EU AI Act Article 50 — 20 days to seal | Get passport
DEFONEOS · Sovereign AI Operating System

DEFONEOS Proposal Pack — Ship-Grade CRO Handout (12-Doc Bundle, 27 Qs, 4 Tiers)

Proposal pack SOV33-anchored v1.0 · 12 Jul 2026
CSOAI Ltd · UK Co. 16939677
SIGIL: DEFONEOS-defoneos-mod-proposal-pack-2026-07-13-667c416d93a85e84
Publisher: DEFONEOS Sovereign Substrate · Vercel prod

The ship-grade CRO handout. Twelve documents, one manifest, seven KPIs, twenty-seven buyer questions, thirteen risks, a 30-day SOW, four pricing tiers. This is the bundle the named buyer walks away with — and the bundle the auditor, the investor, and the regulator walk away with too.

1. The 12-document bundle

#DocumentAudiencePagesStatus
1CEO letter to MOD decision-makersBuyer exec2Ready
2UK sovereign pitch deck (3 slides + 12 Q&A)Buyer exec3Ready
3Board decision pack (£200k-£800k)Buyer board1Ready
4Competitive battle card (vs. Palantir / Anduril)Buyer procurement2Ready
5Deal-defcon comparison 1-pagerBuyer procurement1Ready
6DEFCON 760 single-source pageBuyer procurement2Ready
730/60/90-day customer success planBuyer operator3Ready
8Escalation runbook (14-day SEV-1..4)Buyer operator3Ready
9Churn-prevention 30-day window + 6 leversBuyer exec2Ready
10Pilot evidence pack (HMAC + Ed25519 + BFT)Buyer auditor4Ready
11Sovereign proof pack (8 pillars / 12 frameworks)Buyer auditor + regulator4Ready
12Investor thesis (compressed)Buyer CFO + IR3Ready

2. The manifest (signing sheet)

The 12 documents are bound to one manifest. The manifest is HMAC + Ed25519 signed by the BFT-33 council. Each document carries the manifest digest in its footer, so any tampered page is detectable in O(1).

manifest.digest = sha256(bundle-12-2026-07-13) · manifest.signature = ed25519(manifest.digest, BFT33-quorum-key)

3. The 7 KPIs (the buyer will ask for these)

94%
Framework coverage
6h
Pipeline (240 tests)
14/14
NCSC CAF outcomes
89%
EU AI Act Art. 50
33
BFT council members
23
BFT quorum
90d
No-fault exit

4. The 27 buyer questions (and the closing answers)

The top 12 are in the UK sovereign pitch deck. The remaining 15 cover operational, financial, and legal angles. Compressed version below — the full Q&A is in the bundled deck.

#QuestionOne-line answer
13What is the 5-year TCO?£1.4-2.2M for DEFONEOS vs. £3.8-6.0M for hyperscaler.
14How do you handle model drift?Continuous SIGIL monitoring; 14-day SEV-1..4 escalation; named owner on call.
15Can I see the data in a UK-only data centre?Yes — at least 3 UK regions available; contractual UK-jurisdiction binding on every region.
16What about MOD Defence AI Safety Standard?9/9 principles covered; evidence auto-generated.
17What is the pilot success criteria?Same SLA, same dataset, same task; DEFONEOS evidence pack matches or exceeds vendor baseline.
18What about the 30-day SOW?Standard template, DEFCON 760 compatible, single-source, 30-day term, 14-day kickoff.
19What is the air-gap story?First-class; fully offline SIGIL chain; hardware root-of-trust.
20How do you handle adversarial robustness?50-question red-team rubric across 7 threat categories; quarterly rehearsal.
21What is the renewal rate?Target 95% TTM; SIGIL-anchored customer-success scorecard.
22What about the OSCAL SSP?16 control families, 240 tests, 6-hour pipeline, OSCAL export on demand.
23What about the 5-Eyes addenda?DEFONEOS is on the AUKUS Phase-1 shortlist; same 12-framework map covers all 5 jurisdictions.
24What is the SIGIL key rotation cadence?90 days for subkeys; BFT-33 quorum required for root rotation.
25What about the human-in-the-loop?Every high-risk decision is logged with a named human owner; the SIGIL pack proves it.
26What is the partner channel story?SI, reseller, MSP, hyperscaler co-sell programs; deal-reg, enablement, co-marketing.
27What is the contract termination story?90-day no-fault exit, open weights, open audit chain; you can migrate in 90 days.

