Kindo × Deloitte
From Strategic Framework
to Execution Plan

Connecting the May 7 strategy session to the delivery engine — framed for Ron, adaptable for Kush/Krishna next week.

Source May 7 In-Person Updated May 21 v1 Ron v2 Kush/Krishna
1

Executive Summary

Deloitte Cyber Operate is rebuilding its entire delivery model around Kindo — not evaluating, committing. Krishna mapped Kindo into every delivery model and service line.

$5.5M
Current /yr
$6.5–7M+
With Net New Rev
40→80%
EBITDA Target
100
Installs by Feb '27
$300M
Annual Cyber Op Rev
$800M
Committed Rev /yr

Why Now

  • May 31: all non-contract MXDR → Kindo (Krishna directive)
  • HP: first production client install — happening now
  • Alliance agreement in progress — same tier as Google, SAP
  • Mythos vulnerability wave — banks, healthcare, defense overwhelmed with newly discovered vulnerabilities need exactly these cybersecurity operational agents. Deloitte delivery = the forge where production-hardened agents for the Mythos response get built first
Deloitte GM Tony is the only person at Kindo who can deliver on the current contract while expanding on the Deloitte Alliance agreement.
← BackEBITDA Framework →
2

EBITDA Strategic Framework

40% → 80% improvement

Kindo Core Platform Team

Cost Elimination ~25–35%

Low Institutional Knowledge Dependency
  • Alliance contract — not controllable
  • Swimlane + CrowdStrike sunset

Swimlane $3-6M/yr · Jira/ITSM $0.5-1.5M · CrowdStrike $2-4M = ~$5.5-11.5M/yr cost elimination

"Sunset Swimlane in every which capacity" — Krishna

Deloitte Rapid Response Team

Scale Efficiency ~25–30%

Medium Institutional Knowledge Dependency
  • Same pool → more clients
  • Triage: 21→5 min (76% ↓)
  • Human effort: 70–85% ↓
  • Audits: sample → 100%

Deloitte Rapid Response Team

Net New Revenue ~35–45%

High Institutional Knowledge Dependency
  • A6–A13: each a revenue event
  • $5.5M → $6.5–7M+ growth

Each agent (A.6-A.11) = new service capability = new billable offering. New revenue at near-zero marginal cost — the highest-margin source

"Every agent is a net new revenue goal — either new revenue dollars or better profit margins" — Krishna
~60–75% of EBITDA improvement flows through institutional knowledge Institutional knowledge = compound learning through use (Kush's definition). Three levels: ① User — individual analyst's agent learns their patterns ② Agent — "Week 10 vs week 6?" (Kush) — agent improves across all users ③ Organizational — accumulated learning across all agents becomes org intelligence.

"Speed is going to be the most essential thing for us"

Cost elimination depends on Kindo clean Self-Managed installs and training Deloitte on Kindo. But Scale Efficiency and Net New Revenue depend on custom configurations and mining new agent design/build opportunities.

← SummaryRevenue Structure →
3

Revenue Structure — Contracted vs. Net New

A1–A5: Contracted ($5.5M) — No Net New

Fulfill existing license. Cost us to deliver (IK transfer) but no incremental revenue.

IDAgentStatusModel
A.1Threat MonitoringPRODMXDR
A.2Threat IntelPRODMXDR
A.3Threat HuntPRODMXDR
A.4Detection EngPRODMXDR
A.5CTEMBUILTMXDR

A6–A13: Net New Revenue — Growth Engine

Each is a revenue event. Push $5.5M → $6.5–7M+. Justifies CDO role.

