Productized IT Logistics

Crush your MSP bill. Half the cost. Published pricing.

Surya is a productized IT logistics service for healthcare and manufacturing operators. Five tiers, two pricing models, published scope. Foundation tier from $2,500/month, month-to-month. No procurement cycle required to start.

For healthcare and manufacturing operators · Mid-market focused · Productized delivery

/ Quick Estimate

Get a number in 10 seconds.

Pick the closest fleet size. We'll show you a starting monthly.

Standard tier

~$6,500/mo

Platform access · ~$85/in · $110/out per unit (100–499 band)

/ The Service Catalog

Five tiers. Two pricing models. Pick where you start.

Surya is a productized IT logistics service. Every tier has a published scope, a published price, and an inclusion list. The Pilot is the 30-day proof of value. Foundation through Sovereign are recurring relationships. You can book the Pilot today; recurring tiers begin with a scoping call.

Tier

Pilot

$2,500 one-time

30 days · 30 devices

One custom gold image, one HRIS connector, full operations report. Credit applied if you convert within 60 days.

Tier

Foundation

$2,500/mo

Up to 100 employees · Month-to-month

Self-service IT logistics. Multiple HRIS support, US/Canada shipping, monthly automated reporting.

Tier

Standard

$6,500/mo

Up to 500 employees

Pooled CSM, advanced HRIS sync, quarterly review, audit-ready logging.

Tier

Most Common

Growth

$12,000/mo

Up to 2,500 employees

Dedicated CSM, HIPAA/NIST audit support, OT change-window scheduling, advanced HRIS integration.

Tier

Enterprise

Starting at $22,000/mo

2,500+ employees or regulated multi-site

Dedicated program manager, named engineering hours, SOC 2 evidence package, ServiceNow integration.

Tier

Sovereign

Starting at $40,000/mo

OT-critical or 3+ regulated sites

Dedicated provisioning bay, named technicians, validated build maintenance, FDA-aware patch ring management.

Every tier includes: HIPAA-aligned facility · NIST 800-171 handling · NIST 800-88 sanitization · Same-day shipping cutoff 2pm ET · US/Canada coverage

/ Network Edge

Network edge logistics is scoped separately.

Firewalls, switches, wireless access points, and SD-WAN appliances at multi-site operators run on different unit economics than endpoint logistics. The tier pricing above covers endpoint and end-user logistics — laptops, desktops, plant-floor computers, branded kits, accessories. Network edge is a separate engagement scoped from the gap analysis: site templates, per-site lifecycle, and appliance staging priced to your specific footprint, vendor stack, and OT requirements.

/ Start small

Run a 30-day pilot for $2,500.

30 devices. One gold image. One HRIS connector. Full ops report at day 60. Pilot credit applied if you sign a contract within 60 days.

/ How it works

Three things happen, in order.

The shortest possible explanation of what Surya does, written for the executive who's never configured a firewall and the IT manager who oversees offshore delivery teams. The technical depth lives on the engineering and pricing pages — start here for the picture.

Audit

/ 01

We tell you what you're paying for and not using.

We start with a three-week audit of your current environment — every Microsoft license, every managed services contract, every network appliance, every place your IT budget is going. The output is a written report your CFO can audit and your CIO can sign off on: what you own, what you're using, what you're paying for twice, and where the cost reduction actually lives. Most enterprises discover they're paying for security and management capabilities they could turn on tomorrow.

Engineer

/ 02

We make what you already own actually deliver.

Most enterprises pay Microsoft for security and management software they barely use. We turn it on. We configure it so your help desk has less to fix, your new hires get a working laptop on day one, your departing employees can't take data with them, and your audit evidence is ready before the auditor asks. The Microsoft licenses you already pay for start doing the work you bought them to do.

Operate

/ 03

We run the daily work from one place.

Every laptop, desktop, plant-floor computer, and branch-office firewall flows through one 17,000-square-foot facility in Research Triangle Park, North Carolina. We provision the device, ship it to the employee or site, monitor it for the life of the deployment, recover it when someone leaves or hardware refreshes, and certify the disposal. One operator instead of three vendors. One bill instead of a procurement headache. One phone number when something goes wrong.

