This environment is for
Kearney employees only.
Sign in with your Kearney credentials to continue.
Access issues? Contact sandbox-support@kearneyco.com
CGO / CFO analysis

Federal services menu and revenue model

UNCLASSIFIED // FOUO  |  Companion to the Moving Forward decision brief

Every sellable line defensible from the platform plan and the live sandbox. Use this page for pipeline, recurring revenue, and funding linkage. The Moving Forward brief keeps the decision narrative; this page is the line-by-line business case.

6
Win now (Tier 1)
1
Handoff (Tier 2)
6
Recurring (Tier 3)
+4
Companion lines

How to read this

Tier 1 lines need the sandbox only. TECOM budget-to-readiness is the closest win; the same demo stack repurposes for DHS and similar civilian budget shops. Federal AI workforce training is offered capability with no contract yet (USMC class proved delivery format only). Tier 2 is the first billable SOW after a win, using the promotion gate. Tier 3 lines need accredited client hosting and firm-owned cloud; they are the ARR case. Companion lines are not separate product names on the brief summary but are real revenue (managed ops, gate assurance, per-client compliance delta, IL5 baseline build) that attach to hosting and platform funding.

Revenue type key

Pursuit / project = territory-led or cyber capture, often non-recurring first award. Recurring = hosting, MSSP, endpoints, managed ops. Capital build = one-time platform footprint (costing page), not a pursuit forecast.

Tier 1: Win pursuits today

Capture engine. Client hosting does not need to be live. Proof = live demos in the AI Sandbox.

Closest win

Line 1 (TECOM) is the pursuit nearest award. Lines 1 and 2 share one platform build: budget and readiness storytelling with grounded vs naive AI. Repurpose the TECOM demo for DHS and other federal CFO / program offices without a new build.

# Service line Status Primary buyer Revenue model Delivery Sandbox proof Platform dependency
1 TECOM budget-to-readiness intelligence Closest win TECOM PA&E / readiness; repurposable to DHS, civilian CFO and program shops Pursuit / project (active pipeline) KTG builds; territories sell and deliver TECOM resource-to-readiness demo; budget dollars to unit readiness on synthetic data Same IaC demo shell for other mission/budget clients; no re-build for DHS-style pursuits
2 Navy readiness decision intelligence Live Navy PA&E, readiness and program owners Pursuit / project after demo KTG builds; territories sell and deliver Navy readiness demo (grounded vs naive AI on synthetic mission data) Shared platform with line 1; separate customer thread from TECOM
3 Active defense and live SOC operations Live Agency CISO, SOC directors Cyber pursuit leading to Tier 3 MSSP Cyber AD/CD demo: detection, deception, OT scenarios, ServiceNow IR workflow Synthetic telemetry in sandbox; Sentinel visibility (Decision 2 in motion)
4 SOAR and federal financial-system analytics Live Financial system owners, IG and audit partners, SOC leads Cross-sell from cyber and audit practices Cyber SOAR demo: ingestion, anomaly scoring, alerting, worked incidents Same as SOC; opens audit-adjacent buyers without separate hosting
5 Federal AI workforce training and executive briefings Offered Program leadership, workforce and training shops Capability / pursuit (no contract yet; repeatable once sold) Sandbox content; territories teach USMC FM class used TECOM demo as centerpiece; proves format, not a booked training deal Can bundle with TECOM/DHS pursuits; Cognito demo access for classes
6 AI assurance and red-teaming Live AI program offices, CISO, authorizing officials Assessment engagements Cyber; territories at scale Methodology exercised in sandbox (hallucination, grounding, misuse) No client CUI in sandbox; aligns with Tier 3 ATO story later

Tier 2: First SOW after the win

Mission-specific builds proved in the sandbox, then promoted through the mission gate into a client accredited environment.

# Service line Status Primary buyer Revenue model Delivery Sandbox proof Platform dependency
7 Custom capability prototyping and promotion Ongoing Mission owners with gaps no incumbent fills Design-build and implementation SOWs Sandbox build; territories scale; Cyber governs gate Any first-of-kind demo that wins (apps, automations, agents) Promotion gate: IaC rebuild, SBOM, client approval (see companion line C2)

Tier 3: Recurring at platform scale

In the architecture plan and Moving Forward target state. The platform is the productized front end of a managed-security practice the division already runs. The MSSP lines below are not net-new capability. The division operates a 24/7/365 SOC across roughly 5,900 endpoints under a multi-year federal information-security program, and has deployed active-defense and cyber-deception tooling in a national-laboratory environment. The Sentinel build that gives the CIO one pane internally is the same service sold to clients as managed security. What Tier 3 needs is accredited client hosting and firm-owned cloud, not a capability we have yet to prove.