IDAgentStatusModelPh
A.6Vitals DashboardPLANCross2
A.7Quality AuditPLANCross2
A.8Cloud SecurityPLANDed/Sh3
A.9IR AgentPLANDed/Sh3
A.10IoT/OTPLANDed/Sh3
A.11Custom ClientPLANBespoke3
A.12Identity→IdaaSPLANNew SL4
A.13GRC→GRC aaSPLANNew SL4
42 total items: 11 Contracted · 10 Alliance Revenue · 12 Alliance Institutional · 9 Ops. 23 of 42 (55%) depend on institutional knowledge. See full scope matrix →
← EBITDAAgent Packaging →
4

Agent Packaging by Service Line

1. D&RaaS

Krishna · ACTIVE
  • A.1–A.5 (4 PROD + 1 BUILT)
  • A.6 Vitals, A.7 Audit, A.9 IR
  • Serves: MXDR, Shared, Dedicated

2. CaaS

Nathan Ellis · PH 2–3
  • Custom CaaS agents (TBD)
  • A.13 GRC crossover
  • Nathan owns first 5–7 deploys

3. Identity aaS

Tim Corder · PH 4
  • A.12 Identity Agent
  • J&J team (Adelina)

4. Cloud & Infra

Bhargav · PH 3–4
  • A.8 Cloud Security
  • Firewall provisioning on Kindo

5. GRC aaS

Nathan · PH 4
  • A.13 GRC Agent
  • Compliance workflows

6. App Security

No owner · FUTURE
  • TBD — Phase 4+
SOAR Flow (Kush, May 7) Triage agent → calls DE + CTI sub-agents → context returns → containment loop. Kindo Eng building (beta). See operational map →
Revenue per client: ① Base D&RaaS bundle ② Service-line add-ons ③ Bespoke custom agents (A.11) ④ Private MCP integrations. Each layer = incremental revenue.
← RevenuePlatform: Critical →
5a

Platform Priorities — Critical

May 7 asks → current status

1. Self-Managed Kindo Instance Stability

1ST INSTALL DONESANDBOX TESTING

Ask: Click-click-click installs (was 3–5 days).

Now: 1st production Self-Managed Kindo install in Deloitte’s internal IT environment this week. Installer/upgrader/preflight in May 27 release. Observability MVP in final testing.

2. Release Parity (Cloud ↔ Self-Managed)

CLOSING MAY 27

What this means: Kindo ships features to its cloud (SaaS) version first. Deloitte runs a Self-Managed instance on their own infrastructure. "Release Parity" = getting the same features on both versions at the same time. Kush keeps asking because Deloitte’s instance has been behind.

Ask: "You keep getting this question from me" — Kush

Now: May 27 release closes the gap with 15+ features shipping to Self-Managed: Chatbot APIs, Version Control, Pinned Credentials, ServiceNow integration, MITRE ATT&CK framework, Member API Keys. Biggest parity close yet.

3. Agent Memory & Self-Improvement

NOT STARTEDKUSH'S #1

Ask: 3-layer compound learning (user → agent → org). "In Kindo, I did not see any of this stuff today."

Now: Not in May 27. Requires platform architecture. Risk: degrades compound learning in HP shadow.

4. Multi-Agent Orchestration

BETA — Feature Flag Enabled on Deloitte Self-Managed

Ask: Supervisory triage agent calls Detection Engineering + Cyber Threat Intelligence sub-agents automatically.

Now: Agent-to-Agent feature flag enabled on Deloitte’s Self-Managed Kindo instance (calibrated rollout). General Availability gated on resource hardening.

← PackagingPlatform: High/Med →
5b

Platform Priorities — High & Medium

May 7 asks → current status

5. Integrations — MCP Ecosystem

PRIVACY IN DEVNEW MCPs SHIPPING

Shipping May 27: ServiceNow triggers, MITRE ATT&CK, Dynamic API resolution

In review: SailPoint writes, PostgreSQL, Jira attachments

Urgent: Zscaler ZIA for May 27 demo; Swimlane fix (TEK-141)

6. Agent Reliability & DX

SHIPPING MAY 27

Done: Long-run reliability + Plan Mode, Agent Version Control (GitOps), Pinned Credentials, Error UX, Chat Actions API, Chatbot APIs

Backlog: Error messages (8798), re-run failed step (10190), resizable windows (9378), prompt filtering (9967)

7. Token / Cost Optimization

ROADMAP

"$25K/month, 80% LLM" — Nathan. Four strategies planned: auto model selection, better context, structured memory, compaction. Not in May 27.

8. GenUI / Canvas

DEPRIORITIZED

"Hold back on Canvas. We'll use TrueArch Hub." — Kush. Chat Actions API (shipping May 27) powers it. Kindo = backend/API.

