antifragile/antifragile-consulting/core/modular-engagements.md
Tomas Kracmar 2b969af2a8 feat: Add sovereign tool stack and integrate ASTRAL/AOC across playbooks
New document: Sovereign Tool Stack — complete capability map for our
open-source consulting arsenal.

Documents updated:
- sovereign-tool-stack.md (new): Maps Prowler, BloodHound, CISO Assistant,
  Purple Knight/Forest Druid, ASTRAL, and AOC to engagement modules and
  antifragile pillars. Identifies 6 gaps with recommended closes:
  Wazuh+Sysmon (EDR), Shuffle (SOAR), TheHive+Cortex (case management),
  Cartography (cloud asset mapping), Syft+Grype+Trivy (containers),
  Zeek+Suricata (network analysis). Includes per-module tool pairing,
  deployment complexity matrix, and integration architecture.
- m365-e3-hardening.md: Added ASTRAL 'configuration immunity' section
  and AOC audit log integration references
- endpoint-management-entry-vector.md: Added ASTRAL for Intune
  configuration backup and drift detection
- modular-engagements.md: Added ASTRAL and AOC to Module 1/2/3
  deliverables; linked sovereign tool stack
- retained-capability.md: Added AOC and Wazuh to detection engineering
  description
- ai-assisted-tvm.md: Added AOC and Prowler to discovery layer table
- blue-purple-team-foundation.md: Added sovereign tool stack reference
  for open-source SOC architecture
- zero-budget-hardening.md: Linked sovereign tool stack
- README.md + index.md: Added sovereign-tool-stack.md to navigation
2026-05-09 17:05:18 +02:00


# Modular Engagement Architecture

> *"Not every client is ready for the full journey. Some need to solve one burning problem first. The antifragile approach is architected so that every module stands alone—and every module makes the next one easier."*

This document defines the antifragile consulting portfolio as a **menu of independent, self-contained modules**. Clients can purchase any module without committing to the full 180-day program. Each module delivers measurable value, produces transferable assets, and creates natural appetite for the next phase.

---

## The Philosophy: Progressive Resilience

We do not sell monolithic transformation projects. We sell **building blocks** that stack.

| Approach | Traditional Consulting | Antifragile Modular |
|----------|----------------------|---------------------|
| Sales motion | Sell a 12-month program or nothing | Sell a 30-day module; expand based on proven value |
| Client commitment | All-in or walk away | Start where the pain is highest |
| Risk to client | High (unknown ROI until month 6+) | Low (measurable value in 30 days) |
| Risk to consultant | High (scope creep, payment delays) | Low (bounded scope, phase-gated payment) |
| Political capital | Consumed defending the program | Generated by visible early wins |

**The rule**: Every module must be **sellable on its own**, **deliverable in 90 days or less**, and **able to produce evidence that the next module is warranted**.

---
## The Module Menu
### Module 1: Endpoint Management Foundation

**The Entry Vector. The Most Common Starting Point.**

| Attribute | Detail |
|-----------|--------|
| **Typical duration** | 30-45 days |
| **Typical investment** | Low (labor only; Intune included in E3) |
| **Prerequisites** | M365 E3 or higher; Azure AD tenant |
| **Standalone value** | Full device visibility; compliance enforcement; remote management capability |
| **Typical client** | Remote-first organization; SCCM retiree; compliance-driven; Intune shelfware |

**What is delivered**:

- Device inventory and enrollment campaign (Windows, macOS, iOS, Android)
- Compliance baseline: encryption, OS version, password policy, firewall
- Application inventory and shadow IT discovery
- Basic conditional access integration (compliant device required for M365 access)
- ASTRAL deployment for Intune configuration backup and drift detection
- Admin training and operational handover

**Executive pitch**:

> *"Your devices are in home offices, airports, and coffee shops. In 30 days, we will know exactly what you have, whether it is secure, and how to fix what is not. This is not surveillance. It is ensuring that only healthy devices access your data—wherever they are."*

