Kindo × Deloitte - Strategic Framework to Execution Plan

Kindo × Deloitte

From Strategic Framework
to Execution Plan

Incorporating Tony's strategic framework + Joana's execution plan. Framed for Ron.

Source May 7 In-Person (Part 1 + Part 2) + May 19 Tony-Joana + Tony's Strategic Framework Updated May 24

1

Three Imperatives - Why Now

1

"The exclusivity window is closing."

Alliance agreement in progress - once locked, other firms can't replicate the embedded position. But only while Deloitte is the sole enterprise deployment partner.

2

"Speed of engagement > depth of engagement."

May 31 Swimlane migration, HP install, Mythos vulnerability wave - first mover with production agents wins. The market won't wait.

3

"The institutional knowledge capture is your moat - but only while it's scarce."

Compound learning starts only when agents are live in production. Every week of delay = competitors close the gap.

"Speed is going to be the most essential thing for us."

$5.5M

Current /yr

$6.5-7M+

With Net New Rev

40→80%

EBITDA Target

0/100

Prod Equivalents

2,800+

People Under Kush

$800M

Committed Rev

← BackEBITDA Bridge →

2

EBITDA Strategic Framework

40% → 80% improvement

Kindo Core Platform Team

Cost Elimination ~25-35%

Low Institutional Knowledge Dependency

Alliance contract - not controllable
Swimlane + CrowdStrike sunset

Swimlane $3-6M/yr · Jira/ITSM $0.5-1.5M · CrowdStrike $2-4M = ~$5.5-11.5M/yr cost elimination

"Sunset Swimlane in every which capacity" - Krishna

Deloitte Rapid Response Team

Scale Efficiency ~25-30%

Medium Institutional Knowledge Dependency

Same pool → more clients
Triage: 21→5 min (76% ↓)
Human effort: 70-85% ↓
Audits: sample → 100%

Deloitte Rapid Response Team

Net New Revenue ~35-45%

High Institutional Knowledge Dependency

A6-A13: each a revenue event
$5.5M → $6.5-7M+ growth

Each agent (A.6-A.11) = new service capability = new billable offering. New revenue at near-zero marginal cost - the highest-margin source

"Every agent is a net new revenue goal - either new revenue dollars or better profit margins" - Krishna

~70% of EBITDA improvement flows through institutional knowledge Institutional knowledge = compound learning through use (Kush's definition). Three levels: 1 User - individual analyst's agent learns their patterns 2 Agent - "Week 10 vs week 6?" (Kush) - agent improves across all users 3 Organizational - accumulated learning across all agents becomes org intelligence.

"Speed is going to be the most essential thing for us"

Cost elimination depends on Kindo clean Self-Managed installs and training Deloitte on Kindo. But Scale Efficiency and Net New Revenue depend on custom configurations and mining new agent design/build opportunities.

← Why NowRevenue Path →

3

Revenue Structure - Contracted vs. Net New

A1-A5: Contracted ($5.5M) - No Net New

Fulfill existing license. Cost us to deliver (IK transfer) but no incremental revenue.

ID	Agent	Status	Model
A.1	Threat Monitoring	PROD	MXDR
A.2	Threat Intel	PROD	MXDR
A.3	Threat Hunt	PROD	MXDR
A.4	Detection Eng	PROD	MXDR
A.5	CTEM	BUILT	MXDR

A6-A13: Net New Revenue - Growth Engine

Each is a revenue event. Push $5.5M → $6.5-7M+. Justifies CDO role.

ID	Agent	Status	Model	Ph
A.6	Vitals Dashboard	PLAN	Cross	2
A.7	Quality Audit	PLAN	Cross	2
A.8	Cloud Security	PLAN	Ded/Sh	3
A.9	IR Agent	PLAN	Ded/Sh	3
A.10	IoT/OT	PLAN	Ded/Sh	3
A.11	Custom Client	PLAN	Bespoke	3
A.12	Identity→IdaaS	PLAN	New SL	4
A.13	GRC→GRC aaS	PLAN	New SL	4

Alliance Revenue Model: Net new revenue (A.6-A.13) only flows if T&C discovers, designs, and implements. Revenue trajectory: $5.5M contracted → $1-2M+ net new → $5-12M+ upside (2-3× expansion). Kush confirmed consumption-based revenue sharing above adoption thresholds. Deloitte Cyber Operate annual revenue = $300M.