# Service line Status Primary buyer Revenue model Delivery What unlocks it Platform dependency
8 Accredited client hosting, commercial and SLED (CUI low tier) Target State and civilian agencies with CUI, no DoD nexus (Texas anchor) Recurring hosting + managed ops (companion C1) Cyber / Compliance Commercial CUI enclave; FedRAMP Moderate or TX-RAMP; per-client account Commercial CUI enclave on AWS (promoted from CUI pilot, Decisions 6–7); intake routing (line 13); overlays (line 13)
9 Accredited client hosting, federal and DoD (IL5 gold load) Target DoD and federal program owners with IL4/IL5 data Recurring hosting + apps + MSSP; highest ARR tier Cyber / Compliance One gold load accredited once, stamp-out per client (hard isolation) IL5 on AWS GovCloud or Azure Government; sponsorship path; funded baseline (companion C4); ESP determination (companion C3)
10 Managed SOC and security monitoring (MSSP) Target Agencies without in-house SOC Recurring MSSP Cyber Sentinel as client pane; one-way logs from hosted enclave. Proven on a live 24/7 federal SOC today. Same Sentinel build as internal overwatch and existing SOC delivery; ESP/MSP memo (companion C3)
11 Managed endpoint security Target CISOs with endpoint gaps in cloud-first shops Per device / seat Cyber Internal Cyber endpoint standard as first proof, then client offer (deferred from brief asks) Gold image + EDR + Sentinel telemetry; pairs with MSSP
12 Cloud and AI authorization support Target CIO, CISO, authorizing officials Advisory and assessment (project or retainer) Compliance + delivery practices SSP inheritance model from gold load and stamp-outs Discipline applied to our footprints and client deltas (companion C2)
13 Compliance overlays and client intake routing Target Any hosted client with CJIS, IRS 1075, HIPAA, or custom controls Per-client overlay build + assessment delta Cyber / Compliance Reusable overlay library on correct hosting tier Data-type screening before pursuit pricing; stops mis-tiered bids

Companion lines (attach to hosting and platform funding)

These appear throughout the architecture plan but are easy to miss in a pursuit-only view. CFOs should model them with Tier 3.

ID Line Revenue model When it bills Notes
C1 Managed cloud / enclave operations Recurring (often separate from hosting rent) Per hosted client Day-2 ops for client enclave: patching, monitoring hooks, change control. Bundled in hosting routing on lines 8–9 but should be priced as its own SKU for margin.
C2 Secure promotion and supply-chain assurance Per promotion / per release Each capability crossing the mission gate Security review, CycloneDX SBOM, control mapping. Billable DevSecOps wrapped around Tier 2 deliveries.
C3 ESP / MSP and personnel eligibility advisory Pre-sales compliance; gates MSSP pricing Before IL5 MSSP commit External Service Provider determination and operator eligibility in writing. Walk-away-or-staff-up gate for IL5 floor.
C4 IL5 gold-load baseline build Capital build Before client one Accredited baseline engineering and compliance; separate program decision on the costing page.

Optional pursuit accelerators (not separate core SKUs today): detection engineering and purple-team work under line 3; federal audit / IG analytics buyers under line 4; cross-cloud identity and SIEM onboarding SOWs for clients mirroring our Entra–Sentinel spine.

Funding linkage (brief decisions)

Maps sellable lines to What we are asking for and platform costing.

Decision / resource What it unlocks for revenue Tiers affected
Decision 1: Firm AWS org + lab migration Governed synthetic demos; prerequisite for CUI pilot account Tier 1 (all); Tier 2 gate
Decision 2–3: Sentinel + Entra Visibility and identity for lab and pilot Tier 1–2; Tier 3 MSSP proof
Decision 4–5: Synthetic Opex + 1099 Keep TECOM and Navy winning on software Tier 1 (1–2, 4–6)
Decision 6–7: CUI pilot charter + $7K/mo cloud + 1099 surge Client CUI demos; TECOM on real data; DHS reuse; overhead carries build Tier 1 pursuit; Tier 3 hosting path
IL5 gold load, GovCloud or Azure Government (future) Full DoD hosting and stamp-out Tier 3 (8–9, 12–13)
CGO summary

Fund Tier 1 on synthetic now. Fund the CUI pilot (Decisions 6–7) so John can run TECOM-class demos on authorized client data within 90 days. IL5 hosting remains a separate program on the costing page.

Out of scope for this platform

  • IL6 and IC classified work (separate facility-clearance program)
  • Client-hosted data inside the corporate GCC High CMMC boundary
  • Slide-only pursuits with no path to hosted, managed, or gated delivery

Keeping these out preserves defensibility in front of a 3PAO and a client assessor.