antifragile/antifragile-consulting/core/modular-engagements.md
Tomas Kracmar 2b969af2a8 feat: Add sovereign tool stack and integrate ASTRAL/AOC across playbooks
New document: Sovereign Tool Stack — complete capability map for our
open-source consulting arsenal.

Documents updated:
- sovereign-tool-stack.md (new): Maps Prowler, BloodHound, CISO Assistant,
  Purple Knight/Forest Druid, ASTRAL, and AOC to engagement modules and
  antifragile pillars. Identifies 6 gaps with recommended closes:
  Wazuh+Sysmon (EDR), Shuffle (SOAR), TheHive+Cortex (case management),
  Cartography (cloud asset mapping), Syft+Grype+Trivy (containers),
  Zeek+Suricata (network analysis). Includes per-module tool pairing,
  deployment complexity matrix, and integration architecture.
- m365-e3-hardening.md: Added ASTRAL 'configuration immunity' section
  and AOC audit log integration references
- endpoint-management-entry-vector.md: Added ASTRAL for Intune
  configuration backup and drift detection
- modular-engagements.md: Added ASTRAL and AOC to Module 1/2/3
  deliverables; linked sovereign tool stack
- retained-capability.md: Added AOC and Wazuh to detection engineering
  description
- ai-assisted-tvm.md: Added AOC and Prowler to discovery layer table
- blue-purple-team-foundation.md: Added sovereign tool stack reference
  for open-source SOC architecture
- zero-budget-hardening.md: Linked sovereign tool stack
- README.md + index.md: Added sovereign-tool-stack.md to navigation
2026-05-09 17:05:18 +02:00

Modular Engagement Architecture

"Not every client is ready for the full journey. Some need to solve one burning problem first. The antifragile approach is architected so that every module stands alone—and every module makes the next one easier."

This document defines the antifragile consulting portfolio as a menu of independent, self-contained modules. Clients can purchase any module without committing to the full 180-day program. Each module delivers measurable value, produces transferable assets, and creates natural appetite for the next phase.


The Philosophy: Progressive Resilience

We do not sell monolithic transformation projects. We sell building blocks that stack.

| Approach | Traditional Consulting | Antifragile Modular |
| --- | --- | --- |
| Sales motion | Sell a 12-month program or nothing | Sell a 30-day module; expand based on proven value |
| Client commitment | All-in or walk away | Start where the pain is highest |
| Risk to client | High (unknown ROI until month 6+) | Low (measurable value in 30 days) |
| Risk to consultant | High (scope creep, payment delays) | Low (bounded scope, phase-gated payment) |
| Political capital | Consumed defending the program | Generated by visible early wins |

The rule: Every module must be sellable on its own, deliverable in 90 days or less, and must produce evidence that the next module is warranted.


The Module Menu

Module 1: Endpoint Management Foundation

The Entry Vector. The Most Common Starting Point.

| Attribute | Detail |
| --- | --- |
| Typical duration | 30-45 days |
| Typical investment | Low (labor only; Intune included in E3) |
| Prerequisites | M365 E3 or higher; Azure AD tenant |
| Standalone value | Full device visibility; compliance enforcement; remote management capability |
| Typical client | Remote-first organization; SCCM retiree; compliance-driven; Intune shelfware |

What is delivered:

  • Device inventory and enrollment campaign (Windows, macOS, iOS, Android)
  • Compliance baseline: encryption, OS version, password policy, firewall
  • Application inventory and shadow IT discovery
  • Basic conditional access integration (compliant device required for M365 access)
  • ASTRAL deployment for Intune configuration backup and drift detection
  • Admin training and operational handover

Executive pitch:

"Your devices are in home offices, airports, and coffee shops. In 30 days, we will know exactly what you have, whether it is secure, and how to fix what is not. This is not surveillance. It is ensuring that only healthy devices access your data—wherever they are."

