antifragile/antifragile-consulting/playbooks/rapid-modernisation-plan.md

Rapid Modernisation Plan

"We must change our strategy from 'detect the attacker in time' to 'become the target that is not worth attacking.' Reactive mode is unsustainable. We must ensure the game is played on our field."

For the Executive Reader

This is not a three-year digital transformation. It is a 180-day foundation programme with measurable progress at each phase gate.

Phase	Timeline	What the Board Sees
Visibility	Days 0–60	We know the kill chain. T0 assets are identified, critical privileges are mapped, and logging is operational.
Control	Days 60–120	The highest-risk kill chain nodes are closed. MFA is enforced on privileged accounts. Critical gaps have evidence-backed remediation.
Signal	Days 120–180	Detection capability is built on the hardened foundation. Housekeeping is running as a permanent stream. The organisation can operate and maintain what was built.
Antifragility	Ongoing	Structural improvement, retained capability, and progressive reduction of technical debt. This phase does not end.

What 180 days delivers: A hardened foundation, closed kill chain, operational detection capability, and the processes to sustain them. Not a complete transformation — a credible, maintained starting point.

What 180 days does not deliver: Elimination of all technical debt (that takes years), full AI sovereignty (that is a multi-year journey), or zero vendor dependencies (that is an ongoing programme). Promising otherwise is dishonest and destroys client trust when reality arrives.

Investment principle: Configuration first. Procurement only if justified. Most value is extracted from existing tools before any new purchase is discussed.

Governance: Weekly check-in with named client lead. Monthly steering committee. Hard go/no-go gates at days 60, 120, and 180.

Modularity: Every phase can be delivered as an independent, fixed-scope module. See Modular Engagements for the standalone engagement menu.

For the business case and financial justification, see Business Case Template. For board conversation guidance, see C-Suite Conversation Guide.

---

For the Practitioner

What This Plan Is Not

Before using this roadmap with a client, be honest about what it commits to.

Not a sprint. The most common failure mode is treating security modernisation as a project that ends. It does not end. The 180-day programme establishes processes and capabilities that must run permanently. If the client does not have the internal resources to continue what we build, we need to have that conversation before we start.

Not a full audit. Phase 1 does not produce a complete identity inventory, a comprehensive vulnerability assessment, or an exhaustive compliance gap analysis. It produces a kill chain map and enough visibility to close existential risks. The full audit takes months and tends to produce reports that paralyse rather than mobilise.

Not compatible with staff paralysis. Organisations dealing with active incidents, leadership changes, or major concurrent projects cannot execute this plan on the stated timeline. The timeline is predicated on a named client lead with 30–40% availability and access provisioned before day 1.

Not vendor-agnostic in execution. The plan references Microsoft 365 environments as the primary context because that is most clients' reality. Non-Microsoft environments follow the same logic but require different specific tools. See the Platform Adaptation appendix in Modular Engagements.

---

Phase 1: Visibility (Days 0–60)

Theme: You cannot defend what you cannot see. You cannot fix what you cannot prioritise.

The first 60 days are about kill chain mapping and critical visibility — not about fixing everything. The goal is a clear, ranked picture of what would end the organisation, and initial closure of the most accessible existential gaps.

Why 60 days, not 30: A 30-day identity blitz sounds fast. It is also the fastest path to disabling a service account that runs payroll at 2 AM on Friday. Week 1 is documentation and baseline. Fixes require understanding the environment first. See the engagement model's week 1 discipline — it applies to every phase of this plan.

Weeks 1–2: Baseline and Kill Chain Mapping

No changes in week 1. Document and understand.

Action	Owner	Deliverable
Export current identity state: all accounts, groups, privilege assignments	IAM / Security	Identity inventory — stale, active, privileged, service
Run BloodHound collection; run Elysium password audit	Security	AD attack path map; compromised credential list
Run CAExporter for Conditional Access documentation	Security	Human-readable CA policy register with gaps highlighted
Deploy ASTRAL for M365 configuration baseline	Security	Committed tenant baseline; first drift detection operational
Map all public-facing assets	Security	External attack surface register with P0 classification
Identify the kill chain: shortest path from "nothing bad" to "organisation fails"	Security Architect	Kill chain document — maximum 2 pages; reviewed with executive sponsor

Weeks 3–4: T0 Identity Hardening

Target: privileged accounts only. Not all accounts.

