antifragile/antifragile-consulting/index.md

Antifragile Enterprise Consulting Repository — Index

For Executives and Board Members

Start here. These documents require no technical background.

Document	Purpose	Audience
About CQRE	Who we are, what we do, how we're different — fill this before sharing with clients	CEOs, New Clients, New Hires
O společnosti CQRE	Česká verze firemního profilu — pro české klienty a nové členy týmu	Czech Clients, New Hires
Executive Summary	One-page strategic overview — read this first	CEOs, Boards, Executive Committees
C-Suite Conversation Guide	Scripts, objection handling, and psychological framing	Executives, Advisors
Business Case Template	Financial justification, ROI, and risk quantification	CFOs, Boards, Risk Committees
Modular Engagements	Menu of independent modules; choose your starting point	CEOs, CFOs, Procurement

For the strategic philosophy, see Core Frameworks below.

For Practitioners and Consultants

Operational and persuasion documents used in engagements. Start every new client with the NIST CSF 2.0 Baseline Assessment (the Brownhat Diagnostic) to earn the right to recommend anything.

Document	Purpose	Audience
README	Repository overview and quick start	Everyone
Engagement Model	How engagements work: lifecycle, client requirements, deliverables, pricing, and consultant delivery discipline	Clients, New Consultants
Consultant Field Guide	Internal playbook: decision models, client qualification, module selection, common mistakes, technical onboarding, proposal writing	New Consultants
NIST CSF 2.0 Baseline Assessment	The Brownhat Diagnostic: entry workshop for every new engagement	Consultants, CISOs, IT Managers
AI Operations Inevitability	Defensive AI is inevitable; business AI is optional	CISOs, CTOs, Consultants
Azure OpenAI Sovereignty Bridge	Azure OpenAI/Foundry as pragmatic sovereignty step	CTOs, Architects, Consultants
Organizational Resilience	Shift left and Dev/Sec/Ops merger talking points	CTOs, CISOs, Consultants
Embedded Quality Assurance	Process assurance for teams feeling "not in control"	Heads of Security, Operations, Project Leaders
Blue/Purple Team Foundation	Building defensive capability from existing tool investments	CISOs, SOC Managers, Security Architects
Retained Capability	What to keep in-house when outsourcing SOC, pentest, compliance	CISOs, CFOs, Procurement

For the engagement posture and philosophy, see Core Frameworks below.

Core Frameworks

Document	Purpose	Audience
Move Fast and Fix Things	Speed, repair, and maximizing existing investment	Consultants, Executives
Antifragile Manifest	Five pillars of antifragile enterprise	Executives, Architects, Consultants
AI Sovereignty Framework	Strategic arguments and implementation for local AI	CISOs, CTOs, Security Architects
T0 Asset Framework	Tier 0 classification and protection for critical assets	Security Architects, Infrastructure Leads
Spontaneous Order Principles	Philosophical foundation for the five pillars	Executives, Architects, Strategists

Playbooks

Document	Purpose	Audience
Rapid Modernisation Plan	30-60-90-180 day transformation roadmap	Program Managers, Consultants, CISOs
Endpoint Management Entry Vector	Intune/device management as the ideal engagement entry point	M365 Consultants, Account Managers
AI-Assisted TVM Blueprint	AI-powered vulnerability management for AI-powered adversaries	CTOs, CISOs, Vulnerability Management
Zero-Budget Vulnerability Discovery	Script-based and osquery-based server/container vuln discovery without Tenable/Qualys	Security Engineers, Consultants
Perimeter Scanning Capability	External attack surface strategy: build, partner, or hybrid	Security Architects, Consultants
Osquery: The Sovereign Discovery Platform	Build a custom vulnerability and asset inventory platform on osquery	Security Engineers, Consultants, CTOs
M365 Antifragile Project	Greenfield and modernisation with antifragile design	M365 Consultants, Project Managers
M365 E3 Hardening	Tactical hardening for M365 E3 environments	M365 Consultants, Security Engineers
AD and Endpoint Hardening	On-prem AD, Windows endpoints, hybrid identity	Infrastructure Consultants, Security Engineers
Zero-Budget Hardening	Maximize existing tools, minimize new purchases	Consultants, CISOs, IT Managers
Implementation Playbook	Tactical step-by-step delivery guide	Technical Leads, Security Engineers
Sovereign Tool Stack	Open-source arsenal: Prowler, BloodHound, CISO Assistant, ASTRAL, AOC, Wazuh, Shuffle	Consultants, CTOs, CISOs
Privileged Access Architecture	PAM design: Teleport, Tailscale/Headscale, JIT access, vendor access governance	Security Architects, Infrastructure Consultants, OT Leads
Sovereign Communications	Delta Chat chatmail relay, Matrix/Element, crisis out-of-band channels	CISOs, Operations Leads, Incident Response
Business Case Template	Financial justification, ROI, risk quantification	CFOs, Boards, Consultants

