feat: Add sovereign tool stack and integrate ASTRAL/AOC across playbooks

New document: Sovereign Tool Stack — complete capability map for our
open-source consulting arsenal.

Documents updated:
- sovereign-tool-stack.md (new): Maps Prowler, BloodHound, CISO Assistant,
  Purple Knight/Forest Druid, ASTRAL, and AOC to engagement modules and
  antifragile pillars. Identifies 6 gaps with recommended closes:
  Wazuh+Sysmon (EDR), Shuffle (SOAR), TheHive+Cortex (case management),
  Cartography (cloud asset mapping), Syft+Grype+Trivy (containers),
  Zeek+Suricata (network analysis). Includes per-module tool pairing,
  deployment complexity matrix, and integration architecture.
- m365-e3-hardening.md: Added ASTRAL 'configuration immunity' section
  and AOC audit log integration references
- endpoint-management-entry-vector.md: Added ASTRAL for Intune
  configuration backup and drift detection
- modular-engagements.md: Added ASTRAL and AOC to Module 1/2/3
  deliverables; linked sovereign tool stack
- retained-capability.md: Added AOC and Wazuh to detection engineering
  description
- ai-assisted-tvm.md: Added AOC and Prowler to discovery layer table
- blue-purple-team-foundation.md: Added sovereign tool stack reference
  for open-source SOC architecture
- zero-budget-hardening.md: Linked sovereign tool stack
- README.md + index.md: Added sovereign-tool-stack.md to navigation
2026-05-09 17:05:18 +02:00
parent 3569cd7c45
commit 2b969af2a8
10 changed files with 434 additions and 3 deletions

View File

@@ -70,6 +70,8 @@ AI-assisted TVM does not replace basic hygiene. It **accelerates it by an order
| **Cloud security posture** (Defender for Cloud, Prisma, Wiz) | Cloud resource misconfigurations | AI identifies cloud-specific kill chains (e.g., overly permissive S3 → compromised IAM → lateral movement) |
| **Zero-budget discovery** (PowerShell, SSH scripts, Syft/Grype, osquery) | Server inventory, SBOMs, package-level CVE correlation | AI aggregates script-based findings into unified risk view. See [Zero-Budget Vulnerability Discovery](zero-budget-vulnerability-discovery.md) |
| **osquery + FleetDM** | Cross-platform endpoint inventory, real-time process/network data, policy compliance | AI queries live endpoint state for prioritization and kill chain simulation. See [Osquery: The Sovereign Discovery Platform](osquery-custom-platform.md) |
| **AOC (Admin Operations Center)** | M365 audit log intelligence, anomalous admin behaviour, privilege escalation detection | AI enriches insider-threat context with external vulnerability data for complete kill chain picture. See [Sovereign Tool Stack](sovereign-tool-stack.md) |
| **Prowler** | Multi-cloud security posture (AWS, Azure, GCP) | AI correlates cloud misconfigurations with endpoint and identity findings for cross-layer risk scoring. See [Sovereign Tool Stack](sovereign-tool-stack.md) |
| **Attack surface management** (Cortex Xpanse, Shodan, Nuclei, Amass) | External-facing assets unknown to IT | AI maps shadow IT and forgotten assets faster than manual discovery. See [Perimeter Scanning Capability](perimeter-scanning-capability.md) |
| **Software bill of materials (SBOM)** | Known vulnerable components in applications | AI monitors SBOMs against real-time CVE disclosure and exploit availability |
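Review bot: The new Prowler row overlaps the existing "Cloud security posture (Defender for Cloud, Prisma, Wiz)" row a few lines above, which already covers cloud resource misconfigurations; either fold Prowler into that row as the open-source option or state in the Prowler row what it adds beyond that category (multi-cloud CIS/PCI/ISO checks with JSON output the reporting pipeline can ingest). The AOC row also uses "behaviour" where the rest of the table uses American spelling ("prioritization"); pick one.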

View File

@@ -137,6 +137,7 @@ This builds **trust and political capital** for the harder conversations that fo
| 10 | Vulnerability management: Integrate Intune compliance data with vulnerability prioritization | Risk-based patch prioritization |
| 11 | Data loss prevention: Endpoint DLP policies (if Purview licensed) or manual controls | DLP baseline |
| 11 | Recovery validation: Test remote wipe, device replacement workflow, backup of device config | Recovery procedure tested |
| 11 | Configuration immunity: Deploy ASTRAL for Intune profile backup, drift detection, and rollback | Configuration changes tracked and reversible |
| 12 | Governance handover: Client team trained on Intune operations; runbooks documented; monitoring automated | Operational handover complete |
**The Phase 3 conversation**:
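Review bot: The new Configuration immunity row is scheduled for week 11, after the compliance and DLP work, but the companion m365-e3-hardening change describes the ASTRAL baseline capture as happening "at engagement start"; if the baseline is taken only in week 11, none of the Intune profile changes made in weeks 1-10 are tracked or reversible. Consider moving baseline capture into week 1 (or the earliest Intune configuration step) and leaving drift detection and rollback validation in week 11, or note in the row that the baseline was captured earlier. There are now three rows numbered 11; confirm the week numbering is intentional.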
@@ -287,6 +288,7 @@ Month 6-12: Antifragile Architecture (exit architectures, chaos engineering, red
| [M365 Antifragile Project](m365-antifragile-project.md) | Endpoint management is a core workstream in both greenfield and modernisation projects |
| [Rapid Modernisation Plan](rapid-modernisation-plan.md) | Phase 1 (Hygiene) device visibility maps directly to endpoint management deployment |
| [Zero-Budget Hardening](zero-budget-hardening.md) | Intune is free in E3; Sysmon/Wazuh augment E3 endpoint security without new purchases |
| [Sovereign Tool Stack](sovereign-tool-stack.md) | ASTRAL provides M365 configuration backup and drift detection; osquery + FleetDM provide endpoint inventory; Wazuh + Sysmon close the EDR gap for E3 clients |
| [Azure OpenAI Sovereignty Bridge](../core/azure-openai-sovereignty-bridge.md) | Device application inventory reveals shadow AI; Intune becomes the enforcement point for sanctioned AI |
| [AI Operations Inevitability](../core/ai-operations-inevitability.md) | Endpoints are where defensive AI agents run; managed endpoints are prerequisite for AI-driven endpoint security |
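Review bot: The new Sovereign Tool Stack row repeats the EDR claim already made in the Zero-Budget Hardening row directly above it ("Sysmon/Wazuh augment E3 endpoint security" vs "Wazuh + Sysmon close the EDR gap for E3 clients"); trim the new row to what is unique to the tool stack document (ASTRAL backup and drift detection, osquery + FleetDM inventory) so the two rows do not say the same thing.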

View File

@@ -122,6 +122,7 @@ Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
- Retention: 90 days (E3 default); document the gap vs. 1-year requirement in some regulations
- Export for analysis: `Search-UnifiedAuditLog` or use Microsoft Purview Audit (Standard) if available
- **AOC integration**: For clients with AOC deployed, unified audit logs are ingested automatically and correlated with Entra ID sign-in events to surface anomalous admin behaviour without manual PowerShell queries
**Enable Mailbox Auditing**
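Review bot: The AOC integration bullet says unified audit logs "are ingested automatically" but does not state the prerequisites: the `Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true` step in the context above must already be done, and AOC needs read access to the audit log that someone has to grant; name that requirement in the bullet. It would also help to say whether AOC retains the ingested events beyond the 90-day E3 default noted two bullets above, since that retention gap is exactly what the preceding bullet asks the consultant to document.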
@@ -187,6 +188,21 @@ E3 includes **Entra ID P1**, which provides robust conditional access: device co
> *"E3 gives us strong authentication and solid authorization. We can enforce MFA, block legacy auth, and require managed devices. What we cannot do is automatically step up authentication when a sign-in looks risky, or block access from impossible travel. If that is a requirement for your risk profile, the minimum viable upgrade is Entra ID P2 for identity protection, not a full E5 jump."*
### Configuration Immunity (ASTRAL)
E3 tenants accumulate hundreds of configuration objects—conditional access policies, Intune profiles, compliance policies, and Exchange transport rules—with no version control. A single accidental deletion or unauthorised change can break authentication or expose data.
**Mitigations within E3**:
- **ASTRAL baseline capture**: Record the state of every M365 configuration object at engagement start
- **Drift detection**: Alert within minutes when policies are created, modified, or deleted outside change windows
- **One-click rollback**: Restore deleted or misconfigured policies without rebuilding from memory
- **Change attribution**: Link every configuration change to the specific admin account and session
**The Strategic Conversation**:
> *"Your M365 tenant has 400 configuration objects and no version control. When an admin accidentally deletes a conditional access policy at 2 AM, you discover it 6 hours later because users are complaining. ASTRAL detects the deletion in 60 seconds, attributes it to the specific admin, and offers one-click rollback. This is not backup. This is configuration immunity."*
### Close the Email Security Gap (No Defender for Office 365 P2)
EOP anti-phishing is reactive. Safe Links and Safe Attachments are proactive.
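Review bot: The heading "Mitigations within E3" is misleading for this section, since ASTRAL is a separate platform layered on the tenant rather than an E3 feature; rename it along the lines of "Mitigations (ASTRAL on top of E3)" so the section matches how the rest of the document separates native controls from add-ons. Two consistency points: the "Drift detection" bullet promises alerts "within minutes" while the quote below claims detection "in 60 seconds", and the quote is the same text as the ASTRAL conversation in sovereign-tool-stack.md except for "specific admin" vs "specific admin session"; keep one wording and link to the tool stack document instead of duplicating the quote.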
@@ -328,5 +344,6 @@ See [Vertical: Banking](../reference/vertical-banking.md) for full regulatory al
*Previous: [Zero-Budget Hardening](zero-budget-hardening.md)*
*Next: [AD and Endpoint Hardening](ad-endpoint-hardening.md)*
*For the complete open-source tool arsenal including ASTRAL and AOC, see [Sovereign Tool Stack](sovereign-tool-stack.md)*
For how Intune deployment becomes the natural entry point for broader security transformation, see [Endpoint Management Entry Vector](endpoint-management-entry-vector.md).

View File

@@ -0,0 +1,401 @@
# The Sovereign Tool Stack: Open-Source Arsenal for Antifragile Consulting
> *"We do not sell software. We operate a laboratory. Every tool in our stack is either open-source, client-owned, or built by us. The result is intelligence that no vendor can replicate because it is tuned to your specific environment."*
This document provides the complete capability map for our consulting practice: the tools we deploy, why we chose them, how they integrate, and what gaps remain. It is designed for three audiences:
1. **Clients** who want to understand what we bring to an engagement
2. **Consultants** who need to select the right tool for the right module
3. **Our own product team** who are building ASTRAL and AOC to close the M365-native gap
---
## The Philosophy: Sovereign Means Inspectable
| Vendor Black Box | Sovereign Tool |
|-----------------|----------------|
| Proprietary detection logic you cannot audit | **Open-source code you can read, modify, and extend** |
| Data exfiltrated to vendor cloud | **Data stays in your infrastructure or ours** |
| Vendor-defined scan scope and cadence | **You control what is scanned, when, and how deeply** |
| Generic report templates | **Custom outputs tuned to your compliance and risk language** |
| Per-asset licensing that scales poorly | **Free or built-by-us; economics favour the client** |
**The executive framing**:
> *"Tenable is a rented microscope. Our stack is a laboratory. We can ask questions that Tenable never thought to ask because we own the queries, the data, and the integration logic. When we find a gap, we do not open a support ticket. We write a detection rule, a query, or a script—and it is yours forever."*
---
## Our Current Arsenal
### Cloud Posture and Compliance
#### Prowler
| Attribute | Detail |
|-----------|--------|
| **What it does** | Multi-cloud security auditing for AWS, Azure, and GCP. 300+ checks against CIS benchmarks, PCI-DSS, ISO 27001, GDPR, and HIPAA. |
| **Why we use it** | It is the most mature open-source CSPM. One tool covers all three major clouds. Output is JSON/CSV/HTML—easy to feed into our reporting pipeline. |
| **Antifragile pillar** | Sovereign Intelligence, Stress-to-Signal Conversion |
| **Engagement modules** | Module 3 (M365 Security Hardening) for Azure; Module 8 (OT Security Assessment) for cloud-connected OT; any cloud-native client |
| **Typical output** | Executive dashboard: "247 findings across 12 services; 23 critical; 5 are internet-facing misconfigurations" |
| **Integration** | Output feeds into AI-assisted TVM prioritization and CISO Assistant compliance tracking |
**The conversation**:
> *"Prowler audited your AWS estate in 45 minutes and found an S3 bucket with public read access containing backup files. That is not a theoretical risk. That is a data breach waiting for a journalist. We fixed it in 10 minutes. No vendor invoice."*
---
### Active Directory Attack Path Analysis
#### BloodHound
| Attribute | Detail |
|-----------|--------|
| **What it does** | Maps Active Directory attack paths using graph theory. Shows how an attacker moves from a compromised standard user to Domain Admin in your specific environment. |
| **Why we use it** | No commercial tool visualises AD trust relationships and permission chains as clearly. It turns abstract identity risk into a navigable map. |
| **Antifragile pillar** | Structural Decoupling, Sovereign Intelligence |
| **Engagement modules** | Module 6 (On-Premise AD Hardening); Module 10 (Red Team & Validation); kill chain assessments |
| **Typical output** | "There are 4,217 paths from standard users to Domain Admin. The shortest is 3 hops via an overprivileged service account. Here is the exact account, the exact permission, and the exact remediation." |
| **Integration** | Findings feed into T0 Asset Framework classification and remediation prioritisation |
**The conversation**:
> *"Your AD has been growing for 15 years. Nobody remembers why the payroll service account has Replicating Directory Changes permissions. BloodHound remembers. It found 4,217 paths from a standard user to Domain Admin. The shortest is three hops. We are not guessing about AD security anymore."*
---
### Active Directory Security Assessment
#### Purple Knight / Forest Druid
| Attribute | Detail |
|-----------|--------|
| **What it does** | Automated AD security assessment against known vulnerability classes: credential exposure, privileged access gaps, replication security, Kerberos weaknesses, and LDAP/S channel hardening. |
| **Why we use it** | Purple Knight (Semperis) and Forest Druid provide rapid, scriptable AD health checks that complement BloodHound's graph analysis with rule-based security scoring. Forest Druid extends coverage to hybrid Entra ID configurations. |
| **Antifragile pillar** | Stress-to-Signal Conversion, Optionality Preservation |
| **Engagement modules** | Module 6 (On-Premise AD Hardening); Module 12 (Blue/Purple Team Foundation); diagnostic week 1 kill chain assessments |
| **Typical output** | AD security score with pass/fail against 50+ indicators; immediate remediation guidance for failed checks |
| **Integration** | Scores feed into antifragile risk register; trended across quarterly retests |
**The conversation**:
> *"Purple Knight scanned your AD forest in 20 minutes and scored 62 out of 100. The failures were not exotic: default LDAP signing disabled, KRBTGT password older than 180 days, and 14 service accounts with SPNs vulnerable to Kerberoasting. These are fixable in a week. Here is the priority order."*
---
### Governance, Risk, and Compliance
#### CISO Assistant
| Attribute | Detail |
|-----------|--------|
| **What it does** | Open-source GRC platform for compliance mapping, risk register management, control evidence collection, and audit readiness tracking. |
| **Why we use it** | It replaces €50,000/year GRC platforms with a sovereign alternative. Maps controls to multiple frameworks simultaneously (ISO 27001, NIS2, DORA, SOC 2). |
| **Antifragile pillar** | Sovereign Intelligence, Asymmetric Payoff Design |
| **Engagement modules** | Module 4 (Data Governance); Module 11 (Embedded Quality); all compliance-driven clients |
| **Typical output** | Live compliance dashboard: "DORA Article 12: 14 of 17 controls evidence-complete; 3 gaps assigned to owners with due dates" |
| **Integration** | Pulls findings from Prowler, osquery, BloodHound, and AOC into unified evidence packages |
**The conversation**:
> *"Your auditor wants evidence that you monitor privileged access. CISO Assistant links the BloodHound scan, the Purple Knight score, the AOC admin activity report, and the osquery listening-ports query into a single evidence package for DORA Article 8. No scrambling for screenshots the night before the audit."*
---
### M365 Backup and Change Management
#### ASTRAL (Our Platform)
| Attribute | Detail |
|-----------|--------|
| **What it does** | Intelligent backup, configuration drift detection, and change management for Microsoft Intune, Entra ID, and M365 tenant configurations. Captures baseline state, detects unauthorised or accidental changes, and enables rapid rollback. |
| **Why we built it** | No existing tool treats M365 configuration as code. A tenant with 500 conditional access policies, 200 Intune profiles, and 50 compliance policies is unmanageable without version control and drift detection. ASTRAL provides GitOps for M365. |
| **Antifragile pillar** | Structural Decoupling, Stress-to-Signal Conversion |
| **Engagement modules** | Module 1 (Endpoint Management); Module 2 (Identity Security); Module 3 (M365 Security Hardening); retained capability engagements |
| **Typical output** | "Configuration drift detected: 3 conditional access policies modified outside change window; 1 Intune profile deleted; all changes attributable to [admin account]; rollback initiated automatically" |
| **Integration** | Feeds change logs into AOC for audit intelligence; exports configuration state to CISO Assistant for compliance evidence |
**The conversation**:
> *"Your M365 tenant has 400 configuration objects and no version control. When an admin accidentally deletes a conditional access policy at 2 AM, you discover it 6 hours later because users are complaining. ASTRAL detects the deletion in 60 seconds, attributes it to the specific admin session, and offers one-click rollback. This is not backup. This is configuration immunity."*
---
### M365 Audit Log Intelligence
#### AOC — Admin Operations Center (Our Platform)
| Attribute | Detail |
|-----------|--------|
| **What it does** | Correlates Microsoft 365 Unified Audit Log, Entra ID sign-in logs, and Intune operational logs into actionable intelligence. Detects anomalous admin behaviour, privilege escalation, shadow IT creation, and data exfiltration patterns. |
| **Why we built it** | The native M365 audit log is a firehose: 10,000+ events per day in a typical tenant, searchable only via slow PowerShell or expensive Sentinel. AOC extracts the 50 events that matter and enriches them with identity context, device state, and business impact. |
| **Antifragile pillar** | Sovereign Intelligence, Stress-to-Signal Conversion |
| **Engagement modules** | Module 12 (Blue/Purple Team Foundation); retained capability (Detection Engineering); all M365 hardening engagements |
| **Typical output** | Daily brief: "3 anomalous events flagged: Global Admin [X] added external user at 03:14; Exchange Admin [Y] exported 12,000 mailboxes; Service Principal [Z] granted Mail.Read to unverified publisher. All require validation within 4 hours." |
| **Integration** | Receives alerts from osquery/FleetDM, Wazuh, and Prowler; pushes cases to CISO Assistant for risk register tracking; enriches AI-assisted TVM with insider-threat context |
**The conversation**:
> *"Microsoft gives you the audit log. They do not give you the story. AOC reads 50,000 events per night and tells you the three that need human attention: an admin added an external user at 3 AM, another exported 12,000 mailboxes, and a service principal granted Mail.Read to an unverified app. These are not false positives. These are the events that precede breaches."*
---
## The Stack Architecture
```
┌─────────────────────────────────────────────────────────────────────────┐
│ EXECUTIVE DASHBOARD │
│ (CISO Assistant + AI synthesis → board-ready risk and compliance view) │
└─────────────────────────────────────────────────────────────────────────┘
┌───────────────┬───────────────┼───────────────┬───────────────┐
▼ ▼ ▼ ▼ ▼
┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐
│ Prowler │ │BloodHound│ │ ASTRAL │ │ AOC │ │ osquery │
│(Cloud) │ │ (AD) │ │ (M365) │ │(Audit) │ │(Endpoint)│
└────┬────┘ └────┬────┘ └────┬────┘ └────┬────┘ └────┬────┘
│ │ │ │ │
└─────────────┴─────────────┴─────────────┴─────────────┘
┌─────────────────────────┐
│ AI-Assisted TVM Engine │
│ (Prioritisation + │
│ remediation scripts) │
└─────────────────────────┘
┌─────────────────────────┐
│ Purple Team Validation │
│ (Did the fix work? │
│ Can we still exploit?) │
└─────────────────────────┘
```
**Data flow**:
1. **Discovery layer** (Prowler, BloodHound, osquery, ASTRAL) collects raw security state
2. **Intelligence layer** (AOC, AI-assisted TVM) correlates, enriches, and prioritises
3. **Governance layer** (CISO Assistant) maps findings to compliance frameworks and tracks remediation
4. **Validation layer** (Purple Knight, Forest Druid, purple team exercises) proves fixes work
---
## Gap Analysis: What We Recommend Adding
Our current stack covers cloud posture, AD security, GRC, M365 configuration, and endpoint audit intelligence. Here are the gaps and our recommended closes:
### Gap 1: Endpoint Detection and Response (EDR) — The Visibility Gap
**Current state**: osquery provides structured endpoint inventory and compliance. AOC ingests M365 audit logs. What is missing is real-time behavioural detection on the endpoint itself.
**Recommended close**: **Wazuh + Sysmon** (open-source EDR stack)
| Why Wazuh | Why Sysmon |
|-----------|-----------|
| Centralised SIEM/XDR with 5,000+ detection rules | Windows endpoint telemetry at kernel level |
| Agent-based or agentless deployment | Maps directly to MITRE ATT&CK |
| Native integration with Threat Intel (MISP, VirusTotal) | Free, mature, extensively documented |
| Scales to 100,000+ endpoints | Outputs to any SIEM via standard formats |
**Deployment model**: Wazuh server in client infrastructure (or ours as managed service); Sysmon on all Windows endpoints with SwiftOnSecurity config; Linux agents via Wazuh native agent. Cost: infrastructure only.
**When to deploy**: Module 1 (Endpoint Management) for E3 clients lacking Defender for Endpoint P2; Module 12 (Blue/Purple Team) as the detection engineering foundation.
---
### Gap 2: Security Orchestration and Automated Response (SOAR) — The Response Gap
**Current state**: AOC detects anomalous admin behaviour. ASTRAL detects configuration drift. What is missing is automated response: disabling a compromised account, isolating a device, or revoking an OAuth grant at machine speed.
**Recommended close**: **Shuffle** (open-source SOAR)
| Why Shuffle |
|-------------|
| Visual workflow builder (no code required for simple playbooks) |
| Native integrations with M365, Entra ID, Wazuh, TheHive, Slack |
| Self-hosted: data never leaves client infrastructure |
| Replaces €100,000+/year commercial SOAR platforms |
**Example playbook**: AOC detects impossible-travel sign-in → Shuffle disables account → ASTRAL revokes all active sessions → Slack alerts SOC → CISO Assistant logs incident → Ticket created in client ITSM.
**When to deploy**: Module 12 (Blue/Purple Team Foundation); retained capability engagements.
---
### Gap 3: Incident Response Case Management — The Coordination Gap
**Current state**: Findings are scattered across Prowler, BloodHound, AOC, and osquery. What is missing is a single case management system that tracks incidents from detection through remediation to post-mortem.
**Recommended close**: **TheHive + Cortex** (open-source SOC case management)
| Why TheHive | Why Cortex |
|-------------|-----------|
| Case management with IOC tracking, task assignment, and timeline | Automated analysis of observables: hashes, IPs, domains, files |
| Native MISP integration for threat intel correlation | 30+ analyzers (VirusTotal, AbuseIPDB, URLhaus, etc.) |
| Metrics dashboard: MTTR, case volume, analyst workload | Free, extensible, community-maintained |
**When to deploy**: Module 12 (Blue/Purple Team Foundation); retained capability ( Detection Engineering).
---
### Gap 4: Cloud Asset and Dependency Mapping — The Context Gap
**Current state**: Prowler finds misconfigurations. BloodHound maps AD attack paths. What is missing is a unified map of how cloud resources connect to each other and to on-premise assets.
**Recommended close**: **Cartography** (by Lyft, open-source)
| Why Cartography |
|-----------------|
| Neo4j-based graph of AWS, GCP, Azure, and GitHub assets |
| Shows dependency chains: compromised IAM role → S3 bucket → Lambda → RDS |
| Complements BloodHound: BloodHound maps identity; Cartography maps infrastructure |
| Free, queryable via Cypher (same language as BloodHound) |
**When to deploy**: Module 3 (M365 Security Hardening) for Azure environments; Module 5 (AI Sovereignty Bridge) for infrastructure mapping.
---
### Gap 5: Container and Supply Chain Security — The Modernisation Gap
**Current state**: Our vulnerability discovery covers servers and endpoints. What is missing is native container image scanning, SBOM generation, and supply chain integrity verification.
**Recommended close**: **Syft + Grype + Trivy**
| Tool | Role |
|------|------|
| **Syft** | Generate SBOMs from container images, filesystems, and archives |
| **Grype** | Scan SBOMs against NVD and vendor advisory databases |
| **Trivy** | Comprehensive scanner: OS packages, language dependencies, IaC misconfigs, secrets |
**Already in repository**: See [Zero-Budget Vulnerability Discovery](zero-budget-vulnerability-discovery.md) for the Syft → Grype pipeline.
**When to deploy**: Any client with containerised workloads; Module 9 (Organisational Resilience) for CI/CD security gates.
---
### Gap 6: Network Traffic Analysis — The Blind Spot Gap
**Current state**: We see endpoint state (osquery) and cloud configurations (Prowler). What is missing is visibility into network traffic: lateral movement, C2 beacons, and data exfiltration at the packet level.
**Recommended close**: **Zeek + Suricata**
| Why Zeek | Why Suricata |
|----------|--------------|
| Protocol analysis: extracts metadata from HTTP, DNS, TLS, SMB without full packet storage | IDS/IPS with 30,000+ signatures and emerging threat rules |
| Scales to 10 Gbps+ on commodity hardware | Can drop malicious traffic inline (IPS mode) |
| Output is structured JSON—easy to feed into Wazuh or AOC | Native file extraction and malware detection |
**When to deploy**: Module 8 (OT Security Assessment) for industrial network segmentation validation; Module 12 (Blue/Purple Team) for detection engineering.
---
## Complete Capability Matrix
| Capability | Our Tool | Open-Source Alternative | Commercial Equivalent | When to Recommend |
|-----------|----------|------------------------|----------------------|-------------------|
| Cloud posture management | **Prowler** | ScoutSuite, CloudSploit | Prisma Cloud, Wiz, Orca | Every cloud environment; first sweep |
| AD attack path analysis | **BloodHound** | — (none comparable) | — | Every on-premise or hybrid AD |
| AD security assessment | **Purple Knight / Forest Druid** | PingCastle, ADRecon | Semperis Directory Services Protector | AD hardening engagements |
| GRC and compliance | **CISO Assistant** | OpenGRC, SimpleRisk | ServiceNow GRC, RSA Archer | DORA, NIS2, SOC 2 clients |
| M365 backup/change mgmt | **ASTRAL** | — (no open-source equivalent) | Veeam, AvePoint, SkyKick | All M365 clients; retained capability |
| M365 audit intelligence | **AOC** | — (no open-source equivalent) | Microsoft Sentinel, ManageEngine | All M365 clients; SOC co-management |
| Endpoint inventory | **osquery + FleetDM** | Wazuh (limited), Zentral | Tenable, Qualys | 50-5,000 endpoints; sovereign preference |
| Endpoint detection (EDR) | **Wazuh + Sysmon** | — | CrowdStrike, SentinelOne, Defender P2 | E3 clients without Defender P2; air-gapped environments |
| SIEM / log aggregation | **Wazuh** | Graylog, Grafana Loki, ELK | Splunk, Sentinel, QRadar | All environments needing centralised alerting |
| SOAR / automation | **Shuffle** | — | Palo Alto XSOAR, Splunk SOAR | SOC operationalisation; retained capability |
| SOC case management | **TheHive + Cortex** | — | ServiceNow SecOps, D3 | Blue/purple team foundation; MSSP co-management |
| Container security | **Syft + Grype + Trivy** | Clair, Anchore | Snyk, Aqua | Containerised workloads; DevSecOps |
| Network analysis | **Zeek + Suricata** | — | Corelight, Darktrace | OT environments; high-sensitivity networks |
| Cloud asset mapping | **Cartography** | CloudQuery | Lucidscale, Faddom | Complex multi-cloud; incident response |
| Perimeter scanning | **Nuclei + Amass + Naabu** | OpenVAS, Greenbone | Tenable.asm, Cortex Xpanse | External attack surface management |
| Vulnerability discovery | **osquery + Grype** | OpenVAS, Nessus Essentials | Tenable, Qualys | Zero-budget first sweep; continuous monitoring |
---
## Per-Module Tool Pairing
### Module 1: Endpoint Management Foundation
**Primary**: ASTRAL (Intune configuration backup and drift detection) + osquery/FleetDM (endpoint inventory)
**Augmentation**: Wazuh + Sysmon (for E3 clients without Defender P2)
### Module 2: M365 Identity Security
**Primary**: AOC (audit log intelligence) + BloodHound (hybrid identity attack paths)
**Augmentation**: Purple Knight (AD security baseline)
### Module 3: M365 Security Hardening
**Primary**: ASTRAL (configuration state) + Prowler (Azure posture)
**Augmentation**: AOC (continuous monitoring of security control changes)
### Module 6: On-Premise AD Hardening
**Primary**: BloodHound + Purple Knight / Forest Druid
**Augmentation**: osquery (endpoint state of domain controllers)
### Module 10: Red Team & Validation
**Primary**: BloodHound (attack path validation) + Nuclei (external validation)
**Augmentation**: Zeek + Suricata (detect red team activity from blue team perspective)
### Module 12: Blue/Purple Team Foundation
**Primary**: Wazuh + Sysmon + TheHive + Cortex + Shuffle
**Augmentation**: AOC (M365-specific detections) + osquery (endpoint telemetry)
### Retained Capability: Detection Engineering
**Primary**: Wazuh (rule authoring) + AOC (M365 detections) + Shuffle (response playbooks)
**Augmentation**: Zeek + Suricata (network detection rules)
---
## Deployment Complexity
| Tool | Time to First Value | Infrastructure Required | Expertise Required | Client Data Sensitivity |
|------|---------------------|------------------------|-------------------|------------------------|
| Prowler | 1 hour | None (runs from consultant laptop) | Low | Low (read-only API) |
| BloodHound | 2 hours | None (collector + laptop) | Medium | Medium (AD enumeration) |
| Purple Knight | 30 minutes | None | Low | Medium (AD scan) |
| CISO Assistant | 1 day | Docker host or VM | Low | Low-Medium (compliance data) |
| ASTRAL | 2 hours | SaaS or client-hosted | Low | High (M365 configuration) |
| AOC | 4 hours | SaaS or client-hosted | Medium | High (audit logs, identity data) |
| osquery + FleetDM | 4 hours | FleetDM server + agents | Medium | High (endpoint data) |
| Wazuh + Sysmon | 1 day | Wazuh server + agents | Medium | High (endpoint + network data) |
| Shuffle | 4 hours | Docker host | Medium | High (SOAR playbooks) |
| TheHive + Cortex | 4 hours | Docker host | Medium | High (case data) |
| Syft + Grype | 1 hour | None | Low | Low (container metadata) |
| Zeek + Suricata | 1 day | Network tap or SPAN port | High | High (network traffic) |
| Cartography | 4 hours | Neo4j + AWS/GCP/Azure APIs | Medium | Medium (cloud metadata) |
---
## The Honest Limitations
| What Our Stack Does Well | What It Cannot Do |
|-------------------------|-------------------|
| Provides complete visibility without vendor lock-in | Requires more expertise to deploy and maintain than commercial SaaS |
| Costs a fraction of commercial equivalents | Does not come with 24/7 vendor support (we provide that) |
| Customisable to client-specific needs | Customisation takes time; commercial tools are faster to deploy out-of-the-box |
| Data sovereignty by default | Some clients' procurement departments prefer vendor-backed solutions for audit comfort |
| Integrates across tools via open APIs | Integration requires engineering; commercial suites are pre-integrated |
**The framing**:
> *"Our stack is not for everyone. If you want a dashboard that takes 15 minutes to deploy and requires no expertise, buy CrowdStrike. If you want intelligence that answers questions no vendor thought to ask, and you want to own that intelligence forever, our stack is the right choice. We provide the expertise so you do not need to hire it."*
---
## Integration With Existing Frameworks
| Document | Integration |
|----------|-------------|
| [Zero-Budget Vulnerability Discovery](zero-budget-vulnerability-discovery.md) | Syft + Grype container pipeline; osquery endpoint discovery; Prowler cloud-native discovery |
| [AI-Assisted TVM Blueprint](ai-assisted-tvm.md) | All discovery tools feed the AI prioritisation engine; AOC provides insider-threat context |
| [Perimeter Scanning Capability](perimeter-scanning-capability.md) | Nuclei + Amass + Naabu form the open-source active scanning layer; Prowler covers cloud perimeter |
| [Osquery: The Sovereign Discovery Platform](osquery-custom-platform.md) | osquery + FleetDM is the endpoint discovery layer; Wazuh extends to behavioural detection |
| [Blue/Purple Team Foundation](../core/blue-purple-team-foundation.md) | Wazuh + TheHive + Cortex + Shuffle form the open-source SOC stack; AOC adds M365-specific detection |
| [Retained Capability](../core/retained-capability.md) | Detection Engineering retained capability is built on Wazuh + AOC + Shuffle; Threat Context on TheHive + Cortex |
| [Modular Engagements](../core/modular-engagements.md) | Each module has a recommended tool pairing in the matrix above |
---
*For the cloud-native vulnerability discovery methods, see [Zero-Budget Vulnerability Discovery](zero-budget-vulnerability-discovery.md).*
*For the endpoint discovery platform, see [Osquery: The Sovereign Discovery Platform](osquery-custom-platform.md).*
*For the AI prioritisation layer that consumes these tools' output, see [AI-Assisted TVM Blueprint](ai-assisted-tvm.md).*
*For the organisational model that operates this stack, see [Retained Capability](../core/retained-capability.md).*
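Review bot: The opening quote states that every tool in the stack is "either open-source, client-owned, or built by us", but the Purple Knight / Forest Druid section describes Semperis products, which are free to use rather than open-source, while the capability matrix lists PingCastle and ADRecon as the open-source alternatives; either qualify the philosophy statement ("open-source or free-to-use") or move Purple Knight / Forest Druid into the alternatives column. Two further points: the Gap 2 example playbook has ASTRAL "revoke all active sessions", which is an identity action the ASTRAL section does not claim (it covers configuration backup, drift detection, rollback and change attribution), so state which component actually performs that step; and the box widths in the stack architecture diagram do not line up (labels such as "BloodHound" and "(Endpoint)" are wider than their boxes), so the diagram will render misaligned.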

View File

@@ -264,3 +264,4 @@ The Zero-Budget Hardening Playbook maps directly onto the [Rapid Modernisation P
*Previous: [Rapid Modernisation Plan](rapid-modernisation-plan.md)*
*Next: [Implementation Playbook](implementation-playbook.md)*
*For the complete open-source tool arsenal and capability map, see [Sovereign Tool Stack](sovereign-tool-stack.md)*