chore: Full consistency scan — AOC->PULSAR, fix training-data claims, fix 90% claim

AOC -> PULSAR across 10 files (engagement-model, retained-capability, modular-engagements, blue-purple-team-foundation, about-cqre, about-cqre-cs, consultant-field-guide, ai-assisted-tvm, m365-e3-hardening, sovereign-tool-stack, risk-register-example). Training-data framing corrected in: - executive-summary.md: opening paragraph and risk table - README.md: 90% solution claim -> 30-60% in 180 days - modular-engagements.md: public API data use claim - cis-controls-mapping.md: data protection framing - antifragile-risk-register.md: risk entry softened to accurate framing - azure-openai-sovereignty-bridge.md: consumer vs enterprise API distinction Co-Authored-By: Tom Kracmar <tom+claude@cat6.cz>
2026-06-05 07:05:13 +00:00
parent bcebf8ebb3
commit 3062e435ca
16 changed files with 55 additions and 55 deletions
@@ -75,7 +75,7 @@ Jsme malá, specializovaná praxe. Neprovozujeme 24/7 operační centrum. Nepode

 **6. [PLACEHOLDER: Vaše šestá diferenciace]**

-> **INTERNÍ POZNÁMKA** — Přidejte diferenciaci specifickou pro vaši praxi. Příklady: hluboká odbornost v konkrétním odvětví (OT/energie, české regulatorní prostředí); proprietární nástroje (ASTRAL, AOC, Elysium); jazykové schopnosti; specifické certifikace; metodologický přístup.
+> **INTERNÍ POZNÁMKA** — Přidejte diferenciaci specifickou pro vaši praxi. Příklady: hluboká odbornost v konkrétním odvětví (OT/energie, české regulatorní prostředí); proprietární nástroje (ASTRAL, PULSAR, Elysium); jazykové schopnosti; specifické certifikace; metodologický přístup.

 [PLACEHOLDER: konkrétní diferenciace s jedním konkrétním příkladem nebo důkazem]

@@ -81,7 +81,7 @@ We are a small, specialist practice. We do not run a 24/7 SOC. We do not sign of

 **6. [PLACEHOLDER: Your sixth differentiator]**

-> **INTERNAL NOTE** — Add a differentiator specific to your practice. Examples: deep expertise in a specific vertical (OT/utilities, Czech regulatory environment); proprietary tools (ASTRAL, AOC, Elysium); language capability; specific certifications; methodology approach.
+> **INTERNAL NOTE** — Add a differentiator specific to your practice. Examples: deep expertise in a specific vertical (OT/utilities, Czech regulatory environment); proprietary tools (ASTRAL, PULSAR, Elysium); language capability; specific certifications; methodology approach.

 [PLACEHOLDER: specific differentiator with one concrete example or proof point]

@@ -10,7 +10,7 @@ It is designed for M365/Azure consultancies whose clients are not ready for on-p

 ## The Executive Summary

-Your clients are likely using ChatGPT, Claude, or Gemini via public APIs and consumer accounts. Every prompt leaves their perimeter, and the terms of service allow model improvement using that data. This is the worst possible posture.
+Your clients are likely using ChatGPT, Claude, or Gemini via consumer accounts or unmanaged public APIs — where data residency is uncontrolled, audit rights are absent, and (for consumer tiers) terms of service may permit model improvement using submitted data. This is the worst possible posture.

 **Azure OpenAI Service is not fully sovereign.** Microsoft operates the infrastructure. The underlying models are shared. But it offers something critical that public APIs do not:

@@ -204,7 +204,7 @@ For E3 clients, Azure OpenAI is a **separate Azure subscription**—it does not
 |---------|----------|
 | "Is this just another Microsoft lock-in?" | "It reduces lock-in compared to public APIs because your fine-tuned models, embeddings, and RAG pipelines are portable assets. When you are ready for full local AI, you migrate them. We are using Azure as a warehouse, not a prison." |
 | "Why not go straight to local AI?" | "Local AI requires hardware procurement, infrastructure setup, and expertise development—typically 3-6 months. Azure OpenAI stops the data leakage in 2 weeks while we build the local capability in parallel." |
-| "How is this different from just using ChatGPT?" | "ChatGPT trains on your data. Azure OpenAI explicitly does not. ChatGPT has no audit trail. Azure OpenAI logs every prompt. ChatGPT offers no data residency guarantee. Azure OpenAI keeps your data in your region. The difference is governance, not capability." |
+| "How is this different from just using ChatGPT?" | "Consumer ChatGPT may use your data for model improvement; Azure OpenAI explicitly does not. Consumer ChatGPT has no audit trail; Azure OpenAI logs every prompt. Consumer ChatGPT offers no data residency guarantee; Azure OpenAI keeps your data in your chosen region. The difference is governance and compliance, not capability." |
 | "What if Microsoft changes the terms?" | "The data processing agreement is contractually binding. More importantly, the assets we build in Foundry are portable. If terms change unfavorably, we exercise the exit option we have been building toward all along." |
 | "Will this slow down our AI adoption?" | "It will accelerate safe adoption. Employees currently use unauthorized AI because there is no sanctioned alternative. Azure OpenAI gives them a better, safer tool. Adoption goes up; risk goes down." |