← CriticalHP RACI →
6a

HP Deployment RACI — Phase 1 & 2

First production client install (Dedicated MSS)

R Responsible A Accountable C Consulted I Informed

ActivityKrishnaNathanKindoJoanaTonyNotes
Phase 1 — Installation & Document Ingestion
Self-Managed Kindo provisioning (Deloitte infrastructure)ARRCINathan + Brandon; AEF for prod
Security & NEC reviewARCIINathan + Harish
D&RaaS agent deploymentCARCIBrandon + Marcos: A.1–A.5
HP integrations (private MCP)CACIIRobby's team; data stays in HP
ITSM ingestion (6 mo)ACCRIWarren + platform
SOP & doc ingestionAIIRIJoana + Warren
Phase 2 — Shadow (Parallel Operation)
Ticket mirroringCARIIKindo configures pipeline
Agent monitoringCIIRIAnalysts + Warren compare
Human feedbackCICAIFeeds compound learning
Accuracy trackingCIIRIVitals Dashboard proof points
Weekly reviewACIRCJoana runs; Kush consulted
← PlatformRACI Ph 3–4 →
6b

HP Deployment RACI — Phase 3 & 4 + Risks

ActivityKrishnaNathanKindoJoanaTonyNotes
Phase 3 — Reverse Shadow (Agent-Primary)
Agent primary executionACRIIPlatform runs; Krishna to Kush
Human oversight (15%)CIIAIShiva's analysts; Joana tracks
Validation (acc/compl/cons)CICRIWarren + Audit Agent (A.7)
EBITDA trackingCIIRAFlows: us → Deloitte → client
Go/no-go steady stateRCCCIKrishna recommends; Kush decides
Phase 4 — Steady State (Production)
Autonomous execution (70%)AIRIIKrishna owns outcomes
100% audit coverageAIRCIAudit Agent (A.7)
EBITDA reportingCIIRAProof points for upsell
Custom agent expansionCCRAIWarren + Kindo build

Key Risks

RiskImpactMitigationOwner
Platform stabilityBlocks Ph 1Sandbox hardening; Nathan cleanupNathan + Brandon
Agent memory gapDegrades learningManual IK during ShadowKush
Release parityLimits visibilityMay 27 release closes gapKindo Eng
AEF env decisionDelays provisioningHP = prod = AEFNathan
← RACI Ph 1–2Ops Status →
7a

Current Operational Status

Week of May 19 — Three parallel workstreams toward May 31

🔧 Platform

15+
Features in May 27 release
  • Pinned Credentials LIVE
  • Agent Version Control (GitOps)
  • Chat Actions API
  • Long-running reliability + Plan Mode
  • ServiceNow triggers + Dynamic API
  • MITRE ATT&CK
  • Agent-to-Agent Feature Flag On
  • Member API Keys (Self-Managed)
  • Sandbox stability — final testing
  • Self-Managed Kindo installer + Observability MVP
Build May 26 · Upgrade May 27

🚀 Deployments

1st Done
First Self-Managed Kindo production install (Deloitte internal IT)
  • DONE 1st production Self-Managed Kindo install
  • 🚨 May 31 — Swimlane migration
  • HP planning next (Ded MSS, AEF)
  • Target: repeatable install package
Krishna: MXDR → Kindo by May 31

🎓 Training

26 / 75
Engineers trained toward 100-install
  • DONE Cohort 1 (26/31 attended)
  • NEXT Cohort 2 (June 1st–2nd wk)
  • Practitioner + Technical tracks
  • 6 domains: Platform, Impl, Integrations, Governance, Use Case, Ops
  • LMS + auto new-hire paths
Ongoing: certification tracking
← RACITimeline →
7b

