feat: Fix review issues and integrate ASTRAL, PULSAR, AURORA product suite

Framework fixes:
- antifragile-manifest.md: Correct AI Sovereignty pillar (data residency/audit rights framing); add consultant note
- executive-summary.md: Same AI sovereignty correction; add EU Regulatory Context (NIS2, DORA, GDPR)
- README.md: Add Brownhat brand explanation; expand Standards Alignment with NIS2/DORA/GDPR
- core/about-cqre.md: Prominent TEMPLATE WARNING banner to prevent accidental sharing
- index.md: Add CQRE Product Suite; renumber consultant nav 1-26 consistently

New: playbooks/cqre-product-suite.md - ASTRAL/PULSAR/AURORA product reference with antifragile pillar alignment, regulatory mapping, deployment prerequisites, and objection handling

Updated: sovereign-tool-stack.md - ASTRAL updated to GitHub product spec; AOC replaced with PULSAR; AURORA section added

Co-Authored-By: Tom Kracmar <tom+claude@cat6.cz>
This commit is contained in:
Claude Sonnet 4.6
2026-06-05 04:59:20 +00:00
parent 64f73371c9
commit 48f891db36
7 changed files with 335 additions and 38 deletions
@@ -0,0 +1,213 @@
# CQRE Product Suite: ASTRAL, PULSAR, and AURORA
> *"Three questions every M365 administrator eventually asks: what does my configuration look like, what happened in my tenant, and what does it mean? The CQRE suite is built to answer all three — each product independently valuable, progressively more powerful in combination."*
This document describes the three CQRE-built products, how they fit into the antifragile consulting framework, and how to position and deploy them in engagements.
---
## Suite Overview
| Product | Full Name | What It Answers | Model | Repo |
|---------|-----------|-----------------|-------|------|
| **ASTRAL** | Admin Security: Tenant Review, Automation & Lifecycle | *What does my M365 configuration look like and what has changed?* | Free, open source | [github.com/cqrenet/astral](https://github.com/cqrenet/astral) |
| **PULSAR** | Platform for Unified Log Search, Alerting & Review | *What happened in my tenant, when, and by whom?* | Free, open source | [github.com/cqrenet/pulsar](https://github.com/cqrenet/pulsar) |
| **AURORA** | Audit, Unified Review, Observability & Remediation for Administrators | *What does it mean and what should I do?* | Paid | [aurora.cqre.net](https://aurora.cqre.net) |
**The product narrative in one sentence**: PULSAR captures the signal, ASTRAL holds the baseline, AURORA makes sense of both.
---
## Framework Alignment
Each product maps directly to specific antifragile pillars from the [Antifragile Manifest](../core/antifragile-manifest.md).
### ASTRAL → Pillar 1 (Structural Decoupling) + Pillar 5 (Asymmetric Payoff Design)
ASTRAL treats M365 configuration as code — Git-tracked snapshots with PR-based review, drift detection, and baseline restore. Every Intune profile, Conditional Access policy, and Entra setting is versioned, auditable, and recoverable.
**Pillar 1 alignment**: ASTRAL surfaces hidden coupling in M365 configuration. Conditional Access policies with undocumented exclusion groups, Intune profiles silently competing, admin roles accumulating without review — these are the dependencies that produce fragility. ASTRAL makes them visible and governable.
**Pillar 5 alignment**: The deployment cost is low (one Azure DevOps project, one Entra app registration). The protection payoff is disproportionately large: compliance evidence produced automatically, configuration changes reviewed before they become incidents, rollback available in minutes.
**Kill chain relevance**: A compromised admin account that modifies Conditional Access policies is a kill-chain event. ASTRAL detects this drift within minutes via the event-driven change probe and surfaces it as a PR requiring review.
### PULSAR → Pillar 3 (Stress-to-Signal Conversion)
PULSAR ingests M365 audit events — Entra directory changes, Intune actions, Exchange/SharePoint/Teams operations — into a searchable, retained store with alerting and SIEM forwarding.
**Pillar 3 alignment**: PULSAR is the instrumentation layer for M365. Without it, admin actions are visible for 90 days in the M365 portal and then gone. With it, every admin action becomes permanent, searchable signal. An incident that would have been un-investigable three months later becomes reconstructible in minutes.
The antifragile principle is explicit: **every stress event produces a signal**. PULSAR ensures no signal is lost.
**Kill chain relevance**: When a threat actor enumerates admin accounts, modifies authentication methods, or creates a new enterprise application for persistence, PULSAR captures these events. Combined with alerting rules, PULSAR converts audit noise into actionable detection.
### AURORA → Pillar 4 (Sovereign Intelligence) + Pillar 2 (Optionality Preservation)
AURORA connects to PULSAR and ASTRAL via their MCP servers and exposes a unified AI-assisted interface for cross-tool diagnostics, multi-scope orchestration, and enriched SIEM forwarding.
**Pillar 4 alignment**: AURORA is sovereign intelligence applied to M365 operations. The cross-tool diagnostic tools — correlating audit events with configuration state — produce intelligence that no commercial tool natively generates. This intelligence lives in your infrastructure (self-hosted) or in EU-hosted infrastructure (managed tier), not in a vendor platform you cannot control.
**Pillar 2 alignment**: AURORA is designed for optionality at every layer. It stores no data itself — data lives in PULSAR's MongoDB and ASTRAL's Git repository, both under your control. The AI layer is pluggable (Azure OpenAI, Ollama, or the managed `llm.cqre.net` endpoint). Switching the underlying model requires one config line.
---
## Product Details
### ASTRAL
**What it tracks**:
*Intune*: App Configuration, App Protection, Applications, Compliance Policies, Device Configurations, Enrollment Configurations, Filters, Scope Tags, Scripts, Settings Catalog, and more.
*Entra*: Named Locations, Authentication Strengths, Conditional Access, App Registrations, Enterprise Applications.
**How it works**:
1. An Azure DevOps pipeline runs daily (and on-demand via an event-driven change probe) to export the full tenant configuration.
2. Drift from the committed baseline is committed to a drift branch and surfaced as a rolling PR.
3. Reviewers approve or reject individual changes in the PR. Approved changes merge; rejected changes trigger an automated restore.
4. The entire history lives in Git — indefinite, auditable, diff-able.
**AI (optional)**: Bring your own Azure OpenAI endpoint to generate human-readable PR narratives. ASTRAL is complete without it — AI is supplementary, not required.
**MCP server**: ASTRAL includes an MCP server (Azure Container Apps) that exposes tenant state and drift history to AI assistants via natural-language queries. This is what AURORA connects to.
**Deployment**: Azure DevOps, one pipeline set per tenant. Full setup guide in [`deploy/onboarding-runbook.md`](https://github.com/cqrenet/astral/blob/main/deploy/onboarding-runbook.md).
**Engagement module pairings**: Modules 15 (all M365 modules), Module 3 (M365 Hardening) as primary drift detection layer. Used in the first-week baseline checklist for every M365 engagement.
---
### PULSAR
**What it ingests**:
- Entra ID directory audit logs
- Intune audit logs
- Exchange Online, SharePoint, and Teams via the Office 365 Management Activity API
**Core capabilities**:
- Watermark-based incremental ingestion with MongoDB persistence
- Search and filter UI with REST API
- Alerting rules engine with webhook delivery *(see maturity note below)*
- SIEM forwarding *(see maturity note below)*
- MCP server (stdio and SSE): `search_events`, `get_event`, `get_summary`
- Entra OIDC auth and Azure Key Vault integration
> **Maturity note — alerting and SIEM forwarding**: Both features are functional but proof-of-concept quality. They are suitable for evaluation and non-critical environments. Alerting has no UI for rule management and webhook delivery has no retry logic. SIEM forwarding is basic with no delivery guarantees. Production hardening of both is on the roadmap. Do not recommend these features for production use in critical environments without documenting this caveat to the client.
**MCP server**: PULSAR's MCP server exposes audit event search to AI assistants. AURORA connects to this endpoint for cross-tool diagnostics.
**Deployment**: Docker Compose. Full quickstart in the [GitHub README](https://github.com/cqrenet/pulsar). Azure deployment guide in `DEPLOY-AZURE.md`.
**Engagement module pairings**: Module 12 (Blue/Purple Team Foundation) as the M365 detection layer; Module 10 (AI-Assisted TVM) for audit-trail enrichment; any retained capability engagement where M365 log retention is a client requirement.
---
### AURORA
**What it does**: A unified operations platform that sits in front of PULSAR and ASTRAL. Connects to both via MCP, exposes a single AI interface, and provides cross-tool diagnostics that neither product can answer alone.
AURORA stores no data. All data lives in PULSAR (MongoDB) and ASTRAL (Git).
**Cross-tool diagnostic tools**:
| Tool | What It Answers |
|------|----------------|
| `diagnose_policy_errors` | "Why is this Intune compliance policy succeeding on most devices but erroring on some?" — pulls ASTRAL policy config and PULSAR audit events for the same policy |
| `explain_device_compliance` | "Why did this device suddenly become non-compliant?" — combines ASTRAL assignment data with PULSAR event timeline |
| `correlate_drift_with_audit` | "Who in the portal triggered this configuration drift commit?" — matches ASTRAL Git commits with PULSAR audit events by timestamp |
| `tenant_security_summary` | "What happened in my tenant this week that I should know about?" — combines open ASTRAL drift PRs with PULSAR event summary, generates executive briefing |
| `compare_scopes` | "What's different between my production and development Conditional Access policies?" — cross-scope comparison |
**Multi-scope orchestration**: AURORA connects to multiple named ASTRAL instances. Production read-only and development read-write in the same interface. Directly useful for clients with strict prod/non-prod separation.
**Enriched SIEM forwarding**: PULSAR forwards raw audit events. AURORA forwards enriched events — audit events correlated with ASTRAL configuration state at the time of the event. This produces materially higher-quality data for SIEM detection rules.
**Pricing** (EUR, ex. VAT):
| Tier | Self-hosted | Hosted (fully managed) |
|------|-------------|----------------------|
| Single tenant | €259/mo (€2,590/yr) | €389/mo (€3,890/yr) |
| Up to 5 scopes | €429/mo (€4,290/yr) | €599/mo (€5,990/yr) |
| Enterprise | Custom | Custom |
Self-hosted customers bring their own Azure OpenAI endpoint (or any OpenAI-compatible API including Ollama for local models). Hosted tier includes managed AI (~500 queries/month fair use).
---
## Regulatory Alignment (EU)
The CQRE suite was designed with EU regulatory requirements as primary constraints, not afterthoughts.
| Regulation | Requirement | CQRE capability |
|------------|-------------|-----------------|
| **NIS2** Art. 21 | Configuration management, logging and monitoring, access control | ASTRAL (config), PULSAR (logging), AURORA (cross-tool analysis) |
| **DORA** Art. 10 | ICT incident log retention and monitoring | PULSAR (permanent audit log retention, searchable) |
| **DORA** Art. 11 | ICT change management records | ASTRAL Git trail (timestamped, reviewed, approved) |
| **GDPR** Art. 5(2) | Accountability principle — demonstrate compliance | ASTRAL Git history is directly usable as audit evidence |
| **GDPR** Art. 32 | Appropriate technical measures for data protection | Continuous config governance + audit log retention |
| **GDPR** Art. 33 | 72-hour breach notification | PULSAR enables rapid incident reconstruction |
| **ISO 27001** A.8.9 | Configuration management | ASTRAL |
| **ISO 27001** A.8.1516 | Logging and monitoring | PULSAR |
**Consultant talking point**: For clients in NIS2-regulated sectors (health, finance, digital infrastructure, public sector), the CQRE suite is not a nice-to-have — it directly maps onto mandatory Article 21 measures. Frame the deployment cost against the supervisory authority's enforcement posture in their country, not against a generic security ROI.
---
## Positioning in Engagements
### Combination A — PULSAR + ASTRAL (free entry, any engagement)
Deploy the free stack at the start of any M365 engagement. ASTRAL provides the baseline capture that week 1 requires. PULSAR provides the audit trail that retained capability clients need. Both are free — there is no procurement barrier.
### Combination B — ASTRAL only (compliance-driven clients)
Clients with ISO 27001 in progress, DORA obligations, or NIS2 scope often need the config change governance story before they need event correlation. ASTRAL alone answers the auditor's question: "show me every M365 change in the last 12 months with evidence it was reviewed and approved."
### Combination C — PULSAR only (incident-response or log-retention clients)
Clients who have had a recent incident and discovered their audit logs were gone, or clients facing insurance requirements for log retention, are natural PULSAR deployments. Value is immediate — longer retention, bulk search, alerting.
### Combination D — Full stack with AURORA (mature clients, retained relationships)
Clients who have run PULSAR + ASTRAL for at least one module cycle are ready for AURORA. The upsell requires no education — they already know the cross-tool investigation pain that AURORA removes. AURORA self-hosted is the right recommendation for technically capable clients with data sovereignty requirements. AURORA hosted is the right recommendation for SMBs who want zero operational burden.
### What to avoid
Do not lead with AURORA in a first engagement. The value of the cross-tool diagnostics is only legible to clients who have experienced the investigation friction of running PULSAR and ASTRAL separately. Clients who have not felt that pain will not pay for the solution.
---
## Deployment Prerequisites
| Product | Prerequisites |
|---------|--------------|
| ASTRAL | Azure DevOps organisation, Entra app registration (provisioned by bootstrap script), write access to ADO Git repo |
| PULSAR | Docker Compose capable host (or Azure Container Apps for cloud deploy), Entra app registration (provisioned by bootstrap script), MongoDB |
| AURORA | Running PULSAR + ASTRAL with MCP servers enabled; AURORA licence key; Docker Compose or Azure Container Apps |
---
## Objection Handling
**"We already have Microsoft Purview / Sentinel."**
Purview and Sentinel are E5 features — €28+/user/month. The CQRE free stack provides comparable log retention and config governance for the entire engineering cost of deploying it. For clients already at E5, AURORA provides the correlation layer that Sentinel and Purview still do not natively deliver.
**"We don't want to run our own infrastructure."**
AURORA hosted solves this. CQRE manages the entire stack. Single tenant starts at €389/month — less than one day of external incident response.
**"We tried open source tools before and found them too complex."**
The complexity objection is usually a maintenance objection, not a deployment objection. Address it directly: who will own this after we leave? If the client cannot name a person, the sovereign stack requires a retained capability support arrangement. If they can, the deployment is a few hours of consultant time.
**"Can we see the code?"**
ASTRAL and PULSAR are fully open source (MIT licensed) on GitHub. AURORA is commercial source — clients can request a code review under NDA as part of enterprise procurement.
---
*For the full sovereign tool stack including third-party open source tools, see [Sovereign Tool Stack](sovereign-tool-stack.md).*
*For module pairings and engagement sequencing, see [Modular Engagements](../core/modular-engagements.md).*
*For retained capability support arrangements, see [Retained Capability](../core/retained-capability.md).*
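Review bot: The Deployment Prerequisites table should document the permissions and exposure surface that the rest of this file implies but never states. The ASTRAL workflow performs an automated restore when a reviewer rejects a change, so its app registration must hold write scopes on Conditional Access, Intune and Entra objects, while PULSAR's needs only read access to the audit APIs; the table says "provisioned by bootstrap script" for both without naming what is granted. Both MCP servers (ASTRAL on Azure Container Apps, PULSAR over stdio and SSE) expose tenant configuration, drift history and audit events to whatever can reach them, and AURORA requires them to be enabled, yet only PULSAR's "Entra OIDC auth" is mentioned and nothing says how the SSE endpoint or the ASTRAL MCP endpoint are authenticated or network-restricted. Add a row or short subsection listing the Graph permissions each bootstrap grants and the authentication and network requirement for each MCP endpoint, otherwise a consultant following this page stands up a privileged, reachable path into the client tenant without knowing it. Smaller points in the same file: the PULSAR-only positioning lists "alerting" as immediate value, which contradicts the maturity note that alerting is proof-of-concept with no rule UI and no retry; "Modules 15 (all M365 modules)" under ASTRAL reads as a dropped range separator and should name the modules meant; "ISO 27001 A.8.1516" should be "A.8.15 / A.8.16" (Logging; Monitoring activities); and the DORA article numbers and the "90 days" portal retention figure should be checked against current sources before the regulatory table is shown to a client, given that the talking point tells consultants to argue cost against the supervisory authority's enforcement posture.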