Natural next modules: Module 2 (Identity Security), Module 5 (AI Sovereignty Bridge), Module 6 (On-Premise AD)

See: Endpoint Management Entry Vector


Module 2: M365 Identity Security

The Foundation of Everything. The Most Undervalued Module.

| Attribute | Detail |
| --- | --- |
| Typical duration | 30-60 days |
| Typical investment | Low to medium (labor; E5/P2 licensing upgrade may be recommended selectively) |
| Prerequisites | M365 tenant (E3 minimum); administrative access |
| Standalone value | Elimination of standing privileged access; MFA enforcement; legacy auth blocked; guest access governed |
| Typical client | Post-breach hardening; auditor findings; rapid growth with identity debt; privileged account compromise |

What is delivered:

  • Full identity census: human accounts, service accounts, guests, enterprise apps
  • MFA enforcement for 100% of users (conditional access with MFA for E3; risk-based conditional access and PIM for E5)
  • Legacy authentication blocked tenant-wide
  • Privileged access workstation (PAW) architecture for admins
  • PIM deployment (if E5/Entra ID P2) or manual JIT process (if E3)
  • AOC deployment for audit log intelligence and anomalous admin detection
  • Guest access audit and time-bounding
  • OAuth consent governance

Executive pitch:

"There are currently [X] administrator accounts in your tenant. If any one of them is compromised, an attacker owns your email, your documents, and your identity system. In 30 days, we reduce that to the minimum viable number, enforce multi-factor authentication, and ensure no admin ever logs in from a workstation with email and browsing."

Natural next modules: Module 3 (M365 Security Hardening), Module 6 (On-Premise AD), Module 7 (Recovery & Resilience)


Module 3: M365 Security Hardening

The E3 Maximization Play. Configuration, Not Procurement.

| Attribute | Detail |
| --- | --- |
| Typical duration | 30-60 days |
| Typical investment | Low (primarily labor; no new licensing required for E3 clients) |
| Prerequisites | M365 tenant; Module 2 (Identity Security) strongly recommended first |
| Standalone value | EOP tuned to maximum aggression; audit logging operational; Secure Score trending upward; ASR rules (if E5) |
| Typical client | E3 clients with untapped security potential; post-M365-deployment hardening; Secure Score below 50 |

What is delivered:

  • Exchange Online Protection tuning: anti-phishing, anti-malware, anti-spam
  • Mailbox auditing enabled for all users
  • Unified Audit Log enabled and forwarded to SIEM
  • Microsoft Secure Score baseline and improvement plan
  • ASR rule deployment in audit mode (E5) or Defender for Endpoint P1 maximisation (E3)
  • ASTRAL configuration baseline capture for all M365 security policies
  • Windows Defender Firewall and exploit protection baseline
  • LAPS deployment for local admin password randomization

Executive pitch:

"You own E3, which includes enterprise-grade antivirus, email filtering, and audit logging. Most organizations use less than 30% of these capabilities because no one configured them. We turn every available security control to maximum—and prove the improvement with before-and-after metrics. No new software. Just expertise applied to what you already paid for."

Natural next modules: Module 4 (Data Governance), Module 5 (AI Sovereignty Bridge), Module 10 (Red Team & Validation)

See: M365 E3 Hardening, Zero-Budget Hardening, Sovereign Tool Stack


Module 4: Data Governance & Compliance

The Regulatory Survival Module.

| Attribute | Detail |
| --- | --- |
| Typical duration | 45-90 days |
| Typical investment | Medium (labor; Purview licensing may be required for advanced features) |
| Prerequisites | M365 tenant; Module 3 (Security Hardening) recommended |
| Standalone value | Data classification deployed; retention policies enforced; DLP active; eDiscovery ready; regulatory evidence produced |
| Typical client | Regulated industries (banking, healthcare, critical infrastructure); litigation hold requirements; GDPR/DORA/NIS2 compliance |

What is delivered:

  • Sensitivity label deployment (Public, Internal, Confidential, Highly Confidential)
  • Retention policies for all M365 workloads (email, Teams, SharePoint, OneDrive)
  • Data Loss Prevention (DLP) policies for high-sensitivity data types
  • External sharing lockdown and per-site governance
  • eDiscovery readiness: legal hold procedures, retention hold capability
  • Teams governance: controlled creation, expiration, access reviews
  • SharePoint site provisioning governance

Executive pitch:

"Your auditor does not want to see a policy document. They want to see evidence that sensitive data is classified, that emails are retained according to regulation, and that you can produce documents for legal hold within 48 hours. We build the evidence—not the theater."

