cqrenet/antifragile
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Add engagement model, consultant field guide, deliverable templates, CQRE tools integration, and Czech localization

Browse Source 
New documents:
- core/engagement-model.md: Full client-facing engagement lifecycle (Sections 1-6) plus consultant delivery discipline (Section 7)
- core/consultant-field-guide.md: Decision models, client qualification, module selection, 10 common mistakes, technical onboarding, proposal writing
- core/about-cqre.md: Company overview template with [PLACEHOLDER] markers for client-facing use
- core/about-cqre-cs.md: Czech version of company overview (O společnosti CQRE)
- core/executive-summary-cs.md: Czech translation of the board executive summary
- assessment-templates/nist-csf-baseline.md: Full Brownhat Diagnostic workshop methodology (NIST CSF 2.0)
- assessment-templates/nist-csf-baseline-cs.md: Czech version of Brownhat Diagnostic (for Czech-language workshops)
- assessment-templates/module-completion-report.md: Module completion package template
- assessment-templates/risk-register-example.md: 8 fully populated risk entries (Meridian Logistics GmbH fictional engagement)
- playbooks/privileged-access-architecture.md: Module 13 - Teleport, Tailscale/Headscale, JIT access, vendor governance
- playbooks/sovereign-communications.md: Module 14 - Delta Chat chatmail relay, Matrix/Element, crisis channels

Updated documents:
- playbooks/sovereign-tool-stack.md: Added Elysium, CAExporter, E8-CAT, macOS_IntuneManagement, IntunePolicyParser, M365-Scripts; updated capability matrix and module pairings
- core/modular-engagements.md: Module 2 now includes CAExporter as first step; Module 6 includes Elysium password audit
- reference/nist-csf-mapping.md: Added back-reference to nist-csf-baseline.md
- assessment-templates/README.md: Changed Q1/Q2/Q3/Q4 to Phase 1/2/3/4, added Status column
- index.md: Registered all new documents; restructured consultant navigation into three labeled groups (1-25)
- README.md: Updated directory tree; updated Quick Start for Consultants

Czech localization pointers:
- executive-summary.md: Added Česká verze pointer
- nist-csf-baseline.md: Added Česká verze pointer
- engagement-model.md: Added note that client-facing Czech translation is planned

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Tomas Kracmar
2026-05-27 21:33:52 +02:00
parent 7bab42398a
commit 64f73371c9
24 changed files with 3325 additions and 66 deletions
Download Patch File Download Diff File Expand all files Collapse all files
antifragile-consulting/core/modular-engagements.md
+187 -16
View File
@@ -68,6 +68,7 @@ We do not sell monolithic transformation projects. We sell **building blocks** t
**What is delivered**:
- Full identity census: human accounts, service accounts, guests, enterprise apps
- **CA policy register** (CAExporter export): readable documentation of every Conditional Access policy before any changes are made
- MFA enforcement for 100% of users (conditional access with MFA for E3; risk-based conditional access and PIM for E5)
- Legacy authentication blocked tenant-wide
- Privileged access workstation (PAW) architecture for admins
@@ -189,6 +190,7 @@ We do not sell monolithic transformation projects. We sell **building blocks** t
**What is delivered**:
- Full AD identity census with orphan and privilege analysis
- **Elysium password audit**: weak and compromised credential check across all domain accounts; P0 remediation list for accounts on high-value attack paths
- KRBTGT password rotation (if > 180 days stale)
- LAPS deployment to all domain-joined workstations
- Sysmon deployment with SwiftOnSecurity configuration
@@ -362,7 +364,7 @@ We do not sell monolithic transformation projects. We sell **building blocks** t
|-----------|--------|
| **Typical duration** | 60-90 days |
| **Typical investment** | Medium (labor; leverages existing Microsoft security stack) |
| **Prerequisites** | Microsoft Defender (E5) or equivalent EDR; at least one security analyst; willingness to learn |
| **Prerequisites** | An operational EDR — Microsoft Defender E5, CrowdStrike, SentinelOne, or open-source Wazuh+Sysmon (see [Sovereign Tool Stack](../playbooks/sovereign-tool-stack.md) for the zero-cost path); at least one security analyst; willingness to learn |
| **Standalone value** | Operating rhythm for SOC; first guided threat hunt; purple team charter; 12-month capability roadmap |
