# Antifragile Enterprise Consulting Repository — Index

## For Executives and Board Members

Start here. These documents require no technical background.

| Document | Purpose | Audience |
|----------|---------|----------|
| [About CQRE](core/about-cqre.md) | Who we are, what we do, how we're different — fill this before sharing with clients | CEOs, New Clients, New Hires |
| [O společnosti CQRE](core/about-cqre-cs.md) | Česká verze firemního profilu — pro české klienty a nové členy týmu | Czech Clients, New Hires |
| [Executive Summary](core/executive-summary.md) | One-page strategic overview — read this first | CEOs, Boards, Executive Committees |
| [C-Suite Conversation Guide](core/c-suite-conversation-guide.md) | Scripts, objection handling, and psychological framing | Executives, Advisors |
| [Business Case Template](playbooks/business-case-template.md) | Financial justification, ROI, and risk quantification | CFOs, Boards, Risk Committees |
| [Modular Engagements](core/modular-engagements.md) | Menu of independent modules; choose your starting point | CEOs, CFOs, Procurement |

*For the strategic philosophy, see [Core Frameworks](#core-frameworks) below.*

## For Practitioners and Consultants

Operational and persuasion documents used in engagements. **Start every new client with the [NIST CSF 2.0 Baseline Assessment](assessment-templates/nist-csf-baseline.md)** (the Brownhat Diagnostic) to earn the right to recommend anything.

| Document | Purpose | Audience |
|----------|---------|----------|
| [README](README.md) | Repository overview and quick start | Everyone |
| [Engagement Model](core/engagement-model.md) | How engagements work: lifecycle, client requirements, deliverables, pricing, and consultant delivery discipline | Clients, New Consultants |
| [Consultant Field Guide](core/consultant-field-guide.md) | Internal playbook: decision models, client qualification, module selection, common mistakes, technical onboarding, proposal writing | New Consultants |
| [NIST CSF 2.0 Baseline Assessment](assessment-templates/nist-csf-baseline.md) | The Brownhat Diagnostic: entry workshop for every new engagement | Consultants, CISOs, IT Managers |
| [AI Operations Inevitability](core/ai-operations-inevitability.md) | Defensive AI is inevitable; business AI is optional | CISOs, CTOs, Consultants |
| [Azure OpenAI Sovereignty Bridge](core/azure-openai-sovereignty-bridge.md) | Azure OpenAI/Foundry as pragmatic sovereignty step | CTOs, Architects, Consultants |
| [Organizational Resilience](core/organizational-resilience.md) | Shift left and Dev/Sec/Ops merger talking points | CTOs, CISOs, Consultants |
| [Embedded Quality Assurance](core/quality-management-engagement.md) | Process assurance for teams feeling "not in control" | Heads of Security, Operations, Project Leaders |
| [Blue/Purple Team Foundation](core/blue-purple-team-foundation.md) | Building defensive capability from existing tool investments | CISOs, SOC Managers, Security Architects |
| [Retained Capability](core/retained-capability.md) | What to keep in-house when outsourcing SOC, pentest, compliance | CISOs, CFOs, Procurement |

*For the engagement posture and philosophy, see [Core Frameworks](#core-frameworks) below.*

## Core Frameworks

| Document | Purpose | Audience |
|----------|---------|----------|
| [Move Fast and Fix Things](core/move-fast-and-fix-things.md) | Speed, repair, and maximizing existing investment | Consultants, Executives |
| [Antifragile Manifest](core/antifragile-manifest.md) | Five pillars of antifragile enterprise | Executives, Architects, Consultants |
| [AI Sovereignty Framework](core/ai-sovereignty-framework.md) | Strategic arguments and implementation for local AI | CISOs, CTOs, Security Architects |
| [T0 Asset Framework](core/t0-asset-framework.md) | Tier 0 classification and protection for critical assets | Security Architects, Infrastructure Leads |
| [Quantum Vulnerability Management](core/quantum-vulnerability-management.md) | Sizing remediation into time-budgeted quanta (hours/days/sprint/dark) for the exploitation-first era; companion to Book VII | CISOs, Vulnerability Management, Consultants |
| [Spontaneous Order Principles](core/spontaneous-order-principles.md) | Philosophical foundation for the five pillars | Executives, Architects, Strategists |

