Kindo × Deloitte
From Strategic Framework
to Execution Plan

Connecting the May 7 strategy session to the delivery engine — framed for Ron, adaptable for Kush/Krishna next week.

Source May 7 In-Person (Kush, Krishna, Nathan) Updated May 19 Tony–Joana Alignment v1 Audience Ron v2 Next Week Kush / Krishna
1

Executive Summary — The Opportunity

Deloitte Cyber Operate is rebuilding its entire delivery model around Kindo. This isn't an evaluation — it's an infrastructure commitment. Krishna has mapped Kindo into every delivery model and every service line expansion.

$5.5M
Current Contract /yr
$6.5–7M+
With Net New Revenue
40→80%
EBITDA Target
100
Installs by Feb 2027
$800M
Cyber Operate Revenue

Why Now

The Delivery Engine Tony + Joana + Victor + Dukane + Charlie's team + Warren (AI operations). Tony as CDO — not just deploying agents, but accelerating compound learning loops that make each agent better every month. That's the moat: accumulated institutional knowledge encoded in production agents.
← Back EBITDA Framework →
2

EBITDA Strategic Framework

Three Sources of Improvement (40% → 80%)

Source 1: Cost Elimination — ~25–35% of gain

LOW IK DEPENDENCY
  • Built into alliance contract — not directly controllable
  • Swimlane sunset, CrowdStrike consolidation, third-party license elimination
"I want to completely sunset Swimlane in every which capacity." — Krishna

Source 2: Scale Efficiency — ~25–30% of gain

MEDIUM IK DEPENDENCY
  • Same analyst pool → more clients via agent augmentation
  • Triage: 21 min → 5 min (76% reduction, proven)
  • Human effort: 70–85% reduction target
  • Quality audits: sample → 100% via audit agent

Source 3: Net New Agent Revenue — ~35–45% of gain

HIGH IK DEPENDENCY
  • A6–A13: agents that don't exist yet, each a revenue event
  • Growth from $5.5M → $6.5–7M+ that funds the team
"Every agent is a net new revenue goal — either new revenue dollars or better profit margins." — Krishna

The Institutional Knowledge Substrate

~60–75% of EBITDA improvement flows through institutional knowledge IK isn't static — it's compound learning at three levels:
  1. User level: Individual analysts improve with agents month over month
  2. Agent level: Each agent accumulates judgment from production use — "How is my triage agent at week 10 bigger, better than week 6?" (Kush)
  3. Organizational level: Cross-agent learning — SOC → identity → GRC

Speed to production = compound learning velocity = EBITDA acceleration.

← Executive Summary Revenue Structure →
3

Revenue Structure — Contracted vs. Net New

A1–A5: Contracted ($5.5M License) — No Net New Revenue

These agents fulfill the existing license. They cost us to deliver (IK transfer) but don't generate incremental revenue.

IDAgentStatusModelIK
A.1Threat MonitoringPRODMXDRLOW
A.2Threat IntelPRODMXDRLOW
A.3Threat HuntPRODMXDRLOW
A.4Detection EngineeringPRODMXDRLOW
A.5CTEMBUILTMXDRLOW

A6–A13: Net New Revenue — The Growth Engine

Each is a revenue event. They push Deloitte from $5.5M/yr → $6.5–7M+ and justify the CDO role.

IDAgentStatusModelIKPhase
A.6Vitals DashboardPLANNEDCross-modelHIGHPH 2
A.7Quality AuditPLANNEDCross-modelHIGHPH 2
A.8Cloud SecurityPLANNEDDed/SharedHIGHPH 3
A.9IR AgentPLANNEDDed/SharedHIGHPH 3
A.10IoT/OT MonitorPLANNEDDed/SharedHIGHPH 3
A.11Custom ClientPLANNEDBespokeHIGHPH 3
A.12Identity → IdaaSPLANNEDNew Svc LineHIGHPH 4
A.13GRC → GRC aaSPLANNEDNew Svc LineHIGHPH 4
Full Scope: 42 items across 5 categories 11 Contracted (🟢) · 10 Alliance Revenue (🟡) · 12 Alliance Institutional (🔴) · 9 Operations. 23 of 42 (55%) depend on institutional knowledge.

See the full Scope Matrix visual →

← EBITDA Framework Agent Packaging →
4

Agent Packaging by Service Line

Kush's deployment vision: "We want to be able to package this and drop it at a client. Out of the box you get these six agents. But every big client needs custom agents."

