Executive Snapshot Internal & confidential

Microsoft security, turned into a practice.

Enterprises pay for Microsoft E5 and use a fraction of it; the stack is sprawling, and AI is multiplying ungoverned agents. This practice turns that complexity into one governed motion: a free diagnostic, paid depth, and a recurring managed annuity, meeting clients where they are and lighting up what they already own.

Brief → Health Check → Workshop → Assessment → Architect → Co-Sell → Implement → Managed MDR → QBR

$0 · to start (free Health Check)
~$351K · steady-state annual GP
~7 mo · payback
$72-216K · ARR per managed client

Illustrative, conservative scenario. Final figures pending Finance.

Program Overview

Seven stages. From eagle's-eye view to managed operations.

The Microsoft Security Practice at Chariot Technology Group runs every engagement through a seven-stage motion. The customer starts free, the practice delivers the envisioning and the depth, partners are introduced where Microsoft hits its ceiling, and the relationship matures into a long-term managed service.

S · Under 500 seats · Under $500K MS spend
M · 500 to 2,500 seats · $500K to $2M MS spend
L · 2,500 to 10,000 seats · $2M to $10M MS spend
XL · 10,000 to 25,000 seats · $10M to $25M MS spend
XXL · 25,000+ seats · $25M+ MS spend

Stage 0
Health Check
~1 hour · 20K FT view
Eagle's-eye scan across the eight MCRA-aligned pillars. One-page heatmap.
Chariot Technology Group covered · Eric Prater · pre-sales
Stage 1
Workshop
10K FT · Envisioning
Envisioning engagement. Solution Play-aligned roadmap.
Envisioning · Eric Prater · pre-sales
Stage 2
Assessment
Ground · White Glove
800+ controls. Practice IP. Free or paid based on scope.
Free or paid · Eric Prater · pre-sales
Stage 3
Architect
Foundation
Reference architecture per pillar. 12-month roadmap. SOW ready.
Paid · Eric Prater · pre-sales
Stage 4
Co-Sell
Where MSFT hits ceiling
Partner selection where the Microsoft stack reaches its ceiling. CyberArk, SailPoint, Palo Alto, Wiz, Cyera, Tenable.
Partner co-sell
Stage 5
Implement
Build Phase
Configure, deploy, automate. Delivery Team executes. Best-practice aligned.
Best-practice aligned · Eric Prater + vetted partner
Stage 6
Managed MDR
Monthly retainer
24/7 monitoring. Co-managed SOC. Content engineering. Annuity.
Annuity · Partner SOC · Eric assures
For Sellers · start here
Stage Zero
Rapid Config Check

The 30-minute, seller-led wedge that quantifies waste and opens the door.

Sales Quick-Start
Journey, questions, when to call VJ

The customer journey, the qualifying questions, and the triggers to pull in the architect.

What we secure

Eight pillars, assessed at every stage above. The stages are how we engage; the pillars are what we secure.

ID · Identity
EP · Endpoint
EM · Email & Collab
DA · Data
CL · Cloud
SO · SecOps
AI · AI & Agentic (NEW)
👑 Owner: Michael Heath
NW · Network

Our approach

The full cycle: free diagnostic, paid depth, recurring annuity

One continuous motion. It starts with a two-minute brief, then a free hour, the practice delivers the depth, and the relationship matures into a managed annuity that re-opens the cycle every quarter.

Pre-step · 2-min Brief · Context
Stage 0 · Health Check · Free
Stage 1 · Workshop · Envision
Stage 2 · Assessment · White glove
Stage 3 · Architect · Roadmap + SOW
Stage 4 · Co-Sell · Beyond the ceiling
Stage 5 · Implement · Build
Stage 6 · Managed MDR · Annuity

Quarterly Business Review re-runs the Health Check, shows the score improving, and seeds the next pillar. One free hour becomes a multi-year relationship.
Adoption & Change Management runs as a band beneath every stage. Security and AI succeed when behavior changes, not when features ship.
E3 → E5 → E7 maturity sets the sequence: productivity, then security and compliance, then agentic AI. We never skip rungs.
Accountability

Who owns what

Clear ownership across the cycle, by role. The architect designs and assures; delivery and partners execute; every category has a named owner.

Pre-sales · Eric Prater
Health Check → Architect
Solutions Architect: discovery, scoring, design, SOW. Then TPL.
Co-Sell
Eric Prater + vetted partner
Eric keeps the advisor seat; partner fills the Microsoft gap.
Delivery · build
Microsoft Services team
Implement and operate. Eric assures as TPL, does not build.
Managed MDR
Vetted SOC partner
Runs the 24/7 SOC; Eric owns architecture and the relationship.
AI & Agentic
Forming
Category owner set; delivery likely via subcontractor as it scales.