22-34 Net New Agents Identified: Beyond A.1-A.13, the Cyber Operate portfolio supports 22-34 additional agents across 6 service lines. Current scope = ~5% of total opportunity. Full opportunity: 80-165 under Kush, 250-550 under Adnan.

42 total items: 11 Contracted · 10 Alliance Revenue · 12 Alliance Institutional · 9 Ops. 23 of 42 (55%) depend on institutional knowledge. Plus 12 additional items on Krishna's roadmap beyond A.1-A.13 (untracked demand). See full scope matrix →

← EBITDAIK Flywheel →

4

Institutional Knowledge Flywheel - The Moat

Institutional knowledge ≠ static knowledge extraction. Kush's definition = compound learning through use. This is a flywheel, not a one-time transfer.

Kush's 3-Level Compound Learning

1

User

Individual analyst's agent learns their patterns and preferences over time

2

Agent

"Week 10 vs week 6?" - Kush
Agent improves across all users by processing real-world cases

3

Organizational

Accumulated learning across all agents becomes organizational intelligence

23/42

Scope Items Depend on IK (55%)

~70%

EBITDA Improvement Flows Through IK

Speed to production = exponentially important Compound learning starts only when agents are live. Every week of delay = competitors close the gap. This is a FLYWHEEL, not a one-time transfer.

"You also got a free design partner. That's how you should look at it." - Kush

CDO Role = Learning Loop Accelerator Not a knowledge extractor. The CDO (Tony) embeds in the Deloitte operating environment to accelerate the flywheel - mining new agent opportunities, tuning existing agents through production feedback, and expanding the compound learning across service lines.

Agent Memory = Kush's #1 Platform Priority "In Kindo, I did not see any of this stuff today." — Kush. Not in May 27 release. Requires platform architecture. Risk: without memory, compound learning degrades during HP shadow phase.

🤝

Tony × Service Lines

→

🧠

IK Capture

→

⚡

Agent Design + Build

→

📊

EBITDA Proof

→

📈

Upsell → Expand

↩

← RevenueR&D Lab → Market →

5

Deloitte is the R&D Lab. Mythos is the Market.

Two-Tier Product Strategy

"There's a Venn diagram overlapping Mythos and Deloitte" - Tony, May 19

Tier 1: Platform-Only

Customer buys Kindo platform + training. Builds their own agents from scratch.

Agent builder & orchestration engine
Integration framework (MCP ecosystem)
Self-Managed deployment
Standard documentation & training

Customer starts from zero. Months to first production agent. Generic platform sale.

Tier 2: Deloitte-Hardened Agent Bundles

Kindo platform + pre-configured agent templates built from Deloitte production experience.

Everything in Tier 1, plus:
Pre-configured agent templates per use case
Integration patterns already wired (ServiceNow, Splunk, ITSM)
Decision logic & triage workflows tuned from real production
Operational playbooks embedded from Deloitte deployment
3-6 months of accumulated judgment baked in

Days to first production agent. Battle-tested, not lab prototypes. Premium pricing.