Natural next modules: Module 5 (AI Sovereignty Bridge), Module 7 (Recovery & Resilience), Module 10 (Red Team & Validation)


Module 5: AI Sovereignty Bridge

The Strategic Differentiator. The Conversation Starter.

| Attribute | Detail |
| --- | --- |
| Typical duration | 30-60 days |
| Typical investment | Low to medium (labor; Azure OpenAI consumption; optional local inference hardware) |
| Prerequisites | M365 tenant; Azure subscription; data governance baseline strongly recommended |
| Standalone value | Shadow AI eliminated; sanctioned Azure OpenAI deployed; proprietary data protected; first custom model or RAG pipeline operational |
| Typical client | Organizations using ChatGPT/Claude/Gemini without governance; leadership asking "what is our AI strategy?"; competitors investing in AI |

What is delivered:

  • Shadow AI usage inventory (proxy logs, endpoint scans, surveys)
  • Azure OpenAI Service deployment with private endpoints and customer-managed keys
  • Conditional access policies restricting AI access to approved users and devices
  • Azure AI Foundry pilot: one RAG pipeline or fine-tuned model on proprietary data
  • AI governance policy: approved use cases, prohibited data types, human-in-the-loop requirements
  • User education: why sanctioned AI is safer and often better than public alternatives

Executive pitch:

"Your teams are already using AI—through personal accounts, browser tabs, and mobile apps. Every proprietary document they paste into ChatGPT trains a model that will eventually be sold to your competitors. We stop that leakage in two weeks by giving them a better, safer alternative. Then we build your first custom AI asset on data that never leaves your Azure region."

Natural next modules: Module 9 (Organizational Resilience), Module 4 (Data Governance), Module 10 (Red Team & Validation)

See: Azure OpenAI Sovereignty Bridge, AI Sovereignty Framework


Module 6: On-Premise AD & Endpoint Hardening

The Legacy Debt Cleanup. For Organizations with Feet in Both Worlds.

| Attribute | Detail |
| --- | --- |
| Typical duration | 45-60 days |
| Typical investment | Medium (labor; Sysmon/Wazuh deployment; possible hardware for PAWs) |
| Prerequisites | On-premise Active Directory; administrative access to domain controllers |
| Standalone value | KRBTGT rotated; LAPS deployed; Sysmon operational; privileged access tiered; Azure AD Connect secured |
| Typical client | Hybrid identity environments; SCCM/AD shops; post-Active-Directory-compromise recovery; NIS2-critical infrastructure |

What is delivered:

  • Full AD identity census with orphan and privilege analysis
  • KRBTGT password rotation (if > 180 days stale)
  • LAPS deployment to all domain-joined workstations
  • Sysmon deployment with SwiftOnSecurity configuration
  • Privileged Access Workstation (PAW) architecture for Tier 0 admins
  • Azure AD Connect hardening and audit
  • AD FS security review (if present)
  • Windows Defender maximization and firewall hardening

Executive pitch:

"Your Active Directory has been running for fifteen years. It has accounts from employees who left a decade ago, service accounts with passwords that never expire, and administrator accounts that log in from the same laptops used for email and browsing. In 45 days, we clean the foundation—and make it significantly harder for an adversary to gain a foothold."

