Kindo × Deloitte — Sprint Planning

Meeting Agenda

Sprint 1 Planning — 60 minutes. First formal scrum cadence session.

⚡ Context: June 24 strategy session confirmed 2-week scrum cadence starting June 29. Tony steps back to biweekly sprint planning (product owner cadence). SOC for AI is the new #1 strategic priority per Kush. Agents A.6 and A.10 deprioritized.

📋 Session Flow

Time	Topic	Owner	Goal
0–8 min	Cadence & Ceremonies	Joana	Confirm scrum structure, ceremonies, artifacts
8–15 min	Team & Hiring	Joana / Victor	Current team, Value First hires, role shifts
15–25 min	Portfolio Overview	Joana	Agent status, priority shift, Kush decisions
25–35 min	Deep Dive Sessions	Tony / Joana	Quarterly design sessions plan, first deep dive scope
35–52 min	Sprint 1 Planning	All	Select backlog items, assign, define sprint goal
52–60 min	Open Decisions	All	Blockers, needs-human items, next steps

S1

First Sprint

2W

Sprint Length

Jul 10

Sprint 1 End

Cadence & Ceremonies

Three-layer cadence: 2-week sprints, monthly portfolio, quarterly deep dives

🏃 Sprint (2 weeks)

Execution cadence. Ship code, build agents, deliver results.

Planning	Monday, Day 1
Standups	Mon/Wed/Fri (team only)
Review + Retro	Friday, Day 10
Tony attends	Planning + Review only

📊 Portfolio (monthly)

Show results to executives. Video evidence + working links.

First meeting	~Late July (Jul 27)
Attendees	Tony, Charlie + Ron
Format	Show, don't tell (see below)
Note	Separate from quarterly deep dive

🔬 Deep Dive (quarterly)

In-person design sessions. Strategic alignment + release planning.

Duration	~5-7 days
Q3 location	TBD (Houston?)
With	Team + Ron + key engineers
Output	Quarter release plan

📐 Scrum Artifacts — Warren Delivers

Tony expects Warren to programmatically deliver real-time sprint artifacts. No asking for status — artifacts should be self-service.

Artifact	Cadence	Description	Status
Sprint Backlog	Updated daily	Items committed for current sprint, status, blockers	Define
Burndown	Real-time	Story points or items remaining vs time	Define
Sprint Review Deck	End of sprint	Video evidence + working links of shipped work	Define
Definition of Ready	Standing	Criteria for items entering sprint (see below)	Defined
Definition of Done	Standing	Criteria for items being complete (see below)	Defined

🎬 "Show Don't Tell" — What Tony Means

We're moving at 5× traditional speed. Words can't keep up. Ron didn't understand net new revenue agents until the third time Tony explained it — and Ron is the sharpest person in the room. If Ron needs three reps to absorb a verbal summary, everyone else needs more.

The old way (what we stop doing):

Verbal status updates: "A.5 is code complete, waiting on merge"
Slides with bullet points about progress
Written summaries explaining what happened
"Technical done" without "business done" evidence

The new way (what every portfolio item needs):

🎥 Video walkthrough — screen recording of the feature working in production (30-90 sec)
🔗 Live URL — clickable link where the stakeholder can see it themselves, right now
📸 Before/after screenshots — visual proof of what changed
📊 Metrics — measurable impact (e.g., "21min per alert → 5min")

Tony's original architecture: Akira AI PMO confirms requirements via video → team builds → confirms results via video. Both ends are visual. If you can't show it working on screen, it's not done enough to present. This applies to everyone — Krishna, Kush, Ron, Forge Point.

🗓️ Proposed Location Rotation (Monthly Portfolio)

Month	Location	Notes
July	Houston	Ron in Houston Jul 27 — anchor event
August	San Francisco	Krishna's base
September	Austin	Tony's base
October	Los Angeles	Charlie's base

⚠️ Tony proposal — Joana to map against quarterly deep dive schedule to avoid over-travel.