@@ -121,7 +121,7 @@ Many organizations have purchased or inherited an impressive security stack:

 **Deliverable**: Operating Rhythm Playbook

-**Tool stack for the operating rhythm**: See the [Sovereign Tool Stack](../playbooks/sovereign-tool-stack.md) for the complete open-source SOC architecture. For M365-centric environments, AOC provides audit log intelligence; Wazuh + Sysmon provide endpoint detection; TheHive + Cortex provide case management; Shuffle provides automated response. This stack replaces €200K+/year commercial SOC tooling for clients who prioritise sovereignty.
+**Tool stack for the operating rhythm**: See the [Sovereign Tool Stack](../playbooks/sovereign-tool-stack.md) for the complete open-source SOC architecture. For M365-centric environments, PULSAR provides audit log intelligence; Wazuh + Sysmon provide endpoint detection; TheHive + Cortex provide case management; Shuffle provides automated response. This stack replaces €200K+/year commercial SOC tooling for clients who prioritise sovereignty.
 - Weekly, bi-weekly, and monthly cadence definitions
 - RACI matrix for each activity
 - Dashboard definitions and data sources
@@ -301,7 +301,7 @@ This is the minimum bar for leading (not shadowing) a module. If you are not the

 Before your first client engagement, build a personal lab that lets you safely test deployments:

- **M365 developer tenant** — Microsoft's free developer programme provides an E5 tenant. Use it for ASTRAL, AOC, CAExporter, and M365 module testing. Register via the Microsoft 365 Developer Programme.
+- **M365 developer tenant** — Microsoft's free developer programme provides an E5 tenant. Use it for ASTRAL, PULSAR, CAExporter, and M365 module testing. Register via the Microsoft 365 Developer Programme.
 - **A small Linux VM (any cloud)** — For chatmail relay, Wazuh, TheHive, and Shuffle deployments. A €5–10/month VPS is sufficient for personal lab use.
 - **A Windows Server VM** — For AD module testing: BloodHound, Elysium, LAPS, Sysmon. Can be local (Hyper-V, VMware) or cloud.
 - **A CQRE internal environment** — Ask for access to the shared lab environment used for tool testing and client demos.
@@ -166,7 +166,7 @@ Some clients want ongoing support rather than discrete projects. Three models:
 | Type | Description | Typical cadence |
 |------|-------------|----------------|
 | **Retained advisory** | A fixed number of hours per month for questions, threat model reviews, architecture reviews, and strategic guidance. No new module delivery — advisory only. | Monthly retainer, 8–16 hours/month |
-| **Retained capability support** | Active support operating tools we deployed: reviewing ASTRAL alerts, tuning AOC detection rules, running quarterly AD scans with Elysium and PingCastle, reviewing Huntress findings. | Monthly or quarterly, scoped per tool set |
+| **Retained capability support** | Active support operating tools we deployed: reviewing ASTRAL alerts, tuning PULSAR detection rules, running quarterly AD scans with Elysium and PingCastle, reviewing Huntress findings. | Monthly or quarterly, scoped per tool set |
 | **Module continuation** | Ongoing delivery of a multi-module programme at a structured cadence. Each module planned and scoped before it begins. | Quarterly module delivery |

 Retained relationships are renewed quarterly. Either side can exit with 30 days' notice.
@@ -6,13 +6,13 @@

 ## The Problem in One Sentence

-Your organization is currently engaged in a **massive, unpaid research project for its competitors**—sending proprietary data, strategic reasoning, and operational intelligence to cloud platforms that are incentivized to commoditize your industry.
+Your organization depends on technology infrastructure it does not fully control — cloud platforms whose incentives are not aligned with your survival, AI tools processing your operational intelligence under agreements you cannot audit, and vendors whose pricing, terms, and continued existence are outside your influence.

