24 YEARS OF TRUSTED IT, CYBER & COMPLIANCE

Craig Petronella started this company in 2002 with a workbench, a phone line, and a simple promise: when a Triangle business calls, a real person answers and the problem actually gets fixed. That was the entire pitch. Most local IT shops at the time were break/fix outfits running on hourly billing and limited accountability. We chose to build something different.

Through the early 2000s we did the unglamorous work that earns long-term clients: rebuilding crashed servers at 2am, recovering data from drives the manufacturer had given up on, untangling Exchange databases the night before a CPA firm's tax deadline. The reputation traveled by word of mouth across Raleigh, Durham, and Chapel Hill, plus Cary and Apex. By 2003 the Better Business Bureau gave us our A+ rating, and we have held it without interruption ever since.

Around 2010 we made the deliberate shift from break/fix to managed services. The reasoning was straightforward. Our clients were tired of surprise invoices and we were tired of arriving on-site to fix problems that proper monitoring would have caught two weeks earlier. Flat monthly pricing, 24/7 monitoring, and proactive patching aligned everyone's incentives. Our retention numbers told us we had made the right call.

The next pivot came from the threat landscape itself. By 2015 ransomware was hitting small and mid-size businesses harder than the headlines suggested. Healthcare practices, accounting firms, defense subcontractors, and law firms in our backyard were getting encrypted, and most of them had no idea what to do in the first hour. We built out a dedicated cybersecurity practice, invested in incident response tooling, and Craig pursued the Digital Forensics Examiner credential through North Carolina's Private Protective Services Board. That license, DFE #604180, is what allows us to legally collect, preserve, and present digital evidence in North Carolina. It is also what separates us from the long list of "managed security" providers who can monitor an alert but cannot take a case to court.

From 2018 onward, compliance moved from a niche concern to a survival requirement. HIPAA enforcement got real. CMMC for defense contractors went from talking point to flowdown clause. SOC 2 became table stakes for any vendor selling into the enterprise. We built our compliance practice to handle all of it under one roof. Today our team is fully CMMC Registered Practitioner (CMMC-RP) certified, including Blake Rea, Justin Summers, and Jonathan Wood, which means our clients work with practitioners who have demonstrated formal proficiency in the CMMC ecosystem rather than generalists who read the framework once.

The most recent chapter is artificial intelligence. Starting in 2023 we began building the kind of private AI infrastructure our clients actually need: on-premises GPU clusters, retrieval augmented generation pipelines that respect data boundaries, and small language models tuned for specific compliance and operational tasks. We invested in our own GPU hardware so we can run client workloads without exporting sensitive data to an unknown destination. Our hardware engineering practice grew out of that work and now serves law firms, healthcare networks, and research institutions across North Carolina and nationwide.

Twenty-four years later the company has grown well beyond a single workbench, but the founding promise has not changed. When you call, a real person answers. When something breaks, we own it until it works. When the auditor shows up, the documentation is ready. That is who we are.

Answer: The Better Business Bureau has rated Petronella Technology Group A+ continuously since 2003, a 23-year unbroken record. An A+ rating reflects verified contact information, complaints answered and resolved, and business practices reviewed against BBB standards over continuous operation.

The Better Business Bureau has rated Petronella Technology Group A+ continuously since 2003. That is a 23-year unbroken record, which puts us in a small minority of small businesses anywhere, let alone in the IT services sector where complaint volume tends to run high.

What an A+ actually means in practice: complaints get answered, disputes get resolved, contact information is current and verified, business practices are reviewed against the BBB's standards, and the firm has been in continuous operation for the time stated. It is not a marketing badge you can pay to display. It is the result of how a company handles the hard conversations year after year.

For a prospective client, the BBB record is one of the few independent third-party signals you can verify in two minutes. We encourage you to do exactly that.

What we tell every new client

We will never be the cheapest option. We try very hard to be the most honest one. If a project is not the right fit, we will say so. If a competitor is genuinely better positioned for what you need, we will point you at them. The BBB record reflects that posture and we intend to keep it. Our delivery commitments are backed in writing by our service guarantee.

Healthcare and HIPAA-regulated practices. We have spent years inside dental practices, family medicine clinics, behavioral health groups, dental specialty offices, and Triangle-area healthcare networks. We know what an Office for Civil Rights audit actually looks like. We know which EHR integrations break which security controls. We know how to write a Business Associate Agreement that actually protects you.