Team & Hiring

Current team, role evolution, and Value First hiring plan

👥 Current Team

Person	Current Role	Evolving To	Sprint Role
Tony	Strategic leadership	Product Owner (biweekly)	Sprint planning + review only
Joana	Program delivery	Net new revenue agent design	Scrum lead + agent designer
Victor	Technical delivery	Net new revenue agent design	Technical lead + agent designer
Charlie	Chief Architect / Agent Runtime	Platform + architecture decisions	Technical advisor
Warren	Engineering & Ops AI	Scrum master + execution engine	Artifact delivery, sprint tracking
Dukane	Delivery support	QA manager (#warren-review)	Output quality review

⚠️ Role Shift: Joana & Victor moving from program delivery (100 installs, training) → net new revenue agent design. Hires will backfill the program delivery gap.

🤝 Hiring Plan — Value First / Omberto

Role	Count	Region	Focus	Status
AI PMO / Soft Skills	2-3	LatAm (preferred)	Requirements gathering, stakeholder mgmt, verification	Interviewing
Engineer	1-2	Eastern Europe or LatAm	MLflow, Kindo agent configuration, integrations	Planning

Process: Invoice → Charlie → Ron. Charlie vets technical candidates. LatAm for soft-skills (live meetings), Eastern Europe for code (Charlie's preference).

🔧 Engineering Availability

June Blocker: Agent Runtime team (Madison, Sean) on extended PTO through end of June. Core Kindo engineering (Brian Van's team) out for 3 weeks. Expected to normalize in July.

Team	Status	Expected Back	Impact
Agent Runtime (Madison)	PTO	Early July	Multi-agent, agent features blocked
Agent Runtime (Sean)	PTO	Week of Jul 7	Reduced velocity past 2 weeks
Core Kindo (Brian Van)	PTO	Mid-July	Core platform changes blocked
Charlie (Agent Runtime lead)	Active	—	Shipped memory prototype solo

Sprint 1 implication: Focus on soft-skills deliverables (requirements, agent design, research) that don't need Kindo eng. Engineering-dependent items slot into Sprint 2+ when team is back.

Portfolio Status

Agent portfolio with June 24 priority shift — SOC for AI is the new #1

🔴 Priority Shift (Kush, June 22): SOC for AI takes top priority. A.6 (Vitals Dashboard) and A.10 (IoT/OT Monitor) deprioritized. We must produce results faster — A.6 took 6 weeks to align, same pattern as Generative UI. If we don't capture, Deloitte builds it themselves.

🗺️ Agent Status Map

ID	Agent	Status	Revenue Class	Blocker
A.1	Threat Monitoring	PROD	Contracted	—
A.2	Threat Intel	PROD	Contracted	—
A.3	Threat Hunt	PROD	Contracted	—
A.4	Detection Engineering	PROD	Contracted	—
A.5	CTEM	BUILT	Contracted	Deployment pending
A.6	Vitals Dashboard	⏸️ DEPRIORITIZED	Alliance	Kush shifted to SOC for AI
A.7	Quality Audit Agent	REQS	Alliance	Design sprint needed
A.8	Cloud Security Agent	PLANNED	Alliance	—
A.9	IR Agent	PLANNED	Alliance	—
A.10	IoT/OT Monitor	⏸️ DEPRIORITIZED	Alliance	Kush shifted to SOC for AI
A.11	Custom Client Agents	REQS	Alliance	Shadow & document method
A.12	Identity Agent → IdaaS	PLANNED	Alliance	Tim Corder engagement
A.13	GRC Agent → GRC aaS	PLANNED	Alliance	Nathan Ellis engagement
NEW	SOC for AI	🔴 #1 PRIORITY	Alliance	Research + integration mapping

🛡️ SOC for AI — Two-Layer Scope

"Shadow IT for AI" — discover which AI tools, agents, LLMs, copilots, MCP servers run across endpoints, SaaS, cloud; then govern, policy-enforce, remediate. Now #1 priority (Kush deprioritized A6 + A10). Distinct from A.1 (Threat Monitoring) — A.1 is Deloitte's existing SOC agent; SOC for AI coexists with / complements it.

