π¨
2 Immediate Actions Required β ATLAS owns both
Google Workspace: LUCA is reselling through its own account (ToS violation, zero margin). Fix: PAX8 Google reseller enrollment β 30 days.
Microsoft: CSP enrollment required β PAX8 indirect reseller path β 30β60 days. Details in Vendor Actions tab.
P1 Response SLA
15 min
All service tiers
Target Uptime
99.5%
Client-reported
Patch Compliance
β₯95%
All managed endpoints
Backup Success
100%
Zero missed > 24hrs
Open P1/P2 Cap
0
Max open > 4 hours
FCR Target
β₯75%
First contact resolution
CSAT Target
β₯4.5
Out of 5.0
Monthly Report
5th
Delivered by 5th of month
π’ Department Overview
| Division | Division 1 β Technology & Software Engineering |
| Operations Lead | NEXUS |
| Security Lead | SENTINEL |
| Procurement Lead | ATLAS |
| Support Intake | RELAY |
| Managing Director | Samuel Mfinanga (Tier 4 escalation) |
| RMM Platform | Kaseya VSA X |
| PSA/Ticketing | Kaseya BMS |
| Security Stack | Datto AV Β· Datto EDR Β· Datto Backup |
| Distribution | PAX8 Cloud Marketplace |
| Markets Served | Lincoln NE Β· Denver/Aurora CO Β· Remote SMB |
π₯ Escalation Tiers
| Tier | Role | Scope |
|---|
| T1 | Helpdesk / RELAY | Passwords, email, basic workstation, app support |
| T2 | Systems / NEXUS | Servers, network, RMM alerts, patch, backup |
| T3 | Senior / SENTINEL | Security incidents, complex infrastructure, migrations |
| T4 | Samuel Mfinanga | Strategic, breach confirmed, outage > 4 hours, client escalation |
π LUCA MTS Mission Statement
"We don't fix problems β we prevent them. LUCA's Managed Technology Services team proactively monitors, patches, secures, and optimizes every system under our management.
Every alert is addressed before the client knows it existed. Every ticket is resolved faster than any internal IT team could. We engineer the friction out of our clients' technology β permanently."
π¨
NEXUS Directive β Ticket Backlog Elimination
Every open ticket gets a status update today. P1/P2 older than 4 hours: immediate action. P3/P4 older than 5 days: escalated to NEXUS. Zero tickets fall through. All work logged in BMS β no shadow tickets.
π Ticket Lifecycle β 8 Stages
Stage 1Intake
RELAY triage
β
Stage 2Acknowledge
Tech confirms
β
Stage 3Diagnose
VSA X remote
β
Stage 4Resolve
Fix or escalate
β
Stage 5Verify
Confirm fix
β
Stage 6Communicate
Client update
β
Stage 7Close
Bill/no-bill
β
Stage 8CSAT + KB
Survey + docs
π₯ Intake Channels
| Channel | How It Works | BMS Result | SLA Starts |
|---|
| π§ Client Email | helpdesk@lucatechnology.com β auto-creates BMS ticket | Auto-ticket with client as requestor | On email receipt |
| π BMS Portal | Client self-service portal submission | Client-selected priority + description | On submission |
| π Phone Call | Tech creates BMS ticket during call | Manual ticket β all details entered | On call start time |
| π₯οΈ VSA X Alert | Automated alert threshold β auto-ticket | Alert details, device, client pre-populated | On alert trigger |
| π‘οΈ Datto Alert | AV/EDR security event β P1/P2 auto-ticket | Security ticket β auto-priority by severity | On detection time |
π BMS Configuration Requirements (NEXUS Must Verify)
- All active clients have a BMS Contract with correct tier, seat count, and billing cycle
- SLA rules configured: P1/P2/P3/P4 response + resolution timers per tier
- helpdesk@lucatechnology.com auto-ticket intake active in BMS
- VSA X β BMS integration active: all alerts auto-create tickets
- Datto Backup failure β P2 BMS ticket auto-creation verified
- Escalation rules: P1 > 1 hr β NEXUS auto-alert; P1 > 2 hr β Samuel auto-alert
- BMS client portal enabled for all active clients β credentials sent at onboarding
- Password vault populated for all clients β no credentials in email or plain text
- Monthly report automation configured β ticket summary by client
π‘ VSA X Alert Response Matrix
| Alert Type | Priority | Auto-Ticket | NEXUS Action |
|---|
| Endpoint Offline | P2 | β | Remote reboot attempt β if fail: call client, check power/network |
| Disk Space Critical (>90%) | P2 | β | Identify large files; run cleanup; expand volume or archive |
| Service Stopped (Critical) | P2 | β | Auto-restart via VSA X; diagnose cause; alert client if > 5 min |
| Datto AV Threat Detected | P2 | β | β SENTINEL immediately; quarantine; full scan; document |
| Datto EDR Behavioral Alert | P1 | β | β SENTINEL: isolate endpoint; contain; analyze; report Samuel |
| Backup Failure | P2 | β | Check agent; rerun; if 2nd failure β P1; check storage capacity |
| CPU High Sustained (>95% / 15 min) | P3 | β | ID process; kill runaway; check for crypto mining / malware β SENTINEL |
| Disk Space Warning (>80%) | P3 | β | Advise client; plan cleanup; log trend |
| Network Scan β Unknown Device | P3 | β | Identify device; add to asset list or flag shadow IT β SENTINEL |
| Patch Deploy Failed | P3 | β | Check log; retry; if persistent β manual review |
| Reboot Pending >72 hrs | P4 | β | Schedule reboot with client; document in BMS |
| WatchGuard IPS Alert (when deployed) | P2 | β | β SENTINEL; review firewall log; block source IP if malicious |
π Daily Monitoring Checklist (NEXUS)
- VSA X: review overnight alerts β acknowledge all
- Datto AV: any active threats? β P1 SENTINEL
- Datto EDR: unresolved detections? Document all
- Datto Backup: all clients successful < 24 hours?
