What you'll actually be running if you sign with us.
The standardised stack we deploy for Melbourne SMB customers, named tool by named tool. Procurement-grade transparency: read it once and you'll know what you're going to be running, who manages it, and what we won't deploy.
Book a 30-minute call - we'll walk it through with you.
Five rules that decide what makes it into the stack.
- 01
Picked for fit, not for kickbacks.
We don't take vendor margin uplifts that bend tool selection. The vendors below are the ones we'd pick if we were running our own SMB.
- 02
Evidence the auditor will accept first pass.
Every security and compliance tool here generates artefacts that map cleanly to Essential Eight, CIS Controls v8, or both. PowerPoint summaries don't count.
- 03
Co-managed compatible.
Nothing in this stack locks out your in-house IT lead. If you've got one, they get the same admin visibility we do.
- 04
Australian where it matters.
Hosting, voice, and data-residency choices default to Australian regions and Australian carriers. We tell you where every byte lives.
- 05
Portable on exit.
Every licence sits in your name. Every config export is yours. We've written the contract that way and we ship it on request, no fee.
Identity & access
One verified identity per person, MFA on every login, just-in-time admin elevation, and a password vault we can audit.
Cyber Security servicePrimary identity platform and MFA policy engine.
Signal-based access policy (device state, location, risk score).
Just-in-time admin elevation with approval and auto-expiry.
Enterprise password vault with zero-knowledge encryption.
We don't deploy identity products that can't enforce a Conditional Access policy.
If the tool can't see Entra ID signals, it can't be your authentication boundary.
Endpoint & device
Every endpoint enrolled in MDM, encrypted at rest, patched on schedule, and recoverable if it's lost or stolen.
Managed IT servicePrimary MDM across Windows, macOS, iOS, Android.
RMM and remote-support sessions in one platform.
Standard SOE with zero-touch provisioning and cloud-desktop fallback.
Native disk encryption on Windows and macOS, key-escrowed to Entra.
Third-party application patching inside Intune.
Primary hardware: ThinkPad, ThinkCentre, ThinkSystem.
Mac, iPhone, iPad - managed through Intune like everything else.
Hardware alternative for customers standardised on Dell.
We don't deploy unmanaged BYOD.
If a device touches customer data, it gets enrolled. Otherwise it doesn't get access.
Security & threat detection
24/7 detection backed by humans, not just dashboards. Application whitelisting where the controls demand it. Defence in depth, not vendor monoculture.
Cyber Security servicePrimary managed detection and response with 24/7 human analysts.
Security-awareness training tied to the same platform.
EDR layer integrated with Entra and Conditional Access.
Application whitelisting required at Essential Eight ML2.
We don't deploy MDR that's actually a dashboard-and-PDF service.
Huntress sends a human investigator on triggered alerts. That's the bar.
Email security
Block phishing and business email compromise before delivery. DMARC enforced on every domain. Honest false-positive rates.
Cyber Security servicePrimary cloud email security for Microsoft 365 - 99.7% detection rate measured at our largest deployment with zero false positives in Q4 2025.
Sister product for endpoint and browser security where threat model warrants.
Authentication standard enforced on every customer email domain.
Network & comms
Wi-Fi that works, firewalls we can manage, voice on the platform people already collaborate in. No proprietary licence walls.
Network & Comms servicePrimary networking: Wi-Fi, switching, gateway. Controller you own; no per-AP licensing.
Next-gen firewall alternative when threat model or compliance demands.
High-end firewall for regulated environments.
Voice on the same platform people already collaborate in.
Australian voice carrier behind Teams Phone deployments.
Meeting-room platform on certified Android hardware.
Primary meeting-room AV: video bars, conference cameras, VoIP handsets.
Primary alternative for meeting rooms and personal peripherals.
Voice / conferencing alternative for customers standardised on Cisco.
We don't deploy networking gear that prices per-AP or per-port for basic features.
UniFi runs on a controller you own. The math works for SMBs without recurring per-device licence drag.
Cloud & hosting
Azure-native infrastructure backed by Microsoft partner credits, hosted under ConnektCloud with documented restore tests.
Cloud Infrastructure serviceOur managed Azure hosting service. Azure Australia East / Southeast regions, billed through us with partner-tier pricing applied.
Productivity baseline. Exchange Online, SharePoint, OneDrive, Teams - administered, not just resold.
