# Antifragile Enterprise Consulting Repository

> *"Wind extinguishes a candle and energizes fire. You want to be the fire and wish for the wind."*
> — Nassim Nicholas Taleb

This repository contains reusable frameworks, playbooks, and assessment resources for consulting engagements focused on building **antifragile organizations**—enterprises that do not merely survive disruption but grow stronger from it.

## What Is Antifragile?

Most security and resilience frameworks optimize for **robustness**—the ability to withstand shocks. Antifragility goes further. An antifragile system:

- **Benefits from volatility** and stressors
- **Learns faster** from failures than from successes
- **Decentralizes critical functions** to avoid single points of failure
- **Treats optionality as a strategic asset**, not overhead

## Repository Structure

```
├── core/  # Foundational frameworks and principles
│   ├── move-fast-and-fix-things.md  # Company philosophy: speed, repair, existing tools
│   ├── antifragile-manifest.md  # The five pillars of antifragile enterprise
│   ├── modular-engagements.md  # Menu of independent, self-contained modules
│   ├── ai-sovereignty-framework.md  # AI sovereignty as a strategic mandate
│   ├── ai-operations-inevitability.md  # Why defensive AI is inevitable (business AI is optional)
│   ├── azure-openai-sovereignty-bridge.md  # Azure OpenAI/Foundry as sovereignty stepping stone
│   ├── organizational-resilience.md  # Dev/Sec/Ops merger and shift-left arguments
│   ├── quality-management-engagement.md  # Embedded process assurance for teams feeling "not in control"
│   ├── blue-purple-team-foundation.md  # Building defensive capability from existing tools
│   ├── retained-capability.md  # What to keep in-house when outsourcing security (MSSP, pentest, compliance)
│   ├── executive-summary.md  # One-page board brief
│   ├── c-suite-conversation-guide.md  # Persuasion scripts for top management
│   └── t0-asset-framework.md  # Tier 0 asset classification and protection
├── playbooks/  # Executable modernisation and response plans
│   ├── rapid-modernisation-plan.md  # 30-60-90-180 day transformation roadmap
│   ├── endpoint-management-entry-vector.md  # Intune/device management as engagement entry point
│   ├── ai-assisted-tvm.md  # AI-powered vulnerability management blueprint
│   ├── zero-budget-vulnerability-discovery.md  # Script-based vuln discovery without commercial scanners
│   ├── perimeter-scanning-capability.md  # External attack surface scanning strategy
│   ├── osquery-custom-platform.md  # Build a sovereign vuln/asset discovery platform on osquery
│   ├── m365-antifragile-project.md  # M365 greenfield/modernisation with antifragile design
│   ├── m365-e3-hardening.md  # M365 E3-specific tactical hardening
│   ├── ad-endpoint-hardening.md  # On-prem AD, Windows endpoint, hybrid identity
│   ├── zero-budget-hardening.md  # Maximize existing tool investment
│   ├── implementation-playbook.md  # Step-by-step operational guide
│   └── business-case-template.md  # Financial justification and ROI framework
│   ├── sovereign-tool-stack.md  # Open-source arsenal and capability map
├── assessment-templates/  # Diagnostic tools and maturity models
│   ├── README.md  # Assessment roadmap and development plan
│   ├── antifragile-risk-register.md  # Antifragile risk taxonomy and register template
│   └── m365-project-risk-register.md  # M365 project-specific risk register
├── reference/  # External standards, mappings, and citations
│   ├── cis-controls-mapping.md  # CIS Controls v8 alignment
│   ├── nist-csf-mapping.md  # NIST CSF 2.0 alignment
│   ├── vertical-power-utilities.md  # Power generation, transmission, water utilities
│   ├── vertical-telco.md  # Telecommunications and mobile operators
│   └── vertical-banking.md  # Financial services regulatory alignment
└── assets/  # Diagrams, visuals, and presentation materials
```

## Our Posture: Move Fast and Fix Things

This practice is built on a simple, actionable stance: **move fast and fix things**. We do not wait for perfect plans. We identify the kill chain, extract value from existing investments, and close existential gaps before they become incidents.

- **Speed is a security control.** A 90% solution deployed today outperforms a 100% solution that ships in six months.
- **Work beats purchases.** Most organizations own 60-80% of the capabilities they need. We configure and operationalize before we shop.
- **Every fix must produce a signal.** A remediation without telemetry is a remediation that will rot.

Read the full [Move Fast and Fix Things](core/move-fast-and-fix-things.md) philosophy.

## Core Pillars

1. **[Structural Decoupling](core/antifragile-manifest.md#pillar-1-structural-decoupling)** — Remove hidden dependencies before they become fatal ones
2. **[Optionality Preservation](core/antifragile-manifest.md#pillar-2-optionality-preservation)** — Maintain strategic exits and alternatives at every layer
3. **[Stress-to-Signal Conversion](core/antifragile-manifest.md#pillar-3-stress-to-signal-conversion)** — Turn failures, attacks, and outages into intelligence
4. **[Sovereign Intelligence](core/antifragile-manifest.md#pillar-4-sovereign-intelligence)** — Own your cognitive infrastructure; never rent your ability to think
5. **[Asymmetric Payoff Design](core/antifragile-manifest.md#pillar-5-asymmetric-payoff-design)** — Engineer outcomes where small investments yield disproportionate protection

## Standards Alignment

Our approach is not an alternative to established frameworks. It is the fastest path to meeting them while building real resilience:

- **[CIS Controls v8](reference/cis-controls-mapping.md)** — IG1 as a non-negotiable 90-day floor, achieved primarily through existing tool configuration
- **[NIST CSF 2.0](reference/nist-csf-mapping.md)** — All six functions addressed with emphasis on GOVERN as the missing keystone

## Quick Start for Executives and Board Members

1. **Read** [Executive Summary](core/executive-summary.md) — one page, five minutes, the full case
2. **Review** [Business Case Template](playbooks/business-case-template.md) — financial justification, ROI, and risk quantification
3. **Browse** [C-Suite Conversation Guide](core/c-suite-conversation-guide.md) — how your advisors should frame the conversation

## Quick Start for Consultants

1. **Open** `core/move-fast-and-fix-things.md` — understand the engagement posture
2. **Read** `core/antifragile-manifest.md` — understand the philosophy
3. **Study** `playbooks/m365-e3-hardening.md` — master the primary client environment (most clients are E3)
4. **Study** `playbooks/ad-endpoint-hardening.md` — cover on-premises AD and endpoint gaps
5. **Study** `playbooks/zero-budget-hardening.md` — extract value from existing tools in 30 days
6. **Deploy** `playbooks/rapid-modernisation-plan.md` — run the 30-60-90-180 day roadmap
7. **Reference** `core/t0-asset-framework.md` and `core/ai-sovereignty-framework.md` — classify assets and own intelligence
8. **Map** `reference/cis-controls-mapping.md` and `reference/nist-csf-mapping.md` — align to standards
9. **Adapt** `reference/vertical-power-utilities.md`, `reference/vertical-telco.md`, or `reference/vertical-banking.md` — tailor for regulated critical infrastructure clients

## Usage and Licensing

These documents are designed for reuse across client engagements. Adapt, remix, and extend. Credit the framework when presenting externally.

---

*Built for practitioners who defend the future, not just the perimeter.*