dc83336567
New: assessment-templates/assessment-team-guide.md

Pre-engagement: access checklist (M365, AD, docs); tool preparation with deployment times; what to do if access is not ready.

Day 1 discipline: deploy ASTRAL and PULSAR before workshops start. Step-by-step ASTRAL and PULSAR deployment commands. Passive external scan in background. Microsoft Secure Score baseline.

Workshop signals: table of client statements -> likely findings -> what to check on Day 2. Feeds technical assessment planning.

Day 2-3 tool runs in sequence:
1. CAExporter (30 min) - CA policy reality check; report-only mode; exclusion groups defeating the purpose
2. BloodHound (1-2h) - 5 required queries; KRBTGT last set check; Domain Admins on workstations; service account attack paths
3. Elysium (2-4h) - privilege requirements noted; privacy model explanation; what to document
4. Purple Knight (30 min) - indicators to focus on; cross-reference with BloodHound
5. Entra ID manual checks (1h) - app registrations, guest accounts, MFA registration status, AD Connect sync account
6. Intune/endpoint check (30 min) - via ASTRAL output
7. External attack surface (30-60 min) - Nmap, Shodan, crt.sh
8. Firewall rule review (30-60 min) - what to look for
9. Backup spot check (30 min) - the 'green tick' test

Kill chain synthesis: explicit step-by-step method for tracing from outside to organisational failure.

Finding triage: kill chain test table; common priority inflation mistakes.

Quick wins: 8-item checklist; three tests a quick win must pass.

Report structure: 5 sections, target 15-25 pages, specific guidance per section including what makes a weak vs strong finding.

ASTRAL/PULSAR handover requirements before leaving site.

9 common assessment mistakes named explicitly.

Post-assessment checklist: 10 items before submitting the report.

index.md and assessment-templates/README.md updated.

Co-Authored-By: Tom Kracmar <tom+claude@cat6.cz>
# Antifragile Enterprise Consulting Repository — Index

## For Executives and Board Members

Start here. These documents require no technical background.

| Document | Purpose | Audience |
|---|---|---|
| About CQRE | Who we are, what we do, how we're different — fill this before sharing with clients | CEOs, New Clients, New Hires |
| About CQRE (Czech version) | Czech version of the company profile, for Czech clients and new team members | Czech Clients, New Hires |
| Executive Summary | One-page strategic overview — read this first | CEOs, Boards, Executive Committees |
| C-Suite Conversation Guide | Scripts, objection handling, and psychological framing | Executives, Advisors |
| Business Case Template | Financial justification, ROI, and risk quantification | CFOs, Boards, Risk Committees |
| Modular Engagements | Menu of independent modules; choose your starting point | CEOs, CFOs, Procurement |

For the strategic philosophy, see Core Frameworks below.

## For Practitioners and Consultants

Operational and persuasion documents used in engagements. Start every new client with the NIST CSF 2.0 Baseline Assessment (the Brownhat Diagnostic) to earn the right to recommend anything.

| Document | Purpose | Audience |
|---|---|---|
| README | Repository overview and quick start | Everyone |
| Engagement Model | How engagements work: lifecycle, client requirements, deliverables, pricing, and consultant delivery discipline | Clients, New Consultants |
| Consultant Field Guide | Internal playbook: decision models, client qualification, module selection, common mistakes, technical onboarding, proposal writing | New Consultants |
| NIST CSF 2.0 Baseline Assessment | The Brownhat Diagnostic: entry workshop for every new engagement | Consultants, CISOs, IT Managers |
| AI Operations Inevitability | Defensive AI is inevitable; business AI is optional | CISOs, CTOs, Consultants |
| Azure OpenAI Sovereignty Bridge | Azure OpenAI/Foundry as pragmatic sovereignty step | CTOs, Architects, Consultants |
| Organizational Resilience | Shift left and Dev/Sec/Ops merger talking points | CTOs, CISOs, Consultants |
| Embedded Quality Assurance | Process assurance for teams feeling "not in control" | Heads of Security, Operations, Project Leaders |
| Blue/Purple Team Foundation | Building defensive capability from existing tool investments | CISOs, SOC Managers, Security Architects |
| Retained Capability | What to keep in-house when outsourcing SOC, pentest, compliance | CISOs, CFOs, Procurement |

For the engagement posture and philosophy, see Core Frameworks below.