Defense Industrial Base contractors. If your DoD prime is asking for a Supplier Performance Risk System score, a System Security Plan, a Plan of Action and Milestones, or CMMC 2.0 readiness, we have the credentialed practitioners and the documentation playbooks to get you there. CMMC-RP across the team is what makes this practice real.

Legal practices and law firms. Our digital forensics work intersects directly with civil litigation and criminal defense, so we understand chain of custody, work product privilege, and the specific evidentiary standards that hold up in North Carolina state and federal courts. We do not market ourselves as a private investigation firm, and we do not do mobile forensics or traditional e-discovery, but we do specialize in network forensics, crypto tracing, SIM swap investigation, and ransomware incident response.

Financial services and accounting firms. SOC 2, PCI DSS, GLBA Safeguards Rule, and state-level privacy obligations all converge in this sector. We help firms build the security architecture and the audit documentation simultaneously, which saves a great deal of money compared to doing them as separate projects.

Real estate, construction, manufacturing, and non-profits. Sectors where we have deep case-study experience ranging from network buildouts on active job sites to ITAR-aware manufacturing environments to budget-constrained mission-driven non-profit IT.

Visit our industries page to see the full list and the dedicated playbooks we have built for each one.

The Petronella team is built around people who treat this as a profession, not a stepping stone. Most of our senior staff have been in the industry for over a decade. The CMMC-RP credential held by Blake, Justin, and Jonathan reflects formal proficiency in the same framework our defense clients are accountable to. Our network engineering and cybersecurity practitioners hold a mix of vendor and vendor-neutral certifications across Cisco, Microsoft, CompTIA, and Cloudflare.

We do not subscribe to the "dispatch a technician and hope" school of managed services. Every account has named senior owners who know the environment, know the people, and know the history. When a client calls about something that broke six months ago, the same engineer who originally fixed it picks up.

For specialty work outside our core competencies, we maintain a trusted partner network of forensics labs, attorneys, insurance brokers, and specialty engineering firms. We never name our partners in customer-facing material because we believe accountability stops with us. If our name is on the engagement, we own the outcome.

Meet the full team at our team page. You can also read individual staff bios and explore our team's credentials and accreditations.

Over the years our work has been covered by ABC, CBS, NBC, FOX, and WRAL Channel 5, with appearances tied to ransomware coverage, identity theft prevention, and small business cybersecurity guidance. Craig has authored books on HIPAA compliance, cybersecurity, and CMMC that have charted on Amazon's best-seller lists in their respective categories. The full archive lives at our press page, and recent coverage plus speaking engagements are collected on the current press and media page. Clients who want closer advisory access can join the Inner Circle advisory program.

Closer to home, we are active in the Raleigh small business community. Past initiatives have included donating meals to WakeMed staff during the COVID response, an annual cybersecurity scholarship program for students pursuing careers in the field, and ongoing pro-bono security guidance for local non-profits. Visit our scholarship program page to learn more about how we support the next generation of cybersecurity practitioners.

We also run an active referral program for clients and partners who want to recommend our work. Full terms are posted at the referral program page.

It is easy in 2026 to assume that managed IT and cybersecurity have been commoditized by AI agents and global service desks. The pricing pressure certainly suggests so. But the ground reality for any business that handles regulated data, intellectual property, or revenue-critical operations tells a different story.

When the SOC desk is in another country and the AI triage agent is running on infrastructure you cannot inspect, the meaningful question is not "how cheap was the contract?" The question is "who picks up the phone at 2am when the encryption starts spreading, and what is their first move?" Those are the moments where local accountability, real credentials, and an actual office address you can drive to become decisive.

Three reasons local still wins

• Relationships. We have known some of our clients' CFOs, attorneys, and insurance brokers for over a decade. That web of trust is what gets a ransomware case resolved in days instead of weeks.
• Accountability. We are physically reachable. The North Carolina PPSB licenses our forensics work. The Better Business Bureau publishes our complaint record. There is nowhere to hide and we have built the company so we never need to.
• Local SLAs. When a Raleigh hospital's EHR goes down or a Durham law firm's case management system gets encrypted, we can be on-site fast. The remote-only national MSPs cannot match that for the engagements that genuinely need it.

AI is changing how we deliver many parts of our service. It is not changing the fundamental promise. When you call, a real person answers. When something breaks, we own it. When the auditor shows up, the documentation is ready.