| **Typical client** | Organizations that own E5/Defender/Sentinel but underutilize them; SOC drowning in noise; no hunt discipline; red and blue teams do not collaborate |
@@ -385,6 +387,72 @@ We do not sell monolithic transformation projects. We sell **building blocks** t
---
### Module 13: Privileged Access Architecture
**The Access Control Module. Replace VPN Sprawl With a Two-Layer Architecture.**
| Attribute | Detail |
|-----------|--------|
| **Typical duration** | 30-60 days |
| **Typical investment** | Low to medium (labor; Teleport CE is free for qualifying clients; Tailscale is per-user commercial) |
| **Prerequisites** | Administrative access to network infrastructure; identity provider (Entra ID, Okta, Google, or any OIDC provider) |
| **Standalone value** | Legacy VPN replaced or supplemented; privileged access recorded; vendor access time-bounded and auditable |
| **Typical client** | Any organisation with legacy VPN sprawl; OT clients with uncontrolled vendor remote access; post-breach clients needing access hardening |
**What is delivered**:
- Access architecture design: which layer handles network access, which handles protocol-aware PAM
- Teleport CE or Enterprise deployment (SSH, RDP, Kubernetes, database proxying; session recording; JIT access)
- Tailscale or Headscale + WireGuard deployment (network-level mesh access)
- Access policy design: who reaches what, when, recorded how
- Vendor access governance: time-bounded, request-approve-record workflow for all third-party access
- Admin training and operational handover
**Executive pitch**:
> *"Your VPN gives everyone on it access to everything behind it. Your vendor credentials have not been rotated in two years. Your admins log into production servers from laptops they also use for email. In 30 days, we replace that with a system where every access request is approved, every session is recorded, and every credential expires the moment it is no longer needed. Your auditor will be able to watch a video of every administrative action ever taken on every critical server."*
**Natural next modules**: Module 2 (Identity Security), Module 6 (On-Premise AD), Module 8 (OT Security)
**See**: [Privileged Access Architecture](../playbooks/privileged-access-architecture.md)
---
### Module 14: Sovereign Communications
**The Resilience Module. Communication That Survives an Incident.**
| Attribute | Detail |
|-----------|--------|
| **Typical duration** | 1-5 days (Delta Chat chatmail); 2-10 days (Matrix/Element) |
| **Typical investment** | Very low (€5-10/month infrastructure for Delta Chat chatmail relay; labor minimal) |
| **Prerequisites** | None — this module has no technical prerequisites |
| **Standalone value** | An operational out-of-band communication channel independent from corporate IT; tested and documented in the incident response plan |
| **Typical client** | Any organisation whose incident response plan assumes Teams or email will be available; OT/utilities/telco operators; organisations with recent breaches or near-misses |
**What is delivered**:
*Tier 1 — Delta Chat (always delivered):*
- Chatmail relay deployed on independent cloud infrastructure (10 minutes; €5-10/month)
- Key personnel enrolled: incident response team, executives, OT operators (as applicable)
- Out-of-band channel documented in incident response runbooks
- Crisis channel tested with a simulated incident
*Tier 2 — Matrix/Element (if full platform warranted):*
- Synapse server deployed (CQRE-managed or client on-premises)
- SSO integration (Entra ID, Okta, Google Workspace)
- Persistent rooms configured for operational teams, incident response, management
- Migration guide for users moving from Teams/Slack
**Executive pitch**:
> *"Your incident response plan says to use Teams. Teams runs on Microsoft's infrastructure, authenticated by your Active Directory, connected through your network. If any of those three things are the incident, your response channel is gone too. We deploy a €7/month server today — it takes ten minutes — that gives your entire response team an encrypted channel on their personal phones, completely independent from everything else you run. This is the cheapest, fastest risk reduction in this entire engagement."*
**Natural next modules**: Module 7 (Recovery & Resilience), Module 8 (OT Security), Module 2 (Identity Security)
**See**: [Sovereign Communications](../playbooks/sovereign-communications.md)
---
