White Star Software is a Canadian software company that develops and deploys ProTop, the #1 database and infrastructure monitoring tool for Progress OpenEdge environments, deployed at hundreds of sites globally. As ProTop moved deeper into regulated industries, enterprise customers began applying production-vendor security expectations: SOC 2 style questionnaires, security audits, and ongoing evidence requirements. White Star Software needed the operational security backbone to answer those questions credibly, without hiring a security team or spending a year on SOC 2 certification.
The engagement started in December 2025 across all three Cloud Sentry tiers: L1 Standard Managed Operations, L2 Projects (AWS governance, security hardening), and L3 Fractional Leadership (embedded CISO).
At a glance
- Customer: White Star Software (WSS), the team behind ProTop, the #1 database and infrastructure monitoring tool for Progress OpenEdge environments.
- Industry: Software, with deep traction in regulated verticals (financial services, healthcare).
- Engagement start: December 2025.
- Cloud Sentry tiers: L1 Standard Managed Operations, L2 Projects (AWS governance + security hardening), L3 Fractional Leadership (embedded CISO).
- Outcome: SOC 2 aligned operating model and a repeatable enterprise security questionnaire response framework, in roughly four months.
- Estimated cost avoided: ~$140K per year in SOC 2 certification overhead and $250K–$350K loaded annually for a dedicated CISO hire.
The challenge
White Star Software has built a profitable software business and a beloved product over more than three decades. Their engineering team is deep on OpenEdge. Their customer relationships are the kind you read about in business school case studies: multi-decade, multi-generational, personal.
As ProTop moved deeper into regulated verticals, enterprise buyers changed what they expected from software vendors attached to their database. A large financial services enterprise customer sent a 200-question security audit. It took eight months, hundreds of documents, multiple meetings, and significant cost to close it. An enterprise healthcare prospect sent a 24-question initial questionnaire, then followed up with 24 more. The pattern was clear. Every enterprise prospect was going to treat ProTop not as a trusted software partner, but as a production vendor attached to their database, and measure it against SOC 2 equivalent controls.
The team faced three options:
- Hire a CISO and internal security team. Roughly $250K to $350K loaded for the CISO alone, plus tooling. Hard to justify given White Star Software's size and business model.
- Go for full SOC 2 certification. Roughly $140K per year between tooling, audit, and program management. Still would not stop the questionnaires.
- Find an operator who could run the security layer with the same discipline as SOC 2, without the compliance overhead the company did not actually need.
White Star Software chose option 3.
Why Cloud Sentry
Early in the engagement, Jonathan Csakany, COO of White Star Software, framed the thesis simply: WSS was past the point where ad hoc security was defensible for their new enterprise customer base, but nowhere near the point where dedicating an internal security team was economically sensible. They needed a partner who could operate the security layer, not just monitor it, not just recommend it, while they focused on the product roadmap and customer experience they had built over three decades.
Cloud Sentry fit the model because of four things Jonathan and Jeffrey Brown, CTO of White Star Software, called out in the early conversations:
1. One partner covers the full operational stack.
AWS governance, identity management, SaaS administration, security monitoring, SOC 2 aligned process, all under one team. Not four vendors to coordinate.
2. Operator, not consultant.
The Cloud Sentry engagement model does not end with a recommendation deck. Cloud Sentry hardens identity controls, enables GuardDuty, cleans up stale IAM users, and runs the quarterly access reviews. The recommendations are the side effect of actually doing the work.
3. SOC 2 aligned by default, not by certification.
Every Cloud Sentry process follows SOC 2 standards, so White Star Software gets the audit-ready posture without the audit overhead. When enterprise customers send questionnaires, WSS can answer “yes, we follow this policy” because Cloud Sentry is actually following the policy on their behalf.
4. Plays well with existing partners.
WSS already had a trusted infrastructure partner in Muscatek. Cloud Sentry slotted in alongside that relationship without friction or turf, coordinating directly on the AWS ownership migration and ongoing operational handoffs. The WSS team has called this out unprompted as a differentiator they would highlight to other prospects.
What we did
Phase 1: Foundation (December 2025 to January 2026)
- AWS account ownership migration. Cloud Sentry coordinated with WSS's infrastructure partner Muscatek to migrate WSS's AWS environment into a new WSS-owned AWS Organization, with all Savings Plans preserved in the process. WSS now has direct control of its AWS environment, and the Cloud Sentry / Muscatek collaboration set the working pattern for the rest of the engagement.
- IAM cleanup. Identified and revoked access for multiple stale local IAM users, including former vendors.
- GuardDuty deployment across five regions. Every account region active in the WSS environment now has continuous threat detection and real-time monitoring coverage backed by Cloud Sentry 24x7 monitoring.
Phase 2: Process and policy development (January 2026 onwards)
With the foundation in place, Cloud Sentry turned to the process and policy layer that converts a secure environment into a defensible, repeatable operating model. Every process is built to SOC 2 aligned standards, so WSS can answer enterprise questionnaires truthfully and produce evidence on request.
- Policy authoring. Drafting and maintaining acceptable use, vendor risk assessment, new access request, access review, and incident response policies. Written for how WSS actually operates rather than copied from templates, and mapped to SOC 2 aligned controls.
