Build the tech foundation that survives the board, the audit, and the scaling.

Who this is for

CEOs about to commit real capital to a product, or agencies scoping a six- or seven-figure build whose foundation they'll answer for in 18 months.

When you need it

You're at a decision point. The cost of a bad foundational choice compounds - every feature built on top of it costs more, binds you tighter to a structure you'll have to tear out, and dies in the room with the wrong investor.

What's delivered

• Architectural blueprint pressure-tested against your business model
• Board-ready presentation of that blueprint
• Living systems map documenting how every piece fits together
• Vendor shortlist for highest-leverage build-or-buy decisions
• Decision framework for top architectural trade-offs
• Governance scaffolding sized for your team
• 12-month roadmap with quantified milestones

Why this Consultant

Twenty years operating engineering organisations across scale-up (35→300 at imobiliare.ro), regulated finance (Bitstamp), three M&A processes including Bitstamp → Robinhood. Co-author of the WARRANT Standard for autonomous agent authorisation.

Who this is for

Companies inheriting opaque tech - from a previous vendor, a recent acquisition, a long-tenured founder-engineering era - that needs an honest read before commitments are made.

When you need it

You took over a platform you don't fully understand. You need to know what's actually there before you sign the next contract, write the next roadmap, or tell your board what comes next.

What's delivered

• Complete current-state inventory: services, vendors, contracts, infrastructure, team
• Heritage assessment: technical debt, vendor lock-in, undocumented decisions, single points of failure
• Risk-prioritised remediation list
• Recommended path per area: refactor / replace / leave-as-is, with rationale
• Scoping input for the onward proposal (whether to the agency's client or to the company's board)

Who this is for

New CTOs/Heads of Eng wanting a 30-day baseline. CEOs wanting an independent reality check on whether engineering is operating at the level the stage and stakeholders require. Pre-fundraise temperature checks.

When you need it

Engineering is 'fine' - but you don't actually know. You want a second opinion that isn't a Big Four deck and isn't your team marking their own homework.

What's delivered

• Practice maturity scorecard across 10 dimensions (architecture, delivery, observability, security, data, on-call, code review, hiring, performance management, knowledge transfer)
• Process review - how the team actually works vs. how it should
• Standards & good-practice benchmark (DORA, IEEE/NIST where applicable, SRE norms, twelve-factor / well-architected)
• Operating discipline audit (postmortems, on-call humanity, deployment cadence, change-management hygiene)
• Architecture posture: current state, debt inventory, scaling readiness for 12–18 months
• Risk register: top 10 risks with materiality, likelihood, owner, and remediation effort
• Prioritised improvement roadmap
• Board-ready summary

Why this Consultant

Benchmarks applied from twenty years of operating against them and watching what holds - not from a framework deck.

What this sprint is not

• A code audit (light at code level - escalate to specialists if deep code review needed)
• A penetration test (practice-level only, no offensive testing)
• A change-management programme (delivers diagnosis and roadmap; client executes)

Who this is for

Series A → Series B companies between 15–100 engineers where ad-hoc operating discipline has stopped holding. New CTOs/VPEs in their first 60 days installing the operating system.

When you need it

You've outgrown ad-hoc. The last OKR attempt fizzled. The board has started asking for SLO/SLA reporting. Your team has lost faith in the framework - and is operating on instinct.

What's delivered

• Company-level OKR framework - annual + quarterly cadence, ambition-vs-realism calibration, cascade rules
• First quarter OKRs actually drafted with the exec team during the engagement
• Squad-level OKR cascade, run with the squad leads
• KPI definitions: operating metrics, leading vs lagging, dashboard structure, ownership map
• SLO definitions for Tier 0 and Tier 1 services with error-budget policy and breach-response protocol
• SLA framing - customer-facing SLAs aligned to internal SLOs
• Performance management cycle: quarterly review templates, calibration, manager training brief
• Operating cadence document - weekly / monthly / quarterly / annual rhythms with named owners
• Board-cadence reporting structure with sample first report
• Tooling recommendation (lightweight eval of OKR / SLO / perf-mgmt platforms)

What this sprint is not

• Tooling implementation (recommendation only)
• HR / total-rewards system (no comp banding)
• Perpetual coaching engagement (installation + first cycle + handover)

Who this is for

Mid-market companies wanting AI without making the classic mistakes (RAG-when-you-needed-fine-tune, fine-tune-when-you-needed-RAG, ungoverned agents).

