antifragile/antifragile-consulting/playbooks/sovereign-tool-stack.md

The Sovereign Tool Stack: Open-Source Arsenal for Antifragile Consulting

"We do not sell software. We operate a laboratory. Every tool in our stack is either open-source, client-owned, or built by us. The result is intelligence that no vendor can replicate because it is tuned to your specific environment."

This document provides the complete capability map for our consulting practice: the tools we deploy, why we chose them, how they integrate, and what gaps remain. It is designed for three audiences:

1. Clients who want to understand what we bring to an engagement
2. Consultants who need to select the right tool for the right module
3. Our own product team who are building ASTRAL and AOC to close the M365-native gap

---

The Philosophy: Sovereign Means Inspectable

Vendor Black Box	Sovereign Tool
Proprietary detection logic you cannot audit	Open-source code you can read, modify, and extend
Data exfiltrated to vendor cloud	Data stays in your infrastructure or ours
Vendor-defined scan scope and cadence	You control what is scanned, when, and how deeply
Generic report templates	Custom outputs tuned to your compliance and risk language
Per-asset licensing that scales poorly	Free or built-by-us; economics favour the client

The executive framing:

"Tenable is a rented microscope. Our stack is a laboratory. We can ask questions that Tenable never thought to ask because we own the queries, the data, and the integration logic. When we find a gap, we do not open a support ticket. We write a detection rule, a query, or a script—and it is yours forever."

---

Our Current Arsenal

Cloud Posture and Compliance

Prowler

Attribute	Detail
What it does	Multi-cloud security auditing for AWS, Azure, and GCP. 300+ checks against CIS benchmarks, PCI-DSS, ISO 27001, GDPR, and HIPAA.
Why we use it	It is the most mature open-source CSPM. One tool covers all three major clouds. Output is JSON/CSV/HTML—easy to feed into our reporting pipeline.
Antifragile pillar	Sovereign Intelligence, Stress-to-Signal Conversion
Engagement modules	Module 3 (M365 Security Hardening) for Azure; Module 8 (OT Security Assessment) for cloud-connected OT; any cloud-native client
Typical output	Executive dashboard: "247 findings across 12 services; 23 critical; 5 are internet-facing misconfigurations"
Integration	Output feeds into AI-assisted TVM prioritization and CISO Assistant compliance tracking

The conversation:

"Prowler audited your AWS estate in 45 minutes and found an S3 bucket with public read access containing backup files. That is not a theoretical risk. That is a data breach waiting for a journalist. We fixed it in 10 minutes. No vendor invoice."

---

Active Directory Attack Path Analysis

BloodHound

Attribute	Detail
What it does	Maps Active Directory attack paths using graph theory. Shows how an attacker moves from a compromised standard user to Domain Admin in your specific environment.
Why we use it	No commercial tool visualises AD trust relationships and permission chains as clearly. It turns abstract identity risk into a navigable map.
Antifragile pillar	Structural Decoupling, Sovereign Intelligence
Engagement modules	Module 6 (On-Premise AD Hardening); Module 10 (Red Team & Validation); kill chain assessments
Typical output	"There are 4,217 paths from standard users to Domain Admin. The shortest is 3 hops via an overprivileged service account. Here is the exact account, the exact permission, and the exact remediation."
Integration	Findings feed into T0 Asset Framework classification and remediation prioritisation

The conversation:

"Your AD has been growing for 15 years. Nobody remembers why the payroll service account has Replicating Directory Changes permissions. BloodHound remembers. It found 4,217 paths from a standard user to Domain Admin. The shortest is three hops. We are not guessing about AD security anymore."

---

Active Directory Security Assessment

Purple Knight / Forest Druid

Attribute	Detail
What it does	Automated AD security assessment against known vulnerability classes: credential exposure, privileged access gaps, replication security, Kerberos weaknesses, and LDAP/S channel hardening.
Why we use it	Purple Knight (Semperis) and Forest Druid provide rapid, scriptable AD health checks that complement BloodHound's graph analysis with rule-based security scoring. Forest Druid extends coverage to hybrid Entra ID configurations.
Antifragile pillar	Stress-to-Signal Conversion, Optionality Preservation
Engagement modules	Module 6 (On-Premise AD Hardening); Module 12 (Blue/Purple Team Foundation); diagnostic week 1 kill chain assessments
Typical output	AD security score with pass/fail against 50+ indicators; immediate remediation guidance for failed checks
Integration	Scores feed into antifragile risk register; trended across quarterly retests

The conversation:

"Purple Knight scanned your AD forest in 20 minutes and scored 62 out of 100. The failures were not exotic: default LDAP signing disabled, KRBTGT password older than 180 days, and 14 service accounts with SPNs vulnerable to Kerberoasting. These are fixable in a week. Here is the priority order."