Execution Timeline

Phase 1: Foundation — Now → May 31
  • ✅ A.1–A.4 in production · A.5 built
  • ✅ First Self-Managed Kindo production install
  • ✅ May 27 release: 15+ features, agent-to-agent orchestration
  • ✅ Training Cohort 1 (26/31)
  • 🚨 Swimlane migration May 31
  • 📋 HP deployment planning · Cohort 2 (June)
Phase 2: First Client + Scale Prep — June
  • HP Phase 1 (Self-Managed Kindo provisioning + doc ingestion)
  • Alliance agreement draft contract
  • MXDR efficiency data → proof points
  • D&RaaS agent package finalized
  • 2nd/3rd client ID from renewal pipeline
Phase 3: Shadow + Expansion — Jul–Aug
  • HP Phase 2 (shadow — parallel operation)
  • A.6 Vitals + A.7 Audit development
  • CaaS integration planning (Nathan)
  • 10–20 additional MXDR installs
Phase 4: Production + Net New — Sep → Feb 2027
  • HP → steady state · A.8–A.11 dev
  • Dedicated MSS scaling (multi-F50)
  • Identity aaS expansion
  • Target: 100 installs by February 2027
← Ops StatusKindo Internal →
8

Kindo Team Considerations

Validate with Deloitte

  1. A1–A5 vs A6–A13 accurate against contract? ($5.5M = platform license)
  2. Platform blockers colliding with May 31?
  3. Krishna's directive aligns with deployment team tracking?
  4. HP timeline — when does Phase 1 provisioning start?

Agent Bundle Packaging — Feasibility

Feasibility: High — Low-to-Medium Complexity
  • Agent Version Control (GitOps) shipping May 27 — enables agent export/import
  • Agents are configurations on the platform, not compiled code — packaging = productizing existing config patterns
  • Integration patterns (ServiceNow, Splunk, ITSM) already built for Deloitte — templatize, not rebuild
  • Kush already suggested "packages of agents per service line" (May 7) — Deloitte wants this for their own expansion
  • Hard part is done: building and hardening agents in production. Packaging layer = product decision, not engineering moonshot

UNVERIFIED: Engineering effort estimate needs validation from Charlie/Brandon. Packaging layer itself is low-medium. Integration template QA per client vertical adds effort.

Pricing Premium — Pre-Configured Agent Bundles vs Platform-Only

Kindo can charge Aggressive pricing because there's a crisis AND because the Deloitte hardening gives Kindo a product that actually delivers at the speed the crisis demands.

Conservative Premium: 40–60%+

Pre-configured templates + integration patterns. Customer still customizes. Comparable to SOAR platform + content packs pricing (Palo Alto XSOAR, Swimlane Turbine bundles).

Target Package Premium: 60–100%+

Production-proven positioning at Deloitte. Battle-tested in F50 environment, not lab prototypes. Comparable to managed detection & response (MDR) vs self-managed EDR pricing.

Aggressive (Mythos crisis): 100–150%+

Speed premium during active vulnerability wave. Banks/healthcare under Mythos pressure can't wait months. "Deployed in days, not months." Comparable to incident response surge pricing.

Tier Progression = Deloitte Hardening Maturity

The tier progression is directly a function of how refined the Deloitte production implementation is:

  • More hardened at Deloitte → faster deployment at new clients → charge more because time-to-value drops from months to days
  • More refined remediation → better outcomes → premium justified by measurable threat reduction
  • The speed of implementation at a new client is the pricing lever, and that speed is a direct output of institutional knowledge accumulated through Deloitte production

The tiers are both demand-driven (Mythos urgency, market panic) AND supply-driven (Deloitte hardening maturity). The supply side — how clean and repeatable the Deloitte-proven implementation is — is what actually unlocks the ability to charge at the higher tiers.

Revenue Opportunity for Kindo

ScenarioClients /yrBundle PremiumAvg Deal SizeIncremental Rev
Platform-only baseline$500K–$2M
Conservative Premium (Deloitte service lines)3–5+50%$750K–$3M$1–5M
Target Package Premium (Deloitte + Mythos)5–10+75%$875K–$3.5M$2.5–12M
Aggressive Premium (Mythos surge)10–20+100–150%+$1–$5M$5–25M
Key insight: R&D cost = $0 for Kindo. Deloitte's $5.5M contract funds agent development. Bundle revenue = near-pure margin. Every Mythos client sale stacks directly on the bottom line. The Deloitte Rapid Response Team creates the product AND the proof points that sell it.