We don't deploy on-prem servers when an Azure-native architecture works.
Exception: regulated workloads with data-residency clauses we can't satisfy in cloud. That's a conversation, not a default.
Backup & recovery
Two backup destinations minimum, quarterly restore tests with evidence, and recovery time objectives the customer signs off on.
Cloud Infrastructure servicePrimary backup for Microsoft 365 (Exchange, SharePoint, OneDrive, Teams).
Primary backup for servers and workloads, on-prem or in Azure.
Alternative backup for endpoint and server workloads.
Local backup target where a customer needs an on-site copy.
We don't deploy set-and-forget backup.
If the restore hasn't been tested, the backup is a guess. We test on a quarterly cycle and the evidence goes in your audit pack.
Compliance & vulnerability
Continuous evidence collection, not point-in-time audits. Attack-surface scanning that runs without us asking. Policy drift caught the day it happens.
Compliance serviceExternal attack-surface scanning and exposure monitoring.
Compliance automation for CIS Controls v8, ISO 27001, SOC 2, with continuous evidence collection.
Alternative compliance platform - same outcome, different fit.
Microsoft 365 policy drift detection across tenants.
We don't deploy compliance tools that produce PowerPoint instead of evidence.
The output has to satisfy an auditor on the first pass. If it doesn't, we don't list it as compliance tooling.
AI & Copilot
Microsoft 365 Copilot deployed with the data hygiene to make it useful and the guardrails to stop it being a liability.
AI servicePrimary AI deployment, scoped to your M365 tenant data with audit logging.
We don't deploy generic AI chatbots that bolt on to public LLM APIs.
Customer data leaves the M365 tenant via a path we control, or it doesn't leave.
The platform behind your tickets, patches, and documentation.
You don't license these. We do. We're naming them because co-managed customers ask, and procurement reviewers deserve to know what powers our service.
What buyers usually ask before signing.
- Can we keep our existing Microsoft 365, firewall, or endpoint security vendor?
- Usually yes. The stack above is our recommended deployment, not a lock-in requirement. We run a fit assessment on what you've already got: anything that meets our security baseline and integrates with our management plane stays. Anything that doesn't, we migrate on a schedule we agree with you up front, with the costs published before the work starts.
- Where is our data hosted?
- Microsoft 365 tenants and ConnektCloud workloads run in Azure Australia East (Sydney) and Australia Southeast (Melbourne) by default. Voice runs through Australian carriers (Access4 for Teams Phone deployments). Backup destinations are either Australian Azure regions or on-site (Synology NAS). If you have a specific data-residency requirement we'll confirm it in writing before any migration.
- What happens to our licences if we leave?
- Every licence we resell is in your name. Tenant ownership, domain registrations, vendor contracts, all of it. If you leave, you keep your Microsoft 365 tenant, your Azure subscriptions, your Huntress contract, your backups. We provide the documentation export at no cost. That's the contract, not a negotiation.
- Why don't you use SentinelOne, CrowdStrike, or Sophos?
- We've evaluated each. Huntress wins on two things SMBs need most: a real human analyst on every triggered alert (not just a dashboard), and a price point that doesn't require Fortune-500 budget. CrowdStrike is excellent at enterprise scale; the economics don't fit our customer base. Sophos has consistently underperformed our detection benchmark over the last three years.
- How does this stack cover Essential Eight Maturity Level 2?
- Intune (patching, hardening configs), Patch My PC (third-party patching), Windows Defender Application Control (application control), Entra ID + Conditional Access (MFA, admin restrictions), Huntress + Microsoft Defender (admin privilege monitoring), AvePoint and Veeam (backup), Inforcer and Drata (continuous evidence). The Compliance service page maps each Essential Eight mitigation to the specific tool that delivers it.
- How often does this stack change?
- We re-evaluate the stack annually and document why anything moves. Tool changes mid-year are rare and only happen when a vendor materially fails: missed an SLA we depend on, got acquired with degraded support, or was outperformed in a head-to-head bake-off we ran. We write up the reason and notify affected customers before the migration.
Leave the MSP that doesn’t pick up.
Tell us what your current setup looks like. We’ll send back a quote, a transition plan, and a firm date you’d be onboarded - within 48 hours.
- Response
- Within 48 hours
- Format
- Written quote
- Discovery call
- Not required
- Contracts
- No lock-in terms