What Happens After the Audit?

Your Compliance Memory. Built-In.

Two months ago, we said your clients aren't just asking "are we secure?" They're asking "can you prove it?" Last month, we showed you how Telivy and Tentacle are connecting: findings flowing into compliance assessments, evidence collection getting simpler, the distance between discovering a risk and documenting the fix getting shorter.

This month, we're shipping the surface that makes proof durable.

Here's the problem most compliance programs still have: you run an assessment, collect evidence, present it to an auditor or an insurance carrier, and then that evidence goes stale. It sits in a shared drive or a spreadsheet. Nobody maintains it between audit cycles. Three months later, an auditor asks "show me this control was satisfied on March 14th" and the scramble begins.

Tentacle's Evidence Locker changes that. It is going live now, partners will start rolling into it over the coming weeks, and it is one of the single most important capabilities we've shipped this year. Every Telivy scan now becomes a timestamped, source-attributed evidence snapshot with a full approval lifecycle. When a control drifts, the approval invalidates automatically. When you fix it and re-scan, the evidence trail picks back up. A 90-day compliance timeline shows the full story: when you were compliant, when you drifted, what you did about it, and who signed off.

Alongside it, Telivy shipped HIPAA Compliance Reports that map scan results directly to Security Rule safeguards, industry vertical tagging that auto-detects relevant frameworks, and unified remediation tasks that surface directly in Tentacle. The "Assess, Prioritize, Remediate, Prove" loop now has real infrastructure behind the Prove step rather than just a PDF export.

And looking ahead, the evidence system is now in place. The next frontier is a platform that doesn't just record that remediation happened, but actively participates in it. We're investing in agentic security operations where the platform identifies the fix, dispatches it, verifies it worked, and captures the proof in one closed loop. The repeatable remediations get handled autonomously. The judgment calls get escalated to you. More on that in the months ahead.

Here's what we shipped over the last month.

Product Updates

Tentacle: The Evidence Locker Is Live

If you're already running compliance programs with Tentacle, our governance, risk, and compliance (GRC) platform, or you've been thinking about adding compliance-as-a-service to your practice, this is the release that changes the conversation with your clients.

What We Just Delivered

Continuous Control Evidence (the "Evidence Locker"), now GA. This is the headline. Tentacle now includes a dedicated evidence management surface on every compliance control. What this gives you:

• Evidence Snapshots. Every control gets a snapshot list with source type, timestamp, approval status, and a downloadable payload. Telivy scan results flow in automatically and carry the Telivy logo so you (and your auditor) can see exactly where the evidence came from.
• Compliance Timeline. A visual 90-day heatmap shows when each control was compliant (green), non-compliant (red), drifting (orange), or unknown (gray). Switch between 30, 90, and 180-day views. This is the artifact that turns "we checked last quarter" into "we've been continuously monitored for six months."
• Evidence Approval Workflow. Draft, Reviewed, Approved, Expired. Approvals invalidate automatically when a control drifts. After remediation and re-scan, evidence re-enters the workflow. No stale sign-offs sitting around pretending compliance is current.
• Operator Notes. Timestamped narrative context attaches to the timeline. Remediation notes, incident explanations, QBR annotations. The story behind the data, attached to the moment it happened.
• Manual Evidence Upload. Upload PDF, DOCX, XLSX, images, CSV, ZIP, or a URL (for example, a link to your Intune portal), up to 25MB per upload. For controls that aren't automated yet, you can still build the evidence trail manually.
• Non-Compliant Controls Dashboard. A "Controls Requiring Attention" panel surfaces on your project workspace, sorted by severity, so you're not hunting for what needs fixing.
• Dedicated Evidence Page. A project-level view sits parallel to the existing Documentation page, with filtering by source type, status, date, and control. Multi-control linking and a right-panel detail drawer make review fast.

Why This Matters

Most GRC tools can tell you whether a control is met right now. Very few can tell you whether it was met last Tuesday, whether it drifted on March 14th, who fixed it, and what the evidence looked like at the moment an auditor asked. That's the gap the Evidence Locker closes.

The partner conversation shifts from "we ran a compliance assessment" to "we've maintained continuous compliance for 180 days, and here's the auditor-ready timeline with source-attributed evidence, approval history, and operator notes." That's a fundamentally different value proposition, and it's the kind of proof that drives retention, justifies premium pricing, and makes renewal conversations easy.