UNVERIFIED: Deal sizes are structural estimates based on enterprise cybersecurity SOAR/MDR market comps ($826M→$1.7B SOAR market, MarketsandMarkets). Actual Kindo pricing needs validation from Ron/Kush. Client count scenarios are directional, not forecasted.

← TimelineScope Matrix →
9

Mythos × Deloitte — Same Agents, Two Revenue Streams

Two-Tier Product Strategy

"There's a Venn diagram overlapping Mythos and Deloitte" — Tony, May 19

Tier 1: Platform-Only

Customer buys Kindo platform + training. Builds their own agents from scratch.

  • Agent builder & orchestration engine
  • Integration framework (MCP ecosystem)
  • Self-Managed deployment
  • Standard documentation & training

Customer starts from zero. Months to first production agent. Generic platform sale.

Tier 2: Deloitte-Hardened Agent Bundles

Kindo platform + pre-configured agent templates built from Deloitte production experience.

  • Everything in Tier 1, plus:
  • Pre-configured agent templates per use case
  • Integration patterns already wired (ServiceNow, Splunk, ITSM)
  • Decision logic & triage workflows tuned from real production
  • Operational playbooks embedded from Deloitte deployment
  • 3–6 months of accumulated judgment baked in

Days to first production agent. Battle-tested, not lab prototypes. Premium pricing.

The Differentiator: Deloitte Rapid Response Team

DELOITTE DELIVERY $5.5M contract funds the R&D KINDO MYTHOS RESPONSE PRODUCT Banks, Healthcare, Defense PRODUCTION-HARDENED AGENT TEMPLATES Built for Deloitte. Packaged for Mythos. Sold at premium. Deloitte-only scope: Swimlane sunset ITSM migration Analyst training Internal SOPs ── In Production on Kindo ── A.1 Threat Monitoring A.2 Threat Intel A.3 Threat Hunt A.4 Detection Engineering A.5 CTEM (built) ── Being Built for Deloitte ── A.6 Vitals Dashboard A.7 Quality Audit A.9 IR Agent A.10 IoT/OT Monitor Mythos-specific: Vuln-specific playbooks Client env configs Compliance reporting Incident-specific SLAs Deloitte Rapid Response Team = the bridge between Tier 1 and Tier 2 Production-hardened agents deployed at Deloitte → packaged as templates → Kindo Mythos Response Product Deloitte contract funds the R&D. Mythos clients pay the premium. Estimated premium: research in progress.

Value Chain

  1. 5 of 9 overlap agents already in production/built on Kindo
  2. Deloitte Rapid Response Team configures, deploys, hardens in real production
  3. Accumulated judgment from 3–6 months of live operation
  4. Agent configs, integration patterns, and playbooks packaged as templates
  5. Templates become the Kindo Mythos Response Product (Tier 2 pricing)
  6. Deloitte contract funds the R&D — Mythos product monetizes it at premium

Kush's Service Line Packaging (May 7)

Same template model extends across Cyber Operate portfolio:

  • D&RaaS Bundle: A.1–A.5 + A.6 Vitals + A.7 Audit (Krishna)
  • CaaS Bundle: Custom CaaS agents + A.13 GRC (Nathan Ellis)
  • Identity aaS Bundle: A.12 Identity Agent (Tim Corder)
  • Cloud & Infra Bundle: A.8 Cloud Security (Bhargav)
  • GRC Bundle: A.13 GRC Agent + compliance workflows (Nathan)
  • Mythos Response Bundle: A.1–A.5 + A.7 Audit + A.9 IR (cross-service)

Each bundle = a sellable product per discipline. Deloitte hardening = proof points for every bundle.

← InternalScope Matrix →

Reference: Scope Matrix v1.0

42-item scope: agents, platform, delivery, service lines, operations — with status, IK dependency, focal person.

Scope Matrix v1.0 Click for full screen
Scope Matrix
← MythosOp Map →

Reference: Krishna D&RaaS Operational Map

Leadership, ops, service lines, agents, and Kindo integration points across Cyber Operate.

Krishna DREAS Operational Map Click for full screen
Krishna Map
← Scope Matrix↗ Start