Category | Owner | What they own
Pipeline / front door | CARE team | Warm-hands existing accounts into the free Health Check; architect joins as technical authority.
Health Check, Workshop, Assessment, Architect | Microsoft Security Solutions Architect (PRE-SALES) | Leads discovery, scoring, design, and the SOW as a pre-sales role; stays accountable through delivery as Technical Project Lead (TPL).
AI & Agentic Security pillar | Michael Heath, Chariot Technology Group | Owns the AI and agent-security category, concept, and roadmap across the practice.
Scoping & statements of work | Solution Architects | Shape and validate the SOW for each engagement.
Implement & Operate | Delivery Team + partner bench | Execute configuration, deployment, and run; the architect assures, does not build.
Co-Sell (beyond the Microsoft ceiling) | Vetted partners | Fill clear Microsoft gaps (CyberArk, Wiz, Abnormal, and similar), surfaced openly in scope.
24/7 Managed MDR | MDR fulfillment partner | Run the SOC initially; in-source as the annuity grows.
Microsoft alliance & programs | Alliance lead | Partner status, specializations, and any future Microsoft funding.
Adoption & value realization | ACM workstream | Drive behavior change and prove ROI each quarter through the QBR.

Role view for screen-share safety. Every Health Check is logged as the Microsoft Health Check sales play and tracked on revenue, gross profit, and net-new opportunities.

INTERNAL REVIEW Microsoft Security Practice prototype · For Alpesh, Neeraj, Elliot, the Microsoft Alliance Manager, Bruce · Feedback welcome · Not externally cleared
For CTO Review · June 8, 2026 · Internal

A recurring-revenue security practice: revenue now, Microsoft funding later is upside

This is Chariot Technology Group's Microsoft Security Program: every stage is billable as professional services at roughly 45-55% gross margin plus the Managed MDR annuity, with no Microsoft partner status or funding required. The program is built on the unified Microsoft Defender portal (Microsoft Sentinel and Defender XDR in one SecOps plane), extended with Security Copilot, with partners introduced only where the Microsoft platform reaches its ceiling. If we earn Microsoft funding later, it is a bonus.

$0 · Customer cost to enter - Health Check and Workshop
7 stages · Health Check → Workshop → Assessment → Architect → Co-Sell → Implement → Managed MDR
Annuity · Managed MDR converts project work into recurring ARR
Co-sell · Partner co-sell and the managed-service annuity stack on top

The ask

Approve standing up the Microsoft Security Practice. We can begin delivering and billing these services to clients today as professional services - no Microsoft partner status or funding required. The investment we are asking for - skilling and certifications to earn the Solutions Partner for Security designation and specializations - deepens our technical credibility and sharpens the partner co-sell story. The program delivers revenue today as professional services. In short: revenue now, and Microsoft funding later is a bonus.

Business Case

What clients pay - and what we make

Illustrative. The calculator is a conservative scenario for discussion; the Year-1 investment is a placeholder. Final figures to be set with Finance.
Chariot Technology Group owns this end to end

No Microsoft partner status or funding required. Every stage is delivered as Chariot Technology Group professional services and billed directly - real PS revenue plus the Managed MDR annuity, at roughly 45-55% gross margin. The program stands on its own commercially.

Microsoft funding is a future bonus

If Chariot Technology Group later earns the Solutions Partner for Security designation, Microsoft funding can offset client cost and lift win rate. That is upside we pursue opportunistically; the program does not depend on it.

Pricing reflects 2025 market benchmarks; final pricing is set per opportunity. White Glove Assessment is shown without a fixed price - it is scoped per client and may be client-paid (management decides per deal). Effort assumes a blended delivery rate of ~$250/hr.

Stage | Who funds it | Realistic client pricing | Role
0 · Health Check | Chariot Technology Group - no client cost | $0 (demand-gen) | Top-of-funnel hook
1 · Workshop | Chariot Technology Group envisioning | Chariot Technology Group covered (envisioning) | Envisioning
2 · Assessment | Client-dependent | Scoped per client - management decides (market $15K-$50K+; client paid) | Practice IP, qualifies the deal
3 · Architect | Client paid (PS) | $25K-$75K | Design + roadmap + SOW
4 · Co-Sell | Partner + partner co-sell | Partner pull-through (varies) | Beyond the Microsoft ceiling
5 · Implement | Client paid (PS) | $50K-$500K+ (scope-dependent) | The core services engagement
6 · Managed MDR | Monthly retainer | $6K-$18K/mo mid-market ($72K-$216K ARR) | The annuity

[Interactive calculator. Inputs: scenario, funnel, deal values, economics. Outputs: steady-state annual gross profit; payback period; ARR run-rate added per year; Year-1 gross profit (ramped); services revenue, steady (Arch + Impl + Assess); services gross profit; new Managed MDR clients per year; Microsoft funding (future bonus, excluded); Year-1 revenue (ramped); 3-year modeled gross profit.]

