feat: Add sovereign tool stack and integrate ASTRAL/AOC across playbooks

New document: Sovereign Tool Stack — complete capability map for our
open-source consulting arsenal.

Documents updated:
- sovereign-tool-stack.md (new): Maps Prowler, BloodHound, CISO Assistant,
  Purple Knight/Forest Druid, ASTRAL, and AOC to engagement modules and
  antifragile pillars. Identifies 6 gaps with recommended closes:
  Wazuh+Sysmon (EDR), Shuffle (SOAR), TheHive+Cortex (case management),
  Cartography (cloud asset mapping), Syft+Grype+Trivy (containers),
  Zeek+Suricata (network analysis). Includes per-module tool pairing,
  deployment complexity matrix, and integration architecture.
- m365-e3-hardening.md: Added ASTRAL 'configuration immunity' section
  and AOC audit log integration references
- endpoint-management-entry-vector.md: Added ASTRAL for Intune
  configuration backup and drift detection
- modular-engagements.md: Added ASTRAL and AOC to Module 1/2/3
  deliverables; linked sovereign tool stack
- retained-capability.md: Added AOC and Wazuh to detection engineering
  description
- ai-assisted-tvm.md: Added AOC and Prowler to discovery layer table
- blue-purple-team-foundation.md: Added sovereign tool stack reference
  for open-source SOC architecture
- zero-budget-hardening.md: Linked sovereign tool stack
- README.md + index.md: Added sovereign-tool-stack.md to navigation
2026-05-09 17:05:18 +02:00
parent 3569cd7c45
commit 2b969af2a8
10 changed files with 434 additions and 3 deletions


@@ -120,6 +120,8 @@ Many organizations have purchased or inherited an impressive security stack:
**For MSSP clients**: The first hunt often reveals gaps in MSSP detection coverage. These gaps become the first custom detection rules the retained capability cell writes and deploys.
**Deliverable**: Operating Rhythm Playbook
**Tool stack for the operating rhythm**: See the [Sovereign Tool Stack](../playbooks/sovereign-tool-stack.md) for the complete open-source SOC architecture. For M365-centric environments, AOC provides audit log intelligence; Wazuh + Sysmon provide endpoint detection; TheHive + Cortex provide case management; Shuffle provides automated response. This stack replaces €200K+/year commercial SOC tooling for clients who prioritise sovereignty.
- Weekly, bi-weekly, and monthly cadence definitions
- RACI matrix for each activity
- Dashboard definitions and data sources
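Review bot: the new "Tool stack for the operating rhythm" paragraph is inserted between "**Deliverable**: Operating Rhythm Playbook" and the bullets that describe that deliverable, so the list ("Weekly, bi-weekly, and monthly cadence definitions", "RACI matrix for each activity", "Dashboard definitions and data sources") now reads as belonging to the tool-stack paragraph rather than to the playbook. Move the paragraph after the last bullet, or place it before the "**Deliverable**" line. Separately, "This stack replaces €200K+/year commercial SOC tooling" is a specific cost claim with no source or sizing assumption in the hunk; either cite where the figure comes from or qualify it (organisation size, which commercial products it is compared against).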


@@ -41,6 +41,7 @@ We do not sell monolithic transformation projects. We sell **building blocks** t
- Compliance baseline: encryption, OS version, password policy, firewall
- Application inventory and shadow IT discovery
- Basic conditional access integration (compliant device required for M365 access)
- ASTRAL deployment for Intune configuration backup and drift detection
- Admin training and operational handover
**Executive pitch**:
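Review bot: "ASTRAL" appears here without expansion or a link, and this is the first time the term shows up in the Module 1 deliverables. Since the same commit adds a Sovereign Tool Stack link to the "See" line further down, link the tool name at first mention (for example "[ASTRAL](../playbooks/sovereign-tool-stack.md) deployment for Intune configuration backup and drift detection") so a reader of this module does not have to hunt for what the tool is.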
@@ -71,6 +72,7 @@ We do not sell monolithic transformation projects. We sell **building blocks** t
- Legacy authentication blocked tenant-wide
- Privileged access workstation (PAW) architecture for admins
- PIM deployment (if E5/Entra ID P2) or manual JIT process (if E3)
- AOC deployment for audit log intelligence and anomalous admin detection
- Guest access audit and time-bounding
- OAuth consent governance
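Review bot: the new "AOC deployment for audit log intelligence and anomalous admin detection" deliverable in Module 2 depends on the Unified Audit Log being enabled, but that prerequisite is listed as a Module 3 deliverable ("Unified Audit Log enabled and forwarded to SIEM") in the following hunk. Either state the dependency on the Module 2 line (e.g. "requires Unified Audit Log enabled; see Module 3") or move the audit-log enablement into Module 2 so the modules can be sold and delivered in the order they are numbered.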
@@ -99,7 +101,8 @@ We do not sell monolithic transformation projects. We sell **building blocks** t
- Mailbox auditing enabled for all users
- Unified Audit Log enabled and forwarded to SIEM
- Microsoft Secure Score baseline and improvement plan
- ASR rule deployment in audit mode (E5) or Defender Antivirus maximization (E3)
- ASR rule deployment in audit mode (E5) or Defender for Endpoint P1 maximisation (E3)
- ASTRAL configuration baseline capture for all M365 security policies
- Windows Defender Firewall and exploit protection baseline
- LAPS deployment for local admin password randomization
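Review bot: the replacement of "Defender Antivirus maximization (E3)" with "Defender for Endpoint P1 maximisation (E3)" changes the product and licensing claim for E3 tenants, but the commit message only describes ASTRAL and AOC additions; either document this change in the message or split it into its own commit so the deliverable change is reviewable on its own. Note also that the edit switches this bullet to "maximisation" while the neighbouring bullet keeps "randomization"; pick one spelling convention for the file.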
@@ -109,7 +112,7 @@ We do not sell monolithic transformation projects. We sell **building blocks** t
**Natural next modules**: Module 4 (Data Governance), Module 5 (AI Sovereignty Bridge), Module 10 (Red Team & Validation)
**See**: [M365 E3 Hardening](../playbooks/m365-e3-hardening.md), [Zero-Budget Hardening](../playbooks/zero-budget-hardening.md)
**See**: [M365 E3 Hardening](../playbooks/m365-e3-hardening.md), [Zero-Budget Hardening](../playbooks/zero-budget-hardening.md), [Sovereign Tool Stack](../playbooks/sovereign-tool-stack.md)
---


@@ -32,7 +32,7 @@ When you outsource a security function, you should retain three capabilities int
| Retained Capability | Why It Cannot Be Outsourced | What It Produces |
|--------------------|---------------------------|------------------|
| **Detection Engineering** | Only you know what "normal" looks like in your environment. Only you can write rules that detect anomalies specific to your architecture, your applications, and your user behaviours. | Custom detection rules (KQL, Sigma, YARA) that catch threats generic rules miss |
| **Detection Engineering** | Only you know what "normal" looks like in your environment. Only you can write rules that detect anomalies specific to your architecture, your applications, and your user behaviours. | Custom detection rules (KQL, Sigma, YARA, Wazuh) and M365-specific detections via AOC that catch threats generic rules miss |
| **Threat Context & Prioritization** | Only you know which assets are crown jewels. Only you can prioritize a vulnerability on your payment gateway over a vulnerability on your marketing blog. | Risk-ranked remediation that aligns with business impact |
| **Integration & Orchestration** | Only you can connect the SOC to your change management, your identity team, your OT engineers, and your executives. | Closed-loop incident response that produces structural improvement |
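Review bot: in the updated Detection Engineering row, "Custom detection rules (KQL, Sigma, YARA, Wazuh)" lists a platform alongside three rule languages, which reads as if Wazuh were a rule format. Rephrase to keep the list homogeneous, for example "(KQL, Sigma, YARA, Wazuh rules)" or "Custom detection rules (KQL, Sigma, YARA) deployed to Sentinel or Wazuh", so the column stays a list of what the capability produces rather than where it runs.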