🌐 Layer A — Shadow AI Discovery

Which AI, by whom, how much, what risk. Via CASB/SSE + IdP + DLP + SIEM the client already owns.

💻 Layer B — Endpoint / EDR Telemetry

Orchestrate EDR/SIEM agents already on the machine (CrowdStrike-style). No new agent installs — Deloitte was explicit.

Mechanism: API-level orchestration of existing monitoring agents; build domain-specialized agents inside Kindo. No core architecture change. ~80% soft-skills / ~20% engineering.

Validated Market Timing:

CrowdStrike Shadow AI Discovery for Endpoint — RSAC 2026, GA, 1,800+ AI apps detected
Microsoft Agent 365 — GA May 2026 (Defender+Intune); context mapping + runtime blocking in public preview June 2026

🔌 Integration Landscape (from Joana's validated research)

Source: SOC for AI — Scope & Research doc (Jun 25). Tenant-safe = research-grade, needs Charlie's sign-off. Registry status needs Victor/Charlie confirmation (Q1).

Already in Kindo — can start immediately (confirm registry):

Platform	SOC-for-AI Capability	In Kindo?	Tenant-safe?
CrowdStrike Falcon	Shadow AI Discovery — AI apps, agents, LLM runtimes, MCP servers	❓ CONFIRM	⚠️ Per-tenant (cloud control plane — see Q2)
Splunk / Datadog	SIEM + observability for AI activity	❓ CONFIRM	✅ Yes
Grafana / Sumo Logic / Google SecOps	Dashboarding, log analytics, security ops	❓ CONFIRM	✅ Yes

Gaps — likely need new integrations:

Platform	Capability	Tenant	Priority
MS Defender for Endpoint	Shadow-AI discovery (Agent 365 — GA May, preview Jun 2026)	✅ Azure-native	P1 — biggest gap
MS Intune	AI agent policy enforcement on devices	✅ Azure-native	P1
MS Purview	DLP / data classification for AI	✅ Azure-native	P2
Nightfall / Netskope / Cyberhaven / Okta	GenAI DLP, CASB, data lineage, OAuth-consent discovery	⚠️ Validate	P3

🏯 Tenant Survival Filter (Tony's note #1): Every integration must pass: (1) tenant-scoped? (2) data stays in tenant, no egress? (3) SOC 2 Type II / BAA / DLP compatible? Cross-tenant/egress = disqualified.

Safest bet: Microsoft stack (Defender+Intune+Purview) — Deloitte is a Microsoft shop, runs inside their Azure/M365 tenant. Charlie's 4–6 net-new estimate looks right.

⚠️ Gates Layer B (Charlie's call): CrowdStrike Falcon runs a cloud-side control plane. Even if it's in registry, does the orchestration genuinely stay "Deloitte only"? Can't resolve on paper — open question.

📊 Revenue Classification

$5.5M

Contracted (A.1–A.5)

$1-2M+

Alliance Net New (A.6–A.13)

$5-12M+

Upside (2-3× Expansion)

Deep Dive Design Sessions

Quarterly in-person sessions — strategic alignment + release planning with Deloitte

Origin: Tony proposed quarterly deep dives 6 months ago — modeled after what he and Ron did independently in December (7 days of uninterrupted deep thinking). Deloitte "wholeheartedly agreed" at the June 22 meeting.

🎯 Deep Dive Topics (from Deloitte meeting)

These items were categorized under "design sessions" in Tony's meeting notes. More than half of what Deloitte raised maps to these sessions.

