Commercial Thesis

Retire the MSP. Engineer the endpoint and the edge.

Surya replaces ticket-driven managed services with engineered endpoint and network edge logistics. For healthcare and manufacturing operators, that's a 40–60% reduction in MSP spend — eliminated at the source, not renegotiated.

For healthcare and manufacturing operators running real fleets, real sites, and real compliance.

/ The Thesis

Whichever door you picked, the math is the same.

Claim / 01

The endpoint is the unit of cost.

Most enterprise MSP spend is endpoint-related: help desk tickets, password resets, broken updates, lost devices, onboarding setup, offboarding cleanup, patch failures, image drift. Add it up and the endpoint is where the money goes.

Claim / 02

Ticket-driven economics reward the wrong thing.

MSP contracts are priced on volume. The vendor's revenue grows when tickets grow. Nothing in that model rewards prevention — and nothing about it gets cheaper as your fleet matures.

Claim / 03

Engineered logistics eliminates the volume.

Surya provisions, hardens, ships, recovers, and lifecycles every endpoint as a unit of engineered work — not a stream of tickets. When the endpoint is right, most of the tickets you're paying to resolve never exist.

Retire the function. Don't renegotiate the contract.

/ The Stack

Design and operate. One persona model. Three layers.

Most vendors stop at one layer. Surya engineers the foundation, operates the endpoint lifecycle, and operates the network edge — all under a single persona model. Identity, endpoint, data, network, and logistics: defined once, enforced consistently.

Engineering Services

/ Design

Operationalize the Microsoft endpoint stack.

Most enterprises pay for M365 Business Premium, E5, Entra Suite, and Intune Suite — and use a fraction of what the licenses entitle them to. Surya engineers the configuration that lights up the SKUs already on the bill: persona-driven Intune policies, Entra Conditional Access, Microsoft Defender XDR, Purview, and Global Secure Access (Entra Internet Access, EIA, plus Entra Private Access, EPA) wired together into a Zero Trust architecture mapped to the CISA maturity model. For enterprises with Zscaler or on-premises SASE investments, we integrate around what you already own.

Endpoint Logistics

/ Operate the Endpoint

Provision, deploy, recover, lifecycle.

Persona-driven gold images, HRIS-triggered Day-1 readiness, 90% remote recovery target, NIST 800-88 sanitization. Laptops, desktops, HMIs — every device handled as a unit of engineered work from a HIPAA-aligned, NIST 800-171 facility in RTP.

Network Edge Logistics

/ Operate the Edge

Templated build, shipped, commissioned, lifecycled.

Firewalls, switches, wireless, SD-WAN appliances — pre-configured to persona-driven site templates, shipped ready to plug in, validated against your management plane, and maintained for the life of the deployment. Multi-site healthcare networks, manufacturing plants with IT/OT boundaries, and PE platforms consolidating heterogeneous estates all run under the same operating model.

One persona model. Three operating layers. That's how the MSP function gets retired.

/ How it works

Three things happen, in order.

The shortest possible explanation of what Surya does, written for the executive who's never configured a firewall and the IT manager who oversees offshore delivery teams. The technical depth lives on the engineering and pricing pages — start here for the picture.

Audit

/ 01

We tell you what you're paying for and not using.

We start with a three-week audit of your current environment — every Microsoft license, every managed services contract, every network appliance, every place your IT budget is going. The output is a written report your CFO can audit and your CIO can sign off on: what you own, what you're using, what you're paying for twice, and where the cost reduction actually lives. Most enterprises discover they're paying for security and management capabilities they could turn on tomorrow.

Engineer

/ 02

We make what you already own actually deliver.

Most enterprises pay Microsoft for security and management software they barely use. We turn it on. We configure it so your help desk has less to fix, your new hires get a working laptop on day one, your departing employees can't take data with them, and your audit evidence is ready before the auditor asks. The Microsoft licenses you already pay for start doing the work you bought them to do.

