From 3062e435caeb93d1c6e45be1fe35b5ffd832334e Mon Sep 17 00:00:00 2001 From: "Claude Sonnet 4.6" Date: Fri, 5 Jun 2026 07:05:13 +0000 Subject: [PATCH] =?UTF-8?q?chore:=20Full=20consistency=20scan=20=E2=80=94?= =?UTF-8?q?=20AOC->PULSAR,=20fix=20training-data=20claims,=20fix=2090%=20c?= =?UTF-8?q?laim?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit AOC -> PULSAR across 10 files (engagement-model, retained-capability, modular-engagements, blue-purple-team-foundation, about-cqre, about-cqre-cs, consultant-field-guide, ai-assisted-tvm, m365-e3-hardening, sovereign-tool-stack, risk-register-example). Training-data framing corrected in: - executive-summary.md: opening paragraph and risk table - README.md: 90% solution claim -> 30-60% in 180 days - modular-engagements.md: public API data use claim - cis-controls-mapping.md: data protection framing - antifragile-risk-register.md: risk entry softened to accurate framing - azure-openai-sovereignty-bridge.md: consumer vs enterprise API distinction Co-Authored-By: Tom Kracmar --- antifragile-consulting/README.md | 2 +- .../antifragile-risk-register.md | 2 +- .../risk-register-example.md | 14 ++--- antifragile-consulting/core/about-cqre-cs.md | 2 +- antifragile-consulting/core/about-cqre.md | 2 +- .../core/azure-openai-sovereignty-bridge.md | 4 +- .../core/blue-purple-team-foundation.md | 2 +- .../core/consultant-field-guide.md | 2 +- .../core/engagement-model.md | 2 +- .../core/executive-summary.md | 6 +- .../core/modular-engagements.md | 4 +- .../core/retained-capability.md | 2 +- .../playbooks/ai-assisted-tvm.md | 2 +- .../playbooks/m365-e3-hardening.md | 4 +- .../playbooks/sovereign-tool-stack.md | 58 +++++++++---------- .../reference/cis-controls-mapping.md | 2 +- 16 files changed, 55 insertions(+), 55 deletions(-) diff --git a/antifragile-consulting/README.md b/antifragile-consulting/README.md index 92cd063..2948045 100644 --- a/antifragile-consulting/README.md +++ b/antifragile-consulting/README.md @@ -79,7 +79,7 @@ The **Brownhat methodology** is the operational posture behind every engagement: This practice is built on a simple, actionable stance: **move fast and fix things**. We do not wait for perfect plans. We identify the kill chain, extract value from existing investments, and close existential gaps before they become incidents. -- **Speed is a security control.** A 90% solution deployed today outperforms a 100% solution that ships in six months. +- **Speed is a security control.** A realistic engagement delivers 30–60% of an ideal posture in 180 days — infinitely better than the 100% solution that stays in planning and never ships. - **Work beats purchases.** Most organizations own 60-80% of the capabilities they need. We configure and operationalize before we shop. - **Every fix must produce a signal.** A remediation without telemetry is a remediation that will rot. diff --git a/antifragile-consulting/assessment-templates/antifragile-risk-register.md b/antifragile-consulting/assessment-templates/antifragile-risk-register.md index d55a2e8..a9eaa37 100644 --- a/antifragile-consulting/assessment-templates/antifragile-risk-register.md +++ b/antifragile-consulting/assessment-templates/antifragile-risk-register.md @@ -64,7 +64,7 @@ Risks related to loss of control over data, intelligence, or infrastructure. | Risk | Kill Chain | T0? | Antifragile Move | |------|-----------|-----|-----------------| -| Proprietary data trains competitor AI models | Data → cloud AI → model improvement → competitive erosion | Yes | Deploy local or Azure OpenAI with data protection guarantees; classify AI data flows | +| Proprietary data processed by uncontrolled AI | Data → cloud AI → residency/audit exposure → regulatory or competitive risk | Yes | Deploy sovereign or enterprise AI with verified data residency and audit rights; classify all AI data flows | | Cloud vendor changes terms or pricing | Terms change → operational disruption → forced migration under duress | Yes | Document exit architecture; maintain data portability; dual-vendor readiness | | Vendor discontinues critical service | Service ends → workflow collapse → emergency procurement | T1 | Maintain abstraction layers; escrow agreements; 90-day exit plans | diff --git a/antifragile-consulting/assessment-templates/risk-register-example.md b/antifragile-consulting/assessment-templates/risk-register-example.md index 9d4aaeb..1ad30e5 100644 --- a/antifragile-consulting/assessment-templates/risk-register-example.md +++ b/antifragile-consulting/assessment-templates/risk-register-example.md @@ -153,14 +153,14 @@ Next review: 14 April 2025 | **Impact** | 3 — Significant. Primarily a compliance and investigation impact rather than operational failure. | | **Traditional risk score** | 9 — P3 (elevated to P2 due to regulatory exposure) | | **Optionality impact** | Moderate. Once logs are deleted, the option to investigate and prove scope is permanently lost. | -| **Convexity** | High. Extending retention to 180 days requires E3 Compliance Add-on (≈€8/user/month) or ingestion into a long-term log store (AOC + blob storage). Cost vs. cost of regulatory non-compliance is asymmetric. | -| **Current control** | M365 Unified Audit Log at 90-day default. No secondary storage. AOC not yet deployed. | -| **Antifragile move** | 1. Deploy AOC to ingest and persist audit logs beyond the 90-day window into the organisation's own infrastructure (MongoDB + blob storage). 2. Alternatively, evaluate E3 Compliance Add-on for extended Microsoft-native retention. 3. Document retention policy and verify it meets applicable regulatory requirements (NIS2 Article 21 recommends 12+ months). | +| **Convexity** | High. Extending retention to 180 days requires E3 Compliance Add-on (≈€8/user/month) or ingestion into a long-term log store (PULSAR + blob storage). Cost vs. cost of regulatory non-compliance is asymmetric. | +| **Current control** | M365 Unified Audit Log at 90-day default. No secondary storage. PULSAR not yet deployed. | +| **Antifragile move** | 1. Deploy PULSAR to ingest and persist audit logs beyond the 90-day window into the organisation's own infrastructure (MongoDB + blob storage). 2. Alternatively, evaluate E3 Compliance Add-on for extended Microsoft-native retention. 