cqrenet/antifragile
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
dc833365675bb1b8ef8f621f913ce2356ddfaa48
antifragile/antifragile-consulting
T
History
Claude Sonnet 4.6 dc83336567 feat: Add assessment team guide for Brownhat Diagnostic execution 
New: assessment-templates/assessment-team-guide.md

Pre-engagement: access checklist (M365, AD, docs); tool preparation
with deployment times; what to do if access is not ready.

Day 1 discipline: deploy ASTRAL and PULSAR before workshops start.
Step-by-step ASTRAL and PULSAR deployment commands. Passive external
scan in background. Microsoft Secure Score baseline.

Workshop signals: table of client statements -> likely findings ->
what to check on Day 2. Feeds technical assessment planning.

Day 2-3 tool runs in sequence:
1. CAExporter (30 min) - CA policy reality check; report-only mode;
   exclusion groups defeating the purpose
2. BloodHound (1-2h) - 5 required queries; KRBTGT last set check;
   Domain Admins on workstations; service account attack paths
3. Elysium (2-4h) - privilege requirements noted; privacy model
   explanation; what to document
4. Purple Knight (30 min) - indicators to focus on; cross-reference
   with BloodHound
5. Entra ID manual checks (1h) - app registrations, guest accounts,
   MFA registration status, AD Connect sync account
6. Intune/endpoint check (30 min) - via ASTRAL output
7. External attack surface (30-60 min) - Nmap, Shodan, crt.sh
8. Firewall rule review (30-60 min) - what to look for
9. Backup spot check (30 min) - the 'green tick' test

Kill chain synthesis: explicit step-by-step method for tracing
from outside to organisational failure.

Finding triage: kill chain test table; common priority inflation
mistakes.

Quick wins: 8-item checklist; three tests a quick win must pass.

Report structure: 5 sections, target 15-25 pages, specific guidance
per section including what makes a weak vs strong finding.

ASERAL/PULSAR handover requirements before leaving site.

9 common assessment mistakes named explicitly.

Post-assessment checklist: 10 items before submitting the report.

index.md and assessment-templates/README.md updated.

Co-Authored-By: Tom Kracmar <tom+claude@cat6.cz>
2026-06-05 10:42:18 +00:00
..
assessment-templates
feat: Add assessment team guide for Brownhat Diagnostic execution
2026-06-05 10:42:18 +00:00
assets
feat: Add engagement model, consultant field guide, deliverable templates, CQRE tools integration, and Czech localization
2026-05-27 21:33:52 +02:00
core
feat: Add findings backlog as pragmatic alternative to risk register
2026-06-05 10:09:08 +00:00
playbooks
feat: Add findings backlog as pragmatic alternative to risk register
2026-06-05 10:09:08 +00:00
reference
chore: Full consistency scan — AOC->PULSAR, fix training-data claims, fix 90% claim
2026-06-05 07:05:13 +00:00
index.md
feat: Add assessment team guide for Brownhat Diagnostic execution
2026-06-05 10:42:18 +00:00
README.md
chore: Full consistency scan — AOC->PULSAR, fix training-data claims, fix 90% claim
2026-06-05 07:05:13 +00:00

README.md

Antifragile Enterprise Consulting Repository

"Wind extinguishes a candle and energizes fire. You want to be the fire and wish for the wind." — Nassim Nicholas Taleb

This repository contains reusable frameworks, playbooks, and assessment resources for consulting engagements focused on building antifragile organizations—enterprises that do not merely survive disruption but grow stronger from it.

What Is Antifragile?

Most security and resilience frameworks optimize for robustness—the ability to withstand shocks. Antifragility goes further. An antifragile system:

  • Benefits from volatility and stressors
  • Learns faster from failures than from successes
  • Decentralizes critical functions to avoid single points of failure
  • Treats optionality as a strategic asset, not overhead