---

Governance, Risk, and Compliance

CISO Assistant

Attribute	Detail
What it does	Open-source GRC platform for compliance mapping, risk register management, control evidence collection, and audit readiness tracking.
Why we use it	It replaces €50,000/year GRC platforms with a sovereign alternative. Maps controls to multiple frameworks simultaneously (ISO 27001, NIS2, DORA, SOC 2).
Antifragile pillar	Sovereign Intelligence, Asymmetric Payoff Design
Engagement modules	Module 4 (Data Governance); Module 11 (Embedded Quality); all compliance-driven clients
Typical output	Live compliance dashboard: "DORA Article 12: 14 of 17 controls evidence-complete; 3 gaps assigned to owners with due dates"
Integration	Pulls findings from Prowler, osquery, BloodHound, and AOC into unified evidence packages

The conversation:

"Your auditor wants evidence that you monitor privileged access. CISO Assistant links the BloodHound scan, the Purple Knight score, the AOC admin activity report, and the osquery listening-ports query into a single evidence package for DORA Article 8. No scrambling for screenshots the night before the audit."

---

M365 Backup and Change Management

ASTRAL (Our Platform)

Attribute	Detail
What it does	Intelligent backup, configuration drift detection, and change management for Microsoft Intune, Entra ID, and M365 tenant configurations. Captures baseline state, detects unauthorised or accidental changes, and enables rapid rollback.
Why we built it	No existing tool treats M365 configuration as code. A tenant with 500 conditional access policies, 200 Intune profiles, and 50 compliance policies is unmanageable without version control and drift detection. ASTRAL provides GitOps for M365.
Antifragile pillar	Structural Decoupling, Stress-to-Signal Conversion
Engagement modules	Module 1 (Endpoint Management); Module 2 (Identity Security); Module 3 (M365 Security Hardening); retained capability engagements
Typical output	"Configuration drift detected: 3 conditional access policies modified outside change window; 1 Intune profile deleted; all changes attributable to [admin account]; rollback initiated automatically"
Integration	Feeds change logs into AOC for audit intelligence; exports configuration state to CISO Assistant for compliance evidence

The conversation:

"Your M365 tenant has 400 configuration objects and no version control. When an admin accidentally deletes a conditional access policy at 2 AM, you discover it 6 hours later because users are complaining. ASTRAL detects the deletion in 60 seconds, attributes it to the specific admin session, and offers one-click rollback. This is not backup. This is configuration immunity."

---

M365 Audit Log Intelligence

AOC — Admin Operations Center (Our Platform)

Attribute	Detail
What it does	Correlates Microsoft 365 Unified Audit Log, Entra ID sign-in logs, and Intune operational logs into actionable intelligence. Detects anomalous admin behaviour, privilege escalation, shadow IT creation, and data exfiltration patterns.
Why we built it	The native M365 audit log is a firehose: 10,000+ events per day in a typical tenant, searchable only via slow PowerShell or expensive Sentinel. AOC extracts the 50 events that matter and enriches them with identity context, device state, and business impact.
Antifragile pillar	Sovereign Intelligence, Stress-to-Signal Conversion
Engagement modules	Module 12 (Blue/Purple Team Foundation); retained capability (Detection Engineering); all M365 hardening engagements
Typical output	Daily brief: "3 anomalous events flagged: Global Admin [X] added external user at 03:14; Exchange Admin [Y] exported 12,000 mailboxes; Service Principal [Z] granted Mail.Read to unverified publisher. All require validation within 4 hours."
Integration	Receives alerts from osquery/FleetDM, Wazuh, and Prowler; pushes cases to CISO Assistant for risk register tracking; enriches AI-assisted TVM with insider-threat context

The conversation:

"Microsoft gives you the audit log. They do not give you the story. AOC reads 50,000 events per night and tells you the three that need human attention: an admin added an external user at 3 AM, another exported 12,000 mailboxes, and a service principal granted Mail.Read to an unverified app. These are not false positives. These are the events that precede breaches."

