CompleteCare Shield

If you get hit, how fast will you know?

24x7 managed Microsoft Sentinel SOC for nonprofits, foundations, and rural hospitals. Full Defender XDR, SOAR-driven response, 5-minute Critical-severity SLA. Month-to-month. No 12-month lock-in.

  • Microsoft Solutions Partner, Security
  • FY26 priority co-sell: Modernize SecOps with Sentinel + XDR
  • The No-Lock-In Promise: month-to-month, 30 days' notice

What Shield is, in brief

What it is
A 24x7 managed Microsoft Sentinel SOC: Centered Networks monitors your environment around the clock, investigates alerts, and contains incidents before you call anyone.
Who it is for
Nonprofits, foundations, and rural hospitals (50 to 1,000 users) on Microsoft 365 and Azure. A primary fit for HIPAA-covered rural hospitals and critical-access hospitals, and for any organization facing cyber-insurance renewal questions about 24x7 monitoring.
What is included
Full Defender XDR deployment, Microsoft Sentinel workspace, SOAR playbooks, L1/L2/L3 analyst coverage, proactive threat hunting, monthly executive dashboard, quarterly security posture report, and full incident response. Ten named components, all in the retainer, no per-incident fee.
Pricing and terms
Managed service: $30,000 Kickoff Project (6 to 10 weeks, one-time), then $4,000 per month for 24x7 SOC. Month-to-month, no 12-month lock-in, 30 days' notice to stop. Alternative: fixed-fee deployment project at $50,000 to $75,000 with no recurring obligation.
The outcome
A documented mean-time-to-detect and mean-time-to-respond every month, a 5-minute Critical-severity SLA, and a quarterly posture report your board, insurer, and auditor can actually use.
Prerequisite
CompleteCare Foundations is required. A SOC on a misconfigured tenant generates noise, not signal.

See the full detail below, or schedule your security assessment.

Why continuous monitoring is no longer optional

Your board is going to ask: if we get hit, how fast do we know?

The answer most mission-driven organizations can give today is some version of "we'd find out eventually" or "our IT vendor would tell us." Neither is a defensible answer.

Sophisticated attacks targeting mission-driven organizations are intensifying. OAuth phishing kits that steal session tokens silently. Business email compromise targeting finance and grant-administration roles. Ransomware operators focused on smaller, well-funded organizations because the math works for them. Insider-risk patterns at foundations handling sensitive donor data.

The cyber-insurance underwriter is asking sharper questions every renewal: 24x7 monitoring? EDR deployed? IR plan tested? Sentinel SIEM in place? Mean-time-to-detect documented? Without an active SOC tier, the answers are weak, and the premium reflects it.

Foundations catches a lot. MFA enforced. Devices managed. Email security tuned. But Foundations is a configuration baseline, not an operational watch. When something sophisticated gets through, you need an operations layer that detects it in minutes and responds in minutes.

That's Shield.

CompleteCare Foundations is required. This is non-negotiable, and the reason is operational: a SOC operating on a tenant without baseline identity, device, and email controls is defending chaos. Alerts on a misconfigured tenant generate noise, not signal. We won't run a SOC on an environment that isn't on Foundations. That's protection, not a sales construct. If you're not on Foundations yet, that's where we start.

The operational commitment

Response SLAs, by severity.

A SOC's credibility is its commitments. These are ours, in writing, before you sign anything.

CompleteCare Shield incident response SLAs organized by severity level, including first response and containment target times.
| Severity | Definition | First response | Containment target |
| --- | --- | --- | --- |
| Critical | Active compromise, data exfiltration in progress, ransomware deployment underway | 5 minutes | 30 minutes |
| High | Confirmed compromise, lateral movement detected, privileged account at risk | 15 minutes | 1 hour |
| Medium | Suspicious activity requiring investigation, possible compromise unconfirmed | 30 minutes | 4 hours |
| Low | Anomalous but low-impact, informational alerts requiring documentation | 2 hours | Next business day |
Composite diagram of L1, L2, and L3 analyst tiers with escalation paths and a severity-to-SLA matrix showing the 5-minute Critical first-response commitment.

Post-incident: initial detection notification within SLA per severity. Updates every 30 minutes for Critical, hourly for High, per shift for Medium/Low. Post-incident report within 5 business days. Full Root Cause Analysis within 14 business days for Critical/High.

Analyst coverage

Three-tier analyst structure, staffed around the clock.

L1

Continuous monitoring

Round-the-clock alert triage and review, playbook execution for documented patterns, defined escalation to L2 when scope exceeds standard runbook.

