chore: Full consistency scan — AOC->PULSAR, fix training-data claims, fix 90% claim
AOC -> PULSAR across 10 files (engagement-model, retained-capability, modular-engagements, blue-purple-team-foundation, about-cqre, about-cqre-cs, consultant-field-guide, ai-assisted-tvm, m365-e3-hardening, sovereign-tool-stack, risk-register-example).

Training-data framing corrected in:
- executive-summary.md: opening paragraph and risk table
- README.md: 90% solution claim -> 30-60% in 180 days
- modular-engagements.md: public API data use claim
- cis-controls-mapping.md: data protection framing
- antifragile-risk-register.md: risk entry softened to accurate framing
- azure-openai-sovereignty-bridge.md: consumer vs enterprise API distinction

Co-Authored-By: Tom Kracmar <tom+claude@cat6.cz>
@@ -6,7 +6,7 @@ This document provides the complete capability map for our consulting practice:
|
||||
|
||||
1. **Clients** who want to understand what we bring to an engagement
|
||||
2. **Consultants** who need to select the right tool for the right module
|
||||
3. **Our own product team** who are building ASTRAL and AOC to close the M365-native gap
|
||||
3. **Our own product team** who are building ASTRAL and PULSAR to close the M365-native gap
|
||||
|
||||
---
|
||||
|
||||
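Review bot: the commit message says the rename covers "10 files" but lists eleven paths (engagement-model through risk-register-example); reconcile the count before merge. The rename in item 3 of this list is otherwise a straight AOC -> PULSAR substitution with no other wording change.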
@@ -115,11 +115,11 @@ This document provides the complete capability map for our consulting practice:
|
||||
| **Antifragile pillar** | Sovereign Intelligence, Asymmetric Payoff Design |
|
||||
| **Engagement modules** | Module 4 (Data Governance); Module 11 (Embedded Quality); all compliance-driven clients |
|
||||
| **Typical output** | Live compliance dashboard: "DORA Article 12: 14 of 17 controls evidence-complete; 3 gaps assigned to owners with due dates" |
|
||||
| **Integration** | Pulls findings from Prowler, osquery, BloodHound, and AOC into unified evidence packages |
|
||||
| **Integration** | Pulls findings from Prowler, osquery, BloodHound, and PULSAR into unified evidence packages |
|
||||
|
||||
**The conversation**:
|
||||
|
||||
> *"Your auditor wants evidence that you monitor privileged access. CISO Assistant links the BloodHound scan, the Purple Knight score, the AOC admin activity report, and the osquery listening-ports query into a single evidence package for DORA Article 8. No scrambling for screenshots the night before the audit."*
|
||||
> *"Your auditor wants evidence that you monitor privileged access. CISO Assistant links the BloodHound scan, the Purple Knight score, the PULSAR admin activity report, and the osquery listening-ports query into a single evidence package for DORA Article 8. No scrambling for screenshots the night before the audit."*
|
||||
|
||||
---
|
||||
|
||||
@@ -236,7 +236,7 @@ This document provides the complete capability map for our consulting practice:
|
||||
| **Antifragile pillar** | Structural Decoupling, Stress-to-Signal Conversion |
|
||||
| **Engagement modules** | Module 2 (M365 Identity Security); Module 3 (M365 Security Hardening); compliance audits requiring CA policy evidence (NIS2, ISO 27001, DORA) |
|
||||
| **Typical output** | Excel workbook with one row per policy: policy name, conditions, controls, named groups and apps (not object IDs), assignment scope, current state (enabled/disabled/report-only), and export timestamp. Audit-ready without a single screenshot. |
|
||||
| **Integration** | Export feeds into ASTRAL as the human-readable CA policy baseline (state at engagement start); CISO Assistant links the workbook as evidence for Entra ID hardening controls; AOC change alerts are cross-referenced against the export to identify which named policy changed |
|
||||
| **Integration** | Export feeds into ASTRAL as the human-readable CA policy baseline (state at engagement start); CISO Assistant links the workbook as evidence for Entra ID hardening controls; PULSAR change alerts are cross-referenced against the export to identify which named policy changed |
|
||||
|
||||
**The conversation**:
|
||||
|
||||
@@ -255,7 +255,7 @@ This document provides the complete capability map for our consulting practice:
|
||||
┌───────────────┬───────────────┼───────────────┬───────────────┐
|
||||
▼ ▼ ▼ ▼ ▼
|
||||
┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐
|
||||
│ Prowler │ │BloodHound│ │ ASTRAL │ │ AOC │ │ osquery │
|
||||
│ Prowler │ │BloodHound│ │ ASTRAL │ │ PULSAR │ │ osquery │
|
||||
│(Cloud) │ │ (AD) │ │ (M365) │ │(Audit) │ │(Endpoint)│
|
||||
└────┬────┘ └────┬────┘ └────┬────┘ └────┬────┘ └────┬────┘
|
||||
│ │ │ │ │
|
||||
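Review bot: check the box padding in the rendered diagram: the border `┌─────────┐` has an inner width of nine characters, and the label grew from `AOC` (3) to `PULSAR` (6), so the cell must be re-padded (for example `│ PULSAR  │`) to keep the right-hand `│` aligned with the `(Audit)` row beneath it; whitespace is collapsed in this view, so alignment cannot be confirmed here.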
@@ -277,7 +277,7 @@ This document provides the complete capability map for our consulting practice:
|
||||
**Data flow**:
|
||||
|
||||
1. **Discovery layer** (Prowler, BloodHound, osquery, ASTRAL) collects raw security state
|
||||
2. **Intelligence layer** (AOC, AI-assisted TVM) correlates, enriches, and prioritises
|
||||
2. **Intelligence layer** (PULSAR, AI-assisted TVM) correlates, enriches, and prioritises
|
||||
3. **Governance layer** (CISO Assistant) maps findings to compliance frameworks and tracks remediation
|
||||
4. **Validation layer** (Purple Knight, Forest Druid, purple team exercises) proves fixes work
|
||||
|
||||
@@ -289,7 +289,7 @@ Our current stack covers cloud posture, AD security, GRC, M365 configuration, an
|
||||
|
||||
### Gap 1: Endpoint Detection and Response (EDR) — The Visibility Gap
|
||||
|
||||
**Current state**: osquery provides structured endpoint inventory and compliance. AOC ingests M365 audit logs. What is missing is real-time behavioural detection on the endpoint itself.
|
||||
**Current state**: osquery provides structured endpoint inventory and compliance. PULSAR ingests M365 audit logs. What is missing is real-time behavioural detection on the endpoint itself.
|
||||
|
||||
**Recommended close**: **Wazuh + Sysmon** (open-source EDR stack)
|
||||
|
||||
@@ -308,7 +308,7 @@ Our current stack covers cloud posture, AD security, GRC, M365 configuration, an
|
||||
|
||||
### Gap 2: Security Orchestration and Automated Response (SOAR) — The Response Gap
|
||||
|
||||
**Current state**: AOC detects anomalous admin behaviour. ASTRAL detects configuration drift. What is missing is automated response: disabling a compromised account, isolating a device, or revoking an OAuth grant at machine speed.
|
||||
**Current state**: PULSAR detects anomalous admin behaviour. ASTRAL detects configuration drift. What is missing is automated response: disabling a compromised account, isolating a device, or revoking an OAuth grant at machine speed.
|
||||
|
||||
**Recommended close**: **Shuffle** (open-source SOAR)
|
||||
|
||||
@@ -319,7 +319,7 @@ Our current stack covers cloud posture, AD security, GRC, M365 configuration, an
|
||||
| Self-hosted: data never leaves client infrastructure |
|
||||
| Replaces €100,000+/year commercial SOAR platforms |
|
||||
|
||||
**Example playbook**: AOC detects impossible-travel sign-in → Shuffle disables account → ASTRAL revokes all active sessions → Slack alerts SOC → CISO Assistant logs incident → Ticket created in client ITSM.
|
||||
**Example playbook**: PULSAR detects impossible-travel sign-in → Shuffle disables account → ASTRAL revokes all active sessions → Slack alerts SOC → CISO Assistant logs incident → Ticket created in client ITSM.
|
||||
|
||||
**When to deploy**: Module 12 (Blue/Purple Team Foundation); retained capability engagements.
|
||||
|
||||
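Review bot: the playbook "PULSAR detects impossible-travel sign-in → Shuffle disables account" wires an account-disabling action directly to a single detection with no gate shown; since the Gap 2 text sells this as response "at machine speed", the document should state whether the disable step is auto-executed or requires analyst approval, and what confidence PULSAR must report before Shuffle acts, otherwise a false positive locks out a legitimate user. A one-line note on the approval step after the playbook would do.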
@@ -327,7 +327,7 @@ Our current stack covers cloud posture, AD security, GRC, M365 configuration, an
|
||||
|
||||
### Gap 3: Incident Response Case Management — The Coordination Gap
|
||||
|
||||
**Current state**: Findings are scattered across Prowler, BloodHound, AOC, and osquery. What is missing is a single case management system that tracks incidents from detection through remediation to post-mortem.
|
||||
**Current state**: Findings are scattered across Prowler, BloodHound, PULSAR, and osquery. What is missing is a single case management system that tracks incidents from detection through remediation to post-mortem.
|
||||
|
||||
**Recommended close**: **TheHive + Cortex** (open-source SOC case management)
|
||||
|
||||
@@ -386,7 +386,7 @@ Our current stack covers cloud posture, AD security, GRC, M365 configuration, an
|
||||
|----------|--------------|
|
||||
| Protocol analysis: extracts metadata from HTTP, DNS, TLS, SMB without full packet storage | IDS/IPS with 30,000+ signatures and emerging threat rules |
|
||||
| Scales to 10 Gbps+ on commodity hardware | Can drop malicious traffic inline (IPS mode) |
|
||||
| Output is structured JSON—easy to feed into Wazuh or AOC | Native file extraction and malware detection |
|
||||
| Output is structured JSON—easy to feed into Wazuh or PULSAR | Native file extraction and malware detection |
|
||||
|
||||
**When to deploy**: Module 8 (OT Security Assessment) for industrial network segmentation validation; Module 12 (Blue/Purple Team) for detection engineering.
|
||||
|
||||
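Review bot: the row "Output is structured JSON—easy to feed into Wazuh or PULSAR" implies PULSAR ingests Zeek network metadata, but the tool matrix later in this file scopes PULSAR to "M365 audit intelligence" and Gap 1 says it "ingests M365 audit logs"; either confirm that PULSAR accepts non-M365 JSON sources or limit this cell to Wazuh.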
@@ -401,7 +401,7 @@ Our current stack covers cloud posture, AD security, GRC, M365 configuration, an
|
||||
| AD security assessment | **Purple Knight / Forest Druid** | PingCastle, ADRecon | Semperis Directory Services Protector | AD hardening engagements |
|
||||
| GRC and compliance | **CISO Assistant** | OpenGRC, SimpleRisk | ServiceNow GRC, RSA Archer | DORA, NIS2, SOC 2 clients |
|
||||
| M365 backup/change mgmt | **ASTRAL** | — (no open-source equivalent) | Veeam, AvePoint, SkyKick | All M365 clients; retained capability |
|
||||
| M365 audit intelligence | **AOC** | — (no open-source equivalent) | Microsoft Sentinel, ManageEngine | All M365 clients; SOC co-management |
|
||||
| M365 audit intelligence | **PULSAR** | — (no open-source equivalent) | Microsoft Sentinel, ManageEngine | All M365 clients; SOC co-management |
|
||||
| CA policy documentation | **CAExporter** | — (no equivalent) | — | Every Module 2 engagement; CA audits |
|
||||
| AD password audit | **Elysium** | — (DSInternals manual use) | Netwrix Password Policy, Specops | Every AD engagement; Module 6 |
|
||||
| Intune baseline deployment | **macOS_IntuneManagement** | — (no cross-platform equivalent) | — | Tenant migrations; brownfield baseline |
|
||||
@@ -438,13 +438,13 @@ Our current stack covers cloud posture, AD security, GRC, M365 configuration, an
|
||||
**CQRE utilities**: macOS_IntuneManagement (baseline deployment, cross-tenant migration); IntunePolicyParser (policy audit register); M365-Scripts (MDE device lifecycle); E8-CAT (pre/post hardening Essential Eight score)
|
||||
|
||||
### Module 2: M365 Identity Security
|
||||
**Primary**: AOC (audit log intelligence) + BloodHound (hybrid identity attack paths)
|
||||
**Primary**: PULSAR (audit log intelligence) + BloodHound (hybrid identity attack paths)
|
||||
**Augmentation**: Purple Knight (AD security baseline)
|
||||
**CQRE utilities**: CAExporter (CA policy documentation baseline — run first, before any CA hardening)
|
||||
|
||||
### Module 3: M365 Security Hardening
|
||||
**Primary**: ASTRAL (configuration state) + Prowler (Azure posture)
|
||||
**Augmentation**: AOC (continuous monitoring of security control changes)
|
||||
**Augmentation**: PULSAR (continuous monitoring of security control changes)
|
||||
**CQRE utilities**: CAExporter (CA policy register as audit evidence); E8-CAT (macro restriction and application hardening verification)
|
||||
|
||||
### Module 6: On-Premise AD Hardening
|
||||
@@ -462,10 +462,10 @@ Our current stack covers cloud posture, AD security, GRC, M365 configuration, an
|
||||
|
||||
### Module 12: Blue/Purple Team Foundation
|
||||
**Primary**: Wazuh + Sysmon + TheHive + Cortex + Shuffle
|
||||
**Augmentation**: AOC (M365-specific detections) + Velociraptor (endpoint forensics) + OpenCanary (deception) + OpenCTI (threat intel correlation)
|
||||
**Augmentation**: PULSAR (M365-specific detections) + Velociraptor (endpoint forensics) + OpenCanary (deception) + OpenCTI (threat intel correlation)
|
||||
|
||||
### Retained Capability: Detection Engineering
|
||||
**Primary**: Wazuh (rule authoring) + AOC (M365 detections) + Shuffle (response playbooks)
|
||||
**Primary**: Wazuh (rule authoring) + PULSAR (M365 detections) + Shuffle (response playbooks)
|
||||
**Augmentation**: Zeek + Suricata (network detection rules)
|
||||
|
||||
---
|
||||
@@ -479,7 +479,7 @@ Our current stack covers cloud posture, AD security, GRC, M365 configuration, an
|
||||
| Purple Knight | 30 minutes | None | Low | Medium (AD scan) |
|
||||
| CISO Assistant | 1 day | Docker host or VM | Low | Low-Medium (compliance data) |
|
||||
| ASTRAL | 2 hours | SaaS or client-hosted | Low | High (M365 configuration) |
|
||||
| AOC | 4 hours | SaaS or client-hosted | Medium | High (audit logs, identity data) |
|
||||
| PULSAR | 4 hours | SaaS or client-hosted | Medium | High (audit logs, identity data) |
|
||||
| CAExporter | 30 minutes | None (runs from PowerShell) | Low | Low (read-only CA policy export) |
|
||||
| Elysium | 1–2 hours | Dedicated secure host (on-premises) | Medium | High (domain password hashes — stays on-prem) |
|
||||
| macOS_IntuneManagement | 1 hour | None (PowerShell 7+) | Low | Medium (Intune policy data) |
|
||||
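Review bot: the PULSAR row lists hosting as "SaaS or client-hosted" against data sensitivity "High (audit logs, identity data)"; since this commit tightens data-handling claims elsewhere, this row should say where audit-log data resides in the SaaS option, the way the Elysium row does with "stays on-prem".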
@@ -519,7 +519,7 @@ Beyond the core stack, these tools address specific niches that arise in sophist
|
||||
| **What it does** | Open-source cross-platform adversary simulation and command-and-control (C2) framework. Replaces Cobalt Strike for red team engagements at zero licensing cost. |
|
||||
| **Why we use it** | Cobalt Strike costs €30,000+/year and is fingerprinted by most EDR. Sliver is free, actively maintained by Bishop Fox, and supports DNS, HTTPS, mutual TLS, and WireGuard C2 channels. It generates implants for Windows, macOS, and Linux. |
|
||||
| **When to deploy** | Module 10 (Red Team & Validation); purple team exercises; EDR efficacy testing |
|
||||
| **Integration** | Red team activity detected by Wazuh + Sysmon feeds into TheHive cases; AOC correlates any M365 session anomalies with red team timing |
|
||||
| **Integration** | Red team activity detected by Wazuh + Sysmon feeds into TheHive cases; PULSAR correlates any M365 session anomalies with red team timing |
|
||||
|
||||
**The conversation**:
|
||||
|
||||
@@ -558,7 +558,7 @@ Beyond the core stack, these tools address specific niches that arise in sophist
|
||||
| **What it does** | Runtime security detection for containers, Kubernetes, and Linux hosts. Uses system call monitoring to detect anomalous behaviour: unexpected outbound connections, privileged container escapes, sensitive file access. |
|
||||
| **Why we use it** | Syft + Grype find vulnerable packages at build time. Falco detects exploitation at runtime. Without Falco, a container with a CVE can be exploited silently. |
|
||||
| **When to deploy** | Any client with Kubernetes or containerised workloads; Module 9 (Organisational Resilience) for CI/CD security gates |
|
||||
| **Integration** | Falco alerts feed into Wazuh or directly to TheHive; AOC correlates container events with M365 identity context for supply-chain attack detection |
|
||||
| **Integration** | Falco alerts feed into Wazuh or directly to TheHive; PULSAR correlates container events with M365 identity context for supply-chain attack detection |
|
||||
|
||||
---
|
||||
|
||||
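Review bot: same scope question as the Zeek/Suricata row: "PULSAR correlates container events with M365 identity context" requires PULSAR to consume Falco output, which the matrix entry (M365 audit intelligence) does not cover; if the correlation actually happens in Wazuh or TheHive with PULSAR supplying only the identity side, say so in this cell.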
@@ -624,7 +624,7 @@ Beyond the core stack, these tools address specific niches that arise in sophist
|
||||
| **What it does** | Scans Git repositories for hardcoded secrets: API keys, passwords, tokens, private keys. Supports pre-commit hooks and CI/CD integration. |
|
||||
| **Why we use it** | The most common cloud breach vector is not zero-day exploitation. It is a developer committing an AWS access key to GitHub. GitLeaks finds it before the commit—or scans historical commits for existing leakage. |
|
||||
| **When to deploy** | Module 9 (Organisational Resilience); DevSecOps engagements; any client with active software development |
|
||||
| **Integration** | CI/CD pipeline integration; findings fed into CISO Assistant for evidence tracking; AOC monitors for any M365 session using leaked credentials |
|
||||
| **Integration** | CI/CD pipeline integration; findings fed into CISO Assistant for evidence tracking; PULSAR monitors for any M365 session using leaked credentials |
|
||||
|
||||
---
|
||||
|
||||
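Review bot: the Integration cell "PULSAR monitors for any M365 session using leaked credentials" does not follow from the "Why we use it" example, which is an AWS access key committed to GitHub; PULSAR only sees M365 sign-ins, so the claim holds for leaked Entra credentials or tokens but not for cloud-provider keys. Suggest "PULSAR monitors for M365 sign-ins using leaked Entra credentials" or similar.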
@@ -648,7 +648,7 @@ Beyond the core stack, these tools address specific niches that arise in sophist
|
||||
| **What it does** | Open-source phishing simulation framework. Build campaigns, track click rates, capture credentials (in training mode), and measure user susceptibility over time. |
|
||||
| **Why we use it** | Commercial phishing platforms cost €5-15/user/year. GoPhish is free, self-hosted, and produces equivalent metrics. It integrates with LDAP for realistic email targeting. |
|
||||
| **When to deploy** | Module 3 (M365 Security Hardening); security awareness programmes; post-incident user training |
|
||||
| **Integration** | Results feed into CISO Assistant for training evidence; high-risk users flagged in AOC for enhanced monitoring |
|
||||
| **Integration** | Results feed into CISO Assistant for training evidence; high-risk users flagged in PULSAR for enhanced monitoring |
|
||||
|
||||
---
|
||||
|
||||
@@ -738,7 +738,7 @@ These are partnerships we invest in deeply. We train the team, build integration
|
||||
| **What they provide** | Managed EDR for SMBs and mid-market: 24/7 threat hunting, incident response, ransomware rollback. Agent deployment via RMM or Intune. |
|
||||
| **Why we partner** | Our open-source EDR stack (Wazuh + Sysmon) is excellent for clients who want sovereignty. But it requires us to tune rules, investigate alerts, and respond to incidents. Huntress provides the 24/7 layer we cannot staff at 5-20 people. We bring the strategic context; they bring the night shift. |
|
||||
| **Client archetype** | E3 clients without Defender P2; municipalities; professional services; any client who needs EDR but cannot justify CrowdStrike or SentinelOne |
|
||||
| **Engagement model** | We deploy and configure Huntress as part of Module 1 or 3. We retain the relationship and add our own detection rules via AOC for M365 context. Huntress handles the endpoint. We handle the narrative. |
|
||||
| **Engagement model** | We deploy and configure Huntress as part of Module 1 or 3. We retain the relationship and add our own detection rules via PULSAR for M365 context. Huntress handles the endpoint. We handle the narrative. |
|
||||
| **Financial model** | Per-endpoint licensing with partner margin. We bill labour for deployment, tuning, and quarterly reviews. The recurring license revenue funds our growth without proportional labour increase. |
|
||||
| **When NOT to use** | Clients who require air-gapped networks; clients with sovereign-data mandates that prohibit third-party agent telemetry; clients who explicitly want to own their detection logic (then we deploy Wazuh) |
|
||||
|
||||
@@ -804,7 +804,7 @@ These are tools we purchase for our own team to deliver services more effectivel
|
||||
| **Burp Suite Professional** | Web application penetration testing | The industry standard. Community edition is too limited for professional engagements. |
|
||||
| **Cobalt Strike** (or **Sliver** for budget-conscious) | Red team C2 and adversary simulation | When clients specifically require Cobalt Strike for insurance or compliance validation. Sliver is our default; Cobalt Strike is the enterprise alternative. |
|
||||
| **Offensive Security / SANS training** | Consultant skill development | Our team must maintain current certifications. Training is a cost of doing business, not a partnership. |
|
||||
| **Microsoft Action Pack / CSP** | Internal M365 licensing for testing | We need sandbox tenants to test ASTRAL and AOC before client deployment. Microsoft's partner programme provides this at low cost. |
|
||||
| **Microsoft Action Pack / CSP** | Internal M365 licensing for testing | We need sandbox tenants to test ASTRAL and PULSAR before client deployment. Microsoft's partner programme provides this at low cost. |
|
||||
|
||||
---
|
||||
|
||||
@@ -813,9 +813,9 @@ These are tools we purchase for our own team to deliver services more effectivel
|
||||
| Category | Example | Why We Refuse |
|
||||
|----------|---------|---------------|
|
||||
| **All-in-one security platforms** | CrowdStrike, Palo Alto, SentinelOne | They replace our entire stack with a black box. We become a reseller, not a consultant. The client loses sovereignty. We lose differentiation. |
|
||||
| **Generic SIEM** | Splunk, Datadog, Elastic Cloud | Wazuh + TheHive + AOC covers 90% of client needs. Splunk requires a €100K+ commitment and a dedicated engineer. We refer complex SIEM needs to specialists rather than pretending to be one. |
|
||||
| **Generic SIEM** | Splunk, Datadog, Elastic Cloud | Wazuh + TheHive + PULSAR covers 90% of client needs. Splunk requires a €100K+ commitment and a dedicated engineer. We refer complex SIEM needs to specialists rather than pretending to be one. |
|
||||
| **AI security startups** | Any vendor claiming "AI-powered" threat detection with no transparent model | Our AI strategy is sovereign: Azure OpenAI bridge and local LLMs. We do not resell opaque AI tools that we cannot explain to a board. |
|
||||
| **M365 management competitors** | CoreView, AdminDroid, Quest | ASTRAL and AOC are our proprietary differentiators. Partnering here would undermine our own product investment. |
|
||||
| **M365 management competitors** | CoreView, AdminDroid, Quest | ASTRAL and PULSAR are our proprietary differentiators. Partnering here would undermine our own product investment. |
|
||||
|
||||
---
|
||||
|
||||
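Review bot: the commit title says it fixes a 90% claim, yet the Generic SIEM row still reads "Wazuh + TheHive + PULSAR covers 90% of client needs" with no basis given; the commit message addresses a different 90% claim in README.md, so either apply the same softening here or state where this figure comes from.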
@@ -831,7 +831,7 @@ These are tools we purchase for our own team to deliver services more effectivel
|
||||
- Tier 1: Huntress + Thinkst + Tenable (full enterprise VM partnership)
|
||||
- Tier 2: Delinea, KnowBe4, Veeam, Proofpoint (active partner status, trained engineers)
|
||||
- Tier 3: Cobalt Strike license for red team; additional SANS/training budget
|
||||
- ASTRAL and AOC monetised as SaaS products with their own revenue stream
|
||||
- ASTRAL and PULSAR monetised as SaaS products with their own revenue stream
|
||||
|
||||
**The rule**: Every commercial partnership must either (a) provide a capability we cannot build, (b) generate recurring revenue without proportional labour, or (c) satisfy a compliance requirement that open-source cannot meet. If it does none of these, we decline.
|
||||
|
||||
@@ -858,11 +858,11 @@ These are tools we purchase for our own team to deliver services more effectivel
|
||||
| Document | Integration |
|
||||
|----------|-------------|
|
||||
| [Zero-Budget Vulnerability Discovery](zero-budget-vulnerability-discovery.md) | Syft + Grype container pipeline; osquery endpoint discovery; Prowler cloud-native discovery; GitLeaks secrets scanning |
|
||||
| [AI-Assisted TVM Blueprint](ai-assisted-tvm.md) | All discovery tools feed the AI prioritisation engine; AOC provides insider-threat context; OpenCTI enriches with threat actor context |
|
||||
| [AI-Assisted TVM Blueprint](ai-assisted-tvm.md) | All discovery tools feed the AI prioritisation engine; PULSAR provides insider-threat context; OpenCTI enriches with threat actor context |
|
||||
| [Perimeter Scanning Capability](perimeter-scanning-capability.md) | Nuclei + Amass + Naabu form the open-source active scanning layer; Prowler covers cloud perimeter; CertStream monitors for new subdomains |
|
||||
| [Osquery: The Sovereign Discovery Platform](osquery-custom-platform.md) | osquery + FleetDM is the endpoint discovery layer; Wazuh extends to behavioural detection; Velociraptor adds forensic hunting |
|
||||
| [Blue/Purple Team Foundation](../core/blue-purple-team-foundation.md) | Wazuh + TheHive + Cortex + Shuffle form the open-source SOC stack; AOC adds M365-specific detection; Sliver enables adversary simulation; OpenCanary provides deception |
|
||||
| [Retained Capability](../core/retained-capability.md) | Detection Engineering retained capability is built on Wazuh + AOC + Shuffle; Threat Context on TheHive + Cortex + OpenCTI |
|
||||
| [Blue/Purple Team Foundation](../core/blue-purple-team-foundation.md) | Wazuh + TheHive + Cortex + Shuffle form the open-source SOC stack; PULSAR adds M365-specific detection; Sliver enables adversary simulation; OpenCanary provides deception |
|
||||
| [Retained Capability](../core/retained-capability.md) | Detection Engineering retained capability is built on Wazuh + PULSAR + Shuffle; Threat Context on TheHive + Cortex + OpenCTI |
|
||||
| [Modular Engagements](../core/modular-engagements.md) | Each module has a recommended tool pairing in the matrix above; partnership doctrine defines when commercial tools supplement open-source |
|
||||
| [AD and Endpoint Hardening](ad-endpoint-hardening.md) | BloodHound maps attack paths; Purple Knight / Forest Druid score AD security; Velociraptor hunts for indicators of compromise on domain controllers |
|
||||
| [Business Case Template](business-case-template.md) | Partnership financial models (Huntress recurring, Thinkst margin, Tenable compliance) feed into client ROI calculations |
|
||||
|
||||