3. Document retention policy and verify it meets applicable regulatory requirements (NIS2 Article 21 recommends 12+ months). | | **Owner** | CISO / IT Manager | | **Target date** | 30 April 2025 (P2 — within 90 days) | | **Status** | Open | -| **Stress-to-signal mandate** | If an incident reveals log gaps: AOC deployed immediately post-incident; retention policy reviewed and extended to regulatory minimum; board notified of compliance gap. | -| **Verification method** | AOC deployed with log ingestion confirmed. Oldest ingested log age exceeds 180 days within 6 months of deployment. Retention policy documented and signed off. | +| **Stress-to-signal mandate** | If an incident reveals log gaps: PULSAR deployed immediately post-incident; retention policy reviewed and extended to regulatory minimum; board notified of compliance gap. | +| **Verification method** | PULSAR deployed with log ingestion confirmed. Oldest ingested log age exceeds 180 days within 6 months of deployment. Retention policy documented and signed off. | --- @@ -178,8 +178,8 @@ Next review: 14 April 2025 | **Traditional risk score** | 12 — P2 | | **Optionality impact** | Moderate. Without detection, the organisation cannot exercise the option to contain and eject an attacker early. | | **Convexity** | High. Building a detection engineering cell (1 FTE equivalent) costs ≈€150K/year and makes the €102K/year MSSP investment 3× more effective. | -| **Current control** | MSSP with generic ruleset. AOC not deployed. No custom detection rules. MSSP SLA measures ticket response time, not detection coverage. | -| **Antifragile move** | 1. Conduct a purple team TTP coverage test against the MSSP (5 TTPs, as described in the Retained Capability document). 2. Deploy AOC to add M365-specific detection on top of the MSSP. 3. Write 3–5 custom detection rules for the highest-priority Meridian-specific TTPs (OT/IT boundary crossing, service account anomalies, large SharePoint exports). 4. Add detection coverage rate to the MSSP SLA. 5. Consider a retained capability arrangement to maintain and extend the custom ruleset. | +| **Current control** | MSSP with generic ruleset. PULSAR not deployed. No custom detection rules. MSSP SLA measures ticket response time, not detection coverage. | +| **Antifragile move** | 1. Conduct a purple team TTP coverage test against the MSSP (5 TTPs, as described in the Retained Capability document). 2. Deploy PULSAR to add M365-specific detection on top of the MSSP. 3. Write 3–5 custom detection rules for the highest-priority Meridian-specific TTPs (OT/IT boundary crossing, service account anomalies, large SharePoint exports). 4. Add detection coverage rate to the MSSP SLA. 5. Consider a retained capability arrangement to maintain and extend the custom ruleset. | | **Owner** | IT Manager / outsourced CISO | | **Target date** | 30 June 2025 (P2 — within 90 days to start; sustained programme) | | **Status** | Open | diff --git a/antifragile-consulting/core/about-cqre-cs.md b/antifragile-consulting/core/about-cqre-cs.md index b049c53..9fda792 100644 --- a/antifragile-consulting/core/about-cqre-cs.md +++ b/antifragile-consulting/core/about-cqre-cs.md @@ -75,7 +75,7 @@ Jsme malá, specializovaná praxe. Neprovozujeme 24/7 operační centrum. Nepode **6. [PLACEHOLDER: Vaše šestá diferenciace]** -> **INTERNÍ POZNÁMKA** — Přidejte diferenciaci specifickou pro vaši praxi. Příklady: hluboká odbornost v konkrétním odvětví (OT/energie, české regulatorní prostředí); proprietární nástroje (ASTRAL, AOC, Elysium); jazykové schopnosti; specifické certifikace; metodologický přístup. +> **INTERNÍ POZNÁMKA** — Přidejte diferenciaci specifickou pro vaši praxi. Příklady: hluboká odbornost v konkrétním odvětví (OT/energie, české regulatorní prostředí); proprietární nástroje (ASTRAL, PULSAR, Elysium); jazykové schopnosti; specifické certifikace; metodologický přístup. [PLACEHOLDER: konkrétní diferenciace s jedním konkrétním příkladem nebo důkazem] diff --git a/antifragile-consulting/core/about-cqre.md b/antifragile-consulting/core/about-cqre.md index bac4919..47f92e2 100644 --- a/antifragile-consulting/core/about-cqre.md +++ b/antifragile-consulting/core/about-cqre.md @@ -81,7 +81,7 @@ We are a small, specialist practice. We do not run a 24/7 SOC. We do not sign of **6. [PLACEHOLDER: Your sixth differentiator]** -> **INTERNAL NOTE** — Add a differentiator specific to your practice. Examples: deep expertise in a specific vertical (OT/utilities, Czech regulatory environment); proprietary tools (ASTRAL, AOC, Elysium); language capability; specific certifications; methodology approach. +> **INTERNAL NOTE** — Add a differentiator specific to your practice. Examples: deep expertise in a specific vertical (OT/utilities, Czech regulatory environment); proprietary tools (ASTRAL, PULSAR, Elysium); language capability; specific certifications; methodology approach. [PLACEHOLDER: specific differentiator with one concrete example or proof point] diff --git a/antifragile-consulting/core/azure-openai-sovereignty-bridge.md b/antifragile-consulting/core/azure-openai-sovereignty-bridge.md index e603f7f..2031c0b 100644 --- a/antifragile-consulting/core/azure-openai-sovereignty-bridge.md +++ b/antifragile-consulting/core/azure-openai-sovereignty-bridge.md @@ -10,7 +10,7 @@ It is designed for M365/Azure consultancies whose clients are not ready for on-p ## The Executive Summary -Your clients are likely using ChatGPT, Claude, or Gemini via public APIs and consumer accounts. Every prompt leaves their perimeter, and the terms of service allow model improvement using that data. This is the worst possible posture. +Your clients are likely using ChatGPT, Claude, or Gemini via consumer accounts or unmanaged public APIs — where data residency is uncontrolled, audit rights are absent, and (for consumer tiers) terms of service may permit model improvement using submitted data. This is the worst possible posture. **Azure OpenAI Service is not fully sovereign.** Microsoft operates the infrastructure. The underlying models are shared. But it offers something critical that public APIs do not: @@ -204,7 +204,7 @@ For E3 clients, Azure OpenAI is a **separate Azure subscription**—it does not |---------|----------| | "Is this just another Microsoft lock-in?" | "It reduces lock-in compared to public APIs because your fine-tuned models, embeddings, and RAG pipelines are portable assets. When you are ready for full local AI, you migrate them. We are using Azure as a warehouse, not a prison." | | "Why not go straight to local AI?" | "Local AI requires hardware procurement, infrastructure setup, and expertise development—typically 3-6 months. Azure OpenAI stops the data leakage in 2 weeks while we build the local capability in parallel." | -| "How is this different from just using ChatGPT?" | "ChatGPT trains on your data. Azure OpenAI explicitly does not. ChatGPT has no audit trail. Azure OpenAI logs every prompt. ChatGPT offers no data residency