**Natural next modules**: Module 2 (Identity Security), Module 5 (AI Sovereignty Bridge), Module 6 (On-Premise AD)

**See**: [Endpoint Management Entry Vector](../playbooks/endpoint-management-entry-vector.md)

---
### Module 2: M365 Identity Security

**The Foundation of Everything. The Most Undervalued Module.**

| Attribute | Detail |
|-----------|--------|
| **Typical duration** | 30-60 days |
| **Typical investment** | Low to medium (labor; E5/P2 licensing upgrade may be recommended selectively) |
| **Prerequisites** | M365 tenant (E3 minimum); administrative access |
| **Standalone value** | Elimination of standing privileged access; MFA enforcement; legacy auth blocked; guest access governed |
| **Typical client** | Post-breach hardening; auditor findings; rapid growth with identity debt; privileged account compromise |

**What is delivered**:

- Full identity census: human accounts, service accounts, guests, enterprise apps
- MFA enforcement for 100% of users (conditional access with MFA for E3; risk-based conditional access and PIM for E5)
- Legacy authentication blocked tenant-wide
- Privileged access workstation (PAW) architecture for admins
- PIM deployment (if E5/Entra ID P2) or manual JIT process (if E3)
- AOC deployment for audit log intelligence and anomalous admin detection
- Guest access audit and time-bounding
- OAuth consent governance

**Executive pitch**:

> *"There are currently [X] administrator accounts in your tenant. If any one of them is compromised, an attacker owns your email, your documents, and your identity system. In 30 days, we reduce that to the minimum viable number, enforce multi-factor authentication, and ensure no admin ever logs in from a workstation with email and browsing."*

**Natural next modules**: Module 3 (M365 Security Hardening), Module 6 (On-Premise AD), Module 7 (Recovery & Resilience)

---
### Module 3: M365 Security Hardening

**The E3 Maximization Play. Configuration, Not Procurement.**

| Attribute | Detail |
|-----------|--------|
| **Typical duration** | 30-60 days |
| **Typical investment** | Low (primarily labor; no new licensing required for E3 clients) |
| **Prerequisites** | M365 tenant; Module 2 (Identity Security) strongly recommended first |
| **Standalone value** | EOP tuned to maximum aggression; audit logging operational; Secure Score trending upward; ASR rules (if E5) |
| **Typical client** | E3 clients with untapped security potential; post-M365-deployment hardening; Secure Score below 50 |

**What is delivered**:

- Exchange Online Protection tuning: anti-phishing, anti-malware, anti-spam
- Mailbox auditing enabled for all users
- Unified Audit Log enabled and forwarded to SIEM
- Microsoft Secure Score baseline and improvement plan
- ASR rule deployment in audit mode (E5) or Defender for Endpoint P1 maximisation (E3)
- ASTRAL configuration baseline capture for all M365 security policies
- Windows Defender Firewall and exploit protection baseline
- LAPS deployment for local admin password randomization

**Executive pitch**:

> *"You own E3, which includes enterprise-grade antivirus, email filtering, and audit logging. Most organizations use less than 30% of these capabilities because no one configured them. We turn every available security control to maximum—and prove the improvement with before-and-after metrics. No new software. Just expertise applied to what you already paid for."*

**Natural next modules**: Module 4 (Data Governance), Module 5 (AI Sovereignty Bridge), Module 10 (Red Team & Validation)

**See**: [M365 E3 Hardening](../playbooks/m365-e3-hardening.md), [Zero-Budget Hardening](../playbooks/zero-budget-hardening.md), [Sovereign Tool Stack](../playbooks/sovereign-tool-stack.md)

---
### Module 4: Data Governance & Compliance

**The Regulatory Survival Module.**

| Attribute | Detail |
|-----------|--------|
| **Typical duration** | 45-90 days |
| **Typical investment** | Medium (labor; Purview licensing may be required for advanced features) |
| **Prerequisites** | M365 tenant; Module 3 (Security Hardening) recommended |
| **Standalone value** | Data classification deployed; retention policies enforced; DLP active; eDiscovery ready; regulatory evidence produced |
| **Typical client** | Regulated industries (banking, healthcare, critical infrastructure); litigation hold requirements; GDPR/DORA/NIS2 compliance |

**What is delivered**:

- Sensitivity label deployment (Public, Internal, Confidential, Highly Confidential)
- Retention policies for all M365 workloads (email, Teams, SharePoint, OneDrive)
- Data Loss Prevention (DLP) policies for high-sensitivity data types
- External sharing lockdown and per-site governance
- eDiscovery readiness: legal hold procedures, retention hold capability
- Teams governance: controlled creation, expiration, access reviews
- SharePoint site provisioning governance

