Pillar 5 — Network & Endpoint
The endpoint hygiene baseline your auditors actually want.
Cisco/Meraki networking. Continuous endpoint patching. 24×7 monitoring. The unglamorous discipline that keeps the audit short.
Most audit findings come from the boring middle
Most regulated audit findings in the mid-market don't come from sophisticated attacks. They come from the boring middle: an unpatched server, a stale local admin account, a network without segmentation, a laptop that left the building three years ago and was never wiped, a firewall rule from 2019 nobody dares touch.
CPS 234 §15 asks for documented controls. Essential Eight ML1 starts at the patch line. Privacy Act asks for reasonable steps. NDIS asks for information-handling evidence. Cyber insurers ask for an endpoint posture worksheet. Every conversation leads to the same place — can you show endpoint and network hygiene, with evidence, this quarter?
This pillar is the operational discipline that keeps that question short.
Our approach
Five elements that show up on every Network & Endpoint engagement.
Continuous patching — server, endpoint, third-party application
Weekly endpoint, monthly server, with emergency out-of-band cycles for critical CVEs. Microsoft Intune for the Microsoft estate; PatchMyPC for third-party coverage at scale; a documented exception register for legacy apps that can't take the latest patch (with a remediation plan attached, not an excuse). Patch posture reported monthly with trend.
Network monitoring — Cisco and Meraki, instrumented, alerted
Cisco and Meraki design, deployment and managed operations. Azure Monitor and ServiceNow-integrated alerting. SD-WAN where it makes sense, on-prem where it doesn't. An instrumented system, not a black box — you see what we see, in the same dashboard.
Endpoint compliance — Intune posture, conditional access, the auditable baseline
Intune-managed endpoints with compliance policies aligned to Essential Eight ML2. Conditional access on top — non-compliant endpoints are quarantined, not trusted. Reporting goes into your auditor's evidence pack — by device, by user, by compliance state, with trend.
Network segmentation — the strategic move most mid-market firms keep postponing
Flat networks are the cheapest to build and the most expensive to defend. We design segmentation against your actual data flow — finance systems, line-of-business apps, OT/IoT, guest, BYOD — and migrate in waves with rollback gates. Segmentation projects live in IT Projects; steady-state operations live here.
Vendor-aligned support — the firewalls and switches that matter
Cisco and Meraki are our deepest network competence — partnership-level access on both. SentinelOne is our default EDR (the MSSP integration layer). Hardware refresh, RMA management, vendor escalation and lifecycle planning are part of steady-state — not a separate procurement conversation.
“Sydney HQ, globally delivered. Cisco and Meraki partnership depth, Intune-managed estates, PatchMyPC at scale.”
What's on the contract
- Cisco Partner
- Meraki-aware delivery
- Microsoft Intune-managed estates
- PatchMyPC at scale
- SentinelOne EDR baseline
- ISO 27001
- Named accountability
- Privacy Act / NDB compliant
Tech stack on this pillar
- Cisco
- Meraki
- SentinelOne
- Microsoft Intune
- PatchMyPC
- Azure Monitor
- ServiceNow
Engagement models
- Fully Managed Network/Endpoint
- Co-Managed (your team owns architecture)
- Project-Based (refresh, segmentation, Intune)
Self-scored worksheet
Endpoint Hygiene Self-Assessment
A structured worksheet your IT Manager completes in 30–45 minutes. Walks through patching cadence, endpoint inventory accuracy, Intune compliance state, local-admin privilege posture, encryption, EDR coverage, joiner-mover-leaver lag, asset disposal evidence and the seven things auditors find first. Self-scored Essential Eight ML1/ML2-mapped result plus a one-page improvement plan ranked by audit risk and time-to-fix.
Frequently asked
Critical CVEs (Microsoft / vendor security advisory) are assessed within 24 hours, with an emergency out-of-band patch cycle for affected estates inside 72 hours where the change risk allows. Lower-severity patches run on the standard weekly endpoint / monthly server cycle. Every emergency cycle produces a post-event report — what was patched, what was deferred and why, what residual risk remains.
Yes — BYOD via Intune Mobile Application Management (MAM) where appropriate, full Mobile Device Management (MDM) for corporate-issued devices, and conditional access policies that distinguish between the two. Most mid-market firms benefit from MAM-only on personal devices and MDM on corporate fleets; we'll write the policy that fits your data-loss tolerance.
Network & Endpoint owns the prevention layer — patch posture, configuration baseline, segmentation, endpoint compliance, EDR deployment. The Managed Security pillar owns the detection and response layer — security operations, SIEM, threat intelligence, incident response. The two share the same EDR (SentinelOne) and the same network telemetry, but with documented ownership boundaries on every account that takes both. We don't double-charge.
OT and IoT segmentation, asset inventory and monitoring are scoped engagements rather than commodity offerings — every environment is genuinely different. We've delivered for healthcare clinical estates, real-estate-property-tech estates, and mid-market industrial environments. We'll tell you honestly where the engagement needs a specialist OT partner alongside us.
Lifecycle planning is part of the steady-state service. We track endpoint age, warranty status, performance trend and refresh-budget alignment. Procurement runs through your existing channels or through us — your choice, not a default. Disposal evidence (data destruction certificates, asset register sign-off) lives in your audit evidence pack.
Both. Greenfield design for new sites or M&A integration, brownfield uplift for ageing estates, and refresh-on-cycle for healthy networks. Design and refresh are project-shaped (defined scope, deadline, budget) and may sit in the IT Projects or Cloud & Infrastructure pillar depending on scale. Steady-state network operations live here.
Patch posture report (by device, by application, with trend); Intune compliance state report; network configuration baseline and change log; endpoint inventory with disposal evidence; local-admin privilege register. Cyber insurance underwriter questionnaires usually ask for a subset of the same documents — we'll fill them out with you in the renewal week.
Keep the audit short.
Twenty minutes. Patch cadence, segmentation appetite, and the endpoint posture your auditor actually asks for.