That's the whole offering, in three steps. The technical depth — Microsoft 365, Zscaler, Zero Trust architecture, OT segmentation, network edge templating — is how we deliver it. Start with the engineering tracks or the savings model if you want the next layer of detail.

/ Cost Replacement

The MSP line items we eliminate.

A traditional MSP charges for volume. Surya engineers the volume out of existence. Here is how the line items map.

Traditional MSP Line Item | Surya Replaces It With
Help desk tickets for endpoint issues | Persona-correct gold images, hardened at provisioning
Onboarding setup and Day-1 IT support | HRIS-triggered Day-1 readiness, zero-touch enrollment
Patch incident response and rollback | Conservative WSUS / Intune patch rings, vendor-validated
Offboarding cleanup and access revocation | Automated recovery kits, 90% retrieval target, Conditional Access cutover
Lost device chase and asset reconciliation | Serialized chain-of-custody, real-time inventory in ServiceNow
Hardware refresh project management | Cohort-based refresh, swap-in-place, prepaid return logistics
Compliance evidence collection (HIPAA, NIST) | Audit-ready logging by default, evidence on demand
Imaging and re-imaging labor | Centralized RTP imaging, NIST 800-88 sanitization on-site
Standing admin rights and privilege sprawl | Intune Endpoint Privilege Management — just-in-time elevation
Legacy VPN and flat network access | Identity-driven Zero Trust access — Entra Private Access (EPA), Zscaler ZPA, or both
Network appliance configuration and change management | Templated site builds, pre-configured at the facility, drift remediation under continuous lifecycle
Multi-site WAN management as a separate vendor relationship | One operator, one persona model, one lifecycle across endpoint and edge

Typical engagement eliminates 40–60% of endpoint-related MSP spend in the first 12 months. Your number depends on your fleet, your industry, and how broken your current model is.

/ Scenarios

Built for the moments that break IT.

From PE roll-ups to quarterly refreshes, our playbooks turn high-stakes hardware events into routine operations.

Scenario / 01

Healthcare

When a software update breaks the machine a patient is waiting on.

Your clinicians' laptops run the imaging consoles, the patient records, and the infusion tools. When an automatic update breaks one of them overnight, care stops until someone fixes it. We make sure that update never ships before it's safe.

  • Vendor-validated builds for GE/Philips/Siemens Healthineers imaging consoles
  • Locked Java, .NET, and browser stacks for Epic, Cerner, and Meditech Hyperspace
  • Conservative patch rings tied to FDA-cleared device compatibility statements
  • HIPAA-hardened: BitLocker, screen-lock, audit logging, and biomed asset tagging

Scenario / 02

Manufacturing

A laptop update at 2am shouldn't be able to stop your production line.

The laptops your plant engineers use to run the floor are one bad update away from a line stoppage that costs you real money per hour. We keep those machines off the update cycles that break them.

  • Custom OT gold images: TIA Portal, Step 7, Fanuc Ladder/Roboguide, RSLogix
  • Conservative WSUS / Intune rings validated against vendor support matrices
  • Pinned NIC, USB, and serial drivers for PLC and CNC programming cables
  • Purdue-aware network profiles, app allow-listing, and removable-media controls

Scenario / 03

M&A Integration

You closed the deal. Now 2,000 people need working laptops on Monday.

When private equity buys a company, the integration clock starts immediately — and nothing signals chaos faster than new employees who can't log in on day one. We stage and ship thousands of ready-to-work devices in days, not quarters.

  • Custom image creation per acquired entity
  • Mass deployment across distributed workforces
  • Domain migration and identity cutover support
  • Asset reconciliation against target-co inventory

Scenario / 04

Equipment Refresh

Replacing every laptop in the company without burning out your IT team.

Fleet refreshes turn into months of disruption when your internal team has to do them between everything else. We plan it in waves, swap devices in place, and take the old fleet back for secure disposal — without your team touching a box.

  • Cohort-based refresh planning by role and region
  • Swap-in-place with prepaid return logistics
  • ITAD: NIST 800-88 wipe, resale, or shred
  • Sustainability and recovery-value reporting

Scenario / 05

Onboarding & Offboarding

The new hire's laptop is on their desk before they are.