Operate

/ 03

We run the daily work from one place.

Every laptop, desktop, plant-floor computer, and branch-office firewall flows through one 17,000-square-foot facility in Research Triangle Park, North Carolina. We provision the device, ship it to the employee or site, monitor it for the life of the deployment, recover it when someone leaves or hardware refreshes, and certify the disposal. One operator instead of three vendors. One bill instead of a procurement headache. One phone number when something goes wrong.

That's the whole offering, in three steps. The technical depth — Microsoft 365, Zscaler, Zero Trust architecture, OT segmentation, network edge templating — is how we deliver it. Start with the engineering tracks or the savings model if you want the next layer of detail.

/ Quick Estimate

Get a number in 10 seconds.

Pick the closest fleet size. We'll show you a starting monthly.

Standard tier

~$6,500/mo

Platform access · ~$85/in · $110/out per unit (100–499 band)

A natural extension of the business you already run.

Your HR system already knows who works for you, when they joined, when they're leaving, and what they're allowed to access. Your Microsoft 365 tenant already manages their identity, their devices, and their security. Surya is the connection between those systems and the physical world — so when your HRIS fires an event, the right hardware moves automatically. You don't change how you hire. You don't change how you offboard. The systems you already pay for do the work.

01 / Provision

Day-One Ready

Role-based gold images, BIOS lockdown, peripherals kitted and serialized before the device leaves our floor.

02 / Deploy

White-Glove Deployment

Zero-touch deployment without burdening internal IT. Direct-to-employee shipping for remote hires with secure packaging, tracking, and delivery confirmation. Bench delivery and staging for HMIs and endpoints placed directly onto active manufacturing lines—built for distributed teams, production environments, and day-one readiness at scale.

03 / Recover

Up to 90% Asset Recovery Target

Automated offboarding with predictable results. Pre-paid return kits and guided workflows are built to recover up to 90% of remote devices, with a 72-hour retrieval target. Reduce device loss, shrink offboarding timelines, and maintain chain-of-custody without manual follow-ups.

04 / Re-Stage

Secure Sanitization & Re-Imaging

Enterprise-grade sanitization for audit-ready reuse or redeployment. Devices are wiped to NIST 800-88 standards, physically inspected, and re-imaged inside a HIPAA-aligned, NIST 800-171 secure environment. Every unit exits ready for redeployment, storage, or compliant disposal.

/ Start small

Run a 30-day pilot for $2,500.

30 devices. One gold image. One HRIS connector. Full ops report at day 60. Pilot credit applied if you sign a contract within 60 days.

/ Services

One operations team for every device on your floor.

Service / 01

Laptop & Desktop Provisioning

Custom OS images, MDM enrollment, and asset tagging at scale for clinical and corporate fleets.

Service / 02

HMI Logistics

Specialized handling of human-machine interfaces and industrial PCs for pharma and advanced manufacturing.

Service / 03

Remote Worker Recovery

Prepaid kits, scheduled pickups, and chase workflows built to recover up to 9 of 10 devices from departing employees.

Service / 04

Secure Storage & Staging

Climate-controlled, access-logged storage with serialized inventory tracking inside a HIPAA-aligned, NIST 800-171 compliant facility.

Service / 05

Network Edge Logistics

Branch routers, firewalls, switches, wireless access points, and SD-WAN appliances — pre-configured against persona-driven site templates, staged in RTP, shipped with guided plug-in runbooks, and lifecycled under continuous management. We standardize per-customer based on footprint, security posture, and existing investments — the gap analysis surfaces the right architecture for your sites.

/ Scenarios

Built for the moments that break IT.

From PE roll-ups to quarterly refreshes, our playbooks turn high-stakes hardware events into routine operations.

Scenario / 01

OT Laptops — Healthcare

Clinical and biomed laptops, FDA-aware and HIPAA-hardened.