The Differentiator: Deloitte Rapid Response Team

Value Chain

5 of 9 overlap agents already in production/built on Kindo
Deloitte Rapid Response Team configures, deploys, hardens in real production
Accumulated judgment from 3-6 months of live operation
Agent configs, integration patterns, and playbooks packaged as templates
Templates become the Kindo Mythos Response Product (Tier 2 pricing)
Deloitte contract funds the R&D - Mythos product monetizes it at premium

Kush's Service Line Packaging (May 7)

Same template model extends across Cyber Operate portfolio:

D&RaaS Bundle: A.1-A.5 + A.6 Vitals + A.7 Audit (Krishna)
CaaS Bundle: Custom CaaS agents + A.13 GRC (Nathan Ellis)
Identity aaS Bundle: A.12 Identity Agent (Tim Corder)
Cloud & Infra Bundle: A.8 Cloud Security (Bhargav)
GRC Bundle: A.13 GRC Agent + compliance workflows (Nathan)
Mythos Response Bundle: A.1-A.5 + A.7 Audit + A.9 IR (cross-service)

Each bundle = a sellable product per discipline. Deloitte hardening = proof points for every bundle.

Pricing Premium - Pre-Configured Agent Bundles vs Platform-Only

Conservative: 40-60%+

Pre-configured templates + integration patterns. Customer still customizes. Comparable to SOAR platform + content packs pricing.

Target: 60-100%+

Production-proven at Deloitte. Battle-tested in F50 environment. Comparable to MDR vs self-managed EDR pricing.

Aggressive (Mythos crisis): 100-150%+

Speed premium during active vulnerability wave. "Deployed in days, not months." Comparable to IR surge pricing.

Scenario	Clients /yr	Bundle Premium	Avg Deal Size	Incremental Rev
Platform-only baseline	-	-	$500K-$2M	-
Conservative Premium (Deloitte service lines)	3-5	+50%	$750K-$3M	$1-5M
Target Package Premium (Deloitte + Mythos)	5-10	+75%	$875K-$3.5M	$2.5-12M
Aggressive Premium (Mythos surge)	10-20	+100-150%+	$1-$5M	$5-25M

Key insight: R&D cost = $0 for Kindo. Deloitte's $5.5M contract funds agent development. Bundle revenue = near-pure margin. The Deloitte Rapid Response Team creates the product AND the proof points that sell it.

UNVERIFIED: Deal sizes are structural estimates based on enterprise cybersecurity SOAR/MDR market comps ($826M→$1.7B SOAR market, MarketsandMarkets). Actual Kindo pricing needs validation from Ron/Kush. Client count scenarios are directional, not forecasted.

← IK FlywheelThe Team →

6

The Team - Tony's 7-Person Operating Model

Tony

Portfolio / Strategy · Deloitte GM

Alliance expansion
Ron/Kush relationship
Strategic positioning

Joana

Program / Execution · Governance

Deployment RACI
Program governance
Training coordination
Execution tracking
OGC legal pipeline tracking

Victor

Product / Engineering Lead

Agent design oversight
Product quality
Evals system

Charlie

Chief Architect · Kindo-Dedicated Eng

Platform engineering
Kindo-dedicated development
Integration architecture

Dukane

Delivery Support

Day-to-day analyst coordination
Client deployment support

Agent Designer

Business / Config (60% of scaling)

Sits with Deloitte service line teams
Captures IK, designs agent workflows
Configures packages per discipline

Think: former SOC analyst / security consultant who learns the Kindo platform

Engineer

Platform / Integration

Custom MCP servers + API integrations
Data privacy architecture
Environment deployment

Builds the plumbing connecting agents to client systems

Warren ⚡

Force Multiplier (~2-3 engineers equiv)

Bulk agent configuration
Integration pattern replication across service lines
Deployment automation + quality audit
Dashboard, reporting, 24/7 ops

Scaling Math Agents = configurations, not compiled code → 60% Agent Designers, 25% Engineers, 15% Program. Ratio: 15-25 agents per person at steady state. This team of 7 + Warren scales from current scope through 100+ agents without linear headcount growth.

Program Governance (Kush-Approved)

Weekly: Tuesday meetings (~25 attendees)
Monthly: Exec touchpoints (Krishna required, Arun invited)
Portal-only request intake - "Don't accept email" (Kush)
Deloitte-side priority curator (Kush flagged)

Org Scale Context Kush has 2,800+ people. Adnan has 9,000-12,000. This team of 7 + Warren scales to serve all of them through agent configurations - not headcount. Full opportunity: 80-165 agents under Kush, 250-550 under Adnan.