 ## What Is at Stake

 | Asset Category | Current Risk | If Compromised or Extracted |
 |---------------|-------------|----------------------------|
-| Strategic intelligence | Rented from cloud AI providers | Competitors replicate your edge; your strategy becomes public model training data |
+| Strategic intelligence | Rented from cloud AI providers | Vendor dependency, data residency risk, no audit rights over inference — and a strategy that improves their platform, not yours |
 | Customer trust | Protected by compliance theater | Regulatory fines, class-action liability, irreversible reputational damage |
 | Operational continuity | Dependent on vendor stability | Single API change or geopolitical event halts revenue-critical workflows |
 | Technical talent | Wasted on maintenance of fragile systems | Burnout, attrition, inability to attract security-conscious engineers |
@@ -69,7 +69,7 @@ We do not propose a three-year transformation. We propose **four phases, 180 day
 This is not a cost centre. It is **optionality insurance**.

 - **Cost of the program**: Primarily configuration and process—existing tools are leveraged first.
- **Cost of inaction**: A single ransomware incident averages €4.5M in recovery. A single regulatory fine under DORA can reach 2% of global turnover. A single competitor trained on your data renders your proprietary advantage worthless.
+- **Cost of inaction**: A single ransomware incident averages €4.5M in recovery. A single regulatory fine under DORA can reach 2% of global turnover. A single uncontrolled AI vendor relationship can expose your operational data to residency and audit failures that NIS2, DORA, or sector regulators will not overlook.
 - **ROI timeline**: Risk reduction is visible in 30 days. Regulatory evidence is demonstrable in 90 days. Competitive advantage from sovereign intelligence compounds over 12-24 months.

 ## The Decision Required
@@ -73,7 +73,7 @@ We do not sell monolithic transformation projects. We sell **building blocks** t
 - Legacy authentication blocked tenant-wide
 - Privileged access workstation (PAW) architecture for admins
 - PIM deployment (if E5/Entra ID P2) or manual JIT process (if E3)
- AOC deployment for audit log intelligence and anomalous admin detection
+- PULSAR deployment for audit log intelligence and anomalous admin detection
 - Guest access audit and time-bounding
 - OAuth consent governance

@@ -168,7 +168,7 @@ We do not sell monolithic transformation projects. We sell **building blocks** t

 **Executive pitch**:

-> *"Your teams are already using AI—through personal accounts, browser tabs, and mobile apps. Every proprietary document they paste into ChatGPT trains a model that will eventually be sold to your competitors. We stop that leakage in two weeks by giving them a better, safer alternative. Then we build your first custom AI asset on data that never leaves your Azure region."*
+> *"Your teams are already using AI—through personal accounts, browser tabs, and mobile apps. Every proprietary document they send to an unmanaged AI service is processed under terms you haven't reviewed, on infrastructure outside your control, with no data residency guarantees. We stop that leakage in two weeks by giving them a better, safer alternative. Then we build your first custom AI asset on data that never leaves your Azure region."*

 **Natural next modules**: Module 9 (Organizational Resilience), Module 4 (Data Governance), Module 10 (Red Team & Validation)

@@ -32,7 +32,7 @@ When you outsource a security function, you should retain three capabilities int

 | Retained Capability | Why It Cannot Be Outsourced | What It Produces |
 |--------------------|---------------------------|------------------|
-| **Detection Engineering** | Only you know what "normal" looks like in your environment. Only you can write rules that detect anomalies specific to your architecture, your applications, and your user behaviours. | Custom detection rules (KQL, Sigma, YARA, Wazuh) and M365-specific detections via AOC that catch threats generic rules miss |
+| **Detection Engineering** | Only you know what "normal" looks like in your environment. Only you can write rules that detect anomalies specific to your architecture, your applications, and your user behaviours. | Custom detection rules (KQL, Sigma, YARA, Wazuh) and M365-specific detections via PULSAR that catch threats generic rules miss |
 | **Threat Context & Prioritization** | Only you know which assets are crown jewels. Only you can prioritize a vulnerability on your payment gateway over a vulnerability on your marketing blog. | Risk-ranked remediation that aligns with business impact |
 | **Integration & Orchestration** | Only you can connect the SOC to your change management, your identity team, your OT engineers, and your executives. | Closed-loop incident response that produces structural improvement |