUB-PACKAGES
Perimeter Hardening
Mix and match · CMMC SC · AC control families

Most defenses watch what comes in. We watch what goes out, pin DNS to controlled resolvers, lock down every remote access door, and clean up firewall rules nobody has touched in a decade.

  • 02-A Egress filtering policy
  • 02-B DNS hardening + tunneling detection
  • 02-C Remote access audit + MFA enforcement
  • 02-D Firewall rule audit + cleanup
  • 02-E Network segmentation + VLAN design
MODULE 03 // CMMC AC · IA FAMILIES
Identity & Access Control
Credential theft is the most common lateral movement vector

MFA, privileged access hardening, and account auditing close the door most attackers walk through first. Integrated with your existing AD or M365 — no rip and replace.

  • MFA deployment and enforcement
  • Privileged access review + tiering
  • Account inventory and audit
  • Identity reconciliation — accounts mapped to real people, hardware-backed sign-off
  • Password policy enforcement via GPO
  • Session logging + anomaly alerting
  • M365 security baseline (optional)
MODULE 04 // UNIQUE CAPABILITY · HIGH ROI
Deception Layer
High-signal early warning · Zero false positives · Any alert is real

Tripwires an intruder can't avoid — fake CUI documents, honey credentials, decoy endpoints. The moment anything touches one, you get a real alert. No tuning, no noise: if it fires, something is genuinely wrong.

  • Sentinel files — fake ITAR / CUI documents with callbacks
  • Honey credentials embedded in systems and shares
  • Canarytokens on critical assets
  • Decoy AD objects + honey endpoints
  • Self-hosted Canarytokens — no external service dependency
MODULE 05 // DIB-SPECIFIC · HUMAN-CURATED
Threat Intelligence
DIB-relevant indicators · Human-curated · MISP integration

Detection tuned to the indicators that actually matter for small DIB shops — curated by a human, not a generic vendor feed. An optional layer for clients who want monitoring beyond the compliance baseline.

  • MISP threat intelligence platform
  • DIB-tuned Suricata ruleset
  • DIB-specific threat indicator feeds
  • Geopolitical context-driven rule updates
  • ISAC feed integration
MODULE 06 // CMMC IR FAMILY
Incident Response
When, not if · Forensic capability · Evidence preservation

When something happens — and it will — you need forensic capability, a documented response process, and evidence that survives legal and regulatory scrutiny. Module 06 ensures you're not building the plan during the crisis.

  • Written incident response plan (tailored)
  • Velociraptor forensic collection capability
  • Evidence chain of custody documentation
  • DoD / prime contractor notification procedures
  • IR retainer — up to 4 hours/year included
MODULE 07 // CMMC ALL 14 DOMAINS
Compliance Engine
Signed evidence · POA&M · Assessment-ready output

NIST 800-171A mapped at the assessment-objective level — 300+ of 320 objectives across all 110 controls — to live, signed telemetry. Every fact is producer-signed and Merkle-anchored; an independent verifier lets your assessor re-check the evidence themselves. SSP and POA&M render from the evidence, not over it.

  • 800-171A objective-level mapper (300+ of 320)
  • Append-only, signed, Merkle-anchored evidence bus
  • Independent verifier — assessor-runnable, no trust required
  • Hardware-backed people-signing on adopted policies (WebAuthn)
  • POA&M + SSP rendered from live evidence · C3PAO package
MODULE 08 // FUTURE STATE · SHIELDGATE
Multi-Site SOC Layer
Cross-client correlation · Supply chain visibility · Coming 2027

ShieldGate aggregates signals across multiple AEGIS deployments — correlating threat patterns across the supply chain, sharing anonymized IOCs between DIB clients, and providing cross-site anomaly detection that no single deployment can see alone.

  • Cross-client beacon correlation
  • Anonymized IOC sharing between clients
  • Supply chain threat pattern detection
  • Aggregate CMMC posture reporting
  • Available to Manage + Full Service clients
// Engagement Profiles

Start where you are.
Build to where you need to be.

Profile A
STARTER
Visibility, perimeter hardening, and identity controls. The foundation every DIB shop needs before anything else.
M01 — Intelligence-Driven Visibility
M02 — Perimeter Hardening
M03 — Identity & Access Control
M07 — Compliance Engine
CMMC Level 2 Coverage
~65%
Profile B
STANDARD
Adds the deception layer and IR capability. Practical, right-sized security for shops with active DoD contracts.
M01 — Intelligence-Driven Visibility
M02 — Perimeter Hardening
M03 — Identity & Access Control
M04 — Deception Layer
M06 — Incident Response
M07 — Compliance Engine
CMMC Level 2 Coverage
~85%
Profile C
ADVANCED
All modules. Full CMMC Level 2 coverage. Human-curated monitoring tuned to your specific sector.
M01 through M07 — All Modules
M05 — Threat Intelligence active
Priority access to M08 ShieldGate
Quarterly executive briefing
Assessment preparation included
CMMC Level 2 Coverage
~95%+
// Engagement Process

From first call to
running appliance.

