antifragile/antifragile-consulting/playbooks/rapid-modernisation-plan.md

Rapid Modernisation Plan

"We must change our strategy from 'detect the attacker in time' to 'become the target that is not worth attacking.' Reactive mode is unsustainable. We must ensure the game is played on our field."

For the Executive Reader

This is not a three-year digital transformation. It is a 180-day strategic reset with measurable business outcomes at each phase gate.

Phase	Timeline	What the Board Sees
Hygiene	Days 0-30	Visibility. For the first time, we know every identity, asset, and gap that could end the company.
Control	Days 30-60	Containment. The highest-risk exposures are closed using tools already owned.
Sovereignty	Days 60-90	Ownership. Proprietary intelligence is reclaimed. Recovery from disaster is proven, not assumed.
Antifragility	Days 90-180	Advantage. The organization learns faster from disruption than competitors do.

Investment principle: Configuration first. Procurement only if justified. Most value is extracted from existing tools before any new purchase is discussed.

Governance: Weekly steering committee. Monthly board update. Quarterly antifragility assessment. Hard go/no-go gates at days 30, 60, and 90.

Modularity: While this document presents the full 180-day program, every phase can be delivered as an independent, fixed-scope module. See Modular Engagements for the menu of standalone engagements.

For the business case and financial justification, see Business Case Template. For board conversation guidance, see C-Suite Conversation Guide.

---

For the Practitioner

This playbook provides a time-boxed, phase-gated roadmap for transforming a fragile enterprise into an antifragile one. It is designed for immediate deployment in consulting engagements and can be adapted to organizational size, industry, and regulatory context.

The plan is structured in four phases: Hygiene (30 days), Control (60 days), Sovereignty (90 days), and Antifragility (180 days). Each phase builds on the previous. Skipping phases creates the illusion of progress while leaving structural fragility intact.

Core tenet: Before any new purchase is discussed, exhaust the capabilities of existing tooling. See the Zero-Budget Hardening Playbook for the tactical expression of this principle.

---

Phase 1: Hygiene (Days 0–30)

Theme: You cannot defend what you cannot see.

The first 30 days are aggressive, disruptive, and non-negotiable. The goal is not perfection; it is visibility. Every unknown identity, unmapped dependency, and unmonitored access path is a latent failure waiting to happen.

Week 1-2: Identity and Access Blitz

Tool strategy: Use existing AD / Entra ID / IAM. No new purchases.

Action	Owner	Deliverable	Existing Tool Leverage
Aggressive identity audit	IAM / Security	Complete inventory of all human and non-human identities	ADUC, Entra ID portal, AWS IAM console
Disable all unknown / unused accounts	IAM	List of disabled accounts with business justification for exceptions	Existing IAM + PowerShell / CLI scripts
Rotate all critical passwords and shared secrets	Security Ops	Rotation log with verification	Existing IAM + LAPS (free from Microsoft)
Target: admin accounts, service accounts, krbtgt equivalents	AD / Cloud IAM	Documentation of every privileged account	Existing directory services
Implement password hygiene (minimum: audit)	IAM	Baseline report on password policy compliance	Native password policies + audit logs

Week 2-3: Perimeter and Communication Mapping

Tool strategy: Use native firewall management, open-source scanners, and manual audit before purchasing new NDR/VM platforms.

Action	Owner	Deliverable	Existing Tool Leverage
Audit all vendor / supplier access paths	Security / Procurement	Inventory of VPN, RDP, Citrix, SSH, FTP, SCP, API keys	Existing IAM, VPN logs, firewall logs
Review and document firewall rules	Network Team	Rule set with business justification for each	Native firewall management interfaces
Map public-facing assets from external perspective	Security	Attack surface report with P0 classification	Free/open-source: Shodan, certificate transparency logs, nmap
Implement aggressive vulnerability scanning	Security	Weekly scan results with trending	Existing scanner, Microsoft Defender Vulnerability Management, or OpenVAS

Week 3-4: Visibility and Monitoring Baseline

Tool strategy: Maximize existing EDR/SIEM before considering new platforms. A spreadsheet CMDB is infinitely better than no CMDB.