**Executive pitch**:

> *"Your auditor does not want to see a policy document. They want to see evidence that sensitive data is classified, that emails are retained according to regulation, and that you can produce documents for legal hold within 48 hours. We build the evidence—not the theater."*

**Natural next modules**: Module 5 (AI Sovereignty Bridge), Module 7 (Recovery & Resilience), Module 10 (Red Team & Validation)

---
### Module 5: AI Sovereignty Bridge

**The Strategic Differentiator. The Conversation Starter.**

| Attribute | Detail |
|-----------|--------|
| **Typical duration** | 30-60 days |
| **Typical investment** | Low to medium (labor; Azure OpenAI consumption; optional local inference hardware) |
| **Prerequisites** | M365 tenant; Azure subscription; data governance baseline strongly recommended |
| **Standalone value** | Shadow AI eliminated; sanctioned Azure OpenAI deployed; proprietary data protected; first custom model or RAG pipeline operational |
| **Typical client** | Organizations using ChatGPT/Claude/Gemini without governance; leadership asking "what is our AI strategy?"; competitors investing in AI |

**What is delivered**:

- Shadow AI usage inventory (proxy logs, endpoint scans, surveys)
- Azure OpenAI Service deployment with private endpoints and customer-managed keys
- Conditional access policies restricting AI access to approved users and devices
- Azure AI Foundry pilot: one RAG pipeline or fine-tuned model on proprietary data
- AI governance policy: approved use cases, prohibited data types, human-in-the-loop requirements
- User education: why sanctioned AI is safer and often better than public alternatives

**Executive pitch**:

> *"Your teams are already using AI—through personal accounts, browser tabs, and mobile apps. Every proprietary document they paste into ChatGPT trains a model that will eventually be sold to your competitors. We stop that leakage in two weeks by giving them a better, safer alternative. Then we build your first custom AI asset on data that never leaves your Azure region."*

**Natural next modules**: Module 9 (Organizational Resilience), Module 4 (Data Governance), Module 10 (Red Team & Validation)

**See**: [Azure OpenAI Sovereignty Bridge](azure-openai-sovereignty-bridge.md), [AI Sovereignty Framework](ai-sovereignty-framework.md)

---
### Module 6: On-Premise AD & Endpoint Hardening

**The Legacy Debt Cleanup. For Organizations with Feet in Both Worlds.**

| Attribute | Detail |
|-----------|--------|
| **Typical duration** | 45-60 days |
| **Typical investment** | Medium (labor; Sysmon/Wazuh deployment; possible hardware for PAWs) |
| **Prerequisites** | On-premise Active Directory; administrative access to domain controllers |
| **Standalone value** | KRBTGT rotated; LAPS deployed; Sysmon operational; privileged access tiered; Azure AD Connect secured |
| **Typical client** | Hybrid identity environments; SCCM/AD shops; post-Active-Directory-compromise recovery; NIS2-critical infrastructure |

**What is delivered**:

- Full AD identity census with orphan and privilege analysis
- KRBTGT password rotation (if > 180 days stale)
- LAPS deployment to all domain-joined workstations
- Sysmon deployment with SwiftOnSecurity configuration
- Privileged Access Workstation (PAW) architecture for Tier 0 admins
- Azure AD Connect hardening and audit
- AD FS security review (if present)
- Windows Defender maximization and firewall hardening

**Executive pitch**:

> *"Your Active Directory has been running for fifteen years. It has accounts from employees who left a decade ago, service accounts with passwords that never expire, and administrator accounts that log in from the same laptops used for email and browsing. In 45 days, we clean the foundation—and make it significantly harder for an adversary to gain a foothold."*

**Natural next modules**: Module 2 (Identity Security), Module 7 (Recovery & Resilience), Module 8 (OT Security Assessment)

**See**: [AD and Endpoint Hardening](../playbooks/ad-endpoint-hardening.md)

---
### Module 7: Recovery & Resilience Validation

**The Insurance Policy. Prove You Can Rebuild Before You Need To.**

| Attribute | Detail |
|-----------|--------|
| **Typical duration** | 30-45 days |
| **Typical investment** | Low to medium (labor; third-party backup if not already owned) |
| **Prerequisites** | Backup solution in place (even if untested); administrative access to critical systems |
| **Standalone value** | One critical system recovered from backup; runbooks documented; CMDB seeded; quarterly drill cadence established |
| **Typical client** | Organizations that have never tested recovery; recent ransomware scare; DORA/NIS2 compliance preparation; board demanding evidence |

