Fixed-fee or T&M, how do we decide?

Fixed-fee for work where the scope is well-understood and the risk profile is bounded -- network designs from a documented current state, firewall deployments against a defined ruleset, scoped assessments. T&M for work where the discovery is part of the engagement and locking the scope before the discovery is finished would force one side to absorb the wrong risk. We will recommend the right model in the SOW; you make the final call.

What is the typical lead time to start?

Two to three weeks for most engagements, longer for work that requires hardware procurement on long lead times. The first week is contracts and scheduling; the second is kickoff and discovery prep. For urgent work we can usually compress this, but compressed lead times forfeit a portion of the discovery quality, which we will flag explicitly in the SOW.

Do you subcontract the work or do you keep it in-house?

In-house. The same principal engineer who scopes the work delivers it. We do not body-shop your engagement to a downstream consultancy. For staff augmentation through our sister entity Kennedy Consulting we share the tiered rate card and consultant tiers transparently up front; you will know exactly who is on the engagement.

What happens if the scope grows mid-engagement?

A change request, in writing, with a delta to the SOW that both sides sign. We do not run "while you are in there" work as silent T&M overages on top of a fixed-fee project. If something material surfaces during discovery (and on real engagements it usually does), we pause, document, and re-scope with you before continuing. The 15% risk buffer we carry in fixed-fee projects is for execution risk, not for absorbing un-scoped work.

Professional services

Professional services is where most of our client relationships actually start. A managed services prospect rarely signs an MSA on the first call. A scoped project, with a clear deliverable and a finite duration, is the lower-risk way for both sides to find out whether we work together well. Our project practice is built around that economic reality: scope it tightly, deliver it cleanly, leave the client with documentation thorough enough that they could operate the result without us if they chose to. Most do not choose to, which is how the recurring practice grows.

What you get from professional services at 4th Octet is the same principal engineer in the room from scope through delivery. There is no inside-sales hand-off, no junior-staff transition midway through, no “your account manager” who is not technical. The person who quotes the work does the work.

What we deliver

The professional services practice covers infrastructure, security, and platform work that has a defined start and a defined end:

Network design and deployment: data center fabric design (spine-leaf VXLAN/EVPN, SONiC where appropriate), campus refresh, multi-site WAN architecture, SD-WAN migration, wireless design and survey, hardware sizing and procurement coordination.
Firewall and security platform deployments: Palo Alto NGFW, Fortinet FortiGate, Cisco Firepower, Sophos. Rule design from policy, migration from legacy platforms, panorama or central-management buildouts.
Identity and access projects: Entra ID Conditional Access design, Tailscale or Headscale deployment, Cloudflare Access integration, application-layer enforcement, identity federation between cloud and on-premises directories.
Observability platform builds: standalone Grafana, Mimir, Loki, Alloy stacks for clients who want the platform without the full managed services wrapper. Multi-tenant where appropriate, single-tenant where simpler suits.
Cloud migrations and landing zones: Azure landing zone design and buildout, AWS Well-Architected reviews, hybrid connectivity (ExpressRoute, Direct Connect, site-to-site VPN), workload migrations with the discovery and risk-modeling steps actually done.
Security implementations and assessments: Wazuh and Sentinel deployments, SIEM migrations, vulnerability assessment programs, posture assessments mapped to NIST 800-53, HIPAA, PCI-DSS, or SOC 2.
Custom automation and integration work: n8n workflow design, ITSM integrations, HaloPSA or other PSA implementations, secret-management migrations, deployment pipeline builds.

How we engage

Three engagement models, picked based on the shape of the work:

Fixed-fee SOW with milestone billing. The default for scoped projects where the deliverable is concrete and the discovery has already happened or is bundled into a small first phase. SOW lists phases, milestones, deliverables, and payment schedule. We carry a 15% risk buffer inside the fixed price to absorb the kind of execution risk we have priced in; we do not pass that buffer through as a hidden line item, and we do not bill it back out unused. The fixed price is the fixed price.

Time and materials against a tiered rate card. For advisory-flavored work, complex discovery, or projects where locking the scope up front would force one side to absorb the wrong risk. T&M engagements run with an NTE (not-to-exceed) ceiling and weekly burn-rate reporting so there are no end-of-month surprises.

Prepaid credit packs. Volume-discounted blocks of hours drawn down over time. The right vehicle for clients who want to keep us on speed-dial for unscheduled engineering work without negotiating a new SOW every time. Pack sizes are 10 / 25 / 40 / 50 hours, each with its own effective hourly rate.

Pricing model

The professional services practice operates against a defined tier structure: Technical (T1), Senior (T2), and Principal (T3) consultant rates, plus the credit-pack volume tiers above. We do not yet publish the specific hourly numbers on this site; that publication is on the near-term roadmap. For now, ask via contact and we will share the current rate card directly, including credit-pack effective rates and any volume terms for larger engagements.

For fixed-fee work the price is in the SOW, not on the rate card. The rate card is the input to scoping; the SOW is the output.

What we have delivered

Recent and in-flight project work includes data center network redesigns with SONiC-based VXLAN/EVPN fabrics on Dell S5232F-ON hardware, professional-services engagements for regional law and consulting firms, observability platform standups for organizations that wanted the stack without the managed wrapper, and several smaller scoped builds across the firewall, identity, and automation lanes.

Specific client references are available under MSA and on request; we do not publish client names without explicit on-record permission, because the level of access we hold during these engagements means client trust is the asset that compounds across the practice.

Where this fits

Professional services is the entry point for most client relationships. The recurring practices (managed network, detection and response, observability and platform, security and architecture advisory) frequently start from a PS engagement that surfaced “we should have someone running this for us” as the conclusion. Either path is fine. Standalone PS engagements are a viable relationship shape; we do not require a managed services attach.

If you have a scoped piece of work, an assessment idea, or a migration on the calendar and you want to see a real proposal, send the environment to /quote/ or start a conversation for the version where we just talk first.

Frequently asked

Fixed-fee or T&M, how do we decide?: Fixed-fee for work where the scope is well-understood and the risk profile is bounded -- network designs from a documented current state, firewall deployments against a defined ruleset, scoped assessments. T&M for work where the discovery is part of the engagement and locking the scope before the discovery is finished would force one side to absorb the wrong risk. We will recommend the right model in the SOW; you make the final call.
What is the typical lead time to start?: Two to three weeks for most engagements, longer for work that requires hardware procurement on long lead times. The first week is contracts and scheduling; the second is kickoff and discovery prep. For urgent work we can usually compress this, but compressed lead times forfeit a portion of the discovery quality, which we will flag explicitly in the SOW.
Do you subcontract the work or do you keep it in-house?: In-house. The same principal engineer who scopes the work delivers it. We do not body-shop your engagement to a downstream consultancy. For staff augmentation through our sister entity Kennedy Consulting we share the tiered rate card and consultant tiers transparently up front; you will know exactly who is on the engagement.
What happens if the scope grows mid-engagement?: A change request, in writing, with a delta to the SOW that both sides sign. We do not run "while you are in there" work as silent T&M overages on top of a fixed-fee project. If something material surfaces during discovery (and on real engagements it usually does), we pause, document, and re-scope with you before continuing. The 15% risk buffer we carry in fixed-fee projects is for execution risk, not for absorbing un-scoped work.