Action	Owner	Deliverable	Existing Tool Leverage
Deploy endpoint detection on all managed devices	SOC / MDE	Coverage report: % of estate monitored	Existing EDR (Defender, CrowdStrike, SentinelOne)
Establish log aggregation for critical systems	Security	Centralized logging for T0 and T1 assets	Existing SIEM, syslog server, or cloud native logging (Sentinel, CloudWatch, Cloud Logging)
Create initial CMDB seed for critical systems	IT / Security	CMDB populated with crown jewels	Existing ITAM, ServiceNow, or spreadsheet
Document "kill chain": shortest path to organizational failure	Security Architect	Threat model and mitigation map	Manual analysis + stakeholder interviews

Phase 1 Exit Criteria

• 100% of identities known and validated
• 100% of privileged access reviewed
• All public-facing assets identified and scanned
• Centralized logging operational for critical systems
• CMDB seeded with T0/T1 assets
• Initial "kill chain" documented

Phase 1 Mantra

"Do not be afraid to break things temporarily. Disable first, justify second. Visibility before permission."

---

Phase 2: Control (Days 30–60)

Theme: What we have seen, we must now contain.

With visibility established, the next 30 days focus on closing the highest-risk gaps without introducing operational paralysis. This is the phase of quick wins and surface reduction.

Week 5-6: Attack Surface Reduction (ASR)

Tool strategy: ASR rules and PAWs are native Microsoft capabilities. For non-Microsoft environments, use existing endpoint management.

Action	Owner	Deliverable	Existing Tool Leverage
Eliminate shared accounts where possible	IAM	Reduction metric: % of shared accounts decommissioned	Existing IAM + access review process
Implement Attack Surface Reduction rules on endpoints	Endpoint Security	ASR policy deployed and compliance measured	Microsoft Defender ASR (already owned in E3/E5)
Harden admin access: dedicated PAWs, no browsing, no email	Security	PAW architecture documented and deployed	Existing Windows / Intune / GPO
Review and minimize permissions across all platforms	IAM / App Owners	Permission matrix with least-privilege gaps identified	Native IAM interfaces + scripts

Week 6-7: Network and DNS Security

Tool strategy: Use existing DNS infrastructure, firewall segmentation, and open-source sensors (Zeek/Suricata) before buying NDR.

Action	Owner	Deliverable	Existing Tool Leverage
Deploy DNS security (filtering, logging, anomaly detection)	Network	DNS security coverage report	Existing DNS infrastructure, Quad9/Cloudflare free tiers, Microsoft DNS security
Segment IT/OT networks where they intersect	Network / OT	Network segmentation diagram and policy	Existing firewalls and VLANs
Deploy network sensors at critical boundaries	SOC	Sensor coverage map with alerting validated	Zeek or Suricata (open-source) or existing IDS/IPS

Week 7-8: Multi-Factor Authentication and Conditional Access

Tool strategy: MFA and conditional access are native capabilities of Entra ID, Okta, and cloud IAM. No additional purchase required.

Action	Owner	Deliverable	Existing Tool Leverage
Enforce MFA on all remote access paths	IAM	MFA coverage: 100% of remote access	Entra ID, Okta, Duo, or native cloud IAM MFA
Implement conditional access policies	IAM / Cloud	Policy set: device compliance, location, risk score	Entra ID Conditional Access, AWS IAM, GCP IAM
Review and harden M365 / Google Workspace security	Cloud Team	Cloud security posture report	Microsoft Secure Score, Google Security Health Analytics

Phase 2 Exit Criteria

• Shared accounts reduced by minimum 50%
• ASR rules active on all managed endpoints
• MFA enforced on 100% of remote and privileged access
• DNS security operational
• Network segmentation policy defined and initial segments implemented
• Conditional access policies active for cloud workloads

Phase 2 Mantra

"The goal is not to block everything. It is to ensure that every allowed path is known, justified, and monitored."

---

Phase 3: Sovereignty (Days 60–90)

Theme: Reclaim what should never have been rented.

This is where the antifragile approach diverges sharply from conventional hardening. The focus shifts from defending the perimeter to owning the intelligence that drives the organization.