Action	Owner	Deliverable
Force-reset accounts identified as compromised by Elysium (P0)	IAM	Password reset log with verification
Enforce MFA on all T0 accounts: Global Admins, Domain Admins, backup admins, service principals with high privilege	IAM	MFA coverage report for T0 accounts
Review and disable accounts that are clearly orphaned: departed employees confirmed by HR	IAM	Disable log — only accounts with confirmed ownership resolution
Rotate KRBTGT and critical service account passwords	AD	Rotation log; tested without service disruption
Review and remove direct Global Admin assignments; move toward PIM or named individual accounts	IAM	Privilege assignment review

What we do not do in weeks 3–4: We do not attempt to disable all unknown accounts. We do not attempt to resolve all service account ownership. We do not attempt to achieve 100% MFA on all users. These are Phase 2 activities, started after the kill chain is closed and the environment is understood.

Weeks 5–6: Logging, Perimeter, and Critical Asset Inventory

Action	Owner	Deliverable
Deploy PULSAR for M365 audit log ingestion	Security	Audit events ingested; watermarks established; search operational
Enable logging for T0 systems where it is missing	Security	Logging coverage report for T0/T1 assets
Audit all vendor and third-party remote access paths	Security / Procurement	Vendor access inventory with remove/restrict list
Scan public-facing assets for critical CVEs	Security	Prioritised findings: P0 (internet-facing, critical CVE), P1, P2
Seed CMDB with T0 assets	IT / Security	T0 asset register with ownership, backup status, recovery procedure
Validate backup integrity for T0 assets	Backup Admin	Backup test report — at least one successful restore per T0 system

Weeks 7–8: Kill Chain Closure and Phase 1 Wrap

Action	Owner	Deliverable
Close P0 vulnerabilities identified in week 5–6 scan	Security	Remediation log with verification
Restrict or close the highest-risk vendor access paths	Security / Procurement	Vendor access changes confirmed
Implement basic network segmentation between IT and OT (if applicable)	Network / OT	Segmentation policy; validated firewall rules
Phase 1 review: re-run BloodHound and Elysium against week 1 baseline	Security	Before/after comparison; revised kill chain assessment
Establish housekeeping queue: stale accounts, orphaned permissions, legacy protocols	IAM / Security	Queue populated; named owner; monthly cadence confirmed

Phase 1 Exit Criteria

• Kill chain documented and reviewed with executive sponsor
• T0 accounts: MFA enforced, privilege reviewed, compromised credentials reset
• P0 vulnerabilities (internet-facing, critical CVE) closed
• ASTRAL deployed; M365 baseline committed
• PULSAR deployed; M365 audit logs ingesting
• T0 asset CMDB complete with backup integrity verified
• Vendor access inventory complete; highest-risk paths closed
• Housekeeping stream established: named owner, cadence, populated queue

What "complete" does not mean at day 60: All identities validated. All shared accounts eliminated. MFA on 100% of users. Zero legacy protocols. These are legitimate targets — they belong in the housekeeping queue and Phase 2 work, tracked, resourced, and given realistic timescales.

---

Phase 2: Control (Days 60–120)

Theme: Close the kill chain. Build on what is understood, not what is assumed.

Phase 2 takes the kill chain map from Phase 1 and systematically closes the structural gaps. The work is less about discovery and more about verified remediation with proper change management.

Weeks 9–10: MFA and Identity Hardening (Broad Rollout)

Phase 1 hardened T0. Phase 2 extends to all users — with proper change management.

Action	Owner	Deliverable
Enforce MFA on all remote access: not just T0, but all users	IAM	MFA coverage report (% of users) — target 100% enforced, not just enrolled
Block legacy authentication protocols tenant-wide	IAM	Legacy auth block confirmed via CAExporter and sign-in log review
Deploy Conditional Access baseline: device compliance, location, sign-in risk	IAM	CA policy set deployed and tested; rollback documented
Continue housekeeping queue: first monthly cycle	IAM	Accounts resolved this cycle; queue status report

Change management is the constraint here, not technical complexity. MFA rollout for 500 users requires helpdesk preparation, communication, exception handling, and at minimum two weeks of lead time. Scope this honestly. A rollout that generates 200 support tickets and forces an exception for the CEO because his phone broke is a rollout that gets walked back.

Weeks 11–12: Attack Surface Reduction

Action	Owner	Deliverable
Deploy Intune compliance policies; enforce device compliance in CA	Endpoint / IAM	Compliance policy set; non-compliant device access blocked
Harden admin access: dedicated admin accounts, PAW where feasible	Security	Admin account architecture; PAW deployed for T0 admins
Implement ASR rules on all managed endpoints	Endpoint Security	ASR policy deployed; compliance measured
Review and remove excessive application permissions (OAuth grants, service principals)	IAM	App permission audit; high-risk grants reviewed and reduced

Weeks 13–14: Network Hardening and Vendor Governance

Action	Owner	Deliverable
Implement DNS security: filtering and logging	Network	DNS security coverage report
Harden vendor remote access: time-bounded, MFA, session recording	Security / Procurement	Vendor access gateway operational; access policy enforced
Patch P1 vulnerabilities from Phase 1 scan	Security	Remediation log; rescan confirming closure
Establish change window discipline: all production changes through approved process	IT / Security	Change management process documented and operational

