antifragile/antifragile-consulting/playbooks/sovereign-tool-stack.md

The Sovereign Tool Stack: Open-Source Arsenal for Antifragile Consulting

"We do not sell software. We operate a laboratory. Every tool in our stack is either open-source, client-owned, or built by us. The result is intelligence that no vendor can replicate because it is tuned to your specific environment."

This document provides the complete capability map for our consulting practice: the tools we deploy, why we chose them, how they integrate, and what gaps remain. It is designed for three audiences:

1. Clients who want to understand what we bring to an engagement
2. Consultants who need to select the right tool for the right module
3. Our own product team who are building ASTRAL and AOC to close the M365-native gap

---

The Philosophy: Sovereign Means Inspectable

Vendor Black Box	Sovereign Tool
Proprietary detection logic you cannot audit	Open-source code you can read, modify, and extend
Data exfiltrated to vendor cloud	Data stays in your infrastructure or ours
Vendor-defined scan scope and cadence	You control what is scanned, when, and how deeply
Generic report templates	Custom outputs tuned to your compliance and risk language
Per-asset licensing that scales poorly	Free or built-by-us; economics favour the client

The executive framing:

"Tenable is a rented microscope. Our stack is a laboratory. We can ask questions that Tenable never thought to ask because we own the queries, the data, and the integration logic. When we find a gap, we do not open a support ticket. We write a detection rule, a query, or a script—and it is yours forever."

---

Our Current Arsenal

Cloud Posture and Compliance

Prowler

Attribute	Detail
What it does	Multi-cloud security auditing for AWS, Azure, and GCP. 300+ checks against CIS benchmarks, PCI-DSS, ISO 27001, GDPR, and HIPAA.
Why we use it	It is the most mature open-source CSPM. One tool covers all three major clouds. Output is JSON/CSV/HTML—easy to feed into our reporting pipeline.
Antifragile pillar	Sovereign Intelligence, Stress-to-Signal Conversion
Engagement modules	Module 3 (M365 Security Hardening) for Azure; Module 8 (OT Security Assessment) for cloud-connected OT; any cloud-native client
Typical output	Executive dashboard: "247 findings across 12 services; 23 critical; 5 are internet-facing misconfigurations"
Integration	Output feeds into AI-assisted TVM prioritization and CISO Assistant compliance tracking

The conversation:

"Prowler audited your AWS estate in 45 minutes and found an S3 bucket with public read access containing backup files. That is not a theoretical risk. That is a data breach waiting for a journalist. We fixed it in 10 minutes. No vendor invoice."

---

Active Directory Attack Path Analysis

BloodHound

Attribute	Detail
What it does	Maps Active Directory attack paths using graph theory. Shows how an attacker moves from a compromised standard user to Domain Admin in your specific environment.
Why we use it	No commercial tool visualises AD trust relationships and permission chains as clearly. It turns abstract identity risk into a navigable map.
Antifragile pillar	Structural Decoupling, Sovereign Intelligence
Engagement modules	Module 6 (On-Premise AD Hardening); Module 10 (Red Team & Validation); kill chain assessments
Typical output	"There are 4,217 paths from standard users to Domain Admin. The shortest is 3 hops via an overprivileged service account. Here is the exact account, the exact permission, and the exact remediation."
Integration	Findings feed into T0 Asset Framework classification and remediation prioritisation

The conversation:

"Your AD has been growing for 15 years. Nobody remembers why the payroll service account has Replicating Directory Changes permissions. BloodHound remembers. It found 4,217 paths from a standard user to Domain Admin. The shortest is three hops. We are not guessing about AD security anymore."

---

Active Directory Security Assessment

Purple Knight / Forest Druid

Attribute	Detail
What it does	Automated AD security assessment against known vulnerability classes: credential exposure, privileged access gaps, replication security, Kerberos weaknesses, and LDAP/S channel hardening.
Why we use it	Purple Knight (Semperis) and Forest Druid provide rapid, scriptable AD health checks that complement BloodHound's graph analysis with rule-based security scoring. Forest Druid extends coverage to hybrid Entra ID configurations.
Antifragile pillar	Stress-to-Signal Conversion, Optionality Preservation
Engagement modules	Module 6 (On-Premise AD Hardening); Module 12 (Blue/Purple Team Foundation); diagnostic week 1 kill chain assessments
Typical output	AD security score with pass/fail against 50+ indicators; immediate remediation guidance for failed checks
Integration	Scores feed into antifragile risk register; trended across quarterly retests

The conversation:

"Purple Knight scanned your AD forest in 20 minutes and scored 62 out of 100. The failures were not exotic: default LDAP signing disabled, KRBTGT password older than 180 days, and 14 service accounts with SPNs vulnerable to Kerberoasting. These are fixable in a week. Here is the priority order."

---

Governance, Risk, and Compliance

CISO Assistant

Attribute	Detail
What it does	Open-source GRC platform for compliance mapping, risk register management, control evidence collection, and audit readiness tracking.
Why we use it	It replaces €50,000/year GRC platforms with a sovereign alternative. Maps controls to multiple frameworks simultaneously (ISO 27001, NIS2, DORA, SOC 2).
Antifragile pillar	Sovereign Intelligence, Asymmetric Payoff Design
Engagement modules	Module 4 (Data Governance); Module 11 (Embedded Quality); all compliance-driven clients
Typical output	Live compliance dashboard: "DORA Article 12: 14 of 17 controls evidence-complete; 3 gaps assigned to owners with due dates"
Integration	Pulls findings from Prowler, osquery, BloodHound, and AOC into unified evidence packages

The conversation:

"Your auditor wants evidence that you monitor privileged access. CISO Assistant links the BloodHound scan, the Purple Knight score, the AOC admin activity report, and the osquery listening-ports query into a single evidence package for DORA Article 8. No scrambling for screenshots the night before the audit."

