Solanasis — Operational Resilience Baseline (ORB) Playbook (Refined)

Version: v3
Date: 2026-03-02 (America/Denver)
Timebox: 10 business days + 3 calls (Kickoff / Mid-check / Readout)
Positioning hook: “Backups don’t matter until you restore.”
Core promise: One real restore test + board-ready summary + prioritized 30/60/90 plan


1) What we’re optimizing for (next 90–120 days)

1.1 ICP (keep it tight)

Primary target: 10–150 seats SMBs + nonprofits on M365/Google Workspace.
Exception (still OK): smaller teams if they’re real businesses (≥ ~$500k/year revenue) or VC-backed startups.
Buyer: CEO/Executive Director; champion: Ops lead + IT/MSP contact.

1.2 Sales reality: what ORB is designed to do

  • Close fast with a clear, fixed deliverable.
  • Create a natural bridge to:
    • Remediation Sprint (2–4 weeks), then
    • Fractional “Resilience Partner” (blended CISO/CIO/COO)

1.3 “AI-native” stance (important)

  • We use AI internally for drafting/summarizing.
  • We do not advertise “AI-native” as part of the pitch.
  • We never put secrets/PII in AI.

2) Offer packaging (simple externally, structured internally)

2.1 Public-facing name (friendly) + internal name (consistent)

  • Public name: Resilience Checkup (10-day baseline)
  • Internal name: Operational Resilience Baseline (ORB)

2.2 ORB Standard (the only thing you “lead with”)

Time: 10 business days
Includes:

  • Baseline security + ops review (high-signal checks, not deep forensics)
  • 1 restore test (small, safe dataset → sandbox/safe location)
  • Evidence-backed findings (sanitized)
  • Spreadsheet risk register + 30/60/90 action plan
  • 1–2 page executive summary (PDF)

2.3 Add-ons (keep these few)

  • Second restore test (different system): +5,000
  • Executive tabletop drill (45–60 min): +6,000
  • Policy mini-pack (5 short policies): +9,000

Rule: ORB stays the “fast yes.” Anything big becomes a remediation sprint.


3) Scope (what we check)

3.1 Domains covered (baseline)

  1. Identity & Access
    • Admin roles, MFA/2FA enforcement, shared accounts, least privilege, SSO posture
  2. Email & Collaboration
    • Phishing controls, external forwarding, file sharing defaults
  3. Endpoints (as available)
    • Inventory visibility, patch posture, disk encryption, AV/EDR posture
  4. SaaS posture
    • Who has admin, how access is granted, “orphaned” accounts, key configuration risks
  5. Backups & Restore readiness
    • Coverage, retention, ransomware protections, alerting, and restore test
  6. Operational resilience
    • Critical workflows, vendor dependencies, incident roles, escalation paths, documentation readiness

3.2 Out of scope (explicit)

  • Pen testing, red teaming
  • Full compliance audits (SOC 2/HIPAA/PCI) unless separately scoped
  • Large-scale migrations / implementations inside ORB
  • Deep appsec/code review

4) Access model (your preference: temp full admin) — done safely

You prefer a temporary full admin account for speed. Here’s how to make it clean and defensible.

4.1 The “Right” way to request temp admin

Ask the client to create a dedicated account for you (never use a shared or personal account):

  • solanasis.audit@their-domain.com (or similar)
  • MFA required
  • Time-limited (disable at the end)
  • If available:
    • M365: use Privileged Identity Management (PIM) / time-bound role activation
    • Restrict sign-in to your IP (if feasible)
    • Require approval for role activation (if feasible)

4.2 Minimum requirements (non-negotiable)

  • MFA enabled
  • Credentials shared via password manager (no email/text)
  • Client agrees you’ll remove/disable access at closeout
  • You only collect evidence needed and you sanitize it

4.3 What you say if a client pushes back

“We can do read-only in many places, but full admin for a limited time lets us finish faster and more accurately. We’ll use a dedicated temporary account with MFA and disable it at the end.”


5) Deliverables (what the client gets)

5.1 Executive Summary (PDF, 1–2 pages)

  • Why this matters
  • What we assessed (10 days)
  • Overall posture: Security / Recoverability / Ops readiness (Low/Med/High)
  • Restore verification result: Pass / Partial / Fail, time-to-restore, blockers
  • Top 5 risks
  • Top 5 actions in the next 30 days
  • Leadership decisions needed
  • Recommended next step (sprint +/or fractional)

5.2 Risk Register (Google Sheet / Excel)

Columns:

  • Risk ID
  • Title
  • Domain
  • Impact (H/M/L)
  • Likelihood (H/M/L)
  • Evidence (brief, sanitized)
  • Recommendation
  • Effort (S/M/L)
  • Owner type (Leadership / IT / MSP / Vendor)
  • Target (30/60/90)

5.3 30/60/90 Action Plan (Google Sheet / Excel)

Columns:

  • Priority
  • Action
  • Why it matters
  • Owner type
  • Dependencies
  • Notes

5.4 Maturity Scorecard (simple)

Scale 1–5 across:

  • Identity & Access
  • Email/Collaboration
  • Endpoints
  • Backups/Restore
  • Ops resilience

5.5 Restore Verification Runbook (client-ready)

  • Scope chosen + definition of success
  • Steps taken + start/end times
  • Result + blockers
  • Recommended “next drill” cadence
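The runbook above (and the Days 5–6 restore step in the timeline) calls for a definition of success, start/end times and a Pass / Partial / Fail result. As an added example, not part of the playbook or any client tooling, the harness below shows one way to produce that verdict mechanically: hash a manifest of the source sample before the restore, compare the restored copy against it, and compute time-to-restore from the recorded timestamps. File names, contents and timestamps are constructed, and `demo()` is a hypothetical helper that exists only to exercise the check.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(source_dir: Path) -> dict:
    """Relative path -> SHA-256 of the source sample. Build it BEFORE the restore,
    so the definition of success is fixed in advance rather than after the fact."""
    return {str(p.relative_to(source_dir)): sha256_file(p)
            for p in sorted(source_dir.rglob("*")) if p.is_file()}

def verify_restore(manifest: dict, restored_dir: Path,
                   started: datetime, finished: datetime) -> dict:
    """Compare the restored copy to the manifest; return the runbook fields."""
    missing = [r for r in manifest if not (restored_dir / r).is_file()]
    corrupt = [r for r, d in manifest.items()
               if r not in missing and sha256_file(restored_dir / r) != d]
    bad = len(missing) + len(corrupt)
    if not manifest or bad == len(manifest):
        result = "Fail"       # nothing usable came back (or nothing to check)
    elif bad:
        result = "Partial"    # some files back, some missing or altered
    else:
        result = "Pass"
    ttr = round((finished - started).total_seconds() / 60, 1)
    return {"result": result, "time_to_restore_min": ttr,
            "missing": missing, "corrupt": corrupt}

def demo() -> dict:
    """Constructed sample (not client data): three source files; the restore brings
    back one intact, one altered and none of the third, so the verdict is Partial."""
    root = Path(tempfile.mkdtemp())
    src, dst = root / "source", root / "restored"
    for d in (src, dst):
        d.mkdir()
    for name, data in (("a.txt", b"alpha"), ("b.txt", b"bravo"), ("c.txt", b"charlie")):
        (src / name).write_bytes(data)
    manifest = build_manifest(src)
    (dst / "a.txt").write_bytes(b"alpha")   # intact
    (dst / "b.txt").write_bytes(b"BRAVO")   # altered; c.txt was never restored
    started = datetime(2026, 3, 5, 9, 0, tzinfo=timezone.utc)
    finished = datetime(2026, 3, 5, 9, 42, tzinfo=timezone.utc)
    return verify_restore(manifest, dst, started, finished)
```

The `missing` and `corrupt` lists are the "blockers" evidence for the runbook, and the verdict rule (all bad = Fail, some bad = Partial, none = Pass) is an assumption you can tighten to match the success definition agreed at kickoff.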

6) Pricing (fixed fee + clear scope) — launch-ready tiers

You asked for help choosing pricing tiers by size/complexity. Here’s a simple, defensible model.

6.1 Pricing philosophy (what you’re really selling)

You are selling:

  • Proof (restore test)
  • Decision clarity (exec summary + top actions)
  • A prioritized plan they can execute with or without you

Price it like a high-impact diagnostic that prevents expensive downtime.

6.2 ORB Standard — by seat band (publish “starting at”)

Band | Seats                                    | ORB Standard (10 biz days) | Typical buyer profile
S    | 1–10 (only if ≥ $500k rev or VC-backed)  | $5,000                     | “Small but real” companies
M    | 11–50                                    | $7,500                     | Most SMBs/nonprofits
L    | 51–150                                   | $12,500                    | More tooling + more risk surface
XL   | 151–500 (optional)                       | $19,500                    | Only if it’s a great fit

Payment terms: 50% to start, 50% at delivery.

6.3 Complexity uplifts (simple and fair)

Apply one uplift (don’t stack them endlessly):

  • +15% if hybrid/on-prem identity or multiple locations
  • +25% if acquisitions/mergers, multi-tenant, or chaotic vendor handoff
  • +35% if they expect “compliance-grade” documentation inside ORB

On Day 2 you either confirm “no uplift” or issue a quick change-order.

6.4 Nonprofit pricing

Keep scope identical. Offer either:

  • 10% nonprofit discount, or
  • Keep full price but allow a donation-based referral option (see referral section)

6.5 Why these numbers work (your bridge-revenue math)

At 12.5k per ORB, you only need:

  • 2 ORBs/month → 25k monthly bridge revenue
  • Plus 1 remediation sprint or fractional conversion → stable base

7) Delivery process (10 business days) — beginner-friendly

7.1 Calls (3 total)

  1. Kickoff (45–60 min): scope lock + choose restore test target
  2. Mid-check (20–30 min): “here’s what we’re seeing,” unblock access
  3. Readout (45–60 min): exec summary + decisions + next steps

7.2 Day-by-day timeline

Day 0 — Setup (Solanasis)

  • Create:
    • Internal Notion project (from template)
    • Client folder (Drive/SharePoint) + your working folder
  • Send kickoff email with:
    • Intake form
    • Access checklist
    • Calendar holds (Kickoff + Readout)

Day 1 — Kickoff + scope lock

Outputs:

  • Restore target chosen (one)
  • POC + MSP/vendor contacts confirmed
  • Confirm where final deliverables will live

Day 2 — Access + evidence collection

Outputs:

  • Temp admin access validated
  • Evidence checklist started
  • Inventory of key systems created

Days 3–4 — Baseline checks (fast + practical)

Outputs:

  • Findings bullets by domain
  • Sanitized screenshots/evidence captured

Days 5–6 — Restore verification (the “proof”)

Outputs:

  • Restore executed to safe location
  • Time-to-restore measured
  • Restore runbook drafted

Day 7 — Synthesis (turn findings into decisions)

Outputs:

  • Draft risk register
  • Draft maturity scorecard
  • Draft 30/60/90 plan

Day 8 — Draft deliverables

Outputs:

  • Draft exec summary (PDF)
  • Draft sheets for risks + plan

Day 9 — QA + pre-read

Outputs:

  • Remove contradictions
  • Sanitize evidence
  • Pre-read to POC (optional)

Day 10 — Leadership readout + decision

Outputs:

  • Decision on:
    • Remediation sprint
    • Fractional retainer
    • Or MSP-led remediation with you advising

8) AI workflow (safe + useful)

8.1 What AI is used for

  • Meeting transcript → summary + action items
  • Raw findings bullets → risk register wording
  • Risk register → 30/60/90 plan draft
  • Findings → executive summary draft (human-edited)

8.2 What AI is never used for

  • Secrets: passwords, keys, tokens
  • Full user lists
  • Detailed logs with PII
  • Any regulated data dumps

8.3 Copy/paste prompt pack (internal)

Meeting summary: “Summarize into Decisions, Risks, Open Questions, Action Items (owner type + due date).”

Risk drafting: “Turn these bullets into a risk entry with: Title, Description, Impact, Likelihood, Evidence, Recommendation, Effort.”

30/60/90 drafting: “Create a 30/60/90 plan from these risks. Prioritize high impact + low effort first. Include Owner Type.”

Exec summary: “Write a 1–2 page exec summary for non-technical leadership: top risks, restore outcome, top 5 actions.”


9) Contractor-based delivery (you manage; contractors execute)

You selected “contractors deliver most; you manage.” Here’s the simplest structure.

9.1 Roles (minimum viable)

  • You (Lead): kickoff, scope lock, readout, final QA, pricing/changes
  • Contractor A (Security config reviewer): identity/email baselines
  • Contractor B (Backup/DR): backup coverage + restore test execution notes
  • Contractor C (Ops analyst/writer): risk register + 30/60/90 plan formatting

9.2 Delegation rule

Contractors create:

  • Evidence notes
  • Draft risks
  • Draft plan items

You approve:

  • Priority ordering
  • Executive summary language
  • Any “claims” and recommendations

9.3 Quality gates (non-negotiable)

  • Every risk must have evidence
  • No secrets/PII in deliverables
  • Restore test documented with start/end times + result

10) Conversion ladder (how ORB turns into recurring revenue)

10.1 Remediation Sprint (2–4 weeks)

Purpose: fix the top 5–10 issues in the “30-day” list.

Pricing guidance (simple):

  • 2-week sprint: 18k
  • 4-week sprint: 35k

10.2 Fractional “Resilience Partner” (monthly)

Deliverables-based cadence:

  • Monthly posture + ops review
  • Quarterly restore drill
  • Quarterly tabletop
  • Vendor/permissions hygiene
  • Roadmap ownership

Starter pricing guidance:

  • 11–50 seats: 5,000/mo
  • 51–150 seats: 9,000/mo
  • 151–500 seats: 15,000/mo

11) Referral program (you asked for a typical structure)

You want a referral program and you’re leaning on your network.

11.1 Standard referral (friends/network)

Recommended: 10% of ORB fee, capped at $1,500

  • Paid after the client’s first payment clears
  • Option: donation to a nonprofit instead of cash

11.2 MSP/Partner referral

Pick one (keep it simple):

  • Option A (referral only): 15% of ORB fee, capped at $2,500
  • Option B (co-delivery): MSP does remediation; you do ORB + roadmap; agree on a rev-share per deal
  • Option C (white-label): MSP sells it; you deliver under their brand at an agreed wholesale price

Start with Option A. Add B/C only after you have repeatability.


12) Red lines (walk away / pause)

  • Client can’t provide access within a reasonable timeframe (timeline resets)
  • Client expects guaranteed prevention of incidents
  • Client wants you to store secrets unsafely
  • Scope creep into compliance/migration without a new SOW

13) Beginner “this week” checklist

  1. Put ORB one-pager + “starting at $X” on LinkedIn and your site
  2. Create your Notion ORB template (project + checklists)
  3. Build two Sales Navigator lists:
    • “CO SMB 11–150”
    • “CO Nonprofit 11–150”
  4. Launch outreach cadence (see LinkedIn playbook)
  5. Draft the referral program message and start asking

Appendix — Folder structure (hybrid)

Client folder (their Drive/SharePoint):

  • 00-admin (SOW, contacts)
  • 01-intake
  • 02-evidence (sanitized)
  • 03-deliverables-final (PDF + Sheets)
  • 04-closeout (next steps)

Solanasis working folder (internal):

  • meeting-notes
  • drafts
  • contractor-work
  • QA