Weeks 15–16: Verification and Phase 2 Wrap

Action	Owner	Deliverable
Re-run BloodHound, Elysium, and CAExporter against Phase 1 baseline	Security	Attack path reduction report; before/after metrics
Run Purple Knight / E8-CAT against AD and M365	Security	Security score comparison; residual findings list
Review ASTRAL drift log for Phase 1–2 period	Security	Configuration change audit; unauthorised drift incidents
Review PULSAR audit log: anomalous events flagged, investigated, resolved	Security	Audit review report
Update risk register: what Phase 1–2 closed, what remains open, what Phase 3 addresses	Security	Updated risk register signed off by client lead
Housekeeping queue: second monthly cycle	IAM	Queue status; cumulative accounts resolved

Phase 2 Exit Criteria

• MFA enforced for 100% of users (not just enrolled — enforced via CA policy)
• Legacy authentication blocked tenant-wide
• CA baseline deployed and tested
• ASR rules active on all managed endpoints
• P1 vulnerabilities from Phase 1 scan closed
• Vendor remote access hardened and inventoried
• Attack path reduction measurable against Phase 1 BloodHound baseline
• Housekeeping queue running; two cycles completed

---

Phase 3: Signal and Retained Capability (Days 120–180)

Theme: Build detection on the hardened foundation. Build the capability to sustain what was built.

Phase 3 starts only after Phase 2 exit criteria are met. Detection engineering on an unhardened environment is waste — the signal-to-noise ratio is too low to produce actionable intelligence.

Why not AI Sovereignty in Phase 3: AI sovereignty — local models, owned inference infrastructure, sovereign cognitive capability — is a multi-year programme, not a 30-day sprint. Hardware procurement alone typically takes 6–12 weeks. Claiming it as a Phase 3 deliverable sets up the engagement to fail. AI sovereignty begins with the audit work in Phase 1 (AI usage inventory, classification, assessment of vendor terms) and continues as a separate parallel initiative. The Azure OpenAI Sovereignty Bridge is the appropriate near-term stepping stone. See AI Sovereignty Framework and Azure OpenAI Sovereignty Bridge.

Weeks 17–18: Detection Engineering Foundation

Action	Owner	Deliverable
Write initial PULSAR alert rules: CA policy changes, new Global Admin assignments, bulk mailbox export, app permission grants outside change window	Security	Alert rule set deployed; test-triggered and validated
Review SIEM coverage: which T0 events generate alerts, which do not	Security	Detection coverage map against MITRE ATT&CK top 10 for M365
Tune ASTRAL rolling PRs: configure reviewer notification, test reject/restore flow	Security	ASTRAL review workflow operational; first restore test completed
Establish alert response runbooks: who gets notified, what they do, what they escalate	Security / Client Lead	Runbooks for top 5 alert types

Weeks 19–20: Endpoint and Identity Detection

Action	Owner	Deliverable
Deploy Wazuh or verify existing EDR coverage for on-premise systems	Security	Endpoint detection coverage report
Write custom detection rules for kill chain-specific TTPs identified in Phase 1	Security	Custom rule set tuned to client environment
Establish weekly threat review cadence: PULSAR event summary + ASTRAL drift review	Security / Client Lead	First weekly review completed; format agreed
AI usage audit: classify current AI workflows by data sensitivity and vendor agreement	Security / Legal	AI usage register; high-risk workflows flagged for remediation

Weeks 21–24: Knowledge Transfer and Handover

The most important deliverable of Phase 3 is the client's ability to operate everything without us.

Action	Owner	Deliverable
Runbook completion: every system built or modified has an operating runbook	Security / Client Team	Runbook set reviewed and signed off by client IT lead
Client training: ASTRAL drift review workflow, PULSAR event search, alert response	Security	Training delivered; client IT lead can demonstrate competency
Housekeeping queue: third and fourth monthly cycles	IAM	Queue status; cumulative resolution metrics
Document what was built: configuration baseline document for every module	Security	Module completion package delivered
Phase 3 review: risk register update, metrics summary, Phase 4 / retained capability recommendation	Security	Final 180-day programme review with executive sponsor

Phase 3 Exit Criteria

• PULSAR alert rules operational for top 5 M365 risk scenarios
• ASTRAL drift review workflow operational; first restore tested
• Custom detection rules written for client-specific TTPs
• Weekly threat review cadence established and running
• All runbooks completed and signed off by client IT lead
• Client IT lead can operate ASTRAL and PULSAR without consultant support
• AI usage registered and high-risk workflows flagged
• Housekeeping queue: four consecutive cycles completed

---

Phase 4: Antifragility (Ongoing)

Theme: The programme does not end. The organisation learns faster from disruption than competitors do.

