
Mid-Atlantic Nonprofit: SOC 2 Type II in Nine Months

Client: Mid-Atlantic Nonprofit (anonymized at client request)

The starting point

This client came to us through a referral from their funder relations team. Their primary institutional grant — roughly 35% of their annual operating budget — was being renewed under a new compliance regime that required SOC 2 Type II attestation within twelve months. They had no internal IT, no compliance posture, no formal vendor management, and a Microsoft 365 tenant that had been set up incrementally over six years by three different consultants.

The board had two questions for the executive team: "Can we actually do this?" and "What does it cost?"

We ran a discovery walkthrough in week one. The picture was familiar — orphaned licenses, MFA enforced for some staff and not others, a backup product that hadn’t been restore-tested in eighteen months, no asset inventory, and four different IT-adjacent vendor contracts (a break-fix MSP, a separate cybersecurity tool reseller, an M365 reseller, and a contracted SOC 2 prep consultant the prior ED had hired and never integrated with anyone else). The number we came back with for SOC 2 readiness was roughly half what they’d been quoted by a Big Four firm — because we proposed running the readiness work continuously inside the IT Partnership, not as a discrete six-month project.

What we built

The engagement was scoped to three workstreams running in parallel.

IT operations baseline. Help Desk, Systems Administration, and Managed Network spun up in the first four weeks. We deployed our standard tooling stack (NinjaOne RMM, IT Glue documentation, ConnectWise for ticketing) and rebuilt the M365 tenant — license rightsizing, conditional access policies (including for guest users), MFA on everything, and a defensible identity baseline. We took over the ISP and equipment-vendor relationships from the executive team so they could stop being the middle of every IT call.

ATM cybersecurity foundation. Huntress MDR onto every endpoint. Microsoft Defender across the M365 tenant. KnowBe4 for phishing simulation and training. Quarterly tabletop exercises with the leadership team. The point was to make the security baseline real — not just a list of products on a slide.

Compliance Management. Drata configured against a SOC 2 control matrix scoped to their actual operations. Customer-tailored policies (not generic templates). Continuous evidence collection. Monthly internal posture reviews with the vITM and vCIO. We sat in every audit walkthrough alongside the executive team — the auditor’s questions came to us, not to staff.

The cadence that mattered

The thing that made this work wasn’t any single product — it was the operating cadence. The vITM ran a weekly stand-up with the COO. The vCIO ran a quarterly business review with the executive team and a twice-yearly board-pack update. The Drata posture report went to the board quarterly. The phishing simulation results were a standing item in the all-staff meeting.

By month six, the conversation in the executive team had shifted from "Can we get SOC 2 done?" to "What's the next thing we should be doing with this IT operation?"

The result

SOC 2 Type II attestation came in at month nine — three months ahead of the funder’s deadline. The funder renewed at the existing level plus a 12% increase. The license rightsizing more than paid for the Compliance Management add-on. The four prior IT vendor contracts collapsed into the single Wellforce relationship.

The client renewed at the end of the first year and is now on year three with us.

Why this study is anonymized

The client is a respected regional nonprofit that does politically sensitive work. They prefer not to be publicly identified as a Wellforce client even in a positive case study. We honor that — the alternative would be inventing a logo or paraphrasing a real engagement past recognition. Neither is honest.

If you’d like to talk to a real reference in this space, we can arrange that under NDA.

Could be you next

See what your IT looks like under the same lens.

Free scorecard, then a real conversation. No pressure.