How to read this
Tier 1 lines need the sandbox only. TECOM budget-to-readiness is the closest win; the same demo stack repurposes for DHS and similar civilian budget shops. Federal AI workforce training is offered capability with no contract yet (USMC class proved delivery format only). Tier 2 is the first billable SOW after a win, using the promotion gate. Tier 3 lines need accredited client hosting and firm-owned cloud; they are the ARR case. Companion lines are not separate product names on the brief summary but are real revenue (managed ops, gate assurance, per-client compliance delta, IL5 baseline build) that attach to hosting and platform funding.
Pursuit / project = territory-led or cyber capture, often non-recurring first award. Recurring = hosting, MSSP, endpoints, managed ops. Capital build = one-time platform footprint (costing page), not a pursuit forecast.
Tier 1: Win pursuits today
Capture engine. Client hosting does not need to be live. Proof = live demos in the AI Sandbox.
Line 1 (TECOM) is the pursuit nearest award. Lines 1 and 2 share one platform build: budget and readiness storytelling with grounded vs naive AI. Repurpose the TECOM demo for DHS and other federal CFO / program offices without a new build.
| # | Service line | Status | Primary buyer | Revenue model | Delivery | Sandbox proof | Platform dependency |
|---|---|---|---|---|---|---|---|
| 1 | TECOM budget-to-readiness intelligence | Closest win | TECOM PA&E / readiness; repurposable to DHS, civilian CFO and program shops | Pursuit / project (active pipeline) | KTG builds; territories sell and deliver | TECOM resource-to-readiness demo; budget dollars to unit readiness on synthetic data | Same IaC demo shell for other mission/budget clients; no re-build for DHS-style pursuits |
| 2 | Navy readiness decision intelligence | Live | Navy PA&E, readiness and program owners | Pursuit / project after demo | KTG builds; territories sell and deliver | Navy readiness demo (grounded vs naive AI on synthetic mission data) | Shared platform with line 1; separate customer thread from TECOM |
| 3 | Active defense and live SOC operations | Live | Agency CISO, SOC directors | Cyber pursuit leading to Tier 3 MSSP | Cyber | AD/CD demo: detection, deception, OT scenarios, ServiceNow IR workflow | Synthetic telemetry in sandbox; Sentinel visibility (Decision 2 in motion) |
| 4 | SOAR and federal financial-system analytics | Live | Financial system owners, IG and audit partners, SOC leads | Cross-sell from cyber and audit practices | Cyber | SOAR demo: ingestion, anomaly scoring, alerting, worked incidents | Same as SOC; opens audit-adjacent buyers without separate hosting |
| 5 | Federal AI workforce training and executive briefings | Offered | Program leadership, workforce and training shops | Capability / pursuit (no contract yet; repeatable once sold) | Sandbox content; territories teach | USMC FM class used TECOM demo as centerpiece; proves format, not a booked training deal | Can bundle with TECOM/DHS pursuits; Cognito demo access for classes |
| 6 | AI assurance and red-teaming | Live | AI program offices, CISO, authorizing officials | Assessment engagements | Cyber; territories at scale | Methodology exercised in sandbox (hallucination, grounding, misuse) | No client CUI in sandbox; aligns with Tier 3 ATO story later |
Tier 2: First SOW after the win
Mission-specific builds proved in the sandbox, then promoted through the mission gate into a client accredited environment.
| # | Service line | Status | Primary buyer | Revenue model | Delivery | Sandbox proof | Platform dependency |
|---|---|---|---|---|---|---|---|
| 7 | Custom capability prototyping and promotion | Ongoing | Mission owners with gaps no incumbent fills | Design-build and implementation SOWs | Sandbox build; territories scale; Cyber governs gate | Any first-of-kind demo that wins (apps, automations, agents) | Promotion gate: IaC rebuild, SBOM, client approval (see companion line C2) |
Tier 3: Recurring at platform scale
In the architecture plan and Moving Forward target state. The platform is the productized front end of a managed-security practice the division already runs. The MSSP lines below are not net-new capability. The division operates a 24/7/365 SOC across roughly 5,900 endpoints under a multi-year federal information-security program, and has deployed active-defense and cyber-deception tooling in a national-laboratory environment. The Sentinel build that gives the CIO one pane internally is the same service sold to clients as managed security. What Tier 3 needs is accredited client hosting and firm-owned cloud, not a capability we have yet to prove.