guarantee. Azure OpenAI keeps your data in your region. The difference is governance, not capability." | +| "How is this different from just using ChatGPT?" | "Consumer ChatGPT may use your data for model improvement; Azure OpenAI explicitly does not. Consumer ChatGPT has no audit trail; Azure OpenAI logs every prompt. Consumer ChatGPT offers no data residency guarantee; Azure OpenAI keeps your data in your chosen region. The difference is governance and compliance, not capability." | | "What if Microsoft changes the terms?" | "The data processing agreement is contractually binding. More importantly, the assets we build in Foundry are portable. If terms change unfavorably, we exercise the exit option we have been building toward all along." | | "Will this slow down our AI adoption?" | "It will accelerate safe adoption. Employees currently use unauthorized AI because there is no sanctioned alternative. Azure OpenAI gives them a better, safer tool. Adoption goes up; risk goes down." | diff --git a/antifragile-consulting/core/blue-purple-team-foundation.md b/antifragile-consulting/core/blue-purple-team-foundation.md index 2117e46..d93c540 100644 --- a/antifragile-consulting/core/blue-purple-team-foundation.md +++ b/antifragile-consulting/core/blue-purple-team-foundation.md @@ -121,7 +121,7 @@ Many organizations have purchased or inherited an impressive security stack: **Deliverable**: Operating Rhythm Playbook -**Tool stack for the operating rhythm**: See the [Sovereign Tool Stack](../playbooks/sovereign-tool-stack.md) for the complete open-source SOC architecture. For M365-centric environments, AOC provides audit log intelligence; Wazuh + Sysmon provide endpoint detection; TheHive + Cortex provide case management; Shuffle provides automated response. This stack replaces €200K+/year commercial SOC tooling for clients who prioritise sovereignty. +**Tool stack for the operating rhythm**: See the [Sovereign Tool Stack](../playbooks/sovereign-tool-stack.md) for the complete open-source SOC architecture. For M365-centric environments, PULSAR provides audit log intelligence; Wazuh + Sysmon provide endpoint detection; TheHive + Cortex provide case management; Shuffle provides automated response. This stack replaces €200K+/year commercial SOC tooling for clients who prioritise sovereignty. - Weekly, bi-weekly, and monthly cadence definitions - RACI matrix for each activity - Dashboard definitions and data sources diff --git a/antifragile-consulting/core/consultant-field-guide.md b/antifragile-consulting/core/consultant-field-guide.md index a3320e2..d8daf6c 100644 --- a/antifragile-consulting/core/consultant-field-guide.md +++ b/antifragile-consulting/core/consultant-field-guide.md @@ -301,7 +301,7 @@ This is the minimum bar for leading (not shadowing) a module. If you are not the Before your first client engagement, build a personal lab that lets you safely test deployments: -- **M365 developer tenant** — Microsoft's free developer programme provides an E5 tenant. Use it for ASTRAL, AOC, CAExporter, and M365 module testing. Register via the Microsoft 365 Developer Programme. +- **M365 developer tenant** — Microsoft's free developer programme provides an E5 tenant. Use it for ASTRAL, PULSAR, CAExporter, and M365 module testing. Register via the Microsoft 365 Developer Programme. - **A small Linux VM (any cloud)** — For chatmail relay, Wazuh, TheHive, and Shuffle deployments. A €5–10/month VPS is sufficient for personal lab use. - **A Windows Server VM** — For AD module testing: BloodHound, Elysium, LAPS, Sysmon. Can be local (Hyper-V, VMware) or cloud. - **A CQRE internal environment** — Ask for access to the shared lab environment used for tool testing and client demos. diff --git a/antifragile-consulting/core/engagement-model.md b/antifragile-consulting/core/engagement-model.md index cd33293..fb8a8a6 100644 --- a/antifragile-consulting/core/engagement-model.md +++ b/antifragile-consulting/core/engagement-model.md @@ -166,7 +166,7 @@ Some clients want ongoing support rather than discrete projects. Three models: | Type | Description | Typical cadence | |------|-------------|----------------| | **Retained advisory** | A fixed number of hours per month for questions, threat model reviews, architecture reviews, and strategic guidance. No new module delivery — advisory only. | Monthly retainer, 8–16 hours/month | -| **Retained capability support** | Active support operating tools we deployed: reviewing ASTRAL alerts, tuning AOC detection rules, running quarterly AD scans with Elysium and PingCastle, reviewing Huntress findings. | Monthly or quarterly, scoped per tool set | +| **Retained capability support** | Active support operating tools we deployed: reviewing ASTRAL alerts, tuning PULSAR detection rules, running quarterly AD scans with Elysium and PingCastle, reviewing Huntress findings. | Monthly or quarterly, scoped per tool set | | **Module continuation** | Ongoing delivery of a multi-module programme at a structured cadence. Each module planned and scoped before it begins. | Quarterly module delivery | Retained relationships are renewed quarterly. Either side can exit with 30 days' notice. diff --git a/antifragile-consulting/core/executive-summary.md b/antifragile-consulting/core/executive-summary.md index a33a7d6..8710fbd 100644 --- a/antifragile-consulting/core/executive-summary.md +++ b/antifragile-consulting/core/executive-summary.md @@ -6,13 +6,13 @@ ## The Problem in One Sentence -Your organization is currently engaged in a **massive, unpaid research project for its competitors**—sending proprietary data, strategic reasoning, and operational intelligence to cloud platforms that are incentivized to commoditize your industry. +Your organization depends on technology infrastructure it does not fully control — cloud platforms whose incentives are not aligned with your survival, AI tools processing your operational intelligence under agreements you cannot audit, and vendors whose pricing, terms, and continued existence are outside your influence. ## What Is at Stake | Asset Category | Current Risk | If Compromised or Extracted | |---------------|-------------|----------------------------| -| Strategic intelligence | Rented from cloud AI providers | Competitors replicate your edge; your strategy becomes public model training data | +| Strategic intelligence | Rented from cloud AI providers | Vendor dependency, data residency risk, no audit rights over inference — and a strategy that improves their platform, not yours | | Customer trust | Protected by compliance theater | Regulatory fines, class-action