← MythosThe Ask →

7

The Ask - Key Decisions

1

Fund the Team

7-person commitment: Tony, Joana, Victor, Charlie, Dukane, Agent Designer, Engineer. Warren comes with the package. Phase growth: 3 engineers → 5 + delivery lead → 10 + team.

2

Authorize Alliance Expansion

Move beyond A.1-A.5 contracted scope into A.6-A.13 net new revenue. Revenue trajectory: $5.5M → $1-2M+ net new → $5-12M+ upside (2-3× expansion). Share of net new revenue that T&C creates through the alliance expansion.

3

Tony as Deloitte GM

Operating partner for the engagement. The only person who can acquire the institutional knowledge that 55% of scope depends on. CDO role = learning loop accelerator for the ~70% of EBITDA improvement that flows through IK.

4

Speed Commitment

May 31 Swimlane AI migration → HP deployment → 100 installs by Feb 2027. "Speed of engagement > depth of engagement." The exclusivity window closes when competitors catch up.

Contract Milestones 0/7 internal Self-Managed Kindo production equivalents + 0/100 client production deployments against contract targets. ITS install is progress but does not count as a contract production equivalent per Kush's definition. 10 months remain.

Org Scale Kush has 2,800+ people. Adnan has 9,000-12,000. This team of 7 + Warren scales to serve all of them through agent configurations. Current scope = ~5% of total opportunity. Full opportunity: 250-550 agents.

← TeamAgent Packaging →

8

Agent Packaging by Service Line

1. D&RaaS 70% coverage

Krishna · ACTIVE

A.1-A.5 (4 PROD + 1 BUILT)
A.6 Vitals, A.7 Audit, A.9 IR
Serves: MXDR, Shared, Dedicated

2. CaaS 5% coverage

Nathan Ellis · PH 2–3

Custom CaaS agents (TBD)
A.13 GRC crossover
Nathan owns first 5-7 deploys

3. Identity aaS

Tim Corder · PH 4

A.12 Identity Agent
J&J team (Adelina)

4. Cloud & Infra 8% coverage

Bhargav · EXISTING IMPL

A.8 Cloud Security
Firewall provisioning already on Kindo (insurance co, ServiceNow+Palo Alto+custom)
Pre-Kindo ERP security asset migrated

5. GRC aaS

Nathan · PH 4

A.13 GRC Agent
Compliance workflows

6. App Security

No owner · FUTURE

TBD - Phase 4+

Kush's Architecture: "Your ITSM is only a system of record now. Your system of execution and workflow is this new platform." SOAR Flow: Triage agent → calls DE + CTI sub-agents → context returns → containment loop. Kindo Eng building (beta). See operational map →

Revenue per client: 1 Base D&RaaS bundle 2 Service-line add-ons 3 Bespoke custom agents (A.11) 4 Private MCP integrations. Each layer = incremental revenue.

← The AskPlatform: Critical →

9a

Platform Priorities - Critical

May 7 asks → current status

1. Self-Managed Kindo Instance Stability

1ST INSTALL DONESANDBOX TESTING

Ask: Click-click-click installs (was 3-5 days).

Now: 1st production Self-Managed Kindo install in Deloitte's internal IT environment this week. Installer/upgrader/preflight in May 27 release. Observability MVP in final testing.

2. Release Parity (Cloud ↔ Self-Managed)

CLOSING MAY 27

What this means: Kindo ships features to its cloud (SaaS) version first. Deloitte runs a Self-Managed instance on their own infrastructure. "Release Parity" = getting the same features on both versions at the same time. Kush keeps asking because Deloitte's instance has been behind.

Ask: "You keep getting this question from me" - Kush

Now: May 27 release closes the gap with 15+ features shipping to Self-Managed: Chatbot APIs, Version Control, Pinned Credentials, ServiceNow integration, MITRE ATT&CK framework, Member API Keys. Biggest parity close yet.