**What is delivered**:

- Backup coverage inventory: what is backed up, how often, where, by what mechanism
- Recovery drill: one critical system restored to isolated environment with full validation
- CMDB seeding: T0 and T1 assets documented with owners, dependencies, and recovery requirements
- Recovery runbooks: documented, tested, and transferable to staff who did not design the system
- Immutable backup validation: ensure backups cannot be deleted by compromised admin accounts
- Quarterly recovery drill calendar established

**Executive pitch**:

> *"Most organizations discover they cannot recover from backup at 3 AM during an active ransomware incident. We discover it in a controlled test during business hours—when we can fix it without pressure. The question is not whether you have backups. The question is whether you have ever proven they work. We prove it."*

**Natural next modules**: Module 10 (Red Team & Validation), Module 8 (OT Security Assessment), Module 3 (M365 Security Hardening)

---
### Module 8: OT Security Assessment

**The Critical Infrastructure Module. For Power, Utilities, and Telco.**

| Attribute | Detail |
|-----------|--------|
| **Typical duration** | 45-90 days |
| **Typical investment** | Medium to high (labor; potential network hardware for segmentation) |
| **Prerequisites** | OT network access; cooperation from operations and engineering teams |
| **Standalone value** | IT/OT connection matrix; vendor access audit; manual override procedures validated; NIS2 evidence produced |
| **Typical client** | Power utilities; water/wastewater; telecommunications; manufacturing with SCADA/DCS |

**What is delivered**:

- OT asset inventory: SCADA, DCS, EMS, protection relays, RTUs, AMI
- IT-to-OT network connection mapping with business justification
- Vendor remote access audit and time-bounding
- Network segmentation plan: IT/OT DMZ, unidirectional gateway recommendations
- Manual override procedure documentation and validation
- NIS2/CER compliance evidence package
- Black start / islanding procedure test (power utilities)

**Executive pitch**:

> *"Your control room does not need email. Your protection relays do not need internet access. Every connection between IT and OT is a bridge an adversary can cross. We map those bridges, justify the ones that must remain, and eliminate the ones that put physical safety at risk. This is not IT security. This is operational survival."*

**Natural next modules**: Module 6 (On-Premise AD), Module 7 (Recovery & Resilience), Module 10 (Red Team & Validation)

**See**: [Vertical: Power and Utilities](../reference/vertical-power-utilities.md), [Vertical: Telco](../reference/vertical-telco.md)

---
### Module 9: Organizational Resilience

**The People and Process Module. Fix the Structure, Not Just the Tools.**

| Attribute | Detail |
|-----------|--------|
| **Typical duration** | 60-90 days |
| **Typical investment** | Medium (labor; no tooling cost) |
| **Prerequisites** | Executive sponsor with authority; willingness to experiment with team structure |
| **Standalone value** | One product team with embedded security; shift-left pilot operational; shared metrics proving velocity and security can coexist |
| **Typical client** | Organizations with siloed Dev/Sec/Ops; slow release cycles blamed on security gates; talent retention problems |

**What is delivered**:

- Current-state Dev/Sec/Ops friction mapping
- Pilot team selection and embedded security engineer placement
- CI/CD security gate deployment (automated scanning, not manual review)
- Shared OKR definition: team owns vulnerability count, change failure rate, recovery time
- Platform team or SRE team architecture (if appropriate)
- Blameless post-mortem process with structural mandate
- 90-day metrics report: before-and-after velocity, defect rates, team satisfaction

**Executive pitch**:

> *"Your development team ships fast. Your security team says no. Your operations team keeps the lights on. None of them are wrong—but the organizational boundary between them destroys all three goals. We do not reorganize your departments on day one. We embed security into one product team, measure the results, and let the metrics make the case for broader change."*

**Natural next modules**: Module 2 (Identity Security), Module 5 (AI Sovereignty Bridge), Module 10 (Red Team & Validation)

