Skip to content
← Home

Case study · Client #1

DBK Group: eating our own dog food.

Outlaw IT's parent group is DBK Group Pty Ltd — a seven-company operation spanning IT services, automotive specialists, and content production. The group is Outlaw IT's first client. This is the only honest answer to "where are your testimonials" — the stack we recommend is the stack we run our own businesses on.

7
Operating companies running on the stack
1
Sole-operator MSP delivering it
100%
Endpoints under MDR + backup coverage
$0
VPN licensing cost — Cloudflare ZTNA replaces it

Background

The group, in one paragraph.

DBK Family Trust → DBK Group Pty Ltd (holding company) → seven operating subsidiaries. The seven cover three sectors: IT services (Outlaw IT — the actively-resourced MSP business at launch); automotive specialists (Halcyon Motors and Halcyon Workshop for sales and mechanical, Kennedy Audio for custom car-audio install + DSP tuning, Hide & Hood for paint correction + ceramic + interior detailing, Black Tie Muscle for muscle-car-and-driver hire for weddings/formals/events); and content production (Fieldwork Studios as the group's photo + video engine, also billing outside clients in the same automotive/trade vertical).

Operating-pace reality: Outlaw IT is actively-resourced. The six car-side brands trade at spare-time pace — registered and legally operating, but work coming into them is slow and gradual. Group IT had to scale to that reality from the start.

All seven operate from a single premises (a 220 m² shed at the Directors' personal property in SEQ Queensland), with per-subsidiary bay-use licences and a shared-infrastructure asset-allocation framework. The IT architecture had to match the asset-protection model: durable IT assets at the holding-co level, leased down to the operating subs via existing bay-use-licence framework.

The challenges

Four things that had to be solved.

01

Seven separate operating subsidiaries on different operating paces

Outlaw IT is the actively-resourced MSP. The other six (Halcyon Motors, Halcyon Workshop, Kennedy Audio, Hide & Hood, Black Tie Muscle, Fieldwork Studios) trade at spare-time pace — registered and legally operating, but light usage. Group IT had to scale from one active business to seven activating businesses without throwing money at it.

02

Two-tenant Microsoft 365 architecture

Outlaw IT runs in its own M365 tenant for client-data isolation and CSP partner-of-record visibility. The other six brands plus DBK Group share a single DBK Group tenant for cost efficiency. Cross-tenant access discipline matters — credentials, file sync, browser sessions all have to stay clean.

03

Single-laptop multi-purpose reality

Director operates from one laptop covering OIT client work + on-site visits + DSP audio tuning + OBD diagnostics + the sister-brand spare-time work. Standard 'one tenant per machine' guidance doesn't apply — needed a working pattern that's secure but doesn't require multiple machines until revenue justifies the second laptop.

04

Cybersecurity sufficient for the group's exposure

Not enterprise-grade; not consumer-grade. The right shape: SMB1001-aligned baseline, modern endpoint detection, identity protection on the multi-tenant M365, defensible backup, and the operational SOPs to run it all at sole-operator scale.

The solution

The same stack we recommend to clients.

Eight architectural decisions, all documented publicly in the OIT Company OS. Each one chosen because it works at sole-operator scale and scales cleanly into client engagements.

M365 architecture

Two M365 tenants (DBK Group + Outlaw IT). DBK Group tenant hosts shared mailboxes for the six car-brand entities (free — no licence cost per brand). Outlaw IT tenant separated for CSP/client-data-isolation reasons. Documented in the holding-co operational plan.

Multi-tenant management via CIPP

Self-hosted Azure deployment. Standards engine + Drift Management applies baseline configuration across both tenants on a 12-hour cycle. GDAP relationships used for cross-tenant access — the modern Microsoft Partner Centre delegation model, not legacy DAP.

Endpoint security

Microsoft Defender for Business (M365 BP-bundled) as primary EDR/MDR. Defender for O365 P2 for advanced email threat protection (Threat Explorer, AIR, Attack Simulator). Production endpoints + lab VMs all monitored via NinjaOne with patch deployment on a defined cadence.

Backup architecture (3-2-1)

Acronis Cyber Protect handles endpoint + M365 backup. Local cache on the Outlaw IT PRD Proxmox server. Off-site copy to Backblaze B2 (cheapest at our backup-egress profile). Verification cadence: weekly file-level spot-check, monthly full-restore test of one critical workload, quarterly DR exercise.

Zero Trust replaces VPN

Cloudflare Tunnel + Access expose CIPP, NinjaOne, Hudu, and Proxmox UI to the Director (and future technicians) over the public internet without opening firewall ports. Identity-aware per-app access via Entra ID SSO + WARP device posture. No VPN licensing cost — replaces traditional VPN entirely at $0 marginal cost.

Network segmentation

UniFi-based network at DBK HQ with VLAN separation: Home / IoT / Guest / Cameras / Servers / OIT Internal / OIT Lab / Brand Workshop / Management. Default-deny inter-VLAN posture with explicit allow rules. CIPP and NinjaOne live on the OIT Internal VLAN, isolated from home and brand-workshop traffic.

Storage architecture

Three-Proxmox-server architecture (PRD + NPRD + dedicated PBS backup host). Replaces a typical NAS appliance with workstation-class compute that's LLM-capable for future use cases. Storage in PRD via ZFS; backup separated to PBS for fault-domain isolation.

AI strategy: cloud-first

Claude API + Microsoft Copilot + Azure OpenAI for content generation, ticket summarisation, document drafting. On-prem LLM deferred indefinitely (existing 3070 PC handles any experimentation). AI governance baked into the SMB1001 path — AI AUP, tool register, annual impact review.

" We run our own seven-company group on this exact stack. If it isn't good enough for our own businesses, it isn't good enough for yours. The decision log is public, the tools are named, the architecture is documented. There's no secret sauce — there's just real operational discipline applied to a stack that works.
Daniel Kennedy Director, Outlaw IT · Director, DBK Group Pty Ltd

What it taught us

Four lessons that apply to client engagements.

  • Single-laptop reality forced a discipline most multi-machine MSPs never develop — primary tenant sync only; cross-tenant via browser; per-tenant browser profiles. Working pattern locked early; will scale cleanly to second machine when revenue justifies it.
  • Cloudflare Free Zero Trust (≤50 users) handles the entire group's roaming and ZTNA needs at $0. The free-tier threshold matches the SMB target client profile exactly — most clients fit the same envelope. Removes a recurring per-user cost line from every tier.
  • Stack transparency works internally too. Every OIT decision is captured in the Company OS — Decision_Log, Memory, structured per-entity files. The same documentation discipline applied to client engagements produces handover-ready knowledge by default.
  • The 'we run our own stack' position takes the abstract MSP claim and grounds it. Clients can see the seven-company group; they can see the architecture documents; they can read the decision log. Specifically what's running on the seven companies' endpoints is the same specifically what we recommend.

Want to see the architecture documents we use for our own group?

The 30-minute discovery call can include a walkthrough of how the stack runs across the group, what we'd deploy in your situation, and what the equivalent cost would be at your scale.

Book a 30-min discovery call