Illustrative model for discussion; counts rounded. Professional services plus ARR need no Microsoft funding or partner status. Payback = Year-1 investment / steady-state monthly gross profit. Year-1 assumes a partial ramp (new ARR realized at ~half-year). Microsoft funding is excluded from this model; any future funding is upside. Default scenario is Conservative on purpose; toggle to stress-test.

Building the Practice

What it takes to stand this up

Microsoft program facts verified June 2026 - Microsoft Learn & Partner Center

The technical credibility and partner co-sell that sharpen this motion are earned through Microsoft partner status. The path is: earn the Solutions Partner for Security designation, then the security Advanced Specializations, which deepen our specialization credibility (and can unlock Microsoft funding later as a bonus). Each gate is earned through certified people, customer performance, and verified deployments.

1. Microsoft partnership foundation

Solutions Partner for Security

The base designation. Earned via a Partner Capability Score of at least 70 points, with points in each of Performance, Skilling, and Customer Success. Microsoft evaluates both an Enterprise and an SMB path and takes the higher score.

Prerequisite for every security Advanced Specialization.

Microsoft AI Cloud Partner Program

Membership baseline plus Internal Use Rights (IUR) to run E5, Sentinel, and Defender XDR demo/lab tenants at no license cost - essential for the Health Check and demo environments.

Enables the practice lab and demo estate.

2. Security Advanced Specializations

Four specializations sit under Security. Each requires the Solutions Partner for Security prerequisite, certified individuals, performance thresholds, and either a third-party audit (Azure) or customer references. Note: benefits cap at three specializations.

Threat Protection

Defender XDR and Microsoft Sentinel deployment capability. This is the specialization most valued for Microsoft Sentinel and SecOps engagements.

SC-200 · Sentinel + Defender XDR

Identity & Access Management

Microsoft Entra identity workloads - Conditional Access, PIM, ID Governance.

SC-300 · Entra

Cloud Security

Defender for Cloud across Azure, hybrid, and multicloud. Requires a third-party (ISSI) audit.

AZ-500 · Defender for Cloud

Data Security (formerly Information Protection & Governance)

Microsoft Purview. As of Aug 2025: at least six individuals passing SC-401 and a 2,500 MAU performance threshold.

SC-401 · Purview

3. Certifications the team needs

SC-900
Security, Compliance & Identity Fundamentals
Baseline literacy for the whole team and pre-sales.
Fundamentals
SC-200
Security Operations Analyst
Sentinel + Defender XDR. Feeds the Threat Protection specialization and the SOC/MDR practice.
Associate
SC-300
Identity & Access Administrator
Microsoft Entra. Feeds the Identity & Access Management specialization.
Associate
SC-401
Information Security Administrator
Microsoft Purview data security. Replaced SC-400 (retired May 31, 2025). Feeds Data Security.
Associate
AZ-500
Azure Security Engineer
Defender for Cloud and Azure controls. Feeds the Cloud Security specialization.
Associate
SC-100
Cybersecurity Architect (Expert)
The capstone for the practice architect. Requires one associate cert (SC-200/300/AZ-500) first.
Expert

Skilling investment: the specialization thresholds drive headcount - for example, Data Security alone requires six SC-401-certified individuals. A realistic first-year skilling plan is the core of the investment ask: a small certified core team (SC-100 architect lead plus SC-200/300/401/AZ-500 coverage) to clear at least Threat Protection and Identity, then add Cloud Security and Data Security.

4. How the gates build credibility

Gate 1
Solutions Partner for Security
70-point capability score across Performance, Skilling, Customer Success.
Gate 2
Advanced Specialization
Threat Protection / IAM / Cloud Security / Data Security - certs + performance + audit.
Gate 3
Credibility and co-sell
Specializations deepen technical credibility and sharpen the partner co-sell story. They can also unlock Microsoft funding later as a bonus, but are not required to deliver or bill today.

Sources: Microsoft Learn - Solutions Partner for Security; Partner Center specializations; Microsoft security certifications (SC-100/200/300/401, AZ-500); unified security operations (Microsoft Sentinel in the Defender portal). Microsoft funding programs are out of scope for this plan; the program is built to deliver and bill as professional services today. Any future funding is upside to confirm with the Microsoft PDM.