Natural next modules: Module 2 (Identity Security), Module 7 (Recovery & Resilience), Module 8 (OT Security Assessment)

See: AD and Endpoint Hardening


Module 7: Recovery & Resilience Validation

The Insurance Policy. Prove You Can Rebuild Before You Need To.

| Attribute | Detail |
| --- | --- |
| Typical duration | 30-45 days |
| Typical investment | Low to medium (labor; third-party backup if not already owned) |
| Prerequisites | Backup solution in place (even if untested); administrative access to critical systems |
| Standalone value | One critical system recovered from backup; runbooks documented; CMDB seeded; quarterly drill cadence established |
| Typical client | Organizations that have never tested recovery; recent ransomware scare; DORA/NIS2 compliance preparation; board demanding evidence |

What is delivered:

  • Backup coverage inventory: what is backed up, how often, where, by what mechanism
  • Recovery drill: one critical system restored to isolated environment with full validation
  • CMDB seeding: T0 and T1 assets documented with owners, dependencies, and recovery requirements
  • Recovery runbooks: documented, tested, and transferable to non-designers
  • Immutable backup validation: ensure backups cannot be deleted by compromised admin accounts
  • Quarterly recovery drill calendar established

Executive pitch:

"Most organizations discover they cannot recover from backup at 3 AM during an active ransomware incident. We discover it in a controlled test during business hours—when we can fix it without pressure. The question is not whether you have backups. The question is whether you have ever proven they work. We prove it."

Natural next modules: Module 10 (Red Team & Validation), Module 8 (OT Security Assessment), Module 3 (M365 Security Hardening)


Module 8: OT Security Assessment

The Critical Infrastructure Module. For Power, Utilities, and Telco.

| Attribute | Detail |
| --- | --- |
| Typical duration | 45-90 days |
| Typical investment | Medium to high (labor; potential network hardware for segmentation) |
| Prerequisites | OT network access; cooperation from operations and engineering teams |
| Standalone value | IT/OT connection matrix; vendor access audit; manual override procedures validated; NIS2 evidence produced |
| Typical client | Power utilities; water/wastewater; telecommunications; manufacturing with SCADA/DCS |

What is delivered:

  • OT asset inventory: SCADA, DCS, EMS, protection relays, RTUs, AMI
  • IT-to-OT network connection mapping with business justification
  • Vendor remote access audit and time-bounding
  • Network segmentation plan: IT/OT DMZ, unidirectional gateway recommendations
  • Manual override procedure documentation and validation
  • NIS2/CER compliance evidence package
  • Black start / islanding procedure test (power utilities)

Executive pitch:

"Your control room does not need email. Your protection relays do not need internet access. Every connection between IT and OT is a bridge an adversary can cross. We map those bridges, justify the ones that must remain, and eliminate the ones that put physical safety at risk. This is not IT security. This is operational survival."

Natural next modules: Module 6 (On-Premise AD), Module 7 (Recovery & Resilience), Module 10 (Red Team & Validation)

See: Vertical: Power and Utilities, Vertical: Telco


Module 9: Organizational Resilience

The People and Process Module. Fix the Structure, Not Just the Tools.

| Attribute | Detail |
| --- | --- |
| Typical duration | 60-90 days |
| Typical investment | Medium (labor; no tooling cost) |
| Prerequisites | Executive sponsor with authority; willingness to experiment with team structure |
| Standalone value | One product team with embedded security; shift-left pilot operational; shared metrics proving velocity and security can coexist |
| Typical client | Organizations with siloed Dev/Sec/Ops; slow release cycles blamed on security gates; talent retention problems |

What is delivered:

  • Current-state Dev/Sec/Ops friction mapping
  • Pilot team selection and embedded security engineer placement
  • CI/CD security gate deployment (automated scanning, not manual review)
  • Shared OKR definition: team owns vulnerability count, change failure rate, recovery time
  • Platform team or SRE team architecture (if appropriate)
  • Blameless post-mortem process with structural mandate
  • 90-day metrics report: before-and-after velocity, defect rates, team satisfaction

Executive pitch:

"Your development team ships fast. Your security team says no. Your operations team keeps the lights on. None of them are wrong—but the organizational boundary between them destroys all three goals. We do not reorganize your departments on day one. We embed security into one product team, measure the results, and let the metrics make the case for broader change."