01
Network Readiness Interview
30–45 minute remote call. We walk through your network, endpoints, policies, and CMMC posture. No charge. No obligation.
// FREE · SAME-DAY SUMMARY
02
Readiness Report & Proposal
A one-page readiness summary delivered before you leave the building — traffic light findings across all 14 CMMC domains, top three priorities, fixed-price proposal.
// DELIVERED SAME DAY
03
Deployment Day
On-site installation — appliance or VM, network tap configuration, host agent enrollment on all endpoints. Ansible-automated, documented, and tested before we leave.
// TYPICALLY 1 DAY ON-SITE
04
Ongoing Service
Monthly compliance reports, alert triage, POA&M updates, and remediation support. You get evidence. You get visibility. You get compliance momentum.
// MONTHLY RECURRING
// Monthly Service Tiers

Recurring service.
Predictable cost.

All tiers require a one-time Phase 1 deployment engagement. Pricing shown is for ≤15 endpoints — scales with environment size. Triangle / Triad area on-site included.

Monitor
from $500/mo
Eyes and evidence. You own remediation. Best for shops with in-house IT who need compliance coverage and network visibility without hand-holding.
  • AEGIS appliance operation + health monitoring
  • Monthly CMMC compliance report (HTML + PDF)
  • POA&M tracking — advances and regressions flagged
  • Monthly alert triage summary
  • Quarterly check-in call
  • Email support — 2 business day response
  • Quarterly Ansible stack updates
≤15 EP: $500  |  16–35 EP: $625  |  36–50 EP: $750
Manage
from $1,200/mo
SND monitors and leads remediation. Best for shops without dedicated security staff or an MSP that doesn't cover this ground.
  • Everything in Monitor
  • Weekly alert triage — critical alerts within 48 hours
  • Monthly remediation session (1hr remote)
  • One on-site visit per quarter
  • Detection rule tuning + configuration updates
  • Firewall policy review (twice yearly)
  • IR support — 4 hours/year included
  • Phone support — 4 business hour response
≤15 EP: $1,200  |  16–35 EP: $1,500  |  36–50 EP: $1,800
Full Service
from $2,500/mo
SND drives the compliance program. Best for shops with active DoD contracts and near-term CMMC assessment deadlines.
  • Everything in Manage
  • Weekly alert review with written summary
  • Unlimited remote remediation support
  • Two on-site visits per quarter
  • SSP maintenance — kept current
  • POA&M actively worked by SND
  • CMMC mock assessment walkthrough
  • Annual executive briefing
  • Priority phone — 2 business hour response
≤15 EP: $2,500  |  16–35 EP: $3,000  |  36–50 EP: $3,500
// Why SND

Built different.
On purpose.

20+ years of enterprise infrastructure. Former sole global escalation engineer for SolarWinds ThreatMonitor. Deep Cisco, DNS, and network behavioral analysis expertise. Not a platform vendor. Not a staffing firm. A consultant who has been inside these networks and knows what breaks.

AEGIS-DIB is built on open-source components — Zeek, Suricata, RITA — deployed via Ansible to hardware you own, in your facility, under your control. No vendor lock-in. No cloud dependency. No telemetry leaving your network. When the SaaS platform goes down, your security keeps running.

  • Others
    Cloud-analyzed EDR
    SND
    On-box processing, zero cloud
  • Others
    Endpoint-only visibility
    SND
    Full network + endpoint layer
  • Others
    Generic threat feeds
    SND
    DIB-specific, human-curated
  • Others
    Compliance is a checkbox
    SND
    Signed, verifiable evidence
  • Others
    Vendor lock-in
    SND
    Open source stack you own
  • Others
    OT devices invisible to EDR
    SND
    Network layer sees everything
// Network Readiness Interview

Know where
you stand.

A free 30–45 minute call. We walk through your network, your endpoints, your policies, and your CMMC posture. You get a one-page readiness summary — traffic lights across all 14 CMMC domains, top three priorities, and a clear picture of what November 2026 looks like from where you are today. No charge. No obligation. Delivered same day.

Schedule Your Free Interview
Triangle / Triad area · Remote interviews available anywhere in the US
info@standalonedefense.com  ·  Standalone Network Defense LLC  ·  Raleigh, NC