liability, irreversible reputational damage | | Operational continuity | Dependent on vendor stability | Single API change or geopolitical event halts revenue-critical workflows | | Technical talent | Wasted on maintenance of fragile systems | Burnout, attrition, inability to attract security-conscious engineers | @@ -69,7 +69,7 @@ We do not propose a three-year transformation. We propose **four phases, 180 day This is not a cost centre. It is **optionality insurance**. - **Cost of the program**: Primarily configuration and process—existing tools are leveraged first. -- **Cost of inaction**: A single ransomware incident averages €4.5M in recovery. A single regulatory fine under DORA can reach 2% of global turnover. A single competitor trained on your data renders your proprietary advantage worthless. +- **Cost of inaction**: A single ransomware incident averages €4.5M in recovery. A single regulatory fine under DORA can reach 2% of global turnover. A single uncontrolled AI vendor relationship can expose your operational data to residency and audit failures that NIS2, DORA, or sector regulators will not overlook. - **ROI timeline**: Risk reduction is visible in 30 days. Regulatory evidence is demonstrable in 90 days. Competitive advantage from sovereign intelligence compounds over 12-24 months. ## The Decision Required diff --git a/antifragile-consulting/core/modular-engagements.md b/antifragile-consulting/core/modular-engagements.md index c917fb5..cc63f2f 100644 --- a/antifragile-consulting/core/modular-engagements.md +++ b/antifragile-consulting/core/modular-engagements.md @@ -73,7 +73,7 @@ We do not sell monolithic transformation projects. We sell **building blocks** t - Legacy authentication blocked tenant-wide - Privileged access workstation (PAW) architecture for admins - PIM deployment (if E5/Entra ID P2) or manual JIT process (if E3) -- AOC deployment for audit log intelligence and anomalous admin detection +- PULSAR deployment for audit log intelligence and anomalous admin detection - Guest access audit and time-bounding - OAuth consent governance @@ -168,7 +168,7 @@ We do not sell monolithic transformation projects. We sell **building blocks** t **Executive pitch**: -> *"Your teams are already using AI—through personal accounts, browser tabs, and mobile apps. Every proprietary document they paste into ChatGPT trains a model that will eventually be sold to your competitors. We stop that leakage in two weeks by giving them a better, safer alternative. Then we build your first custom AI asset on data that never leaves your Azure region."* +> *"Your teams are already using AI—through personal accounts, browser tabs, and mobile apps. Every proprietary document they send to an unmanaged AI service is processed under terms you haven't reviewed, on infrastructure outside your control, with no data residency guarantees. We stop that leakage in two weeks by giving them a better, safer alternative. Then we build your first custom AI asset on data that never leaves your Azure region."* **Natural next modules**: Module 9 (Organizational Resilience), Module 4 (Data Governance), Module 10 (Red Team & Validation) diff --git a/antifragile-consulting/core/retained-capability.md b/antifragile-consulting/core/retained-capability.md index 292cb19..624e2f3 100644 --- a/antifragile-consulting/core/retained-capability.md +++ b/antifragile-consulting/core/retained-capability.md @@ -32,7 +32,7 @@ When you outsource a security function, you should retain three capabilities int | Retained Capability | Why It Cannot Be Outsourced | What It Produces | |--------------------|---------------------------|------------------| -| **Detection Engineering** | Only you know what "normal" looks like in your environment. Only you can write rules that detect anomalies specific to your architecture, your applications, and your user behaviours. | Custom detection rules (KQL, Sigma, YARA, Wazuh) and M365-specific detections via AOC that catch threats generic rules miss | +| **Detection Engineering** | Only you know what "normal" looks like in your environment. Only you can write rules that detect anomalies specific to your architecture, your applications, and your user behaviours. | Custom detection rules (KQL, Sigma, YARA, Wazuh) and M365-specific detections via PULSAR that catch threats generic rules miss | | **Threat Context & Prioritization** | Only you know which assets are crown jewels. Only you can prioritize a vulnerability on your payment gateway over a vulnerability on your marketing blog. | Risk-ranked remediation that aligns with business impact | | **Integration & Orchestration** | Only you can connect the SOC to your change management, your identity team, your OT engineers, and your executives. | Closed-loop incident response that produces structural improvement | diff --git a/antifragile-consulting/playbooks/ai-assisted-tvm.md b/antifragile-consulting/playbooks/ai-assisted-tvm.md index 47bb3cc..50f8147 100644 --- a/antifragile-consulting/playbooks/ai-assisted-tvm.md +++ b/antifragile-consulting/playbooks/ai-assisted-tvm.md @@ -70,7 +70,7 @@ AI-assisted TVM does not replace basic hygiene. It **accelerates it by an order | **Cloud security posture** (Defender for Cloud, Prisma, Wiz) | Cloud resource misconfigurations | AI identifies cloud-specific kill chains (e.g., overly permissive S3 → compromised IAM → lateral movement) | | **Zero-budget discovery** (PowerShell, SSH scripts, Syft/Grype, osquery) | Server inventory, SBOMs, package-level CVE correlation | AI aggregates script-based findings into unified risk view. See [Zero-Budget Vulnerability Discovery](zero-budget-vulnerability-discovery.md) | | **osquery + FleetDM** | Cross-platform endpoint inventory, real-time process/network data, policy compliance | AI queries live endpoint state for prioritization and kill chain simulation. See [Osquery: The Sovereign Discovery Platform](osquery-custom-platform.md) | -| **AOC (Admin Operations Center)** | M365 audit log intelligence, anomalous admin behaviour, privilege escalation detection | AI enriches insider-threat context with external vulnerability data for complete kill chain picture. See [Sovereign Tool Stack](sovereign-tool-stack.md) | +| **PULSAR (Platform for Unified Log Search, Alerting & Review)** | M365 audit log intelligence, anomalous admin behaviour, privilege escalation detection | AI enriches insider-threat context with external vulnerability data for complete kill chain picture. See [Sovereign Tool Stack](sovereign-tool-stack.md) | | **Prowler** | Multi-cloud security posture (AWS, Azure, GCP) | AI correlates cloud