If compliance-as-a-service is a service line you're building or expanding, particularly for healthcare, financial services, or CMMC work, reach out to your partner manager to walk through how to wire the Evidence Locker into your existing client programs.

Telivy: HIPAA Reports, Vertical Intelligence, and Tighter Tentacle Integration

What We Just Delivered

• HIPAA Compliance Reports (GA). Point-in-time, auditor-ready reports map Telivy scan results to HIPAA Security Rule safeguards and show whether each control is documented and implemented. For healthcare clients, this is the deliverable that turns a scan into a compliance conversation. Pair it with the Evidence Locker in Tentacle and you have the full loop: scan, report, evidence, timeline.
• Industry Vertical Tagging (GA). Select from 20+ industry verticals (healthcare, finance, government, and more) at assessment creation. Telivy auto-detects relevant frameworks and tailors report content to match. The right compliance context, applied automatically.
• Unified Remediation via Tentacle: Tasks and Plan of Action and Milestones (POA&M) (GA). Tasks and POA&M activity now surface directly in Tentacle, so partners manage remediation, compliance activity, and risk decisions in one place rather than switching between products. This is the connective tissue between "find" and "prove" getting tighter in production.
• Agent Autoupdate for Windows and macOS (GA). Agents check hourly and apply updates automatically. Partners opt in via the Telivy console. If you manage a larger device fleet, this removes a recurring maintenance chore.
• Server-Side Pagination Across All Major Views (GA). Installed applications, internal CVEs, network hosts, security findings, browser history, browser passwords, scan targets, Microsoft 365 users and audit logs, and risk analysis views now paginate server-side. Larger assessments load faster with no more browser stalls or timeouts. If you've been hitting performance ceilings with your larger clients, this is the fix.
• Mandatory Review Dates on Risk Decisions (GA). When you accept or resolve a risk, Telivy now requires a preset review interval. This ensures risk decisions get reassessed on a schedule and reduces the "accepted risk drift" that quietly erodes compliance programs over time.
• Company Delete and Archive (GA). Housekeeping partners have been asking for. Clean up your workspace as client relationships change.
• Richer Scan Completion Emails (GA). Finding counts, severity breakdowns, and an AI-generated summary delivered to your inbox before you even log in.

Why This Matters

The HIPAA Compliance Report is the strongest single feature this month for partners with healthcare clients. It's a tangible, client-ready deliverable that connects Telivy's scanning depth to a specific regulatory framework your clients are measured against. Combined with the Evidence Locker and unified remediation in Tentacle, the path from "we ran a scan" to "here's your HIPAA compliance evidence trail" is now a straight line.

The vertical tagging and mandatory review dates are quieter but strategically important: they make Telivy smarter about your client's industry and more disciplined about keeping risk decisions current. Both matter when you're building programs that last rather than running one-time assessments.

UCaaS: Seat Transfers, PSA Integration, and Mobile Modernization

What We Just Delivered

• Seat Transfer Wizard (GA). A guided wizard walks you through moving a user's seat: extensions, mailboxes, direct inward dialing (DID) numbers, and devices. You see a full preview with validation before confirmation, so transfers complete cleanly without the guesswork that has caused ticketable mistakes in the past.
• PSA Integration for Missed Calls (Early Access, Desktop). Missed-call events now automatically create a PSA ticket with caller name, number, timestamp, direction, and Company and Contact IDs when available. A right-side onboarding pane in Desktop walks you through configuration: queue, priority, status, ticket source. Editable any time. This is the second installment of the same integrations architecture behind Autotask v2, so the PSA connection keeps getting deeper.
• Refreshed iOS Messages (Early Access). Cleaner thread list, updated detail view, improved input bar with support for text, images, GIFs, audio, files, and links.
• Refreshed Voicemail on Android and iOS (Early Access). Modern list view, search, expand-to-play with seek bar, speaker routing, and lazy-loaded transcripts. Per-item actions: Call, Message, Share, Delete.
• Refreshed Profile Menu on Android and iOS (Early Access). Avatar upload, SIP registration status, redesigned settings (call strategy, sound and ringtone, biometric login).

Reliability Improvements

• The "Use desk phone to make calls" setting now persists across logout and login on Desktop.
• Click-to-Dial in the Chrome extension works when background requests are blocked by content filters or network policies.
• Google Drive files share correctly in Android messages with a progress indicator.
• The gray screen that could appear after calls ended on Android is resolved.
• The Enter key now sends messages in the Android compose field.