Standards Reference

Document	Purpose	Audience
CIS Controls v8 Mapping	IG1-IG3 alignment with antifragile actions	Consultants, Auditors, Compliance
NIST CSF 2.0 Mapping	CSF function mapping and evidence package	Consultants, Auditors, Compliance

Vertical References

Document	Purpose	Audience
Vertical: Power and Utilities	Power generation, transmission, water, OT, NIS2/CER	Consultants in energy/water sectors
Vertical: Telco	Mobile/fixed operators, signaling security, 5G, fraud	Consultants in telecommunications
Vertical: Banking	Financial services, DORA, PSD2, SWIFT CSP alignment	Consultants in banking/fintech sectors

Assessment and Tools

Document	Purpose	Audience
NIST CSF 2.0 Baseline Assessment	The Brownhat Diagnostic: structured 2-half-day workshop, gap analysis, prioritised module roadmap	Consultants, CISOs, IT Managers
NIST CSF 2.0 — česká verze	Brownhat Diagnostika: dotazníky a průvodce workshopem v češtině	Consultants running Czech-language workshops
Module Completion Report	Template for the deliverable package at the end of every module	Consultants
Risk Register Example	8 fully populated risk entries from a realistic engagement — calibration reference for consultants	Consultants
Antifragile Risk Register	Kill chain-aware risk taxonomy and register template	Risk Managers, Consultants
M365 Project Risk Register	M365-specific risk register with phase gates	Project Managers, M365 Consultants
Assessment Templates	Future diagnostic tools and maturity models	Consultants, Auditors

Navigation by Role

For the Executive Sponsor

1. Move Fast and Fix Things — understand the engagement posture and speed philosophy
2. Spontaneous Order Principles — understand why antifragile design works at a systems level
3. Antifragile Manifest — understand the strategic philosophy
4. AI Sovereignty Framework — read the executive summary and five strategic arguments
5. Rapid Modernisation Plan — review phases and governance cadence
6. Zero-Budget Hardening — understand how existing investments are maximized

For the Security Architect

1. T0 Asset Framework — master the classification and protection model
2. Implementation Playbook — follow the workstreams for identity, perimeter, and resilience
3. Spontaneous Order Principles — architectural philosophy for why decentralized resilience outperforms centralized control
4. Rapid Modernisation Plan — adapt phases to organizational context

For the Consultant

Start here (read in order before your first engagement):

1. README — repository orientation
2. Move Fast and Fix Things — the Brownhat methodology and engagement posture
3. Engagement Model — lifecycle, scoping, pricing, delivery discipline, and how to handle difficult situations
4. Consultant Field Guide — decision models, client qualification, module selection, the ten common mistakes, technical onboarding, and proposal writing
5. Antifragile Manifest — the five pillars and their client-facing translation
6. Spontaneous Order Principles — the philosophical foundation for why antifragile design works
7. C-Suite Conversation Guide — scripts, objection handling, and psychological framing for every executive archetype

Then study the module delivery toolkit:

8. NIST CSF 2.0 Baseline Assessment — run this first with every new client (the Brownhat Diagnostic)
9. Modular Engagements — the full module menu (Modules 1–14) and platform adaptation guide
10. Sovereign Tool Stack — the full arsenal: CQRE tools, open-source stack, commercial partnerships, and when to use each
11. M365 E3 Hardening — primary client environment for MS clients (most are E3)
12. AD and Endpoint Hardening — on-premises identity and endpoint depth
13. Privileged Access Architecture — Module 13: Teleport, Tailscale/Headscale, JIT access, vendor remote access governance
14. Sovereign Communications — Module 14: Delta Chat chatmail relay, Matrix/Element, crisis out-of-band channels

Reference when needed:

15. AI Sovereignty Framework — persuasive arguments and objection handling
16. AI Operations Inevitability — why defensive AI is not optional
17. Organizational Resilience — shift left and Dev/Sec/Ops merger talking points
18. Retained Capability — what to keep in-house when outsourcing SOC, pentest, compliance
19. Zero-Budget Hardening — extract value from existing tools in 30 days
20. Zero-Budget Vulnerability Discovery — script-based and osquery-based discovery before scanner procurement
21. Osquery: The Sovereign Discovery Platform — build owned vulnerability and asset inventory capability
22. Rapid Modernisation Plan — structured engagement roadmap
23. Implementation Playbook — tactical delivery guidance
24. Vertical: Power and Utilities, Vertical: Telco, or Vertical: Banking — sector-specific adaptations
25. CIS Controls Mapping and NIST CSF Mapping — standards alignment for auditors and regulators

---

This index is updated as the repository grows.