When someone joins, a configured laptop should be waiting — not stuck in an IT queue while they watch orientation videos on their phone. When someone leaves, the laptop should come back automatically, not disappear into a closet. We handle both, triggered by your HR system.

  • Day-1 device delivery triggered by HRIS event
  • Persona-driven software and access provisioning
  • Automated offboarding kits with prepaid return
  • Up to 90% remote-worker asset recovery target

Scenario / 06

Autopilot & Intune Automation

New hires set up their own laptop. No IT visit. No ticket.

A new employee opens the box at home, signs in, and the laptop configures itself with everything their role needs — fully secured, no IT person required. We build the automation that makes that happen.

  • Windows Autopilot enrollment and registration
  • Intune persona profiles and app deployment
  • CIS / NIST security hardening baselines
  • Zero-trust conditional access alignment

Scenario / 07

RTP Startups & Scaleups

You're hiring faster than you can hand out laptops.

Growing companies in the Triangle outgrow their ability to handle IT logistics long before they have an IT department to do it. We're your outsourced logistics arm — local, month-to-month, scaling with every funding round.

  • Local to RTP — same-day pickup, drop-off, and bench swaps
  • Month-to-month with no enterprise minimums
  • MDM and SSO setup (Google, Okta, Jamf, Intune) from Day 1
  • Investor-ready asset inventory and SOC 2 evidence

Scenario / 08

Cobot Provisioning

The robot arrives on the floor already safety-certified and ready to run.

When a collaborative robot ships to your plant unconfigured, your team loses days getting it safe and production-ready — with a safety assessor waiting. We configure and certify it before it ever reaches the cell.

  • Validated builds for UR, FANUC CRX, ABB GoFa, Doosan, and Techman cobots
  • Pinned URCaps, Robotiq, OnRobot, and Cognex vision driver versions
  • Firmware and safety-config locked to ISO 10218 / TS 15066 assessment
  • Commissioning packet: checksums, network plan, and rollback image

Scenario / 09

Network Edge — Multi-site

Forty locations. Forty different network messes. One fix.

When you run dozens or hundreds of sites, every one has slightly different network gear that drifts, breaks, and nobody remembers how it was set up. We build every site to one template, ship it ready to plug in, and keep it current for life.

  • Per-site-type templates: clinic, plant, warehouse, corporate, OT-segregated
  • Pre-staged appliances with certificates, base config, and management plane registration
  • Guided plug-in runbooks for non-IT site contacts
  • Continuous lifecycle: firmware leveling, configuration drift remediation, certificate renewal
  • Cohort-based refresh and decommission with chain-of-custody

Scenario / 10

Network Edge — IT/OT Boundary

Keep the factory floor and the office network apart — without slowing either down.

In a plant, the gear connecting your office network to your production systems is where security and uptime both live or die. We configure that boundary correctly, prove it works, and don't turn it on until your team signs off.

  • Purdue-aware segmentation templates for level 2 / 3 / 3.5 boundaries
  • Pinned firmware and feature-set validated against OT vendor compatibility
  • Documented commissioning packet for OT security sign-off
  • Industrial protocol allow-listing, removable-media controls at the edge
  • Coordinated bring-up with corporate IT, plant IT, and OT security

/ Doctrine

Most breaches and most help-desk tickets start in the same place.

The endpoint. Get hygiene right at the device, and the rest of your security and support spend gets cheaper at the same time. Four principles we don't bend on.

Tenet / 01

The endpoint is the perimeter.

Every breach starts where a human touches a keyboard — and every MSP ticket starts there too. Treat the endpoint as the front line of both security and cost, and the rest of the stack gets cheaper and safer at the same time.

Tenet / 02

Hygiene over heroics.

Patched firmware, hardened images, sanitized media, and recovered assets prevent more incidents than any SOC playbook ever will — and prevent more tickets than any help desk ever will. The cheapest support call is the one that never happens.

Tenet / 03

If you can't track it, you can't trust it.