3. Agent Memory & Self-Improvement

NOT STARTEDKUSH'S #1

Ask: 3-layer compound learning (user → agent → org). "In Kindo, I did not see any of this stuff today."

Now: Not in May 27. Requires platform architecture. Risk: degrades compound learning in HP shadow.

4. Multi-Agent Orchestration

BETA - Feature Flag Enabled on Deloitte Self-Managed

Ask: Supervisory triage agent calls Detection Engineering + Cyber Threat Intelligence sub-agents automatically.

Now: Agent-to-Agent feature flag enabled on Deloitte's Self-Managed Kindo instance (calibrated rollout). General Availability gated on resource hardening.

← PackagingPlatform: High/Med →

9b

Platform Priorities - High & Medium

May 7 asks → current status

5. Integrations - MCP Ecosystem

PRIVACY IN DEVNEW MCPs SHIPPING

Shipping May 27: ServiceNow triggers, MITRE ATT&CK, Dynamic API resolution

In review: SailPoint writes, PostgreSQL, Jira attachments

Urgent: Zscaler ZIA for May 27 demo; Swimlane fix (TEK-141)

6. Agent Reliability & DX

SHIPPING MAY 27

Done: Long-run reliability + Plan Mode, Agent Version Control (GitOps), Pinned Credentials, Error UX, Chat Actions API, Chatbot APIs

Backlog: Error messages (8798), re-run failed step (10190), resizable windows (9378), prompt filtering (9967)

7. Token / Cost Optimization

ROADMAP

"$25K/month, 80% LLM" - Nathan. Four strategies planned: auto model selection, better context, structured memory, compaction. Not in May 27.

8. GenUI / Canvas

DEPRIORITIZED PH 1-2STRATEGIC PH 3-4

Now: "Hold back on Canvas. We'll use TrueArch Hub." - Kush. Chat Actions API (shipping May 27) powers it.

But: Kush calls Canvas/UX "uber uber important" for the long-term vision - making Kindo the "everyday workbench for the entire security organization." Deprioritized for Phase 1-2; strategic priority for Phase 3-4 CISO-level engagement.

← CriticalHP Deploy & Risks →

10

HP Deployment RACI & Risks

First production client (Fortune 100 Dedicated MSS)

R Responsible A Accountable C Consulted I Informed

Activity	Krishna	Nathan	Kindo	Joana	Tony
Ph 1 - Installation & Doc Ingestion
SMK provisioning (AEF)	A	R	R	C	I
Security & NEC review	A	R	C	I	I
D&RaaS agent deployment (A.1-A.5)	C	A	R	C	I
HP integrations (private MCP)	C	A	C	I	I
ITSM + SOP ingestion	A	I	C	R	I
Ph 2 - Shadow (Parallel Operation)
Ticket mirroring + monitoring	C	A	R	R	I
Human feedback + accuracy tracking	C	I	C	A	I
Weekly review	A	C	I	R	C
Ph 3 - Reverse Shadow (Agent-Primary)
Agent primary + 15% human oversight	A	C	R	A	I
Validation + EBITDA tracking	C	I	I	R	A
Go/no-go steady state	R	C	C	C	I
Ph 4 - Steady State (Production)
Autonomous execution (70%) + 100% audit	A	I	R	C	I
EBITDA reporting + custom expansion	C	C	R	A	A

Client Access Model (Kush directive): Clients have read-only access. They can see agent activity and interact, but cannot modify the system. "We own the system - ownership, management, administration, metrics, upkeep, uptime - all of that is on us." Kindo RBAC must support this scoping.