When you need it

'We need to do AI' has graduated into 'we need to do AI responsibly and competitively' - and you can feel that the in-house team alone can't navigate this safely.

What's delivered

• AI capability roadmap - what's worth doing, in what order, and what's deliberately not pursued yet
• Architecture for LLM/RAG/agent integration into the existing product
• Vendor analysis: OpenAI vs Anthropic vs open-source vs gateway routing
• Eval framework - how to measure that the AI is doing what it claims to do
• Trust & governance scaffolding - agent authorisation, audit trails, human-in-the-loop boundaries (WARRANT-aligned)
• Cost / latency analysis with budgets per workflow stage
• EU AI Act and NIST AI RMF alignment notes

Why this Consultant

Co-author of the WARRANT Standard - the open specification for autonomous agent authorisation. Design informed by frontier work currently being defined.

Who this is for

Series B-stage companies, regulated-industry companies, companies receiving customer DD questionnaires.

When you need it

There's a compliance audit, due diligence, or institutional procurement review on the horizon. You need a clear 'what to fix and in what order' plan - not a 200-page deck.

What's delivered

• Gap analysis against the relevant framework (SOC 2 / DORA / FCA OR / sector-specific)
• Risk-prioritised remediation roadmap
• Process and policy templates: on-call rota, incident management, access review, change management, data-handling
• Vendor selection: SOC 2 readiness platform, DORA tooling, etc.
• Sample evidence pack the client can take into the audit
• Decision framework: what's worth doing in-house vs outsourcing

Who this is for

EU-headquartered or EU-customer-serving companies whose GDPR programme has grown organically. Series A+ B2B SaaS, fintech, healthtech, marketplace, edtech.

When you need it

Your GDPR posture has grown organically and is now visible - a customer DPA negotiation has stalled, a supervisory-authority inquiry is in, DSR volume has overwhelmed the team, or a Series B / acquisition will surface gaps.

What's delivered

• Data inventory & flow map - what personal data exists, where it lives, how it moves
• Record of Processing Activities (ROPA) - Article 30-aligned, structured for ongoing maintenance
• DPIA framework + one worked DPIA on the highest-risk processing activity
• Vendor / sub-processor DPA register, with missing SCCs flagged
• Data subject rights operating model - access, rectification, erasure, portability, objection at scale
• Breach response runbook - 72-hour notification clock, decision tree, templates, tabletop
• Data residency assessment - current footprint, cross-border transfers, residual risk
• Technical control roadmap - encryption, pseudonymisation, access logging, retention/deletion automation
• Board-ready GDPR posture summary

Why this Consultant

Ran the GDPR RASCI implementation at imobiliare.ro across a 2M+-user platform - DSR operationalisation, ROPA structure, vendor DPA programme, tech/legal interface. Lived GDPR work at scale, not framework-reading.

What this sprint is not

• Legal advice - works alongside the company's GDPR counsel on the technical operating model

Who this is for

Clients in active deal processes. Time-bound work.

When you need it

You're acquiring, being acquired, or about to enter exclusivity. The tech section of the data room will be read by people who have seen many of these. You want to be on the right side of that reading.

What's delivered

• Buy-side: tech DD report on the target (architecture, team, vendor stack, SBOM & open-source license posture, IP, technical debt, integration plan, retention risk)
• Sell-side: preparation pack - anticipated questions, defensible answers, SBOM and license inventory positioned for the buyer's legal team, data-room curation, narrative for the buyer's tech team
• Risk register with materiality scoring
• Integration plan (buy-side) or separation plan (sell-side)
• Executive presentation for the deal committee

Why this Consultant

Three M&A due-diligence processes lived through personally - including Bitstamp → Robinhood. This is not a learned-from-a-book offering.