misconfigurations with endpoint and identity findings for cross-layer risk scoring. See [Sovereign Tool Stack](sovereign-tool-stack.md) | | **Attack surface management** (Cortex Xpanse, Shodan, Nuclei, Amass) | External-facing assets unknown to IT | AI maps shadow IT and forgotten assets faster than manual discovery. See [Perimeter Scanning Capability](perimeter-scanning-capability.md) | | **Software bill of materials (SBOM)** | Known vulnerable components in applications | AI monitors SBOMs against real-time CVE disclosure and exploit availability | diff --git a/antifragile-consulting/playbooks/m365-e3-hardening.md b/antifragile-consulting/playbooks/m365-e3-hardening.md index d7b7bb7..692a8c3 100644 --- a/antifragile-consulting/playbooks/m365-e3-hardening.md +++ b/antifragile-consulting/playbooks/m365-e3-hardening.md @@ -122,7 +122,7 @@ Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true - Retention: 90 days (E3 default); document the gap vs. 1-year requirement in some regulations - Export for analysis: `Search-UnifiedAuditLog` or use Microsoft Purview Audit (Standard) if available -- **AOC integration**: For clients with AOC deployed, unified audit logs are ingested automatically and correlated with Entra ID sign-in events to surface anomalous admin behaviour without manual PowerShell queries +- **PULSAR integration**: For clients with PULSAR deployed, unified audit logs are ingested automatically and correlated with Entra ID sign-in events to surface anomalous admin behaviour without manual PowerShell queries **Enable Mailbox Auditing** @@ -344,6 +344,6 @@ See [Vertical: Banking](../reference/vertical-banking.md) for full regulatory al *Previous: [Zero-Budget Hardening](zero-budget-hardening.md)* *Next: [AD and Endpoint Hardening](ad-endpoint-hardening.md)* -*For the complete open-source tool arsenal including ASTRAL and AOC, see [Sovereign Tool Stack](sovereign-tool-stack.md)* +*For the complete open-source tool arsenal including ASTRAL and PULSAR, see [Sovereign Tool Stack](sovereign-tool-stack.md)* For how Intune deployment becomes the natural entry point for broader security transformation, see [Endpoint Management Entry Vector](endpoint-management-entry-vector.md). diff --git a/antifragile-consulting/playbooks/sovereign-tool-stack.md b/antifragile-consulting/playbooks/sovereign-tool-stack.md index ba7f39f..0ad8e58 100644 --- a/antifragile-consulting/playbooks/sovereign-tool-stack.md +++ b/antifragile-consulting/playbooks/sovereign-tool-stack.md @@ -6,7 +6,7 @@ This document provides the complete capability map for our consulting practice: 1. **Clients** who want to understand what we bring to an engagement 2. **Consultants** who need to select the right tool for the right module -3. **Our own product team** who are building ASTRAL and AOC to close the M365-native gap +3. **Our own product team** who are building ASTRAL and PULSAR to close the M365-native gap --- @@ -115,11 +115,11 @@ This document provides the complete capability map for our consulting practice: | **Antifragile pillar** | Sovereign Intelligence, Asymmetric Payoff Design | | **Engagement modules** | Module 4 (Data Governance); Module 11 (Embedded Quality); all compliance-driven clients | | **Typical output** | Live compliance dashboard: "DORA Article 12: 14 of 17 controls evidence-complete; 3 gaps assigned to owners with due dates" | -| **Integration** | Pulls findings from Prowler, osquery, BloodHound, and AOC into unified evidence packages | +| **Integration** | Pulls findings from Prowler, osquery, BloodHound, and PULSAR into unified evidence packages | **The conversation**: -> *"Your auditor wants evidence that you monitor privileged access. CISO Assistant links the BloodHound scan, the Purple Knight score, the AOC admin activity report, and the osquery listening-ports query into a single evidence package for DORA Article 8. No scrambling for screenshots the night before the audit."* +> *"Your auditor wants evidence that you monitor privileged access. CISO Assistant links the BloodHound scan, the Purple Knight score, the PULSAR admin activity report, and the osquery listening-ports query into a single evidence package for DORA Article 8. No scrambling for screenshots the night before the audit."* --- @@ -236,7 +236,7 @@ This document provides the complete capability map for our consulting practice: | **Antifragile pillar** | Structural Decoupling, Stress-to-Signal Conversion | | **Engagement modules** | Module 2 (M365 Identity Security); Module 3 (M365 Security Hardening); compliance audits requiring CA policy evidence (NIS2, ISO 27001, DORA) | | **Typical output** | Excel workbook with one row per policy: policy name, conditions, controls, named groups and apps (not object IDs), assignment scope, current state (enabled/disabled/report-only), and export timestamp. Audit-ready without a single screenshot. | -| **Integration** | Export feeds into ASTRAL as the human-readable CA policy baseline (state at engagement start); CISO Assistant links the workbook as evidence for Entra ID hardening controls; AOC change alerts are cross-referenced against the export to identify which named policy changed | +| **Integration** | Export feeds into ASTRAL as the human-readable CA policy baseline (state at engagement start); CISO Assistant links the workbook as evidence for Entra ID hardening controls; PULSAR change alerts are cross-referenced against the export to identify which named policy changed | **The conversation**: @@ -255,7 +255,7 @@ This document provides the complete capability map for our consulting practice: ┌───────────────┬───────────────┼───────────────┬───────────────┐ ▼ ▼ ▼ ▼ ▼ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ -│ Prowler │ │BloodHound│ │ ASTRAL │ │ AOC │ │ osquery │ +│ Prowler │ │BloodHound│ │ ASTRAL │ │ PULSAR │ │ osquery │ │(Cloud) │ │ (AD) │ │ (M365) │ │(Audit) │ │(Endpoint)│ └────┬────┘ └────┬────┘ └────┬────┘ └────┬────┘ └────┬────┘ │ │ │ │ │ @@ -277,7 +277,7 @@ This document provides the complete capability map for our consulting practice: **Data flow**: 1. **Discovery layer** (Prowler, BloodHound, osquery, ASTRAL) collects raw security state -2. **Intelligence layer** (AOC, AI-assisted TVM) correlates, enriches, and prioritises +2. **Intelligence layer** (PULSAR, AI-assisted TVM) correlates, enriches, and prioritises 3. **Governance layer** (CISO Assistant) maps findings to compliance frameworks and tracks remediation 4. **Validation layer** (Purple Knight, Forest Druid, purple team exercises) proves fixes work @@ -289,7 +289,7 @@ Our current stack covers cloud posture, AD security, GRC, M365 