## Core Frameworks

| Document | Purpose | Audience |
|---|---|---|
| Move Fast and Fix Things | Speed, repair, and maximizing existing investment | Consultants, Executives |
| Antifragile Manifest | Five pillars of antifragile enterprise | Executives, Architects, Consultants |
| AI Sovereignty Framework | Strategic arguments and implementation for local AI | CISOs, CTOs, Security Architects |
| T0 Asset Framework | Tier 0 classification and protection for critical assets | Security Architects, Infrastructure Leads |
| Spontaneous Order Principles | Philosophical foundation for the five pillars | Executives, Architects, Strategists |

## Playbooks

| Document | Purpose | Audience |
|---|---|---|
| Rapid Modernisation Plan | 30-60-90-180 day transformation roadmap | Program Managers, Consultants, CISOs |
| Endpoint Management Entry Vector | Intune/device management as the ideal engagement entry point | M365 Consultants, Account Managers |
| AI-Assisted TVM Blueprint | AI-powered vulnerability management for AI-powered adversaries | CTOs, CISOs, Vulnerability Management |
| Zero-Budget Vulnerability Discovery | Script-based and osquery-based server/container vuln discovery without Tenable/Qualys | Security Engineers, Consultants |
| Perimeter Scanning Capability | External attack surface strategy: build, partner, or hybrid | Security Architects, Consultants |
| Osquery: The Sovereign Discovery Platform | Build a custom vulnerability and asset inventory platform on osquery | Security Engineers, Consultants, CTOs |
| M365 Antifragile Project | Greenfield and modernisation with antifragile design | M365 Consultants, Project Managers |
| M365 E3 Hardening | Tactical hardening for M365 E3 environments | M365 Consultants, Security Engineers |
| AD and Endpoint Hardening | On-prem AD, Windows endpoints, hybrid identity | Infrastructure Consultants, Security Engineers |
| Zero-Budget Hardening | Maximize existing tools, minimize new purchases | Consultants, CISOs, IT Managers |
| Implementation Playbook | Tactical step-by-step delivery guide | Technical Leads, Security Engineers |
| Sample Engagement: Mid-Market Hybrid | Complete worked example: 500 employees, AD+M365 E3, NIS2 scope — findings, kill chain, module sequence, Day 30/90/180 deliverables, populated backlog | Consultants, New Hires |
| CQRE Product Suite | ASTRAL, PULSAR, and AURORA: product details, framework alignment, deployment, and positioning | Consultants, Account Managers |
| Sovereign Tool Stack | Full arsenal: Prowler, BloodHound, CISO Assistant, ASTRAL, PULSAR, AURORA, Wazuh, Shuffle | Consultants, CTOs, CISOs |
| Privileged Access Architecture | PAM design: Teleport, Tailscale/Headscale, JIT access, vendor access governance | Security Architects, Infrastructure Consultants, OT Leads |
| Sovereign Communications | Delta Chat chatmail relay, Matrix/Element, crisis out-of-band channels | CISOs, Operations Leads, Incident Response |
| Business Case Template | Financial justification, ROI, risk quantification | CFOs, Boards, Consultants |

## Standards Reference

| Document | Purpose | Audience |
|---|---|---|
| CIS Controls v8 Mapping | IG1-IG3 alignment with antifragile actions | Consultants, Auditors, Compliance |
| NIST CSF 2.0 Mapping | CSF function mapping and evidence package | Consultants, Auditors, Compliance |

## Vertical References

| Document | Purpose | Audience |
|---|---|---|
| Vertical: Power and Utilities | Power generation, transmission, water, OT, NIS2/CER | Consultants in energy/water sectors |
| Vertical: Telco | Mobile/fixed operators, signaling security, 5G, fraud | Consultants in telecommunications |
| Vertical: Banking | Financial services, DORA, PSD2, SWIFT CSP alignment | Consultants in banking/fintech sectors |

