IT Security & Automation
Precision hardening.
Measurable security.
We lock down Microsoft 365 environments and tune your security tooling so it actually works.
Trusted by IT teams across the Philadelphia region
About Nereid Group
Nereid Group is a boutique IT security firm specializing in Microsoft 365 hardening, Intune endpoint management, and CrowdStrike Falcon tuning for SMBs and growing MSPs.
Microsoft 365 & Intune Specialists
Deep expertise in M365 tenant hardening and Intune endpoint management.
CrowdStrike Falcon Expertise
Falcon deployment audits, prevention tuning, and exclusion cleanup.
Built for SMBs & MSPs
Fixed-scope engagements sized for growing teams, not enterprise budgets.
/01Services
What we do
Two focused engagements. Fixed scope, clear deliverables, documented results.
/01
M365 + Intune Baseline Hardening
A comprehensive security baseline deployment for your Microsoft 365 tenant and Intune-managed endpoints, built to CIS benchmark standards.
- Conditional Access policy design & deployment
- Intune compliance & configuration policy hardening
- Entra ID security posture review
- MFA enforcement & legacy auth blocking
- Ongoing drift monitoring retainer available
Fixed-scope + optional retainer
Book a discovery call/02
CrowdStrike Falcon Tuning
Stop alert fatigue and silent gaps. We audit your Falcon deployment, tune prevention policies, clean up stale exclusions, and make sure your sensors are actually protecting you.
- Sensor health & coverage audit
- Prevention policy review & hardening
- Exclusion & suppression cleanup
- Detection gap analysis
- Monthly health digest retainer available
Fixed-scope + optional retainer
Book a discovery call/02Field Notes
From the playbook
A few of the changes we make in the first weeks of a typical engagement. Small on their own, decisive together.
# CA002: Block legacy authentication
$policy = @{
displayName = 'CA002 - Block legacy auth'
state = 'enabled'
conditions = @{
clientAppTypes = @(
'exchangeActiveSync', 'other'
)
users = @{
includeUsers = @('All')
excludeGroups = @($BreakGlassId)
}
}
grantControls = @{
operator = 'OR'
builtInControls = @('block')
}
}
New-MgIdentityConditionalAccessPolicy `
-BodyParameter $policy
Conditional Access
Legacy protocols are the #1 password-spray vector. We block them tenant-wide, with a break-glass exclusion so you never lock yourself out.
{
"displayName": "Win11 baseline compliance",
"bitLockerEnabled": true,
"secureBootEnabled": true,
"tpmRequired": true,
"defenderEnabled": true,
"rtpEnabled": true,
"osMinimumVersion": "10.0.26100.0",
"actionForNoncompliance": [
{
"action": "block",
"gracePeriodHours": 24
}
]
}
Device compliance
Devices prove disk encryption, Secure Boot, and patch level before Conditional Access lets them near company data.
# Flag exclusions untouched in 180+ days
Get-FalconMlExclusion -Detailed |
Where-Object {
[datetime]$_.modified_timestamp -lt
(Get-Date).AddDays(-180)
} |
Select-Object value, created_by,
applied_globally, modified_timestamp |
Export-Csv stale-exclusions.csv
Falcon hygiene
Stale exclusions are silent blind spots. We audit them on a schedule and retire anything that no longer belongs.
Not sure where the gaps are?
The 30-minute discovery call is free, and you'll leave with at least one concrete thing to fix, whether you hire us or not.
/03Process
How it works
/01
Discovery Call
30 minutes to understand your environment and goals.
/02
Scoped Engagement
Fixed deliverables, clear timeline, no surprises.
/03
Hardened & Documented
You get a locked-down environment and full documentation of everything done.
/04FAQ
Common questions
The things IT leads usually want to know before a first call.
Will hardening break things for my users?
This is the most common worry, and it is exactly why we stage everything. Conditional Access policies go out in report-only mode first, we review the real impact data with you, and only then enforce in stages, with break-glass accounts and a rollback plan in place.
What access do you need?
Least-privilege, time-boxed access: typically a scoped admin role in your tenant for the duration of the engagement. Every change we make is logged and appears in your handoff documentation.
How long does an engagement take?
Most baseline hardening engagements run two to four weeks from kickoff to handoff, depending on tenant size and complexity. You get a clear timeline before any work starts.
What does it cost?
Every engagement is a fixed quote agreed before work starts. No hourly billing, no surprise invoices. Ongoing drift-monitoring retainers are optional add-ons, never a requirement.
We already have an MSP. Is that a problem?
Not at all. We regularly work alongside MSPs, and MSPs hire us directly too. The usual split: we design and harden, your MSP operates day to day.
/05Contact
Ready to lock things down?
Reach out for a free 30-minute discovery call. We'll talk through your environment and where the gaps are. No pitch deck, no pressure.
Or email us directly
contact@nereid.group