Repository Structure

├── core/                           # Foundational frameworks and principles
│   ├── about-cqre.md               # Company overview template — fill before sharing with clients
│   ├── about-cqre-cs.md            # Czech version of company overview (O společnosti CQRE)
│   ├── move-fast-and-fix-things.md # Company philosophy: speed, repair, existing tools (Brownhat brand)
│   ├── engagement-model.md         # How engagements work: lifecycle, deliverables, pricing, consultant discipline
│   ├── consultant-field-guide.md   # Internal playbook: decision models, qualification, mistakes, technical onboarding
│   ├── antifragile-manifest.md     # The five pillars of antifragile enterprise
│   ├── modular-engagements.md      # Menu of independent, self-contained modules
│   ├── ai-sovereignty-framework.md # AI sovereignty as a strategic mandate
│   ├── ai-operations-inevitability.md # Why defensive AI is inevitable (business AI is optional)
│   ├── azure-openai-sovereignty-bridge.md # Azure OpenAI/Foundry as sovereignty stepping stone
│   ├── organizational-resilience.md  # Dev/Sec/Ops merger and shift-left arguments
│   ├── quality-management-engagement.md   # Embedded process assurance for teams feeling "not in control"
│   ├── blue-purple-team-foundation.md     # Building defensive capability from existing tools
│   ├── retained-capability.md             # What to keep in-house when outsourcing security (MSSP, pentest, compliance)
│   ├── executive-summary.md          # One-page board brief
│   ├── executive-summary-cs.md       # Czech version of board brief (Výkonné shrnutí)
│   ├── c-suite-conversation-guide.md # Persuasion scripts for top management
│   └── t0-asset-framework.md       # Tier 0 asset classification and protection
├── playbooks/                      # Executable modernisation and response plans
│   ├── rapid-modernisation-plan.md # 30-60-90-180 day transformation roadmap
│   ├── endpoint-management-entry-vector.md # Intune/device management as engagement entry point
│   ├── ai-assisted-tvm.md          # AI-powered vulnerability management blueprint
│   ├── zero-budget-vulnerability-discovery.md # Script-based vuln discovery without commercial scanners
│   ├── perimeter-scanning-capability.md # External attack surface scanning strategy
│   ├── osquery-custom-platform.md    # Build a sovereign vuln/asset discovery platform on osquery
│   ├── m365-antifragile-project.md # M365 greenfield/modernisation with antifragile design
│   ├── m365-e3-hardening.md        # M365 E3-specific tactical hardening
│   ├── ad-endpoint-hardening.md    # On-prem AD, Windows endpoint, hybrid identity
│   ├── zero-budget-hardening.md    # Maximize existing tool investment
│   ├── implementation-playbook.md  # Step-by-step operational guide
│   ├── cqre-product-suite.md       # ASTRAL, PULSAR, AURORA: details, alignment, deployment
│   ├── sovereign-tool-stack.md     # Full arsenal: CQRE products, open-source, and commercial tools
│   ├── privileged-access-architecture.md # PAM: Teleport, Tailscale/Headscale, JIT access (Module 13)
│   ├── sovereign-communications.md # Delta Chat chatmail, Matrix/Element, crisis channels (Module 14)
│   └── business-case-template.md  # Financial justification and ROI framework
├── assessment-templates/           # Diagnostic tools and maturity models
│   ├── README.md                   # Assessment roadmap and development plan
│   ├── nist-csf-baseline.md        # The Brownhat Diagnostic: 2-half-day NIST CSF workshop (entry engagement)
│   ├── nist-csf-baseline-cs.md     # Czech version of Brownhat Diagnostic workshop questionnaire
│   ├── module-completion-report.md # Template for the module completion package (every module)
│   ├── risk-register-example.md    # 8 fully populated risk entries from a realistic engagement
│   ├── antifragile-risk-register.md # Antifragile risk taxonomy and register template
│   └── m365-project-risk-register.md # M365 project-specific risk register
├── reference/                      # External standards, mappings, and citations
│   ├── cis-controls-mapping.md     # CIS Controls v8 alignment
│   ├── nist-csf-mapping.md         # NIST CSF 2.0 alignment
│   ├── vertical-power-utilities.md # Power generation, transmission, water utilities
│   ├── vertical-telco.md           # Telecommunications and mobile operators
│   └── vertical-banking.md         # Financial services regulatory alignment
└── assets/                         # Diagrams, visuals, and presentation materials

What Is Brownhat?

Brownhat is the delivery brand for CQRE consulting engagements. The name is a deliberate rejection of the traditional hat colour taxonomy in security (black hat / white hat / grey hat) — our work is not about adversarial simulation or compliance theatre. It is about the unglamorous, practical work of making real environments more resilient: brownfield by design, working with what exists, fixing what matters most.

The Brownhat methodology is the operational posture behind every engagement: move fast, extract value from existing investments, and close existential gaps before they become incidents. The Brownhat Diagnostic is the specific entry engagement — a structured NIST CSF 2.0 baseline assessment that every new client completes before any module recommendation is made.

Our Posture: Move Fast and Fix Things

This practice is built on a simple, actionable stance: move fast and fix things. We do not wait for perfect plans. We identify the kill chain, extract value from existing investments, and close existential gaps before they become incidents.