---

M365 Backup and Change Management

ASTRAL (Our Platform)

Attribute	Detail
What it does	Intelligent backup, configuration drift detection, and change management for Microsoft Intune, Entra ID, and M365 tenant configurations. Captures baseline state, detects unauthorised or accidental changes, and enables rapid rollback.
Why we built it	No existing tool treats M365 configuration as code. A tenant with 500 conditional access policies, 200 Intune profiles, and 50 compliance policies is unmanageable without version control and drift detection. ASTRAL provides GitOps for M365.
Antifragile pillar	Structural Decoupling, Stress-to-Signal Conversion
Engagement modules	Module 1 (Endpoint Management); Module 2 (Identity Security); Module 3 (M365 Security Hardening); retained capability engagements
Typical output	"Configuration drift detected: 3 conditional access policies modified outside change window; 1 Intune profile deleted; all changes attributable to [admin account]; rollback initiated automatically"
Integration	Feeds change logs into AOC for audit intelligence; exports configuration state to CISO Assistant for compliance evidence

The conversation:

"Your M365 tenant has 400 configuration objects and no version control. When an admin accidentally deletes a conditional access policy at 2 AM, you discover it 6 hours later because users are complaining. ASTRAL detects the deletion in 60 seconds, attributes it to the specific admin session, and offers one-click rollback. This is not backup. This is configuration immunity."

---

M365 Audit Log Intelligence

AOC — Admin Operations Center (Our Platform)

Attribute	Detail
What it does	Correlates Microsoft 365 Unified Audit Log, Entra ID sign-in logs, and Intune operational logs into actionable intelligence. Detects anomalous admin behaviour, privilege escalation, shadow IT creation, and data exfiltration patterns.
Why we built it	The native M365 audit log is a firehose: 10,000+ events per day in a typical tenant, searchable only via slow PowerShell or expensive Sentinel. AOC extracts the 50 events that matter and enriches them with identity context, device state, and business impact.
Antifragile pillar	Sovereign Intelligence, Stress-to-Signal Conversion
Engagement modules	Module 12 (Blue/Purple Team Foundation); retained capability (Detection Engineering); all M365 hardening engagements
Typical output	Daily brief: "3 anomalous events flagged: Global Admin [X] added external user at 03:14; Exchange Admin [Y] exported 12,000 mailboxes; Service Principal [Z] granted Mail.Read to unverified publisher. All require validation within 4 hours."
Integration	Receives alerts from osquery/FleetDM, Wazuh, and Prowler; pushes cases to CISO Assistant for risk register tracking; enriches AI-assisted TVM with insider-threat context

The conversation:

"Microsoft gives you the audit log. They do not give you the story. AOC reads 50,000 events per night and tells you the three that need human attention: an admin added an external user at 3 AM, another exported 12,000 mailboxes, and a service principal granted Mail.Read to an unverified app. These are not false positives. These are the events that precede breaches."

---

The Stack Architecture

┌─────────────────────────────────────────────────────────────────────────┐
│                         EXECUTIVE DASHBOARD                              │
│  (CISO Assistant + AI synthesis → board-ready risk and compliance view)  │
└─────────────────────────────────────────────────────────────────────────┘
                                    ▲
    ┌───────────────┬───────────────┼───────────────┬───────────────┐
    ▼               ▼               ▼               ▼               ▼
┌─────────┐   ┌─────────┐   ┌─────────┐   ┌─────────┐   ┌─────────┐
│ Prowler │   │BloodHound│   │ ASTRAL  │   │  AOC    │   │ osquery │
│(Cloud)  │   │  (AD)   │   │ (M365)  │   │(Audit)  │   │(Endpoint)│
└────┬────┘   └────┬────┘   └────┬────┘   └────┬────┘   └────┬────┘
     │             │             │             │             │
     └─────────────┴─────────────┴─────────────┴─────────────┘
                                   ▼
                    ┌─────────────────────────┐
                    │  AI-Assisted TVM Engine  │
                    │  (Prioritisation +       │
                    │   remediation scripts)    │
                    └─────────────────────────┘
                                   ▼
                    ┌─────────────────────────┐
                    │  Purple Team Validation  │
                    │  (Did the fix work?      │
                    │   Can we still exploit?)  │
                    └─────────────────────────┘

Data flow:

1. Discovery layer (Prowler, BloodHound, osquery, ASTRAL) collects raw security state
2. Intelligence layer (AOC, AI-assisted TVM) correlates, enriches, and prioritises
3. Governance layer (CISO Assistant) maps findings to compliance frameworks and tracks remediation
4. Validation layer (Purple Knight, Forest Druid, purple team exercises) proves fixes work

---

Gap Analysis: What We Recommend Adding

Our current stack covers cloud posture, AD security, GRC, M365 configuration, and endpoint audit intelligence. Here are the gaps and our recommended closes:

Gap 1: Endpoint Detection and Response (EDR) — The Visibility Gap

Current state: osquery provides structured endpoint inventory and compliance. AOC ingests M365 audit logs. What is missing is real-time behavioural detection on the endpoint itself.

Recommended close: Wazuh + Sysmon (open-source EDR stack)

Why Wazuh	Why Sysmon
Centralised SIEM/XDR with 5,000+ detection rules	Windows endpoint telemetry at kernel level
Agent-based or agentless deployment	Maps directly to MITRE ATT&CK
Native integration with Threat Intel (MISP, VirusTotal)	Free, mature, extensively documented
Scales to 100,000+ endpoints	Outputs to any SIEM via standard formats

Deployment model: Wazuh server in client infrastructure (or ours as managed service); Sysmon on all Windows endpoints with SwiftOnSecurity config; Linux agents via Wazuh native agent. Cost: infrastructure only.