L2

Investigation and hunt

Escalated incident handling, investigations beyond standard runbook scope, analytics rule refinement, proactive threat hunting on a quarterly cadence at minimum.

L3

Custom detection and IR

Custom detection development, advanced forensics, command authority on highest-severity incidents. Handles what L2 escalates and owns the most serious cases end to end.

A six-step deployment sequence from Security Assessment through XDR proof of concept, full Defender XDR deployment, Sentinel workspace, SOAR playbooks, and live 24x7 SOC operations.

What's included

Six SOC functions, run continuously on Microsoft Sentinel.

Each one is evidence that this is a real SOC, not a dashboard with an alert email.

24/7 managed detection and response

SOC analysts watch your environment around the clock: triage, investigation, containment, and clear communication to your team when something matters. Every alert is reviewed by a human. Every incident has a documented timeline.

Threat hunting

Proactive hunts using custom KQL queries against your data, informed by current threat intelligence from Microsoft Threat Intelligence and sector-specific sources, including H-ISAC for healthcare and sector ISACs for foundations and nonprofits. Hunting finds the activity that does not trip a rule.

Automated response (SOAR playbooks)

Microsoft Sentinel automation rules and Logic Apps playbooks that isolate compromised endpoints, disable accounts, revoke OAuth grants, and quarantine phishing email without waiting on human escalation for the obvious actions. Every automated step is logged and reversible.

AI workload monitoring

As you deploy Microsoft 365 Copilot and custom agents, the attack surface expands: prompt injection, agent over-permission, AI-channel data leakage. We extend SOC scope to cover Microsoft Agent 365 telemetry, paired with the governance baseline that keeps the data those agents touch under control.

Compliance evidence

Monthly reports for cyber-insurance renewals, HIPAA audits, board governance, and grant-funder requirements. The audit trail your auditors and funders actually need (incidents, response times, control coverage) is generated as a normal part of the service, not reconstructed under pressure before an audit.

Co-managed, not a black box

Your IT team retains full visibility into the Sentinel workspace, the analytics rules, and the playbooks. You can escalate, ask questions, or take work back at any time. We operate as an extension of your team, not a replacement for it.

Ten named components

Every deliverable, named and defined.

Shield covers the full advanced-security operations lifecycle in ten named components.

A five-column, two-row grid of the ten Shield components covering the full advanced-security operations lifecycle from initial assessment through vCISO advisory.
A three-column HIPAA Security Rule reference showing which Microsoft Defender and Sentinel components satisfy the administrative, physical, and technical safeguard sections.
A document-styled checklist of six controls cyber-insurance underwriters require, each matched to the Microsoft component that produces the evidence.

01

Security assessment and XDR proof of concept

A 2-week assessment of current Defender posture plus a proof of concept of the full Defender XDR stack. Validates fit and surfaces gaps before full deployment. You see exactly what we would build and what it would cost before committing.

02

Full Defender XDR deployment

Defender for Identity (on-premises AD telemetry where applicable), Defender for Cloud Apps (SaaS discovery, OAuth app governance, session policies), MDE Plan 2 (Advanced Hunting, AIR, custom detection rules), MDO Plan 2 (Attack Simulation Training, Threat Explorer, campaign view).

03

Microsoft Sentinel workspace

Sentinel workspace design, data connector configuration (Defender XDR, Entra ID, Azure activity, third-party log sources), analytics rule library, and cost controls with FinOps oversight for Sentinel consumption so ingest economics do not surprise you.

04

24x7 SOC monitoring

Staffed monitoring by L1/L2/L3 SOC analysts, structured triage of alerts and incidents, documented escalation paths, and a defined client communication runbook so you always know what your SOC is seeing and why.

05

SOAR playbook library

Automated response playbooks for common incident patterns: account compromise containment, OAuth-grant revocation, suspicious-sign-in challenge, lateral movement blocking, malicious-mail purge. SOAR reduces mean-time-to-respond from hours to minutes.

06

Threat hunting (defined cadence)

Proactive threat hunting at a minimum quarterly cadence, more frequently if posture or environment warrants. Threat-intelligence integration, including cross-CompleteCare-client learning propagation where patterns emerge across the portfolio.

07

Incident response and root cause analysis

Full IR support for confirmed incidents: investigation, containment, eradication, recovery, communication. Detailed Root Cause Analysis documentation. Post-incident hardening recommendations feed back into the CompleteCare Foundations roadmap.

08

Monthly executive security dashboard

KPIs: mean time to detect (MTTD), mean time to respond (MTTR), incident counts by category, top vulnerabilities, posture trend. A five-minute executive read that answers the board's questions before they ask them.