**See**: [Organizational Resilience](organizational-resilience.md)

---
### Module 10: Red Team & Validation

**The Proof Module. Validate Everything You Have Built.**

| Attribute | Detail |
|-----------|--------|
| **Typical duration** | 15-30 days (engagement) + quarterly re-testing |
| **Typical investment** | Medium to high (external red team; internal coordination) |
| **Prerequisites** | At least one other module deployed; operational incident response capability |
| **Standalone value** | Independent validation of security posture; kill chain identification; board-ready evidence |
| **Typical client** | Regulated industries requiring annual penetration testing; post-transformation validation; boards demanding proof |

**What is delivered**:

- Scoping and rules of engagement (aligned to DORA TLPT or CIS requirements)
- Adversarial simulation: external reconnaissance, initial access, lateral movement, impact
- M365-specific attack paths: BEC, OAuth consent abuse, conditional access bypass attempts
- OT-bounded red team (for critical infrastructure clients)
- Report with kill chain analysis and prioritized remediation
- Board presentation: findings, risk quantification, and evidence of control effectiveness
- Quarterly purple team exercises (optional retainer)

**Executive pitch**:

> *"You have invested in security controls. But controls that have not been tested are assumptions, not facts. A red team exercise is a controlled failure that proves whether your defenses work before a real adversary tests them. The board receives independent evidence—not consultant promises."*

**Natural next modules**: Any module where gaps were identified; typically cycles back to hardening modules.

---
### Module 11: Embedded Quality & Process Assurance

**The Presence Module. For Leaders Who Feel They Are Not in Control.**

| Attribute | Detail |
|-----------|--------|
| **Typical duration** | 60-90 days (12 weeks embedded) |
| **Typical investment** | Medium (labor; no tooling cost) |
| **Prerequisites** | Executive sponsor; team willing to be observed; tolerance for process change |
| **Standalone value** | Repeatable processes; accurate documentation; team confidence; friction reduction |
| **Typical client** | Heads of Security or Operations who say "we don't feel in control"; project teams behind schedule; teams with tool-shelfware |

**What is delivered**:

- Immersion report: formal vs. actual process map; invisible risks identified
- Friction reduction: fast wins that reduce daily pain and vulnerability
- Capability handover: team-owned documentation, self-assessment checklists, metrics dashboard
- Validation: team operates independently for one week; consultant steps back to advisory

**Executive pitch**:

> *"You have capable people, but the gap between what is documented and what is actually happening has grown too wide. I do not audit you. I join your team for 12 weeks, observe the reality of daily work, and help you close that gap. You will have repeatable processes, accurate documentation, and a team that trusts its own capability."*

**Natural next modules**: Module 9 (Organizational Resilience), Module 12 (Blue/Purple Team Foundation), Module 3 (M365 Security Hardening)

**See**: [Embedded Quality & Process Assurance](quality-management-engagement.md)

---
### Module 12: Blue / Purple Team Foundation

**The Capability Module. From Tool Ownership to Operational Defense.**

| Attribute | Detail |
|-----------|--------|
| **Typical duration** | 60-90 days |
| **Typical investment** | Medium (labor; leverages existing Microsoft security stack) |
| **Prerequisites** | Microsoft Defender (E5) or equivalent EDR; at least one security analyst; willingness to learn |
| **Standalone value** | Operating rhythm for SOC; first guided threat hunt; purple team charter; 12-month capability roadmap |
| **Typical client** | Organizations that own E5/Defender/Sentinel but underutilize them; SOC drowning in noise; no hunt discipline; red and blue teams do not collaborate |

**What is delivered**:

- Capability audit: maturity assessment of detection, response, hunting, and metrics
- Operating rhythm: weekly Secure Score reviews, alert triage playbooks, automated enrichment
- First guided threat hunt: hypothesis-driven search with documented methodology
- Purple team exercise: collaborative attack/defence simulation with detection gap analysis
- 12-month roadmap: prioritized capability improvements with resource requirements

**Executive pitch**:

> *"You have a Ferrari-grade security stack and drive it like a rental car. The tools are not the problem—the team's ability to use them is. I help you build the weekly cadence, the hunt discipline, and the purple team culture that turns telemetry into action. In 12 weeks, your team owns the capability, not just the licenses."*

**Natural next modules**: Module 10 (Red Team & Validation), Module 3 (M365 Security Hardening), Module 7 (Recovery & Resilience)