## Playbooks

| Document | Purpose | Audience |
|----------|---------|----------|
| [Rapid Modernisation Plan](playbooks/rapid-modernisation-plan.md) | 30-60-90-180 day transformation roadmap | Program Managers, Consultants, CISOs |
| [Endpoint Management Entry Vector](playbooks/endpoint-management-entry-vector.md) | Intune/device management as the ideal engagement entry point | M365 Consultants, Account Managers |
| [AI-Assisted TVM Blueprint](playbooks/ai-assisted-tvm.md) | AI-powered vulnerability management for AI-powered adversaries | CTOs, CISOs, Vulnerability Management |
| [Kill Chain Assessment App](playbooks/kill-chain-assessment-app.md) | Spec for the offline tool that maps unknown estates into an attack graph, computes the shortest existential path, and sizes quanta. Tool: [`tools/kill-chain-assessment.html`](tools/kill-chain-assessment.html) | Consultants, Assessors, Security Architects |
| [Zero-Budget Vulnerability Discovery](playbooks/zero-budget-vulnerability-discovery.md) | Script-based and osquery-based server/container vuln discovery without Tenable/Qualys | Security Engineers, Consultants |
| [Perimeter Scanning Capability](playbooks/perimeter-scanning-capability.md) | External attack surface strategy: build, partner, or hybrid | Security Architects, Consultants |
| [Osquery: The Sovereign Discovery Platform](playbooks/osquery-custom-platform.md) | Build a custom vulnerability and asset inventory platform on osquery | Security Engineers, Consultants, CTOs |
| [M365 Antifragile Project](playbooks/m365-antifragile-project.md) | Greenfield and modernisation with antifragile design | M365 Consultants, Project Managers |
| [M365 E3 Hardening](playbooks/m365-e3-hardening.md) | Tactical hardening for M365 E3 environments | M365 Consultants, Security Engineers |
| [AD and Endpoint Hardening](playbooks/ad-endpoint-hardening.md) | On-prem AD, Windows endpoints, hybrid identity | Infrastructure Consultants, Security Engineers |
| [Zero-Budget Hardening](playbooks/zero-budget-hardening.md) | Maximize existing tools, minimize new purchases | Consultants, CISOs, IT Managers |
| [Implementation Playbook](playbooks/implementation-playbook.md) | Tactical step-by-step delivery guide | Technical Leads, Security Engineers |
| [Sample Engagement: Mid-Market Hybrid](playbooks/sample-engagement-mid-market.md) | Complete worked example: 500 employees, AD+M365 E3, NIS2 scope — findings, kill chain, module sequence, Day 30/90/180 deliverables, populated backlog | Consultants, New Hires |
| [CQRE Product Suite](playbooks/cqre-product-suite.md) | ASTRAL, PULSAR, and AURORA: product details, framework alignment, deployment, and positioning | Consultants, Account Managers |
| [Sovereign Tool Stack](playbooks/sovereign-tool-stack.md) | Full arsenal: Prowler, BloodHound, CISO Assistant, ASTRAL, PULSAR, AURORA, Wazuh, Shuffle | Consultants, CTOs, CISOs |
| [Privileged Access Architecture](playbooks/privileged-access-architecture.md) | PAM design: Teleport, Tailscale/Headscale, JIT access, vendor access governance | Security Architects, Infrastructure Consultants, OT Leads |
| [Sovereign Communications](playbooks/sovereign-communications.md) | Delta Chat chatmail relay, Matrix/Element, crisis out-of-band channels | CISOs, Operations Leads, Incident Response |
| [Business Case Template](playbooks/business-case-template.md) | Financial justification, ROI, risk quantification | CFOs, Boards, Consultants |