#	Topic	Description	Owner
1	Net New Revenue Agents	Design + deploy agents that generate alliance revenue (Tier 2/3 packages)	Tony / Joana
2	Threat Remediation	Extend A.1-A.5 into automated remediation workflows	Charlie / Victor
3	Deloitte Roadmap (Azure/GCP)	Cloud platform alignment and multi-cloud strategy	Charlie
4	Institutional Knowledge / Memory	Skills, memory, compound learning flywheel. ⚠️ Don't equip Deloitte to build what we want to build (Charlie)	Charlie
5	AI Cyber Guard / Tower	Control plane co-development	Charlie
6	Lifecycle Hooks	Generic lifecycle hooks — Kush says yes but NOT most important. Ship fast MVP, don't over-engineer. Deployment speed > stickiness features.	Charlie
7	Workflow Acceleration	Accelerate deployment cycle (time-to-value for new Kindo customers)	Victor / Joana
8	SOC for AI	Shadow IT discovery, AI governance, integration mapping	Joana / Victor

✅ Definition of Ready (DoR)

An item can enter the sprint when ALL of these are true:

#	Criteria	Why
1	Clear outcome defined — what does "done" look like in business terms, not technical terms?	Victor's point: business value, not technical value
2	Owner assigned — single person accountable	No orphan items
3	Dependencies identified — blocked/unblocked explicitly tagged	Victor's framework: shoot where we're unblocked
4	Effort estimated — days, not points. Be honest.	Tony needs to know what to expect without asking
5	Classified soft-skill vs code — which work type? Determines who can execute.	~80% soft-skills moves without Brian's team
6	Passes tenant filter (if integration) — tenant-scoped? data stays in tenant? SOC 2 II / BAA / DLP?	Tony's note #1: "Deloitte only"
7	Fits the sprint — total committed work ≤ team capacity	Don't overcommit then under-deliver
8	Acceptance criteria written — how will we verify it's done?	"Show don't tell" starts here

🏁 Definition of Done (DoD)

An item is done when ALL of these are true:

#	Criteria	Evidence Required
1	Acceptance criteria met — every criterion checked off with proof	Screenshots, video, or live URL
2	Business done, not just technical done — stakeholder can see and use it	Working link or deployed artifact
3	Evidence attached — "show don't tell" proof in the same message as the completion claim	Video walkthrough, screen recording, API response
4	Integrations pass tenant + compliance check	Tenant filter results documented
5	No open blockers or regressions	Verification report
6	Reviewed — at least one other team member has seen the output	Reviewer name + ✅/⚠️/❌
7	Documented so Warren can report status	Warren updates programmatically
8	Owner confirmed done	Explicit sign-off

Hard rule: "Code complete" ≠ done. "Waiting on merge" ≠ done. "I verified" without the actual evidence ≠ done. If you can't show it on screen, it's not done.

📅 Proposed Deep Dive Calendar

Q3 2026 — First Deep Dive

Target: TBD (separate from monthly portfolio meeting). 5-7 day in-person session. Team + Ron + key engineers. Output: Q3 release plan, SOC for AI architecture, net new revenue agent designs.

Q4 2026 — Second Deep Dive

Target: October. Location TBD. Review Q3 results, plan Q4 releases, expand to service lines beyond D&RaaS (Identity aaS, GRC aaS).

⚠️ Charlie's Warning on IK/Skills Sessions: "I don't want to do design partnership work where we equip them to build stuff that we want to build." Deloitte can execute the "how" faster than us on their own infrastructure. Strategy: share the "what" strategically, protect the "how."

Sprint 1 — June 29 → July 10

First sprint: focus on soft-skills deliverables while engineering is on PTO

🎯 Sprint Goal

Validate scope → design AI Discovery Agent → build v1 in Kindo

This is ~80% soft-skills work — agent configuration, not code. Warren accelerates: research (done), design docs, agent config specs, Kindo setup. Goal isn't just a design — it's a working agent in Kindo by sprint end. Human effort = scope confirmation (Joana's 5 Qs) + validation + review. Warren does the build grunt work.