---

The Stack Architecture

┌─────────────────────────────────────────────────────────────────────────┐
│                         EXECUTIVE DASHBOARD                              │
│  (CISO Assistant + AI synthesis → board-ready risk and compliance view)  │
└─────────────────────────────────────────────────────────────────────────┘
                                    ▲
    ┌───────────────┬───────────────┼───────────────┬───────────────┐
    ▼               ▼               ▼               ▼               ▼
┌─────────┐   ┌─────────┐   ┌─────────┐   ┌─────────┐   ┌─────────┐
│ Prowler │   │BloodHound│   │ ASTRAL  │   │  AOC    │   │ osquery │
│(Cloud)  │   │  (AD)   │   │ (M365)  │   │(Audit)  │   │(Endpoint)│
└────┬────┘   └────┬────┘   └────┬────┘   └────┬────┘   └────┬────┘
     │             │             │             │             │
     └─────────────┴─────────────┴─────────────┴─────────────┘
                                   ▼
                    ┌─────────────────────────┐
                    │  AI-Assisted TVM Engine  │
                    │  (Prioritisation +       │
                    │   remediation scripts)    │
                    └─────────────────────────┘
                                   ▼
                    ┌─────────────────────────┐
                    │  Purple Team Validation  │
                    │  (Did the fix work?      │
                    │   Can we still exploit?)  │
                    └─────────────────────────┘

Data flow:

1. Discovery layer (Prowler, BloodHound, osquery, ASTRAL) collects raw security state
2. Intelligence layer (AOC, AI-assisted TVM) correlates, enriches, and prioritises
3. Governance layer (CISO Assistant) maps findings to compliance frameworks and tracks remediation
4. Validation layer (Purple Knight, Forest Druid, purple team exercises) proves fixes work

---

Gap Analysis: What We Recommend Adding

Our current stack covers cloud posture, AD security, GRC, M365 configuration, and endpoint audit intelligence. Here are the gaps and our recommended closes:

Gap 1: Endpoint Detection and Response (EDR) — The Visibility Gap

Current state: osquery provides structured endpoint inventory and compliance. AOC ingests M365 audit logs. What is missing is real-time behavioural detection on the endpoint itself.

Recommended close: Wazuh + Sysmon (open-source EDR stack)

Why Wazuh	Why Sysmon
Centralised SIEM/XDR with 5,000+ detection rules	Windows endpoint telemetry at kernel level
Agent-based or agentless deployment	Maps directly to MITRE ATT&CK
Native integration with Threat Intel (MISP, VirusTotal)	Free, mature, extensively documented
Scales to 100,000+ endpoints	Outputs to any SIEM via standard formats

Deployment model: Wazuh server in client infrastructure (or ours as managed service); Sysmon on all Windows endpoints with SwiftOnSecurity config; Linux agents via Wazuh native agent. Cost: infrastructure only.

When to deploy: Module 1 (Endpoint Management) for E3 clients lacking Defender for Endpoint P2; Module 12 (Blue/Purple Team) as the detection engineering foundation.

---

Gap 2: Security Orchestration and Automated Response (SOAR) — The Response Gap

Current state: AOC detects anomalous admin behaviour. ASTRAL detects configuration drift. What is missing is automated response: disabling a compromised account, isolating a device, or revoking an OAuth grant at machine speed.

Recommended close: Shuffle (open-source SOAR)

Why Shuffle
Visual workflow builder (no code required for simple playbooks)
Native integrations with M365, Entra ID, Wazuh, TheHive, Slack
Self-hosted: data never leaves client infrastructure
Replaces €100,000+/year commercial SOAR platforms

Example playbook: AOC detects impossible-travel sign-in → Shuffle disables account → ASTRAL revokes all active sessions → Slack alerts SOC → CISO Assistant logs incident → Ticket created in client ITSM.

When to deploy: Module 12 (Blue/Purple Team Foundation); retained capability engagements.

---

Gap 3: Incident Response Case Management — The Coordination Gap

Current state: Findings are scattered across Prowler, BloodHound, AOC, and osquery. What is missing is a single case management system that tracks incidents from detection through remediation to post-mortem.

Recommended close: TheHive + Cortex (open-source SOC case management)

Why TheHive	Why Cortex
Case management with IOC tracking, task assignment, and timeline	Automated analysis of observables: hashes, IPs, domains, files
Native MISP integration for threat intel correlation	30+ analyzers (VirusTotal, AbuseIPDB, URLhaus, etc.)
Metrics dashboard: MTTR, case volume, analyst workload	Free, extensible, community-maintained

When to deploy: Module 12 (Blue/Purple Team Foundation); retained capability ( Detection Engineering).

---

Gap 4: Cloud Asset and Dependency Mapping — The Context Gap

Current state: Prowler finds misconfigurations. BloodHound maps AD attack paths. What is missing is a unified map of how cloud resources connect to each other and to on-premise assets.