## Standards Reference

| Document | Purpose | Audience |
|----------|---------|----------|
| [CIS Controls v8 Mapping](reference/cis-controls-mapping.md) | IG1-IG3 alignment with antifragile actions | Consultants, Auditors, Compliance |
| [NIST CSF 2.0 Mapping](reference/nist-csf-mapping.md) | CSF function mapping and evidence package | Consultants, Auditors, Compliance |

## Vertical References

| Document | Purpose | Audience |
|----------|---------|----------|
| [Vertical: Power and Utilities](reference/vertical-power-utilities.md) | Power generation, transmission, water, OT, NIS2/CER | Consultants in energy/water sectors |
| [Vertical: Telco](reference/vertical-telco.md) | Mobile/fixed operators, signaling security, 5G, fraud | Consultants in telecommunications |
| [Vertical: Banking](reference/vertical-banking.md) | Financial services, DORA, PSD2, SWIFT CSP alignment | Consultants in banking/fintech sectors |

## Assessment and Tools

| Document | Purpose | Audience |
|----------|---------|----------|
| [Assessment Team Guide](assessment-templates/assessment-team-guide.md) | Technical execution guide for the Brownhat Diagnostic: tool sequence, what to run, what to look for, kill chain synthesis, report structure | Assessors, Technical Consultants |
| [Findings Backlog](assessment-templates/findings-backlog.md) | Single source of truth for all findings across every engagement; input queue for the housekeeping stream; pragmatic alternative to a formal risk register | Consultants, IT Leads, Client Teams |
| [NIST CSF 2.0 Baseline Assessment](assessment-templates/nist-csf-baseline.md) | The Brownhat Diagnostic: structured 2-half-day workshop, gap analysis, prioritised module roadmap | Consultants, CISOs, IT Managers |
| [NIST CSF 2.0 — česká verze](assessment-templates/nist-csf-baseline-cs.md) | Brownhat Diagnostika: dotazníky a průvodce workshopem v češtině | Consultants running Czech-language workshops |
| [Module Completion Report](assessment-templates/module-completion-report.md) | Template for the deliverable package at the end of every module | Consultants |
| [Risk Register Example](assessment-templates/risk-register-example.md) | 8 fully populated risk entries from a realistic engagement — calibration reference for consultants | Consultants |
| [Antifragile Risk Register](assessment-templates/antifragile-risk-register.md) | Kill chain-aware risk taxonomy and register template | Risk Managers, Consultants |
| [M365 Project Risk Register](assessment-templates/m365-project-risk-register.md) | M365-specific risk register with phase gates | Project Managers, M365 Consultants |
| [Assessment Templates](assessment-templates/README.md) | Future diagnostic tools and maturity models | Consultants, Auditors |

## Navigation by Role

### For the Executive Sponsor

1. [Move Fast and Fix Things](core/move-fast-and-fix-things.md) — understand the engagement posture and speed philosophy
2. [Spontaneous Order Principles](core/spontaneous-order-principles.md) — understand why antifragile design works at a systems level
3. [Antifragile Manifest](core/antifragile-manifest.md) — understand the strategic philosophy
4. [AI Sovereignty Framework](core/ai-sovereignty-framework.md) — read the executive summary and five strategic arguments
5. [Rapid Modernisation Plan](playbooks/rapid-modernisation-plan.md) — review phases and governance cadence
6. [Zero-Budget Hardening](playbooks/zero-budget-hardening.md) — understand how existing investments are maximized

### For the Security Architect

1. [T0 Asset Framework](core/t0-asset-framework.md) — master the classification and protection model
2. [Implementation Playbook](playbooks/implementation-playbook.md) — follow the workstreams for identity, perimeter, and resilience
3. [Spontaneous Order Principles](core/spontaneous-order-principles.md) — architectural philosophy for why decentralized resilience outperforms centralized control
4. [Rapid Modernisation Plan](playbooks/rapid-modernisation-plan.md) — adapt phases to organizational context