📋 Proposed Sprint 1 Backlog

Item	Type	Owner	Effort	Dependencies / Risks
SOC for AI — Scope Confirmation Get answers to Joana's 5 questions from Charlie & Victor: registry check, CrowdStrike tenant isolation, Microsoft path, first deliverable sizing, control plane alignment	P0	Joana	1d	⚠️ Depends: Charlie & Victor input ⚠️ Risk: Questions sent Jun 25, still awaiting answers. If not answered before Monday, sprint planning has no confirmed scope.
SOC for AI — AI Discovery Agent: Design + Build v1 in Kindo Design + configure in Kindo: CrowdStrike Falcon (if tenant-safe) + MS Defender; AI app/agent inventory; dashboard; tenant-scoped data. Warren produces agent config spec + builds draft in Kindo. Human effort = review + validate. Per Joana's §4.	P1	Warren + Victor	2d human / 6d Warren	⚠️ Depends: scope confirmation ⚠️ Risk: CrowdStrike cloud control plane may not pass tenant filter (Q2). If Layer B blocked, pivot to Layer A only — smaller but still a working agent by Jul 10.
Outcome Package → Skill Conversion Reverse-engineer Tony's Warren process into reusable OpenClaw skill (Charlie directive)	P3	Victor + Warren	2d	⚠️ Unknown state Victor said "I think I already did that" — needs confirmation. If done, just verify. If not, real work.

🔥 Sprint 1 Meta-Risk: The entire sprint is optimized for soft-skills work because eng is on PTO. That's smart — we're shooting where we're unblocked. But if eng comes back mid-sprint and unblocks code work, do NOT mid-sprint pivot. Finish what we committed to. New engineering items go into Sprint 2 backlog.

✅ Sprint 1 Exit Criteria

Show-don't-tell: every criterion needs evidence, not a status update.

Joana's 5 scope questions answered by Charlie & Victor → deliverable: confirmed scope doc with decisions recorded
Integration landscape validated against live Kindo registry → deliverable: confirmed registry check (what exists, what's net-new)
CrowdStrike tenant isolation question resolved → deliverable: Charlie's yes/no on Layer B viability
AI Discovery Agent v1 built in Kindo (Layer A + B if tenant-safe, or Layer A only) → deliverable: working agent in Kindo + design doc + video walkthrough
Warren delivering sprint status automatically → deliverable: live sprint dashboard URL (program track)

🚫 Sprint 1 — NOT In Scope

Code shipping to Kindo platform (eng on PTO) — Sprint 2 when team returns
Core platform changes (Brian's team required) — blocked, not our call
A.6 Vitals Dashboard (deprioritized by Kush) — parked
Scaling Story for Ron (important but not SOC for AI) — separate workstream, not sprint backlog
A.7 Quality Audit design sprint (depends on Krishna scheduling) — backlog, not Sprint 1
Hiring decisions (interviews in progress) — parallel track

Product Backlog

Items that produce a built artifact (agent, integration, code in Kindo) — ranked by strategic priority

Prioritization framework: SOC for AI is #1 (Kush mandate). Then net new revenue agents (alliance revenue). Then contracted platform work. Unblocked items before blocked items (self-unblocking bias).

P0 — Must Do Now 2 items

SOC for AI — Scope Confirmation

Research complete (Joana's SOC for AI — Scope & Research doc, Jun 25). Two-layer scope defined, integration landscape mapped, tenant filter applied. Now pending Charlie & Victor's answers to 5 confirmation questions sent Jun 25. Answers gate the Sprint 1 backlog.

✅ Research Done Blocked: awaiting Charlie & Victor

⚠️ Risk: Questions sent Jun 25, still unanswered. If not confirmed before Monday, sprint planning has no validated scope. Key gate: Q2 (CrowdStrike tenant isolation) determines whether Layer B is viable.