Natural next modules: Module 2 (Identity Security), Module 5 (AI Sovereignty Bridge), Module 10 (Red Team & Validation)

See: Organizational Resilience


Module 10: Red Team & Validation

The Proof Module. Validate Everything You Have Built.

| Attribute | Detail |
| --- | --- |
| Typical duration | 15-30 days (engagement) + quarterly re-testing |
| Typical investment | Medium to high (external red team; internal coordination) |
| Prerequisites | At least one other module deployed; operational incident response capability |
| Standalone value | Independent validation of security posture; kill chain identification; board-ready evidence |
| Typical client | Regulated industries requiring annual penetration testing; post-transformation validation; boards demanding proof |

What is delivered:

  • Scoping and rules of engagement (aligned to DORA TLPT or CIS requirements)
  • Adversarial simulation: external reconnaissance, initial access, lateral movement, impact
  • M365-specific attack paths: BEC, OAuth consent abuse, conditional access bypass attempts
  • OT-bounded red team (for critical infrastructure clients)
  • Report with kill chain analysis and prioritized remediation
  • Board presentation: findings, risk quantification, and evidence of control effectiveness
  • Quarterly purple team exercises (optional retainer)

Executive pitch:

"You have invested in security controls. But controls that have not been tested are assumptions, not facts. A red team exercise is a controlled failure that proves whether your defenses work before a real adversary tests them. The board receives independent evidence—not consultant promises."

Natural next modules: Any module where gaps were identified; typically cycles back to hardening modules.


Module 11: Embedded Quality & Process Assurance

The Presence Module. For Leaders Who Feel They Are Not in Control.

| Attribute | Detail |
| --- | --- |
| Typical duration | 60-90 days (12 weeks embedded) |
| Typical investment | Medium (labor; no tooling cost) |
| Prerequisites | Executive sponsor; team willing to be observed; tolerance for process change |
| Standalone value | Repeatable processes; accurate documentation; team confidence; friction reduction |
| Typical client | Heads of Security or Operations who say "we don't feel in control"; project teams behind schedule; teams with tool-shelfware |

What is delivered:

  • Immersion report: formal vs. actual process map; invisible risks identified
  • Friction reduction: fast wins that reduce daily pain and vulnerability
  • Capability handover: team-owned documentation, self-assessment checklists, metrics dashboard
  • Validation: team operates independently for one week; consultant steps back to advisory

Executive pitch:

"You have capable people, but the gap between what is documented and what is actually happening has grown too wide. I do not audit you. I join your team for 12 weeks, observe the reality of daily work, and help you close that gap. You will have repeatable processes, accurate documentation, and a team that trusts its own capability."

Natural next modules: Module 9 (Organizational Resilience), Module 12 (Blue/Purple Team Foundation), Module 3 (M365 Security Hardening)

See: Embedded Quality & Process Assurance


Module 12: Blue / Purple Team Foundation

The Capability Module. From Tool Ownership to Operational Defense.

| Attribute | Detail |
| --- | --- |
| Typical duration | 60-90 days |
| Typical investment | Medium (labor; leverages existing Microsoft security stack) |
| Prerequisites | Microsoft Defender (E5) or equivalent EDR; at least one security analyst; willingness to learn |
| Standalone value | Operating rhythm for SOC; first guided threat hunt; purple team charter; 12-month capability roadmap |
| Typical client | Organizations that own E5/Defender/Sentinel but underutilize them; SOC drowning in noise; no hunt discipline; red and blue teams do not collaborate |

What is delivered:

  • Capability audit: maturity assessment of detection, response, hunting, and metrics
  • Operating rhythm: weekly Secure Score reviews, alert triage playbooks, automated enrichment
  • First guided threat hunt: hypothesis-driven search with documented methodology
  • Purple team exercise: collaborative attack/defence simulation with detection gap analysis
  • 12-month roadmap: prioritized capability improvements with resource requirements

Executive pitch:

"You have a Ferrari-grade security stack and drive it like a rental car. The tools are not the problem—the team's ability to use them is. I help you build the weekly cadence, the hunt discipline, and the purple team culture that turns telemetry into action. In 12 weeks, your team owns the capability, not just the licenses."

Natural next modules: Module 10 (Red Team & Validation), Module 3 (M365 Security Hardening), Module 7 (Recovery & Resilience)

See: Blue/Purple Team Foundation

Also see: Retained Capability for the MSSP co-management and detection engineering model.