Chariot Technology Group Cybersecurity

The Chariot Technology Group Microsoft Security Practice.

Chariot Technology Group helps enterprises operationalize the Microsoft Security platform they have already invested in. The practice covers assessment, architecture, implementation, and operations across Defender XDR, Sentinel, Entra, Purview, Intune, and Defender for Cloud. Every stage is delivered as professional services and billable today, no Microsoft partner status required; Microsoft funding is layered on as upside as the practice earns its specializations. Engagements begin with a no-cost health check.

Chariot Technology Group Discovery

Discovery Workshops

Delivered by the practice as a low-cost envisioning step. The practice delivers. Clients receive a defensible roadmap before committing budget.

$0 · To start (Health Check)
4 · Workshop Tracks
2 to 4 wk · Time to Roadmap
800+ · Controls Assessed
18+ · Years architecting Microsoft Security at the enterprise level
700+ · Production Defender deployments delivered by the practice
8 · Microsoft Security products covered end to end
6 · Compliance frameworks mapped in every assessment
$0 · Client cost to start with an envisioning workshop

License Realization. Operationalize what you already own.

Most E5 and E5 Security customers operationalize less than 40% of what they have licensed. The practice maps active versus dormant capabilities across Defender XDR, Sentinel, Entra, Purview, and Intune, then produces the operationalization plan to close the gap. Outcomes are measurable: posture improvement and tool consolidation savings on capabilities already paid for.

Schedule a license realization session →

<40% · Typical E5 capability utilization at first engagement
$180K+ · Annual overlap savings on a typical SIEM consolidation
40% · MTTR reduction after Defender XDR and Sentinel unification
0 · Standing privileged accounts after Entra PIM rollout

The Practice Hub

Click any area to open the brief.

The full practice scope is organized as twelve focus areas. Each opens a panel with the detail: engagement model, MCRA pillars, workshops, the assessment platform, current Microsoft Security developments, and more.

Engagement Model & Full Cycle

Assess. Architect. Implement. Operate.

The four-stage delivery model. The Microsoft Practice Team leads the strategic phases. The Delivery Team scales execution.

MCRA Pillars

The eight pillars we own end to end.

Identity. SecOps. Endpoint. Data. Every engagement maps to the Microsoft Cybersecurity Reference Architecture.

Discovery Workshops

Four discovery workshops. $0 to start.

Delivered by the practice; scopes the work before budget. Client gets a defensible roadmap before committing budget.

Honest Co-Sell

Where Microsoft alone has a gap.

We bring partners openly and architect them in. The integration story stays Microsoft-centered.

Engagement Examples

Outcomes from comparable enterprises.

Anonymized examples of practice deliverables. Industry-specific references available under NDA.

The client maturity journey

E3 → E5 → E7: meet clients where they are, then move them up

Every client sits on a rung. The practice maps each engagement to the next rung, never skipping steps (no Foundry before the basics). This is the framework Michael Heath and the practice are aligning the Microsoft Security and AI motion around.

E3 · FOUNDATION
Productivity and the basics

Identity hygiene, endpoint management, email protection. The ground floor that everything else stands on.

Engagements: Health Check, foundational hardening, Intune and Entra basics.

E5 · SECURITY & COMPLIANCE
Defend, govern, operate

Defender XDR, Sentinel, Purview, Entra P2, Zero Trust. The security and compliance core where most of the paid work lives today.

Engagements: assessments, architecture, implementation, Managed MDR.

E7 · AGENTIC & AI
Secure AI transformation

Copilot, Agent 365, Entra Agent ID, Purview DSPM for AI, Defender for AI. Governing the agents and AI the business is racing to adopt.

Engagements: Secure AI Adoption workshop, AI & Agent Security assessment and governance build.

👑 AI pillar owner: Michael Heath

The maturity model is the upsell engine: every QBR shows the client their rung and points at the next one. It also spans clouds: the practice supports Microsoft and Google estates and aims for 75%+ in-house delivery with selective partner co-delivery for scale.

Adoption & Change Management

The workstream that makes it stick

Security and AI success is less about features and more about changing behavior. ACM runs through Implement and Operate, and value realization becomes a standing part of every QBR. It is also recurring revenue that is not a SOC.

Enablement

Train admins and users on the controls and AI tools we deploy, so capability is actually used.

Adoption

Drive behavior change and measure usage, from MFA and labels to Copilot and agents.

Agent governance

Ongoing sponsorship, access reviews, and lifecycle for AI agents as they scale (Entra Agent ID).

Value realization

Quantify outcomes each quarter, prove ROI, and seed the next pillar. The QBR closes the loop.