SOC for AI — AI Discovery Agent: Design + Build v1 in Kindo

Design + build working agent in Kindo (not just a design doc). Per Joana's §4: CrowdStrike Falcon (if tenant-safe) + MS Defender; AI app/agent inventory dashboard; tenant-scoped. Warren produces agent config spec + drafts in Kindo. Human effort = review + validate + confirm with Deloitte.

Agent Design Tenant Isolation Depends: scope confirmation (5 Qs)

⚠️ Risk: CrowdStrike cloud control plane may not pass tenant filter (Q2 gates Layer B). If blocked, agent pivots to Layer A only.

P1 — High Priority 5 items

CrowdStrike Shadow AI Discovery — API Scope Validation

Validate Kindo's existing CrowdStrike integration (OAuth2_CC) covers the Shadow AI Discovery endpoints announced at RSAC 2026 (1,800+ AI apps detection).

Technical Charlie Unblocked

⚠️ Risk: If scopes don't cover Shadow AI, becomes eng task → blocked by PTO. Could invalidate SOC for AI agent designs.

A.7 Quality Audit Agent — Design Sprint

Option 1: High-bandwidth meeting with Krishna's team (~3hrs). Design the 5-agent Quality Audit package (Alert Scorer, Human Baseline Validator, Efficiency Tracker, Pool Optimizer, Audit Dashboard).

Agent Design Joana Blocked: Krishna scheduling

A.11 Custom Client Agents — Shadow & Document

Option 2: Warren ingests SOPs + ride-along with analysts. Capture institutional knowledge for custom agent patterns. Start with HP deployment patterns.

IK Capture Victor Depends: analyst access

A.5 CTEM — Production Deployment

CTEM is built, needs deployment. Blocked on Kindo eng availability but should be first code ship when team returns.

Deployment Blocked: Eng PTO

Show-Don't-Tell — Video Evidence Pipeline

Establish process for capturing video evidence of working functionality. Every P0/P1 should have video proof + working URL. Tony: "We're moving too fast for words."

Delivery Mechanism Warren + Victor Unblocked

P2 — Medium Priority 4 items

MS Defender for Endpoint Integration (SOC for AI)

New integration needed. Shadow AI discovery via "Agent 365" (May 2026). Critical for enterprise customers. Tenant-scoped.

Integration Engineering Blocked: Eng PTO

A.8 Cloud Security Agent — Requirements

Kush's Deloitte roadmap includes Azure/GCP alignment. Design cloud security agent leveraging cloud-native tools.

Agent Design Depends: Deep Dive

A.9 IR Agent — Requirements

Incident Response automation agent. Extends threat monitoring (A.1) into response workflows.

Agent Design Depends: Deep Dive

Outcome Packages → Skills Conversion

Reverse-engineer Tony's process with Warren (e.g., release planning) into reusable OpenClaw skills. Charlie: "Tell Warren to turn session logs into a skill and verify." Victor may have started.

Warren Skills Victor Unblocked

P3 — Future / Deep Dive Topics 7 items

MS Purview Integration (SOC for AI — DLP)

Data loss prevention + data classification for AI usage. No Kindo integration today.

IntegrationP3

A.12 Identity Agent → IdaaS (Tim Corder)

Service line expansion into Identity aaS. Requires engagement with Tim Corder + Ravi.

Service Line ExpansionPhase 4

A.13 GRC Agent → GRC aaS (Nathan Ellis)

Service line expansion into GRC aaS. Requires engagement with Nathan Ellis.

Service Line ExpansionPhase 4

Lifecycle Hooks MVP

Kush: short answer is yes, but NOT most important. Ship fast MVP — don't over-engineer. Focus: deployment speed, not stickiness.

PlatformKush deprioritized

IK / Memory Design Session (Kush request)

Kush asked for a session on institutional knowledge, skills, memory. ⚠️ Charlie: protect IP — share "what" not "how."

