diff --git a/antifragile-consulting/playbooks/sovereign-tool-stack.md b/antifragile-consulting/playbooks/sovereign-tool-stack.md index 705164c..424b7cb 100644 --- a/antifragile-consulting/playbooks/sovereign-tool-stack.md +++ b/antifragile-consulting/playbooks/sovereign-tool-stack.md 
@@ -570,6 +570,139 @@ Beyond the core stack, these tools address specific niches that arise in sophist --- +## When to Partner Commercially: The Partnership Doctrine + +> *"We are vendor-independent, not vendor-hostile. We deploy open-source by default. We partner commercially when the partner provides capabilities that open-source cannot match at reasonable cost, or when their managed service layer allows us to deliver 24/7 protection that a small team cannot provide directly."* + +This section addresses a practical reality: our practice is currently 5 people, growing toward 15-20. We cannot build everything. We cannot monitor everything 24/7. And some clients' procurement departments, auditors, or regulators require vendor-backed solutions regardless of technical merit. + +The partnership doctrine is simple: **open-source first, commercial when the gap is structural.** + +--- + +### The Partnership Decision Framework + +| Factor | Open-Source Wins | Commercial Wins | Our Rule | +|--------|-----------------|-----------------|----------| +| **Capability** | Detection logic, queries, custom rules | 24/7 eyes-on-glass, managed response, guaranteed SLA | If it requires a night shift, partner | +| **Compliance** | Operational evidence, configuration data | Audit-ready reports, vendor attestation, certifications | If the auditor demands a vendor logo, partner | +| **Scale** | <5,000 endpoints, <500 cloud resources | >5,000 endpoints, complex multi-cloud, heavy OT | If osquery scripts take 4 hours to run, partner | +| **Time to value** | Days to weeks (configuration, tuning) | Hours to days (SaaS onboarding) | If the client has 30 days and zero patience, partner | +| **Margin** | 100% labour margin, 0% license margin | 15-30% license margin + labour margin | If the partner pays us to sleep, consider it | +| **Differentiation** | Unique queries, custom integrations, our IP | None (every competitor resells the same tool) | If the partner makes us generic, refuse | + +--- + 
+### Tier 1: Strategic Partnerships (Core to Our Offering) + +These are partnerships we invest in deeply. We train the team, build integration playbooks, and offer them as first-choice solutions in client conversations. + +#### Huntress — Managed Endpoint Detection and Response + +| Attribute | Detail | +|-----------|--------| +| **What they provide** | Managed EDR for SMBs and mid-market: 24/7 threat hunting, incident response, ransomware rollback. Agent deployment via RMM or Intune. | +| **Why we partner** | Our open-source EDR stack (Wazuh + Sysmon) is excellent for clients who want sovereignty. But it requires us to tune rules, investigate alerts, and respond to incidents. Huntress provides the 24/7 layer we cannot staff at 5-20 people. We bring the strategic context; they bring the night shift. | +| **Client archetype** | E3 clients without Defender P2; municipalities; professional services; any client who needs EDR but cannot justify CrowdStrike or SentinelOne | +| **Engagement model** | We deploy and configure Huntress as part of Module 1 or 3. We retain the relationship and add our own detection rules via AOC for M365 context. Huntress handles the endpoint. We handle the narrative. | +| **Financial model** | Per-endpoint licensing with partner margin. We bill labour for deployment, tuning, and quarterly reviews. The recurring license revenue funds our growth without proportional labour increase. | +| **When NOT to use** | Clients who require air-gapped networks; clients with sovereign-data mandates that prohibit third-party agent telemetry; clients who explicitly want to own their detection logic (then we deploy Wazuh) | + +**The conversation**: + +> *"We can build you a sovereign EDR on Wazuh and Sysmon. It will cost less in licensing and you will own every rule. But it requires someone to watch it 24/7. At your size, that someone does not exist yet. Huntress gives you the 24/7 eyes and the ransomware guarantee today. 
As you grow, we can migrate you to the sovereign stack. You are not locked in. You are staged."* + +--- + +#### Thinkst Canary — Deception and Early Warning + +| Attribute | Detail | +|-----------|--------| +| **What they provide** | Hardware and virtual canaries that simulate valuable services (RDP, SMB, SQL, Git, AWS keys). When probed, they alert instantly with zero false positives. | +| **Why we partner** | OpenCanary is excellent for simple deployments. Thinkst Canary is enterprise-grade: tamper-proof hardware, cloud console, automated fleet management, and legal-grade evidence collection. For regulated clients, the difference matters. | +| **Client archetype** | Banking, utilities, telco, any client with flat network topology or legacy protocols; any client who has had an undetected breach | +| **Engagement model** | We conduct a deception architecture design (where to place canaries, what to simulate, how to integrate with SOC). Thinkst provides the devices. We manage the fleet and respond to alerts. | +| **Financial model** | Hardware/virtual license with partner margin. Annual management fee from us for monitoring, tuning, and incident response. High margin, low touch after initial deployment. | +| **When NOT to use** | Very small clients with <50 endpoints and flat Wi-Fi (OpenCanary is sufficient); clients who cannot justify the hardware cost | + +**The conversation**: + +> *"Your network is a haystack. Your EDR looks for needles. We are going to place a few golden needles—devices that look exactly like your domain controllers and file servers—and watch who touches them. Nobody legitimate will ever touch them. Any alert is an attacker. Thinkst Canary is the only product I have seen with a genuine zero false positive rate."* + +--- + +#### Tenable — Enterprise Vulnerability Management + +| Attribute | Detail | +|-----------|--------| +| **What they provide** | Tenable.sc (on-premise), Tenable.io (cloud), and Tenable.asm (attack surface management). 
The gold standard for compliance-auditable vulnerability management. | +| **Why we partner** | Our osquery + FleetDM + Prowler stack finds vulnerabilities at low cost for small-to-mid estates. Tenable provides audit-ready reports, authenticated deep scanning, OT/ICS compatibility, and the vendor attestation that regulators and auditors demand. We do not lead with Tenable. We lead with our stack. We bring Tenable in when the client needs compliance evidence or exceeds the scale where open-source is efficient. | +| **Client archetype** | Banking (DORA audit), utilities (NIS2), telco (regulatory), any client with >5,000 endpoints or OT networks | +| **Engagement model** | Phase 1: osquery + Prowler discovery sprint proves value and identifies gaps. Phase 2: Tenable deployed for continuous compliance scanning and audit reporting. We operate the platform and interpret results. Tenable provides the engine. | +| **Financial model** | Per-asset license with partner margin. We bill for platform operation, report interpretation, and remediation management. | +| **When NOT to use** | Clients with <500 endpoints and no compliance mandate (overkill); clients who explicitly want sovereign vulnerability management (osquery + Grype is sufficient) | + +**The conversation**: + +> *"In our first 5-day sprint, we found 340 vulnerabilities using open-source tools. We fixed the critical ones in two weeks. Now your auditor wants a quarterly attestation report from a vendor-recognised platform. Tenable provides that. We do not replace our discovery stack with Tenable. We add Tenable for the compliance layer while our stack handles the operational intelligence."* + +--- + +### Tier 2: Situational Partnerships (Deploy When Client Need Dictates) + +These are tools we do not lead with, but we have partnership relationships ready when the specific gap arises. + +| Partner | Gap Filled | Client Trigger | Why Not Open-Source? 
| +|---------|-----------|----------------|---------------------| +| **Delinea** (formerly Thycotic) | Privileged Access Management (PAM) | Client needs vaulting, session recording, or just-in-time access; CyberArk is overbudget | Secret Server is mid-market friendly; open-source PAM (Teleport, Vault) requires more engineering than most clients can sustain | +| **KnowBe4** | Security awareness training and phishing simulation | Compliance mandate (ISO 27001, NIS2) requires documented training; GoPhish lacks content library | GoPhish is free but building campaigns and content takes consultant labour. KnowBe4 automates the content and reporting, freeing us for higher-value work. | +| **Veeam** | Backup and disaster recovery | Module 7 (Recovery & Resilience) requires validated backup architecture; native M365 backup is insufficient | ASTRAL backs up configuration, not data. Veeam is the standard for on-premise, cloud, and M365 data protection. Strong channel margins. | +| **Proofpoint / Mimecast** | Email security gateway | EOP is insufficient; client has had phishing-driven breaches; regulated industry mandates advanced filtering | These are specialised email security platforms with mature partner programmes. We deploy, tune, and manage. The client gets defence in depth. | + +--- + +### Tier 3: Consultant Productivity Tools (Not Client-Facing Partnerships) + +These are tools we purchase for our own team to deliver services more effectively. They are not resold to clients, but they enable us to compete with larger consultancies. + +| Tool | Purpose | Why We Pay For It | +|------|---------|-------------------| +| **Burp Suite Professional** | Web application penetration testing | The industry standard. Community edition is too limited for professional engagements. | +| **Cobalt Strike** (or **Sliver** for budget-conscious) | Red team C2 and adversary simulation | When clients specifically require Cobalt Strike for insurance or compliance validation. 
Sliver is our default; Cobalt Strike is the enterprise alternative. | +| **Offensive Security / SANS training** | Consultant skill development | Our team must maintain current certifications. Training is a cost of doing business, not a partnership. | +| **Microsoft Action Pack / CSP** | Internal M365 licensing for testing | We need sandbox tenants to test ASTRAL and AOC before client deployment. Microsoft's partner programme provides this at low cost. | + +--- + +### What We Do NOT Partner With (And Why) + +| Category | Example | Why We Refuse | +|----------|---------|---------------| +| **All-in-one security platforms** | CrowdStrike, Palo Alto, SentinelOne | They replace our entire stack with a black box. We become a reseller, not a consultant. The client loses sovereignty. We lose differentiation. | +| **Generic SIEM** | Splunk, Datadog, Elastic Cloud | Wazuh + TheHive + AOC covers 90% of client needs. Splunk requires a €100K+ commitment and a dedicated engineer. We refer complex SIEM needs to specialists rather than pretending to be one. | +| **AI security startups** | Any vendor claiming "AI-powered" threat detection with no transparent model | Our AI strategy is sovereign: Azure OpenAI bridge and local LLMs. We do not resell opaque AI tools that we cannot explain to a board. | +| **M365 management competitors** | CoreView, AdminDroid, Quest | ASTRAL and AOC are our proprietary differentiators. Partnering here would undermine our own product investment. 
| + +--- + +### The Partnership Portfolio for a 5→20 Person Practice + +**Year 1 (5 people, ~€500K revenue)**: +- Tier 1: Huntress (managed EDR recurring revenue) + Thinkst Canary (deception, high margin) +- Tier 2: Delinea and KnowBe4 (referral relationships, not yet deep) +- Tier 3: Burp Suite Pro + Sliver + Microsoft Action Pack +- Open-source first for everything else + +**Year 3 (15 people, ~€2M revenue)**: +- Tier 1: Huntress + Thinkst + Tenable (full enterprise VM partnership) +- Tier 2: Delinea, KnowBe4, Veeam, Proofpoint (active partner status, trained engineers) +- Tier 3: Cobalt Strike license for red team; additional SANS/training budget +- ASTRAL and AOC monetised as SaaS products with their own revenue stream + +**The rule**: Every commercial partnership must either (a) provide a capability we cannot build, (b) generate recurring revenue without proportional labour, or (c) satisfy a compliance requirement that open-source cannot meet. If it does none of these, we decline. + +--- + ## The Honest Limitations | What Our Stack Does Well | What It Cannot Do | 
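Review bot: the endpoint thresholds in this hunk disagree with each other. The Partnership Decision Framework table puts the open-source/commercial boundary at 5,000 endpoints ("<5,000 endpoints" open-source, ">5,000 endpoints" commercial), while the Tenable "When NOT to use" row says "<500 endpoints and no compliance mandate (overkill)", which leaves 500 to 5,000 endpoints without a rule; either align the two numbers or state explicitly that in the 500 to 5,000 band the compliance mandate decides. Second, the Thinkst conversation script asserts "a genuine zero false positive rate" and the attribute table says "zero false positives", but the same playbook deploys Tenable authenticated scanning on the same estates, and a network scanner will probe every simulated RDP/SMB/SQL service; the deception architecture design step should say that authorised scanner sources are allow-listed in the canary console and that every other hit is treated as hostile, otherwise the "any alert is an attacker" line will fail on the first scheduled scan. Third, the Huntress row excludes "clients with sovereign-data mandates that prohibit third-party agent telemetry", yet no Tier 1 or Tier 2 row records where each partner's console and telemetry are hosted or which sub-processors are involved; adding a "Data residency" attribute to the Tier 1 tables would let the "sovereignty" exclusions be applied from the document rather than from memory.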
@@ -596,8 +729,9 @@ Beyond the core stack, these tools address specific niches that arise in sophist | [Osquery: The Sovereign Discovery Platform](osquery-custom-platform.md) | osquery + FleetDM is the endpoint discovery layer; Wazuh extends to behavioural detection; Velociraptor adds forensic hunting | | [Blue/Purple Team Foundation](../core/blue-purple-team-foundation.md) | Wazuh + TheHive + Cortex + Shuffle form the open-source SOC stack; AOC adds M365-specific detection; Sliver enables adversary simulation; OpenCanary provides deception | | [Retained Capability](../core/retained-capability.md) | Detection Engineering retained capability is built on Wazuh + AOC + Shuffle; Threat Context on TheHive + Cortex + OpenCTI | -| [Modular Engagements](../core/modular-engagements.md) | Each module has a recommended tool pairing in the matrix above | -| [AD and Endpoint Hardening](ad-endpoint-hardening.md) | BloodHound maps attack paths; Purple Knight / Forest Druid score AD security; Velociraptor hunts forIndicators of Compromise on domain controllers | +| [Modular Engagements](../core/modular-engagements.md) | Each module has a recommended tool pairing in the matrix above; partnership doctrine defines when commercial tools supplement open-source | +| [AD and Endpoint Hardening](ad-endpoint-hardening.md) | BloodHound maps attack paths; Purple Knight / Forest Druid score AD security; Velociraptor hunts for indicators of compromise on domain controllers | +| [Business Case Template](business-case-template.md) | Partnership financial models (Huntress recurring, Thinkst margin, Tenable compliance) feed into client ROI calculations | ---
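Review bot: the new Business Case Template row links to business-case-template.md, a file this patch does not add and that appears nowhere else in the diff; confirm it exists in the playbooks/ directory (the link is relative, like ad-endpoint-hardening.md) before merging, or the Related table ships with a dead link. The same row restates the financial-model claims already made in the Tier 1 tables ("Huntress recurring, Thinkst margin, Tenable compliance"); pointing it at the Partnership Portfolio section instead of repeating the figures keeps the two from drifting apart. The change from "hunts forIndicators of Compromise" to "hunts for indicators of compromise" in the AD and Endpoint Hardening row is a correct fix and matches the casing used in the other rows.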