When to deploy: Module 1 (Endpoint Management) for E3 clients lacking Defender for Endpoint P2; Module 12 (Blue/Purple Team) as the detection engineering foundation.

---

Gap 2: Security Orchestration and Automated Response (SOAR) — The Response Gap

Current state: AOC detects anomalous admin behaviour. ASTRAL detects configuration drift. What is missing is automated response: disabling a compromised account, isolating a device, or revoking an OAuth grant at machine speed.

Recommended close: Shuffle (open-source SOAR)

Why Shuffle
Visual workflow builder (no code required for simple playbooks)
Native integrations with M365, Entra ID, Wazuh, TheHive, Slack
Self-hosted: data never leaves client infrastructure
Replaces €100,000+/year commercial SOAR platforms

Example playbook: AOC detects impossible-travel sign-in → Shuffle disables account → ASTRAL revokes all active sessions → Slack alerts SOC → CISO Assistant logs incident → Ticket created in client ITSM.

When to deploy: Module 12 (Blue/Purple Team Foundation); retained capability engagements.

---

Gap 3: Incident Response Case Management — The Coordination Gap

Current state: Findings are scattered across Prowler, BloodHound, AOC, and osquery. What is missing is a single case management system that tracks incidents from detection through remediation to post-mortem.

Recommended close: TheHive + Cortex (open-source SOC case management)

Why TheHive	Why Cortex
Case management with IOC tracking, task assignment, and timeline	Automated analysis of observables: hashes, IPs, domains, files
Native MISP integration for threat intel correlation	30+ analyzers (VirusTotal, AbuseIPDB, URLhaus, etc.)
Metrics dashboard: MTTR, case volume, analyst workload	Free, extensible, community-maintained

When to deploy: Module 12 (Blue/Purple Team Foundation); retained capability ( Detection Engineering).

---

Gap 4: Cloud Asset and Dependency Mapping — The Context Gap

Current state: Prowler finds misconfigurations. BloodHound maps AD attack paths. What is missing is a unified map of how cloud resources connect to each other and to on-premise assets.

Recommended close: Cartography (by Lyft, open-source)

Why Cartography
Neo4j-based graph of AWS, GCP, Azure, and GitHub assets
Shows dependency chains: compromised IAM role → S3 bucket → Lambda → RDS
Complements BloodHound: BloodHound maps identity; Cartography maps infrastructure
Free, queryable via Cypher (same language as BloodHound)

When to deploy: Module 3 (M365 Security Hardening) for Azure environments; Module 5 (AI Sovereignty Bridge) for infrastructure mapping.

---

Gap 5: Container and Supply Chain Security — The Modernisation Gap

Current state: Our vulnerability discovery covers servers and endpoints. What is missing is native container image scanning, SBOM generation, and supply chain integrity verification.

Recommended close: Syft + Grype + Trivy

Tool	Role
Syft	Generate SBOMs from container images, filesystems, and archives
Grype	Scan SBOMs against NVD and vendor advisory databases
Trivy	Comprehensive scanner: OS packages, language dependencies, IaC misconfigs, secrets

Already in repository: See Zero-Budget Vulnerability Discovery for the Syft → Grype pipeline.

When to deploy: Any client with containerised workloads; Module 9 (Organisational Resilience) for CI/CD security gates.

---

Gap 6: Network Traffic Analysis — The Blind Spot Gap

Current state: We see endpoint state (osquery) and cloud configurations (Prowler). What is missing is visibility into network traffic: lateral movement, C2 beacons, and data exfiltration at the packet level.

Recommended close: Zeek + Suricata

Why Zeek	Why Suricata
Protocol analysis: extracts metadata from HTTP, DNS, TLS, SMB without full packet storage	IDS/IPS with 30,000+ signatures and emerging threat rules
Scales to 10 Gbps+ on commodity hardware	Can drop malicious traffic inline (IPS mode)
Output is structured JSON—easy to feed into Wazuh or AOC	Native file extraction and malware detection

When to deploy: Module 8 (OT Security Assessment) for industrial network segmentation validation; Module 12 (Blue/Purple Team) for detection engineering.