Who this is for

Companies hiring their first Staff+/Principal engineer, first Head of Eng / VPE, replacing a CTO, or staffing a senior bench post-Series B.

When you need it

You're about to hire someone senior and the in-house team does not have a peer-grade interviewer at that seniority. The cost of a bad senior hire - 12–18 months of compensation, displaced morale, lost roadmap quarters - outruns the cost of getting the hiring system right by an order of magnitude.

What's delivered

• Role definition that survives the hire (not the version that gets written for the JD)
• Scorecard - competencies, behavioural indicators, trade-offs, weighted rubric
• Interview architecture - panel design, round structure, technical/behavioural/leadership balance, calibration, anti-bias scaffolding
• Market scan - current senior compensation bands, total-rewards expectations, competitive landscape
• Sourcing strategy - advice on channels, network activation, search-firm-vs-direct trade-off
• Candidate evaluation framework - debrief structure, calibration, written-feedback discipline
• Hiring decision framework - what 'yes', 'stretch yes', 'no' look like; how trade-offs get resolved
• Board / exec brief (for leadership hires)

Why this Consultant

Scaled imobiliare.ro engineering from 35 to 300, ran senior-bench hiring through three M&A processes including Bitstamp → Robinhood. Hiring-at-scale lived experience, not a coaching framework.

What this sprint is not

• Executive search (no candidate sourcing or placement fee)
• A coaching engagement (CEO/CTO makes the hire; Consultant builds the system)

Who this is for

B2B SaaS, marketplaces, CRMs, ticketing, documents, calendars, billing - any product whose value compounds when an agent can drive it. Particularly strong fit when customers have already started asking 'do you have an MCP server?'

When you need it

Your product is increasingly being read or operated by AI agents - Claude Desktop, Cursor, custom agent stacks. You want to be present in the agent context window with native tools, not just scraped HTML. Or you can see the wave coming and want to land in the next round of agent integrations on your terms.

What's delivered

• MCP exposure strategy - what tools and resources you should expose, what you deliberately shouldn't, and why
• Tool catalogue with WARRANT-aligned authorization (read-only vs side-effecting, identity scope, audit signals)
• Resource catalogue with mime-types and refresh model
• The MCP server itself, OR a senior-reviewed scaffold your team builds against - the choice is named in Sprint 1
• Discovery surfaces: /.well-known/mcp.json, <link rel="mcp"> tags, HTTP Link headers, robots.txt allowance
• Registry submission kit (Smithery, mcp.so, Glama AI) ready to paste
• End-to-end testing against Claude Desktop, Cursor, Continue, and a custom JSON-RPC client
• Operational documentation for internal teams and external agent consumers
• Board-ready summary of what was exposed and what the agent surface signals about your product

Why this Consultant

Co-author of the WARRANT Standard for autonomous agent authorisation. Monitive's own site at /.well-known/mcp.json is the live reference implementation - including the discovery stack, the tool catalogue, the resource exposure, and the legal posture. Clients can audit the live server before signing.

What this sprint is not

• A generic AI integration project (pair with AI Integration Strategy Sprint first)
• A one-day 'stand up the server' engagement (the value sits in design, not implementation)
• A security audit of an existing MCP server (closer to Tech Audit Sprint scope)

Who this is for

API-first SaaS, marketplaces, data providers, compute / inference / extraction APIs whose customers are increasingly using agent-driven access and need usage-based pricing for non-human callers.

When you need it

Your API is being called - or is about to be called - by AI agents on someone else's behalf. The user is no longer a human clicking a button; it's software with a budget. You want to monetize that traffic without dragging every agent operator through a sales call.

