New: assessment-templates/assessment-team-guide.md
Pre-engagement: access checklist (M365, AD, docs); tool preparation
with deployment times; what to do if access is not ready.
Day 1 discipline: deploy ASTRAL and PULSAR before workshops start.
Step-by-step ASTRAL and PULSAR deployment commands. Passive external
scan in background. Microsoft Secure Score baseline.
Workshop signals: table of client statements -> likely findings ->
what to check on Day 2. Feeds technical assessment planning.
Day 2-3 tool runs in sequence:
1. CAExporter (30 min) - CA policy reality check; report-only mode;
exclusion groups defeating the purpose
2. BloodHound (1-2h) - 5 required queries; KRBTGT last set check;
Domain Admins on workstations; service account attack paths
3. Elysium (2-4h) - privilege requirements noted; privacy model
explanation; what to document
4. Purple Knight (30 min) - indicators to focus on; cross-reference
with BloodHound
5. Entra ID manual checks (1h) - app registrations, guest accounts,
MFA registration status, AD Connect sync account
6. Intune/endpoint check (30 min) - via ASTRAL output
7. External attack surface (30-60 min) - Nmap, Shodan, crt.sh
8. Firewall rule review (30-60 min) - what to look for
9. Backup spot check (30 min) - the 'green tick' test
Kill chain synthesis: explicit step-by-step method for tracing
from outside to organisational failure.
Finding triage: kill chain test table; common priority inflation
mistakes.
Quick wins: 8-item checklist; three tests a quick win must pass.
Report structure: 5 sections, target 15-25 pages, specific guidance
per section including what makes a weak vs strong finding.
ASTRAL/PULSAR handover requirements before leaving site.
9 common assessment mistakes named explicitly.
Post-assessment checklist: 10 items before submitting the report.
index.md and assessment-templates/README.md updated.
Co-Authored-By: Tom Kracmar <tom+claude@cat6.cz>
New: assessment-templates/findings-backlog.md
Design principles: lives where client works, every finding has an owner,
feeds the housekeeping stream, accumulates from all sources.
Format: 6-field minimal entry (ID, finding, source, priority, owner,
status) with optional target date/effort/notes/closed date.
P0/P1/P2 priority using kill chain test.
Flat file template for Git-based clients.
Population guide: Day 30 (from Brownhat), subsequent modules, continuous
tools (ASTRAL drift, PULSAR alerts, Elysium, BloodHound).
Monthly housekeeping cycle structure.
Relationship to formal risk register explained.
Backlog health indicators (warning signs it is not functioning).
Wired into existing framework:
move-fast-and-fix-things.md: Rule 4 now names the backlog as the queue
rapid-modernisation-plan.md: Day 30 item 7 and Phase 1 action updated
engagement-model.md: Section 4 deliverables table updated at all stages
assessment-templates/README.md: Production-ready templates section added
index.md: Findings Backlog added to Assessment and Tools table
Co-Authored-By: Tom Kracmar <tom+claude@cat6.cz>
AOC -> PULSAR across 10 files (engagement-model, retained-capability,
modular-engagements, blue-purple-team-foundation, about-cqre, about-cqre-cs,
consultant-field-guide, ai-assisted-tvm, m365-e3-hardening,
sovereign-tool-stack, risk-register-example).
Training-data framing corrected in:
- executive-summary.md: opening paragraph and risk table
- README.md: 90% solution claim -> 30-60% in 180 days
- modular-engagements.md: public API data use claim
- cis-controls-mapping.md: data protection framing
- antifragile-risk-register.md: risk entry softened to accurate framing
- azure-openai-sovereignty-bridge.md: consumer vs enterprise API distinction
Co-Authored-By: Tom Kracmar <tom+claude@cat6.cz>