---

Complete Capability Matrix

Capability	Our Tool	Open-Source Alternative	Commercial Equivalent	When to Recommend
Cloud posture management	Prowler	ScoutSuite, CloudSploit	Prisma Cloud, Wiz, Orca	Every cloud environment; first sweep
AD attack path analysis	BloodHound	— (none comparable)	—	Every on-premise or hybrid AD
AD security assessment	Purple Knight / Forest Druid	PingCastle, ADRecon	Semperis Directory Services Protector	AD hardening engagements
GRC and compliance	CISO Assistant	OpenGRC, SimpleRisk	ServiceNow GRC, RSA Archer	DORA, NIS2, SOC 2 clients
M365 backup/change mgmt	ASTRAL	— (no open-source equivalent)	Veeam, AvePoint, SkyKick	All M365 clients; retained capability
M365 audit intelligence	AOC	— (no open-source equivalent)	Microsoft Sentinel, ManageEngine	All M365 clients; SOC co-management
Endpoint inventory	osquery + FleetDM	Wazuh (limited), Zentral	Tenable, Qualys	50-5,000 endpoints; sovereign preference
Endpoint detection (EDR)	Wazuh + Sysmon	—	CrowdStrike, SentinelOne, Defender P2	E3 clients without Defender P2; air-gapped environments
SIEM / log aggregation	Wazuh	Graylog, Grafana Loki, ELK	Splunk, Sentinel, QRadar	All environments needing centralised alerting
SOAR / automation	Shuffle	—	Palo Alto XSOAR, Splunk SOAR	SOC operationalisation; retained capability
SOC case management	TheHive + Cortex	—	ServiceNow SecOps, D3	Blue/purple team foundation; MSSP co-management
Container security	Syft + Grype + Trivy	Clair, Anchore	Snyk, Aqua	Containerised workloads; DevSecOps
Network analysis	Zeek + Suricata	—	Corelight, Darktrace	OT environments; high-sensitivity networks
Cloud asset mapping	Cartography	CloudQuery	Lucidscale, Faddom	Complex multi-cloud; incident response
Perimeter scanning	Nuclei + Amass + Naabu	OpenVAS, Greenbone	Tenable.asm, Cortex Xpanse	External attack surface management
Vulnerability discovery	osquery + Grype	OpenVAS, Nessus Essentials	Tenable, Qualys	Zero-budget first sweep; continuous monitoring
Red team C2	Sliver	Mythic	Cobalt Strike	Adversary simulation; EDR efficacy testing
Cloud attack simulation	Stratus Red Team	—	—	Cloud red team; Azure/AWS assessments
Cloud privilege analysis	CloudFox	PMapper	—	Cloud penetration tests
Container runtime detection	Falco	Tetragon	Aqua Runtime, Twistlock	Kubernetes workloads
Endpoint forensics	Velociraptor	KAPE	Encase, FTK	Incident response; threat hunting
Threat intelligence platform	OpenCTI	MISP, Yeti	ThreatConnect, Anomali	SOC maturity; regulated industries
Honeypot / deception	OpenCanary	T-Pot	Thinkst Canary	Flat networks; OT/IT bridges
Secrets detection	GitLeaks	TruffleHog	GitGuardian	DevSecOps; supply chain
Static code analysis	Semgrep	Bandit, Brakeman	SonarQube, Snyk Code	CI/CD security gates
Phishing simulation	GoPhish	—	KnowBe4, Cofense	Awareness programmes
Certificate monitoring	CertStream + crt.sh	Sublist3r	Censys, SecurityTrails	Continuous perimeter monitoring

---

Per-Module Tool Pairing

Module 1: Endpoint Management Foundation

Primary: ASTRAL (Intune configuration backup and drift detection) + osquery/FleetDM (endpoint inventory) Augmentation: Wazuh + Sysmon (for E3 clients without Defender P2)

Module 2: M365 Identity Security

Primary: AOC (audit log intelligence) + BloodHound (hybrid identity attack paths) Augmentation: Purple Knight (AD security baseline)

Module 3: M365 Security Hardening

Primary: ASTRAL (configuration state) + Prowler (Azure posture) Augmentation: AOC (continuous monitoring of security control changes)

Module 6: On-Premise AD Hardening

Primary: BloodHound + Purple Knight / Forest Druid Augmentation: osquery (endpoint state of domain controllers)

Module 9: Organisational Resilience and DevSecOps

Primary: Falco (container runtime security) + Semgrep (static code analysis) + GitLeaks (secrets detection) Augmentation: Syft + Grype + Trivy (supply chain scanning); Shuffle (CI/CD security automation)

Module 10: Red Team & Validation

Primary: BloodHound (attack path validation) + Nuclei (external validation) + Sliver (adversary simulation) Augmentation: Stratus Red Team (cloud attack simulation); CloudFox (cloud privilege escalation); Zeek + Suricata (detect red team activity from blue team perspective); OpenCanary (deception and early warning)

Module 12: Blue/Purple Team Foundation

Primary: Wazuh + Sysmon + TheHive + Cortex + Shuffle Augmentation: AOC (M365-specific detections) + Velociraptor (endpoint forensics) + OpenCanary (deception) + OpenCTI (threat intel correlation)

Retained Capability: Detection Engineering

Primary: Wazuh (rule authoring) + AOC (M365 detections) + Shuffle (response playbooks) Augmentation: Zeek + Suricata (network detection rules)

---

Deployment Complexity

Tool	Time to First Value	Infrastructure Required	Expertise Required	Client Data Sensitivity
Prowler	1 hour	None (runs from consultant laptop)	Low	Low (read-only API)
BloodHound	2 hours	None (collector + laptop)	Medium	Medium (AD enumeration)
Purple Knight	30 minutes	None	Low	Medium (AD scan)
CISO Assistant	1 day	Docker host or VM	Low	Low-Medium (compliance data)
ASTRAL	2 hours	SaaS or client-hosted	Low	High (M365 configuration)
AOC	4 hours	SaaS or client-hosted	Medium	High (audit logs, identity data)
osquery + FleetDM	4 hours	FleetDM server + agents	Medium	High (endpoint data)
Wazuh + Sysmon	1 day	Wazuh server + agents	Medium	High (endpoint + network data)
Shuffle	4 hours	Docker host	Medium	High (SOAR playbooks)
TheHive + Cortex	4 hours	Docker host	Medium	High (case data)
Syft + Grype	1 hour	None	Low	Low (container metadata)
Zeek + Suricata	1 day	Network tap or SPAN port	High	High (network traffic)
Cartography	4 hours	Neo4j + AWS/GCP/Azure APIs	Medium	Medium (cloud metadata)
Sliver	2 hours	C2 server (cloud or on-prem)	High	High (red team infrastructure)
Stratus Red Team	1 hour	AWS/Azure/GCP CLI access	Medium	High (executes real attacks)
CloudFox	1 hour	None (runs from laptop)	Medium	Medium (cloud metadata)
Falco	4 hours	Kubernetes daemonset or Linux host	Medium	High (container runtime data)
Velociraptor	4 hours	Velociraptor server + agents	Medium	High (forensic artefacts)
OpenCTI	1 day	Docker host or VM	Medium	Medium (threat intel data)
OpenCanary	30 minutes	Any Linux/Windows host	Low	Low (honeypot only)
GitLeaks	30 minutes	None (CLI or CI/CD)	Low	Medium (source code access)
Semgrep	1 hour	None (CLI or CI/CD)	Low	Medium (source code access)
GoPhish	2 hours	Docker host or VM	Low	Medium (user email data)

---

Extended Arsenal: Advanced and Specialised Tools

Beyond the core stack, these tools address specific niches that arise in sophisticated engagements. They are not deployed on every client, but when the situation demands them, no commercial alternative comes close.

