New section: 'When to Partner Commercially: The Partnership Doctrine'
Addresses the practical reality of a 5-person consultancy growing to 15-20: where open-source wins, where commercial wins, and the decision framework for choosing between them.
Partnership Decision Framework:
- Capability (24/7 eyes-on-glass = partner)
- Compliance (audit demands vendor logo = partner)
- Scale (>5,000 endpoints = partner)
- Time to value (<30 days = partner)
- Margin (recurring revenue without proportional labour = partner)
- Differentiation (partner makes us generic = refuse)
Tier 1 Strategic Partnerships (deeply integrated):
- Huntress: Managed EDR for 24/7 coverage we cannot staff
- Thinkst Canary: Enterprise deception, high margin, low touch
- Tenable: Compliance-auditable VM for regulated clients
Tier 2 Situational Partnerships (deploy as needed):
- Delinea (PAM), KnowBe4 (awareness), Veeam (backup), Proofpoint/Mimecast (email gateway)
Tier 3 Consultant Productivity (not resold):
- Burp Suite Pro, Cobalt Strike/Sliver, training
Also documents what we REFUSE to partner with (all-in-one platforms, generic SIEM, opaque AI startups, M365 management competitors) and provides a Year 1 vs Year 3 partnership portfolio roadmap.
Antifragile Enterprise Consulting Repository
"Wind extinguishes a candle and energizes fire. You want to be the fire and wish for the wind." — Nassim Nicholas Taleb
This repository contains reusable frameworks, playbooks, and assessment resources for consulting engagements focused on building antifragile organizations—enterprises that do not merely survive disruption but grow stronger from it.
What Is Antifragile?
Most security and resilience frameworks optimize for robustness—the ability to withstand shocks. Antifragility goes further. An antifragile system:
- Benefits from volatility and stressors
- Learns faster from failures than from successes
- Decentralizes critical functions to avoid single points of failure
- Treats optionality as a strategic asset, not overhead
Repository Structure
├── core/ # Foundational frameworks and principles
│ ├── move-fast-and-fix-things.md # Company philosophy: speed, repair, existing tools
│ ├── antifragile-manifest.md # The five pillars of antifragile enterprise
│ ├── modular-engagements.md # Menu of independent, self-contained modules
│ ├── ai-sovereignty-framework.md # AI sovereignty as a strategic mandate
│ ├── ai-operations-inevitability.md # Why defensive AI is inevitable (business AI is optional)
│ ├── azure-openai-sovereignty-bridge.md # Azure OpenAI/Foundry as sovereignty stepping stone
│ ├── organizational-resilience.md # Dev/Sec/Ops merger and shift-left arguments
│ ├── quality-management-engagement.md # Embedded process assurance for teams feeling "not in control"
│ ├── blue-purple-team-foundation.md # Building defensive capability from existing tools
│ ├── retained-capability.md # What to keep in-house when outsourcing security (MSSP, pentest, compliance)
│ ├── executive-summary.md # One-page board brief
│ ├── c-suite-conversation-guide.md # Persuasion scripts for top management
│ └── t0-asset-framework.md # Tier 0 asset classification and protection
├── playbooks/ # Executable modernisation and response plans
│ ├── rapid-modernisation-plan.md # 30-60-90-180 day transformation roadmap
│ ├── endpoint-management-entry-vector.md # Intune/device management as engagement entry point
│ ├── ai-assisted-tvm.md # AI-powered vulnerability management blueprint
│ ├── zero-budget-vulnerability-discovery.md # Script-based vuln discovery without commercial scanners
│ ├── perimeter-scanning-capability.md # External attack surface scanning strategy
│ ├── osquery-custom-platform.md # Build a sovereign vuln/asset discovery platform on osquery
│ ├── m365-antifragile-project.md # M365 greenfield/modernisation with antifragile design
│ ├── m365-e3-hardening.md # M365 E3-specific tactical hardening
│ ├── ad-endpoint-hardening.md # On-prem AD, Windows endpoint, hybrid identity
│ ├── zero-budget-hardening.md # Maximize existing tool investment
│ ├── implementation-playbook.md # Step-by-step operational guide
│ ├── business-case-template.md # Financial justification and ROI framework
│ └── sovereign-tool-stack.md # Open-source arsenal and capability map
├── assessment-templates/ # Diagnostic tools and maturity models
│ ├── README.md # Assessment roadmap and development plan
│ ├── antifragile-risk-register.md # Antifragile risk taxonomy and register template
│ └── m365-project-risk-register.md # M365 project-specific risk register
├── reference/ # External standards, mappings, and citations
│ ├── cis-controls-mapping.md # CIS Controls v8 alignment
│ ├── nist-csf-mapping.md # NIST CSF 2.0 alignment
│ ├── vertical-power-utilities.md # Power generation, transmission, water utilities
│ ├── vertical-telco.md # Telecommunications and mobile operators
│ └── vertical-banking.md # Financial services regulatory alignment
└── assets/ # Diagrams, visuals, and presentation materials
Our Posture: Move Fast and Fix Things
This practice is built on a simple, actionable stance: move fast and fix things. We do not wait for perfect plans. We identify the kill chain, extract value from existing investments, and close existential gaps before they become incidents.
- Speed is a security control. A 90% solution deployed today outperforms a 100% solution that ships in six months.
- Work beats purchases. Most organizations own 60-80% of the capabilities they need. We configure and operationalize before we shop.
- Every fix must produce a signal. A remediation without telemetry is a remediation that will rot.
Read the full Move Fast and Fix Things philosophy.
Core Pillars
- Structural Decoupling — Remove hidden dependencies before they become fatal ones
- Optionality Preservation — Maintain strategic exits and alternatives at every layer
- Stress-to-Signal Conversion — Turn failures, attacks, and outages into intelligence
- Sovereign Intelligence — Own your cognitive infrastructure; never rent your ability to think
- Asymmetric Payoff Design — Engineer outcomes where small investments yield disproportionate protection
Standards Alignment
Our approach is not an alternative to established frameworks. It is the fastest path to meeting them while building real resilience:
- CIS Controls v8 — IG1 as a non-negotiable 90-day floor, achieved primarily through existing tool configuration
- NIST CSF 2.0 — All six functions addressed with emphasis on GOVERN as the missing keystone
Quick Start for Executives and Board Members
- Read Executive Summary — one page, five minutes, the full case
- Review Business Case Template — financial justification, ROI, and risk quantification
- Browse C-Suite Conversation Guide — how your advisors should frame the conversation
Quick Start for Consultants
- Open core/move-fast-and-fix-things.md — understand the engagement posture
- Read core/antifragile-manifest.md — understand the philosophy
- Study playbooks/m365-e3-hardening.md — master the primary client environment (most clients are E3)
- Study playbooks/ad-endpoint-hardening.md — cover on-premises AD and endpoint gaps
- Study playbooks/zero-budget-hardening.md — extract value from existing tools in 30 days
- Deploy playbooks/rapid-modernisation-plan.md — run the 30-60-90-180 day roadmap
- Reference core/t0-asset-framework.md and core/ai-sovereignty-framework.md — classify assets and own intelligence
- Map reference/cis-controls-mapping.md and reference/nist-csf-mapping.md — align to standards
- Adapt reference/vertical-power-utilities.md, reference/vertical-telco.md, or reference/vertical-banking.md — tailor for regulated critical infrastructure clients
Usage and Licensing
These documents are designed for reuse across client engagements. Adapt, remix, and extend. Credit the framework when presenting externally.
Built for practitioners who defend the future, not just the perimeter.