# About CQRE · Brownhat

> ⚠️ **TEMPLATE — NOT READY TO SHARE** ⚠️
>
> This document contains unfilled `[PLACEHOLDER]` sections. **Do not share this file with clients or external contacts until every placeholder has been replaced with real content and all INTERNAL NOTE sections have been removed.**
>
> To check: `grep -r "\[PLACEHOLDER\]" about-cqre.md` should return no results before this file leaves the repository.
>
> *This document introduces CQRE and the Brownhat methodology to new clients and new team members. Fill every `[PLACEHOLDER]` section with specific, honest information. Avoid generic consulting language — clients can tell. The sections marked **INTERNAL NOTE** contain guidance for completing the template; remove them before sharing externally.*
>
> *A Czech-language version of this document is maintained at [about-cqre-cs.md](about-cqre-cs.md).*

---

## Who We Are

**CQRE.NET Ltd** is a specialist cybersecurity consultancy registered in [PLACEHOLDER: United Kingdom / Edinburgh]. We operate primarily from [PLACEHOLDER: Prague, Czech Republic] and work with clients across [PLACEHOLDER: Central Europe, the UK, and Western Europe].

> **INTERNAL NOTE** — Suggested framing: keep this paragraph to 3–5 sentences. Include founding year, geographic base, and the range of clients you work with (industries, sizes). Do not claim capabilities you cannot currently deliver. Example: *"CQRE.NET Ltd was founded in [year] by [name] to provide honest, methodology-driven security consulting to organisations that have outgrown generic advice. We work primarily with mid-market companies, telcos, and utilities across Central Europe — organisations with real environments, existing investments, and specific threats that generic frameworks do not address."*

[PLACEHOLDER: 3–5 sentence company description]

We operate under the **Brownhat** brand when engaging clients — a name that reflects our core philosophy: we work in brownfield environments (built up, lived in, carrying the weight of past decisions) and our job is to recultivate what exists before recommending anything new.

---

## What We Do

We help organisations close the gaps between their security investments and their actual security posture. In practice, this means:

- Auditing what exists, honestly — not what the policies say should exist
- Maximising the value of tools and licences already paid for
- Closing the kill chain — the specific sequence of failures that would end the business — before anything else
- Building retained capability inside client organisations, not dependencies on us

Every engagement begins with the **Brownhat Diagnostic** — a structured two-day assessment that produces an honest picture of where the organisation stands and what matters most to fix. We do not make recommendations before we understand the environment.

*For the full service menu, see [Modular Engagements](modular-engagements.md).*

---

## How We Think

Five principles shape every recommendation we make:

| Principle | What it means in practice |
|-----------|--------------------------|
| **Structural Decoupling** | We identify and remove hidden dependencies before they become fatal. We do not add complexity that creates new ones. |
| **Optionality Preservation** | We spend your budget on things that preserve your ability to change direction. Every unnecessary tool purchase reduces your strategic flexibility. |
| **Stress-to-Signal Conversion** | Every incident, failure, and near-miss is intelligence. We build systems that learn from disruption rather than merely surviving it. |
| **Sovereign Intelligence** | Your proprietary data should improve your own capability, not a vendor's model. We build tools and systems you own and can operate. |
| **Asymmetric Payoff Design** | Small, targeted investments on existential risks yield disproportionate protection. We never distribute effort evenly — we concentrate it where failure is fatal. |

*For the full philosophical foundation, see [The Antifragile Manifest](antifragile-manifest.md).*

---

## What Makes Us Different

> **INTERNAL NOTE** — This section is the honest competitive differentiation. Be specific. Avoid generic consulting claims ("we are client-focused," "we deliver value"). Name what you actually do differently and be prepared to prove it. The six points below are suggested starting points — edit to reflect your actual differentiation.

**1. We start with what you own.** Most consultants arrive with a shortlist of products. We arrive with a diagnostic. Before any purchase is discussed, we exhaust the capabilities of existing tools. If your Microsoft E3 tenant can close the gap, we configure it. We earn our fees from expertise, not licence margins.