configuration, an ### Gap 1: Endpoint Detection and Response (EDR) — The Visibility Gap -**Current state**: osquery provides structured endpoint inventory and compliance. AOC ingests M365 audit logs. What is missing is real-time behavioural detection on the endpoint itself. +**Current state**: osquery provides structured endpoint inventory and compliance. PULSAR ingests M365 audit logs. What is missing is real-time behavioural detection on the endpoint itself. **Recommended close**: **Wazuh + Sysmon** (open-source EDR stack) @@ -308,7 +308,7 @@ Our current stack covers cloud posture, AD security, GRC, M365 configuration, an ### Gap 2: Security Orchestration and Automated Response (SOAR) — The Response Gap -**Current state**: AOC detects anomalous admin behaviour. ASTRAL detects configuration drift. What is missing is automated response: disabling a compromised account, isolating a device, or revoking an OAuth grant at machine speed. +**Current state**: PULSAR detects anomalous admin behaviour. ASTRAL detects configuration drift. What is missing is automated response: disabling a compromised account, isolating a device, or revoking an OAuth grant at machine speed. **Recommended close**: **Shuffle** (open-source SOAR) @@ -319,7 +319,7 @@ Our current stack covers cloud posture, AD security, GRC, M365 configuration, an | Self-hosted: data never leaves client infrastructure | | Replaces €100,000+/year commercial SOAR platforms | -**Example playbook**: AOC detects impossible-travel sign-in → Shuffle disables account → ASTRAL revokes all active sessions → Slack alerts SOC → CISO Assistant logs incident → Ticket created in client ITSM. +**Example playbook**: PULSAR detects impossible-travel sign-in → Shuffle disables account → ASTRAL revokes all active sessions → Slack alerts SOC → CISO Assistant logs incident → Ticket created in client ITSM. **When to deploy**: Module 12 (Blue/Purple Team Foundation); retained capability engagements. @@ -327,7 +327,7 @@ Our current stack covers cloud posture, AD security, GRC, M365 configuration, an ### Gap 3: Incident Response Case Management — The Coordination Gap -**Current state**: Findings are scattered across Prowler, BloodHound, AOC, and osquery. What is missing is a single case management system that tracks incidents from detection through remediation to post-mortem. +**Current state**: Findings are scattered across Prowler, BloodHound, PULSAR, and osquery. What is missing is a single case management system that tracks incidents from detection through remediation to post-mortem. **Recommended close**: **TheHive + Cortex** (open-source SOC case management) @@ -386,7 +386,7 @@ Our current stack covers cloud posture, AD security, GRC, M365 configuration, an |----------|--------------| | Protocol analysis: extracts metadata from HTTP, DNS, TLS, SMB without full packet storage | IDS/IPS with 30,000+ signatures and emerging threat rules | | Scales to 10 Gbps+ on commodity hardware | Can drop malicious traffic inline (IPS mode) | -| Output is structured JSON—easy to feed into Wazuh or AOC | Native file extraction and malware detection | +| Output is structured JSON—easy to feed into Wazuh or PULSAR | Native file extraction and malware detection | **When to deploy**: Module 8 (OT Security Assessment) for industrial network segmentation validation; Module 12 (Blue/Purple Team) for detection engineering. @@ -401,7 +401,7 @@ Our current stack covers cloud posture, AD security, GRC, M365 configuration, an | AD security assessment | **Purple Knight / Forest Druid** | PingCastle, ADRecon | Semperis Directory Services Protector | AD hardening engagements | | GRC and compliance | **CISO Assistant** | OpenGRC, SimpleRisk | ServiceNow GRC, RSA Archer | DORA, NIS2, SOC 2 clients | | M365 backup/change mgmt | **ASTRAL** | — (no open-source equivalent) | Veeam, AvePoint, SkyKick | All M365 clients; retained capability | -| M365 audit intelligence | **AOC** | — (no open-source equivalent) | Microsoft Sentinel, ManageEngine | All M365 clients; SOC co-management | +| M365 audit intelligence | **PULSAR** | — (no open-source equivalent) | Microsoft Sentinel, ManageEngine | All M365 clients; SOC co-management | | CA policy documentation | **CAExporter** | — (no equivalent) | — | Every Module 2 engagement; CA audits | | AD password audit | **Elysium** | — (DSInternals manual use) | Netwrix Password Policy, Specops | Every AD engagement; Module 6 | | Intune baseline deployment | **macOS_IntuneManagement** | — (no cross-platform equivalent) | — | Tenant migrations; brownfield baseline | @@ -438,13 +438,13 @@ Our current stack covers cloud posture, AD security, GRC, M365 configuration, an **CQRE utilities**: macOS_IntuneManagement (baseline deployment, cross-tenant migration); IntunePolicyParser (policy audit register); M365-Scripts (MDE device lifecycle); E8-CAT (pre/post hardening Essential Eight score) ### Module 2: M365 Identity Security -**Primary**: AOC (audit log intelligence) + BloodHound (hybrid identity attack paths) +**Primary**: PULSAR (audit log intelligence) + BloodHound (hybrid identity attack paths) **Augmentation**: Purple Knight (AD security baseline) **CQRE utilities**: CAExporter (CA policy documentation baseline — run first, before any CA hardening) ### Module 3: M365 Security Hardening **Primary**: ASTRAL (configuration state) + Prowler (Azure posture) -**Augmentation**: AOC (continuous monitoring of security control changes) +**Augmentation**: PULSAR (continuous monitoring of security control changes) **CQRE utilities**: CAExporter (CA policy register as audit evidence); E8-CAT (macro restriction and application hardening verification) ### Module 6: On-Premise AD Hardening @@ -462,10 +462,10 @@ Our current stack covers cloud posture, AD security, GRC, M365 configuration, an ### Module 12: Blue/Purple Team Foundation **Primary**: Wazuh + Sysmon + TheHive + Cortex + Shuffle -**Augmentation**: AOC (M365-specific detections) + Velociraptor (endpoint forensics) + OpenCanary (deception) + OpenCTI (threat intel correlation) +**Augmentation**: PULSAR (M365-specific detections) + Velociraptor (endpoint forensics) + OpenCanary (deception) + OpenCTI (threat intel correlation) ### Retained Capability: Detection Engineering -**Primary**: Wazuh (rule authoring) + AOC (M365 detections) + Shuffle (response playbooks) +**Primary**: Wazuh (rule authoring) + PULSAR (M365 detections) + Shuffle (response playbooks) **Augmentation**: Zeek + Suricata (network detection rules) --- @@ -479,7 +479,7 @@ Our current stack covers cloud posture, AD security, GRC, M365 configuration, an | Purple Knight | 30 