---

Red Team and Adversary Simulation

Sliver

Attribute	Detail
What it does	Open-source cross-platform adversary simulation and command-and-control (C2) framework. Replaces Cobalt Strike for red team engagements at zero licensing cost.
Why we use it	Cobalt Strike costs €30,000+/year and is fingerprinted by most EDR. Sliver is free, actively maintained by Bishop Fox, and supports DNS, HTTPS, mutual TLS, and WireGuard C2 channels. It generates implants for Windows, macOS, and Linux.
When to deploy	Module 10 (Red Team & Validation); purple team exercises; EDR efficacy testing
Integration	Red team activity detected by Wazuh + Sysmon feeds into TheHive cases; AOC correlates any M365 session anomalies with red team timing

The conversation:

"We ran a controlled adversary simulation against your environment using Sliver. Your EDR detected 3 of 7 techniques. Your MSSP never saw the lateral movement. Your SIEM has no alert for the credential dumping. These are not theoretical gaps. These are tomorrow's breach headlines. Here is the detection engineering backlog to close them."

---

Stratus Red Team

Attribute	Detail
What it does	Generates real cloud attack techniques against AWS, Azure, and GCP. Not a scanner—an actual attack simulator that executes TTPs and then cleans up.
Why we use it	Prowler finds misconfigurations. Stratus proves they are exploitable. It automates the gap between "this S3 bucket is public" and "we exfiltrated 2 GB of data from it and your cloud trail logged nothing useful."
When to deploy	Module 10 (Red Team); cloud security assessments; purple team exercises in Azure/AWS environments
Integration	Attack telemetry feeds into Wazuh/SIEM for detection validation; findings enrich AI-assisted TVM cloud risk scores

---

CloudFox

Attribute	Detail
What it does	Cloud exploitation framework for AWS, Azure, and GCP. Maps permissions, finds privilege escalation paths, and identifies exposed resources from an attacker's perspective.
Why we use it	Prowler audits from the compliance perspective. CloudFox thinks like an attacker: "I have this IAM role—what can I actually do with it?" It finds indirect privilege escalation paths that scanners miss.
When to deploy	Module 10 (Red Team); cloud penetration tests; Azure/AWS security assessments
Integration	Output feeds into Cartography for unified cloud attack path mapping

---

Container and Cloud-Native Runtime Security

Falco

Attribute	Detail
What it does	Runtime security detection for containers, Kubernetes, and Linux hosts. Uses system call monitoring to detect anomalous behaviour: unexpected outbound connections, privileged container escapes, sensitive file access.
Why we use it	Syft + Grype find vulnerable packages at build time. Falco detects exploitation at runtime. Without Falco, a container with a CVE can be exploited silently.
When to deploy	Any client with Kubernetes or containerised workloads; Module 9 (Organisational Resilience) for CI/CD security gates
Integration	Falco alerts feed into Wazuh or directly to TheHive; AOC correlates container events with M365 identity context for supply-chain attack detection

---

Tetragon

Attribute	Detail
What it does	eBPF-based security observability and runtime enforcement for Kubernetes and Linux. Provides process execution tracing, network monitoring, and file access detection at kernel level with minimal overhead.
Why we use it	From the creators of Cilium. More granular than Falco in some dimensions. Can kill processes in real-time (not just detect). Ideal for high-security environments that need active runtime protection without commercial agents.
When to deploy	Critical infrastructure; financial services; high-sensitivity Kubernetes environments

---

Endpoint Forensics and Incident Response

Velociraptor

Attribute	Detail
What it does	Endpoint visibility and digital forensics platform. Hunts across thousands of endpoints in seconds using VQL (Velociraptor Query Language). Collects files, memory artefacts, registry keys, and event logs remotely.
Why we use it	osquery gives you structured inventory. Velociraptor gives you forensic capability: extract the MFT, hunt for specific malware indicators, collect browser history, or dump credentials from memory—across the entire estate in minutes.
When to deploy	Incident response retainers; Module 12 (Blue/Purple Team); any engagement where forensic artefact collection is required
Integration	Hunt results feed into TheHive cases; file hashes submitted to Cortex analyzers; YARA rules shared with Wazuh

The conversation:

"A user reported a suspicious email. Three hours later, we used Velociraptor to hunt across 2,000 endpoints and found four machines with the same payload in memory. We extracted the payload, analysed it in Cortex, and determined it was a new variant of a known banking trojan. Total time from alert to attribution: 47 minutes. No endpoint agent was installed on those machines. Velociraptor collected everything remotely."

---

Threat Intelligence

OpenCTI

Attribute	Detail
What it does	Open-source threat intelligence platform from Filigran. Ingests, structures, and correlates threat data from MISP, CVE databases, vendor advisories, and OSINT feeds. Provides relationship mapping between threat actors, TTPs, IOCs, and victimology.
Why we use it	Most organisations collect threat intel but cannot use it. OpenCTI turns raw IOCs into structured intelligence: "APT29 uses this technique → which targets our industry → and exploits this CVE → which we have on 12 servers."
When to deploy	Module 12 (Blue/Purple Team); retained capability engagements; clients in regulated industries with threat intel mandates
Integration	MISP feed ingestion; Wazuh rules enriched with OpenCTI context; TheHive cases auto-populated with threat actor profiles