- BMS: P1/P2 tickets open > 2 hours? Act now
- Patch compliance: endpoints > 30 days unpatched?
- Disk space: any endpoints approaching 90%?
- Offline endpoints: any down > 30 min in biz hours?
- Log daily status in BMS Operations ticket
π§ Patch Management Schedule
| Patch Type | Window | Approval |
|---|
| Windows Critical/Security | Sundays 2:00 AM | Auto after 7 days |
| Windows Optional/Features | Scheduled with client | NEXUS manual |
| macOS Updates | Scheduled with client | NEXUS manual |
| 3rd Party (Chrome, Zoom) | Tuesdays 2:00 AM | Auto after 3 days |
| Server OS Updates | Maintenance window | Change ticket required |
| Zero-Day / Emergency | Within 4 hours | NEXUS + SENTINEL |
Essentials
$125 / user / month
βKaseya VSA X monitoring
βKaseya BMS ticketing
βDatto AV (all endpoints)
βDatto EDR (add-on)
βDatto Backup (local)
βWatchGuard (add-on)
βMonthly patching
βvCIO: none
P1: 15 min ack
P2: 1 hr ack
Business
$175 / user / month
βEverything in Essentials
βDatto EDR included
βDatto Backup (local + cloud 30-day)
βWatchGuard (add-on available)
βWeekly patching + emergency
βPriority SLAs
βQuarterly vCIO review
βEmergency after-hours
P1: 15 min ack
P2: 30 min ack
Enterprise
$225 / user / month
βEverything in Business
βWatchGuard included + monitored
βDatto Backup cloud 90-day + DR test
βSENTINEL Zero-Trust architecture
βMonthly vCIO review
β24/7 after-hours support
βHIPAA/compliance-ready
βDedicated tech queue
P1: 15 min ack
P2: 15 min ack
β±οΈ Full SLA Priority Matrix
| Priority | Definition | Essentials | Business | Enterprise |
|---|
| P1 Critical | Complete outage or breach | Ack 15 min / Res 4 hr | Ack 15 min / Res 2 hr | Ack 15 min / Res 1 hr |
| P2 High | Major degradation, multi-user | Ack 1 hr / Res 8 hr | Ack 30 min / Res 4 hr | Ack 15 min / Res 2 hr |
| P3 Medium | Single user, workaround available | Ack 4 hr / Next BD | Ack 2 hr / Same day | Ack 1 hr / Same day |
| P4 Low | Minor, no immediate impact | Ack 8 hr / 2 BD | Ack 4 hr / Next BD | Ack 2 hr / Same day |
| P5 Request | Project work, new user, procurement | Next sprint | Within 3 days | Within 24β48 hr |
π¨
ACTION REQUIRED β ATLAS owns both items below. Target completion: 30β60 days.