Carts, biomed service laptops, and imaging review workstations built for hospitals and life-sciences sites. We hold OS, browser, and Java/.NET versions to what the device manufacturer (GE Healthcare, Philips, Siemens Healthineers, Medtronic, Stryker) actually supports, and stagger Windows updates behind a clinical change window so MRI, EMR, and infusion-pump tooling don't break overnight.

  • Vendor-validated builds for GE/Philips/Siemens Healthineers imaging consoles
  • Locked Java, .NET, and browser stacks for Epic, Cerner, and Meditech Hyperspace
  • Conservative patch rings tied to FDA-cleared device compatibility statements
  • HIPAA-hardened: BitLocker, screen-lock, audit logging, and biomed asset tagging

Scenario / 02

OT Laptops — Manufacturing

Plant-floor laptops that talk to Siemens and Fanuc, not Patch Tuesday.

Engineering and maintenance laptops for shop-floor HMIs, PLC programming, and CNC tool support. We image to vendor-validated OS baselines, lock down driver and firmware versions, and run a conservative WSUS ring aligned to Siemens TIA Portal, Fanuc CNC/Roboguide, and Rockwell FactoryTalk compatibility matrices — never auto-patched into a line stoppage.

  • Custom OT gold images: TIA Portal, Step 7, Fanuc Ladder/Roboguide, RSLogix
  • Conservative WSUS / Intune rings validated against vendor support matrices
  • Pinned NIC, USB, and serial drivers for PLC and CNC programming cables
  • Purdue-aware network profiles, app allow-listing, and removable-media controls

Scenario / 03

M&A Integration

Private equity acquisitions, deployed at velocity.

Custom gold images per portfolio company, mass re-imaging, and coordinated cutovers. We stage thousands of devices for Day-1 close and ship to acquired-entity employees in days, not quarters.

  • Custom image creation per acquired entity
  • Mass deployment across distributed workforces
  • Domain migration and identity cutover support
  • Asset reconciliation against target-co inventory

Scenario / 04

Equipment Refresh

Device lifecycle at scale.

Quarterly refresh cohorts planned, kitted, and swapped without burning IT cycles. Old fleet returns to RTP for sanitization, resale, or certified destruction with full chain-of-custody.

  • Cohort-based refresh planning by role and region
  • Swap-in-place with prepaid return logistics
  • ITAD: NIST 800-88 wipe, resale, or shred
  • Sustainability and recovery-value reporting

Scenario / 05

Onboarding & Offboarding

Right laptop, right software, right day.

Hire in your HRIS, and a persona-matched, security-hardened device lands on the new employee's desk for Day 1. On termination, automated recovery kits are built to pull devices back at up to a 90% retrieval rate.

  • Day-1 device delivery triggered by HRIS event
  • Persona-driven software and access provisioning
  • Automated offboarding kits with prepaid return
  • Up to 90% remote-worker asset recovery target

Scenario / 06

Autopilot & Intune Automation

Zero-touch builds, hardened by default.

We engineer your Autopilot and Intune pipelines so devices arrive fully enrolled, persona-configured, and aligned to zero-trust baselines — no white-glove ticket required.

  • Windows Autopilot enrollment and registration
  • Intune persona profiles and app deployment
  • CIS / NIST security hardening baselines
  • Zero-trust conditional access alignment

Scenario / 07

RTP Startups & Scaleups

Series A to Series C, without an IT team.

You're hiring fast across the Triangle and remote — Durham, Raleigh, Chapel Hill, and beyond. We act as your outsourced IT logistics arm: founder-friendly month-to-month terms, local pickup and drop-off at our RTP facility, and a kitting runway that scales with every funding round.

  • Local to RTP — same-day pickup, drop-off, and bench swaps
  • Month-to-month with no enterprise minimums
  • MDM and SSO setup (Google, Okta, Jamf, Intune) from Day 1
  • Investor-ready asset inventory and SOC 2 evidence

Scenario / 08

Cobot Provisioning

Collaborative robots, imaged and safety-certified before they ship.