---

Deception and Early Warning

OpenCanary

Attribute	Detail
What it does	Lightweight, low-interaction honeypot daemon. Simulates services (SMB, RDP, SSH, HTTP, SQL, Git) and alerts when probed. Takes 10 minutes to deploy.
Why we use it	Every network has blind spots. An attacker scanning for RDP on port 3389 will hit OpenCanary first—and trigger an alert before reaching real systems. It is an asymmetric defence: 10 minutes of deployment for early warning that no EDR can replicate.
When to deploy	Module 6 (AD Hardening); Module 12 (Blue/Purple Team); any client with flat network topology or legacy protocols
Integration	Alerts feed into Wazuh or directly to Shuffle for automated response (isolate attacker IP, notify SOC)

---

Code and Secrets Security

GitLeaks

Attribute	Detail
What it does	Scans Git repositories for hardcoded secrets: API keys, passwords, tokens, private keys. Supports pre-commit hooks and CI/CD integration.
Why we use it	The most common cloud breach vector is not zero-day exploitation. It is a developer committing an AWS access key to GitHub. GitLeaks finds it before the commit—or scans historical commits for existing leakage.
When to deploy	Module 9 (Organisational Resilience); DevSecOps engagements; any client with active software development
Integration	CI/CD pipeline integration; findings fed into CISO Assistant for evidence tracking; AOC monitors for any M365 session using leaked credentials

---

Semgrep

Attribute	Detail
What it does	Lightweight static analysis engine that scans code for security vulnerabilities, dangerous patterns, and compliance violations. Supports 30+ languages and runs locally without sending code to cloud services.
Why we use it	SonarQube and Snyk are excellent but expensive and cloud-dependent. Semgrep provides equivalent coverage for common vulnerability classes with full data sovereignty. The rules are open and auditable.
When to deploy	DevSecOps engagements; Module 9 (Organisational Resilience); software supply chain assessments
Integration	CI/CD pipeline gating; findings correlated with SBOMs from Syft for complete supply chain visibility

---

Phishing Simulation and Email Security Testing

GoPhish

Attribute	Detail
What it does	Open-source phishing simulation framework. Build campaigns, track click rates, capture credentials (in training mode), and measure user susceptibility over time.
Why we use it	Commercial phishing platforms cost €5-15/user/year. GoPhish is free, self-hosted, and produces equivalent metrics. It integrates with LDAP for realistic email targeting.
When to deploy	Module 3 (M365 Security Hardening); security awareness programmes; post-incident user training
Integration	Results feed into CISO Assistant for training evidence; high-risk users flagged in AOC for enhanced monitoring

---

Certificate and Subdomain Monitoring

CertStream + Crt.sh

Attribute	Detail
What it does	CertStream monitors certificate transparency logs in real-time; crt.sh provides historical certificate search. Together they reveal subdomains, infrastructure changes, and unauthorised certificates issued for client domains.
Why we use it	Attackers register subdomains for phishing campaigns. Developers register subdomains they forget to secure. Certificate monitoring finds both before they become incidents.
When to deploy	Perimeter scanning engagements; shadow IT discovery; continuous external monitoring
Integration	New subdomains feed into Nuclei for immediate vulnerability scanning; findings enrich perimeter scanning reports

---

Complete Extended Arsenal Matrix

Capability	Tool	Gap Filled	When to Deploy
C2 / Adversary simulation	Sliver	Cobalt Strike replacement; EDR efficacy testing	Red team; purple team
Cloud attack simulation	Stratus Red Team	Proves cloud misconfigs are exploitable, not just visible	Cloud red team; Azure/AWS assessments
Cloud privilege analysis	CloudFox	Attacker-view cloud permission mapping	Cloud penetration tests
Container runtime detection	Falco	Detects container exploitation at runtime	Kubernetes workloads
eBPF runtime enforcement	Tetragon	Kernel-level process killing and tracing	Critical infrastructure K8s
Endpoint forensics	Velociraptor	Remote artefact collection and hunting	Incident response; threat hunting
Threat intelligence platform	OpenCTI	Structured threat actor/TTP/IOC correlation	SOC maturity; regulated industries
Honeypot / deception	OpenCanary	Early warning for network reconnaissance	Flat networks; OT/IT bridges
Secrets detection	GitLeaks	Hardcoded credentials in source code	DevSecOps; supply chain
Static code analysis	Semgrep	Vulnerability detection without cloud dependency	CI/CD security gates
Phishing simulation	GoPhish	User susceptibility measurement and training	Awareness programmes
Certificate monitoring	CertStream + crt.sh	Subdomain discovery and unauthorised certs	Continuous perimeter monitoring

---

When to Partner Commercially: The Partnership Doctrine

"We are vendor-independent, not vendor-hostile. We deploy open-source by default. We partner commercially when the partner provides capabilities that open-source cannot match at reasonable cost, or when their managed service layer allows us to deliver 24/7 protection that a small team cannot provide directly."

This section addresses a practical reality: our practice is currently 5 people, growing toward 15-20. We cannot build everything. We cannot monitor everything 24/7. And some clients' procurement departments, auditors, or regulators require vendor-backed solutions regardless of technical merit.

The partnership doctrine is simple: open-source first, commercial when the gap is structural.

---

The Partnership Decision Framework

Factor	Open-Source Wins	Commercial Wins	Our Rule
Capability	Detection logic, queries, custom rules	24/7 eyes-on-glass, managed response, guaranteed SLA	If it requires a night shift, partner
Compliance	Operational evidence, configuration data	Audit-ready reports, vendor attestation, certifications	If the auditor demands a vendor logo, partner
Scale	<5,000 endpoints, <500 cloud resources	>5,000 endpoints, complex multi-cloud, heavy OT	If osquery scripts take 4 hours to run, partner
Time to value	Days to weeks (configuration, tuning)	Hours to days (SaaS onboarding)	If the client has 30 days and zero patience, partner
Margin	100% labour margin, 0% license margin	15-30% license margin + labour margin	If the partner pays us to sleep, consider it
Differentiation	Unique queries, custom integrations, our IP	None (every competitor resells the same tool)	If the partner makes us generic, refuse

---

Tier 1: Strategic Partnerships (Core to Our Offering)

These are partnerships we invest in deeply. We train the team, build integration playbooks, and offer them as first-choice solutions in client conversations.