Package 1: D&RaaS

Krishna · ACTIVE

MXDR, Shared MSS, Dedicated MSS

  • A.1 Threat Monitoring PROD
  • A.2 Threat Intel PROD
  • A.3 Threat Hunt PROD
  • A.4 Detection Eng PROD
  • A.5 CTEM BUILT
  • A.6 Vitals Dashboard PLANNED
  • A.7 Quality Audit PLANNED
  • A.9 IR Agent PLANNED

Package 2: CaaS

Nathan Ellis · PH 2–3

Primarily Dedicated MSS

  • Custom CaaS agents (TBD with Nathan)
  • A.13 GRC crossover
  • A.7 Quality Audit (shared)

Nathan owns first 5–7 deploys. Requested: "Use your SDK. Force our teams to adhere to that standard."

Package 3: Identity aaS

Tim Corder · PH 4
  • A.12 Identity Agent
  • Custom IAM workflows
  • J&J team (Adelina)

Package 4: Cloud & Infra Security

Bhargav · PH 3–4
  • A.8 Cloud Security
  • Custom infra agents
  • Firewall provisioning already on Kindo

Package 5: GRC aaS

Nathan (cross-CaaS) · PH 4
  • A.13 GRC Agent
  • Compliance audit workflows

Package 6: App Security aaS

No owner · FUTURE
  • TBD — Phase 4+

The SOAR Flow — Agent Orchestration

Supervisory Agent Pattern (Kush, May 7) Triage agent acts as supervisor → calls Detection Engineering + CTI agents independently → they return context → containment loop runs continuously. This is what Kindo Engineering needs to build (currently in beta).

Revenue Model Per Client

  1. Base: D&RaaS bundle (A.1–A.5 + Vitals + Audit) — "out of the box"
  2. Service-line add-ons: CaaS, Identity, Cloud/Infra per engagement
  3. Bespoke custom agents (A.11): per client environment
  4. Private integrations: Client-specific MCP servers

Each layer = incremental revenue.

See Krishna's full operational map →

← Revenue Structure Platform Priorities →
5

Platform Priorities — What Kindo Must Deliver

From Part 2, May 7 — Bryan's roadmap + Kush's responses

CRITICAL — Blocking Deployment

1. Self-Managed Instance Stability

"We haven't done another deployment in over a month. Things get forgotten." — Nathan
  • Gap: 3–5 days per deployment with hand-holding
  • Target: Click-click-click install

2. Release Parity (SaaS ↔ SM)

"You keep getting this question from me." — Kush

Command Center improvements not shipped to self-managed. Next release will close gap.

3. Agent Memory & Self-Improvement

KUSH'S #1 PLATFORM PRIORITY
  • Layer 1: User memory (analyst improvement)
  • Layer 2: Agent memory — "Week 10 vs week 6?" — HIGHEST
  • Layer 3: Organizational memory — cross-agent learning
Kush: "In Kindo, I did not see any of this stuff today." The 4-phase model (docs → shadow → reverse shadow → steady state) requires ITSM ingestion, human feedback capture, and self-improvement.

4. Multi-Agent Orchestration

  • Current beta: "predefined agents calling other agents" (phase 1)
  • Sub-agents = biggest unlock (Brandon confirmed)
  • Kush wants deterministic, mission-specific chains first
  • Agent catalog: supervisor needs knowledge of available agents

HIGH — Needed for Scaling

5. Integration Privacy — Private MCP

Client integrations can't be public. "We want to crowdsource integrations for you." — Kush

  • Public: Standard (Zscaler) → submit to Kindo
  • Private: Client-specific → self-managed MCP, scoped to org

6. Token / Cost Optimization

"$25,000/month for one instance, 80% is LLM usage." — Nathan

Four strategies: auto model selection, better initial context, structured memory, context compaction.

MEDIUM — Deprioritized by Kush

7. GenUI / Canvas

"If you were spending four hours on Canvas out of ten, hold back. We'll use TrueArch Hub." — Kush

Kindo = backend/API. Focus on APIs, not UI.

← Agent Packaging HP Deployment RACI →
6

HP Customer Deployment — RACI

HP = FIRST production client install. Dedicated MSS. HP just renewed with AI terms. Krishna: "The first couple need to go really well."