Week 9-10: AI Sovereignty Assessment

Tool strategy: Discovery requires interviews and proxy log analysis. No purchase needed for assessment.

Action	Owner	Deliverable	Existing Tool Leverage
Inventory all AI usage: approved and shadow	Security / AI Lead	AI usage map with data classification	Proxy logs, SaaS billing review, employee interviews
Classify AI workloads by sovereignty requirement	Security Architect	T0/T1/T2 AI asset classification	Existing data classification framework
Identify highest-value local AI pilot candidate	AI Lead / Business	Pilot scope document with success criteria	Business stakeholder interviews
Assess vendor AI terms: data usage, training, termination	Legal / Security	Risk register for each AI provider	Legal review of existing contracts

Week 10-11: Local AI Infrastructure Deployment

Tool strategy: Start with existing hardware or low-cost sovereign cloud. Use open-source inference servers (Ollama, vLLM, llama.cpp).

Action	Owner	Deliverable	Existing / Low-Cost Tool Leverage
Deploy local inference infrastructure (on-prem or sovereign cloud)	Infrastructure	Operational inference cluster	Underutilized servers, retired workstations, or sovereign cloud VM
Establish model versioning and artifact management	MLOps / Security	Model registry with provenance tracking	Git + DVC or simple artifact storage
Implement access controls for model weights and training data	Security	T0-class protection for AI assets	Existing file servers, encryption, IAM
Deploy initial pilot: RAG or fine-tuned model on proprietary data	AI Team	Working pilot with performance baseline	Ollama, llama.cpp, or vLLM (open-source) + quantized open models

Week 11-12: Backup, Recovery, and Validation

Tool strategy: Use existing backup and DR infrastructure. The goal is to test and document, not to buy.

Action	Owner	Deliverable	Existing Tool Leverage
Perform full recovery drill of one critical system from backup	IT / Security	Recovery time documented, gaps identified	Existing backup solution
Validate backup integrity for all T0 assets	Backup Admin	Integrity report with sample restorations	Existing backup solution + integrity scripts
Test local AI pilot under degraded network conditions	AI / Infrastructure	Resilience validation report	Existing network infrastructure + manual testing
Document and exercise incident response for AI-specific threats	SOC / Security	Runbook: model poisoning, data exfiltration, adversarial input	Existing IR framework + internal knowledge

Phase 3 Exit Criteria

• All AI usage inventoried and classified
• Local inference infrastructure operational
• One high-value AI pilot deployed and measured
• T0 protection applied to model weights and training data
• Critical system recovery drill completed successfully
• AI-specific incident response runbook created

Phase 3 Mantra

"We are moving from being consumers of intelligence to manufacturers of our own. The vault is built; now we fill it."

---

Phase 4: Antifragility (Days 90–180)

Theme: Build systems that grow stronger from disruption.

The final phase converts the hardened foundation into an adaptive, learning organization. This is where antifragility becomes operational reality.

Month 4: Structural Decoupling and Optionality

Tool strategy: Documentation, architecture, and open-source chaos tools (Chaos Mesh, Gremlin free tier, custom scripts). Work, not purchases.

Action	Owner	Deliverable	Existing / Free Tool Leverage
Document exit architecture for all major platform dependencies	Enterprise Architecture	90-day exit plan per critical vendor	Architecture documentation, existing runbooks
Implement abstraction layers for proprietary integrations	Engineering	Interface documentation and migration test	Existing development tools and frameworks
Establish dual-vendor readiness for one critical category	Procurement / Engineering	Technical proof of capability	Existing engineering capacity, open standards
Deploy chaos engineering: simulate critical dependency failure	Resilience Team	Chaos experiment report with findings	Chaos Mesh (open-source), custom scripts, Gremlin free tier

Month 5: Stress-to-Signal Conversion

Tool strategy: Process and culture changes require no licensing. Use existing EDR/SIEM for detection validation.