Teach pendants, vision controllers, and edge PCs for Universal Robots, FANUC CRX, ABB GoFa, and Doosan cobots — provisioned to the integrator's validated build before they ever touch the cell. We pin URCaps, Robotiq, OnRobot, and Cognex driver versions, lock firmware to the cobot's certified safety configuration, and ship with a documented commissioning packet so the safety assessor isn't chasing version drift on install day.

  • Validated builds for UR, FANUC CRX, ABB GoFa, Doosan, and Techman cobots
  • Pinned URCaps, Robotiq, OnRobot, and Cognex vision driver versions
  • Firmware and safety-config locked to ISO 10218 / TS 15066 assessment
  • Commissioning packet: checksums, network plan, and rollback image

Scenario / 09

Network Edge — Multi-site

Templated network edge across every site, refreshed without a fire drill.

Healthcare networks running 40 clinics, retail health operations scaling to 200 locations, and PE platforms consolidating three or four acquired estates all face the same problem: a different network mess at every site, with hardware that drifts, certificates that expire, and configuration that nobody remembers. Surya pre-stages every network edge appliance to a site-type template, ships it ready to plug in, validates the bring-up remotely, and runs continuous lifecycle against the template. Refresh cycles become cohort operations instead of site-by-site projects.

  • Per-site-type templates: clinic, plant, warehouse, corporate, OT-segregated
  • Pre-staged appliances with certificates, base config, and management plane registration
  • Guided plug-in runbooks for non-IT site contacts
  • Continuous lifecycle: firmware leveling, configuration drift remediation, certificate renewal
  • Cohort-based refresh and decommission with chain-of-custody

Scenario / 10

Network Edge — IT/OT Boundary

The plant network edge, configured for the Purdue model that's actually running.

Manufacturing sites with serious OT requirements don't have a network edge — they have three: the corporate edge, the OT edge, and the segmentation that should sit between them. Surya pre-configures site appliances to the customer's segmentation policy, validates against the OT vendor compatibility matrix (Siemens, Rockwell, Fanuc), and commissions with a documented test plan the OT security team can sign off on. Ship date and validation date are separate milestones — the appliance doesn't go live until the OT team has signed the bring-up record.

  • Purdue-aware segmentation templates for level 2 / 3 / 3.5 boundaries
  • Pinned firmware and feature-set validated against OT vendor compatibility
  • Documented commissioning packet for OT security sign-off
  • Industrial protocol allow-listing, removable-media controls at the edge
  • Coordinated bring-up with corporate IT, plant IT, and OT security

/ Cost Replacement

The MSP line items we eliminate.

A traditional MSP charges for volume. Surya engineers the volume out of existence. Here is how the line items map.

| Traditional MSP Line Item | Surya Replaces It With |
| --- | --- |
| Help desk tickets for endpoint issues | Persona-correct gold images, hardened at provisioning |
| Onboarding setup and Day-1 IT support | HRIS-triggered Day-1 readiness, zero-touch enrollment |
| Patch incident response and rollback | Conservative WSUS / Intune patch rings, vendor-validated |
| Offboarding cleanup and access revocation | Automated recovery kits, 90% retrieval target, Conditional Access cutover |
| Lost device chase and asset reconciliation | Serialized chain-of-custody, real-time inventory in ServiceNow |
| Hardware refresh project management | Cohort-based refresh, swap-in-place, prepaid return logistics |
| Compliance evidence collection (HIPAA, NIST) | Audit-ready logging by default, evidence on demand |
| Imaging and re-imaging labor | Centralized RTP imaging, NIST 800-88 sanitization on-site |
| Standing admin rights and privilege sprawl | Intune Endpoint Privilege Management — just-in-time elevation |
| Legacy VPN and flat network access | Identity-driven Zero Trust access — Entra Private Access (EPA), Zscaler ZPA, or both |
| Network appliance configuration and change management | Templated site builds, pre-configured at the facility, drift remediation under continuous lifecycle |
| Multi-site WAN management as a separate vendor relationship | One operator, one persona model, one lifecycle across endpoint and edge |

Typical engagement eliminates 40–60% of endpoint-related MSP spend in the first 12 months. Your number depends on your fleet, your industry, and how broken your current model is.