09

Quarterly security posture report

Board- and underwriter-ready posture documentation. CIS IG1 coverage from Foundations, CIS IG2/IG3 maturity progress from Shield, incident summary, and forward roadmap. Structured to support HIPAA compliance audits and cyber-insurance renewals.

10

Optional vCISO advisory

Strategic security-leadership advisory for clients without an internal CISO function. Monthly executive sessions, board-meeting representation when needed, and security strategy ownership. Add-on to the retainer: $2,000 per month.

How it works

From workspace to watch floor.

A managed SOC is only as good as the Sentinel environment underneath it. We build that environment first, then run it.

  1. Sentinel workspace design

    We stand up the Microsoft Sentinel workspace with a cost-conscious data-tier design across Analytics, Auxiliary, and Basic logs, so you monitor what matters without an unbounded ingestion bill.

  2. Data connectors

    We connect the sources that matter: Microsoft 365, Microsoft Entra ID, Microsoft Defender XDR, Azure, and your line-of-business applications, so the SOC sees the whole environment.

  3. Analytics rules, tuned

    We tune analytics rules to your environment, not a generic template. The goal is signal: alerts that mean something, with the false-positive noise pulled down so real incidents are not buried.

  4. SOAR playbooks

    We build Sentinel automation rules and Logic Apps playbooks for the obvious containment actions, so the response to a known-bad signal starts in seconds, with every step logged and reversible.

  5. The co-managed handoff

    We take the watch. Your team retains full visibility into the workspace, the rules, and the playbooks, and a senior analyst handles every escalation. You always know what we are seeing and why.

  6. Monthly compliance reporting

    Every month, we deliver the report your auditors, funders, and insurer expect: incidents, response times, and control coverage, recorded as the service runs rather than reconstructed before a deadline.

Why it matters now

Continuous monitoring stopped being optional.

For mission-driven organizations, three forces have already settled the question.

HIPAA enforcement

For rural and critical-access hospitals, HIPAA and HITECH expectations now treat continuous monitoring and documented incident response as table stakes. Regulators expect a timeline when something goes wrong, and a timeline has to be recorded as it happens, not reconstructed afterward.

Cyber-insurance underwriting

Carriers now underwrite on security posture. Renewal questionnaires increasingly assume 24x7 detection and response, a documented incident-response capability, and a SIEM in place. Without them, premiums rise, coverage narrows, or the policy is declined outright.

Grant-funder expectations

A growing share of grant funders now ask nonprofits and foundations for evidence of continuous monitoring and an incident-response plan. Sector ISACs set the baseline, and H-ISAC does the same for healthcare. A managed SOC produces that evidence as a byproduct of normal operations.

HIPAA Security Rule coverage

Shield directly addresses the three HIPAA Security Rule safeguard categories.

Rural hospitals and FQHCs are a primary Shield audience because HIPAA plus ransomware exposure makes the 24x7 SOC math obvious. Here is how Shield maps to the regulation.

45 CFR 164.308

Administrative safeguards

Shield delivers the Security Management Process (risk analysis documented through the quarterly posture report), the Workforce Security controls (access management through Defender for Identity), and the Incident Procedures required under the Security Incident Procedures standard. The Monthly Executive Dashboard and quarterly Root Cause Analysis reports are structured to satisfy audit requests under this section directly.

45 CFR 164.310

Physical safeguards

Defender for Endpoint Plan 2 provides the workstation use monitoring and device-activity logs that satisfy the Workstation Security and Device and Media Controls standards. MDE's device posture tracking, combined with the Sentinel audit trail, produces the workstation activity logs HIPAA requires for physical safeguard documentation.

45 CFR 164.312

Technical safeguards

The full Defender XDR and Sentinel deployment directly addresses the Access Control (Entra ID, Conditional Access), Audit Controls (Sentinel log retention and query capability), Integrity Controls (file integrity monitoring via MDE), and Transmission Security (MCAS/Defender for Cloud Apps) standards. The 24x7 SOC ensures those controls are monitored, not merely configured.

Two ways to engage

Managed service or project SOW. Same platform, different operating model.

Both deploy the same Defender XDR plus Sentinel platform with the same SLAs. What differs is the operating model after deployment.

Side-by-side comparison of the Managed Service and Project SOW engagement models, showing that the managed relationship remains available after a project ends.

Pricing

What Shield actually costs (50 to 150 user band).

Major MSSPs at this size charge $60,000 to $180,000/year with 12 to 36 month contracts. Shield is competitive on pricing and structurally better on terms.

