antifragile/antifragile-consulting/core/modular-engagements.md
Claude Sonnet 4.6 3062e435ca chore: Full consistency scan — AOC->PULSAR, fix training-data claims, fix 90% claim
AOC -> PULSAR across 10 files (engagement-model, retained-capability,
modular-engagements, blue-purple-team-foundation, about-cqre, about-cqre-cs,
consultant-field-guide, ai-assisted-tvm, m365-e3-hardening,
sovereign-tool-stack, risk-register-example).

Training-data framing corrected in:
- executive-summary.md: opening paragraph and risk table
- README.md: 90% solution claim -> 30-60% in 180 days
- modular-engagements.md: public API data use claim
- cis-controls-mapping.md: data protection framing
- antifragile-risk-register.md: risk entry softened to accurate framing
- azure-openai-sovereignty-bridge.md: consumer vs enterprise API distinction

Co-Authored-By: Tom Kracmar <tom+claude@cat6.cz>
2026-06-05 07:05:13 +00:00


Modular Engagement Architecture

"Not every client is ready for the full journey. Some need to solve one burning problem first. The antifragile approach is architected so that every module stands alone—and every module makes the next one easier."

This document defines the antifragile consulting portfolio as a menu of independent, self-contained modules. Clients can purchase any module without committing to the full 180-day program. Each module delivers measurable value, produces transferable assets, and creates natural appetite for the next phase.


The Philosophy: Progressive Resilience

We do not sell monolithic transformation projects. We sell building blocks that stack.

| Approach | Traditional Consulting | Antifragile Modular |
|---|---|---|
| Sales motion | Sell a 12-month program or nothing | Sell a 30-day module; expand based on proven value |
| Client commitment | All-in or walk away | Start where the pain is highest |
| Risk to client | High (unknown ROI until month 6+) | Low (measurable value in 30 days) |
| Risk to consultant | High (scope creep, payment delays) | Low (bounded scope, phase-gated payment) |
| Political capital | Consumed defending the program | Generated by visible early wins |

The rule: Every module must be sellable on its own, deliverable in 90 days or less, and must produce evidence that the next module is warranted.


The Module Menu

Module 1: Endpoint Management Foundation

The Entry Vector. The Most Common Starting Point.

| Attribute | Detail |
|---|---|
| Typical duration | 30-45 days |
| Typical investment | Low (labor only; Intune included in E3) |
| Prerequisites | M365 E3 or higher; Azure AD tenant |
| Standalone value | Full device visibility; compliance enforcement; remote management capability |
| Typical client | Remote-first organization; SCCM retiree; compliance-driven; Intune shelfware |

What is delivered:

  • Device inventory and enrollment campaign (Windows, macOS, iOS, Android)
  • Compliance baseline: encryption, OS version, password policy, firewall
  • Application inventory and shadow IT discovery
  • Basic conditional access integration (compliant device required for M365 access)
  • ASTRAL deployment for Intune configuration backup and drift detection
  • Admin training and operational handover

Executive pitch:

"Your devices are in home offices, airports, and coffee shops. In 30 days, we will know exactly what you have, whether it is secure, and how to fix what is not. This is not surveillance. It is ensuring that only healthy devices access your data—wherever they are."

Natural next modules: Module 2 (Identity Security), Module 5 (AI Sovereignty Bridge), Module 6 (On-Premise AD)

See: Endpoint Management Entry Vector


Module 2: M365 Identity Security

The Foundation of Everything. The Most Undervalued Module.

| Attribute | Detail |
|---|---|
| Typical duration | 30-60 days |
| Typical investment | Low to medium (labor; E5/P2 licensing upgrade may be recommended selectively) |
| Prerequisites | M365 tenant (E3 minimum); administrative access |
| Standalone value | Elimination of standing privileged access; MFA enforcement; legacy auth blocked; guest access governed |
| Typical client | Post-breach hardening; auditor findings; rapid growth with identity debt; privileged account compromise |

What is delivered:

  • Full identity census: human accounts, service accounts, guests, enterprise apps
  • CA policy register (CAExporter export): readable documentation of every Conditional Access policy before any changes are made
  • MFA enforcement for 100% of users (conditional access with MFA for E3; risk-based conditional access and PIM for E5)
  • Legacy authentication blocked tenant-wide
  • Privileged access workstation (PAW) architecture for admins
  • PIM deployment (if E5/Entra ID P2) or manual JIT process (if E3)
  • PULSAR deployment for audit log intelligence and anomalous admin detection
  • Guest access audit and time-bounding
  • OAuth consent governance

Executive pitch:

"There are currently [X] administrator accounts in your tenant. If any one of them is compromised, an attacker owns your email, your documents, and your identity system. In 30 days, we reduce that to the minimum viable number, enforce multi-factor authentication, and ensure no admin ever logs in from a workstation with email and browsing."

Natural next modules: Module 3 (M365 Security Hardening), Module 6 (On-Premise AD), Module 7 (Recovery & Resilience)


Module 3: M365 Security Hardening

The E3 Maximization Play. Configuration, Not Procurement.

| Attribute | Detail |
|---|---|
| Typical duration | 30-60 days |
| Typical investment | Low (primarily labor; no new licensing required for E3 clients) |
| Prerequisites | M365 tenant; Module 2 (Identity Security) strongly recommended first |
| Standalone value | EOP tuned to maximum aggression; audit logging operational; Secure Score trending upward; ASR rules (if E5) |
| Typical client | E3 clients with untapped security potential; post-M365-deployment hardening; Secure Score below 50 |

What is delivered:

  • Exchange Online Protection tuning: anti-phishing, anti-malware, anti-spam
  • Mailbox auditing enabled for all users
  • Unified Audit Log enabled and forwarded to SIEM
  • Microsoft Secure Score baseline and improvement plan
  • ASR rule deployment in audit mode (E5) or Defender for Endpoint P1 maximisation (E3)
  • ASTRAL configuration baseline capture for all M365 security policies
  • Windows Defender Firewall and exploit protection baseline
  • LAPS deployment for local admin password randomization

Executive pitch:

"You own E3, which includes enterprise-grade antivirus, email filtering, and audit logging. Most organizations use less than 30% of these capabilities because no one configured them. We turn every available security control to maximum—and prove the improvement with before-and-after metrics. No new software. Just expertise applied to what you already paid for."

Natural next modules: Module 4 (Data Governance), Module 5 (AI Sovereignty Bridge), Module 10 (Red Team & Validation)

See: M365 E3 Hardening, Zero-Budget Hardening, Sovereign Tool Stack


Module 4: Data Governance & Compliance

The Regulatory Survival Module.

| Attribute | Detail |
|---|---|
| Typical duration | 45-90 days |
| Typical investment | Medium (labor; Purview licensing may be required for advanced features) |
| Prerequisites | M365 tenant; Module 3 (Security Hardening) recommended |
| Standalone value | Data classification deployed; retention policies enforced; DLP active; eDiscovery ready; regulatory evidence produced |
| Typical client | Regulated industries (banking, healthcare, critical infrastructure); litigation hold requirements; GDPR/DORA/NIS2 compliance |

What is delivered:

  • Sensitivity label deployment (Public, Internal, Confidential, Highly Confidential)
  • Retention policies for all M365 workloads (email, Teams, SharePoint, OneDrive)
  • Data Loss Prevention (DLP) policies for high-sensitivity data types
  • External sharing lockdown and per-site governance
  • eDiscovery readiness: legal hold procedures, retention hold capability
  • Teams governance: controlled creation, expiration, access reviews
  • SharePoint site provisioning governance

Executive pitch:

"Your auditor does not want to see a policy document. They want to see evidence that sensitive data is classified, that emails are retained according to regulation, and that you can produce documents for legal hold within 48 hours. We build the evidence—not the theater."

Natural next modules: Module 5 (AI Sovereignty Bridge), Module 7 (Recovery & Resilience), Module 10 (Red Team & Validation)


Module 5: AI Sovereignty Bridge

The Strategic Differentiator. The Conversation Starter.

| Attribute | Detail |
|---|---|
| Typical duration | 30-60 days |
| Typical investment | Low to medium (labor; Azure OpenAI consumption; optional local inference hardware) |
| Prerequisites | M365 tenant; Azure subscription; data governance baseline strongly recommended |
| Standalone value | Shadow AI eliminated; sanctioned Azure OpenAI deployed; proprietary data protected; first custom model or RAG pipeline operational |
| Typical client | Organizations using ChatGPT/Claude/Gemini without governance; leadership asking "what is our AI strategy?"; competitors investing in AI |

What is delivered:

  • Shadow AI usage inventory (proxy logs, endpoint scans, surveys)
  • Azure OpenAI Service deployment with private endpoints and customer-managed keys
  • Conditional access policies restricting AI access to approved users and devices
  • Azure AI Foundry pilot: one RAG pipeline or fine-tuned model on proprietary data
  • AI governance policy: approved use cases, prohibited data types, human-in-the-loop requirements
  • User education: why sanctioned AI is safer and often better than public alternatives

Executive pitch:

"Your teams are already using AI—through personal accounts, browser tabs, and mobile apps. Every proprietary document they send to an unmanaged AI service is processed under terms you haven't reviewed, on infrastructure outside your control, with no data residency guarantees. We stop that leakage in two weeks by giving them a better, safer alternative. Then we build your first custom AI asset on data that never leaves your Azure region."

Natural next modules: Module 9 (Organizational Resilience), Module 4 (Data Governance), Module 10 (Red Team & Validation)

See: Azure OpenAI Sovereignty Bridge, AI Sovereignty Framework


Module 6: On-Premise AD & Endpoint Hardening

The Legacy Debt Cleanup. For Organizations with Feet in Both Worlds.

| Attribute | Detail |
|---|---|
| Typical duration | 45-60 days |
| Typical investment | Medium (labor; Sysmon/Wazuh deployment; possible hardware for PAWs) |
| Prerequisites | On-premise Active Directory; administrative access to domain controllers |
| Standalone value | KRBTGT rotated; LAPS deployed; Sysmon operational; privileged access tiered; Azure AD Connect secured |
| Typical client | Hybrid identity environments; SCCM/AD shops; post-Active-Directory-compromise recovery; NIS2-critical infrastructure |

What is delivered:

  • Full AD identity census with orphan and privilege analysis
  • Elysium password audit: weak and compromised credential check across all domain accounts; P0 remediation list for accounts on high-value attack paths
  • KRBTGT password rotation (if > 180 days stale)
  • LAPS deployment to all domain-joined workstations
  • Sysmon deployment with SwiftOnSecurity configuration
  • Privileged Access Workstation (PAW) architecture for Tier 0 admins
  • Azure AD Connect hardening and audit
  • AD FS security review (if present)
  • Windows Defender maximization and firewall hardening

Executive pitch:

"Your Active Directory has been running for fifteen years. It has accounts from employees who left a decade ago, service accounts with passwords that never expire, and administrator accounts that log in from the same laptops used for email and browsing. In 45 days, we clean the foundation—and make it significantly harder for an adversary to gain a foothold."

Natural next modules: Module 2 (Identity Security), Module 7 (Recovery & Resilience), Module 8 (OT Security Assessment)

See: AD and Endpoint Hardening


Module 7: Recovery & Resilience Validation

The Insurance Policy. Prove You Can Rebuild Before You Need To.

| Attribute | Detail |
|---|---|
| Typical duration | 30-45 days |
| Typical investment | Low to medium (labor; third-party backup if not already owned) |
| Prerequisites | Backup solution in place (even if untested); administrative access to critical systems |
| Standalone value | One critical system recovered from backup; runbooks documented; CMDB seeded; quarterly drill cadence established |
| Typical client | Organizations that have never tested recovery; recent ransomware scare; DORA/NIS2 compliance preparation; board demanding evidence |

What is delivered:

  • Backup coverage inventory: what is backed up, how often, where, by what mechanism
  • Recovery drill: one critical system restored to isolated environment with full validation
  • CMDB seeding: T0 and T1 assets documented with owners, dependencies, and recovery requirements
  • Recovery runbooks: documented, tested, and transferable to non-designers
  • Immutable backup validation: ensure backups cannot be deleted by compromised admin accounts
  • Quarterly recovery drill calendar established

Executive pitch:

"Most organizations discover they cannot recover from backup at 3 AM during an active ransomware incident. We discover it in a controlled test during business hours—when we can fix it without pressure. The question is not whether you have backups. The question is whether you have ever proven they work. We prove it."

Natural next modules: Module 10 (Red Team & Validation), Module 8 (OT Security Assessment), Module 3 (M365 Security Hardening)


Module 8: OT Security Assessment

The Critical Infrastructure Module. For Power, Utilities, and Telco.

| Attribute | Detail |
|---|---|
| Typical duration | 45-90 days |
| Typical investment | Medium to high (labor; potential network hardware for segmentation) |
| Prerequisites | OT network access; cooperation from operations and engineering teams |
| Standalone value | IT/OT connection matrix; vendor access audit; manual override procedures validated; NIS2 evidence produced |
| Typical client | Power utilities; water/wastewater; telecommunications; manufacturing with SCADA/DCS |

What is delivered:

  • OT asset inventory: SCADA, DCS, EMS, protection relays, RTUs, AMI
  • IT-to-OT network connection mapping with business justification
  • Vendor remote access audit and time-bounding
  • Network segmentation plan: IT/OT DMZ, unidirectional gateway recommendations
  • Manual override procedure documentation and validation
  • NIS2/CER compliance evidence package
  • Black start / islanding procedure test (power utilities)

Executive pitch:

"Your control room does not need email. Your protection relays do not need internet access. Every connection between IT and OT is a bridge an adversary can cross. We map those bridges, justify the ones that must remain, and eliminate the ones that put physical safety at risk. This is not IT security. This is operational survival."

Natural next modules: Module 6 (On-Premise AD), Module 7 (Recovery & Resilience), Module 10 (Red Team & Validation)

See: Vertical: Power and Utilities, Vertical: Telco


Module 9: Organizational Resilience

The People and Process Module. Fix the Structure, Not Just the Tools.

| Attribute | Detail |
|---|---|
| Typical duration | 60-90 days |
| Typical investment | Medium (labor; no tooling cost) |
| Prerequisites | Executive sponsor with authority; willingness to experiment with team structure |
| Standalone value | One product team with embedded security; shift-left pilot operational; shared metrics proving velocity and security can coexist |
| Typical client | Organizations with siloed Dev/Sec/Ops; slow release cycles blamed on security gates; talent retention problems |

What is delivered:

  • Current-state Dev/Sec/Ops friction mapping
  • Pilot team selection and embedded security engineer placement
  • CI/CD security gate deployment (automated scanning, not manual review)
  • Shared OKR definition: team owns vulnerability count, change failure rate, recovery time
  • Platform team or SRE team architecture (if appropriate)
  • Blameless post-mortem process with structural mandate
  • 90-day metrics report: before-and-after velocity, defect rates, team satisfaction

Executive pitch:

"Your development team ships fast. Your security team says no. Your operations team keeps the lights on. None of them are wrong—but the organizational boundary between them destroys all three goals. We do not reorganize your departments on day one. We embed security into one product team, measure the results, and let the metrics make the case for broader change."

Natural next modules: Module 2 (Identity Security), Module 5 (AI Sovereignty Bridge), Module 10 (Red Team & Validation)

See: Organizational Resilience


Module 10: Red Team & Validation

The Proof Module. Validate Everything You Have Built.

| Attribute | Detail |
|---|---|
| Typical duration | 15-30 days (engagement) + quarterly re-testing |
| Typical investment | Medium to high (external red team; internal coordination) |
| Prerequisites | At least one other module deployed; operational incident response capability |
| Standalone value | Independent validation of security posture; kill chain identification; board-ready evidence |
| Typical client | Regulated industries requiring annual penetration testing; post-transformation validation; boards demanding proof |

What is delivered:

  • Scoping and rules of engagement (aligned to DORA TLPT or CIS requirements)
  • Adversarial simulation: external reconnaissance, initial access, lateral movement, impact
  • M365-specific attack paths: BEC, OAuth consent abuse, conditional access bypass attempts
  • OT-bounded red team (for critical infrastructure clients)
  • Report with kill chain analysis and prioritized remediation
  • Board presentation: findings, risk quantification, and evidence of control effectiveness
  • Quarterly purple team exercises (optional retainer)

Executive pitch:

"You have invested in security controls. But controls that have not been tested are assumptions, not facts. A red team exercise is a controlled failure that proves whether your defenses work before a real adversary tests them. The board receives independent evidence—not consultant promises."

Natural next modules: Any module where gaps were identified; typically cycles back to hardening modules.


Module 11: Embedded Quality & Process Assurance

The Presence Module. For Leaders Who Feel They Are Not in Control.

| Attribute | Detail |
|---|---|
| Typical duration | 60-90 days (12 weeks embedded) |
| Typical investment | Medium (labor; no tooling cost) |
| Prerequisites | Executive sponsor; team willing to be observed; tolerance for process change |
| Standalone value | Repeatable processes; accurate documentation; team confidence; friction reduction |
| Typical client | Heads of Security or Operations who say "we don't feel in control"; project teams behind schedule; teams with tool-shelfware |

What is delivered:

  • Immersion report: formal vs. actual process map; invisible risks identified
  • Friction reduction: fast wins that reduce daily pain and vulnerability
  • Capability handover: team-owned documentation, self-assessment checklists, metrics dashboard
  • Validation: team operates independently for one week; consultant steps back to advisory

Executive pitch:

"You have capable people, but the gap between what is documented and what is actually happening has grown too wide. I do not audit you. I join your team for 12 weeks, observe the reality of daily work, and help you close that gap. You will have repeatable processes, accurate documentation, and a team that trusts its own capability."

Natural next modules: Module 9 (Organizational Resilience), Module 12 (Blue/Purple Team Foundation), Module 3 (M365 Security Hardening)

See: Embedded Quality & Process Assurance


Module 12: Blue / Purple Team Foundation

The Capability Module. From Tool Ownership to Operational Defense.

| Attribute | Detail |
|---|---|
| Typical duration | 60-90 days |
| Typical investment | Medium (labor; leverages existing Microsoft security stack) |
| Prerequisites | An operational EDR — Microsoft Defender E5, CrowdStrike, SentinelOne, or open-source Wazuh+Sysmon (see Sovereign Tool Stack for the zero-cost path); at least one security analyst; willingness to learn |
| Standalone value | Operating rhythm for SOC; first guided threat hunt; purple team charter; 12-month capability roadmap |
| Typical client | Organizations that own E5/Defender/Sentinel but underutilize them; SOC drowning in noise; no hunt discipline; red and blue teams do not collaborate |

What is delivered:

  • Capability audit: maturity assessment of detection, response, hunting, and metrics
  • Operating rhythm: weekly Secure Score reviews, alert triage playbooks, automated enrichment
  • First guided threat hunt: hypothesis-driven search with documented methodology
  • Purple team exercise: collaborative attack/defence simulation with detection gap analysis
  • 12-month roadmap: prioritized capability improvements with resource requirements

Executive pitch:

"You have a Ferrari-grade security stack and drive it like a rental car. The tools are not the problem—the team's ability to use them is. I help you build the weekly cadence, the hunt discipline, and the purple team culture that turns telemetry into action. In 12 weeks, your team owns the capability, not just the licenses."

Natural next modules: Module 10 (Red Team & Validation), Module 3 (M365 Security Hardening), Module 7 (Recovery & Resilience)

See: Blue/Purple Team Foundation

Also see: Retained Capability for the MSSP co-management and detection engineering model.


Module 13: Privileged Access Architecture

The Access Control Module. Replace VPN Sprawl With a Two-Layer Architecture.

| Attribute | Detail |
|---|---|
| Typical duration | 30-60 days |
| Typical investment | Low to medium (labor; Teleport CE is free for qualifying clients; Tailscale is per-user commercial) |
| Prerequisites | Administrative access to network infrastructure; identity provider (Entra ID, Okta, Google, or any OIDC provider) |
| Standalone value | Legacy VPN replaced or supplemented; privileged access recorded; vendor access time-bounded and auditable |
| Typical client | Any organisation with legacy VPN sprawl; OT clients with uncontrolled vendor remote access; post-breach clients needing access hardening |

What is delivered:

  • Access architecture design: which layer handles network access, which handles protocol-aware PAM
  • Teleport CE or Enterprise deployment (SSH, RDP, Kubernetes, database proxying; session recording; JIT access)
  • Tailscale or Headscale + WireGuard deployment (network-level mesh access)
  • Access policy design: who reaches what, when, recorded how
  • Vendor access governance: time-bounded, request-approve-record workflow for all third-party access
  • Admin training and operational handover

Executive pitch:

"Your VPN gives everyone on it access to everything behind it. Your vendor credentials have not been rotated in two years. Your admins log into production servers from laptops they also use for email. In 30 days, we replace that with a system where every access request is approved, every session is recorded, and every credential expires the moment it is no longer needed. Your auditor will be able to watch a video of every administrative action ever taken on every critical server."

Natural next modules: Module 2 (Identity Security), Module 6 (On-Premise AD), Module 8 (OT Security)

See: Privileged Access Architecture


Module 14: Sovereign Communications

The Resilience Module. Communication That Survives an Incident.

| Attribute | Detail |
|---|---|
| Typical duration | 1-5 days (Delta Chat chatmail); 2-10 days (Matrix/Element) |
| Typical investment | Very low (€5-10/month infrastructure for Delta Chat chatmail relay; labor minimal) |
| Prerequisites | None — this module has no technical prerequisites |
| Standalone value | An operational out-of-band communication channel independent from corporate IT; tested and documented in the incident response plan |
| Typical client | Any organisation whose incident response plan assumes Teams or email will be available; OT/utilities/telco operators; organisations with recent breaches or near-misses |

What is delivered:

Tier 1 — Delta Chat (always delivered):

  • Chatmail relay deployed on independent cloud infrastructure (10 minutes; €5-10/month)
  • Key personnel enrolled: incident response team, executives, OT operators (as applicable)
  • Out-of-band channel documented in incident response runbooks
  • Crisis channel tested with a simulated incident

Tier 2 — Matrix/Element (if full platform warranted):

  • Synapse server deployed (CQRE-managed or client on-premises)
  • SSO integration (Entra ID, Okta, Google Workspace)
  • Persistent rooms configured for operational teams, incident response, management
  • Migration guide for users moving from Teams/Slack

Executive pitch:

"Your incident response plan says to use Teams. Teams runs on Microsoft's infrastructure, authenticated by your Active Directory, connected through your network. If any of those three things are the incident, your response channel is gone too. We deploy a €7/month server today — it takes ten minutes — that gives your entire response team an encrypted channel on their personal phones, completely independent from everything else you run. This is the cheapest, fastest risk reduction in this entire engagement."

Natural next modules: Module 7 (Recovery & Resilience), Module 8 (OT Security), Module 2 (Identity Security)

See: Sovereign Communications


Module Selection Guide

For the Client Who Knows Their Pain

| Client Says | Start With Module | Typical Duration |
|---|---|---|
| "We need to manage remote devices" | Module 1: Endpoint Management | 30-45 days |
| "We had a phishing incident" | Module 2: Identity Security | 30-60 days |
| "Our E3 licenses feel wasted" | Module 3: M365 Security Hardening | 30-60 days |
| "The auditor is coming" | Module 4: Data Governance | 45-90 days |
| "What is our AI strategy?" | Module 5: AI Sovereignty Bridge | 30-60 days |
| "Our AD is a mess" | Module 6: On-Premise AD Hardening | 45-60 days |
| "Can we actually recover from backup?" | Module 7: Recovery & Resilience | 30-45 days |
| "We operate critical infrastructure" | Module 8: OT Security Assessment | 45-90 days |
| "Security slows us down" | Module 9: Organizational Resilience | 60-90 days |
| "Prove our security works" | Module 10: Red Team & Validation | 15-30 days |
| "We don't feel in control" | Module 11: Embedded Quality Assurance | 60-90 days |
| "We own tools but can't use them" | Module 12: Blue/Purple Team Foundation | 60-90 days |
| "Our outsourced SOC underperforms" | Module 12 (+ Retained Capability Audit) | 60-90 days |
| "AI-powered attackers will outpace our response" | AI-Assisted TVM Sprint | 30-90 days |
| "Our VPN is a mess / vendors have too much access" | Module 13 (Privileged Access Architecture) | 30-60 days |
| "We need a crisis communication channel" | Module 14 (Sovereign Communications) | 1-5 days |
| "We don't know where to start" | Brownhat Diagnostic (NIST CSF Baseline) | 5-10 days |

For the Client Who Does Not Know Where to Start

The Brownhat Diagnostic — a paid, structured NIST CSF 2.0 Baseline Assessment:

  1. Two half-day workshops with key stakeholders (CIO/CISO, IT lead, one business owner)
    • No tools installed; no data collected from systems
    • Structured questionnaire across all six NIST CSF 2.0 domains
    • Produces an honest picture of current state, not a desired-state checklist
  2. Deliverables (5 business days after workshop):
    • Current state report: strengths, gaps, and kill chain analysis
    • Prioritised module roadmap aligned to findings
    • Up to 5 quick wins executable immediately with existing tools
  3. Module selection based on kill chain:
    • Kill chain starts with compromised endpoint → Module 1
    • Kill chain starts with stolen credentials → Module 2
    • Kill chain starts with unrecoverable systems → Module 7
    • Kill chain starts with OT bridge → Module 8
    • Kill chain starts with uncontrolled vendor/privileged access → Module 13
    • No out-of-band crisis comms capability → Module 14 (deploy immediately, 1 day)

Progressive Enhancement: How Modules Stack

Path A: The M365-First Organization

Month 1-2:   Module 1 (Endpoint Management)
              ↓ Discovers identity and security configuration gaps
Month 2-4:   Module 2 (Identity Security) + Module 3 (M365 Security Hardening)
              [run in parallel — identity and configuration are different workstreams]
              ↓ Discovers compliance and data gaps
Month 5-6:   Module 4 (Data Governance)
              ↓ Discovers AI shadow usage
Month 6-7:   Module 5 (AI Sovereignty Bridge)
              ↓ Discovers architectural fragility
Month 8-12:  Module 10 (Red Team) + selected hardening

Path B: The Hybrid Infrastructure Organization

Month 1-2:   Module 6 (On-Premise AD Hardening)
              ↓ Discovers recovery and identity gaps
Month 2-3:   Module 2 (Identity Security)
              ↓ Discovers endpoint visibility gap
Month 3-4:   Module 1 (Endpoint Management)
              ↓ Discovers AI and data gaps
Month 5-8:   Module 5 (AI Sovereignty) + Module 4 (Data Governance)
Month 9-12:  Module 7 (Recovery Validation) + Module 10 (Red Team)

Path C: The Critical Infrastructure Organization

Month 1-2:   Module 8 (OT Security Assessment)
              ↓ Discovers IT/OT identity and recovery gaps
Month 2-3:   Module 6 (On-Premise AD) + Module 2 (Identity Security)
Month 4-5:   Module 7 (Recovery & Resilience)
              ↓ Validates black start, DR procedures
Month 6-9:   Module 1 (Endpoint Management) + Module 3 (M365 Hardening)
Month 10-12: Module 10 (Red Team with OT scope)

Path D: The "Not in Control" Organization

Month 1-3:   Module 11 (Embedded Quality & Process Assurance)
              ↓ Discovers that tools are underutilized because processes are broken
Month 3-5:   Module 12 (Blue/Purple Team Foundation)
              ↓ Builds operating rhythm for existing security stack
Month 5-7:   Module 2 (Identity Security) + Module 3 (M365 Hardening)
              ↓ Technical fixes now stick because processes support them
Month 8-12:  Module 10 (Red Team) + continuous improvement retainer

Path E: The "AI-Adversary" Organization

For clients whose leadership has recognized that AI-powered scanners, exploit generators, and vulnerability-discovery tools have permanently shortened the attacker's window.

Week 1-2:    AI-Assisted TVM Baseline Sprint
              ↓ Maps actual exploitable attack surface before adversary tooling does
Month 1-2:   Module 1 (Endpoint Management) + Module 2 (Identity Security)
              ↓ Closes the highest-risk doors while AI TVM operationalizes
Month 2-3:   Module 3 (M365 Security Hardening) + AI TVM operationalization
              ↓ Automated remediation pipeline; <48h critical CVE response
Month 3-6:   Module 12 (Blue/Purple Team) + continuous AI TVM improvement
              ↓ Purple team validates that open vulnerabilities are detected and contained

Pricing and Engagement Structure

Fixed-Scope Modules

Each module is sold with:

  • Fixed price (or fixed daily rate with capped days)
  • Fixed duration (hard stop)
  • Defined deliverables (checklist)
  • Go/no-go gate before any expansion

Example module statement of work:

Module: Endpoint Management Foundation
Duration: 30 business days
Investment: €[X]
Deliverables:
  [ ] Device inventory: 100% of corporate devices identified
  [ ] Enrollment: 90%+ of corporate devices managed
  [ ] Compliance baseline: encryption, OS version, password policy deployed
  [ ] Application inventory: shadow IT report delivered
  [ ] Conditional access: compliant device required for M365
  [ ] Training: client admin team operational
  [ ] Handover: runbooks and monitoring dashboard

Go/No-Go Gate: Day 30 steering committee
  → If value demonstrated: propose Module 2 (Identity Security)
  → If value not demonstrated: engagement concludes with findings report

Module Bundles (Optional)

For clients ready to commit to a multi-module journey, offer discounted bundles:

| Bundle | Modules | Discount | Typical Timeline |
|---|---|---|---|
| M365 Foundation | 1 + 2 + 3 | 10% | 90-120 days |
| M365 Secure | 1 + 2 + 3 + 4 + 5 | 15% | 180 days |
| Hybrid Hardening | 1 + 2 + 3 + 6 + 7 | 15% | 180 days |
| Critical Infrastructure | 1 + 2 + 6 + 7 + 8 + 10 | 20% | 270 days |
| Capability Building | 11 + 12 + 2 + 3 | 15% | 180 days |
| MSSP Optimization | Retained Capability Audit + 12 + 10 | 15% | 120-180 days |
| AI TVM Sprint | AI-assisted TVM + 1 + 2 + 3 | 15% | 90-120 days |

The rule: Bundles are discounted but still phase-gated. Each module has its own go/no-go. The client can pause or stop after any module.


Sales Enablement

The Modular Pitch

"We do not sell one-size-fits-all transformation programs. We sell specific, bounded modules that solve specific problems. You can start with any module—whichever pain is keeping you awake at night. Each module delivers measurable value in 30-60 days. If you like the results, we add the next module. If you do not, we stop. No long-term commitment. No sunk cost. Just building blocks that make your organization stronger."

The Discovery Question Sequence

  1. "What is the shortest path to a business-ending incident here?" (Identifies kill chain)
  2. "Which of your security investments are you least sure about?" (Identifies untapped tooling)
  3. "If you could fix one thing in the next 60 days, what would it be?" (Identifies module selection)
  4. "What have you tried before that did not work?" (Avoids repeating failures)
  5. "What would make you confident enough to expand to the next phase?" (Defines go/no-go criteria)

Integration With Existing Frameworks

| Document | Integration |
|---|---|
| Rapid Modernisation Plan | Each module maps to one or more rapid modernisation phases |
| Business Case Template | Modular pricing structure; per-module ROI |
| C-Suite Conversation Guide | Modular pitching scripts and objection handling |
| M365 Antifragile Project | Modules 1-5 map directly to M365 project workstreams |
| Antifragile Risk Register | Each module closes a defined risk category |

Platform Adaptation: Non-Microsoft Environments

The strategic framework, assessment methodology, and tool stack (Modules 6-12) are fully platform-agnostic. Modules 1-5 use Microsoft 365 as the primary reference environment because it is the dominant client footprint—but every module has direct equivalents on other platforms.

The principle never changes. The tool that implements it does.

Module 1: Endpoint Management Foundation

| Environment | Equivalent Tooling |
|---|---|
| Microsoft (default) | Intune + Entra ID |
| Apple-heavy | Jamf Pro or Kandji + Entra ID (BYOD) |
| Mixed SMB | JumpCloud MDM or NinjaRMM |
| Linux-heavy | Ansible + osquery (see Sovereign Tool Stack) |
| Multi-platform enterprise | VMware Workspace ONE or Ivanti |

Module 2: Identity Security

| Environment | Equivalent Platform |
|---|---|
| Microsoft 365 | Entra ID — Conditional Access, PIM, SSPR |
| Google Workspace | Cloud Identity + BeyondCorp Enterprise |
| Independent IdP | Okta (MFA, lifecycle), JumpCloud, or self-hosted Authentik |
| AWS-native | IAM Identity Center + SCPs + CloudTrail |
| Legacy/hybrid | Okta or Ping Identity as federation layer over AD |

The non-negotiables remain identical across all platforms: MFA on every account, no shared admin credentials, least-privilege access, full audit logging, and PAW architecture for administrators.
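The non-negotiables above can be turned into a single, platform-agnostic gate check that runs against whatever directory export the client has. The following is an added example written for this document; it is not part of the original page or of any vendor's tooling. The two loaders assume constructed export shapes (an Entra ID-style user list and an Okta-style user/factor list; the field names are assumptions, not the vendors' real schemas), the shared-credential test is a name-based heuristic, and audit logging is treated as a tenant-level flag supplied by the operator.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Role or group names containing any of these markers are treated as privileged.
PRIVILEGED_MARKERS = ("administrator", "admin", "owner")
# Heuristic (assumption): local parts that usually indicate a shared or generic credential.
SHARED_LOCAL_PARTS = {"admin", "itadmin", "helpdesk", "service", "shared", "root"}
# A privileged account with no sign-in for this many days is flagged as dormant privilege.
DORMANT_DAYS = 90

# Constructed sample exports. Field names only mimic the general shape of an
# Entra ID user export and an Okta user/factor export; they are assumptions.
ENTRA_ROWS = [
    {"upn": "alice@example.com",   "roles": ["Global Administrator"],   "mfaRegistered": True,  "lastSignInDays": 2},
    {"upn": "bob@example.com",     "roles": [],                         "mfaRegistered": False, "lastSignInDays": 5},
    {"upn": "itadmin@example.com", "roles": ["Exchange Administrator"], "mfaRegistered": True,  "lastSignInDays": 1},
    {"upn": "carol@example.com",   "roles": ["Security Administrator"], "mfaRegistered": True,  "lastSignInDays": 140},
]
OKTA_ROWS = [
    {"login": "dave@example.com", "groups": ["Super Administrators"], "factors": ["okta_verify"], "lastLoginDays": 3},
    {"login": "erin@example.com", "groups": ["Everyone"],             "factors": [],             "lastLoginDays": 9},
]


@dataclass(frozen=True)
class Account:
    """Normalized account record: the principle is evaluated on this, not on vendor fields."""
    identity: str
    privileged: bool
    mfa_enrolled: bool
    last_sign_in_days: Optional[int]   # None = never signed in


def _is_privileged(labels: Iterable[str]) -> bool:
    return any(marker in label.lower() for label in labels for marker in PRIVILEGED_MARKERS)


def from_entra(rows: Iterable[Dict]) -> List[Account]:
    """Normalize an Entra ID-style export (assumed field names)."""
    return [Account(r["upn"], _is_privileged(r["roles"]), bool(r["mfaRegistered"]), r.get("lastSignInDays"))
            for r in rows]


def from_okta(rows: Iterable[Dict]) -> List[Account]:
    """Normalize an Okta-style export (assumed field names); any enrolled factor counts as MFA."""
    return [Account(r["login"], _is_privileged(r["groups"]), len(r["factors"]) > 0, r.get("lastLoginDays"))
            for r in rows]


def looks_shared(identity: str) -> bool:
    """Name-based heuristic for shared/generic credentials (assumption; tune per client)."""
    local_part = identity.split("@", 1)[0].lower()
    return local_part in SHARED_LOCAL_PARTS


def evaluate(accounts: Iterable[Account], tenant: Dict) -> Dict[str, List[str]]:
    """Apply the non-negotiables; returns one sorted list of identities per failed rule."""
    findings: Dict[str, List[str]] = {
        "no_mfa": [],             # MFA on every account
        "shared_admin": [],       # no shared admin credentials
        "dormant_privileged": [], # least privilege: standing admin rights nobody uses
        "audit_logging_off": [],  # full audit logging (tenant-level setting)
    }
    for a in accounts:
        if not a.mfa_enrolled:
            findings["no_mfa"].append(a.identity)
        if a.privileged and looks_shared(a.identity):
            findings["shared_admin"].append(a.identity)
        if a.privileged and (a.last_sign_in_days is None or a.last_sign_in_days > DORMANT_DAYS):
            findings["dormant_privileged"].append(a.identity)
    if not tenant.get("audit_log_enabled", False):
        findings["audit_logging_off"].append(tenant.get("name", "tenant"))
    return {rule: sorted(ids) for rule, ids in findings.items()}


def gate_passed(findings: Dict[str, List[str]]) -> bool:
    """Go/no-go: the identity module gate passes only when every rule list is empty."""
    return not any(findings.values())


if __name__ == "__main__":
    report = evaluate(from_entra(ENTRA_ROWS) + from_okta(OKTA_ROWS),
                      {"name": "example-tenant", "audit_log_enabled": True})
    for rule, ids in report.items():
        print(f"{rule:20s} {ids}")
    print("gate passed:", gate_passed(report))
```

The loaders are the only platform-specific part; swapping Entra for Okta or Google changes `from_*`, never `evaluate`. Treating a privileged account that has never signed in as dormant is deliberate: those are typically break-glass or leftover accounts that should be reviewed, not silently accepted.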

Module 3: Security Hardening

| Environment | Equivalent Approach |
|---|---|
| Microsoft 365 | Secure Score + EOP + ASR rules + LAPS |
| Google Workspace | Admin Security Health Advisory + Workspace Security Advisor + Alert Center |
| AWS | Security Hub + Config Rules + GuardDuty + CloudTrail validation |
| Multi-cloud | Prowler (covers AWS, Azure, GCP — see Sovereign Tool Stack) |

Module 4: Data Governance and Compliance

| Environment | Equivalent Tooling |
|---|---|
| Microsoft 365 | Microsoft Purview (sensitivity labels, DLP, retention) |
| Google Workspace | Google Vault + DLP + Drive labels |
| Cloud-native | AWS Macie (data discovery) + S3 Object Lock (retention) |
| Platform-agnostic | CISO Assistant (open-source GRC) for evidence tracking regardless of platform |

Module 5: AI Sovereignty Bridge

| Environment | Approach |
|---|---|
| Azure (default) | Azure OpenAI Service + Private Endpoints + Foundry |
| AWS | Amazon Bedrock + VPC endpoints + AWS PrivateLink |
| Self-hosted / sovereign | Ollama or vLLM + quantized open models (Llama 3, Mistral, Phi) |
| Hybrid regulated | On-premise inference + Azure or AWS for burst capacity with data boundary controls |

The sovereignty test is the same regardless of platform: Does your proprietary data leave your environment? Can you audit what the model sees? Can you operate if the provider goes down?
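The three questions of the sovereignty test map onto three controls in the inference path: an egress allowlist, an audit record of what each backend saw, and an ordered failover to a backend the organization operates itself. The following is an added example written for this document, not the project's own code and not any provider's SDK. The backends are simulated callables, the hostnames (`*.internal.example`, `api.public-llm.example`) are constructed placeholders, and the allowed-domain list is an assumption the operator would replace with the private endpoint zones actually in use.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Sequence
from urllib.parse import urlparse


@dataclass
class Backend:
    """One inference target. `call` sends a prompt and returns text; raises ConnectionError on outage."""
    name: str
    url: str
    call: Callable[[str], str]


@dataclass
class SovereignClient:
    """Inference client that enforces the sovereignty test on every request."""
    backends: Sequence[Backend]      # tried in order: primary provider first, self-hosted last
    allowed_hosts: Sequence[str]     # exact hosts or parent domains inside the data boundary (assumption)
    audit_log: List[Dict] = field(default_factory=list)

    def inside_boundary(self, url: str) -> bool:
        """Q1: only hosts equal to, or true subdomains of, an allowed domain may receive data."""
        host = (urlparse(url).hostname or "").lower()
        return any(host == h or host.endswith("." + h) for h in self.allowed_hosts)

    def complete(self, prompt: str, classification: str) -> Dict[str, str]:
        # Q2: the audit record carries a hash of the prompt, so the log proves what the
        # model saw without itself becoming a second copy of the proprietary data.
        digest = hashlib.sha256(prompt.encode("utf-8")).hexdigest()
        for b in self.backends:
            if not self.inside_boundary(b.url):
                self.audit_log.append({"event": "egress_blocked", "backend": b.name, "prompt_sha256": digest})
                continue
            try:
                text = b.call(prompt)
            except ConnectionError:
                # Q3: provider down -> fall through to the next backend inside the boundary.
                self.audit_log.append({"event": "backend_down", "backend": b.name})
                continue
            self.audit_log.append({"event": "completion", "backend": b.name,
                                   "prompt_sha256": digest, "classification": classification})
            return {"backend": b.name, "text": text}
        raise RuntimeError("no backend inside the sovereign boundary is reachable")


# Constructed, simulated backends (assumptions for this example).
def _provider_down(prompt: str) -> str:
    raise ConnectionError("simulated provider outage")


def _public_consumer_api(prompt: str) -> str:
    return "public:" + prompt


def _self_hosted(prompt: str) -> str:
    return "local-model:" + prompt[:12]


def build_demo_client() -> SovereignClient:
    """Primary private endpoint (down), a public API someone added, and a self-hosted fallback."""
    return SovereignClient(
        backends=[
            Backend("provider-private-endpoint", "https://llm-prod.internal.example/v1", _provider_down),
            Backend("public-consumer-api", "https://api.public-llm.example/v1", _public_consumer_api),
            Backend("self-hosted-vllm", "https://vllm.internal.example/v1", _self_hosted),
        ],
        allowed_hosts=("internal.example",),
    )


if __name__ == "__main__":
    client = build_demo_client()
    result = client.complete("Quarterly revenue forecast data", "confidential")
    print(result)
    for entry in client.audit_log:
        print(entry)
```

Run against the constructed setup, the request never reaches the public API even though it is configured, the outage of the primary is recorded, and the self-hosted backend answers; the audit log shows the full path while containing no prompt text. The suffix check uses a leading dot on purpose, so a host such as `internal.example.attacker.example` does not pass as a subdomain.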

Path F: The Non-Microsoft Organization

Month 1-2:   Module 6 (On-Premise AD Hardening) if AD is present
             — OR —
             Module 2 equivalent (Okta / JumpCloud / Google Identity hardening)
              ↓ Establishes identity foundation
Month 2-3:   Module 1 equivalent (Jamf / JumpCloud MDM / Ansible endpoint management)
              ↓ Establishes device visibility and compliance baseline
Month 3-4:   Module 3 equivalent (Prowler cloud scan / Google Workspace hardening)
              ↓ Closes misconfiguration and hardening gaps
Month 5-6:   Module 8 (OT Security) if critical infrastructure
             — OR —
             Module 9 (Organizational Resilience) if development-heavy
Month 7-12:  Module 10 (Red Team) + Module 12 (Blue/Purple Team Foundation)

The Sovereign Tool Stack remains unchanged: BloodHound, osquery, Prowler, CISO Assistant, Wazuh, TheHive, and the rest of the arsenal operate independently of Microsoft licensing.



For the full 180-day rapid modernisation plan, see Rapid Modernisation Plan. For module-specific tactical guidance, see the linked playbooks in each module description.