/ Doctrine

Resilient security posture starts with endpoint hygiene.

Firewalls, EDR, and zero-trust frameworks are only as strong as the device underneath them. Our core values keep the foundation clean so the rest of your stack can do its job.

Tenet / 01

The endpoint is the perimeter.

Every breach starts where a human touches a keyboard — and every MSP ticket starts there too. Treat the endpoint as the front line of both security and cost, and the rest of the stack gets cheaper and safer at the same time.

Tenet / 02

Hygiene over heroics.

Patched firmware, hardened images, sanitized media, and recovered assets prevent more incidents than any SOC playbook ever will — and prevent more tickets than any help desk ever will. The cheapest support call is the one that never happens.

Tenet / 03

If you can't track it, you can't trust it.

Serialized chain-of-custody from the dock to the desk to the destruction certificate. No ghost devices. No silent risk. No unbilled MSP hours chasing assets that should have been logged at provisioning.

Tenet / 04

One persona model, everywhere.

A clinician, a plant operator, a corporate professional, and a contractor each need a different access posture, a different device baseline, and a different network segment. We define those personas once — at the identity layer — and enforce them consistently across the endpoint and the network edge. Two operating layers, one architectural truth. No translation between systems, no drift between vendors.

/ Enterprise

Different model for different scale.

If your organization is large enough that you negotiate IT services under master agreements, has IT operations measured in tens of thousands of seats, and requires a vendor that can operate alongside your internal team across managed IT, enterprise logistics, and ServiceNow integration — the focused mid-market thesis on this page is not built for your scale. Surya Technologies' enterprise services portfolio is the parallel offering for globally distributed customers.

/ Trust & Proof

Trusted by mission-critical operations.

How leading organizations use Surya to automate joiner-mover-leaver, end-user logistics, and Zero Trust endpoint security at scale.

/ Shipping SLA

Request by 2:00 PM ET. It ships today.

Cutoff 14:00 ET / Mon–Fri

RTP Metro

Same-day

Hand-delivered across the Research Triangle by our own fleet.

United States

Next-day

Overnight to any address in the US, coast to coast.

International

Country-dependent

Customs-aware routing; transit time scoped per destination.

/ Branded Kits

The unboxing is the first day. The return is the last impression.

We design, print, and ship co-branded onboarding and offboarding kits — so every employee touchpoint feels like your company, not a logistics vendor.

Kit / 01

Branded Onboarding Kit

Day-1 welcome, fully kitted

  • Custom-printed mailer with your brand and welcome insert
  • Persona-matched laptop, pre-enrolled in Intune / Autopilot
  • Power adapter, dongles, and headset spec'd to the role
  • Signed welcome card and swag (notebook, sticker, tee — optional)
  • Quick-start guide with IT contact and Day-1 checklist

Kit / 02

Offboarding Retrieval Kit

Frictionless return, 90%+ recovery

  • Pre-paid, pre-labeled return mailer dispatched on HRIS termination event
  • Tamper-evident seal and foam-lined protection for the device
  • Cable and accessory pouch with itemized return checklist
  • Automated reminder cadence — email, SMS, and manager escalation
  • Chain-of-custody scan on arrival, wipe certificate issued to your ITAM

/ Accessory Kitting

One box. Everything the remote worker needs to be productive.

We source, stock, and bundle peripherals against persona-driven SKUs — so a software engineer, a clinician, and a field tech each get the right kit without a single IT ticket. Inventory held in RTP, replenished on demand.

