antifragile/antifragile-consulting/core/ai-operations-inevitability.md
Tomas Kracmar 763da003d3 Initial commit: antifragile cybersecurity consulting blueprint
Complete repository of frameworks, playbooks, and assessment resources
for cybersecurity consultations focused on antifragile enterprise design.

Includes:
- Core philosophy and manifest (5 pillars)
- 12 modular engagement packages
- AI sovereignty and operations frameworks
- Zero-budget vulnerability discovery and hardening playbooks
- M365 E3 hardening and antifragile project plans
- Osquery sovereign discovery platform blueprint
- Perimeter scanning capability guide
- AI-assisted TVM blueprint for AI-powered adversaries
- Vertical specializations: banking, telco, power/utilities
- CIS Controls v8 and NIST CSF 2.0 mappings
- Risk registers and assessment templates
- C-suite conversation guide and business case templates
2026-05-09 16:53:22 +02:00


AI for Operations and Security: The Inevitable Imperative

"We are not here to sell you AI. We are here to tell you that your adversaries are already using it—and that operational AI is no longer optional for defenders."

This document clarifies the antifragile position on artificial intelligence adoption: business-facing AI pilots are optional and should be evaluated on their merits; AI for security, operations, and resilience is becoming inevitable. The two must not be confused.


The Distinction That Matters

Most of your clients are currently running AI pilots for business tools: chatbots for customer service, content generation for marketing, summarization for legal, coding assistants for engineering. These are revenue-adjacent experiments. They should be evaluated like any other business investment—ROI, risk, strategic fit.

This document is not about those pilots.

This document is about operational AI: the use of artificial intelligence to defend systems, detect anomalies, prioritize vulnerabilities, accelerate incident response, and maintain operational continuity. This category is not an experiment. It is becoming table stakes for organizational survival.

| Category | Examples | Strategic Posture |
|---|---|---|
| Business AI | Customer chatbots, marketing content, sales outreach, HR screening | Optional. Evaluate per pilot. Sovereign if proprietary. |
| Operational AI | Log anomaly detection, vulnerability prioritization, threat hunting, code security review, incident triage | Inevitable. The question is not whether, but who owns the models and the data. |
| Strategic AI | Competitive intelligence, scenario modeling, board decision support | High-value, high-risk. Must be sovereign. |
| TVM / Vulnerability Management | Vulnerability prioritization, exploit prediction, remediation generation, attack surface mapping | Inevitable. AI-powered adversaries scan faster than human teams. AI-assisted TVM is the only asymmetric response. |

Why Operational AI Is Inevitable

1. The Attackers Are Already Using It

Adversaries—criminal and state-sponsored—are deploying AI to:

  • Generate polymorphic malware that evades signature-based detection
  • Craft spear-phishing campaigns at scale, personalized by scraped social media and leaked databases
  • Automate reconnaissance of target infrastructure, identifying weakest paths in hours rather than weeks
  • Bypass CAPTCHAs, behavioural biometrics, and traditional fraud controls

A defender operating without AI assistance is now fighting an asymmetric battle: human analysts versus machine-scale adversaries. The math does not favor the humans.

The executive framing:

"Your security team is not slower than the adversary. Your security team is smaller. AI is how we scale human judgment without scaling human headcount."

2. The Volume Problem Is Unsolvable Without Machine Assistance

Modern enterprises generate:

  • Billions of log events per day
  • Hundreds of thousands of endpoint telemetry signals
  • Tens of thousands of vulnerability findings
  • Thousands of identity access events
  • Hundreds of third-party risk indicators

No human team can review this volume. Current approaches rely on rules and thresholds—which adversaries study and evade. AI-driven detection looks for behavioural anomalies that rules cannot express.
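The point about rules versus baselines can be shown with a small worked example. The code below is added here to illustrate the idea and is not part of the blueprint; it uses plain per-principal statistics (median and median absolute deviation) rather than a trained model, because the mechanism the text describes, learn what is normal for each principal and alert on deviation from it, is the same in both cases. The log format, host and user names, and daily counts are all constructed for the example.

```python
"""Per-user baseline detection over constructed authentication log lines.

Added example, not code from the consulting blueprint. It contrasts a global
threshold rule ("alert above 30 logins per day") with a per-user baseline that
learns each principal's normal daily volume and alerts on deviation from it.
All log lines, hosts, users and counts below are constructed for the example.
"""
import re
import statistics
from collections import defaultdict

# Constructed line format: "<ISO timestamp> host=<h> user=<u> event=<e>"
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ host=(?P<host>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$"
)

BASELINE_DAYS = [f"2026-04-{d:02d}" for d in range(1, 8)]   # seven-day learning window
TEST_DAY = "2026-04-08"

# Constructed daily login counts: a human user with a busy, varying pattern and a
# service account that normally authenticates a couple of times per day.
BASELINE_PROFILE = {"alice": [18, 22, 19, 21, 20, 23, 17], "svc_backup": [2, 2, 3, 2, 2, 2, 3]}
TEST_PROFILE = {"alice": 24, "svc_backup": 14}   # a 7x jump for the service account


def constructed_log():
    """Build the sample log lines that the detector is run over."""
    lines = []
    for i, day in enumerate(BASELINE_DAYS):
        for user, counts in BASELINE_PROFILE.items():
            for h in range(counts[i]):
                lines.append(f"{day}T{h:02d}:00:00Z host=app01 user={user} event=login_success")
        lines.append(f"{day}T12:30:00Z host=app01 user=alice event=login_failure")
    for user, n in TEST_PROFILE.items():
        for h in range(n):
            lines.append(f"{TEST_DAY}T{h:02d}:00:00Z host=app01 user={user} event=login_success")
    return lines


def daily_counts(lines, event="login_success"):
    """user -> day -> number of matching events. Malformed lines are skipped."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["event"] == event:
            counts[m["user"]][m["day"]] += 1
    return counts


def build_baseline(counts, baseline_days):
    """Per-user (median, MAD) of daily counts; robust to a few odd days."""
    baseline = {}
    for user, per_day in counts.items():
        vals = [per_day.get(d, 0) for d in baseline_days]
        med = statistics.median(vals)
        mad = statistics.median(abs(v - med) for v in vals)
        baseline[user] = (med, mad)
    return baseline


def detect_deviations(counts, baseline, day, k=3.0, floor=1.0):
    """Alert when a user's count on `day` exceeds its baseline by k robust spreads.

    `floor` stops a zero MAD (a perfectly regular account) from dividing by zero;
    it also means any real change on such an account scores highly, which is
    exactly the behaviour wanted for service accounts.
    """
    alerts = []
    for user, (med, mad) in baseline.items():
        observed = counts.get(user, {}).get(day, 0)
        score = (observed - med) / max(mad, floor)
        if score > k:
            alerts.append((user, observed, med, round(score, 2)))
    return alerts


def rule_threshold(counts, day, threshold=30):
    """The static rule an adversary can study and stay under."""
    return [u for u, per_day in counts.items() if per_day.get(day, 0) > threshold]


def run_example():
    """Returns (rule alerts, baseline alerts) for the constructed test day."""
    counts = daily_counts(constructed_log())
    baseline = build_baseline(counts, BASELINE_DAYS)
    return rule_threshold(counts, TEST_DAY), detect_deviations(counts, baseline, TEST_DAY)


if __name__ == "__main__":
    rule_alerts, baseline_alerts = run_example()
    print("static rule fired on:", rule_alerts)        # nothing: both users stay under 30
    print("baseline detector fired on:", baseline_alerts)
```

On the constructed data the static rule fires on nobody, because 14 logins is unremarkable in absolute terms; the per-user baseline flags `svc_backup` at a deviation score of 12 while leaving `alice`'s ordinary fluctuation alone. Real deployments baseline more dimensions than daily volume (time of day, source host, target host), but the shape of the logic is the same.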

The executive framing:

"We are not buying AI to replace your analysts. We are buying AI to ensure your analysts see the one signal that matters instead of drowning in a thousand false alarms."

3. The Mythos Lesson: Technical Debt at Scale

The Anthropic Mythos incident demonstrated that even sophisticated AI providers carry technical debt that can be weaponized. The response to Mythos was not to abandon AI—it was to accelerate defensive AI capabilities that can scan, detect, and remediate faster than human teams.

Your clients' current vulnerability backlogs span months or years. A small team with reasonable AI tooling can:

  • Scan and prioritize vulnerabilities across the entire estate in hours, not weeks
  • Identify configuration drift before it becomes an incident
  • Generate and validate remediation code for common misconfigurations
  • Simulate adversarial paths through the environment to find the real kill chain

This is not science fiction. It is defensive AI pilot territory—and it is the fastest way to address decades of accumulated technical debt.

The executive framing:

"We cannot clear twenty years of technical debt with human labor alone. But a small team with defensive AI can do the work of dozens—finding, prioritizing, and proposing fixes for the vulnerabilities that actually matter."

4. Regulatory Pressure Is Coming

Regulators are beginning to mandate continuous monitoring and rapid remediation:

  • DORA requires ICT risk management that can adapt to evolving threats
  • NIS2 demands vulnerability handling with demonstrable timelines
  • Banking regulators increasingly expect AI-assisted fraud detection and anomaly monitoring
  • Cyber insurers are pricing premiums based on mean-time-to-remediate; AI-assisted prioritization directly reduces this metric

Organizations that cannot demonstrate AI-assisted security operations will face higher premiums, stricter scrutiny, and competitive disadvantage in regulated procurement.


The Sovereignty Requirement for Operational AI

Here is where the antifragile posture becomes non-negotiable:

Operational AI must be sovereign.

When you use cloud AI for security operations, you are sending your vulnerability data, your configuration details, your incident artifacts, and your network topology to a third party. That third party is:

  • Training its models on your defensive posture
  • Potentially subject to jurisdictional access (e.g., CLOUD Act)
  • Able to change terms, pricing, or availability without your consent
  • A target for adversaries who understand that compromising the AI provider gives them insight into thousands of customers

The rule: Business AI pilots can be evaluated case-by-case. Operational AI must run on infrastructure you control, with data that never leaves your perimeter.

| AI Use Case | Can It Run in the Cloud? | Must It Be Local? |
|---|---|---|
| Marketing content generation | Yes (if no proprietary data) | No |
| Public-facing chatbot | Yes | No |
| Internal code review | No | Yes |
| Vulnerability scanning and prioritization | No | Yes |
| Security log anomaly detection | No | Yes |
| Incident response triage | No | Yes |
| Threat intelligence analysis | No | Yes |
| OT anomaly detection (power/telco) | Absolutely no | Absolutely yes |

The "Not AI for Everything" Position

When clients ask why you are not pushing AI across every department, your answer is:

"AI is a tool, not a strategy. We support business AI pilots where they make sense and where data can be protected. But we are not here to automate your culture. We are here to ensure that the systems protecting your business can keep pace with the adversaries attacking it. Operational AI is not an experiment. It is infrastructure."

This position:

  • Builds credibility: You are not an AI hype merchant. You are a security architect.
  • Preserves trust: Clients do not feel pressured to adopt AI in areas where it adds no value.
  • Concentrates investment: Resources flow to operational AI where the return is survival, not convenience.

The Contrast Statement

Use this to differentiate from AI consultants who push indiscriminate adoption:

"Most AI consultants are here to increase your consumption of cloud APIs. We are here to ensure your defensive capabilities match your adversaries' offensive capabilities. If a business AI pilot does not protect revenue, reduce risk, or create a defensible moat, it is not our priority. If a defensive AI pilot reduces your vulnerability backlog from months to weeks, it is not optional."


Implementation Posture: Operational AI

Immediate (0-30 days): Assessment and Pilot Scope

  • Inventory current AI usage: business vs. operational vs. shadow
  • Identify the highest-volume, lowest-signal security workflow (usually vulnerability management or log review)
  • Select one defensive AI pilot with clear success metrics
  • For vulnerability management: Launch AI-assisted TVM baseline sprint. See AI-Assisted TVM Blueprint.
  • Establish the sovereignty boundary: no security data leaves the perimeter

Short-term (30-90 days): Defensive AI Pilot

  • Deploy local inference for one security use case:
    • Vulnerability prioritization: AI-assisted ranking of scan results by exploitability, asset criticality, and business context. See AI-Assisted TVM Blueprint for the full 30-60-90 day program.
    • Log anomaly detection: Baseline normal behaviour; alert on deviations
    • Code security review: Local model trained on your codebase finds patterns human reviewers miss
  • Measure: false positive rate, analyst time saved, mean time to prioritize
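The vulnerability prioritization bullet above combines exploitability, asset criticality and business context. The following is an added example of that ranking, not code from the blueprint or the TVM program it references: a transparent, deterministic scoring baseline of the kind a team should keep beside any model-assisted ranking so that the model's output can be sanity-checked against something explainable. The findings, asset names, weights and SLA bands are constructed for the example.

```python
"""Context-aware vulnerability ranking over constructed scan findings.

Added example, not the blueprint's own tooling. Raw CVSS is only one input:
exploit status, exposure, asset tier and compensating controls move a finding
up or down, so a CVSS 9.8 on an isolated dev box can rank below a CVSS 7.5
that is exploited in the wild on an internet-facing crown-jewel system.
All weights, bands and findings below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    cvss: float                 # CVSS base score, 0-10
    exploited_in_wild: bool     # e.g. listed in a known-exploited catalogue
    exploit_public: bool        # a public proof of concept exists
    internet_facing: bool
    asset_tier: int             # 1 = crown jewel, 2 = important, 3 = low value
    compensating_control: bool  # e.g. segmentation or a filtering rule already in place


# Constructed weights; a real program would derive these from its own risk appetite.
TIER_WEIGHT = {1: 1.0, 2: 0.7, 3: 0.4}
EXPOSURE_WEIGHT = {True: 1.0, False: 0.6}
CONTROL_DISCOUNT = 0.5


def exploitability(f: Finding) -> float:
    """Weight reflecting how likely the finding is to actually be used."""
    if f.exploited_in_wild:
        return 1.0
    if f.exploit_public:
        return 0.7
    return 0.3


def priority_score(f: Finding) -> float:
    """0-100 priority combining severity, exploitability, exposure and business context."""
    score = (f.cvss / 10.0) * exploitability(f) * TIER_WEIGHT[f.asset_tier]
    score *= EXPOSURE_WEIGHT[f.internet_facing]
    if f.compensating_control:
        score *= CONTROL_DISCOUNT
    return round(score * 100, 1)


def remediation_sla_days(score: float) -> int:
    """Constructed SLA bands: the higher the priority, the shorter the deadline."""
    if score >= 50:
        return 7
    if score >= 20:
        return 30
    return 90


def rank(findings):
    """Findings ordered by descending priority score."""
    return sorted(findings, key=priority_score, reverse=True)


def remediation_plan(findings):
    """(finding_id, asset, score, sla_days) in the order the team should work them."""
    return [(f.finding_id, f.asset, priority_score(f), remediation_sla_days(priority_score(f)))
            for f in rank(findings)]


# Constructed sample scan output.
FINDINGS = [
    Finding("F-1", "dev-db-03", 9.8, False, False, False, 3, False),
    Finding("F-2", "payments-gw-01", 7.5, True, False, True, 1, False),
    Finding("F-3", "hr-portal-02", 8.8, False, True, True, 2, True),
    Finding("F-4", "file-srv-07", 6.5, True, False, False, 2, False),
]


if __name__ == "__main__":
    for row in remediation_plan(FINDINGS):
        print(row)
```

The ranking puts the exploited-in-the-wild, internet-facing payment gateway finding first with a 7-day SLA, and the headline CVSS 9.8 on the isolated dev database last with a 90-day SLA. Whatever model produces the "AI-assisted" ranking in the pilot, the measurement step that follows (false positive rate, analyst time saved) is much easier when there is a simple scoring baseline like this to diff the model's output against.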

Medium-term (90-180 days): Expansion

  • Integrate defensive AI into SOC workflow: triage, enrichment, initial response recommendations
  • Deploy OT anomaly detection for critical infrastructure clients (power, telco)
  • Build internal capability to fine-tune models on proprietary data

Long-term (180+ days): Autonomous Operations

  • Closed-loop remediation: AI identifies, proposes, and (with human approval) applies fixes for common misconfigurations
  • Predictive maintenance: AI forecasts system failures before they impact operations
  • Continuous red-teaming: AI agents perpetually probe defenses and report findings

Talking Points for the Board

| Concern | Response |
|---|---|
| "We are already running AI pilots in marketing and sales." | "Those are business experiments. This is defensive infrastructure. The question is not whether to adopt AI. It is whether your defenders can keep pace with AI-powered attackers." |
| "This sounds like another expensive technology project." | "Defensive AI runs on the same local infrastructure we are already proposing for sovereignty. The incremental cost is minimal. The incremental protection is disproportionate." |
| "Our security team is skeptical of AI hype." | "Good. Skepticism is warranted for business AI. It is not warranted for operational AI when adversaries are already using it against you. We will prove value with a bounded pilot before any expansion." |
| "We do not have the expertise to run AI models." | "Modern tooling has reduced the barrier dramatically. We are not training foundation models. We are deploying quantized open models on your hardware with your data. This is achievable in weeks, not years." |
| "Will this replace our security team?" | "No. It will make them effective. Your analysts currently spend 80% of their time on noise. AI reduces the noise so they can focus on judgment, investigation, and structural improvement." |

Integration With Existing Frameworks

The Rapid Modernisation Plan

Operational AI appears in:

  • Phase 1 (Hygiene): AI-assisted identity and asset discovery
  • Phase 2 (Control): AI-assisted vulnerability prioritization and configuration validation
  • Phase 3 (Sovereignty): Local AI infrastructure deployment; defensive AI pilot
  • Phase 4 (Antifragility): Continuous AI-assisted red teaming; autonomous remediation loops

The Zero-Budget Hardening Approach

Defensive AI can run on:

  • Existing server hardware (quantized models require modest resources)
  • Retired workstations with GPU
  • Sovereign cloud instances (for clients without on-premises capacity)

The incremental cost is primarily labor for configuration, not hardware or licensing.


For the AI sovereignty strategic argument, see AI Sovereignty Framework. For the business case including defensive AI ROI, see Business Case Template.