What We Deploy in the First 30 Days for a New Client

Switching IT providers is the part that stops most business owners from making the move. You know your current setup isn’t working, but the transition feels risky. What if something breaks? What if there’s a gap in coverage? What if the new provider takes months to get up to speed?

Those concerns are valid. We’ve written about the real costs of switching providers and they’re not trivial. But the risk of a bad transition comes from poor planning, not from the switch itself. A structured onboarding process with clear milestones eliminates the guesswork and keeps your business protected from day one.

Here’s exactly what happens during the first 30 days when a new client starts working with us, broken down week by week.

Week 1: Discovery and Documentation

Nothing gets deployed in week one. That’s intentional. The biggest mistake an IT provider can make is installing tools on top of an environment they don’t understand. We’ve covered what we evaluate first in detail, but here’s the summary of what this week produces.

Network and infrastructure audit. We document every server, workstation, switch, access point, and firewall in your environment. Firmware versions, configurations, warranty status, and how everything connects. Most clients are surprised by what we find because their previous provider never documented it properly.

Microsoft 365 tenant review. We pull your Secure Score, review Conditional Access policies, check for stale accounts, audit admin privileges, and evaluate your email security posture. M365 is the operational backbone for most of our clients, so understanding the current state is critical before we make changes.

User and access inventory. Every active user account, their access levels, which applications they use, and whether MFA is enabled. We also identify former employees who still have active credentials, which is more common than you’d expect.

Backup verification. We test existing backups before we trust them. Can they actually restore? When was the last successful test? What’s covered and what isn’t? Backup systems that haven’t been verified are backup systems that might not work when you need them.

Documentation handoff. If your current provider has documentation (network diagrams, credentials, configuration records), we collect and verify it during this week. If they don’t, which is the more common scenario, the audit itself becomes the foundation of your documentation.

By Friday of week one, we have a complete picture of your environment and a prioritized list of what needs to happen next.

Week 2: Security Baseline Deployment

Week two is when tools start going in. The order matters because each layer builds on the one before it.

Endpoint detection and response (EDR). SentinelOne gets deployed to every workstation and server. This isn’t traditional antivirus that scans for known signatures. EDR monitors behavior in real time, detects anomalies, and can isolate a compromised device before an attacker moves laterally through your network. Every endpoint gets protected before we make other changes, because visibility into endpoint activity is the foundation of everything else. Your endpoint protection is connected to our SOC for 24/7 monitoring from the moment it goes live.

Email security. Proofpoint goes in front of your email to filter phishing attempts, business email compromise attacks, and malicious attachments before they reach your users’ inboxes. Email remains the number one attack vector for SMBs, and native Microsoft 365 filtering misses too much. We configure it to match your organization’s communication patterns so legitimate mail doesn’t get caught in the crossfire.

Firewall review and hardening. We review your existing firewall (typically Fortinet FortiGate or Palo Alto) configuration against current best practices. That means checking firmware versions, reviewing access rules, closing unnecessary open ports, enabling intrusion prevention features, and verifying that logging is configured correctly. If the firewall hardware is end-of-life or fundamentally inadequate, we flag it in the 90-day roadmap rather than making a rushed replacement.

Microsoft 365 hardening. Based on the week-one audit, we start closing the gaps: enforcing MFA across all accounts, tightening Conditional Access policies, removing unnecessary admin privileges, disabling legacy authentication protocols, and configuring audit logging. These changes are rolled out in stages with clear communication to your team so nobody gets locked out of their accounts on a Tuesday morning.

Week 3: Monitoring, Management, and Training

With security tools in place and the environment hardened, week three focuses on ongoing management infrastructure and your people.

RMM agent deployment. ConnectWise Automate (our remote monitoring and management platform) gets installed on every managed device. This gives us real-time visibility into hardware health, disk space, patch status, software inventory, and performance metrics. It also enables remote support so our help desk can resolve issues without scheduling an on-site visit. When something starts failing, we typically know before your employees do.

Patch management automation. We configure automated patching schedules for operating systems and critical applications. Patches get tested, staged, and deployed on a defined cadence rather than applied randomly or forgotten entirely. Automated patch management eliminates one of the most common attack surfaces for SMBs: known vulnerabilities that simply never got patched.

Backup configuration. Based on the week-one assessment, we either verify and optimize your existing backup solution or deploy a new one. Backups cover servers, workstations, and cloud data (including Microsoft 365, which is not backed up by Microsoft by default). We configure backup schedules, retention policies, and automated restore testing so your disaster recovery actually works when you need it.

Security awareness training. Your employees are the last line of defense, and the most frequently exploited one. We enroll your team in security awareness training that covers phishing recognition, password hygiene, social engineering tactics, and safe browsing practices. This isn’t a one-time video. It includes simulated phishing campaigns that give us (and you) real data on who’s clicking what, so training can be targeted where it’s needed most.

Week 4: Optimization and Handoff

The final week is about tuning what’s been deployed and making sure your team knows how to work with us going forward.

Alert tuning. Every monitoring tool generates noise during initial deployment. Week four is when we refine alert thresholds, suppress known false positives, and calibrate the system to your environment’s normal patterns. This step is what separates useful monitoring from a flood of ignored notifications.

Escalation procedures. We finalize the communication plan: who gets called for what severity level, how after-hours incidents are handled, what decisions our team can make autonomously versus what requires your approval. Getting this right prevents confusion during real incidents. We’ve seen firsthand how the first 48 hours of an incident play out, and clear escalation paths make the difference between a contained event and an extended crisis.

90-day roadmap delivery. Not everything can or should happen in 30 days. The onboarding process generates a prioritized roadmap of medium-term improvements: projects like network infrastructure upgrades, compliance gap remediation, cloud migration planning, or additional security stack layers. Each item includes a clear description of the risk it addresses and a recommended timeline.

Ongoing support handoff. Your team gets introduced to our help desk, including how to submit tickets, expected response times, and the direct line for urgent issues. We also schedule the first quarterly business review, where we’ll walk through environment health metrics, security posture changes, and progress against the 90-day roadmap.

Why the Timeline Matters

Thirty days is tight enough to maintain momentum and long enough to do things correctly. Providers who promise to have everything running in a week are cutting corners. Providers who take 90 days to finish onboarding are either understaffed or disorganized.

The structured timeline also reduces risk during the transition. Your old provider’s tools don’t get removed until ours are verified and running. There’s no gap in coverage, no period where endpoints are unprotected, and no moment where nobody is watching the network.

If you’re evaluating whether to make a change, our MSP evaluation checklist covers what to ask any provider about their onboarding process. The answers will tell you a lot about how they run the rest of the relationship.