CompleteCare Shield pricing for the 50 to 150 user band, managed service option.
| Item | Investment |
| --- | --- |
| Kickoff Project | $30,000 one-time |
| Monthly Retainer (24x7 SOC included, IR included) | $4,000 / month |
| Sentinel consumption | Passthrough (typically $300 to $3,000/month depending on ingest) |
| Optional vCISO Advisory | +$2,000 / month |
| Shield Pod (20 hours incremental) | $5,000 |
| Microsoft E5 Security or E5 licensing | Client-procured |
A banded bar chart mapping daily data volume in gigabytes to monthly Sentinel ingest cost, with the typical CompleteCare client range highlighted and a note that Centered Networks does not mark up consumption.

Total Year 1 from Centered Networks: $78,000 plus Microsoft licensing and Sentinel ingest. Pricing scales for larger tenants: a 500-user engagement is typically $45,000 Kickoff plus $6,500/month. Organizations with 1,000 or more users are custom-scoped given Sentinel-ingest economics.

Sentinel ingest passthrough: Typical CompleteCare clients ingest 5 to 25 GB/day of log data. Sentinel's pay-as-you-go pricing means ingest can range from $300 to $3,000/month. Microsoft bills you directly for ingest; Centered Networks does not mark up Sentinel consumption. FinOps oversight is part of the Shield retainer.

Risk reversal

Three guarantees. None of them cosmetic.

The commitments that differentiate Shield from every other managed SOC in the market.

Three numbered guarantee cards for CompleteCare Shield: the No-Lock-In Promise, the 5-Minute First-Response Promise, and the Underwriter-Ready Reporting Promise.

01

The No-Lock-In Promise

Month-to-month. No 12-month contract. No 36-month auto-renewal. Most Sentinel SOC providers require 12 to 36 months of commitment. If you don't see value any month, 30 days' notice and you walk. The structural commitment is on us: we earn the relationship each month or we lose it.

The Kickoff Project itself is a project SOW that runs to its milestones. That's the right structure for project work. The No-Lock-In Promise applies to the recurring monthly retainer, which is where the lock-in in this market typically lives.

02

The 5-Minute Critical Response

For Critical-severity incidents, an L1 analyst is on alert within five minutes, with SOAR playbooks executing automated containment for common patterns in parallel. Containment target for Critical incidents: 30 minutes. This is not an aspiration. It is a documented SLA in your agreement.

We can stand behind this because Critical alerts are the highest-priority queue in the SOC, because SOAR automation handles the obvious containment actions before a human even finishes reading the alert, and because the analyst-to-client ratio in the Shield retainer is sized to honor the SLA, not just cite it.

03

The Documented MTTD/MTTR Promise

Every month, you receive a documented mean-time-to-detect and mean-time-to-respond across all incidents in the period. Not a verbal assurance. A number, in a report, every month. This is the board answer, the cyber-insurance evidence, and the year-over-year benchmark rolled into one deliverable.

The Monthly Executive Security Dashboard is the mechanism. MTTD and MTTR, incident counts by category, top vulnerabilities, posture trend. A five-minute read that makes the SOC's value legible to non-technical leadership every single month.

Microsoft platform

Built on the full Microsoft security stack.

Shield is architected for organizations already standardized on Microsoft. Generic MSSPs run their own SIEM and bolt on Microsoft connectors. Shield's analysts, playbooks, and IR procedures are native to the platform your data lives on.

  • Microsoft Defender XDR
  • Microsoft Sentinel
  • Defender for Identity
  • Defender for Cloud Apps
  • Microsoft Defender for Endpoint Plan 2
  • Microsoft Defender for Office 365 Plan 2
  • Microsoft Entra ID
  • Microsoft Graph (IR actions)
  • Logic Apps (SOAR)
  • KQL (threat hunting)
  • Microsoft Threat Intelligence
  • Microsoft Agent 365 telemetry
  • Microsoft Solutions Partner for Security
  • FY26 co-sell: Modernize SecOps with Sentinel + XDR
  • Named managed Sentinel SOC partner for mission-driven organizations
  • HIPAA BAA available on request

In practice

What Shield looks like in practice.

Rural critical-access hospital, 150 to 300 staff

HIPAA audit in six months, no documented incident-response plan, EDR partially deployed. Kickoff completed in eight weeks: full Defender XDR, Sentinel workspace, SOAR playbooks, IR plan, and tabletop exercise. By the audit date, MTTD documented at under 12 minutes across 90 days, MTTR under 45 minutes for High-severity incidents. Cyber-insurance renewal: 22 percent premium reduction using the quarterly posture report as evidence.

"We had been telling our board we had security covered. Shield showed us what covered actually means. The quarterly posture report is the most useful document we give our board now."