π§ Google Workspace β Partner Fix (30 days)
β Current State: LUCA is reselling Google Workspace seats through its own internal Google account β this violates Google's Terms of Service. Zero partner margin. No partner support. No customer management tools.
| Step | Action | Owner |
|---|
| 1 | Log into PAX8 portal β Add Product β Google Workspace | ATLAS |
| 2 | PAX8 submits LUCA for Google Cloud Partner reseller enrollment (15β30 days) | PAX8 |
| 3 | After enrollment: all NEW client subscriptions created in PAX8 | ATLAS |
| 4 | Migrate existing client subscriptions from LUCA's own account to PAX8 | ATLAS + NEXUS |
| 5 | LUCA purchases at ~20% below MSRP; bills clients at MSRP = ~25% margin | LEDGER reconcile |
| 6 | All Google admin/billing/support now through PAX8 Google Partner portal | ATLAS |
β Revenue impact: 20β25% gross margin on every Google Workspace seat sold
πͺ Microsoft 365 β CSP Enrollment Fix (30β60 days)
β Current State: Selling Microsoft licenses without CSP program enrollment creates billing, support, and compliance exposure. Microsoft issues likely stem from not being a registered CSP Indirect Reseller.
| Step | Action | Owner |
|---|
| 1 | Create / verify Microsoft Partner Center account: partner.microsoft.com | Samuel / ATLAS |
| 2 | Link LUCA's MPN ID to PAX8 in PAX8 portal (PAX8 = CSP Indirect Provider) | ATLAS |
| 3 | Complete Microsoft CSP Indirect Reseller agreement in Partner Center | Samuel signs |
| 4 | Migrate all existing client M365 subscriptions to PAX8 CSP (30β60 days) | ATLAS + NEXUS |
| 5 | All future M365 via BMS quote β PAX8 β client subscription | ATLAS |
| 6 | Ensure all subscriptions on NCE (New Commerce Experience) terms | ATLAS |
β Do NOT sell new Microsoft licenses through old method until CSP enrollment complete
π₯ WatchGuard Evaluation Plan β SENTINEL + ATLAS (Q2 2026)
| Action | Timeline | Owner | Outcome |
|---|
| Register for WatchGuard MSP program via PAX8 | April 2026 | ATLAS | MSP pricing + partner support access |
| Complete WatchGuard training (free via partner portal) | AprilβMay 2026 | SENTINEL + NEXUS | Certified team before first deployment |
| Pilot: Internal LUCA or 1 willing Business/Enterprise client | MayβJune 2026 | NEXUS + SENTINEL | Validated configuration + runbook |
| Add WatchGuard to Business tier (add-on) + Enterprise (included) | July 2026 | Samuel approves | New revenue line item in service catalog |
| Recommended models: Firebox M290 (25β100 seats) / M390 (100β250 seats) | Per client | ATLAS quotes | Via PAX8 hardware + software bundle |
π PAX8 β ATLAS Procurement Workflow
| Product Category | LUCA Workflow | Margin |
|---|
| Google Workspace | PAX8 purchase β bill at MSRP | ~25% |
| Microsoft 365 (CSP) | PAX8 CSP β bill per MS licensing | ~15β20% |
| Datto AV/EDR/Backup | PAX8 volume β bill per seat/device | ~20β30% |
| WatchGuard (future) | PAX8 MSP program β hardware + software | ~25β35% |
| Additional security tools | PAX8 marketplace β evaluate per client | Varies |
Ticket SLA Rate
100%
P1/P2 within SLA
Resolution Rate
β₯90%
All priorities within SLA
FCR Rate
β₯75%
First contact resolution
Patch Compliance
β₯95%
Endpoints current
Backup Rate
100%
Success < 24 hours
Client Uptime
β₯99.5%
Reported monthly
CSAT Score
β₯4.5
Out of 5.0 β weekly review
P1 Backlog Cap
0
Max open > 4 hours
π
Monthly Operations Cadence
| Frequency | Activity | Owner | Output |
|---|
| Daily | VSA X alert review + BMS P1/P2 queue | NEXUS | Alert log cleared; zero P1 open > 4 hrs |
| Weekly | Patch batch: approve + deploy pending patches | NEXUS | Patch compliance report in BMS |
| Weekly | Backup health check: all clients < 24 hrs | NEXUS | Backup status table in BMS |
| Weekly | EDR threat report review | SENTINEL | No active threats; incidents documented |
| Weekly | Ticket queue: open > 3 days require update | RELAY | All stale tickets actioned |
| Monthly | Client MTS report: uptime, tickets, patches, backup | NEXUS + RELAY | Client report sent by 5th of month |
| Monthly | CSAT review: any score < 4.0 β Samuel | RELAY | Low CSAT addressed within 48 hrs |
| Monthly | PAX8 invoice reconcile vs. BMS contracts | ATLAS + LEDGER | Billing accuracy confirmed |
| Quarterly | vCIO review: Business/Enterprise clients | Samuel + NEXUS | vCIO report + roadmap update |
| Quarterly | Security posture assessment per client | SENTINEL | Security scorecard delivered |
| Annually | Contract renewal review β all clients | ATLAS + Samuel | Renewal signed or offboarded |
| Annually | DR test β Enterprise tier clients | NEXUS + client | DR test documented in BMS |