  • Speed is a security control. A realistic engagement delivers 3060% of an ideal posture in 180 days — infinitely better than the 100% solution that stays in planning and never ships.
  • Work beats purchases. Most organizations own 60-80% of the capabilities they need. We configure and operationalize before we shop.
  • Every fix must produce a signal. A remediation without telemetry is a remediation that will rot.

Read the full Move Fast and Fix Things philosophy.

Core Pillars

  1. Structural Decoupling — Remove hidden dependencies before they become fatal ones
  2. Optionality Preservation — Maintain strategic exits and alternatives at every layer
  3. Stress-to-Signal Conversion — Turn failures, attacks, and outages into intelligence
  4. Sovereign Intelligence — Own your cognitive infrastructure; never rent your ability to think
  5. Asymmetric Payoff Design — Engineer outcomes where small investments yield disproportionate protection

Standards Alignment

Our approach is not an alternative to established frameworks. It is the fastest path to meeting them while building real resilience:

  • CIS Controls v8 — IG1 as a non-negotiable 90-day floor, achieved primarily through existing tool configuration
  • NIST CSF 2.0 — All six functions addressed with emphasis on GOVERN as the missing keystone
  • NIS2 (EU 2022/2555) — Every engagement produces direct evidence for the Article 21 measures: configuration management (ASTRAL), logging and monitoring (PULSAR), access control, and incident detection. Essential and important entities under NIS2 will find the Brownhat module set directly maps to their supervisory obligations.
  • DORA (EU 2022/2554) — ICT change management records (ASTRAL Git trail), incident log retention (PULSAR), and ICT third-party risk governance map onto DORA Articles 10 and 11. Designed for financial entities who need demonstrable controls, not documentation exercises.
  • GDPR Article 32 — Continuous configuration governance and audit log retention constitute "appropriate technical measures" under the accountability principle. Evidence produced by ASTRAL and PULSAR is directly usable in DPA and auditor reviews.

Quick Start for Executives and Board Members

  1. Read Executive Summary — one page, five minutes, the full case
  2. Review Business Case Template — financial justification, ROI, and risk quantification
  3. Browse C-Suite Conversation Guide — how your advisors should frame the conversation

Platform Independence

This framework is platform-agnostic at the strategic level. The Antifragile Manifest, assessment methodology, and Sovereign Tool Stack operate independently of any vendor ecosystem.

Many playbooks use Microsoft 365 as the reference environment because it is the most common client footprint (E3/Business Premium). Consultants working with Google Workspace, AWS-native, or mixed environments should read the Platform Adaptation appendix in Modular Engagements, which maps every M365-specific module to equivalent non-Microsoft tooling.

Quick Start for Consultants

  1. Open core/move-fast-and-fix-things.md — understand the engagement posture and the Brownhat brand
  2. Read core/engagement-model.md — understand how engagements are structured, scoped, priced, and delivered
  3. Read core/consultant-field-guide.md — internalize the decision models, learn to qualify clients, understand the common mistakes
  4. Read core/antifragile-manifest.md — understand the philosophy
  5. Study core/modular-engagements.md — the full module menu (Modules 114) and platform adaptation guide
  6. Run assessment-templates/nist-csf-baseline.md — the Brownhat Diagnostic: mandatory entry engagement for every new client
  7. Study playbooks/sovereign-tool-stack.md — the full tool arsenal, commercial partnerships, and when to use each
  8. Study playbooks/m365-e3-hardening.md — primary client environment for MS clients (most are E3)
  9. Study playbooks/ad-endpoint-hardening.md — on-premises AD and endpoint gaps
  10. Study playbooks/zero-budget-hardening.md — extract value from existing tools in 30 days
  11. Deploy playbooks/rapid-modernisation-plan.md — run the 30-60-90-180 day roadmap
  12. Reference core/t0-asset-framework.md and core/ai-sovereignty-framework.md — classify assets and own intelligence
  13. Map reference/cis-controls-mapping.md and reference/nist-csf-mapping.md — align to standards
  14. Adapt reference/vertical-power-utilities.md, reference/vertical-telco.md, or reference/vertical-banking.md — tailor for regulated critical infrastructure clients

Usage and Licensing

These documents are designed for reuse across client engagements. Adapt, remix, and extend. Credit the framework when presenting externally.

Built for practitioners who defend the future, not just the perimeter.

Reference in New Issue View Git Blame Copy Permalink