| # | Service line | Status | Primary buyer | Revenue model | Delivery | What unlocks it | Platform dependency |
|---|---|---|---|---|---|---|---|
| 8 | Accredited client hosting, commercial and SLED (CUI low tier) | Target | State and civilian agencies with CUI, no DoD nexus (Texas anchor) | Recurring hosting + managed ops (companion C1) | Cyber / Compliance | Commercial CUI enclave; FedRAMP Moderate or TX-RAMP; per-client account | Commercial CUI enclave on AWS (promoted from CUI pilot, Decisions 6–7); intake routing (line 13); overlays (line 13) |
| 9 | Accredited client hosting, federal and DoD (IL5 gold load) | Target | DoD and federal program owners with IL4/IL5 data | Recurring hosting + apps + MSSP; highest ARR tier | Cyber / Compliance | One gold load accredited once, stamp-out per client (hard isolation) | IL5 on AWS GovCloud or Azure Government; sponsorship path; funded baseline (companion C4); ESP determination (companion C3) |
| 10 | Managed SOC and security monitoring (MSSP) | Target | Agencies without in-house SOC | Recurring MSSP | Cyber | Sentinel as client pane; one-way logs from hosted enclave. Proven on a live 24/7 federal SOC today. | Same Sentinel build as internal overwatch and existing SOC delivery; ESP/MSP memo (companion C3) |
| 11 | Managed endpoint security | Target | CISOs with endpoint gaps in cloud-first shops | Per device / seat | Cyber | Internal Cyber endpoint standard as first proof, then client offer (deferred from brief asks) | Gold image + EDR + Sentinel telemetry; pairs with MSSP |
| 12 | Cloud and AI authorization support | Target | CIO, CISO, authorizing officials | Advisory and assessment (project or retainer) | Compliance + delivery practices | SSP inheritance model from gold load and stamp-outs | Discipline applied to our footprints and client deltas (companion C2) |
| 13 | Compliance overlays and client intake routing | Target | Any hosted client with CJIS, IRS 1075, HIPAA, or custom controls | Per-client overlay build + assessment delta | Cyber / Compliance | Reusable overlay library on correct hosting tier | Data-type screening before pursuit pricing; stops mis-tiered bids |
Companion lines (attach to hosting and platform funding)
These appear throughout the architecture plan but are easy to miss in a pursuit-only view. CFOs should model them with Tier 3.
| ID | Line | Revenue model | When it bills | Notes |
|---|---|---|---|---|
| C1 | Managed cloud / enclave operations | Recurring (often separate from hosting rent) | Per hosted client | Day-2 ops for client enclave: patching, monitoring hooks, change control. Bundled in hosting routing on lines 8–9 but should be priced as its own SKU for margin. |
| C2 | Secure promotion and supply-chain assurance | Per promotion / per release | Each capability crossing the mission gate | Security review, CycloneDX SBOM, control mapping. Billable DevSecOps wrapped around Tier 2 deliveries. |
| C3 | ESP / MSP and personnel eligibility advisory | Pre-sales compliance; gates MSSP pricing | Before IL5 MSSP commit | External Service Provider determination and operator eligibility in writing. Walk-away-or-staff-up gate for IL5 floor. |
| C4 | IL5 gold-load baseline build | Capital build | Before client one | Accredited baseline engineering and compliance; separate program decision on the costing page. |
Optional pursuit accelerators (not separate core SKUs today): detection engineering and purple-team work under line 3; federal audit / IG analytics buyers under line 4; cross-cloud identity and SIEM onboarding SOWs for clients mirroring our Entra–Sentinel spine.
Funding linkage (brief decisions)
Maps sellable lines to What we are asking for and platform costing.
| Decision / resource | What it unlocks for revenue | Tiers affected |
|---|---|---|
| Decision 1: Firm AWS org + lab migration | Governed synthetic demos; prerequisite for CUI pilot account | Tier 1 (all); Tier 2 gate |
| Decision 2–3: Sentinel + Entra | Visibility and identity for lab and pilot | Tier 1–2; Tier 3 MSSP proof |
| Decision 4–5: Synthetic Opex + 1099 | Keep TECOM and Navy winning on software | Tier 1 (1–2, 4–6) |
| Decision 6–7: CUI pilot charter + $7K/mo cloud + 1099 surge | Client CUI demos; TECOM on real data; DHS reuse; overhead carries build | Tier 1 pursuit; Tier 3 hosting path |
| IL5 gold load, GovCloud or Azure Government (future) | Full DoD hosting and stamp-out | Tier 3 (8–9, 12–13) |
Fund Tier 1 on synthetic now. Fund the CUI pilot (Decisions 6–7) so John can run TECOM-class demos on authorized client data within 90 days. IL5 hosting remains a separate program on the costing page.
Out of scope for this platform
- IL6 and IC classified work (separate facility-clearance program)
- Client-hosted data inside the corporate GCC High CMMC boundary
- Slide-only pursuits with no path to hosted, managed, or gated delivery
Keeping these out preserves defensibility in front of a 3PAO and a client assessor.