**2. We price by deliverable, not by the hour.** Every engagement has a defined scope and a defined deliverable before work begins. You know exactly what you are paying for. You know exactly what you will hold at the end. There are no open-ended retainers disguised as "ongoing support."

**3. Everything we build belongs to you.** Every script, detection rule, configuration, and runbook produced during an engagement is delivered to your own repository. We do not leave proprietary tools running in your environment. We do not hold your own documentation behind a retainer. When an engagement closes, you are operationally independent.

**4. We disclose our commercial relationships.** We have commercial partnerships with Huntress, Tailscale, Thinkst Canary, and Tenable. When we recommend one of these tools, we say so and explain why the open-source alternative does not meet your specific need. We do not recommend tools because of margin.

**5. We tell you what we cannot do.** We are a small, specialist practice. We do not run a 24/7 SOC. We do not sign off on compliance audits. We do not replace your IT team. We work alongside your people, build capability inside your organisation, and leave. If a need falls outside our practice, we say so and point you to the right provider.

**6. [PLACEHOLDER: Your sixth differentiator]**

> **INTERNAL NOTE** — Add a differentiator specific to your practice. Examples: deep expertise in a specific vertical (OT/utilities, Czech regulatory environment); proprietary tools (ASTRAL, PULSAR, Elysium); language capability; specific certifications; methodology approach.

[PLACEHOLDER: specific differentiator with one concrete example or proof point]

---

## The Team

> **INTERNAL NOTE** — Keep this honest and specific. Do not list certifications you have not maintained or expertise you cannot demonstrate in an engagement. A one-paragraph bio per person is sufficient. If the team is small, own it — "We are a specialist practice of [N] consultants" is a stronger statement than trying to imply scale you do not have.

### [PLACEHOLDER: Name, role]

[PLACEHOLDER: 2–3 sentence bio. Include relevant background, certifications, and the specific expertise this person brings to engagements. E.g., "15 years in enterprise security across financial services and critical infrastructure. OSCP, CISSP. Deep expertise in Active Directory architecture and Microsoft 365 security. Lead consultant for all AD hardening and blue/purple team engagements."]

### [PLACEHOLDER: Name, role — repeat as needed]

[PLACEHOLDER: Bio]

**Certifications held by the team** (as of [PLACEHOLDER: date]):

[PLACEHOLDER: list relevant certifications — e.g., OSCP, CISSP, CEH, AZ-500, SC-200, etc.]

---

## Our Clients

> **INTERNAL NOTE** — Be specific without naming clients who have not given permission. Industry archetypes are fine; specific organisation names require consent. The "what our clients typically look like" framing is honest and does not require disclosure.

We work primarily with:

- **[PLACEHOLDER: industry/archetype]** — [one sentence description of what these clients typically look like and what brings them to us]
- **[PLACEHOLDER: industry/archetype]** — [description]
- **[PLACEHOLDER: industry/archetype]** — [description]

**What our clients typically have in common**: They have been building and running IT infrastructure for years. They have accumulated technical debt, partially deployed tools, and security gaps they know exist but have not had the resources to address systematically. They do not need a new platform — they need someone to make what they have work properly.

---

## Selected Work

> **INTERNAL NOTE** — Anonymised case studies are more credible than logo walls. Use a consistent structure: industry/size + problem + what we did + specific outcome. Three examples are enough. Do not fabricate outcomes or exaggerate scope.

### [PLACEHOLDER: Industry and size, e.g., "Mid-market logistics company, 300 employees"]

**Situation**: [PLACEHOLDER: 1–2 sentences describing the client situation and the trigger for engagement]

**What we did**: [PLACEHOLDER: 1–2 sentences on the specific modules or work performed]

**Outcome**: [PLACEHOLDER: specific, measurable result. E.g., "BloodHound attack paths to Domain Admin reduced from 4,217 to 23. PingCastle score improved from 52 to 81. KRBTGT rotated for the first time in 843 days."]

---

### [PLACEHOLDER: Industry and size]

**Situation**: [PLACEHOLDER]

**What we did**: [PLACEHOLDER]

**Outcome**: [PLACEHOLDER]

---

### [PLACEHOLDER: Industry and size]

**Situation**: [PLACEHOLDER]

**What we did**: [PLACEHOLDER]

**Outcome**: [PLACEHOLDER]

---

## Partnerships and Accreditations

> **INTERNAL NOTE** — Only list active partnerships and current accreditations. Lapsed certifications or partnerships where you have no formal agreement should not appear here.

