Defense Industrial Base

    MDR for Small Defense Contractors

    You hold CUI because the work requires it, which makes you a target for the same state-aligned actors that go after the primes. Here is what is actually coming at you, and what coverage looks like.

    You are a 40-person machine shop, a 15-person engineering firm, a 120-person integrator. You hold CUI because the work requires it. And that makes you a target for the same state-aligned actors that go after the primes, except without their security team, their budget, or their SOC.

    The adversary knows that. It is the entire reason they target you. Breaching a prime through the front door is hard. Breaching the subcontractor who machines the part, then riding the trusted relationship upstream, is how it actually gets done. The Defense Industrial Base is roughly 300,000 companies and most of them are small. You are the backbone. You are not the headline. To the adversary, you are the way in.

    We have been hunting these actors since 2007, and unlike most vendors, we publish the work. Here is what is actually coming at you, from our own hunt desk's research.

    What an attack on you actually looks like, hour by hour

    This is not hypothetical. Our team documented the full MuddyWater and Handala kill chain behind this spring's destruction of roughly 200,000 systems at a major medtech company, and the playbook is the one aimed at contractors like you.

    It starts quietly, weeks early. In February 2026, MuddyWater ran password spraying against OWA and VPN portals, spear-phishing, and exploitation of perimeter appliances, weaponizing CVE-2024-55591 in FortiOS and CVE-2026-1281 in Ivanti EPMM. The kind of edge devices every small contractor runs and nobody watches.

    Then they live in your identity layer. Backdoors signed with stolen certificates ("Amy Cherne," "Donald Gay"), staged through infrastructure like sso.bookairway.com, a phishing proxy built to look like your single sign-on page. Data exfiltrated with Rclone to ordinary Wasabi and Backblaze B2 cloud buckets, traffic that looks like backup software because that is exactly what it is.

    Then, one night, the loud part. On March 11, 2026 at 3:30 a.m. EDT, the operators issued a bulk Wipe and Retire sequence through the Intune API, the victim's own management console, and roughly 200,000 machines died before sunrise.

    Every phase of that chain is detectable, and our public pack ships the 25 Sigma rules, KQL and SPL queries, and 78-entry IOC set to do it. The question for a 40-person shop is simpler: who at your company was awake at 3:30 a.m. to see it?

    The math on being small

    Our hunt desk tracked 2,522 ransomware claims from 81 groups in the first ten weeks of 2026, more than 37 victims a day, and nine organizations were claimed by two separate groups at once. Meanwhile the identity market that feeds these intrusions keeps growing: 1.17 million infostealer logs analyzed this year contained both enterprise credentials and active session cookies, with Entra ID showing up in 79% of enterprise identity logs. Your employees' credentials are likely already for sale; the only question is whether anyone notices the login.

    Small contractors usually have one of three setups. An IT provider who is good at keeping computers running and honest enough to admit monitoring is not their trade. A stack of security software generating alerts nobody reads. Or nothing, and a hope that small means invisible. None of these survive contact with actors who use valid credentials, live off the land, and were inside networks like Cisco ASA firewalls without generating a single log event, as CISA's AR26-113a documented this April.

    What you get

    24/7/365 human hunt teams. Our analysts have the watch around the clock, backed by MILBERT, our agentic AI platform that processes billions of events so humans spend their time on judgment instead of triage. When something fires at 3:30 a.m., a human investigates it at 3:30 a.m., and with our response tiers, contains it then too.

    Threat intelligence you can verify before buying. Everything above is from our published research. The detection packs are free, ungated, and in production use. Most vendors ask you to trust their marketing. We would rather you check our work.

    Evidence your assessor can use. Monitoring you cannot prove is monitoring you do not have, as far as CMMC Level 2 is concerned. Our service is built to carry its share of the NIST SP 800-171 audit (3.3.x), incident response (3.6.x), and system integrity (3.14.x) families, with reporting designed to be handed to a C3PAO, and with your DFARS 252.204-7012 72-hour DIBNet clock in mind: contractors with monitoring report with a timeline and containment already done; contractors without it report "we think something happened" and spend a month finding out, with their contracting officer watching. When it is time to assemble the compliance package itself, our JAXBERT platform is built to carry it: the 110 practices, the SSP, the SPRS score, and the C3PAO evidence.

    A size-appropriate engagement. No 40-page statement of work, no six-month onboarding. Sensors deployed, log sources connected, baseline tuned, hunting live.

    The deadline behind all of this

    After November 10, 2026, CMMC Level 2 certification is a condition of award for contracts involving CUI, and the monitoring controls are the ones you cannot cram for, because assessors ask for operating history, not intentions. If you are starting now, start with the controls that take calendar time to generate evidence. Details on our CMMC deadline page.

    Priced for the backbone, not the primes

    Hunt, Hunt + Respond, and Hunt + Respond + Manage, scoped to your environment, with straight answers from the first call. See our pricing guide for real market numbers before you talk to us or anyone.

    Frequently Asked Questions

    Do small defense contractors really get targeted?

    Yes, deliberately. Subcontractors are the soft path into primes and programs. The February 2026 MuddyWater campaign opened with password spraying and perimeter appliance exploits, techniques that work best against companies without 24/7 monitoring.

    Does MDR satisfy NIST 800-171 monitoring requirements?

    A real MDR service carries significant weight in the audit and accountability (3.3.x), incident response (3.6.x), and system integrity (3.14.x) families, but no provider satisfies all 110 practices, and anyone claiming otherwise is selling something else.

    What should a small contractor expect to pay?

    Serious 24/7 coverage typically lands in the low-to-mid four figures per month for a small contractor. See our pricing guide for what drives the number.