Action	Owner	Deliverable	Existing Tool Leverage
Implement blameless post-mortem process with structural mandates	Culture / Security	Post-mortem template and governance	Existing collaboration tools (Confluence, SharePoint, Notion)
Deploy production chaos engineering with automated rollback	Resilience Team	Monthly chaos experiment schedule	Existing orchestration + open-source chaos tools
Create feedback loop: incident findings → architecture changes	Security Architect	Closed-loop metrics: mean time to structural fix	Existing ticketing system (Jira, ServiceNow)
Launch "red team as a service": continuous adversarial testing	Security	Monthly red team report	Internal team + existing EDR/SIEM for detection validation

Month 6: Defensive AI and Continuous Modernisation

Tool strategy: Defensive AI runs on the local inference infrastructure already deployed. Posture measurement uses existing APIs and open-source dashboards.

Action	Owner	Deliverable	Existing / Low-Cost Tool Leverage
Expand local AI to defensive use cases: anomaly detection, code review, vulnerability prioritization	AI / Security	Defensive AI capability map	Local AI cluster deployed in Phase 3
Implement automated security posture measurement	Security	Continuous compliance dashboard	Existing APIs (Microsoft Graph, AWS APIs) + Grafana or open-source dashboard
Evaluate and migrate additional AI workloads to local infrastructure	AI Lead	Migration roadmap with quarterly targets	Local AI infrastructure + business case templates
Conduct first antifragility maturity assessment	Consultant / Security	Baseline maturity score with gap analysis	Spreadsheet or existing GRC tool
Pilot organizational integration: embed security in one product team	Consultant / Engineering	Shift-left pilot metrics	Existing team structure + collaboration tools
Deploy AI-assisted TVM operationalization	AI / Security	AI TVM dashboard; <48h critical CVE response	Defender Exposure Management + Azure OpenAI or local LLM; see AI-Assisted TVM Blueprint

Phase 4 Exit Criteria

• Exit architectures documented for top 5 vendor dependencies
• Chaos engineering operational in production
• Mean time to structural fix < 14 days from incident
• Defensive AI pilot operational
• First antifragility maturity assessment completed
• Quarterly antifragility review calendar established

Phase 4 Mantra

"We do not want fewer incidents. We want incidents that teach us something we could not have learned any other way."

---

Governance and Cadence

Weekly Steering Committee

• Review blockers and escalations
• Validate phase exit criteria
• Adjust scope based on organizational readiness

Monthly Board Update

• Risk reduction metrics
• Antifragility maturity trend
• Investment vs. risk-exposure reduction
• Strategic narrative: "This is not a cost centre; it is optionality insurance"

Quarterly Retrospective

• What failed that taught us something?
• What assumptions have been invalidated?
• What new dependencies have emerged?
• What can be simplified or removed?

---

Success Metrics

Dimension	Metric	Target
Visibility	% of assets in CMDB	100% of T0/T1 within 30 days
Control	Mean time to contain new identity	< 1 hour
Sovereignty	% of proprietary AI workloads local	100% of T0-class within 90 days
Resilience	Recovery time for critical system	< 4 hours
Learning	Structural fixes per incident	≥ 1
Optionality	Vendor dependencies without exit plan	0

---

Adaptation Guide

Small Organizations (< 100 employees)

• Compress Phases 1-2 into 30 days
• Use managed sovereign cloud for local AI instead of on-premises hardware
• Focus on identity, backup, and one high-value AI pilot
• Leverage Microsoft Business Premium or Google Workspace security features fully before any additional purchase

Regulated Industries (Finance, Healthcare, Critical Infrastructure)

• Extend Phase 1 to 45 days for compliance mapping
• Integrate regulatory requirements into T0 classification
• Add compliance validation gates at each phase exit

Highly Distributed Organizations

• Prioritize network segmentation and DNS security in Phase 1
• Deploy edge inference nodes in Phase 3 instead of central cluster
• Emphasize operational resilience and disconnected operations

Organizations with Heavy Technical Debt

• Accept that 20 years of debt cannot be cleared in 180 days
• Use defensive AI in Phase 4 to accelerate debt identification and prioritization
• Focus on "kill chain" protection rather than comprehensive cleanup
• Map every action to CIS IG1 to show standards alignment without additional framework investment

---

Next: Implementation Playbook Previous: T0 Asset Framework