feat: Rewrite rapid-modernisation-plan and business-case for realism

rapid-modernisation-plan.md:
- Add honest framing section: what 180 days delivers vs. what takes 2-3 years
- Extend Phase 1 from 30 to 60 days; rename to Visibility
- Remove dangerous 'disable all unknown accounts in week 1-2' instruction
- Replace Phase 3 (AI Sovereignty) with Signal and Retained Capability
- Phase 3 now: detection engineering, alert runbooks, knowledge transfer
- Phase 4 made explicitly open-ended (not complete at day 180)
- Fix success metrics: remove unverifiable targets, replace with honest ones
- Remove 'compress Phases 1-2 into 30 days for small orgs' adaptation
- Add 'What This Plan Is Not' practitioner section
- ASTRAL and PULSAR integrated as Phase 1 deliverables
- AI Sovereignty moved to multi-year parallel initiative

business-case-template.md:
- Break-even corrected: Day 90 -> 12-18 months post-programme
- Phase budget table updated: 30/30/30/90 -> 60/60/60/ongoing
- Phase names and deliverables aligned with revised RMP
- AI sovereignty removed from core deliverables
- Sensitivity analysis: 3 scenarios -> 4 including abort condition
- Alternatives table: AI sovereignty removed from Antifragile programme description
- ROI table: cloud AI cost line replaced with audit preparation time saving
- The Ask: 30-day first gate -> 60-day first gate

Co-Authored-By: Tom Kracmar <tom+claude@cat6.cz>
Claude Sonnet 4.6
2026-06-05 09:47:25 +00:00
parent 3062e435ca
commit 878fca3f0b
2 changed files with 236 additions and 236 deletions
@@ -14,9 +14,9 @@ This template provides a reusable structure for building financial justification
| Element | Content |
|---------|---------|
| **Investment ask** | €[X] over 180 days, phase-gated with go/no-go decisions at days 30, 60, 90 |
| **Primary return** | Reduction of existential cyber risk; regulatory compliance evidence; competitive differentiation through AI sovereignty |
| **Break-even** | Day 90 (via avoided regulatory fine exposure, reduced insurance premiums, or operational resilience) |
| **Investment ask** | €[X] over 180 days, phase-gated with go/no-go decisions at days 60, 120, 180 |
| **Primary return** | Reduction of existential cyber risk; regulatory compliance evidence; operational resilience demonstrable to auditors and insurers |
| **Break-even** | 1218 months post-programme: insurance premium reductions take one renewal cycle; regulatory evidence value accumulates from day 1; incident avoidance value is probabilistic but compounding |
| **Risk of inaction** | Quantified below; summary: [X]% probability of material incident within 24 months at estimated cost of €[Y] |
### Page 2: Cost of Inaction
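Review bot: The revised break-even cell reads "1218 months" where the commit message says 12-18 months; the range separator has been lost, so write it as `12-18 months post-programme` with a plain hyphen so it survives every renderer. The same cell rests on "insurance premium reductions take one renewal cycle" without saying how long that cycle is assumed to be, and since that assumption is what pushes break-even past day 180, state it in the row.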
@@ -58,11 +58,11 @@ Present this as: *"Without intervention, the organization faces an expected loss
| Phase | Timeline | Primary Activity | Estimated Cost | Go/No-Go Gate |
|-------|----------|-----------------|----------------|---------------|
| **1. Hygiene** | Days 0-30 | Configuration of existing tools; identity cleanse; visibility | €[X] (primarily labor) | Day 30: Demonstrate risk reduction or stop |
| **2. Control** | Days 30-60 | ASR, MFA enforcement, network segmentation, vendor lockdown | €[X] (labor + minimal tooling) | Day 60: Validate control effectiveness |
| **3. Sovereignty** | Days 60-90 | Local AI pilot; recovery drills; T0 asset protection | €[X] (labor + local inference hardware if needed) | Day 90: Prove local AI viability |
| **4. Antifragility** | Days 90-180 | Chaos engineering; red team; continuous improvement | €[X] (labor + external testing) | Day 180: Maturity assessment and next-phase planning |
| **Total** | 180 days | | **€[X]** | |
| **1. Visibility** | Days 060 | Kill chain mapping; T0 identity hardening; ASTRAL/PULSAR deployment; T0 backup verified | €[X] (primarily labor) | Day 60: Kill chain documented and T0 hardening complete |
| **2. Control** | Days 60120 | MFA for all users; CA baseline; attack surface reduction; vendor hardening | €[X] (labor + minimal tooling) | Day 120: MFA enforced 100%; P0/P1 vulnerabilities closed |
| **3. Signal** | Days 120180 | Detection rules; alert runbooks; knowledge transfer; housekeeping stream operational | €[X] (labor) | Day 180: Client operates independently; housekeeping running |
| **4. Retained capability** | Ongoing | Quarterly retained scope; detection engineering; housekeeping; structural improvements | €[X]/quarter | Ongoing: measurable queue reduction; annual BloodHound/Elysium |
| **Total (180-day programme)** | 180 days | | **€[X]** | |
#### Cost Categories
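Review bot: The Day 60 gate ("Kill chain documented and T0 hardening complete") omits one of the Phase 1 deliverables listed in the same row, "T0 backup verified"; add it to the gate so the go/no-go actually tests every deliverable the phase promises. The timeline cells ("Days 060", "60120", "120180") have also lost their range separators and should read `Days 0-60`, `Days 60-120`, `Days 120-180`.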
@@ -78,11 +78,11 @@ Present this as: *"Without intervention, the organization faces an expected loss
| Alternative Approach | Cost | Timeline | Risk |
|---------------------|------|----------|------|
| **Do nothing** | €0 | — | Expected loss €[X] over 24 months |
| **Traditional security audit** | €[X] | 90 days | Produces report; no structural change |
| **Full E5 licensing upgrade** | €[X]/user/year | 30 days | Solves some gaps; does not address architecture or AI sovereignty |
| **Managed security service (MSSP)** | €[X]/month | Ongoing | Outsources detection; does not reduce structural fragility |
| **Antifragile program (this proposal)** | €[X] | 180 days | Structural change, regulatory evidence, AI sovereignty, measurable resilience |
| **Do nothing** | €0 | — | Expected loss €[X] over 24 months; growing regulatory exposure |
| **Traditional security audit** | €[X] | 90 days | Produces report; no structural change; findings age immediately |
| **Full E5 licensing upgrade** | €[X]/user/year | 30 days | Solves tooling gaps; does not address architecture, process, or accumulated technical debt |
| **Managed security service (MSSP)** | €[X]/month | Ongoing | Outsources detection; does not reduce structural fragility; dependency without capability transfer |
| **Antifragile programme (this proposal)** | €[X] | 180 days + retained | Structural change, regulatory evidence, measurable kill chain closure, client operational independence |
---
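Review bot: The "Antifragile programme" row now gives a timeline of "180 days + retained" but its Cost cell still shows only €[X]; add the retained figure (the phase table quotes €[X]/quarter) so the alternatives compare like for like with the MSSP row, which is priced per month.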
@@ -97,7 +97,7 @@ Present this as: *"Without intervention, the organization faces an expected loss
| Avoided ransomware recovery | Probability reduction × €4.5M | €[X] | €[Y] |
| Avoided regulatory fine | Probability reduction × % GT | €[X] | €[Y] |
| Insurance premium reduction | 10-20% reduction on cyber premium | €[X] | €[Y] |
| Cloud AI cost stabilization | Shift from variable API costs to fixed infra | €[X] | €[Y] |
| Audit preparation time reduction | ASTRAL Git trail replaces manual evidence gathering for ISO 27001, NIS2, DORA | €[X] | €[Y] |
| Reduced incident response cost | Faster detection and containment | €[X] | €[Y] |
| **Total Quantifiable Return** | | **€[X]** | **€[Y]** |
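Review bot: The new "Audit preparation time reduction" row attributes the saving to the ASTRAL Git trail, but ASTRAL is a Phase 1 deliverable and audits run on their own cycle, so the first-column figure should be prorated to the audits that actually fall after day 60 rather than a full year of saving; a one-line assumption about the audit schedule (ISO 27001, NIS2, DORA) would keep the row defensible.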
@@ -105,7 +105,7 @@ Present this as: *"Without intervention, the organization faces an expected loss
| Return Category | Description |
|----------------|-------------|
| **Competitive moat** | Proprietary data improves only your models; competitors cannot replicate your operational intelligence |
| **Regulatory agility** | Demonstrable continuous controls accelerate regulatory approvals, certification audits, and partnership due diligence |
| **Regulatory agility** | Demonstrable resilience accelerates regulatory approvals, market entries, and partnership discussions |
| **Talent retention** | Engineers and security professionals prefer organizations that invest in durability over firefighting |
| **M&A readiness** | Clean identity architecture, tested recovery, and documented controls increase valuation and reduce due-diligence friction |
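Review bot: The unchanged "Competitive moat" row ("Proprietary data improves only your models") is AI-sovereignty language that this commit removes from the core deliverables and from the alternatives table; either reword it to a return the revised programme actually delivers or drop the row, otherwise the non-quantifiable returns contradict the deliverables section.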
@@ -139,17 +139,18 @@ Present as: *"This program delivers a [X]% return in year one, rising to [Y]% in
| Scenario | Investment Adjustment | Outcome |
|----------|----------------------|---------|
| **Best case** | No additional tooling needed | Program completes under budget; all value from configuration |
| **Base case** | Local AI hardware required for pilot | Slight budget increase; sovereign intelligence proven |
| **Worst case** | Deeper technical debt than anticipated | Extend Phase 1 by 30 days; additional labor cost; still cheaper than incident |
| **Best case** | No additional tooling needed; client IT team engaged and responsive | Programme completes on timeline; all value from configuration; client operational independence achieved at day 180 |
| **Base case** | Minor tooling additions; moderate IT team availability; some change management friction | Programme completes with 24 week slippage on Phase 2 (MFA rollout change management is the usual bottleneck); strong kill chain closure and detection capability |
| **Challenging** | Significant technical debt discovered in Phase 1; IT team constrained; change windows infrequent | Phase 1 extended by 46 weeks; Phase 2 scope narrowed to kill chain critical path; programme value is still genuine — the findings alone are worth the investment; honest client conversation required at day 60 gate |
| **Abort condition** | Executive sponsor departure; IT team fully occupied by another major project; scope fundamentally different from discovery call | Programme paused or stopped at the next gate. Partial phases produce partial value — ASTRAL/PULSAR deployed, kill chain documented. Better to stop honestly than to produce a report that nobody acts on. |
---
### Page 6: Recommendation and Next Steps
**The Ask (Full Program)**:
**The Ask (Full Programme)**:
> *"We recommend approval of a 180-day antifragile enterprise program, structured in four 30-60-90-180 day phases with hard go/no-go gates. The initial 30-day investment is €[X] with a defined deliverable: identification and initial closure of the organizational kill chain. If measurable risk reduction is not demonstrated by Day 30, the program stops with no further obligation."*
> *"We recommend approval of a 180-day antifragile enterprise programme, structured in three 60-day phases with hard go/no-go gates. The initial 60-day investment is €[X] with a defined deliverable: the kill chain documented, T0 accounts hardened, and ASTRAL/PULSAR deployed. If the kill chain is not closed by day 60, the programme stops with no further obligation. The 180-day programme produces a hardened foundation and a client team that can operate it independently — not a complete transformation. What comes after that is a retained capability engagement, scoped separately."*
**The Ask (Modular Alternative)**:
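Review bot: The Full Programme ask stops the programme "if the kill chain is not closed by day 60", but the phase table sets the Day 60 gate at "kill chain documented and T0 hardening complete" and places vulnerability closure at Day 120; align the stop condition with the Phase 1 gate, e.g. "If the kill chain is not documented and T0 hardening is not complete by day 60, the programme stops". The sensitivity rows have also lost their range separators ("24 week", "46 weeks") and should read `2-4 week` and `4-6 weeks`.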