Phase 4 is not a 30-day sprint. It is an ongoing operational posture. The 180-day programme establishes the foundation; Phase 4 is what happens when that foundation is maintained and extended over months and years.

Phase 4 activities (initiated at 180 days; sustained indefinitely):

• Retained capability: Monthly ASTRAL drift review, PULSAR event summaries, quarterly Elysium/BloodHound scans, housekeeping queue advancement
• Detection engineering: Progressive extension of alert rule coverage; tuning based on real events; quarterly rule review
• Structural improvement: Exit architectures for vendor dependencies, progressive elimination of legacy systems, planned OT technology refresh
• Chaos engineering: Controlled failure exercises — starting with non-production, progressing to production once detection and recovery capability is confirmed
• Red team exercises: Annual structured adversarial testing — not before Phase 2 is complete and detection is operational
• AI sovereignty programme: Local inference infrastructure, where justified by workload and capability; AURORA deployment for M365 governance intelligence; sovereign AI as a parallel multi-year initiative
• Greenfield capability building: Configuration as code for all managed systems; tested migration procedures; documented rebuild path

What makes Phase 4 real: A named person who owns the housekeeping queue. A calendar-blocked weekly threat review. A quarterly retained capability scope. Without these, Phase 4 does not happen — and everything built in 180 days begins to rot.

---

Success Metrics

Dimension	Metric	Realistic Target
Kill chain	Kill chain nodes closed	100% of P0 nodes closed by day 120
Identity	MFA enforcement on privileged accounts	100% of T0 accounts by day 60; 100% of all accounts by day 120
Configuration	ASTRAL drift detected and reviewed	Weekly; 100% of unauthorised drift investigated within 48h
Audit trail	PULSAR retention operational	12+ months of M365 audit events retained by day 60
Housekeeping	Stale accounts resolved per quarter	Measurable queue reduction each cycle; not a fixed % target
Recovery	T0 system recovery test completed	At least one per T0 system within 180 days
Handover	Client IT lead operational independence	All built systems operable without consultant by day 180

On metrics and honesty: Avoid targets that sound like achievements but are not verifiable. "100% of identities validated" cannot be verified in 180 days in any organisation with meaningful history. "All T0 accounts with MFA enforced and verified via CA sign-in logs" is verifiable. Write metrics you can prove, not metrics that sound ambitious.

---

Governance and Cadence

Weekly Check-In (30 minutes, every week)

• Change log review: what was completed, what is blocked
• Client decisions required this week
• Risks and open items

If this meeting is consistently cancelled by the client, the engagement pauses until it resumes.

Monthly Steering Committee (60 minutes)

• Phase progress against exit criteria
• Risk register review
• Housekeeping queue status
• Budget and scope review
• Next phase / retained capability planning

Phase Gate Reviews (Days 60, 120, 180)

Hard go/no-go decisions. Not formalities. If phase exit criteria are not met, the programme does not advance — it addresses the gaps.

---

Adaptation Guide

Small Organisations (< 100 employees)

• Phase 1 focus: kill chain, T0 accounts, ASTRAL/PULSAR deployment. Skip broad identity audit — it is not necessary for small populations.
• Phase 2 focus: MFA for all users (achievable quickly at small scale), basic CA, device compliance.
• Phase 3 focus: runbooks and handover. Detection engineering is proportional to environment complexity.
• Do not compress the timeline further. The bottleneck at small organisations is almost always IT resource availability and change management, not technical complexity.

Regulated Industries (Finance, Healthcare, Critical Infrastructure)

• Extend Phase 1 to 90 days where regulatory mapping and OT inventory are required.
• Add compliance validation gates at each phase exit — specific evidence requirements for NIS2/DORA/GDPR.
• The housekeeping stream is non-negotiable for regulators who require demonstrable continuous control.

Organisations with Heavy Technical Debt

• Accept explicitly, in writing, that 20 years of debt will not be cleared in 180 days.
• Phase 1 focus is kill chain only. The full debt picture goes into the housekeeping queue and the Phase 4 backlog.
• The rapid modernisation plan addresses existential risk. The housekeeping stream addresses accumulated risk over time. Both are necessary; neither replaces the other.
• Adjust Phase 2 exit criteria to reflect the realistic pace of MFA rollout in high-debt environments — legacy systems often require extended exception handling.

OT/Critical Infrastructure Environments

• Phase 1 must include OT asset inventory and IT/OT connection map.
• Phase 2 segmentation work (IT/OT boundary) is the primary kill chain closure, not identity hardening.
• See Vertical: Power and Utilities and the Critical Infrastructure Adaptation in Move Fast and Fix Things.

---

Next: Implementation Playbook Previous: T0 Asset Framework