Recommended close: Cartography (by Lyft, open-source)

Why Cartography
Neo4j-based graph of AWS, GCP, Azure, and GitHub assets
Shows dependency chains: compromised IAM role → S3 bucket → Lambda → RDS
Complements BloodHound: BloodHound maps identity; Cartography maps infrastructure
Free, queryable via Cypher (same language as BloodHound)

When to deploy: Module 3 (M365 Security Hardening) for Azure environments; Module 5 (AI Sovereignty Bridge) for infrastructure mapping.

---

Gap 5: Container and Supply Chain Security — The Modernisation Gap

Current state: Our vulnerability discovery covers servers and endpoints. What is missing is native container image scanning, SBOM generation, and supply chain integrity verification.

Recommended close: Syft + Grype + Trivy

Tool	Role
Syft	Generate SBOMs from container images, filesystems, and archives
Grype	Scan SBOMs against NVD and vendor advisory databases
Trivy	Comprehensive scanner: OS packages, language dependencies, IaC misconfigs, secrets

Already in repository: See Zero-Budget Vulnerability Discovery for the Syft → Grype pipeline.

When to deploy: Any client with containerised workloads; Module 9 (Organisational Resilience) for CI/CD security gates.

---

Gap 6: Network Traffic Analysis — The Blind Spot Gap

Current state: We see endpoint state (osquery) and cloud configurations (Prowler). What is missing is visibility into network traffic: lateral movement, C2 beacons, and data exfiltration at the packet level.

Recommended close: Zeek + Suricata

Why Zeek	Why Suricata
Protocol analysis: extracts metadata from HTTP, DNS, TLS, SMB without full packet storage	IDS/IPS with 30,000+ signatures and emerging threat rules
Scales to 10 Gbps+ on commodity hardware	Can drop malicious traffic inline (IPS mode)
Output is structured JSON—easy to feed into Wazuh or AOC	Native file extraction and malware detection

When to deploy: Module 8 (OT Security Assessment) for industrial network segmentation validation; Module 12 (Blue/Purple Team) for detection engineering.

---

Complete Capability Matrix

Capability	Our Tool	Open-Source Alternative	Commercial Equivalent	When to Recommend
Cloud posture management	Prowler	ScoutSuite, CloudSploit	Prisma Cloud, Wiz, Orca	Every cloud environment; first sweep
AD attack path analysis	BloodHound	— (none comparable)	—	Every on-premise or hybrid AD
AD security assessment	Purple Knight / Forest Druid	PingCastle, ADRecon	Semperis Directory Services Protector	AD hardening engagements
GRC and compliance	CISO Assistant	OpenGRC, SimpleRisk	ServiceNow GRC, RSA Archer	DORA, NIS2, SOC 2 clients
M365 backup/change mgmt	ASTRAL	— (no open-source equivalent)	Veeam, AvePoint, SkyKick	All M365 clients; retained capability
M365 audit intelligence	AOC	— (no open-source equivalent)	Microsoft Sentinel, ManageEngine	All M365 clients; SOC co-management
Endpoint inventory	osquery + FleetDM	Wazuh (limited), Zentral	Tenable, Qualys	50-5,000 endpoints; sovereign preference
Endpoint detection (EDR)	Wazuh + Sysmon	—	CrowdStrike, SentinelOne, Defender P2	E3 clients without Defender P2; air-gapped environments
SIEM / log aggregation	Wazuh	Graylog, Grafana Loki, ELK	Splunk, Sentinel, QRadar	All environments needing centralised alerting
SOAR / automation	Shuffle	—	Palo Alto XSOAR, Splunk SOAR	SOC operationalisation; retained capability
SOC case management	TheHive + Cortex	—	ServiceNow SecOps, D3	Blue/purple team foundation; MSSP co-management
Container security	Syft + Grype + Trivy	Clair, Anchore	Snyk, Aqua	Containerised workloads; DevSecOps
Network analysis	Zeek + Suricata	—	Corelight, Darktrace	OT environments; high-sensitivity networks
Cloud asset mapping	Cartography	CloudQuery	Lucidscale, Faddom	Complex multi-cloud; incident response
Perimeter scanning	Nuclei + Amass + Naabu	OpenVAS, Greenbone	Tenable.asm, Cortex Xpanse	External attack surface management
Vulnerability discovery	osquery + Grype	OpenVAS, Nessus Essentials	Tenable, Qualys	Zero-budget first sweep; continuous monitoring

---

Per-Module Tool Pairing

Module 1: Endpoint Management Foundation

Primary: ASTRAL (Intune configuration backup and drift detection) + osquery/FleetDM (endpoint inventory) Augmentation: Wazuh + Sysmon (for E3 clients without Defender P2)