Module Selection Guide

For the Client Who Knows Their Pain

| Client Says | Start With Module | Typical Duration |
| --- | --- | --- |
| "We need to manage remote devices" | Module 1: Endpoint Management | 30-45 days |
| "We had a phishing incident" | Module 2: Identity Security | 30-60 days |
| "Our E3 licenses feel wasted" | Module 3: M365 Security Hardening | 30-60 days |
| "The auditor is coming" | Module 4: Data Governance | 45-90 days |
| "What is our AI strategy?" | Module 5: AI Sovereignty Bridge | 30-60 days |
| "Our AD is a mess" | Module 6: On-Premise AD Hardening | 45-60 days |
| "Can we actually recover from backup?" | Module 7: Recovery & Resilience | 30-45 days |
| "We operate critical infrastructure" | Module 8: OT Security Assessment | 45-90 days |
| "Security slows us down" | Module 9: Organizational Resilience | 60-90 days |
| "Prove our security works" | Module 10: Red Team & Validation | 15-30 days |
| "We don't feel in control" | Module 11: Embedded Quality Assurance | 60-90 days |
| "We own tools but can't use them" | Module 12: Blue/Purple Team Foundation | 60-90 days |
| "Our outsourced SOC underperforms" | Module 12 (+ Retained Capability Audit) | 60-90 days |
| "Mythos/AI will find all our vulnerabilities" | AI-assisted TVM Sprint | 30-90 days |

For the Client Who Does Not Know Where to Start

The Diagnostic Path:

  1. Week 1: Kill Chain Assessment (included in scoping; no charge)

    • Interview stakeholders
    • Identify the shortest path to organizational failure
    • Recommend the module that closes the most critical gap

  2. Module selection based on kill chain:

    • Kill chain starts with compromised endpoint → Module 1
    • Kill chain starts with stolen credentials → Module 2
    • Kill chain starts with unrecoverable systems → Module 7
    • Kill chain starts with OT bridge → Module 8

Progressive Enhancement: How Modules Stack

Path A: The M365-First Organization

Month 1-2:   Module 1 (Endpoint Management)
              ↓ Discovers identity and AI gaps
Month 2-3:   Module 2 (Identity Security)
              ↓ Discovers compliance and data gaps
Month 4-5:   Module 4 (Data Governance)
              ↓ Discovers AI shadow usage
Month 5-6:   Module 5 (AI Sovereignty Bridge)
              ↓ Discovers architectural fragility
Month 7-12:  Module 10 (Red Team) + selected hardening

Path B: The Hybrid Infrastructure Organization

Month 1-2:   Module 6 (On-Premise AD Hardening)
              ↓ Discovers recovery and identity gaps
Month 2-3:   Module 2 (Identity Security)
              ↓ Discovers endpoint visibility gap
Month 3-4:   Module 1 (Endpoint Management)
              ↓ Discovers AI and data gaps
Month 5-8:   Module 5 (AI Sovereignty) + Module 4 (Data Governance)
Month 9-12:  Module 7 (Recovery Validation) + Module 10 (Red Team)

Path C: The Critical Infrastructure Organization

Month 1-2:   Module 8 (OT Security Assessment)
              ↓ Discovers IT/OT identity and recovery gaps
Month 2-3:   Module 6 (On-Premise AD) + Module 2 (Identity Security)
Month 4-5:   Module 7 (Recovery & Resilience)
              ↓ Validates black start, DR procedures
Month 6-9:   Module 1 (Endpoint Management) + Module 3 (M365 Hardening)
Month 10-12: Module 10 (Red Team with OT scope)

Path D: The "Not in Control" Organization

Month 1-3:   Module 11 (Embedded Quality & Process Assurance)
              ↓ Discovers that tools are underutilized because processes are broken
Month 3-5:   Module 12 (Blue/Purple Team Foundation)
              ↓ Builds operating rhythm for existing security stack
Month 5-7:   Module 2 (Identity Security) + Module 3 (M365 Hardening)
              ↓ Technical fixes now stick because processes support them
Month 8-12:  Module 10 (Red Team) + continuous improvement retainer