## Module Selection Guide
### For the Client Who Knows Their Pain
@@ -404,22 +472,32 @@ We do not sell monolithic transformation projects. We sell **building blocks** t
| "We don't feel in control" | Module 11: Embedded Quality Assurance | 60-90 days |
| "We own tools but can't use them" | Module 12: Blue/Purple Team Foundation | 60-90 days |
| "Our outsourced SOC underperforms" | Module 12 (+ Retained Capability Audit) | 60-90 days |
| "Mythos/AI will find all our vulnerabilities" | AI-assisted TVM Sprint | 30-90 days |
| "AI-powered attackers will outpace our response" | AI-Assisted TVM Sprint | 30-90 days |
| "Our VPN is a mess / vendors have too much access" | Module 13 (Privileged Access Architecture) | 30-60 days |
| "We need a crisis communication channel" | Module 14 (Sovereign Communications) | 1-5 days |
| "We don't know where to start" | Brownhat Diagnostic (NIST CSF Baseline) | 5-10 days |
### For the Client Who Does Not Know Where to Start
**The Diagnostic Path**:
**The Brownhat Diagnostic** — a paid, structured [NIST CSF 2.0 Baseline Assessment](../assessment-templates/nist-csf-baseline.md):
1. **Week 1: Kill Chain Assessment** (included in scoping; no charge)
- Interview stakeholders
- Identify the shortest path to organizational failure
- Recommend the module that closes the most critical gap
1. **Two half-day workshops** with key stakeholders (CIO/CISO, IT lead, one business owner)
- No tools installed; no data collected from systems
- Structured questionnaire across all six NIST CSF 2.0 domains
- Produces an honest picture of current state, not a desired-state checklist
2. **Module selection based on kill chain**:
2. **Deliverables** (5 business days after workshop):
- Current state report: strengths, gaps, and kill chain analysis
- Prioritised module roadmap aligned to findings
- Up to 5 quick wins executable immediately with existing tools
3. **Module selection based on kill chain**:
- Kill chain starts with compromised endpoint → Module 1
- Kill chain starts with stolen credentials → Module 2
- Kill chain starts with unrecoverable systems → Module 7
- Kill chain starts with OT bridge → Module 8
- Kill chain starts with uncontrolled vendor/privileged access → Module 13
- No out-of-band crisis comms capability → Module 14 (deploy immediately, 1 day)
---
@@ -429,14 +507,15 @@ We do not sell monolithic transformation projects. We sell **building blocks** t
```
Month 1-2: Module 1 (Endpoint Management)
↓ Discovers identity and AI gaps
Month 2-3: Module 2 (Identity Security)
↓ Discovers identity and security configuration gaps
Month 2-4: Module 2 (Identity Security) + Module 3 (M365 Security Hardening)
[run in parallel — identity and configuration are different workstreams]
↓ Discovers compliance and data gaps
Month 4-5: Module 4 (Data Governance)
Month 5-6: Module 4 (Data Governance)
↓ Discovers AI shadow usage
Month 5-6: Module 5 (AI Sovereignty Bridge)
Month 6-7: Module 5 (AI Sovereignty Bridge)
↓ Discovers architectural fragility
Month 7-12: Module 10 (Red Team) + selected hardening
Month 8-12: Module 10 (Red Team) + selected hardening
```
### Path B: The Hybrid Infrastructure Organization
@@ -476,11 +555,13 @@ Month 5-7: Module 2 (Identity Security) + Module 3 (M365 Hardening)
Month 8-12: Module 10 (Red Team) + continuous improvement retainer
```
### Path E: The "Mythos / AI Vulnerability Panic" Organization
### Path E: The "AI-Adversary" Organization
*For clients whose leadership has recognized that AI-powered scanners, exploit generators, and vulnerability-discovery tools have permanently shortened the attacker's window.*
```
Week 1-2: AI-assisted TVM Baseline Sprint
Discovers actual exploitable attack surface; beats adversary AI to first move
Week 1-2: AI-Assisted TVM Baseline Sprint
Maps actual exploitable attack surface before adversary tooling does
Month 1-2: Module 1 (Endpoint Management) + Module 2 (Identity Security)
↓ Closes the highest-risk doors while AI TVM operationalizes
Month 2-3: Module 3 (M365 Security Hardening) + AI TVM operationalization
@@ -568,5 +649,95 @@ For clients ready to commit to a multi-module journey, offer **discounted bundle
---
## Platform Adaptation: Non-Microsoft Environments
The strategic framework, assessment methodology, and tool stack (Modules 612) are fully platform-agnostic. Modules 15 use Microsoft 365 as the primary reference environment because it is the dominant client footprint—but every module has direct equivalents on other platforms.