**See**: [Blue/Purple Team Foundation](blue-purple-team-foundation.md)

**Also see**: [Retained Capability](retained-capability.md) for the MSSP co-management and detection engineering model.

---
## Module Selection Guide

### For the Client Who Knows Their Pain

| Client Says | Start With Module | Typical Duration |
|-------------|-------------------|-----------------|
| "We need to manage remote devices" | Module 1: Endpoint Management | 30-45 days |
| "We had a phishing incident" | Module 2: Identity Security | 30-60 days |
| "Our E3 licenses feel wasted" | Module 3: M365 Security Hardening | 30-60 days |
| "The auditor is coming" | Module 4: Data Governance | 45-90 days |
| "What is our AI strategy?" | Module 5: AI Sovereignty Bridge | 30-60 days |
| "Our AD is a mess" | Module 6: On-Premise AD Hardening | 45-60 days |
| "Can we actually recover from backup?" | Module 7: Recovery & Resilience | 30-45 days |
| "We operate critical infrastructure" | Module 8: OT Security Assessment | 45-90 days |
| "Security slows us down" | Module 9: Organizational Resilience | 60-90 days |
| "Prove our security works" | Module 10: Red Team & Validation | 15-30 days |
| "We don't feel in control" | Module 11: Embedded Quality Assurance | 60-90 days |
| "We own tools but can't use them" | Module 12: Blue/Purple Team Foundation | 60-90 days |
| "Our outsourced SOC underperforms" | Module 12 (+ Retained Capability Audit) | 60-90 days |
| "Mythos/AI will find all our vulnerabilities" | AI-assisted TVM Sprint | 30-90 days |

### For the Client Who Does Not Know Where to Start

**The Diagnostic Path**:

1. **Week 1: Kill Chain Assessment** (included in scoping; no charge)
   - Interview stakeholders
   - Identify the shortest path to organizational failure
   - Recommend the module that closes the most critical gap
2. **Module selection based on kill chain**:
   - Kill chain starts with compromised endpoint → Module 1
   - Kill chain starts with stolen credentials → Module 2
   - Kill chain starts with unrecoverable systems → Module 7
   - Kill chain starts with OT bridge → Module 8

---
## Progressive Enhancement: How Modules Stack
### Path A: The M365-First Organization
```
Month 1-2: Module 1 (Endpoint Management)
↓ Discovers identity and AI gaps
Month 2-3: Module 2 (Identity Security)
↓ Discovers compliance and data gaps
Month 4-5: Module 4 (Data Governance)
↓ Discovers AI shadow usage
Month 5-6: Module 5 (AI Sovereignty Bridge)
↓ Discovers architectural fragility
Month 7-12: Module 10 (Red Team) + selected hardening
```
### Path B: The Hybrid Infrastructure Organization
```
Month 1-2: Module 6 (On-Premise AD Hardening)
↓ Discovers recovery and identity gaps
Month 2-3: Module 2 (Identity Security)
↓ Discovers endpoint visibility gap
Month 3-4: Module 1 (Endpoint Management)
↓ Discovers AI and data gaps
Month 5-8: Module 5 (AI Sovereignty) + Module 4 (Data Governance)
Month 9-12: Module 7 (Recovery Validation) + Module 10 (Red Team)
```
### Path C: The Critical Infrastructure Organization
```
Month 1-2: Module 8 (OT Security Assessment)
↓ Discovers IT/OT identity and recovery gaps
Month 2-3: Module 6 (On-Premise AD) + Module 2 (Identity Security)
Month 4-5: Module 7 (Recovery & Resilience)
↓ Validates black start, DR procedures
Month 6-9: Module 1 (Endpoint Management) + Module 3 (M365 Hardening)
Month 10-12: Module 10 (Red Team with OT scope)
```
### Path D: The "Not in Control" Organization
```
Month 1-3: Module 11 (Embedded Quality & Process Assurance)
↓ Discovers that tools are underutilized because processes are broken
Month 3-5: Module 12 (Blue/Purple Team Foundation)
↓ Builds operating rhythm for existing security stack
Month 5-7: Module 2 (Identity Security) + Module 3 (M365 Hardening)
↓ Technical fixes now stick because processes support them
Month 8-12: Module 10 (Red Team) + continuous improvement retainer
```
### Path E: The "Mythos / AI Vulnerability Panic" Organization
```
Week 1-2: AI-assisted TVM Baseline Sprint
↓ Discovers actual exploitable attack surface; beats adversary AI to first move
Month 1-2: Module 1 (Endpoint Management) + Module 2 (Identity Security)
↓ Closes the highest-risk doors while AI TVM operationalizes
Month 2-3: Module 3 (M365 Security Hardening) + AI TVM operationalization
↓ Automated remediation pipeline; <48h critical CVE response
Month 3-6: Module 12 (Blue/Purple Team) + continuous AI TVM improvement
↓ Purple team validates that open vulnerabilities are detected and contained
```
---
## Pricing and Engagement Structure