Internal · Partnership track

Microsoft funding & partnership readiness

This does not gate the go-to-market. The full motion, discovery to managed operations, is deliverable and billable today as professional services. Microsoft funding is upside we earn in parallel: it lowers client cost and lifts win rate, but we never wait on it to go in front of a client.
Gate 1
Solutions Partner for Security
70-point capability score across Performance, Skilling, and Customer Success.
In progress
Gate 2
Advanced Specializations
Threat Protection and Identity first, then Cloud Security and Data Security.
Targeted
Gate 3
Funding unlocked
MCI workshops, ECIF, Sentinel Accelerator, FastTrack.
Locked until gates 1-2

The programs these gates unlock

Program | What it funds | Amount | Gate
MCI Workshops | Microsoft-funded discovery workshops | $5.5K-$8K / workshop | Solutions Partner for Security
ECIF | Pre-sales assessments, POCs, deployments | Per scope | Advanced Specialization (hard gate)
Sentinel Accelerator | Sentinel adoption funding | Tranche-based | Threat Protection specialization
FastTrack | Remote deployment guidance | Microsoft-staffed | FastTrack Ready Partner

Confirm all amounts and current standing with the Microsoft PDM. The FY27 program year begins July 1, 2026. Funding economics and partner-margin language never appear in client-facing material.

Go-To-Market Operating Plan

How the practice goes to market

The motion runs through Chariot Technology Group's existing CARE team and captive Microsoft base. The architect designs and assures; the Delivery Team and vetted partners execute. Every engagement is measured.

1. CARE front door

The CARE team (DW) warm-hands existing accounts into a no-cost health check. The first wave: 10 of the ~70 captive Microsoft accounts. Architect joins the call as the technical authority.

2. Meet the client where they are

Health check surfaces the gap, then go straight to a paid enablement SOW where the need is clear. The formal assessment and workshop are used only where warranted or Chariot Technology Group-led - not chained by default, so the sale is not prolonged.

3. Delivery ownership (RACI)

Architect owns Assess + Architect and stays accountable as Technical Project Lead. The Chariot Technology Group Delivery Team and Don's vetted partner bench own Implement + Operate. Scales beyond one person; removes single-threading risk.

4. Measurement

Logged as a Microsoft Health Check sales play in Salesforce. Every health check tracked on revenue, gross profit, and net-new opportunities created. Vendor-agnostic: the win is client spend through Chariot Technology Group, Microsoft or otherwise.

Internal management view. Year-1 skilling/investment figure is a placeholder pending Finance. Microsoft funding amounts vary by program year and region - confirm with the PDM before any external commitment.

The source of truth

How we run this practice, and where it goes

This is the operating system for the Microsoft Security & AI practice: how anyone on the team knows what to run, who owns it, what fits the client's environment, and where a partner plugs in, from discovery to managed operations. One place, start to end.

Dare to Be Great

A real practice with depth and proof, not table stakes. Innovation where Microsoft meets AI.

Own It

The same architect is accountable from the free hour through managed operations. No handoffs to strangers.

Outcomes over capability

We meet clients where they are, light up what they already own, and prove value every quarter.

Vision, where this could go (not yet shipped)

From source of truth to platform

TODAY
Source of truth

This: the practice runbook and the client front door. Proves the model.

NEXT
Internal app, Entra-gated

An assessment engine, partner finder, who-to-reach directory, and a live model, behind Entra ID.

FUTURE
Selective client portal

Parts opened to clients where it adds value, the same Zero Trust posture we sell.

Built the way we secure clients. Behind the identity pillar: Entra ID single sign-on, Conditional Access, and role-based access from day one. We would not sell Zero Trust and build the tool any other way.

Vision only. The platform is a roadmap, not a shipped product. It is earned by the practice proving value first, with a named sponsor and clear ownership.

Ready to start?

Engage the Practice.

Start with a no-cost health check, then a license-realization session, architecture review, or roadmap second opinion. Clients speak with the Microsoft Practice Team from the first conversation. Where an engagement qualifies, we pursue Microsoft funding to offset client cost.

Book via Microsoft Bookings →

Or email the Microsoft Practice Team directly: practice@chariottechgroup.com

Quick Brief

Send the Microsoft Practice Team the context. Get a prepped conversation.

Fill in a few details. We will respond within one business day with a proposed agenda and time.

This opens your email client with the brief pre-formatted. The Microsoft Practice Team responds within one business day.

Lead with Microsoft; bring a partner only at a genuine ceiling, surfaced openly. Verify current product status and Chariot Technology Group partnership before recommending. Partner landscape verified June 2026.