Key Risks

Risk	Impact	Mitigation
Platform stability	Blocks Ph 1	Sandbox hardening; Nathan cleanup. Deloitte will NOT deploy internally first - clients before internal.
Agent memory gap	Degrades learning	Manual IK during Shadow
OGC legal (per client)	Serial bottleneck on migration + 100-install target	Map OGC approval pipeline; track cleared vs pending
48-hour RCA obligation	Support burden on outages	Factor into support planning; QBR escalation path
Swimlane = two workstreams	May 31 = AI use only; SOAR replacement = separate, harder	Split tracking: AI use (May 31) vs SOAR/workflow (longer)
Jira migration = 3 mo/client	Constrains cost elimination	Build client-by-client windows; start early
Release parity	Limits visibility	May 27 release closes gap
AEF env decision	Delays provisioning	HP = prod = AEF

← PlatformTimeline →

11

Execution Timeline

Phase 1: Foundation - Now → May 31

✅ A.1-A.4 in production · A.5 built
✅ First Self-Managed Kindo install (ITS - not yet a contract prod equivalent)
✅ May 27 release: 15+ features, agent-to-agent orchestration
✅ Training Cohort 1 (26/31) · Chitra running parallel 2,800+ enablement
🚨 Swimlane AI use migration May 31 (SOAR replacement = separate, longer)
📋 HP deployment planning · SOWs in legal review · OGC approval per client

Phase 2: First Client + Scale Prep - June-July

HP Phase 1 (dev deployment w/ Qburent first, then prod provisioning + doc ingestion)
Internal ITS production deployment (~90 days from Renta clearance)
Alliance agreement draft contract · consumption-based revenue sharing
MXDR efficiency data → proof points
D&RaaS agent package finalized · Cohort 2 (curated scope per Kush)
Jira migration starts (3-month per-client effort)

Phase 3: Shadow + Expansion - Jul-Aug

HP Phase 2 (shadow - parallel operation)
A.6 Vitals + A.7 Audit development
CaaS integration planning (Nathan)
10-20 additional MXDR installs

Phase 4: Production + Net New - Sep → Feb 2027

HP → steady state · A.8-A.11 dev
Dedicated MSS scaling (multi-F50)
Identity aaS expansion
Target: 100 installs by February 2027

← HP DeployOperations →

12

Current Operational Status

Week of May 19 - Three parallel workstreams toward May 31

🔧 Platform

15+

Features in May 27 release

Pinned Credentials LIVE
Agent Version Control (GitOps)
Chat Actions API
Long-running reliability + Plan Mode
ServiceNow triggers + Dynamic API
MITRE ATT&CK
Agent-to-Agent Feature Flag On
Member API Keys (Self-Managed)
Sandbox stability - final testing
Self-Managed Kindo installer + Observability MVP

Build May 26 · Upgrade May 27

🚀 Deployments

0 / 100

Contract production equivalents (Kush's definition)

DONE 1st Self-Managed Kindo install (ITS - dev/staging, not contract prod equivalent)
🚨 May 31 - Swimlane AI migration (SOAR replacement = separate, longer effort)
HP planning next (Ded MSS, AEF) - Mo recommends dev deployment w/ Qburent first
SOWs in legal review - infra readiness is the gate
OGC legal approval required per client migration
Internal ITS production within 90 days (Renta process cleared)

Krishna: MXDR AI → Kindo by May 31 (no-paperwork clients)

🎓 Training (Two Tracks)

26 / 75

Kindo-delivered training toward 100-install readiness

DONE Cohort 1 (26/31 attended)
REVIEW Cohort 2 scope - Kush questioned purpose targeting: "assess where the questions come from"
Practitioner + Technical tracks
6 domains: Platform, Impl, Integrations, Governance, Use Case, Ops

Parallel track: Chitra (Kush's team) runs internal enablement for 2,800+ people independently. Deloitte owns breadth; Kindo owns depth.

Coordinate with Kush/Arun on Cohort 2 curation

← TimelineScope Matrix →

⊞

Reference: Scope Matrix v1.0

42-item scope: agents, platform, delivery, service lines, operations - with status, IK dependency, focal person.

Scope Matrix v1.0 Click for full screen

← OperationsOp Map →

⊞

Reference: Krishna D&RaaS Operational Map

Leadership, ops, service lines, agents, and Kindo integration points across Cyber Operate.

Krishna DREAS Operational Map Click for full screen

← Scope Matrix↗ Start