## Assessment and Tools

| Document | Purpose | Audience |
|---|---|---|
| Assessment Team Guide | Technical execution guide for the Brownhat Diagnostic: tool sequence, what to run, what to look for, kill chain synthesis, report structure | Assessors, Technical Consultants |
| Findings Backlog | Single source of truth for all findings across every engagement; input queue for the housekeeping stream; pragmatic alternative to a formal risk register | Consultants, IT Leads, Client Teams |
| NIST CSF 2.0 Baseline Assessment | The Brownhat Diagnostic: structured 2-half-day workshop, gap analysis, prioritised module roadmap | Consultants, CISOs, IT Managers |
| NIST CSF 2.0 — Czech version | Brownhat Diagnostic: questionnaires and workshop guide in Czech | Consultants running Czech-language workshops |
| Module Completion Report | Template for the deliverable package at the end of every module | Consultants |
| Risk Register Example | 8 fully populated risk entries from a realistic engagement — calibration reference for consultants | Consultants |
| Antifragile Risk Register | Kill chain-aware risk taxonomy and register template | Risk Managers, Consultants |
| M365 Project Risk Register | M365-specific risk register with phase gates | Project Managers, M365 Consultants |
| Assessment Templates | Future diagnostic tools and maturity models | Consultants, Auditors |

## Navigation by Role

### For the Executive Sponsor

- Move Fast and Fix Things — understand the engagement posture and speed philosophy
- Spontaneous Order Principles — understand why antifragile design works at a systems level
- Antifragile Manifest — understand the strategic philosophy
- AI Sovereignty Framework — read the executive summary and five strategic arguments
- Rapid Modernisation Plan — review phases and governance cadence
- Zero-Budget Hardening — understand how existing investments are maximized

### For the Security Architect

- T0 Asset Framework — master the classification and protection model
- Implementation Playbook — follow the workstreams for identity, perimeter, and resilience
- Spontaneous Order Principles — architectural philosophy for why decentralized resilience outperforms centralized control
- Rapid Modernisation Plan — adapt phases to organizational context

### For the Consultant

Start here (read in order before your first engagement):

- README — repository orientation
- Move Fast and Fix Things — the Brownhat methodology and engagement posture
- Engagement Model — lifecycle, scoping, pricing, delivery discipline, and how to handle difficult situations
- Consultant Field Guide — decision models, client qualification, module selection, the ten common mistakes, technical onboarding, and proposal writing
- Antifragile Manifest — the five pillars and their client-facing translation
- Spontaneous Order Principles — the philosophical foundation for why antifragile design works
- C-Suite Conversation Guide — scripts, objection handling, and psychological framing for every executive archetype

Then study the module delivery toolkit:

- NIST CSF 2.0 Baseline Assessment — run this first with every new client (the Brownhat Diagnostic)
- Modular Engagements — the full module menu (Modules 1–14) and platform adaptation guide
- CQRE Product Suite — ASTRAL, PULSAR, and AURORA: what they do, how they fit the framework, and how to deploy them
- Sovereign Tool Stack — the full arsenal: CQRE tools, open-source stack, commercial partnerships, and when to use each
- M365 E3 Hardening — primary client environment for MS clients (most are E3)
- AD and Endpoint Hardening — on-premises identity and endpoint depth
- Privileged Access Architecture — Module 13: Teleport, Tailscale/Headscale, JIT access, vendor remote access governance
- Sovereign Communications — Module 14: Delta Chat chatmail relay, Matrix/Element, crisis out-of-band channels

Reference when needed:

- AI Sovereignty Framework — persuasive arguments and objection handling
- AI Operations Inevitability — why defensive AI is not optional
- Organizational Resilience — shift left and Dev/Sec/Ops merger talking points
- Retained Capability — what to keep in-house when outsourcing SOC, pentest, compliance
- Zero-Budget Hardening — extract value from existing tools in 30 days
- Zero-Budget Vulnerability Discovery — script-based and osquery-based discovery before scanner procurement
- Osquery: The Sovereign Discovery Platform — build owned vulnerability and asset inventory capability
- Rapid Modernisation Plan — structured engagement roadmap
- Implementation Playbook — tactical delivery guidance
- Vertical: Power and Utilities, Vertical: Telco, or Vertical: Banking — sector-specific adaptations
- CIS Controls Mapping and NIST CSF Mapping — standards alignment for auditors and regulators

This index is updated as the repository grows.