- Security questionnaire response framework. Instead of each customer questionnaire becoming an eight-month project, Cloud Sentry built a repeatable response process backed by policy documentation and evidence artifacts. Proven on a financial services enterprise customer (where the prior cycle consumed eight months) and currently supporting a healthcare enterprise prospect through follow-up rounds.
- Vendor risk assessment process. Standardized intake and review so every new SaaS vendor is evaluated against the same controls before it touches production.
- New access request process. Every new access grant across AWS, Google Workspace, and core SaaS flows through a standardized intake, review, approval, and provisioning workflow. Requests, approvers, and grant details are captured as audit-ready evidence.
- Incident response playbook. Documented escalation paths, communication templates, and post-incident review cadence so WSS is not improvising under pressure.
Phase 3: Fully supported ongoing operations
With the foundation built and the process and policy layer in place, Cloud Sentry runs the day-to-day security and identity operations as a fully supported service. The operating cadence is designed for steady-state delivery, not firefighting.
- Quarterly access reviews. Every user, role, and privileged permission across AWS, Google Workspace, and core SaaS is reviewed on a quarterly cadence, with results logged as audit-ready evidence.
- Identity and access management. Ongoing administration of AWS IAM roles, Google Workspace identity, privileged access, federation, and MFA posture. New hires, departures, and role changes are handled end-to-end by Cloud Sentry.
- 24x7 security monitoring. GuardDuty findings across all five active regions are triaged by Cloud Sentry against documented runbooks. High severity events are escalated immediately.
- SaaS and workspace governance. Google Workspace and Cloudflare administered to consistent security standards. Configuration drift is caught before it becomes an audit finding.
- CISO-level executive reporting. Regular updates to the WSS executive team on hardening progress, questionnaire status, open risk, and upcoming work.
In their own words
Cloud Sentry didn’t feel like a vendor from day one. They felt like a part of our company. Everyone wants them in the room. They bring ideas that don’t just solve the problem in front of you, they prevent the next three problems from ever happening. — Jonathan Csakany, COO, White Star Software
I was jumping up and down seeing all the changes and the collaboration. It was really nice to see that. — Jonathan Csakany, COO, White Star Software, on the AWS ownership migration
I really do feel better having you behind us. — Jonathan Csakany, COO, White Star Software
What did we do before Cloud Sentry? — Jeffrey Brown, CTO, White Star Software
Results so far (first 4 months)
- AWS account ownership migrated to a new WSS-owned AWS Organization, with zero disruption to production and Savings Plans intact.
- Multiple stale IAM users decommissioned, plus former external vendor access revoked. Hardening phase 2 in progress.
- GuardDuty enabled across five regions with 24x7 Cloud Sentry triage.
- Two enterprise security questionnaires processed on a repeatable operator-led model (financial services customer and healthcare prospect), compared to the prior eight-month pattern.
- Seamless co-delivery with WSS's infrastructure partner Muscatek, including a clean AWS ownership migration with no friction between teams.
- Estimated avoided cost: roughly $140K per year in SOC 2 certification overhead, plus the $250K to $350K loaded annual cost of a dedicated CISO hire.
What's next
- Continue active risk management. Ongoing hardening, monitoring, and access hygiene across the WSS AWS environment so risk stays contained as the business scales.
- Scale the repeatable enterprise security response model. Turn each new questionnaire into a faster, lower-effort cycle that supports WSS's enterprise sales motion rather than stalling it.
- Mature the governance and policy framework. Build out the policy set, change management, and audit-ready documentation that keep WSS aligned with SOC 2 standards without pursuing certification.
Frequently asked questions
What is operated TechOps and SecOps?
It means Cloud Sentry runs the technology and security layer of the business, not just monitors or recommends. The work includes AWS governance, identity management, SaaS administration, 24x7 security monitoring, policy authoring, evidence collection, and fractional CISO leadership — all under one operating model.
Why did White Star Software not pursue SOC 2 certification?
Their enterprise customers needed the operational posture and evidence that SOC 2 represents, not the certificate itself. Cloud Sentry runs every process to SOC 2 aligned standards, so White Star Software can answer questionnaires truthfully and produce evidence on demand without paying ~$140K per year for tooling, audit, and program management.
How fast did the engagement deliver results?
AWS account ownership migration and GuardDuty across five regions landed inside the first phase. The first repeatable enterprise security questionnaire cycle was running in under four months, replacing a prior eight-month one-off effort.
How does Cloud Sentry's operated model compare to hiring a CISO?
A CISO hire runs roughly $250K to $350K loaded annually before tooling and team. Cloud Sentry covers fractional security leadership plus the operating team that actually does the work, at a fraction of the loaded cost of one in-house executive — and brings AWS governance, identity, monitoring, and SaaS administration with it.
Does Cloud Sentry replace existing infrastructure partners?
No. White Star Software kept their existing infrastructure partner Muscatek, and Cloud Sentry coordinated the AWS ownership migration alongside that relationship. Cloud Sentry slots in next to the partners you already trust.
Cloud Sentry runs the operated TechOps and SecOps layer for software companies selling into regulated verticals. If your enterprise customers are starting to ask the same questions White Star Software's were, the answer is not always a CISO hire or a SOC 2 program. Sometimes it is an operator.