**Commercial partnerships** (tools we can procure and manage on behalf of clients):

| Partner | What they provide | When we recommend them |
|---------|------------------|----------------------|
| [PLACEHOLDER: e.g., Huntress] | [PLACEHOLDER: e.g., Managed EDR, 24/7 threat hunting] | [PLACEHOLDER: e.g., Clients without Defender P2 who need 24/7 endpoint coverage] |
| [PLACEHOLDER] | | |

**Accreditations and registrations**:

[PLACEHOLDER: company registration numbers, relevant accreditations, professional memberships, cyber insurance, etc.]

---

## What We Do Not Do

> **INTERNAL NOTE** — This section sets honest expectations. A client who discovers a "we don't do that" during an engagement is a dissatisfied client. Better to say it here.

**We do not run a 24/7 operations centre.** We deploy, configure, and enable monitoring tools. For round-the-clock managed response, we work with commercial partners (Huntress, Thinkst Canary) or help clients build internal capability.

**We do not sign off on compliance audits.** We prepare clients for audits — mapping controls, building evidence packages, and closing gaps. The audit opinion belongs to the qualified auditor your regulator requires.

**We do not replace your IT team.** We work alongside your people. Knowledge transfer is part of every engagement. When we leave, your team must be able to operate what we built.

**We do not resell tools we would not use ourselves.** Every commercial recommendation is disclosed and explained. If an open-source alternative meets your need, we deploy that instead.

**We do not take engagements outside our competence.** [PLACEHOLDER: if there are specific areas you decline — e.g., specific industries, specific regulatory regimes, specific geographies — state them here. "We do not currently take on clients requiring SOC 2 Type II certification" or similar.]

---

## How to Engage

**The starting point** for every new client is the Brownhat Diagnostic — a two-day structured assessment that produces a prioritised picture of your security posture and a recommended module sequence. It is a paid, bounded engagement that delivers value regardless of whether any further work follows.

*For the full diagnostic methodology, see [NIST CSF 2.0 Baseline Assessment](../assessment-templates/nist-csf-baseline.md).*

**To start a conversation**:

| | |
|-|-|
| **Email** | [PLACEHOLDER: primary contact email] |
| **Web** | [PLACEHOLDER: website URL] |
| **Languages** | [PLACEHOLDER: e.g., Czech, English, Slovak] |
| **Geography** | [PLACEHOLDER: e.g., Czech Republic, Slovakia, UK; remote engagements across EU] |
| **Response time** | [PLACEHOLDER: e.g., Initial response within 1 business day] |

**Commercial terms summary**:

- Engagements are fixed-scope, fixed-price, with deliverables agreed in writing before work begins
- Payment: [PLACEHOLDER: e.g., 50% at kickoff, 50% at completion]
- Currency: [PLACEHOLDER: CZK / EUR / GBP]
- Contracts governed by: [PLACEHOLDER: Czech law / English law]
- [PLACEHOLDER: any other standard commercial terms worth stating upfront]

---

## In Czech

> *This page is also available in Czech: [O společnosti CQRE](about-cqre-cs.md).*

---

## Integration With Existing Frameworks

| Document | Integration |
|----------|-------------|
| [Engagement Model](engagement-model.md) | The full engagement lifecycle, pricing model, and client requirements referenced in this document |
| [Modular Engagements](modular-engagements.md) | The complete service menu |
| [NIST CSF 2.0 Baseline Assessment](../assessment-templates/nist-csf-baseline.md) | The Brownhat Diagnostic described in the "How to Engage" section |
| [C-Suite Conversation Guide](c-suite-conversation-guide.md) | Client-facing persuasion scripts for executive conversations |
| [Sovereign Tool Stack](../playbooks/sovereign-tool-stack.md) | The tools and partnerships referenced in this document |

---

*For the engagement process, see [Engagement Model](engagement-model.md).*

*For the full service menu, see [Modular Engagements](modular-engagements.md).*