Phase 1: Installation + Doc Ingestion

ActivityRACI
SMK provisioning (AEF)Nathan, BrandonKrishnaJoanaTony, Ron
Security reviewNathan, HarishKrishnaKindo EngJoana
Core agent deploy (D&RaaS)Brandon, MarcosNathanKrishnaJoana, Tony
HP integrations (private MCP)Robby's teamNathanKindo EngJoana
ITSM ingestion (6 mo)Warren + PlatformKrishnaKush, ShivaTony
SOP & doc ingestionJoana, WarrenKrishnaShivaTony

Phase 2: Shadow (Parallel Operation)

ActivityRACI
Ticket mirroringKindo EngNathanKrishnaJoana
Agent monitoringAnalysts + WarrenShivaKrishnaJoana, Tony
Human feedbackAnalystsShivaWarrenKrishna
Accuracy tracking (Vitals)WarrenJoanaKrishnaTony
Weekly performance reviewJoanaKrishnaTony, KushRon

Phase 3: Reverse Shadow (Agent-Primary)

ActivityRACI
Agent primary executionPlatformKrishnaKush, NathanTony, Ron
Human oversightAnalystsShivaKrishnaJoana
Validation (accuracy/completeness)Warren + Audit AgentJoanaKrishnaTony
EBITDA trackingWarrenJoanaKrishnaTony, Ron
Go/no-go for steady stateKrishnaKushTonyRon

Phase 4: Steady State (Production)

ActivityRACI
Autonomous execution (70%)PlatformKrishnaKushTony, Ron
15% human holdback (QA)AnalystsShivaKrishnaJoana
100% audit opsAudit AgentKrishnaWarrenKush
EBITDA reportingWarren, JoanaTonyKrishnaRon
Custom agent expansionWarren + KindoJoanaKrishnaTony

Key Risks

RiskImpactMitigationOwner
Platform stabilityBlocks Phase 1Sandbox hardening; Nathan daily cleanupNathan + Brandon
Release parity gapLimits visibilityPush release before HP liveKindo Eng
Agent memory not builtDegrades learning loopManual IK during ShadowKush
AEF vs ITS decisionDelays provisioningHP = production = AEFNathan
← Platform Priorities Execution Roadmap →
7

Execution Roadmap

Phase 1: Foundation — Now → May 31
  • ✅ A.1–A.4 agents in production (MXDR)
  • ✅ A.5 CTEM built
  • 🚨 Swimlane migration — all non-contract MXDR to Kindo (May 31)
  • 📋 HP deployment planning
  • 📋 Training program (6 domains — Joana)
Phase 2: First Client + Scale Prep — June
  • HP Phase 1 (SMK provisioning + doc ingestion)
  • Alliance agreement draft contract
  • MXDR efficiency data collection
  • D&RaaS agent package finalized
  • 2nd/3rd client ID from renewal pipeline
Phase 3: Shadow + Expansion — Jul–Aug
  • HP Phase 2 (shadow — parallel operation)
  • A.6 Vitals Dashboard + A.7 Quality Audit dev
  • CaaS integration planning (Nathan)
  • 10–20 additional MXDR installs
Phase 4: Production + Net New — Sep → Feb 2027
  • HP → steady state
  • A.8–A.11 (Cloud, IR, IoT/OT, Custom)
  • Dedicated MSS scaling (multi-F50)
  • Identity aaS expansion
  • Target: 100 installs by February 2027
← HP RACI Kindo Considerations →
8

Kindo Team Considerations

⚠ Internal Only
Not for Ron. Resolve before adapting for Kush/Krishna next week.

Validate with Deloitte Team

  1. Is A1–A5 vs A6–A13 accurate against actual contract? ($5.5M = platform license, not named agents)
  2. Platform blockers that collide with May 31 Swimlane migration?
  3. Does Krishna's May 31 directive align with deployment team's tracking?
  4. HP timeline — when does Phase 1 provisioning actually start?

Warren's Execution Role

Mythos Connection (Ron's Frame)

Agents Deloitte needs (A.1–A.9) = agents Mythos-overwhelmed customers need. Tony's delivery builds Ron's agent catalog without Ron funding it separately.

Ron pitches speed → Tony's team delivers speed. The Venn diagram is the leverage.

Resource Ask

Tony + Joana + Victor + Dukane + Charlie's team. Net new revenue (A6–A13) justifies it: $5.5M → $6.5–7M+ doesn't happen without this team.

← Execution Roadmap Scope Matrix →

Reference: Scope Matrix v1.0

Full 42-item scope matrix from the Tony strategy thread — all agents, platform capabilities, delivery models, service line expansion, and operations with status, IK dependency, and focal person attribution.

Kindo × Deloitte Cyber Operate — Scope Matrix v1.0 Click image for full screen
Scope Matrix v1.0
← Kindo Considerations Operational Map →

Reference: Krishna D&RaaS Operational Map

Krishna's organizational and delivery map showing how Kindo plugs into each layer of Deloitte Cyber Operate — leadership, ops, service lines, agents, and Kindo integration points.

Krishna DREAS Operational Map — Where Kindo Plugs In Click image for full screen
Krishna D&RaaS Operational Map
← Scope Matrix ↗ Back to Start