Huntress — Managed Endpoint Detection and Response

Attribute	Detail
What they provide	Managed EDR for SMBs and mid-market: 24/7 threat hunting, incident response, ransomware rollback. Agent deployment via RMM or Intune.
Why we partner	Our open-source EDR stack (Wazuh + Sysmon) is excellent for clients who want sovereignty. But it requires us to tune rules, investigate alerts, and respond to incidents. Huntress provides the 24/7 layer we cannot staff at 5-20 people. We bring the strategic context; they bring the night shift.
Client archetype	E3 clients without Defender P2; municipalities; professional services; any client who needs EDR but cannot justify CrowdStrike or SentinelOne
Engagement model	We deploy and configure Huntress as part of Module 1 or 3. We retain the relationship and add our own detection rules via AOC for M365 context. Huntress handles the endpoint. We handle the narrative.
Financial model	Per-endpoint licensing with partner margin. We bill labour for deployment, tuning, and quarterly reviews. The recurring license revenue funds our growth without proportional labour increase.
When NOT to use	Clients who require air-gapped networks; clients with sovereign-data mandates that prohibit third-party agent telemetry; clients who explicitly want to own their detection logic (then we deploy Wazuh)

The conversation:

"We can build you a sovereign EDR on Wazuh and Sysmon. It will cost less in licensing and you will own every rule. But it requires someone to watch it 24/7. At your size, that someone does not exist yet. Huntress gives you the 24/7 eyes and the ransomware guarantee today. As you grow, we can migrate you to the sovereign stack. You are not locked in. You are staged."

---

Thinkst Canary — Deception and Early Warning

Attribute	Detail
What they provide	Hardware and virtual canaries that simulate valuable services (RDP, SMB, SQL, Git, AWS keys). When probed, they alert instantly with zero false positives.
Why we partner	OpenCanary is excellent for simple deployments. Thinkst Canary is enterprise-grade: tamper-proof hardware, cloud console, automated fleet management, and legal-grade evidence collection. For regulated clients, the difference matters.
Client archetype	Banking, utilities, telco, any client with flat network topology or legacy protocols; any client who has had an undetected breach
Engagement model	We conduct a deception architecture design (where to place canaries, what to simulate, how to integrate with SOC). Thinkst provides the devices. We manage the fleet and respond to alerts.
Financial model	Hardware/virtual license with partner margin. Annual management fee from us for monitoring, tuning, and incident response. High margin, low touch after initial deployment.
When NOT to use	Very small clients with <50 endpoints and flat Wi-Fi (OpenCanary is sufficient); clients who cannot justify the hardware cost

The conversation:

"Your network is a haystack. Your EDR looks for needles. We are going to place a few golden needles—devices that look exactly like your domain controllers and file servers—and watch who touches them. Nobody legitimate will ever touch them. Any alert is an attacker. Thinkst Canary is the only product I have seen with a genuine zero false positive rate."

---

Tenable — Enterprise Vulnerability Management

Attribute	Detail
What they provide	Tenable.sc (on-premise), Tenable.io (cloud), and Tenable.asm (attack surface management). The gold standard for compliance-auditable vulnerability management.
Why we partner	Our osquery + FleetDM + Prowler stack finds vulnerabilities at low cost for small-to-mid estates. Tenable provides audit-ready reports, authenticated deep scanning, OT/ICS compatibility, and the vendor attestation that regulators and auditors demand. We do not lead with Tenable. We lead with our stack. We bring Tenable in when the client needs compliance evidence or exceeds the scale where open-source is efficient.
Client archetype	Banking (DORA audit), utilities (NIS2), telco (regulatory), any client with >5,000 endpoints or OT networks
Engagement model	Phase 1: osquery + Prowler discovery sprint proves value and identifies gaps. Phase 2: Tenable deployed for continuous compliance scanning and audit reporting. We operate the platform and interpret results. Tenable provides the engine.
Financial model	Per-asset license with partner margin. We bill for platform operation, report interpretation, and remediation management.
When NOT to use	Clients with <500 endpoints and no compliance mandate (overkill); clients who explicitly want sovereign vulnerability management (osquery + Grype is sufficient)

The conversation:

"In our first 5-day sprint, we found 340 vulnerabilities using open-source tools. We fixed the critical ones in two weeks. Now your auditor wants a quarterly attestation report from a vendor-recognised platform. Tenable provides that. We do not replace our discovery stack with Tenable. We add Tenable for the compliance layer while our stack handles the operational intelligence."

---

Tier 2: Situational Partnerships (Deploy When Client Need Dictates)

These are tools we do not lead with, but we have partnership relationships ready when the specific gap arises.

Partner	Gap Filled	Client Trigger	Why Not Open-Source?
Delinea (formerly Thycotic)	Privileged Access Management (PAM)	Client needs vaulting, session recording, or just-in-time access; CyberArk is overbudget	Secret Server is mid-market friendly; open-source PAM (Teleport, Vault) requires more engineering than most clients can sustain
KnowBe4	Security awareness training and phishing simulation	Compliance mandate (ISO 27001, NIS2) requires documented training; GoPhish lacks content library	GoPhish is free but building campaigns and content takes consultant labour. KnowBe4 automates the content and reporting, freeing us for higher-value work.
Veeam	Backup and disaster recovery	Module 7 (Recovery & Resilience) requires validated backup architecture; native M365 backup is insufficient	ASTRAL backs up configuration, not data. Veeam is the standard for on-premise, cloud, and M365 data protection. Strong channel margins.
Proofpoint / Mimecast	Email security gateway	EOP is insufficient; client has had phishing-driven breaches; regulated industry mandates advanced filtering	These are specialised email security platforms with mature partner programmes. We deploy, tune, and manage. The client gets defence in depth.