Module 2: M365 Identity Security

Primary: AOC (audit log intelligence) + BloodHound (hybrid identity attack paths) Augmentation: Purple Knight (AD security baseline)

Module 3: M365 Security Hardening

Primary: ASTRAL (configuration state) + Prowler (Azure posture) Augmentation: AOC (continuous monitoring of security control changes)

Module 6: On-Premise AD Hardening

Primary: BloodHound + Purple Knight / Forest Druid Augmentation: osquery (endpoint state of domain controllers)

Module 10: Red Team & Validation

Primary: BloodHound (attack path validation) + Nuclei (external validation) Augmentation: Zeek + Suricata (detect red team activity from blue team perspective)

Module 12: Blue/Purple Team Foundation

Primary: Wazuh + Sysmon + TheHive + Cortex + Shuffle Augmentation: AOC (M365-specific detections) + osquery (endpoint telemetry)

Retained Capability: Detection Engineering

Primary: Wazuh (rule authoring) + AOC (M365 detections) + Shuffle (response playbooks) Augmentation: Zeek + Suricata (network detection rules)

---

Deployment Complexity

Tool	Time to First Value	Infrastructure Required	Expertise Required	Client Data Sensitivity
Prowler	1 hour	None (runs from consultant laptop)	Low	Low (read-only API)
BloodHound	2 hours	None (collector + laptop)	Medium	Medium (AD enumeration)
Purple Knight	30 minutes	None	Low	Medium (AD scan)
CISO Assistant	1 day	Docker host or VM	Low	Low-Medium (compliance data)
ASTRAL	2 hours	SaaS or client-hosted	Low	High (M365 configuration)
AOC	4 hours	SaaS or client-hosted	Medium	High (audit logs, identity data)
osquery + FleetDM	4 hours	FleetDM server + agents	Medium	High (endpoint data)
Wazuh + Sysmon	1 day	Wazuh server + agents	Medium	High (endpoint + network data)
Shuffle	4 hours	Docker host	Medium	High (SOAR playbooks)
TheHive + Cortex	4 hours	Docker host	Medium	High (case data)
Syft + Grype	1 hour	None	Low	Low (container metadata)
Zeek + Suricata	1 day	Network tap or SPAN port	High	High (network traffic)
Cartography	4 hours	Neo4j + AWS/GCP/Azure APIs	Medium	Medium (cloud metadata)

---

The Honest Limitations

What Our Stack Does Well	What It Cannot Do
Provides complete visibility without vendor lock-in	Requires more expertise to deploy and maintain than commercial SaaS
Costs a fraction of commercial equivalents	Does not come with 24/7 vendor support (we provide that)
Customisable to client-specific needs	Customisation takes time; commercial tools are faster to deploy out-of-the-box
Data sovereignty by default	Some clients' procurement departments prefer vendor-backed solutions for audit comfort
Integrates across tools via open APIs	Integration requires engineering; commercial suites are pre-integrated

The framing:

"Our stack is not for everyone. If you want a dashboard that takes 15 minutes to deploy and requires no expertise, buy CrowdStrike. If you want intelligence that answers questions no vendor thought to ask, and you want to own that intelligence forever, our stack is the right choice. We provide the expertise so you do not need to hire it."

---

Integration With Existing Frameworks

Document	Integration
Zero-Budget Vulnerability Discovery	Syft + Grype container pipeline; osquery endpoint discovery; Prowler cloud-native discovery
AI-Assisted TVM Blueprint	All discovery tools feed the AI prioritisation engine; AOC provides insider-threat context
Perimeter Scanning Capability	Nuclei + Amass + Naabu form the open-source active scanning layer; Prowler covers cloud perimeter
Osquery: The Sovereign Discovery Platform	osquery + FleetDM is the endpoint discovery layer; Wazuh extends to behavioural detection
Blue/Purple Team Foundation	Wazuh + TheHive + Cortex + Shuffle form the open-source SOC stack; AOC adds M365-specific detection
Retained Capability	Detection Engineering retained capability is built on Wazuh + AOC + Shuffle; Threat Context on TheHive + Cortex
Modular Engagements	Each module has a recommended tool pairing in the matrix above

---

For the cloud-native vulnerability discovery methods, see Zero-Budget Vulnerability Discovery. For the endpoint discovery platform, see Osquery: The Sovereign Discovery Platform. For the AI prioritisation layer that consumes these tools' output, see AI-Assisted TVM Blueprint. For the organisational model that operates this stack, see Retained Capability.