minutes | None | Low | Medium (AD scan) | | CISO Assistant | 1 day | Docker host or VM | Low | Low-Medium (compliance data) | | ASTRAL | 2 hours | SaaS or client-hosted | Low | High (M365 configuration) | -| AOC | 4 hours | SaaS or client-hosted | Medium | High (audit logs, identity data) | +| PULSAR | 4 hours | SaaS or client-hosted | Medium | High (audit logs, identity data) | | CAExporter | 30 minutes | None (runs from PowerShell) | Low | Low (read-only CA policy export) | | Elysium | 1–2 hours | Dedicated secure host (on-premises) | Medium | High (domain password hashes — stays on-prem) | | macOS_IntuneManagement | 1 hour | None (PowerShell 7+) | Low | Medium (Intune policy data) | @@ -519,7 +519,7 @@ Beyond the core stack, these tools address specific niches that arise in sophist | **What it does** | Open-source cross-platform adversary simulation and command-and-control (C2) framework. Replaces Cobalt Strike for red team engagements at zero licensing cost. | | **Why we use it** | Cobalt Strike costs €30,000+/year and is fingerprinted by most EDR. Sliver is free, actively maintained by Bishop Fox, and supports DNS, HTTPS, mutual TLS, and WireGuard C2 channels. It generates implants for Windows, macOS, and Linux. | | **When to deploy** | Module 10 (Red Team & Validation); purple team exercises; EDR efficacy testing | -| **Integration** | Red team activity detected by Wazuh + Sysmon feeds into TheHive cases; AOC correlates any M365 session anomalies with red team timing | +| **Integration** | Red team activity detected by Wazuh + Sysmon feeds into TheHive cases; PULSAR correlates any M365 session anomalies with red team timing | **The conversation**: @@ -558,7 +558,7 @@ Beyond the core stack, these tools address specific niches that arise in sophist | **What it does** | Runtime security detection for containers, Kubernetes, and Linux hosts. Uses system call monitoring to detect anomalous behaviour: unexpected outbound connections, privileged container escapes, sensitive file access. | | **Why we use it** | Syft + Grype find vulnerable packages at build time. Falco detects exploitation at runtime. Without Falco, a container with a CVE can be exploited silently. | | **When to deploy** | Any client with Kubernetes or containerised workloads; Module 9 (Organisational Resilience) for CI/CD security gates | -| **Integration** | Falco alerts feed into Wazuh or directly to TheHive; AOC correlates container events with M365 identity context for supply-chain attack detection | +| **Integration** | Falco alerts feed into Wazuh or directly to TheHive; PULSAR correlates container events with M365 identity context for supply-chain attack detection | --- @@ -624,7 +624,7 @@ Beyond the core stack, these tools address specific niches that arise in sophist | **What it does** | Scans Git repositories for hardcoded secrets: API keys, passwords, tokens, private keys. Supports pre-commit hooks and CI/CD integration. | | **Why we use it** | The most common cloud breach vector is not zero-day exploitation. It is a developer committing an AWS access key to GitHub. GitLeaks finds it before the commit—or scans historical commits for existing leakage. | | **When to deploy** | Module 9 (Organisational Resilience); DevSecOps engagements; any client with active software development | -| **Integration** | CI/CD pipeline integration; findings fed into CISO Assistant for evidence tracking; AOC monitors for any M365 session using leaked credentials | +| **Integration** | CI/CD pipeline integration; findings fed into CISO Assistant for evidence tracking; PULSAR monitors for any M365 session using leaked credentials | --- @@ -648,7 +648,7 @@ Beyond the core stack, these tools address specific niches that arise in sophist | **What it does** | Open-source phishing simulation framework. Build campaigns, track click rates, capture credentials (in training mode), and measure user susceptibility over time. | | **Why we use it** | Commercial phishing platforms cost €5-15/user/year. GoPhish is free, self-hosted, and produces equivalent metrics. It integrates with LDAP for realistic email targeting. | | **When to deploy** | Module 3 (M365 Security Hardening); security awareness programmes; post-incident user training | -| **Integration** | Results feed into CISO Assistant for training evidence; high-risk users flagged in AOC for enhanced monitoring | +| **Integration** | Results feed into CISO Assistant for training evidence; high-risk users flagged in PULSAR for enhanced monitoring | --- @@ -738,7 +738,7 @@ These are partnerships we invest in deeply. We train the team, build integration | **What they provide** | Managed EDR for SMBs and mid-market: 24/7 threat hunting, incident response, ransomware rollback. Agent deployment via RMM or Intune. | | **Why we partner** | Our open-source EDR stack (Wazuh + Sysmon) is excellent for clients who want sovereignty. But it requires us to tune rules, investigate alerts, and respond to incidents. Huntress provides the 24/7 layer we cannot staff at 5-20 people. We bring the strategic context; they bring the night shift. | | **Client archetype** | E3 clients without Defender P2; municipalities; professional services; any client who needs EDR but cannot justify CrowdStrike or SentinelOne | -| **Engagement model** | We deploy and configure Huntress as part of Module 1 or 3. We retain the relationship and add our own detection rules via AOC for M365 context. Huntress handles the endpoint. We handle the narrative. | +| **Engagement model** | We deploy and configure Huntress as part of Module 1 or 3. We retain the relationship and add our own detection rules via PULSAR for M365 context. Huntress handles the endpoint. We handle the narrative. | | **Financial model** | Per-endpoint licensing with partner margin. We bill labour for deployment, tuning, and quarterly reviews. The recurring license revenue funds our growth without proportional labour increase. | | **When NOT to use** | Clients who require air-gapped networks; clients with sovereign-data mandates that prohibit third-party agent telemetry; clients who explicitly want to own their detection logic (then we deploy Wazuh) | @@ -804,7 +804,7 @@ These are tools we purchase for our own team to deliver services more effectivel | **Burp Suite Professional** | Web application penetration testing | The industry standard. Community edition is too limited for professional engagements. | | **Cobalt Strike** (or **Sliver** for budget-conscious) | Red team C2 and adversary simulation | When clients specifically require Cobalt Strike for insurance or compliance validation. Sliver