Path E: The "Mythos / AI Vulnerability Panic" Organization

Week 1-2:    AI-assisted TVM Baseline Sprint
              ↓ Discovers actual exploitable attack surface; beats adversary AI to first move
Month 1-2:   Module 1 (Endpoint Management) + Module 2 (Identity Security)
              ↓ Closes the highest-risk doors while AI TVM operationalizes
Month 2-3:   Module 3 (M365 Security Hardening) + AI TVM operationalization
              ↓ Automated remediation pipeline; <48h critical CVE response
Month 3-6:   Module 12 (Blue/Purple Team) + continuous AI TVM improvement
              ↓ Purple team validates that open vulnerabilities are detected and contained

Pricing and Engagement Structure

Fixed-Scope Modules

Each module is sold with:

  • Fixed price (or fixed daily rate with capped days)
  • Fixed duration (hard stop)
  • Defined deliverables (checklist)
  • Go/no-go gate before any expansion

Example module statement of work:

Module: Endpoint Management Foundation
Duration: 30 business days
Investment: €[X]
Deliverables:
  [ ] Device inventory: 100% of corporate devices identified
  [ ] Enrollment: 90%+ of corporate devices managed
  [ ] Compliance baseline: encryption, OS version, password policy deployed
  [ ] Application inventory: shadow IT report delivered
  [ ] Conditional access: compliant device required for M365
  [ ] Training: client admin team operational
  [ ] Handover: runbooks and monitoring dashboard

Go/No-Go Gate: Day 30 steering committee
  → If value demonstrated: propose Module 2 (Identity Security)
  → If value not demonstrated: engagement concludes with findings report

Module Bundles (Optional)

For clients ready to commit to a multi-module journey, offer discounted bundles:

| Bundle | Modules | Discount | Typical Timeline |
| --- | --- | --- | --- |
| M365 Foundation | 1 + 2 + 3 | 10% | 90-120 days |
| M365 Secure | 1 + 2 + 3 + 4 + 5 | 15% | 180 days |
| Hybrid Hardening | 1 + 2 + 3 + 6 + 7 | 15% | 180 days |
| Critical Infrastructure | 1 + 2 + 6 + 7 + 8 + 10 | 20% | 270 days |
| Capability Building | 11 + 12 + 2 + 3 | 15% | 180 days |
| MSSP Optimization | Retained Capability Audit + 12 + 10 | 15% | 120-180 days |
| AI TVM Sprint | AI-assisted TVM + 1 + 2 + 3 | 15% | 90-120 days |

The rule: Bundles are discounted but still phase-gated. Each module has its own go/no-go. The client can pause or stop after any module.


Sales Enablement

The Modular Pitch

"We do not sell one-size-fits-all transformation programs. We sell specific, bounded modules that solve specific problems. You can start with any module—whichever pain is keeping you awake at night. Each module delivers measurable value in 30-60 days. If you like the results, we add the next module. If you do not, we stop. No long-term commitment. No sunk cost. Just building blocks that make your organization stronger."

The Discovery Question Sequence

  1. "What is the shortest path to a business-ending incident here?" (Identifies kill chain)
  2. "Which of your security investments are you least sure about?" (Identifies untapped tooling)
  3. "If you could fix one thing in the next 60 days, what would it be?" (Identifies module selection)
  4. "What have you tried before that did not work?" (Avoids repeating failures)
  5. "What would make you confident enough to expand to the next phase?" (Defines go/no-go criteria)

Integration With Existing Frameworks

| Document | Integration |
| --- | --- |
| Rapid Modernisation Plan | Each module maps to one or more rapid modernisation phases |
| Business Case Template | Modular pricing structure; per-module ROI |
| C-Suite Conversation Guide | Modular pitching scripts and objection handling |
| M365 Antifragile Project | Modules 1-5 map directly to M365 project workstreams |
| Antifragile Risk Register | Each module closes a defined risk category |

For the full 180-day rapid modernisation plan, see Rapid Modernisation Plan. For module-specific tactical guidance, see the linked playbooks in each module description.