feat: Add vulnerability-management arc — Book VII, quantum framework, ORION, and kill-chain assessment tool

2026-06-15 07:56:50 +02:00
parent 633f82c5a7
commit 173704eca5
9 changed files with 1357 additions and 2 deletions
+11 -1
@@ -68,7 +68,17 @@ For most estates the honest answer to "can you see where it went?" is no. That's
The capstone, because it decides whether everything before it was merely robust or genuinely antifragile. Detection and recovery are not the sad afterthought — they're the feedback loop that changes the structure of the estate after every shock. An org that buries incidents stays fragile. An org that treats them as fuel becomes antifragile. This book covers the recovery lies the industry tells itself (untested backups, undocumented break-glass, AD forest recovery nobody has practised), builds the detection architecture, and — most importantly — describes the machine that turns incidents, alerts, and near-misses into structural improvement.
Read this last. It only makes sense once you've built something worth protecting.
Read this once you've built something worth protecting — it closes the original defensive arc (Books IVI).
---
### [Book VII — Vulnerability Management](06-vulnerability-management.md)
*The patch cycle was built for a world where you had weeks. That world is gone. Stop racing the attacker to the patch — change the race.*
The first six books assume the dominant way into an estate is a phished human. As of the 2026 Verizon DBIR that assumption is wrong: **exploitation of vulnerabilities is now the leading initial-access vector, roughly twice phishing.** This book changes the lens to match. It refuses the two losing moves — sorting 40,000 findings by CVSS, and trying to "patch faster" against a 4-hour exploitation window — and replaces them with the antifragile alternative: subtract the ~90% of criticals that aren't actually reachable, size the rest into **quanta** by time-to-existential-impact (hours / days / sprint, plus the dangerous *dark* quantum you can't yet size), contain the few that matter with compensating controls rather than waiting for a patch, and feed every exploited path back into a shorter kill chain.
It pairs with the [Quantum Vulnerability Management](../core/quantum-vulnerability-management.md) framework and the [Kill Chain Assessment app](../playbooks/kill-chain-assessment-app.md). Read it when the threat landscape — not the maturity model — forces the question.
---
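Review bot: the added "Read this once you've built something worth protecting" line contains "Books IVI", which reads as a garbled range; it should be "Books I–VI" (or "Books I to VI") so the sentence says which books the original defensive arc covers. Two further points in the same hunk: the DBIR claim ("exploitation of vulnerabilities is now the leading initial-access vector, roughly twice phishing") is presented in bold as a hard fact, so it should carry a link or citation to the specific DBIR section it comes from, otherwise a reader cannot verify the ratio; and the heading "Book VII" links to `06-vulnerability-management.md`, so confirm the zero-based file numbering is intentional and that the two relative links (`../core/quantum-vulnerability-management.md`, `../playbooks/kill-chain-assessment-app.md`) match the paths of the new files in this commit, since a broken link in the index is the first thing a reader will hit.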