Deep Dive⚠️ IP sensitivity

AI Cyber Guard / Tower — Control Plane

Control plane co-development with Deloitte. Design session topic.

Deep DiveCharlie

SaaS Discovery Integrations (Nightfall, Netskope, Okta)

CASB/SaaS-level AI discovery tools. No Kindo integrations today. Lower priority than endpoint-level discovery.

IntegrationP3

⏸️ PARKED 2 items

A.6 Vitals Dashboard

Deprioritized by Kush (June 22). SOC for AI takes its slot. May resurface in future sprints.

Deprioritized

A.10 IoT/OT Monitor

Deprioritized by Kush (June 22).

Deprioritized

Program / Strategic Track

Parallel track — program management work that needs an owner and date but doesn't produce a product artifact. Not sprint-rankable. Joana's track.

📋 Why this is separate: These items are essential program work — investor narratives, portfolio prep, hiring, travel planning — but they don't produce a built artifact in Kindo. They run on their own timelines with their own owners, parallel to the sprint. Mixing them into P0–P3 product lanes creates false prioritization conflicts.

Item	Owner	Target Date	Notes
Scaling Story for Ron / Forge Point	Tony + Joana	Monday Jun 29	Capture while Tony is present — he goes biweekly after. 3-5× revenue growth narrative for Forge Point VC.
Monthly Portfolio Prep (July)	Joana	Ahead of Jul 27 Houston	Video evidence + working links for shipped functionality.
Value First Hiring	Joana / Victor	Ongoing	Interviews in progress. Invoice → Charlie → Ron.
Deep Dive Prep / Calendar + Budget	Tony / Joana	TBD	Map quarterly deep dives against monthly portfolio, avoid over-travel.
Warren Scrum Artifacts Setup	Joana + Warren + Victor	Sprint 1	Configure Warren for sprint backlog, burndown, status delivery. ⚠️ Verify accuracy before Tony relies on it.

Open Decisions & Needs-Human

Items requiring team input during Monday's planning

🔴 SOC for AI — Scope Confirmation (Joana → Charlie & Victor, Jun 25)

These 5 questions were sent to Charlie & Victor — answers gate the Monday backlog. Source: SOC for AI — Scope & Research doc.

1️⃣

Registry check (Victor/Charlie) Are CrowdStrike, Grafana, Sumo Logic, Google SecOps actually in our connector registry today? Any gap-list items already there un-documented? Changes the net-new integration count.

2️⃣

CrowdStrike tenant isolation (Charlie) Does Falcon's orchestration survive "Deloitte only / local tenant" given its cloud control plane? Yes/no gates the entire Layer B approach. Can't resolve on paper.

3️⃣

Microsoft path (Charlie) Is MS Defender for Endpoint a separate integration build, or covered by existing Entra / Microsoft MCP? Same for Intune and Sentinel.

4️⃣

AI Discovery Agent — right first build? (Charlie/Victor) Is the proposed AI Discovery Agent (§4 of Joana's doc) the right first deliverable? Scope right-sized for one sprint? What's missing?

5️⃣

Scope + control plane (both) Is the two-layer scope (A: shadow-AI discovery, B: endpoint telemetry) right-sized? Does the AI Discovery Agent connect to or compete with Kush's "AI Cyber Guard/Tower" — design for integration?

🟡 Other Open Items

📋

Sprint 1 scope — confirm or adjust proposed items Do the SOC for AI items match what we can realistically ship in 2 weeks with eng on PTO?

📋

First deep dive vs monthly portfolio — separate or combine in July? Monthly portfolio anchored to Ron in Houston Jul 27. Quarterly deep dive is separate — timing/location TBD. Joana to map both against calendar.

📋

Value First hiring — interview results (June 26) Joana interviewing candidate. Results feed into team planning but don't block Sprint 1.

📋

Agent runtime team return date — confirm July availability Madison back early July, Sean week of Jul 7. Track for Sprint 2 planning.