Displays & Docks

Monitors, USB-C docks, hubs, KVM switches

Input Peripherals

Keyboards, mice, trackpads, ergonomic kits

Audio & Video

Headsets, webcams, conference speakers

Power & Cabling

Adapters, surge protectors, region-specific cables

Mobile & Workspace

Laptop stands, carry sleeves, travel routers

Security

YubiKeys, privacy screens, cable locks

/ Facility — Research Triangle Park, NC

A facility built for the hardware your business runs on.

Healthcare and manufacturing don't have time for missing assets, slow imaging queues, or compliance gaps. Our RTP operations center is engineered to remove all three.

  • 17,000 sq ft of secured, access-logged floor space
  • HIPAA-aligned and NIST 800-171 compliant handling, storage, and disposal
  • Serialized inventory with real-time asset tracking
  • On-site NIST 800-88 sanitization and certified shred
  • Climate-controlled staging for HMIs and clinical hardware

/ Integrations

Your HRIS is the remote control.

Our AI-driven middleware plugs directly into the major HRIS platforms. When you hire, transfer, or terminate inside your system of record, the physical workflow at our facility kicks off automatically — no tickets, no spreadsheets.

  • Real-time HRIS status sync, bidirectional
  • AI-routed shipping with carrier optimization
  • Audit-ready dashboards for every asset event

Workday · Rippling · BambooHR · SAP SuccessFactors · ADP · UKG · Greenhouse · Paylocity

/ Delivery Platforms

Built on the platforms your IT team already trusts.

Transparency by default. Every Surya engagement runs on enterprise-standard tooling — no black boxes, no proprietary agents.

ITSM & Workflow

ServiceNow

Tickets, asset records, and approvals flow end-to-end inside your ServiceNow instance — every device event auditable in your system of record.

MDM & Policy

Microsoft 365 Intune

Persona-driven configuration, app deployment, and CIS/NIST hardening baselines pushed at enrollment and enforced for the life of the device.

Zero-Touch Provisioning

Windows Autopilot

Devices register to your tenant before they leave RTP. The end user opens the box, signs in, and lands on a fully managed, policy-aligned desktop.

Imaging & Application Delivery

SmartDeploy

Layered gold images and on-demand application packages keep clinical, engineering, and field personas consistent — without hand-built reference machines.

Third-Party Patching

PatchMyPC

Continuous third-party application updates published into Intune and ConfigMgr, closing the patch gap through which most ransomware arrives.

Compliance & Posture

HIPAA Aligned · NIST 800-171 · NIST 800-88 Sanitization · RTP, NC Local

/ Onsite Visit

Come to RTP. Tour the floor. Design your deployment.

Every onsite visit pairs a hands-on facilities tour with a working session in our customer briefing center — built so your team leaves with a concrete plan, not a sales deck.

Track / 01

Facilities Tour

Walk the 17,000 sq ft RTP floor — provisioning bays, secure storage, kitting lines, and the HIPAA-aligned, NIST 800-171 zone. See the chain of custody in motion.

  • Provisioning and imaging bays
  • Climate-controlled secure storage
  • Onboarding and offboarding kit lines
  • ITAD and NIST 800-88 sanitization zone

Track / 02

Design Your Deployment

A working session in our customer briefing center. We map your user mix, surface the provisioning challenges that actually slow you down, and translate your automation goals into a concrete Surya runbook.

  • User personas and role-based image strategy
  • Specific provisioning and logistics challenges
  • HRIS, Intune, Autopilot, and ServiceNow automation goals
  • A draft runbook you take home the same day

/ Contact

Tour the facility. Get a quote.

Tell us about your fleet — number of devices, vertical, and HRIS — and our RTP team will be in touch within one business day.

Facility

Surya IT Logistics
Research Triangle Park, NC 27703

Verticals

Healthcare · Manufacturing