Why This Matters

The Seat Transfer Wizard removes a real friction point for partners managing user changes across their client base. The PSA missed-call integration is worth paying attention to beyond the feature itself: it's built on the same integrations architecture as Autotask v2, which means every new integration we ship benefits from the same foundation. The pattern is: build the architecture once, extend it everywhere.

The mobile refreshes continue the UX modernization we started last month. If you're in Early Access, you're seeing a meaningfully different mobile experience. If you're not, now is a good time to opt in.

ControlOne: Portal Polish and VPN Reliability

What We Just Delivered

• Routing Policy Renaming. Partner-managed routing policies can now be renamed in the ControlOne portal. Cytracom-managed policies remain protected.
• Clearer Microsoft Entra ID Directory Sync Messaging. Status text now waits longer before shifting tone, reflects real queue timing, and explicitly tells users they can leave the page without disconnecting a running sync.
• IPsec NAT Validation Fix. Configurations where the original IP source does not overlap local tunnel selectors now validate correctly. If you've been working around this for multi-site tunnel setups, the workaround is no longer needed.
• Portal Modernization. Additional admin and reporting screens moved to the new theme and shared table component.

Why This Matters

ControlOne in April was a polish and reliability month. These are the kinds of improvements that don't make headlines but remove daily friction: clearer status messaging so your techs aren't confused, naming flexibility so your portal reflects your terminology, and a VPN fix that eliminates a real blocker for partners setting up multi-site tunnels.

A Quick Look at What's Ahead

Later this quarter, you'll see Telivy ship Browser Password Risk Intelligence, giving you visibility into one of the most common and under-assessed credential risks in your clients' environments. Custom Security Reports are coming so you can tailor deliverables to your specific client conversations. And the Evidence Locker will continue to deepen with audit package export, cross-framework evidence mapping, and a "Continuously Monitored" certification badge.

On the integration front, more PSA integrations are in active development for UCaaS, extending the same architecture powering the Autotask and missed-call integrations today.

And as we said up top: we're building toward a world where the platform doesn't just record remediation. It executes it. Agentic security operations, where repeatable fixes are dispatched, verified, and evidenced automatically, is the strategic direction we're investing in. The evidence system is now the foundation. The autonomous remediation layer is what comes next.

The through-line for 2026 remains: Assess. Prioritize. Remediate. Prove. Every release deepens that loop.

Upcoming Events

Upcoming Events: Let’s Connect

If you're planning to attend any of the following events, we'd welcome the opportunity to connect while you're there!

• TruPeer | May 3-7 |Orlando
• MSPGeekCon | May 17-19 | Orlando
• Huntress Roadshow | May 13th | Detroit
• Pax8 Beyond | June 7-9 | Salt Lake City
• Rewst FLOW | June 23-25 | Nashville
• Huntress Roadshow | June 17 | Atlanta

Let us know if you will be attending any of the events - we'd love to catch up!

Standardization Momentum Across TeamLogic IT

Standardization remains one of the clearest levers MSPs have to simplify operations and build a more scalable business.

Across both UC and ControlOne, partners who commit to standardization are reducing the day-to-day friction that comes from managing exceptions, one-off environments, and disconnected tools. The result is a more consistent service experience, cleaner deployments, and a stronger foundation for delivering secure connectivity and communications as true managed infrastructure, not piecemeal solutions.

When UC and network security are aligned under a standardized approach, MSPs gain tighter operational control, clearer packaging, and a more compelling story for customers who are increasingly asking about reliability, security, and accountability.

If you’re looking at where to simplify your stack and create more consistency across clients, we’re happy to share how other partners are approaching standardization across Cytracom UC and ControlOne, and what it’s enabling for their teams.

Welcome to the Family!

We’re excited to welcome the newest TeamLogic IT partners to Cytracom. As you get up and running, our focus is on helping you build a more scalable, standardized foundation across your services, so you can grow with less friction and more confidence.

We look forward to working alongside you as you expand your offerings, strengthen your operations, and continue building long-term customer value.

• TeamLogic IT of Danbury CT
• TeamLogic IT of Malvern PA
• TeamLogic IT of Northglenn, CO
• TeamLogic IT of VA Beach, VA
• TeamLogic IT of Greater New Haven, CT

Welcome Aboard!

Supporting Your Success

We want to hear from you!

Which top-of-mind topics would you like to hear about? Email swise@cytracom.com with what you'd like covered in the upcoming newsletter - and we will put it on our radar!

Thank you for your continued partnership and leadership within the TeamLogic IT community.

— The Cytracom Team