# The Sovereign Tool Stack: Open-Source Arsenal for Antifragile Consulting

> *"We do not sell software. We operate a laboratory. Every tool in our stack is either open-source, client-owned, or built by us. The result is intelligence that no vendor can replicate because it is tuned to your specific environment."*

This document provides the complete capability map for our consulting practice: the tools we deploy, why we chose them, how they integrate, and what gaps remain. It is designed for three audiences:

1. **Clients** who want to understand what we bring to an engagement
2. **Consultants** who need to select the right tool for the right module
3. **Our own product team** who are building ASTRAL and AOC to close the M365-native gap

---

## The Philosophy: Sovereign Means Inspectable

| Vendor Black Box | Sovereign Tool |
|-----------------|----------------|
| Proprietary detection logic you cannot audit | **Open-source code you can read, modify, and extend** |
| Data exfiltrated to vendor cloud | **Data stays in your infrastructure or ours** |
| Vendor-defined scan scope and cadence | **You control what is scanned, when, and how deeply** |
| Generic report templates | **Custom outputs tuned to your compliance and risk language** |
| Per-asset licensing that scales poorly | **Free or built-by-us; economics favour the client** |

**The executive framing**:

> *"Tenable is a rented microscope. Our stack is a laboratory. We can ask questions that Tenable never thought to ask because we own the queries, the data, and the integration logic. When we find a gap, we do not open a support ticket. We write a detection rule, a query, or a script—and it is yours forever."*

---

## Our Current Arsenal

### Cloud Posture and Compliance

#### Prowler

| Attribute | Detail |
|-----------|--------|
| **What it does** | Multi-cloud security auditing for AWS, Azure, and GCP. Hundreds of checks mapped to CIS benchmarks, PCI-DSS, ISO 27001, GDPR, and HIPAA. |
| **Why we use it** | It is the most mature open-source CSPM. One tool covers all three major clouds. Output is JSON/CSV/HTML, easy to feed into our reporting pipeline. It runs with read-only credentials (the AWS documentation specifies the `SecurityAudit` and `ViewOnlyAccess` managed policies), so it never writes to the client estate and can be run from a consultant laptop. |
| **Antifragile pillar** | Sovereign Intelligence, Stress-to-Signal Conversion |
| **Engagement modules** | Module 3 (M365 Security Hardening) for Azure; Module 8 (OT Security Assessment) for cloud-connected OT; any cloud-native client |
| **Typical output** | Executive dashboard: "247 findings across 12 services; 23 critical; 5 are internet-facing misconfigurations" |
| **Integration** | Output feeds into AI-assisted TVM prioritisation and CISO Assistant compliance tracking |

**The conversation**:

> *"Prowler audited your AWS estate in 45 minutes and found an S3 bucket with public read access containing backup files. That is not a theoretical risk. That is a data breach waiting for a journalist. We fixed it in 10 minutes. No vendor invoice."*

---

### Active Directory Attack Path Analysis

#### BloodHound

| Attribute | Detail |
|-----------|--------|
| **What it does** | Maps Active Directory attack paths using graph theory; with the AzureHound collector the same graph also covers Entra ID. Shows how an attacker moves from a compromised standard user to Domain Admin in your specific environment. |
| **Why we use it** | BloodHound CE is the open-source edition (SpecterOps sells the commercial BloodHound Enterprise on the same engine). Nothing else visualises AD trust relationships and permission chains as clearly. It turns abstract identity risk into a navigable map. |
| **Antifragile pillar** | Structural Decoupling, Sovereign Intelligence |
| **Engagement modules** | Module 6 (On-Premise AD Hardening); Module 10 (Red Team & Validation); kill chain assessments |
| **Typical output** | "There are 4,217 paths from standard users to Domain Admin. The shortest is 3 hops via an overprivileged service account. Here is the exact account, the exact permission, and the exact remediation." |
| **Integration** | Findings feed into T0 Asset Framework classification and remediation prioritisation |

**Collection caveat**: SharpHound enumerates every object in the domain over LDAP and, with session or local-group collection enabled, connects to every reachable host over SMB. Agree the collection window with the client and expect the run to appear in their detection telemetry; an unannounced collector is indistinguishable from attacker reconnaissance.

**The conversation**:

> *"Your AD has been growing for 15 years.
Nobody remembers why the payroll service account has Replicating Directory Changes permissions. BloodHound remembers. It found 4,217 paths from a standard user to Domain Admin. The shortest is three hops. We are not guessing about AD security anymore."*

---

### Active Directory Security Assessment

#### Purple Knight / Forest Druid

| Attribute | Detail |
|-----------|--------|
| **What it does** | Automated AD security assessment against known vulnerability classes: credential exposure, privileged access gaps, replication security, Kerberos weaknesses, and LDAP/S channel hardening. |
| **Why we use it** | Purple Knight and Forest Druid are free community tools from Semperis (free to use, though not open-source, so their indicator logic cannot be read the way the rest of the stack can). They provide rapid, scriptable AD health checks that complement BloodHound's graph analysis with rule-based security scoring. Purple Knight's indicator set also covers hybrid Entra ID configurations; Forest Druid maps the Tier 0 perimeter, i.e. which objects can reach Tier 0 assets, rather than every path. |
| **Antifragile pillar** | Stress-to-Signal Conversion, Optionality Preservation |
| **Engagement modules** | Module 6 (On-Premise AD Hardening); Module 12 (Blue/Purple Team Foundation); diagnostic week 1 kill chain assessments |
| **Typical output** | AD security score with pass/fail against 50+ indicators; immediate remediation guidance for failed checks |
| **Integration** | Scores feed into antifragile risk register; trended across quarterly retests |

**The conversation**:

> *"Purple Knight scanned your AD forest in 20 minutes and scored 62 out of 100. The failures were not exotic: default LDAP signing disabled, KRBTGT password older than 180 days, and 14 service accounts with SPNs vulnerable to Kerberoasting. These are fixable in a week. Here is the priority order."*

---

### Active Directory Password Audit

#### Elysium (Our Platform)

| Attribute | Detail |
|-----------|--------|
| **What it does** | Automated detection of weak and compromised passwords in Active Directory. Downloads a known-hash database (KHDB) of breached credentials, compares it against domain password hashes obtained with the DSInternals suite, and identifies accounts with dictionary passwords, known-breached credentials, default passwords, or missing AES keys, all without transmitting usernames or plaintext passwords outside the secure host. |
| **Why we built it** | Password spray attacks succeed because users choose weak passwords regardless of policy. DSInternals provides the primitives, but no open-source tool packages the breach-database download, the offline comparison and the reporting into a repeatable, privacy-preserving workflow without expensive PAM integrations. Elysium finds the accounts an attacker would crack first, before they do, while keeping individual identity data confined to a dedicated secure host. Only compressed, encrypted hash data moves between systems; usernames are never part of the transfer. |
| **Antifragile pillar** | Stress-to-Signal Conversion, Sovereign Intelligence |
| **Engagement modules** | Module 6 (On-Premise AD Hardening); Module 10 (Red Team & Validation); any environment where credential-based attacks (password spray, stuffing) are in the threat model |
| **Typical output** | "47 domain accounts match known-compromised hashes. 12 match common dictionary patterns. 3 are privileged accounts. Here is the remediation priority list: force-reset these 3 immediately, notify these 44 via IT policy enforcement." |
| **Integration** | Findings cross-referenced with BloodHound attack path analysis: accounts with weak passwords that also have short paths to Domain Admin become P0 remediations; results tracked in CISO Assistant for credential policy evidence |

**Operational caveat**: reading password hashes out of a domain controller (by directory replication, or from an offline `ntds.dit`) requires the Replicating Directory Changes All right, the same right a DCSync attack abuses. Treat the Elysium host as a Tier 0 asset, grant the right to a dedicated account only for the duration of the run, and remove it afterwards. The run should itself be visible in the client's detection telemetry as replication traffic from a non-DC; if it is not, that is a finding.

**The conversation**:

> *"Your password policy says minimum 12 characters. That tells you the length. It tells you nothing about whether your employees chose 'Summer2024!' or an actual strong password. Elysium tests every account's hash against a database of 800 million known-compromised credentials. We run it on a dedicated host inside your network. No username ever leaves your building.
What we find is a list of accounts a standard password spray tool would crack in under an hour. Last time we ran this, three privileged accounts were on the list."*

---

### Governance, Risk, and Compliance

#### CISO Assistant

| Attribute | Detail |
|-----------|--------|
| **What it does** | Open-source GRC platform for compliance mapping, risk register management, control evidence collection, and audit readiness tracking. |
| **Why we use it** | It replaces €50,000/year GRC platforms with a sovereign alternative. Maps controls to multiple frameworks simultaneously (ISO 27001, NIS2, DORA, SOC 2). |
| **Antifragile pillar** | Sovereign Intelligence, Asymmetric Payoff Design |
| **Engagement modules** | Module 4 (Data Governance); Module 11 (Embedded Quality); all compliance-driven clients |
| **Typical output** | Live compliance dashboard: "DORA Article 12: 14 of 17 controls evidence-complete; 3 gaps assigned to owners with due dates" |
| **Integration** | Pulls findings from Prowler, osquery, BloodHound, and AOC into unified evidence packages |

**The conversation**:

> *"Your auditor wants evidence that you monitor privileged access. CISO Assistant links the BloodHound scan, the Purple Knight score, the AOC admin activity report, and the osquery listening-ports query into a single evidence package for DORA Article 8. No scrambling for screenshots the night before the audit."*

---

### M365 Backup and Change Management

#### ASTRAL (Our Platform)

| Attribute | Detail |
|-----------|--------|
| **What it does** | Git-tracked snapshots of Microsoft Intune and Entra ID configuration with Azure DevOps pipeline-driven drift detection, PR-based review and approval workflow, and baseline restore capability. Answers: *"what does my tenant configuration look like, what changed, and can we revert it?"* |
| **Why we built it** | Microsoft365DSC and IntuneCD can export tenant configuration, but neither treats the result as a governed artefact: there is no PR-based review of every change, no event-driven capture, and no restore pipeline. A tenant with 200 CA policies, 500 Intune profiles, and dozens of authentication methods is unmanageable without version control and drift detection. ASTRAL provides GitOps for M365. |
| **Antifragile pillar** | Structural Decoupling (surface hidden dependencies), Asymmetric Payoff Design (high protection from low deployment cost) |
| **Engagement modules** | Module 1 (Endpoint Management); Module 2 (Identity Security); Module 3 (M365 Security Hardening); retained capability engagements |
| **Typical output** | Rolling PR: "Drift detected: 3 Conditional Access policies modified outside change window; 1 Intune profile deleted; changes attributed to admin@contoso.com via audit log. Reviewer decision: /accept or /reject." |
| **Repository** | [github.com/cqrenet/astral](https://github.com/cqrenet/astral) — free, open source (MIT) |
| **Integration** | Entra ID and Intune baseline; feeds CISO Assistant for compliance evidence; AURORA connects to ASTRAL's MCP server for cross-tool diagnostics |

**What it tracks** (current scope):

*Intune*: App Configuration, App Protection, Applications, Compliance Policies, Device Configurations, Enrollment Configurations, Filters, Scope Tags, Scripts, Settings Catalog.

*Entra*: Named Locations, Authentication Strengths, Conditional Access, App Registrations, Enterprise Applications. Admin role assignments and auth methods policies in development (Phase 1 roadmap).

**Key capabilities**:

- Event-driven change probe (Azure Function App) triggers backup within minutes of a tenant change, instead of hourly polling
- Reviewer `/accept` and `/reject` commands in ADO PR threads; auto-queued restore on rejection
- MCP server (Azure Container Apps) exposes tenant state and drift history to AI assistants
- Optional Azure OpenAI PR narratives: BYOAI, fully optional, ASTRAL is complete without it

**The conversation**:

> *"Your M365 tenant has 400 configuration objects and no version control.
When an admin accidentally deletes a Conditional Access policy at 2 AM, you discover it 6 hours later because users are complaining. ASTRAL detects the deletion within minutes via its event-driven change probe, attributes it to the specific admin session, and offers one-click rollback through the restore pipeline. This is not backup. This is configuration governance."*

**ASTRAL companion utilities (CQRE)**:

| Tool | What it does | When to use |
|------|-------------|------------|
| **macOS_IntuneManagement** | Cross-platform headless PowerShell toolkit for Intune policy export/import and baseline deployment across tenants. Supports baseline manifests, bulk device operations, and cross-tenant dependency mapping. | Brownfield tenant migrations; deploying a clean Intune baseline into a new acquisition; cross-platform (macOS, Linux, Windows) policy management |
| **IntunePolicyParser** | Converts Intune documentation exports to flat CSV/Excel for policy analysis, deduplication, and Power BI dashboards. | Auditing existing policy sets before rationalisation; generating a readable flat register from an ASTRAL snapshot; compliance evidence |
| **M365-Scripts** | Operational PowerShell scripts for MDE device lifecycle management. Current focus: bulk offboarding of devices by tag via the Defender for Endpoint API with dry-run mode and retry logic. | Module 1 device lifecycle cleanup; decommissioning campaigns; offboarding projects |

---

### M365 Audit Log Intelligence

#### PULSAR (Our Platform)

| Attribute | Detail |
|-----------|--------|
| **What it does** | Ingests Microsoft 365 admin audit events (Entra, Intune, Exchange, SharePoint, Teams) into MongoDB and exposes a UI, REST API, and MCP server for search, filtering, alerting, and SIEM forwarding. Answers: *"what happened in my tenant, when, and by whom?"* |
| **Why we built it** | Native M365 audit log retention is capped at 180 days on Audit (Standard), which E3 includes, and one year by default on Audit (Premium), which E5 includes; anything longer needs the 10-year retention add-on. Within that window the history is searchable only through the Purview portal, slow PowerShell, or a paid Sentinel workspace. PULSAR provides permanent retention, fast search, and an MCP interface so AI assistants can query audit history directly. |
| **Antifragile pillar** | Stress-to-Signal Conversion: every admin action becomes permanent, searchable signal |
| **Engagement modules** | Module 12 (Blue/Purple Team Foundation); retained capability (Detection Engineering); any engagement with log retention requirements |
| **Typical output** | UI search: "Show me all Conditional Access policy changes by GlobalAdmin@contoso.com in the last 30 days." MCP query: `search_events(actor="globaladmin@contoso.com", operation="Update conditional access policy", days=30)` |
| **Repository** | [github.com/cqrenet/pulsar](https://github.com/cqrenet/pulsar) — free, open source (MIT) |
| **Integration** | AURORA connects to PULSAR's MCP server for cross-tool diagnostics; alerting rules forward to webhook endpoints; SIEM forwarding to Sentinel/Splunk *(see maturity note)* |

**Sources ingested**:

- Entra ID directory audit logs
- Intune audit logs
- Exchange Online, SharePoint, and Teams via the Office 365 Management Activity API

The Management Activity API keeps content blobs available for seven days only, so ingestion must run continuously; an outage longer than that leaves a gap the API cannot back-fill. Monitor the ingestion job as you would any other detection source.

**MCP tools**: `search_events`, `get_event`, `get_summary`, available over stdio (local) or SSE (remote, with API key or Entra OIDC auth).

> **Maturity note — alerting and SIEM forwarding**: Both features are functional but proof-of-concept quality, suitable for evaluation and non-critical environments. Alerting has no rule management UI and webhook delivery has no retry logic. SIEM forwarding is basic with no delivery guarantees and is not tested at volume. Do not recommend these features for production use in environments where reliability is required; hardening is on the roadmap. AURORA provides production-grade enriched SIEM forwarding for clients who need it now.

**The conversation**:

> *"Microsoft gives you the audit log. They also take it away after 90 days. PULSAR keeps it forever.
When you have an incident six months from now — and you will — and you need to know who added that external user, who modified that CA policy, and what that service principal was doing at 3 AM the week before the breach — PULSAR answers in seconds. Without it, the question is unanswerable."*

---

### M365 Governance Intelligence

#### AURORA (Our Platform — Paid)

| Attribute | Detail |
|-----------|--------|
| **What it does** | A unified operations platform connecting PULSAR and ASTRAL via their MCP servers. Provides AI-assisted cross-tool diagnostics, multi-scope orchestration, and enriched SIEM forwarding that neither product can produce alone. Answers: *"what does it mean and what should I do?"* |
| **Why we built it** | Running PULSAR and ASTRAL separately leaves an investigation gap: audit events and configuration state live in different places with no correlation layer. AURORA closes that gap. |
| **Antifragile pillar** | Sovereign Intelligence (owned observability and reasoning infrastructure), Optionality Preservation (data stays yours; AI layer is pluggable) |
| **Engagement modules** | Retained capability engagements; any client running the full PULSAR + ASTRAL stack |
| **Pricing** | Self-hosted: €259/mo (single tenant), €429/mo (≤5 scopes). Hosted: €389/mo, €599/mo. Enterprise: custom. |
| **Product page** | [aurora.cqre.net](https://aurora.cqre.net) — commercial, self-hosted or CQRE-managed |

**Cross-tool diagnostic tools**:

| Tool | What it answers |
|------|----------------|
| `diagnose_policy_errors` | "Why is this Intune compliance policy erroring on some devices but not others?" Pulls ASTRAL policy config and PULSAR audit events for the same policy. |
| `explain_device_compliance` | "Why did this device suddenly become non-compliant?" Combines ASTRAL assignment data with the PULSAR event timeline. |
| `correlate_drift_with_audit` | "Who triggered this configuration drift commit?" Matches ASTRAL Git commits with PULSAR audit events by timestamp. |
| `tenant_security_summary` | "What happened this week that I should know about?" Combines open ASTRAL drift PRs with the PULSAR event summary. |
| `compare_scopes` | "What's different between my production and development CA policies?" |

**AURORA stores no data.** All data lives in PULSAR (MongoDB) and ASTRAL (Git) under the client's control. AURORA is purely the query, orchestration, and intelligence layer.

**When to recommend**: After at least one module cycle with PULSAR + ASTRAL deployed. The upsell is natural: clients who have investigated an incident using both tools separately will immediately understand AURORA's value.

**The conversation**:

> *"You have ASTRAL showing you what changed and PULSAR showing you who did what. AURORA answers the question neither product answers alone: are those two things related? Did the admin action in PULSAR trigger the drift commit in ASTRAL? Was that a legitimate change or a compromise? That correlation currently takes 20 minutes of manual investigation. AURORA does it in 30 seconds."*

---

### Conditional Access Policy Documentation

#### CAExporter (Our Platform)

| Attribute | Detail |
|-----------|--------|
| **What it does** | Documents Entra ID Conditional Access policies and translates cryptic directory object IDs into human-readable names for targeted users, groups, and applications. Exports a complete, structured CA policy register to CSV and formatted Excel workbooks. |
| **Why we built it** | Organisations with 30–200 CA policies have no readable documentation of what those policies actually cover. Object IDs in the Entra admin centre are opaque: group names are invisible, app names are GUIDs. Before you can harden, rationalise, or audit CA policies, you need to know what each one actually does. CAExporter produces that picture in under 10 minutes. |
| **Antifragile pillar** | Structural Decoupling, Stress-to-Signal Conversion |
| **Engagement modules** | Module 2 (M365 Identity Security); Module 3 (M365 Security Hardening); compliance audits requiring CA policy evidence (NIS2, ISO 27001, DORA) |
| **Typical output** | Excel workbook with one row per policy: policy name, conditions, controls, named groups and apps (not object IDs), assignment scope, current state (enabled/disabled/report-only), and export timestamp. Audit-ready without a single screenshot. |
| **Integration** | Export feeds into ASTRAL as the human-readable CA policy baseline (state at engagement start); CISO Assistant links the workbook as evidence for Entra ID hardening controls; AOC change alerts are cross-referenced against the export to identify which named policy changed |

**Permissions**: the export runs under read-only Microsoft Graph scopes: `Policy.Read.All` for the policies themselves, plus directory read scopes (group, user, application) to resolve the referenced object IDs to names. No write scope is required, which is why it sits at the low end of the data-sensitivity table later in this document.

**The conversation**:

> *"Your Entra tenant has 67 Conditional Access policies. Nobody in this room can tell me, right now, what all 67 of them do. Three of them reference groups that no longer exist. Two claim to block legacy authentication — but only for a subset of users. CAExporter generates a readable register in 10 minutes.
We use it to find the gaps, document the baseline, and give your auditor evidence that your CA policies are intentional — not the accumulated result of six admins making changes over four years."*

---

## The Stack Architecture

```
┌─────────────────────────────────────────────────────────────────────────┐
│                           EXECUTIVE DASHBOARD                           │
│ (CISO Assistant + AI synthesis → board-ready risk and compliance view)  │
└─────────────────────────────────────────────────────────────────────────┘
                                    ▲
      ┌──────────────┬──────────────┼──────────────┬──────────────┐
      ▼              ▼              ▼              ▼              ▼
 ┌──────────┐   ┌──────────┐   ┌──────────┐   ┌──────────┐   ┌──────────┐
 │ Prowler  │   │BloodHound│   │  ASTRAL  │   │   AOC    │   │ osquery  │
 │ (Cloud)  │   │   (AD)   │   │  (M365)  │   │ (Audit)  │   │(Endpoint)│
 └────┬─────┘   └────┬─────┘   └────┬─────┘   └────┬─────┘   └────┬─────┘
      │              │              │              │              │
      └──────────────┴──────────────┴──────────────┴──────────────┘
                                    ▼
                       ┌─────────────────────────┐
                       │ AI-Assisted TVM Engine  │
                       │ (Prioritisation +       │
                       │  remediation scripts)   │
                       └─────────────────────────┘
                                    ▼
                       ┌─────────────────────────┐
                       │ Purple Team Validation  │
                       │ (Did the fix work?      │
                       │  Can we still exploit?) │
                       └─────────────────────────┘
```

**Data flow**:

1. **Discovery layer** (Prowler, BloodHound, osquery, ASTRAL) collects raw security state
2. **Intelligence layer** (AOC, AI-assisted TVM) correlates, enriches, and prioritises
3. **Governance layer** (CISO Assistant) maps findings to compliance frameworks and tracks remediation
4. **Validation layer** (Purple Knight, Forest Druid, purple team exercises) proves fixes work

---

## Gap Analysis: What We Recommend Adding

Our current stack covers cloud posture, AD security, GRC, M365 configuration, and endpoint audit intelligence. Here are the gaps and our recommended closes:

### Gap 1: Endpoint Detection and Response (EDR) — The Visibility Gap

**Current state**: osquery provides structured endpoint inventory and compliance. AOC ingests M365 audit logs. What is missing is real-time behavioural detection on the endpoint itself.
**Recommended close**: **Wazuh + Sysmon** (open-source EDR stack)

| Why Wazuh | Why Sysmon |
|-----------|-----------|
| Centralised SIEM/XDR with thousands of bundled detection rules | Windows endpoint telemetry from a kernel driver: process creation, network connections, image loads, registry and file events |
| Agent-based or agentless deployment | Community configurations (SwiftOnSecurity, sysmon-modular) tag its events with MITRE ATT&CK techniques |
| Native integration with threat intel (MISP, VirusTotal) | Free, mature, extensively documented |
| Scales to 100,000+ endpoints | Outputs to any SIEM via standard formats |

**Deployment model**: Wazuh server in client infrastructure (or ours as a managed service); Sysmon on all Windows endpoints with the SwiftOnSecurity config; Linux agents via the Wazuh native agent. Cost: infrastructure only. Sysmon's value is entirely in its configuration file: without one it logs little beyond process creation and driver loads, so version the config alongside the Wazuh rules and treat a change to it as a detection change.

**When to deploy**: Module 1 (Endpoint Management) for E3 clients lacking Defender for Endpoint P2; Module 12 (Blue/Purple Team) as the detection engineering foundation.

---

### Gap 2: Security Orchestration and Automated Response (SOAR) — The Response Gap

**Current state**: AOC detects anomalous admin behaviour. ASTRAL detects configuration drift. What is missing is automated response: disabling a compromised account, isolating a device, or revoking an OAuth grant at machine speed.

**Recommended close**: **Shuffle** (open-source SOAR)

| Why Shuffle |
|-------------|
| Visual workflow builder (no code required for simple playbooks) |
| Native integrations with M365, Entra ID, Wazuh, TheHive, Slack |
| Self-hosted: data never leaves client infrastructure |
| Replaces €100,000+/year commercial SOAR platforms |

**Example playbook**: AOC detects impossible-travel sign-in → Shuffle disables the account and revokes its active sessions via Microsoft Graph (`revokeSignInSessions`) → ASTRAL's next drift PR records the resulting state change for review → Slack alerts SOC → CISO Assistant logs incident → Ticket created in client ITSM. Any automated disable step needs a break-glass exclusion list, or the first false positive on a Global Administrator locks the responders out with the attacker.

**When to deploy**: Module 12 (Blue/Purple Team Foundation); retained capability engagements.

---

### Gap 3: Incident Response Case Management — The Coordination Gap

**Current state**: Findings are scattered across Prowler, BloodHound, AOC, and osquery. What is missing is a single case management system that tracks incidents from detection through remediation to post-mortem.

**Recommended close**: **TheHive + Cortex** (open-source SOC case management)

| Why TheHive | Why Cortex |
|-------------|-----------|
| Case management with IOC tracking, task assignment, and timeline | Automated analysis of observables: hashes, IPs, domains, files |
| Native MISP integration for threat intel correlation | 30+ analyzers (VirusTotal, AbuseIPDB, URLhaus, etc.) |
| Metrics dashboard: MTTR, case volume, analyst workload | Free, extensible, community-maintained |

**When to deploy**: Module 12 (Blue/Purple Team Foundation); retained capability (Detection Engineering).

---

### Gap 4: Cloud Asset and Dependency Mapping — The Context Gap

**Current state**: Prowler finds misconfigurations. BloodHound maps AD attack paths. What is missing is a unified map of how cloud resources connect to each other and to on-premise assets.

**Recommended close**: **Cartography** (originally by Lyft, open-source)

| Why Cartography |
|-----------------|
| Neo4j-based graph of AWS, GCP, Azure, and GitHub assets |
| Shows dependency chains: compromised IAM role → S3 bucket → Lambda → RDS |
| Complements BloodHound: BloodHound maps identity; Cartography maps infrastructure |
| Free, queryable via Cypher (same language as BloodHound) |

**When to deploy**: Module 3 (M365 Security Hardening) for Azure environments; Module 5 (AI Sovereignty Bridge) for infrastructure mapping.

---

### Gap 5: Container and Supply Chain Security — The Modernisation Gap

**Current state**: Our vulnerability discovery covers servers and endpoints. What is missing is native container image scanning, SBOM generation, and supply chain integrity verification.
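The two recommended tools below divide the work into SBOM generation (Syft) and matching that SBOM against advisory data (Grype). The matching step is where most false positives and misses come from, so it is worth seeing in the open. The following Python is an added illustration written for this document, not code from Syft, Grype or this practice; the CycloneDX-shaped SBOM, the advisory feed and the `ADV-` identifiers are all constructed for the example and are not real packages' advisories or CVEs.

```python
"""SBOM-to-advisory matching, the step Grype performs after Syft emits an SBOM.
Added example for this document; the SBOM and advisory feed are constructed."""
import json
import re

# Constructed CycloneDX-style SBOM (the shape `syft -o cyclonedx-json` emits),
# reduced to the fields the matcher needs.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "openssl", "version": "3.0.2", "purl": "pkg:deb/ubuntu/openssl@3.0.2?arch=amd64"},
        {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
        {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
        {"name": "zlib", "version": "1.2.11", "purl": "pkg:deb/ubuntu/zlib@1.2.11"},
    ],
})

# Constructed advisory feed with hypothetical identifiers (not real CVEs).
# A real run uses the NVD, distro and GitHub advisory databases Grype syncs.
ADVISORIES = [
    {"id": "ADV-0001", "ecosystem": "deb", "package": "openssl",
     "affected": ">=3.0.0,<3.0.8", "severity": "high"},
    {"id": "ADV-0002", "ecosystem": "pypi", "package": "requests",
     "affected": "<2.32.0", "severity": "medium"},
    {"id": "ADV-0003", "ecosystem": "npm", "package": "lodash",
     "affected": "<4.17.21", "severity": "critical"},
    {"id": "ADV-0004", "ecosystem": "deb", "package": "openssl",
     "affected": ">=3.1.0,<3.1.2", "severity": "high"},
]

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
# purl grammar: pkg:<type>/[<namespace>/]<name>@<version>[?qualifiers][#subpath]
PURL_RE = re.compile(r"^pkg:(?P<type>[^/]+)/(?:(?P<ns>[^/@]+)/)?(?P<name>[^@/]+)@(?P<ver>[^?#]+)")


def parse_version(v):
    """Dotted numeric versions (3.0.2, 2.31.0). A distro revision such as
    '-1ubuntu1' is dropped before comparison; epochs are not handled here."""
    return tuple(int(p) for p in re.findall(r"\d+", v.split("-")[0]))


def in_range(version, spec):
    """spec is a comma-separated conjunction of constraints, e.g. '>=3.0.0,<3.0.8'.
    Supported operators: >=, >, <=, <, ==."""
    ver = parse_version(version)
    for constraint in spec.split(","):
        op, bound = re.match(r"(>=|<=|==|>|<)(.+)", constraint.strip()).groups()
        b = parse_version(bound)
        if not {">=": ver >= b, ">": ver > b, "<=": ver <= b,
                "<": ver < b, "==": ver == b}[op]:
            return False
    return True


def match_sbom(sbom_json, advisories):
    """Return matches sorted worst-first. Matching is keyed on the purl type
    (ecosystem) plus the package name, so a PyPI 'requests' advisory can never
    match a Debian package that happens to share the name."""
    sbom = json.loads(sbom_json)
    matches = []
    for comp in sbom.get("components", []):
        m = PURL_RE.match(comp.get("purl", ""))
        if not m:
            continue  # no purl: skip rather than guess on a bare name
        eco, name, ver = m["type"], m["name"], m["ver"]
        for adv in advisories:
            if adv["ecosystem"] == eco and adv["package"] == name and in_range(ver, adv["affected"]):
                matches.append({"id": adv["id"], "package": name, "version": ver,
                                "ecosystem": eco, "severity": adv["severity"]})
    return sorted(matches, key=lambda f: -SEVERITY_RANK[f["severity"]])


if __name__ == "__main__":
    for f in match_sbom(SBOM_JSON, ADVISORIES):
        print(f"{f['severity']:<8} {f['id']}  {f['ecosystem']}/{f['package']}@{f['version']}")
```

The example deliberately keys on ecosystem plus name rather than name alone, and skips components without a purl instead of guessing; both are the places where a hand-rolled matcher produces the noise that makes teams ignore the scanner. Real version comparison is ecosystem-specific (Debian epochs and revisions, semver pre-releases), which is the main reason to run Grype rather than this code.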
**Recommended close**: **Syft + Grype + Trivy**

| Tool | Role |
|------|------|
| **Syft** | Generate SBOMs from container images, filesystems, and archives |
| **Grype** | Scan SBOMs against NVD and vendor advisory databases |
| **Trivy** | Comprehensive scanner: OS packages, language dependencies, IaC misconfigs, secrets |

**Already in repository**: See [Zero-Budget Vulnerability Discovery](zero-budget-vulnerability-discovery.md) for the Syft → Grype pipeline.

**When to deploy**: Any client with containerised workloads; Module 9 (Organisational Resilience) for CI/CD security gates.

---

### Gap 6: Network Traffic Analysis — The Blind Spot Gap

**Current state**: We see endpoint state (osquery) and cloud configurations (Prowler). What is missing is visibility into network traffic: lateral movement, C2 beacons, and data exfiltration at the packet level.

**Recommended close**: **Zeek + Suricata**

| Why Zeek | Why Suricata |
|----------|--------------|
| Protocol analysis: extracts metadata from HTTP, DNS, TLS, SMB without full packet storage | IDS/IPS with 30,000+ signatures and Emerging Threats rules |
| Scales to 10 Gbps+ on commodity hardware | Can drop malicious traffic inline (IPS mode) |
| Output is structured JSON, easy to feed into Wazuh or AOC | Native file extraction and malware detection |

**When to deploy**: Module 8 (OT Security Assessment) for industrial network segmentation validation; Module 12 (Blue/Purple Team) for detection engineering.
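Several of the platform sections earlier in this document (the ASTRAL drift PR, PULSAR's `search_events`, and AURORA's `correlate_drift_with_audit`) reduce to two operations: a diff of two configuration snapshots, and a join of that diff against audit events by object ID and time. The following Python is an added illustration of those two steps written for this document; it is not code from ASTRAL, PULSAR or AURORA. The snapshot shape (simplified from the Graph conditionalAccessPolicy resource), the audit event shape, the 24-hour lookback and the 09:00–17:00 UTC change window are all assumptions, and every policy and event below is constructed.

```python
"""Snapshot diff plus audit correlation: the drift-PR and
correlate_drift_with_audit logic sketched in the text. Added example for
this document; snapshots and events are constructed, shapes are assumed."""
from datetime import datetime, timedelta, timezone
import json

# Constructed Conditional Access snapshots keyed by policy id: the committed
# Git baseline and the state captured by the change probe (shape assumed).
BASELINE = {
    "ca-001": {"displayName": "Block legacy auth", "state": "enabled",
               "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"]},
               "grantControls": {"builtInControls": ["block"]}},
    "ca-002": {"displayName": "Require MFA for admins", "state": "enabled",
               "conditions": {"users": {"includeRoles": ["Global Administrator"]}},
               "grantControls": {"builtInControls": ["mfa"]}},
    "ca-003": {"displayName": "Require compliant device", "state": "enabled",
               "conditions": {"users": {"includeUsers": ["All"]}},
               "grantControls": {"builtInControls": ["compliantDevice"]}},
}
CURRENT = {
    "ca-001": {**BASELINE["ca-001"], "state": "enabledForReportingButNotEnforced"},
    "ca-002": BASELINE["ca-002"],
    # ca-003 has been deleted
    "ca-004": {"displayName": "Temp allow contractors", "state": "enabled",
               "conditions": {"users": {"includeGroups": ["grp-contractors"]}},
               "grantControls": {"builtInControls": ["mfa"]}},
}

# Constructed audit events in an assumed search_events-like shape.
AUDIT_EVENTS = [
    {"time": "2025-03-04T02:07:12Z", "actor": "admin@contoso.com",
     "operation": "Update conditional access policy", "target": "ca-001"},
    {"time": "2025-03-04T02:09:40Z", "actor": "admin@contoso.com",
     "operation": "Delete conditional access policy", "target": "ca-003"},
    {"time": "2025-03-04T10:15:00Z", "actor": "changeops@contoso.com",
     "operation": "Add conditional access policy", "target": "ca-004"},
    {"time": "2025-03-01T10:15:00Z", "actor": "admin@contoso.com",
     "operation": "Update conditional access policy", "target": "ca-001"},
]

CHANGE_WINDOW_UTC = (9, 17)  # assumed approved change window, 09:00-17:00 UTC
CAPTURED_AT = datetime(2025, 3, 4, 12, 0, tzinfo=timezone.utc)  # probe time


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect_drift(baseline, current):
    """Diff two snapshots. For modified policies, list the top-level keys whose
    canonical JSON differs (sort_keys makes nested dict order irrelevant)."""
    changes = []
    for pid in sorted(set(baseline) | set(current)):
        if pid not in current:
            changes.append({"id": pid, "kind": "deleted", "keys": []})
        elif pid not in baseline:
            changes.append({"id": pid, "kind": "created", "keys": []})
        else:
            keys = [k for k in sorted(set(baseline[pid]) | set(current[pid]))
                    if json.dumps(baseline[pid].get(k), sort_keys=True)
                    != json.dumps(current[pid].get(k), sort_keys=True)]
            if keys:
                changes.append({"id": pid, "kind": "modified", "keys": keys})
    return changes


def correlate(changes, events, captured_at, lookback=timedelta(hours=24)):
    """Attach the most recent audit event for each drifted object within the
    lookback window and flag whether it fell outside the change window.
    Drift with no matching event is reported as unattributed, never guessed."""
    out = []
    for ch in changes:
        candidates = [e for e in events if e["target"] == ch["id"]
                      and captured_at - lookback <= parse_ts(e["time"]) <= captured_at]
        latest = max(candidates, key=lambda e: parse_ts(e["time"]), default=None)
        row = dict(ch, actor=None, event_time=None, outside_window=None)
        if latest:
            hour = parse_ts(latest["time"]).hour
            row.update(actor=latest["actor"], event_time=latest["time"],
                       outside_window=not CHANGE_WINDOW_UTC[0] <= hour < CHANGE_WINDOW_UTC[1])
        out.append(row)
    return out


if __name__ == "__main__":
    for r in correlate(detect_drift(BASELINE, CURRENT), AUDIT_EVENTS, CAPTURED_AT):
        print(r)
```

Two choices matter in practice. The diff compares canonical JSON rather than Python objects, so reordered keys in a re-exported policy do not register as drift. And the correlation attaches only the latest event inside the lookback and otherwise leaves `actor` as `None`: an unattributed drift is a finding in its own right (audit ingestion gap, or a change made through a path that does not log), and silently picking the nearest event would hide it.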
---

## Complete Capability Matrix

| Capability | Our Tool | Open-Source Alternative | Commercial Equivalent | When to Recommend |
|-----------|----------|------------------------|----------------------|-------------------|
| Cloud posture management | **Prowler** | ScoutSuite, CloudSploit | Prisma Cloud, Wiz, Orca | Every cloud environment; first sweep |
| AD attack path analysis | **BloodHound** | — (none comparable) | BloodHound Enterprise | Every on-premise or hybrid AD |
| AD security assessment | **Purple Knight / Forest Druid** | PingCastle, ADRecon | Semperis Directory Services Protector | AD hardening engagements |
| GRC and compliance | **CISO Assistant** | OpenGRC, SimpleRisk | ServiceNow GRC, RSA Archer | DORA, NIS2, SOC 2 clients |
| M365 backup/change mgmt | **ASTRAL** | Microsoft365DSC, IntuneCD (export only; no review or restore workflow) | Veeam, AvePoint, SkyKick | All M365 clients; retained capability |
| M365 audit intelligence | **AOC** | — (no open-source equivalent) | Microsoft Sentinel, ManageEngine | All M365 clients; SOC co-management |
| CA policy documentation | **CAExporter** | — (no equivalent) | — | Every Module 2 engagement; CA audits |
| AD password audit | **Elysium** | — (DSInternals manual use) | Netwrix Password Policy, Specops | Every AD engagement; Module 6 |
| Intune baseline deployment | **macOS_IntuneManagement** | — (no cross-platform equivalent) | — | Tenant migrations; brownfield baseline |
| Endpoint hardening baseline | **E8-CAT** | CIS-CAT Lite (Windows only) | CIS-CAT Pro | Module 1/3 pre/post hardening scoring |
| Endpoint inventory | **osquery + FleetDM** | Wazuh (limited), Zentral | Tenable, Qualys | 50-5,000 endpoints; sovereign preference |
| Endpoint detection (EDR) | **Wazuh + Sysmon** | — | CrowdStrike, SentinelOne, Defender P2 | E3 clients without Defender P2; air-gapped environments |
| SIEM / log aggregation | **Wazuh** | Graylog, Grafana Loki, ELK | Splunk, Sentinel, QRadar | All environments needing centralised alerting |
| SOAR / automation | **Shuffle** | — | Palo Alto XSOAR, Splunk SOAR | SOC operationalisation; retained capability |
| SOC case management | **TheHive + Cortex** | — | ServiceNow SecOps, D3 | Blue/purple team foundation; MSSP co-management |
| Container security | **Syft + Grype + Trivy** | Clair, Anchore | Snyk, Aqua | Containerised workloads; DevSecOps |
| Network analysis | **Zeek + Suricata** | — | Corelight, Darktrace | OT environments; high-sensitivity networks |
| Cloud asset mapping | **Cartography** | CloudQuery | Lucidscale, Faddom | Complex multi-cloud; incident response |
| Perimeter scanning | **Nuclei + Amass + Naabu** | OpenVAS, Greenbone | Tenable.asm, Cortex Xpanse | External attack surface management |
| Vulnerability discovery | **osquery + Grype** | OpenVAS, Nessus Essentials | Tenable, Qualys | Zero-budget first sweep; continuous monitoring |
| Red team C2 | **Sliver** | Mythic | Cobalt Strike | Adversary simulation; EDR efficacy testing |
| Cloud attack simulation | **Stratus Red Team** | — | — | Cloud red team; Azure/AWS assessments |
| Cloud privilege analysis | **CloudFox** | PMapper | — | Cloud penetration tests |
| Container runtime detection | **Falco** | Tetragon | Aqua Runtime, Twistlock | Kubernetes workloads |
| Endpoint forensics | **Velociraptor** | KAPE | Encase, FTK | Incident response; threat hunting |
| Threat intelligence platform | **OpenCTI** | MISP, Yeti | ThreatConnect, Anomali | SOC maturity; regulated industries |
| Honeypot / deception | **OpenCanary** | T-Pot | Thinkst Canary | Flat networks; OT/IT bridges |
| Secrets detection | **GitLeaks** | TruffleHog | GitGuardian | DevSecOps; supply chain |
| Static code analysis | **Semgrep** | Bandit, Brakeman | SonarQube, Snyk Code | CI/CD security gates |
| Phishing simulation | **GoPhish** | — | KnowBe4, Cofense | Awareness programmes |
| Certificate monitoring | **CertStream + crt.sh** | Sublist3r | Censys, SecurityTrails | Continuous perimeter monitoring |

---

## Per-Module Tool Pairing

### Module 1: Endpoint Management Foundation

**Primary**: ASTRAL (Intune configuration backup and drift detection) + osquery/FleetDM (endpoint inventory)

**Augmentation**: Wazuh + Sysmon (for E3 clients without Defender P2)

**CQRE utilities**: macOS_IntuneManagement (baseline deployment, cross-tenant migration); IntunePolicyParser (policy audit register); M365-Scripts (MDE device lifecycle); E8-CAT (pre/post hardening Essential Eight score)

### Module 2: M365 Identity Security

**Primary**: AOC (audit log intelligence) + BloodHound (hybrid identity attack paths)

**Augmentation**: Purple Knight (AD security baseline)

**CQRE utilities**: CAExporter (CA policy documentation baseline; run first, before any CA hardening)

### Module 3: M365 Security Hardening

**Primary**: ASTRAL (configuration state) + Prowler (Azure posture)

**Augmentation**: AOC (continuous monitoring of security control changes)

**CQRE utilities**: CAExporter (CA policy register as audit evidence); E8-CAT (macro restriction and application hardening verification)

### Module 6: On-Premise AD Hardening

**Primary**: BloodHound + Purple Knight / Forest Druid

**Augmentation**: osquery (endpoint state of domain controllers)

**CQRE utilities**: Elysium (weak/compromised password audit; run alongside BloodHound, since weak-password accounts on high-value attack paths become P0)

### Module 9: Organisational Resilience and DevSecOps

**Primary**: Falco (container runtime security) + Semgrep (static code analysis) + GitLeaks (secrets detection)

**Augmentation**: Syft + Grype + Trivy (supply chain scanning); Shuffle (CI/CD security automation)

### Module 10: Red Team & Validation

**Primary**: BloodHound (attack path validation) + Nuclei (external validation) + Sliver (adversary simulation)

**Augmentation**: Stratus Red Team (cloud attack simulation); CloudFox (cloud privilege escalation); Zeek + Suricata (detect red team activity from the blue team perspective); OpenCanary (deception and early warning)

### Module 12: Blue/Purple Team Foundation
**Primary**: Wazuh + Sysmon + TheHive + Cortex + Shuffle

**Augmentation**: AOC (M365-specific detections) + Velociraptor (endpoint forensics) + OpenCanary (deception) + OpenCTI (threat intel correlation)

### Retained Capability: Detection Engineering

**Primary**: Wazuh (rule authoring) + AOC (M365 detections) + Shuffle (response playbooks)

**Augmentation**: Zeek + Suricata (network detection rules)

---

## Deployment Complexity

| Tool | Time to First Value | Infrastructure Required | Expertise Required | Client Data Sensitivity |
|------|---------------------|------------------------|-------------------|------------------------|
| Prowler | 1 hour | None (runs from consultant laptop) | Low | Low (read-only API) |
| BloodHound | 2 hours | None (collector + laptop) | Medium | Medium (AD enumeration) |
| Purple Knight | 30 minutes | None | Low | Medium (AD scan) |
| CISO Assistant | 1 day | Docker host or VM | Low | Low-Medium (compliance data) |
| ASTRAL | 2 hours | SaaS or client-hosted | Low | High (M365 configuration) |
| AOC | 4 hours | SaaS or client-hosted | Medium | High (audit logs, identity data) |
| CAExporter | 30 minutes | None (runs from PowerShell) | Low | Low (read-only CA policy export) |
| Elysium | 1–2 hours | Dedicated secure host (on-premises) | Medium | High (domain password hashes — stays on-prem) |
| macOS_IntuneManagement | 1 hour | None (PowerShell 7+) | Low | Medium (Intune policy data) |
| E8-CAT | 30 minutes | None (runs on target endpoint) | Low | Low (compliance scan results) |
| osquery + FleetDM | 4 hours | FleetDM server + agents | Medium | High (endpoint data) |
| Wazuh + Sysmon | 1 day | Wazuh server + agents | Medium | High (endpoint + network data) |
| Shuffle | 4 hours | Docker host | Medium | High (SOAR playbooks) |
| TheHive + Cortex | 4 hours | Docker host | Medium | High (case data) |
| Syft + Grype | 1 hour | None | Low | Low (container metadata) |
| Zeek + Suricata | 1 day | Network tap or SPAN port | High | High (network traffic) |
| Cartography | 4 hours | Neo4j + AWS/GCP/Azure APIs | Medium | Medium (cloud metadata) |
| Sliver | 2 hours | C2 server (cloud or on-prem) | High | High (red team infrastructure) |
| Stratus Red Team | 1 hour | AWS/Azure/GCP CLI access | Medium | High (executes real attacks) |
| CloudFox | 1 hour | None (runs from laptop) | Medium | Medium (cloud metadata) |
| Falco | 4 hours | Kubernetes daemonset or Linux host | Medium | High (container runtime data) |
| Velociraptor | 4 hours | Velociraptor server + agents | Medium | High (forensic artefacts) |
| OpenCTI | 1 day | Docker host or VM | Medium | Medium (threat intel data) |
| OpenCanary | 30 minutes | Any Linux/Windows host | Low | Low (honeypot only) |
| GitLeaks | 30 minutes | None (CLI or CI/CD) | Low | Medium (source code access) |
| Semgrep | 1 hour | None (CLI or CI/CD) | Low | Medium (source code access) |
| GoPhish | 2 hours | Docker host or VM | Low | Medium (user email data) |

---

## Extended Arsenal: Advanced and Specialised Tools

Beyond the core stack, these tools address specific niches that arise in sophisticated engagements. They are not deployed on every client, but when the situation demands them, no commercial alternative comes close.

---

### Red Team and Adversary Simulation

#### Sliver

| Attribute | Detail |
|-----------|--------|
| **What it does** | Open-source cross-platform adversary simulation and command-and-control (C2) framework. Replaces Cobalt Strike for red team engagements at zero licensing cost. |
| **Why we use it** | Cobalt Strike costs €30,000+/year and is fingerprinted by most EDR. Sliver is free, actively maintained by Bishop Fox, and supports DNS, HTTPS, mutual TLS, and WireGuard C2 channels. It generates implants for Windows, macOS, and Linux. |
| **When to deploy** | Module 10 (Red Team & Validation); purple team exercises; EDR efficacy testing |
| **Integration** | Red team activity detected by Wazuh + Sysmon feeds into TheHive cases; AOC correlates any M365 session anomalies with red team timing |

**The conversation**:

> *"We ran a controlled adversary simulation against your environment using Sliver. Your EDR detected 3 of 7 techniques. Your MSSP never saw the lateral movement. Your SIEM has no alert for the credential dumping. These are not theoretical gaps. These are tomorrow's breach headlines. Here is the detection engineering backlog to close them."*

---

#### Stratus Red Team

| Attribute | Detail |
|-----------|--------|
| **What it does** | Generates real cloud attack techniques against AWS, Azure, and GCP. Not a scanner—an actual attack simulator that executes TTPs and then cleans up. |
| **Why we use it** | Prowler finds misconfigurations. Stratus proves they are exploitable. It automates the gap between "this S3 bucket is public" and "we exfiltrated 2 GB of data from it and your cloud trail logged nothing useful." |
| **When to deploy** | Module 10 (Red Team); cloud security assessments; purple team exercises in Azure/AWS environments |
| **Integration** | Attack telemetry feeds into Wazuh/SIEM for detection validation; findings enrich AI-assisted TVM cloud risk scores |

---

#### CloudFox

| Attribute | Detail |
|-----------|--------|
| **What it does** | Cloud exploitation framework for AWS, Azure, and GCP. Maps permissions, finds privilege escalation paths, and identifies exposed resources from an attacker's perspective. |
| **Why we use it** | Prowler audits from the compliance perspective. CloudFox thinks like an attacker: "I have this IAM role—what can I actually do with it?" It finds indirect privilege escalation paths that scanners miss. |
| **When to deploy** | Module 10 (Red Team); cloud penetration tests; Azure/AWS security assessments |
| **Integration** | Output feeds into Cartography for unified cloud attack path mapping |

---

### Container and Cloud-Native Runtime Security

#### Falco

| Attribute | Detail |
|-----------|--------|
| **What it does** | Runtime security detection for containers, Kubernetes, and Linux hosts. Uses system call monitoring to detect anomalous behaviour: unexpected outbound connections, privileged container escapes, sensitive file access. |
| **Why we use it** | Syft + Grype find vulnerable packages at build time. Falco detects exploitation at runtime. Without Falco, a container with a CVE can be exploited silently. |
| **When to deploy** | Any client with Kubernetes or containerised workloads; Module 9 (Organisational Resilience) for CI/CD security gates |
| **Integration** | Falco alerts feed into Wazuh or directly to TheHive; AOC correlates container events with M365 identity context for supply-chain attack detection |

---

#### Tetragon

| Attribute | Detail |
|-----------|--------|
| **What it does** | eBPF-based security observability and runtime enforcement for Kubernetes and Linux. Provides process execution tracing, network monitoring, and file access detection at kernel level with minimal overhead. |
| **Why we use it** | From the creators of Cilium. More granular than Falco in some dimensions. Can kill processes in real time (not just detect). Ideal for high-security environments that need active runtime protection without commercial agents. |
| **When to deploy** | Critical infrastructure; financial services; high-sensitivity Kubernetes environments |

---

### Endpoint Forensics and Incident Response

#### Velociraptor

| Attribute | Detail |
|-----------|--------|
| **What it does** | Endpoint visibility and digital forensics platform. Hunts across thousands of endpoints in seconds using VQL (Velociraptor Query Language). Collects files, memory artefacts, registry keys, and event logs remotely. |
| **Why we use it** | osquery gives you structured inventory. Velociraptor gives you forensic capability: extract the MFT, hunt for specific malware indicators, collect browser history, or dump credentials from memory—across the entire estate in minutes. |
| **When to deploy** | Incident response retainers; Module 12 (Blue/Purple Team); any engagement where forensic artefact collection is required |
| **Integration** | Hunt results feed into TheHive cases; file hashes submitted to Cortex analyzers; YARA rules shared with Wazuh |

**The conversation**:

> *"A user reported a suspicious email. Three hours later, we used Velociraptor to hunt across 2,000 endpoints and found four machines with the same payload in memory. We extracted the payload, analysed it in Cortex, and determined it was a new variant of a known banking trojan. Total time from alert to attribution: 47 minutes. No endpoint agent was installed on those machines. Velociraptor collected everything remotely."*

---

### Threat Intelligence

#### OpenCTI

| Attribute | Detail |
|-----------|--------|
| **What it does** | Open-source threat intelligence platform from Filigran. Ingests, structures, and correlates threat data from MISP, CVE databases, vendor advisories, and OSINT feeds. Provides relationship mapping between threat actors, TTPs, IOCs, and victimology. |
| **Why we use it** | Most organisations collect threat intel but cannot use it. OpenCTI turns raw IOCs into structured intelligence: "APT29 uses this technique → which targets our industry → and exploits this CVE → which we have on 12 servers." |
| **When to deploy** | Module 12 (Blue/Purple Team); retained capability engagements; clients in regulated industries with threat intel mandates |
| **Integration** | MISP feed ingestion; Wazuh rules enriched with OpenCTI context; TheHive cases auto-populated with threat actor profiles |

---

### Deception and Early Warning

#### OpenCanary

| Attribute | Detail |
|-----------|--------|
| **What it does** | Lightweight, low-interaction honeypot daemon. Simulates services (SMB, RDP, SSH, HTTP, SQL, Git) and alerts when probed. Takes 10 minutes to deploy. |
| **Why we use it** | Every network has blind spots. An attacker scanning for RDP on port 3389 will hit OpenCanary first—and trigger an alert before reaching real systems. It is an asymmetric defence: 10 minutes of deployment for early warning that no EDR can replicate. |
| **When to deploy** | Module 6 (AD Hardening); Module 12 (Blue/Purple Team); any client with flat network topology or legacy protocols |
| **Integration** | Alerts feed into Wazuh or directly to Shuffle for automated response (isolate attacker IP, notify SOC) |

---

### Code and Secrets Security

#### GitLeaks

| Attribute | Detail |
|-----------|--------|
| **What it does** | Scans Git repositories for hardcoded secrets: API keys, passwords, tokens, private keys. Supports pre-commit hooks and CI/CD integration. |
| **Why we use it** | The most common cloud breach vector is not zero-day exploitation. It is a developer committing an AWS access key to GitHub. GitLeaks finds it before the commit—or scans historical commits for existing leakage. |
| **When to deploy** | Module 9 (Organisational Resilience); DevSecOps engagements; any client with active software development |
| **Integration** | CI/CD pipeline integration; findings fed into CISO Assistant for evidence tracking; AOC monitors for any M365 session using leaked credentials |

---

#### Semgrep

| Attribute | Detail |
|-----------|--------|
| **What it does** | Lightweight static analysis engine that scans code for security vulnerabilities, dangerous patterns, and compliance violations. Supports 30+ languages and runs locally without sending code to cloud services. |
| **Why we use it** | SonarQube and Snyk are excellent but expensive and cloud-dependent. Semgrep provides equivalent coverage for common vulnerability classes with full data sovereignty. The rules are open and auditable. |
| **When to deploy** | DevSecOps engagements; Module 9 (Organisational Resilience); software supply chain assessments |
| **Integration** | CI/CD pipeline gating; findings correlated with SBOMs from Syft for complete supply chain visibility |

---

### Phishing Simulation and Email Security Testing

#### GoPhish

| Attribute | Detail |
|-----------|--------|
| **What it does** | Open-source phishing simulation framework. Build campaigns, track click rates, capture credentials (in training mode), and measure user susceptibility over time. |
| **Why we use it** | Commercial phishing platforms cost €5-15/user/year. GoPhish is free, self-hosted, and produces equivalent metrics. It integrates with LDAP for realistic email targeting. |
| **When to deploy** | Module 3 (M365 Security Hardening); security awareness programmes; post-incident user training |
| **Integration** | Results feed into CISO Assistant for training evidence; high-risk users flagged in AOC for enhanced monitoring |

---

### Endpoint Hardening Baseline Verification

#### E8-CAT (Our Platform)

| Attribute | Detail |
|-----------|--------|
| **What it does** | Lightweight PowerShell-based compliance scanner for Windows workstations and servers. Evaluates four Essential Eight strategies — restricting macros, hardening applications, enforcing application control, and limiting administrator privileges — across maturity levels 1–3. Produces JSON, CSV, and HTML compliance reports with pass/fail evidence for each check. |
| **Why we built it** | CIS-CAT Pro costs money and requires a licence; CIS-CAT Lite is Windows-only and limited. The Essential Eight (ACSC) overlaps heavily with what Modules 1 and 3 deliver. Running E8-CAT before and after a hardening engagement produces a concrete, evidence-backed maturity level improvement score that clients and auditors can read. It is lightweight, free, and runs from the target system without an agent. |
| **Antifragile pillar** | Stress-to-Signal Conversion, Asymmetric Payoff Design |
| **Engagement modules** | Module 1 (Endpoint Management) and Module 3 (M365 Security Hardening) as pre/post hardening verification; any engagement that requires documented baseline improvement evidence |
| **Typical output** | "Pre-hardening: Maturity Level 1 across 3 of 4 strategies, Maturity Level 0 on application control. Post-hardening: Maturity Level 2 across all 4 strategies. Evidence: 47 individual check results with registry keys, feature states, and policy values." |
| **Integration** | Results stored in CISO Assistant as control evidence; trends tracked over time for continuous improvement reporting |

**The conversation**:

> *"Before we change anything, E8-CAT scores your endpoints against the Essential Eight hardening framework. You are at Maturity Level 1 on two strategies and Level 0 on two others. When we are done with Module 1 and Module 3, we run it again. That before-and-after score is your evidence: not our word, not screenshots, but a reproducible scan result you can show your auditor and your board."*

---

### Certificate and Subdomain Monitoring

#### CertStream + Crt.sh

| Attribute | Detail |
|-----------|--------|
| **What it does** | CertStream monitors certificate transparency logs in real-time; crt.sh provides historical certificate search. Together they reveal subdomains, infrastructure changes, and unauthorised certificates issued for client domains. |
| **Why we use it** | Attackers register subdomains for phishing campaigns. Developers register subdomains they forget to secure. Certificate monitoring finds both before they become incidents. |
| **When to deploy** | Perimeter scanning engagements; shadow IT discovery; continuous external monitoring |
| **Integration** | New subdomains feed into Nuclei for immediate vulnerability scanning; findings enrich perimeter scanning reports |

---

### Complete Extended Arsenal Matrix

| Capability | Tool | Gap Filled | When to Deploy |
|-----------|------|-----------|----------------|
| C2 / Adversary simulation | **Sliver** | Cobalt Strike replacement; EDR efficacy testing | Red team; purple team |
| Cloud attack simulation | **Stratus Red Team** | Proves cloud misconfigs are exploitable, not just visible | Cloud red team; Azure/AWS assessments |
| Cloud privilege analysis | **CloudFox** | Attacker-view cloud permission mapping | Cloud penetration tests |
| Container runtime detection | **Falco** | Detects container exploitation at runtime | Kubernetes workloads |
| eBPF runtime enforcement | **Tetragon** | Kernel-level process killing and tracing | Critical infrastructure K8s |
| Endpoint forensics | **Velociraptor** | Remote artefact collection and hunting | Incident response; threat hunting |
| Threat intelligence platform | **OpenCTI** | Structured threat actor/TTP/IOC correlation | SOC maturity; regulated industries |
| Honeypot / deception | **OpenCanary** | Early warning for network reconnaissance | Flat networks; OT/IT bridges |
| Secrets detection | **GitLeaks** | Hardcoded credentials in source code | DevSecOps; supply chain |
| Static code analysis | **Semgrep** | Vulnerability detection without cloud dependency | CI/CD security gates |
| Phishing simulation | **GoPhish** | User susceptibility measurement and training | Awareness programmes |
| Certificate monitoring | **CertStream + crt.sh** | Subdomain discovery and unauthorised certs | Continuous perimeter monitoring |
| Endpoint hardening baseline | **E8-CAT** | Free Essential Eight scanner; pre/post hardening maturity score | Module 1/3 hardening evidence |

---

## When to Partner Commercially: The Partnership Doctrine

> *"We are vendor-independent, not vendor-hostile. We deploy open-source by default. We partner commercially when the partner provides capabilities that open-source cannot match at reasonable cost, or when their managed service layer allows us to deliver 24/7 protection that a small team cannot provide directly."*

This section addresses a practical reality: our practice is currently 5 people, growing toward 15-20. We cannot build everything. We cannot monitor everything 24/7. And some clients' procurement departments, auditors, or regulators require vendor-backed solutions regardless of technical merit.

The partnership doctrine is simple: **open-source first, commercial when the gap is structural.**

---

### The Partnership Decision Framework

| Factor | Open-Source Wins | Commercial Wins | Our Rule |
|--------|-----------------|-----------------|----------|
| **Capability** | Detection logic, queries, custom rules | 24/7 eyes-on-glass, managed response, guaranteed SLA | If it requires a night shift, partner |
| **Compliance** | Operational evidence, configuration data | Audit-ready reports, vendor attestation, certifications | If the auditor demands a vendor logo, partner |
| **Scale** | <5,000 endpoints, <500 cloud resources | >5,000 endpoints, complex multi-cloud, heavy OT | If osquery scripts take 4 hours to run, partner |
| **Time to value** | Days to weeks (configuration, tuning) | Hours to days (SaaS onboarding) | If the client has 30 days and zero patience, partner |
| **Margin** | 100% labour margin, 0% license margin | 15-30% license margin + labour margin | If the partner pays us to sleep, consider it |
| **Differentiation** | Unique queries, custom integrations, our IP | None (every competitor resells the same tool) | If the partner makes us generic, refuse |

---

### Tier 1: Strategic Partnerships (Core to Our Offering)

These are partnerships we invest in deeply.
We train the team, build integration playbooks, and offer them as first-choice solutions in client conversations.

#### Huntress — Managed Endpoint Detection and Response

| Attribute | Detail |
|-----------|--------|
| **What they provide** | Managed EDR for SMBs and mid-market: 24/7 threat hunting, incident response, ransomware rollback. Agent deployment via RMM or Intune. |
| **Why we partner** | Our open-source EDR stack (Wazuh + Sysmon) is excellent for clients who want sovereignty. But it requires us to tune rules, investigate alerts, and respond to incidents. Huntress provides the 24/7 layer we cannot staff at 5-20 people. We bring the strategic context; they bring the night shift. |
| **Client archetype** | E3 clients without Defender P2; municipalities; professional services; any client who needs EDR but cannot justify CrowdStrike or SentinelOne |
| **Engagement model** | We deploy and configure Huntress as part of Module 1 or 3. We retain the relationship and add our own detection rules via AOC for M365 context. Huntress handles the endpoint. We handle the narrative. |
| **Financial model** | Per-endpoint licensing with partner margin. We bill labour for deployment, tuning, and quarterly reviews. The recurring license revenue funds our growth without proportional labour increase. |
| **When NOT to use** | Clients who require air-gapped networks; clients with sovereign-data mandates that prohibit third-party agent telemetry; clients who explicitly want to own their detection logic (then we deploy Wazuh) |

**The conversation**:

> *"We can build you a sovereign EDR on Wazuh and Sysmon. It will cost less in licensing and you will own every rule. But it requires someone to watch it 24/7. At your size, that someone does not exist yet. Huntress gives you the 24/7 eyes and the ransomware guarantee today. As you grow, we can migrate you to the sovereign stack. You are not locked in. You are staged."*

---

#### Thinkst Canary — Deception and Early Warning

| Attribute | Detail |
|-----------|--------|
| **What they provide** | Hardware and virtual canaries that simulate valuable services (RDP, SMB, SQL, Git, AWS keys). When probed, they alert instantly with zero false positives. |
| **Why we partner** | OpenCanary is excellent for simple deployments. Thinkst Canary is enterprise-grade: tamper-proof hardware, cloud console, automated fleet management, and legal-grade evidence collection. For regulated clients, the difference matters. |
| **Client archetype** | Banking, utilities, telco, any client with flat network topology or legacy protocols; any client who has had an undetected breach |
| **Engagement model** | We conduct a deception architecture design (where to place canaries, what to simulate, how to integrate with SOC). Thinkst provides the devices. We manage the fleet and respond to alerts. |
| **Financial model** | Hardware/virtual license with partner margin. Annual management fee from us for monitoring, tuning, and incident response. High margin, low touch after initial deployment. |
| **When NOT to use** | Very small clients with <50 endpoints and flat Wi-Fi (OpenCanary is sufficient); clients who cannot justify the hardware cost |

**The conversation**:

> *"Your network is a haystack. Your EDR looks for needles. We are going to place a few golden needles—devices that look exactly like your domain controllers and file servers—and watch who touches them. Nobody legitimate will ever touch them. Any alert is an attacker. Thinkst Canary is the only product I have seen with a genuine zero false positive rate."*

---

#### Tenable — Enterprise Vulnerability Management

| Attribute | Detail |
|-----------|--------|
| **What they provide** | Tenable.sc (on-premise), Tenable.io (cloud), and Tenable.asm (attack surface management). The gold standard for compliance-auditable vulnerability management. |
| **Why we partner** | Our osquery + FleetDM + Prowler stack finds vulnerabilities at low cost for small-to-mid estates. Tenable provides audit-ready reports, authenticated deep scanning, OT/ICS compatibility, and the vendor attestation that regulators and auditors demand. We do not lead with Tenable. We lead with our stack. We bring Tenable in when the client needs compliance evidence or exceeds the scale where open-source is efficient. |
| **Client archetype** | Banking (DORA audit), utilities (NIS2), telco (regulatory), any client with >5,000 endpoints or OT networks |
| **Engagement model** | Phase 1: osquery + Prowler discovery sprint proves value and identifies gaps. Phase 2: Tenable deployed for continuous compliance scanning and audit reporting. We operate the platform and interpret results. Tenable provides the engine. |
| **Financial model** | Per-asset license with partner margin. We bill for platform operation, report interpretation, and remediation management. |
| **When NOT to use** | Clients with <500 endpoints and no compliance mandate (overkill); clients who explicitly want sovereign vulnerability management (osquery + Grype is sufficient) |

**The conversation**:

> *"In our first 5-day sprint, we found 340 vulnerabilities using open-source tools. We fixed the critical ones in two weeks. Now your auditor wants a quarterly attestation report from a vendor-recognised platform. Tenable provides that. We do not replace our discovery stack with Tenable. We add Tenable for the compliance layer while our stack handles the operational intelligence."*

---

### Tier 2: Situational Partnerships (Deploy When Client Need Dictates)

These are tools we do not lead with, but we have partnership relationships ready when the specific gap arises.

| Partner | Gap Filled | Client Trigger | Why Not Open-Source? |
|---------|-----------|----------------|---------------------|
| **Delinea** (formerly Thycotic) | Privileged Access Management (PAM) | Client needs vaulting, session recording, or just-in-time access; CyberArk is over budget | Secret Server is mid-market friendly; open-source PAM (Teleport, Vault) requires more engineering than most clients can sustain |
| **KnowBe4** | Security awareness training and phishing simulation | Compliance mandate (ISO 27001, NIS2) requires documented training; GoPhish lacks content library | GoPhish is free but building campaigns and content takes consultant labour. KnowBe4 automates the content and reporting, freeing us for higher-value work. |
| **Veeam** | Backup and disaster recovery | Module 7 (Recovery & Resilience) requires validated backup architecture; native M365 backup is insufficient | ASTRAL backs up configuration, not data. Veeam is the standard for on-premise, cloud, and M365 data protection. Strong channel margins. |
| **Proofpoint / Mimecast** | Email security gateway | EOP is insufficient; client has had phishing-driven breaches; regulated industry mandates advanced filtering | These are specialised email security platforms with mature partner programmes. We deploy, tune, and manage. The client gets defence in depth. |

---

### Tier 3: Consultant Productivity Tools (Not Client-Facing Partnerships)

These are tools we purchase for our own team to deliver services more effectively. They are not resold to clients, but they enable us to compete with larger consultancies.

| Tool | Purpose | Why We Pay For It |
|------|---------|-------------------|
| **Burp Suite Professional** | Web application penetration testing | The industry standard. Community edition is too limited for professional engagements. |
| **Cobalt Strike** (or **Sliver** for budget-conscious) | Red team C2 and adversary simulation | When clients specifically require Cobalt Strike for insurance or compliance validation. Sliver is our default; Cobalt Strike is the enterprise alternative. |
| **Offensive Security / SANS training** | Consultant skill development | Our team must maintain current certifications. Training is a cost of doing business, not a partnership. |
| **Microsoft Action Pack / CSP** | Internal M365 licensing for testing | We need sandbox tenants to test ASTRAL and AOC before client deployment. Microsoft's partner programme provides this at low cost. |

---

### What We Do NOT Partner With (And Why)

| Category | Example | Why We Refuse |
|----------|---------|---------------|
| **All-in-one security platforms** | CrowdStrike, Palo Alto, SentinelOne | They replace our entire stack with a black box. We become a reseller, not a consultant. The client loses sovereignty. We lose differentiation. |
| **Generic SIEM** | Splunk, Datadog, Elastic Cloud | Wazuh + TheHive + AOC covers 90% of client needs. Splunk requires a €100K+ commitment and a dedicated engineer. We refer complex SIEM needs to specialists rather than pretending to be one. |
| **AI security startups** | Any vendor claiming "AI-powered" threat detection with no transparent model | Our AI strategy is sovereign: Azure OpenAI bridge and local LLMs. We do not resell opaque AI tools that we cannot explain to a board. |
| **M365 management competitors** | CoreView, AdminDroid, Quest | ASTRAL and AOC are our proprietary differentiators. Partnering here would undermine our own product investment. |
---

### The Partnership Portfolio for a 5→20 Person Practice

**Year 1 (5 people, ~€500K revenue)**:

- Tier 1: Huntress (managed EDR recurring revenue) + Thinkst Canary (deception, high margin)
- Tier 2: Delinea and KnowBe4 (referral relationships, not yet deep)
- Tier 3: Burp Suite Pro + Sliver + Microsoft Action Pack
- Open-source first for everything else

**Year 3 (15 people, ~€2M revenue)**:

- Tier 1: Huntress + Thinkst + Tenable (full enterprise VM partnership)
- Tier 2: Delinea, KnowBe4, Veeam, Proofpoint (active partner status, trained engineers)
- Tier 3: Cobalt Strike license for red team; additional SANS/training budget
- ASTRAL and AOC monetised as SaaS products with their own revenue stream

**The rule**: Every commercial partnership must either (a) provide a capability we cannot build, (b) generate recurring revenue without proportional labour, or (c) satisfy a compliance requirement that open-source cannot meet. If it does none of these, we decline.

---

## The Honest Limitations

| What Our Stack Does Well | What It Cannot Do |
|-------------------------|-------------------|
| Provides complete visibility without vendor lock-in | Requires more expertise to deploy and maintain than commercial SaaS |
| Costs a fraction of commercial equivalents | Does not come with 24/7 vendor support (we provide that) |
| Customisable to client-specific needs | Customisation takes time; commercial tools are faster to deploy out-of-the-box |
| Data sovereignty by default | Some clients' procurement departments prefer vendor-backed solutions for audit comfort |
| Integrates across tools via open APIs | Integration requires engineering; commercial suites are pre-integrated |

**The framing**:

> *"Our stack is not for everyone. If you want a dashboard that takes 15 minutes to deploy and requires no expertise, buy CrowdStrike. If you want intelligence that answers questions no vendor thought to ask, and you want to own that intelligence forever, our stack is the right choice. We provide the expertise so you do not need to hire it."*

---

## Integration With Existing Frameworks

| Document | Integration |
|----------|-------------|
| [Zero-Budget Vulnerability Discovery](zero-budget-vulnerability-discovery.md) | Syft + Grype container pipeline; osquery endpoint discovery; Prowler cloud-native discovery; GitLeaks secrets scanning |
| [AI-Assisted TVM Blueprint](ai-assisted-tvm.md) | All discovery tools feed the AI prioritisation engine; AOC provides insider-threat context; OpenCTI enriches with threat actor context |
| [Perimeter Scanning Capability](perimeter-scanning-capability.md) | Nuclei + Amass + Naabu form the open-source active scanning layer; Prowler covers cloud perimeter; CertStream monitors for new subdomains |
| [Osquery: The Sovereign Discovery Platform](osquery-custom-platform.md) | osquery + FleetDM is the endpoint discovery layer; Wazuh extends to behavioural detection; Velociraptor adds forensic hunting |
| [Blue/Purple Team Foundation](../core/blue-purple-team-foundation.md) | Wazuh + TheHive + Cortex + Shuffle form the open-source SOC stack; AOC adds M365-specific detection; Sliver enables adversary simulation; OpenCanary provides deception |
| [Retained Capability](../core/retained-capability.md) | Detection Engineering retained capability is built on Wazuh + AOC + Shuffle; Threat Context on TheHive + Cortex + OpenCTI |
| [Modular Engagements](../core/modular-engagements.md) | Each module has a recommended tool pairing in the matrix above; partnership doctrine defines when commercial tools supplement open-source |
| [AD and Endpoint Hardening](ad-endpoint-hardening.md) | BloodHound maps attack paths; Purple Knight / Forest Druid score AD security; Velociraptor hunts for indicators of compromise on domain controllers |
| [Business Case Template](business-case-template.md) | Partnership financial models (Huntress recurring, Thinkst margin, Tenable compliance) feed into client ROI calculations |

---

*For the cloud-native vulnerability discovery methods, see [Zero-Budget Vulnerability Discovery](zero-budget-vulnerability-discovery.md).*

*For the endpoint discovery platform, see [Osquery: The Sovereign Discovery Platform](osquery-custom-platform.md).*

*For the AI prioritisation layer that consumes these tools' output, see [AI-Assisted TVM Blueprint](ai-assisted-tvm.md).*

*For the organisational model that operates this stack, see [Retained Capability](../core/retained-capability.md).*
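The GitLeaks entry in the Extended Arsenal above describes catching hardcoded secrets in the pre-commit hook, before the commit lands in history. The Python script below is an added illustration of that mechanism; it is not GitLeaks' own code nor one of the CQRE utilities. It walks a constructed unified diff, scans only the added lines, tracks new-file line numbers from the hunk headers so a finding can be reported at the right place, and applies a Shannon-entropy floor so that keyword rules do not fire on every placeholder password. The rule table, the sample diff, the redaction convention and the entropy thresholds are all assumptions made for this example.

```python
"""Pre-commit secret scan over a unified diff, in the spirit of GitLeaks (added example, not GitLeaks code)."""
import math
import re
from dataclasses import dataclass

# Rule table: (rule id, regex with one capture group for the candidate secret, entropy floor in bits/char).
# The floor suppresses low-entropy placeholders such as password = "changeme2" that a keyword
# rule would otherwise flag on every commit. Thresholds are assumptions for this example.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), 3.0),
    ("private-key", re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"), 0.0),
    ("generic-credential",
     re.compile(r"(?i)(?:password|passwd|api[_-]?key|secret|token)\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{8,})"),
     3.5),
]

# Unified-diff hunk header: "@@ -old,len +new,len @@"; we only need the new-file start line.
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Constructed diff standing in for `git diff --cached` output in a pre-commit hook.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,4 +10,6 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLE1234567AB"
+AWS_SECRET = "Zq83kLm2NvPx7RtWy4BcDf6GhJ9sAe1UoIlKnMpQ"
 ALLOWED_HOSTS = ["example.internal"]
-password = "changeme"
+password = "changeme2"
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line: int      # line number in the new version of the file
    secret: str    # raw match; pass through redact() before persisting it anywhere


def shannon_entropy(value: str) -> float:
    """Bits per character: ~4.7 for random alphanumerics, ~2-3 for dictionary-like strings."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in (value.count(ch) for ch in set(value)))


def scan_diff(diff: str) -> list[Finding]:
    """Scan only the added ('+') lines of a unified diff, keeping new-file line numbers accurate."""
    findings, path, new_line = [], "", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):                 # new-file header, not content
            path = raw[4:].removeprefix("b/")
            continue
        hunk = HUNK.match(raw)
        if hunk:
            new_line = int(hunk.group(1))
            continue
        if raw.startswith("+"):                    # added line: scan it, then advance
            for rule, pattern, floor in RULES:
                for match in pattern.finditer(raw[1:]):
                    secret = match.group(1)
                    if shannon_entropy(secret) >= floor:
                        findings.append(Finding(rule, path, new_line, secret))
            new_line += 1
        elif raw.startswith(" ") or raw == "":     # unchanged context line: advance only
            new_line += 1
        # '-' lines and other metadata do not exist in the new file, so they do not advance
    return findings


def redact(secret: str) -> str:
    """Keep enough to recognise the credential in a report, never enough to reuse it."""
    if len(secret) <= 8:
        return "****"
    return secret[:4] + "****" + secret[-3:]


def report(findings: list[Finding]) -> list[str]:
    return [f"{f.path}:{f.line} {f.rule} {redact(f.secret)}" for f in findings]


if __name__ == "__main__":
    found = scan_diff(SAMPLE_DIFF)
    for line in report(found):
        print(line)
    raise SystemExit(1 if found else 0)           # non-zero exit blocks the commit in a hook
```

Run against the sample diff it reports the access key ID on line 11 and the high-entropy secret on line 12, while `password = "changeme2"` on line 14 is matched by the keyword rule and then dropped by the entropy floor. Scanning added lines only is what makes this usable as a hook; the historical-commit sweep the entry also mentions is the same scanner run over each commit's diff in turn.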
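The CertStream + Crt.sh entry above describes watching certificate transparency for new subdomains and unauthorised certificates on client domains, with new hosts handed to Nuclei. The Python example below is an added illustration of that triage, not CertStream's or crt.sh's code. It runs over a constructed batch of messages shaped like CertStream `certificate_update` events; the field names (`data.leaf_cert.all_domains`, `issuer.O`, `fingerprint`), the monitored apex, the known-host list and the expected-issuer list are assumptions made for the example. The scope test matches only the apex itself or hosts under it, so lookalike names such as `myexample.com` or `example.com.evil.test` are ignored rather than alerted, and wildcard entries are normalised to the apex so an unexpected wildcard certificate is still caught.

```python
"""Certificate Transparency triage for client domains (added example, not CertStream or crt.sh code)."""
from dataclasses import dataclass

# Constructed messages in the shape of CertStream "certificate_update" events.
# The field names used here (data.leaf_cert.all_domains, issuer.O, fingerprint) are assumed.
SAMPLE_STREAM = [
    {"message_type": "heartbeat"},
    {"message_type": "certificate_update", "data": {"leaf_cert": {
        "all_domains": ["www.example.com"],
        "issuer": {"O": "DigiCert Inc"}, "fingerprint": "AA:11"}}},
    {"message_type": "certificate_update", "data": {"leaf_cert": {
        "all_domains": ["vpn.example.com", "VPN.example.com."],
        "issuer": {"O": "Let's Encrypt"}, "fingerprint": "BB:22"}}},
    {"message_type": "certificate_update", "data": {"leaf_cert": {
        "all_domains": ["*.example.com"],
        "issuer": {"O": "Unknown Issuer Ltd"}, "fingerprint": "CC:33"}}},
    {"message_type": "certificate_update", "data": {"leaf_cert": {
        "all_domains": ["example.com.evil.test", "myexample.com"],
        "issuer": {"O": "Let's Encrypt"}, "fingerprint": "DD:44"}}},
]

MONITORED_APEX = {"example.com"}                                      # client domains under watch (constructed)
KNOWN_HOSTS = {"example.com", "www.example.com", "mail.example.com"}  # constructed; normally seeded from crt.sh history
EXPECTED_ISSUERS = {"DigiCert Inc", "Let's Encrypt"}                  # CAs the client actually uses (constructed)


@dataclass(frozen=True)
class Alert:
    host: str
    issuer: str
    fingerprint: str
    reason: str          # "new-subdomain" or "unexpected-issuer"


def normalise(name: str) -> str:
    """Lower-case, drop a trailing dot, and map wildcard names onto the name they cover."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def in_scope(host: str, apexes: set[str]) -> bool:
    """True only for the apex itself or a host strictly under it; lookalikes never match."""
    return any(host == apex or host.endswith("." + apex) for apex in apexes)


def watch(messages, apexes=MONITORED_APEX, known=KNOWN_HOSTS, issuers=EXPECTED_ISSUERS) -> list[Alert]:
    """Triage CT events: alert on unknown hosts and on certificates from CAs the client does not use."""
    alerts, seen = [], set()
    for msg in messages:
        if msg.get("message_type") != "certificate_update":
            continue                                   # heartbeats and other message types are ignored
        leaf = msg["data"]["leaf_cert"]
        issuer = leaf.get("issuer", {}).get("O", "unknown")
        fingerprint = leaf.get("fingerprint", "")
        for raw in leaf.get("all_domains", []):
            host = normalise(raw)
            if not in_scope(host, apexes):
                continue
            if (host, fingerprint) in seen:            # SAN lists often repeat a name in varying case
                continue
            seen.add((host, fingerprint))
            if host not in known:
                alerts.append(Alert(host, issuer, fingerprint, "new-subdomain"))
            if issuer not in issuers:
                alerts.append(Alert(host, issuer, fingerprint, "unexpected-issuer"))
    return alerts


def hosts_for_scan(alerts: list[Alert]) -> list[str]:
    """Hosts a perimeter scanner should pick up next: the newly discovered ones."""
    return sorted({a.host for a in alerts if a.reason == "new-subdomain"})


if __name__ == "__main__":
    for alert in watch(SAMPLE_STREAM):
        print(f"{alert.reason:18} {alert.host:24} issuer={alert.issuer} cert={alert.fingerprint}")
    print("queue for scan:", hosts_for_scan(watch(SAMPLE_STREAM)))
```

In use, `KNOWN_HOSTS` would be seeded from a crt.sh historical search for the apex and `SAMPLE_STREAM` replaced by the live CertStream feed. A `new-subdomain` alert is the shadow-IT case the entry describes and goes to the scanner queue; an `unexpected-issuer` alert is the unauthorised-certificate case and warrants a check with whoever owns the domain before anything else.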