### For the Consultant

**Start here (read in order before your first engagement):**

1. [README](README.md) — repository orientation
2. [Move Fast and Fix Things](core/move-fast-and-fix-things.md) — the Brownhat methodology and engagement posture
3. [Engagement Model](core/engagement-model.md) — lifecycle, scoping, pricing, delivery discipline, and how to handle difficult situations
4. [Consultant Field Guide](core/consultant-field-guide.md) — decision models, client qualification, module selection, the ten common mistakes, technical onboarding, and proposal writing
5. [Antifragile Manifest](core/antifragile-manifest.md) — the five pillars and their client-facing translation
6. [Spontaneous Order Principles](core/spontaneous-order-principles.md) — the philosophical foundation for why antifragile design works
7. [C-Suite Conversation Guide](core/c-suite-conversation-guide.md) — scripts, objection handling, and psychological framing for every executive archetype

**Then study the module delivery toolkit:**

8. [NIST CSF 2.0 Baseline Assessment](assessment-templates/nist-csf-baseline.md) — run this first with every new client (the Brownhat Diagnostic)
9. [Modular Engagements](core/modular-engagements.md) — the full module menu (Modules 1–14) and platform adaptation guide
10. [CQRE Product Suite](playbooks/cqre-product-suite.md) — ASTRAL, PULSAR, and AURORA: what they do, how they fit the framework, and how to deploy them
11. [Sovereign Tool Stack](playbooks/sovereign-tool-stack.md) — the full arsenal: CQRE tools, open-source stack, commercial partnerships, and when to use each
12. [M365 E3 Hardening](playbooks/m365-e3-hardening.md) — primary client environment for MS clients (most are E3)
13. [AD and Endpoint Hardening](playbooks/ad-endpoint-hardening.md) — on-premises identity and endpoint depth
14. [Privileged Access Architecture](playbooks/privileged-access-architecture.md) — Module 13: Teleport, Tailscale/Headscale, JIT access, vendor remote access governance
15. [Sovereign Communications](playbooks/sovereign-communications.md) — Module 14: Delta Chat chatmail relay, Matrix/Element, crisis out-of-band channels

**Reference when needed:**

16. [AI Sovereignty Framework](core/ai-sovereignty-framework.md) — persuasive arguments and objection handling
17. [AI Operations Inevitability](core/ai-operations-inevitability.md) — why defensive AI is not optional
18. [Organizational Resilience](core/organizational-resilience.md) — shift left and Dev/Sec/Ops merger talking points
19. [Retained Capability](core/retained-capability.md) — what to keep in-house when outsourcing SOC, pentest, compliance
20. [Zero-Budget Hardening](playbooks/zero-budget-hardening.md) — extract value from existing tools in 30 days
21. [Zero-Budget Vulnerability Discovery](playbooks/zero-budget-vulnerability-discovery.md) — script-based and osquery-based discovery before scanner procurement
22. [Osquery: The Sovereign Discovery Platform](playbooks/osquery-custom-platform.md) — build owned vulnerability and asset inventory capability
23. [Rapid Modernisation Plan](playbooks/rapid-modernisation-plan.md) — structured engagement roadmap
24. [Implementation Playbook](playbooks/implementation-playbook.md) — tactical delivery guidance
25. [Vertical: Power and Utilities](reference/vertical-power-utilities.md), [Vertical: Telco](reference/vertical-telco.md), or [Vertical: Banking](reference/vertical-banking.md) — sector-specific adaptations
26. [CIS Controls Mapping](reference/cis-controls-mapping.md) and [NIST CSF Mapping](reference/nist-csf-mapping.md) — standards alignment for auditors and regulators

---

*This index is updated as the repository grows.*