CIO, representative client profile

Foundation, 75 to 125 staff

OAuth phishing campaign targeting grant-administration staff. SOAR playbook revoked the malicious OAuth grants within four minutes of alert fire, before any data was exfiltrated. Post-incident RCA delivered in nine business days. Hardening recommendations integrated back into the Foundations roadmap: blocked legacy authentication for the two remaining service accounts with documented exceptions approved at the next change window.

"The SOAR playbook ran before I even got the notification. Four minutes from alert to grant revocation. That's not something we could have done with our prior MSP at any price."

IT Director, representative client profile

Questions

Frequently asked questions about CompleteCare Shield.

What is the difference between Foundations alerting and Shield?

Foundations configures alerts and performs standard runbook response: session revocation, password reset, MFA re-registration. Shield is 24x7 SOC operations on the full Defender XDR stack plus Sentinel, with active threat hunting, SOAR playbooks, and full incident response by L1/L2/L3 analysts. Foundations is the configuration baseline. Shield is the operational watch on top of it.

Can we start with Shield without Foundations?

No. A SOC operating on a tenant without baseline identity, device, and email controls would be defending chaos. Alerts on a misconfigured tenant generate noise, not signal. Foundations comes first. This is operational protection, not a sales upsell.

How does Sentinel ingest pricing work?

Microsoft Sentinel is pay-as-you-go based on data ingested. Typical CompleteCare clients ingest 5 to 25 GB per day depending on log sources, which is $300 to $3,000 per month at Microsoft's published rates. Microsoft bills you directly for ingest; Centered Networks does not mark up Sentinel consumption. The retainer includes FinOps oversight: we actively manage what goes into Sentinel to keep ingest economics sane.

What about HIPAA and other regulatory frameworks?

Shield directly supports HIPAA by delivering documented operational controls: 24x7 monitoring, EDR, IR plan, and audit trail. The three HIPAA Security Rule safeguard categories covered are administrative safeguards (164.308), physical safeguards (164.310), and technical safeguards (164.312). The Quarterly Security Posture Report is structured to support compliance audits. Rural hospitals and FQHCs are a primary audience because HIPAA plus ransomware exposure makes the 24x7 SOC math obvious.

Do you handle forensic-grade incident response?

Shield delivers operational IR: investigation, containment, eradication, recovery, and RCA. For forensic-grade work (digital forensics, malware reverse engineering, threat-actor attribution), we partner with specialist IR firms. The Shield SOC handles the operational response that limits damage and restores service. The specialist firm handles the after-action forensic work if the incident warrants it.

Why month-to-month when every other MSSP requires 12 to 36 months?

Because the value should be self-evident in any given month. Mean-time-to-detect, mean-time-to-respond, SOAR-driven containment, executive dashboard, posture report: all of it is measurable. If we are not delivering the value, you should be able to leave. The lock-in model in the rest of the industry is a structural concession the client makes to the MSSP. We don't think that's how the relationship should work.

What does a project SOW look like?

A fixed-fee Sentinel plus Defender XDR deployment with defined scope, milestones, and acceptance. Same components as the managed Kickoff (XDR proof of concept, full Defender XDR deployment, Sentinel workspace, connectors, analytics rules, SOAR playbooks, IR plan, tabletop), packaged without recurring obligation. Typical price: $50,000 to $75,000. You operate the SOC internally afterward, contract a different provider, or return for 24x7 retainer later.

What is the difference between Shield and a generic MSSP?

Shield is built specifically on Microsoft Sentinel plus Defender XDR for clients on the Microsoft platform. Generic MSSPs typically run their own SIEM and bolt on Microsoft connectors, which produces a less coherent operational picture. Shield's SOAR playbooks are tuned to the Microsoft platform; the analysts know the Defender stack; the IR procedures use Microsoft Graph and Entra ID actions natively. For organizations standardized on Microsoft, that integration is the difference.

Does Microsoft co-sell Shield?

Yes. Shield maps to Microsoft's highest-priority FY26 solution play in Security: Modernize SecOps with Microsoft Sentinel plus XDR. This is one of the top-priority Microsoft co-sell plays for the year, with significant Marketing Development Fund opportunity and joint go-to-market support. Centered Networks is positioned as a named managed Sentinel SOC partner for mission-driven organizations.

The No-Lock-In Promise brand mark stating month-to-month from day one with no 12-month contract, no 36-month auto-renewal, and no termination fee.

Schedule your security assessment.

60 minutes. We tell you whether Shield is the right next step, or whether something else needs to happen first. You walk away with a written assessment either way.

Prefer a fixed-scope deployment? Request a project SOW →

See how Shield fits the full stack: CompleteCare umbrella →

Working with a rural hospital? See our rural hospital work →
