NEREIDGROUP

IT Security & Automation

Precision hardening.
Measurable security.

We lock down Microsoft 365 environments and tune your security tooling so it actually works.

Trusted by IT teams across the Philadelphia region

About Nereid Group

Nereid Group is a boutique IT security firm specializing in Microsoft 365 hardening, Intune endpoint management, and CrowdStrike Falcon tuning for SMBs and growing MSPs.

Microsoft 365 & Intune Specialists

Deep expertise in M365 tenant hardening and Intune endpoint management.

CrowdStrike Falcon Expertise

Falcon deployment audits, prevention tuning, and exclusion cleanup.

Built for SMBs & MSPs

Fixed-scope engagements sized for growing teams, not enterprise budgets.

/01Services

What we do

Two focused engagements. Fixed scope, clear deliverables, documented results.

/01

M365 + Intune Baseline Hardening

A comprehensive security baseline deployment for your Microsoft 365 tenant and Intune-managed endpoints, built to CIS benchmark standards.

  • Conditional Access policy design & deployment
  • Intune compliance & configuration policy hardening
  • Entra ID security posture review
  • MFA enforcement & legacy auth blocking
  • Ongoing drift monitoring retainer available

Fixed-scope + optional retainer

Book a discovery call

/02

CrowdStrike Falcon Tuning

Stop alert fatigue and silent gaps. We audit your Falcon deployment, tune prevention policies, clean up stale exclusions, and make sure your sensors are actually protecting you.

  • Sensor health & coverage audit
  • Prevention policy review & hardening
  • Exclusion & suppression cleanup
  • Detection gap analysis
  • Monthly health digest retainer available

Fixed-scope + optional retainer

Book a discovery call

/02Field Notes

From the playbook

A few of the changes we make in the first weeks of a typical engagement. Small on their own, decisive together.

block-legacy-auth.ps1PowerShell
# CA002: Block legacy authentication
$policy = @{
  displayName = 'CA002 - Block legacy auth'
  state       = 'enabled'
  conditions  = @{
    clientAppTypes = @(
      'exchangeActiveSync', 'other'
    )
    users = @{
      includeUsers  = @('All')
      excludeGroups = @($BreakGlassId)
    }
  }
  grantControls = @{
    operator        = 'OR'
    builtInControls = @('block')
  }
}
New-MgIdentityConditionalAccessPolicy `
  -BodyParameter $policy

Conditional Access

Legacy protocols are the #1 password-spray vector. We block them tenant-wide, with a break-glass exclusion so you never lock yourself out.

win11-compliance.jsonIntune
{
  "displayName": "Win11 baseline compliance",
  "bitLockerEnabled": true,
  "secureBootEnabled": true,
  "tpmRequired": true,
  "defenderEnabled": true,
  "rtpEnabled": true,
  "osMinimumVersion": "10.0.26100.0",
  "actionForNoncompliance": [
    {
      "action": "block",
      "gracePeriodHours": 24
    }
  ]
}

Device compliance

Devices prove disk encryption, Secure Boot, and patch level before Conditional Access lets them near company data.

falcon-exclusion-audit.ps1PSFalcon
# Flag exclusions untouched in 180+ days
Get-FalconMlExclusion -Detailed |
  Where-Object {
    [datetime]$_.modified_timestamp -lt
      (Get-Date).AddDays(-180)
  } |
  Select-Object value, created_by,
    applied_globally, modified_timestamp |
  Export-Csv stale-exclusions.csv

Falcon hygiene

Stale exclusions are silent blind spots. We audit them on a schedule and retire anything that no longer belongs.

Not sure where the gaps are?

The 30-minute discovery call is free, and you'll leave with at least one concrete thing to fix, whether you hire us or not.

Book your call

/03Process

How it works

/01

Discovery Call

30 minutes to understand your environment and goals.

/02

Scoped Engagement

Fixed deliverables, clear timeline, no surprises.

/03

Hardened & Documented

You get a locked-down environment and full documentation of everything done.

/04FAQ

Common questions

The things IT leads usually want to know before a first call.

Will hardening break things for my users?

This is the most common worry, and it is exactly why we stage everything. Conditional Access policies go out in report-only mode first, we review the real impact data with you, and only then enforce in stages, with break-glass accounts and a rollback plan in place.

What access do you need?

Least-privilege, time-boxed access: typically a scoped admin role in your tenant for the duration of the engagement. Every change we make is logged and appears in your handoff documentation.

How long does an engagement take?

Most baseline hardening engagements run two to four weeks from kickoff to handoff, depending on tenant size and complexity. You get a clear timeline before any work starts.

What does it cost?

Every engagement is a fixed quote agreed before work starts. No hourly billing, no surprise invoices. Ongoing drift-monitoring retainers are optional add-ons, never a requirement.

We already have an MSP. Is that a problem?

Not at all. We regularly work alongside MSPs, and MSPs hire us directly too. The usual split: we design and harden, your MSP operates day to day.

/05Contact

Ready to lock things down?

Reach out for a free 30-minute discovery call. We'll talk through your environment and where the gaps are. No pitch deck, no pressure.

Or email us directly

contact@nereid.group

We reply within one business day. No newsletters, no follow-up sequences.