is our default; Cobalt Strike is the enterprise alternative. | | **Offensive Security / SANS training** | Consultant skill development | Our team must maintain current certifications. Training is a cost of doing business, not a partnership. | -| **Microsoft Action Pack / CSP** | Internal M365 licensing for testing | We need sandbox tenants to test ASTRAL and AOC before client deployment. Microsoft's partner programme provides this at low cost. | +| **Microsoft Action Pack / CSP** | Internal M365 licensing for testing | We need sandbox tenants to test ASTRAL and PULSAR before client deployment. Microsoft's partner programme provides this at low cost. | --- @@ -813,9 +813,9 @@ These are tools we purchase for our own team to deliver services more effectivel | Category | Example | Why We Refuse | |----------|---------|---------------| | **All-in-one security platforms** | CrowdStrike, Palo Alto, SentinelOne | They replace our entire stack with a black box. We become a reseller, not a consultant. The client loses sovereignty. We lose differentiation. | -| **Generic SIEM** | Splunk, Datadog, Elastic Cloud | Wazuh + TheHive + AOC covers 90% of client needs. Splunk requires a €100K+ commitment and a dedicated engineer. We refer complex SIEM needs to specialists rather than pretending to be one. | +| **Generic SIEM** | Splunk, Datadog, Elastic Cloud | Wazuh + TheHive + PULSAR covers 90% of client needs. Splunk requires a €100K+ commitment and a dedicated engineer. We refer complex SIEM needs to specialists rather than pretending to be one. | | **AI security startups** | Any vendor claiming "AI-powered" threat detection with no transparent model | Our AI strategy is sovereign: Azure OpenAI bridge and local LLMs. We do not resell opaque AI tools that we cannot explain to a board. | -| **M365 management competitors** | CoreView, AdminDroid, Quest | ASTRAL and AOC are our proprietary differentiators. Partnering here would undermine our own product investment. | +| **M365 management competitors** | CoreView, AdminDroid, Quest | ASTRAL and PULSAR are our proprietary differentiators. Partnering here would undermine our own product investment. | --- @@ -831,7 +831,7 @@ These are tools we purchase for our own team to deliver services more effectivel - Tier 1: Huntress + Thinkst + Tenable (full enterprise VM partnership) - Tier 2: Delinea, KnowBe4, Veeam, Proofpoint (active partner status, trained engineers) - Tier 3: Cobalt Strike license for red team; additional SANS/training budget -- ASTRAL and AOC monetised as SaaS products with their own revenue stream +- ASTRAL and PULSAR monetised as SaaS products with their own revenue stream **The rule**: Every commercial partnership must either (a) provide a capability we cannot build, (b) generate recurring revenue without proportional labour, or (c) satisfy a compliance requirement that open-source cannot meet. If it does none of these, we decline. @@ -858,11 +858,11 @@ These are tools we purchase for our own team to deliver services more effectivel | Document | Integration | |----------|-------------| | [Zero-Budget Vulnerability Discovery](zero-budget-vulnerability-discovery.md) | Syft + Grype container pipeline; osquery endpoint discovery; Prowler cloud-native discovery; GitLeaks secrets scanning | -| [AI-Assisted TVM Blueprint](ai-assisted-tvm.md) | All discovery tools feed the AI prioritisation engine; AOC provides insider-threat context; OpenCTI enriches with threat actor context | +| [AI-Assisted TVM Blueprint](ai-assisted-tvm.md) | All discovery tools feed the AI prioritisation engine; PULSAR provides insider-threat context; OpenCTI enriches with threat actor context | | [Perimeter Scanning Capability](perimeter-scanning-capability.md) | Nuclei + Amass + Naabu form the open-source active scanning layer; Prowler covers cloud perimeter; CertStream monitors for new subdomains | | [Osquery: The Sovereign Discovery Platform](osquery-custom-platform.md) | osquery + FleetDM is the endpoint discovery layer; Wazuh extends to behavioural detection; Velociraptor adds forensic hunting | -| [Blue/Purple Team Foundation](../core/blue-purple-team-foundation.md) | Wazuh + TheHive + Cortex + Shuffle form the open-source SOC stack; AOC adds M365-specific detection; Sliver enables adversary simulation; OpenCanary provides deception | -| [Retained Capability](../core/retained-capability.md) | Detection Engineering retained capability is built on Wazuh + AOC + Shuffle; Threat Context on TheHive + Cortex + OpenCTI | +| [Blue/Purple Team Foundation](../core/blue-purple-team-foundation.md) | Wazuh + TheHive + Cortex + Shuffle form the open-source SOC stack; PULSAR adds M365-specific detection; Sliver enables adversary simulation; OpenCanary provides deception | +| [Retained Capability](../core/retained-capability.md) | Detection Engineering retained capability is built on Wazuh + PULSAR + Shuffle; Threat Context on TheHive + Cortex + OpenCTI | | [Modular Engagements](../core/modular-engagements.md) | Each module has a recommended tool pairing in the matrix above; partnership doctrine defines when commercial tools supplement open-source | | [AD and Endpoint Hardening](ad-endpoint-hardening.md) | BloodHound maps attack paths; Purple Knight / Forest Druid score AD security; Velociraptor hunts for indicators of compromise on domain controllers | | [Business Case Template](business-case-template.md) | Partnership financial models (Huntress recurring, Thinkst margin, Tenable compliance) feed into client ROI calculations | diff --git a/antifragile-consulting/reference/cis-controls-mapping.md b/antifragile-consulting/reference/cis-controls-mapping.md index 03ccd9b..9987574 100644 --- a/antifragile-consulting/reference/cis-controls-mapping.md +++ b/antifragile-consulting/reference/cis-controls-mapping.md @@ -38,7 +38,7 @@ IG1 is the **safeguards that every organization should implement to protect agai | Sovereignty (Days 60-90) | Ensure proprietary AI data never leaves perimeter | Local AI infrastructure | | Antifragility (Days 90-180) | Automated data loss prevention | Existing CASB or DLP | -**Antifragile Angle**: Data protection is not encryption at rest. It is **ensuring your proprietary signal does not train your competitor's model**. Local AI is a data protection control. +**Antifragile Angle**: Data protection is not encryption at rest. It is **ensuring your proprietary operational data stays under your control, with audit rights and data residency you can verify**. Local or sovereign AI is a data protection control. ### Control 4: Secure Configuration of Enterprise Assets and Software