### Fixed-Scope Modules

Each module is sold with:

- **Fixed price** (or fixed daily rate with capped days)
- **Fixed duration** (hard stop)
- **Defined deliverables** (checklist)
- **Go/no-go gate** before any expansion

**Example module statement of work**:

```
Module: Endpoint Management Foundation
Duration: 30 business days
Investment: €[X]
Deliverables:
[ ] Device inventory: 100% of corporate devices identified
[ ] Enrollment: 90%+ of corporate devices managed
[ ] Compliance baseline: encryption, OS version, password policy deployed
[ ] Application inventory: shadow IT report delivered
[ ] Conditional access: compliant device required for M365
[ ] Training: client admin team operational
[ ] Handover: runbooks and monitoring dashboard
Go/No-Go Gate: Day 30 steering committee
→ If value demonstrated: propose Module 2 (Identity Security)
→ If value not demonstrated: engagement concludes with findings report
```
### Module Bundles (Optional)

For clients ready to commit to a multi-module journey, offer **discounted bundles**:

| Bundle | Modules | Discount | Typical Timeline |
|--------|---------|----------|-----------------|
| **M365 Foundation** | 1 + 2 + 3 | 10% | 90-120 days |
| **M365 Secure** | 1 + 2 + 3 + 4 + 5 | 15% | 180 days |
| **Hybrid Hardening** | 1 + 2 + 3 + 6 + 7 | 15% | 180 days |
| **Critical Infrastructure** | 1 + 2 + 6 + 7 + 8 + 10 | 20% | 270 days |
| **Capability Building** | 11 + 12 + 2 + 3 | 15% | 180 days |
| **MSSP Optimization** | Retained Capability Audit + 12 + 10 | 15% | 120-180 days |
| **AI TVM Sprint** | AI-assisted TVM + 1 + 2 + 3 | 15% | 90-120 days |

**The rule**: Bundles are discounted but still phase-gated. Each module has its own go/no-go. The client can pause or stop after any module.

---
## Sales Enablement

### The Modular Pitch

> *"We do not sell one-size-fits-all transformation programs. We sell specific, bounded modules that solve specific problems. You can start with any module—whichever pain is keeping you awake at night. Each module delivers measurable value in 30-60 days. If you like the results, we add the next module. If you do not, we stop. No long-term commitment. No sunk cost. Just building blocks that make your organization stronger."*

### The Discovery Question Sequence

1. *"What is the shortest path to a business-ending incident here?"* (Identifies kill chain)
2. *"Which of your security investments are you least sure about?"* (Identifies untapped tooling)
3. *"If you could fix one thing in the next 60 days, what would it be?"* (Identifies module selection)
4. *"What have you tried before that did not work?"* (Avoids repeating failures)
5. *"What would make you confident enough to expand to the next phase?"* (Defines go/no-go criteria)

---
## Integration With Existing Frameworks

| Document | Integration |
|----------|-------------|
| [Rapid Modernisation Plan](../playbooks/rapid-modernisation-plan.md) | Each module maps to one or more rapid modernisation phases |
| [Business Case Template](../playbooks/business-case-template.md) | Modular pricing structure; per-module ROI |
| [C-Suite Conversation Guide](c-suite-conversation-guide.md) | Modular pitching scripts and objection handling |
| [M365 Antifragile Project](../playbooks/m365-antifragile-project.md) | Modules 1-5 map directly to M365 project workstreams |
| [Antifragile Risk Register](../assessment-templates/antifragile-risk-register.md) | Each module closes a defined risk category |

---

*For the full 180-day rapid modernisation plan, see [Rapid Modernisation Plan](../playbooks/rapid-modernisation-plan.md).*

*For module-specific tactical guidance, see the linked playbooks in each module description.*