What's delivered

• Payment-model design: which endpoints meter, which stay free; per-request vs session-pass vs subscription gate
• Protocol selection: x402 (USDC on Base) as primary; L402 (Lightning) for Bitcoin-native or non-EVM constraints
• Wallet and custody: EOA vs smart account vs custody provider, key-management posture, off-ramp strategy
• Network and asset choice with reasoning written down for audit
• Facilitator selection: Coinbase CDP, self-hosted, third-party - with cost-per-verify modelling
• Server-side integration in your stack (Next.js, Express, FastAPI, Go, or other - named in Sprint 1)
• Pricing-model calibration against unit costs and competitor benchmarks
• Fraud, replay, and abuse defences: nonce, signature verification, replay-window, rate-limit-on-top-of-payment, blacklist hooks, refund posture
• MiCA / VAT / AML compliance scoping for counsel review (not legal advice)
• Monitoring and accounting: on-chain analytics, alerting, daily settlement, finance-stack integration
• Agent-discovery surfaces so callers know what to pay for: /.well-known/mcp.json.paidEndpoints, llms.txt, Link headers
• Board-ready summary including projected agent-revenue baseline and operational risk surface

Why this Consultant

Monitive's own /api/agents/match endpoint is the live reference implementation of x402, including the facilitator integration, payment-required body shape, receipt header, and graceful-degradation path. Co-author of WARRANT Standard for autonomous agent authorisation - and agent-payment authorisation is the natural extension of agent-action authorisation. Compliance posture is built into the engagement because shipping x402 without it is a problem deferred, not avoided.

What this sprint is not

• Legal advice (compliance scoping is structured input for your counsel, not an opinion)
• Broader crypto / treasury / token / on-chain product strategy (scope separately)
• Custodial work (Monitive does not hold your funds, keys, or your customers' payments)
• A 1-day wire-it-up engagement (that's mini A20)

Who this is for

Companies sitting on a load-bearing 10-15+ year codebase that is the main brake on shipping. Teams that want AI leverage on the engineering process itself, not just AI features in the product. Agencies asked to modernize a legacy estate who need a defensible, governed method rather than a heroic rewrite.

When you need it

The biggest brake on AI adoption isn't model access - it's the 10-to-15-year-old codebase nobody fully understands anymore. Agents can now read that estate, map dependencies, containerize it, and open pull requests against it. The question stopped being 'can agents do this' and became 'who do you trust to point them at your production code, and how do you govern what they merge.'

What's delivered

• Estate and dependency map - in-scope legacy services inventoried, dependencies mapped (build-time and runtime), each ranked for modernization-readiness
• The governed agent pipeline - agents read the code, propose containerization and refactors, and open PRs, wired with scoped permissions, branch protection, human-in-the-loop merge gates, and a structured audit trail (WARRANT-aligned)
• Containerization pilot on 1-2 bounded services - dependencies resolved, Docker-containerized, agent-opened PRs reviewed, tested, and merged under the gate. Real merged output, not a deck
• Test and eval gates - characterization tests around legacy behaviour before it's touched, plus CI gates (build, test, security scan, behavioural diff) each agent PR must pass before a human reviews
• Authorization model for agent code changes - what agents may touch, under whose identity, with what blast radius, how it's logged. WARRANT-aligned vocabulary (read-only / side-effecting / identity-required / scoped)
• Sequenced modernization roadmap - the rest of the estate ordered by value, risk, and dependency, with the per-wave plan your team runs against the pipeline
• Board-ready summary - what was modernized, what the pilot proved, and the honest risk surface of pointing agents at production code

Why this Consultant

Co-author of the WARRANT Standard for autonomous agent authorisation - an agent opening a PR against production is a side-effecting agent action, and authorising it properly (scoped identity, bounded blast radius, structured audit) is exactly what WARRANT specifies. Lived pattern, not theory: prismalOS runs adversarial eval swarms as CI/CD release gates - the same governance shape this sprint installs around agent-authored code. Plus twenty years operating legacy estates through scale, regulation, and three M&A processes including Bitstamp → Robinhood.

What this sprint is not

• A full migration delivery (1-2 pilot services end-to-end + the governed pipeline + the roadmap; the rest is a staffed programme, not a four-week sprint)
• Autonomous agents merging to main unsupervised (every agent PR passes automated gates and a human merge gate)
• 'AI will rewrite your app' (agents accelerate the mechanical work; sequencing and boundaries are the senior work)
• A product-AI engagement (that's the AI Integration Strategy Sprint)