---

Tier 3: Consultant Productivity Tools (Not Client-Facing Partnerships)

These are tools we purchase for our own team to deliver services more effectively. They are not resold to clients, but they enable us to compete with larger consultancies.

Tool	Purpose	Why We Pay For It
Burp Suite Professional	Web application penetration testing	The industry standard. Community edition is too limited for professional engagements.
Cobalt Strike (or Sliver for budget-conscious)	Red team C2 and adversary simulation	When clients specifically require Cobalt Strike for insurance or compliance validation. Sliver is our default; Cobalt Strike is the enterprise alternative.
Offensive Security / SANS training	Consultant skill development	Our team must maintain current certifications. Training is a cost of doing business, not a partnership.
Microsoft Action Pack / CSP	Internal M365 licensing for testing	We need sandbox tenants to test ASTRAL and AOC before client deployment. Microsoft's partner programme provides this at low cost.

---

What We Do NOT Partner With (And Why)

Category	Example	Why We Refuse
All-in-one security platforms	CrowdStrike, Palo Alto, SentinelOne	They replace our entire stack with a black box. We become a reseller, not a consultant. The client loses sovereignty. We lose differentiation.
Generic SIEM	Splunk, Datadog, Elastic Cloud	Wazuh + TheHive + AOC covers 90% of client needs. Splunk requires a €100K+ commitment and a dedicated engineer. We refer complex SIEM needs to specialists rather than pretending to be one.
AI security startups	Any vendor claiming "AI-powered" threat detection with no transparent model	Our AI strategy is sovereign: Azure OpenAI bridge and local LLMs. We do not resell opaque AI tools that we cannot explain to a board.
M365 management competitors	CoreView, AdminDroid, Quest	ASTRAL and AOC are our proprietary differentiators. Partnering here would undermine our own product investment.

---

The Partnership Portfolio for a 5→20 Person Practice

Year 1 (5 people, ~€500K revenue):

• Tier 1: Huntress (managed EDR recurring revenue) + Thinkst Canary (deception, high margin)
• Tier 2: Delinea and KnowBe4 (referral relationships, not yet deep)
• Tier 3: Burp Suite Pro + Sliver + Microsoft Action Pack
• Open-source first for everything else

Year 3 (15 people, ~€2M revenue):

• Tier 1: Huntress + Thinkst + Tenable (full enterprise VM partnership)
• Tier 2: Delinea, KnowBe4, Veeam, Proofpoint (active partner status, trained engineers)
• Tier 3: Cobalt Strike license for red team; additional SANS/training budget
• ASTRAL and AOC monetised as SaaS products with their own revenue stream

The rule: Every commercial partnership must either (a) provide a capability we cannot build, (b) generate recurring revenue without proportional labour, or (c) satisfy a compliance requirement that open-source cannot meet. If it does none of these, we decline.

---

The Honest Limitations

What Our Stack Does Well	What It Cannot Do
Provides complete visibility without vendor lock-in	Requires more expertise to deploy and maintain than commercial SaaS
Costs a fraction of commercial equivalents	Does not come with 24/7 vendor support (we provide that)
Customisable to client-specific needs	Customisation takes time; commercial tools are faster to deploy out-of-the-box
Data sovereignty by default	Some clients' procurement departments prefer vendor-backed solutions for audit comfort
Integrates across tools via open APIs	Integration requires engineering; commercial suites are pre-integrated

The framing:

"Our stack is not for everyone. If you want a dashboard that takes 15 minutes to deploy and requires no expertise, buy CrowdStrike. If you want intelligence that answers questions no vendor thought to ask, and you want to own that intelligence forever, our stack is the right choice. We provide the expertise so you do not need to hire it."

---

Integration With Existing Frameworks

Document	Integration
Zero-Budget Vulnerability Discovery	Syft + Grype container pipeline; osquery endpoint discovery; Prowler cloud-native discovery; GitLeaks secrets scanning
AI-Assisted TVM Blueprint	All discovery tools feed the AI prioritisation engine; AOC provides insider-threat context; OpenCTI enriches with threat actor context
Perimeter Scanning Capability	Nuclei + Amass + Naabu form the open-source active scanning layer; Prowler covers cloud perimeter; CertStream monitors for new subdomains
Osquery: The Sovereign Discovery Platform	osquery + FleetDM is the endpoint discovery layer; Wazuh extends to behavioural detection; Velociraptor adds forensic hunting
Blue/Purple Team Foundation	Wazuh + TheHive + Cortex + Shuffle form the open-source SOC stack; AOC adds M365-specific detection; Sliver enables adversary simulation; OpenCanary provides deception
Retained Capability	Detection Engineering retained capability is built on Wazuh + AOC + Shuffle; Threat Context on TheHive + Cortex + OpenCTI
Modular Engagements	Each module has a recommended tool pairing in the matrix above; partnership doctrine defines when commercial tools supplement open-source
AD and Endpoint Hardening	BloodHound maps attack paths; Purple Knight / Forest Druid score AD security; Velociraptor hunts for indicators of compromise on domain controllers
Business Case Template	Partnership financial models (Huntress recurring, Thinkst margin, Tenable compliance) feed into client ROI calculations

---

For the cloud-native vulnerability discovery methods, see Zero-Budget Vulnerability Discovery. For the endpoint discovery platform, see Osquery: The Sovereign Discovery Platform. For the AI prioritisation layer that consumes these tools' output, see AI-Assisted TVM Blueprint. For the organisational model that operates this stack, see Retained Capability.