Serialized chain-of-custody from the dock to the desk to the destruction certificate. No ghost devices. No silent risk. No unbilled MSP hours chasing assets that should have been logged at provisioning.

Tenet / 04

One persona model, everywhere.

A clinician, a plant operator, a corporate professional, and a contractor each need a different access posture, a different device baseline, and a different network segment. We define those personas once — at the identity layer — and enforce them consistently across the endpoint and the network edge. Two operating layers, one architectural truth. No translation between systems, no drift between vendors.

/ Trust & Proof

Trusted by mission-critical operations.

How leading organizations use Surya to automate joiner-mover-leaver, end-user logistics, and Zero Trust endpoint security at scale.

Enterprise laptop being scanned during provisioning at the Surya IT Logistics facility

/ Facility — Research Triangle Park, NC

A facility built for the hardware your business runs on.

Healthcare and manufacturing don't have time for missing assets, slow imaging queues, or compliance gaps. Our RTP operations center is engineered to remove all three.

  • 17,000 sq ft of secured, access-logged floor space
  • HIPAA-aligned and NIST 800-171 compliant handling, storage, and disposal
  • Serialized inventory with real-time asset tracking
  • On-site NIST 800-88 sanitization and certified shred
  • Climate-controlled staging for HMIs and clinical hardware

/ Integrations

Your HR system decides. Laptops follow.

When you hire or fire someone in your HR system, the right thing should just happen — a laptop ships, or a laptop comes back. No tickets, no spreadsheets, no one remembering to do it. We connect to the HR system you already use and make the physical work automatic.

  • Real-time HRIS status sync, bidirectional
  • AI-routed shipping with carrier optimization
  • Audit-ready dashboards for every asset event

Workday · Rippling · BambooHR · SAP SuccessFactors · ADP · UKG · Greenhouse · Paylocity

/ Delivery Platforms

No black boxes. No proprietary agents to learn.

We run on the same tools your IT team already trusts — so everything we do is visible inside the platforms you already own.

ITSM & Workflow

ServiceNow

Tickets, asset records, and approvals flow end-to-end inside your ServiceNow instance — every device event auditable in your system of record.

MDM & Policy

Microsoft 365 Intune

Persona-driven configuration, app deployment, and CIS/NIST hardening baselines pushed at enrollment and enforced for the life of the device.

Zero-Touch Provisioning

Windows Autopilot

Devices register to your tenant before they leave RTP. The end user opens the box, signs in, and lands on a fully managed, policy-aligned desktop.

Imaging & Application Delivery

SmartDeploy

Layered gold images and on-demand application packages keep clinical, engineering, and field personas consistent — without hand-built reference machines.

Third-Party Patching

PatchMyPC

Continuous third-party application updates published into Intune and ConfigMgr, closing the patch gap that ships most ransomware.

Compliance & Posture

HIPAA Aligned · NIST 800-171 · NIST 800-88 Sanitization · RTP, NC Local

/ Onsite Visit

Come to RTP. Tour the floor. Design your deployment.

Every onsite visit pairs a hands-on facilities tour with a working session in our customer briefing center — built so your team leaves with a concrete plan, not a sales deck.

Track / 01

Facilities Tour

Walk the 17,000 sq ft RTP floor — provisioning bays, secure storage, kitting lines, and the HIPAA-aligned, NIST 800-171 zone. See the chain of custody in motion.

  • Provisioning and imaging bays
  • Climate-controlled secure storage
  • Onboarding and offboarding kit lines
  • ITAD and NIST 800-88 sanitization zone

Track / 02

Design Your Deployment

A working session in our customer briefing center. We map your user mix, surface the provisioning challenges that actually slow you down, and translate your automation goals into a concrete Surya runbook.

  • User personas and role-based image strategy
  • Specific provisioning and logistics challenges
  • HRIS, Intune, Autopilot, and ServiceNow automation goals
  • A draft runbook you take home the same day

/ Contact

Tour the facility. Get a quote.

Tell us about your fleet — number of devices, vertical, and HRIS — and our RTP team will be in touch within one business day.

Facility

Surya IT Logistics
Research Triangle Park, NC 27703

Verticals

Healthcare · Manufacturing