**The principle never changes. The tool that implements it does.**
### Module 1: Endpoint Management Foundation
| Environment | Equivalent Tooling |
|-------------|-------------------|
| Microsoft (default) | Intune + Entra ID |
| Apple-heavy | Jamf Pro or Kandji + Entra ID (BYOD) |
| Mixed SMB | JumpCloud MDM or NinjaRMM |
| Linux-heavy | Ansible + osquery (see [Sovereign Tool Stack](../playbooks/sovereign-tool-stack.md)) |
| Multi-platform enterprise | VMware Workspace ONE or Ivanti |
### Module 2: Identity Security
| Environment | Equivalent Platform |
|-------------|-------------------|
| Microsoft 365 | Entra ID — Conditional Access, PIM, SSPR |
| Google Workspace | Cloud Identity + BeyondCorp Enterprise |
| Independent IdP | Okta (MFA, lifecycle), JumpCloud, or self-hosted Authentik |
| AWS-native | IAM Identity Center + SCPs + CloudTrail |
| Legacy/hybrid | Okta or Ping Identity as federation layer over AD |
**The non-negotiables remain identical across all platforms**: MFA on every account, no shared admin credentials, least-privilege access, full audit logging, and PAW architecture for administrators.
### Module 3: Security Hardening
| Environment | Equivalent Approach |
|-------------|-------------------|
| Microsoft 365 | Secure Score + EOP + ASR rules + LAPS |
| Google Workspace | Admin Security Health Advisory + Workspace Security Advisor + Alert Center |
| AWS | Security Hub + Config Rules + GuardDuty + CloudTrail validation |
| Multi-cloud | Prowler (covers AWS, Azure, GCP — see [Sovereign Tool Stack](../playbooks/sovereign-tool-stack.md)) |
### Module 4: Data Governance and Compliance
| Environment | Equivalent Tooling |
|-------------|-------------------|
| Microsoft 365 | Microsoft Purview (sensitivity labels, DLP, retention) |
| Google Workspace | Google Vault + DLP + Drive labels |
| Cloud-native | AWS Macie (data discovery) + S3 Object Lock (retention) |
| Platform-agnostic | CISO Assistant (open-source GRC) for evidence tracking regardless of platform |
### Module 5: AI Sovereignty Bridge
| Environment | Approach |
|-------------|---------|
| Azure (default) | Azure OpenAI Service + Private Endpoints + Foundry |
| AWS | Amazon Bedrock + VPC endpoints + AWS PrivateLink |
| Self-hosted / sovereign | Ollama or vLLM + quantized open models (Llama 3, Mistral, Phi) |
| Hybrid regulated | On-premise inference + Azure or AWS for burst capacity with data boundary controls |
**The sovereignty test is the same regardless of platform**: Does your proprietary data leave your environment? Can you audit what the model sees? Can you operate if the provider goes down?
### Path F: The Non-Microsoft Organization
```
Month 1-2: Module 6 (On-Premise AD Hardening) if AD is present
— OR —
Module 2 equivalent (Okta / JumpCloud / Google Identity hardening)
↓ Establishes identity foundation
Month 2-3: Module 1 equivalent (Jamf / JumpCloud MDM / Ansible endpoint management)
↓ Establishes device visibility and compliance baseline
Month 3-4: Module 3 equivalent (Prowler cloud scan / Google Workspace hardening)
↓ Closes misconfiguration and hardening gaps
Month 5-6: Module 8 (OT Security) if critical infrastructure
— OR —
Module 9 (Organizational Resilience) if development-heavy
Month 7-12: Module 10 (Red Team) + Module 12 (Blue/Purple Team Foundation)
```
**The Sovereign Tool Stack remains unchanged**: BloodHound, osquery, Prowler, CISO Assistant, Wazuh, TheHive, and the rest of the arsenal operate independently of Microsoft licensing.
---
## Integration With Existing Frameworks
| Document | Integration |
|----------|-------------|
| [Rapid Modernisation Plan](../playbooks/rapid-modernisation-plan.md) | Each module maps to one or more rapid modernisation phases |
| [Business Case Template](../playbooks/business-case-template.md) | Modular pricing structure; per-module ROI |
| [C-Suite Conversation Guide](c-suite-conversation-guide.md) | Modular pitching scripts and objection handling |
| [M365 Antifragile Project](../playbooks/m365-antifragile-project.md) | Modules 1-5 map directly to M365 project workstreams |
| [Antifragile Risk Register](../assessment-templates/antifragile-risk-register.md) | Each module closes a defined risk category |
---
*For the full 180-day rapid modernisation plan, see [Rapid Modernisation Plan](../playbooks/rapid-modernisation-plan.md).*
*For module-specific tactical guidance, see the linked playbooks in each module description.*