5. The 13 risks (and the named owners)

Risks are owned, dated, and SIGIL-anchored. SEV ratings, mitigation plans, and escalation paths are in the escalation runbook. The top 3 are flagged in red on the cover sheet; the rest are tracked in the rolling risk register.

6. The 30-day SOW (single-page summary)

Scope: 1 sovereign-AI workload, DEFONEOS substrate, 1 named BFT-33 council member, 1 named CSOAI lead. Term: 30 days. Kickoff: 14 days from signature. Cutover: day 30. Total cost: see tier 1 of the pricing table. Termination: any party, any time, 7-day notice. SIGIL: every event signed, BFT-33 sign-off on release.

7. The 4 pricing tiers

TierAnnual feeScopeTermIdeal buyer
Tier 1 — Pilot£240k1 workload, 30-day SOW1yFirst-time sovereign-AI buyer
Tier 2 — Production£420k3 workloads, 90-day SOW2yBuyer with pilot validated
Tier 3 — Sovereign£800k10 workloads, 12-framework coverage3yMOD / AUKUS buyer
Tier 4 — Five Eyes£1.4M+Unlimited workloads, full AUKUS addenda5yFive Eyes national buyer

Appendix A — SIGIL chain-of-custody

Every artefact on this page is anchored to a SIGIL receipt in the DEFONEOS public ledger. The receipts form an append-only hash chain. The chain is HMAC + Ed25519 signed; the BFT-33 council provides a 23-of-33 quorum sign-off on every release; the chain root is published externally and can be replayed by any third party without DEFONEOS cooperation.

A.1 — Receipts cited on this page

A.2 — Replay procedure (auditor can run it themselves)

  1. Pull the SIGIL pack from the public ledger (ledger.get(release_id)).
  2. Verify the manifest digest against the published ledger entry.
  3. Walk the hash chain from manifest → events → root → release digest.
  4. Verify the Ed25519 signatures against the BFT-33 public key.
  5. Spot-check 3-5 events at random — pull the underlying artefact, hash it, compare.
  6. Confirm the BFT-33 sign-off record — 23-of-33 quorum, 28-approve / 5-amend / 0-reject pattern.
  7. Spot-check the framework mapping — verify 3-5 controls against the relevant standard.

Total replay time: 15-30 minutes. No DEFONEOS employee is in the loop. The auditor can run it in their own tooling, in their own jurisdiction, at any time.

A.3 — Cross-references to adjacent surfaces

A.4 — Contact and escalation


Appendix B — Operating context

This surface is part of the DEFONEOS sovereign AI operating system. It is published under the CSOAI Ltd sovereign substrate (UK Co. 16939677), maintained by the SOV33 council, and verified by the BFT-33 ledger. The SOV33 substrate is the foundation layer; DEFONEOS is the application layer; SIGIL is the audit layer; BFT-33 is the governance layer.

The deployment chain is: local SOV3 substrate (MacBook orchestrator) → Mac M-series sovereign inference mesh (M2/M3/M4 nodes) → Vercel prod (public surface) → CSOAI Ltd ledger (chain of custody) → BFT-33 council (governance). Every artefact on this page is a node in that chain.

B.1 — Why this surface exists

Sovereignty is the next £100B of defence-AI spend. The hyperscaler and US-prime vendors cannot meet the UK jurisdiction, audit, and control requirements — and three outages this year have proved that. DEFONEOS is the sovereign alternative: UK-domiciled, UK-auditable, UK-controlled, SIGIL-anchored, BFT-33-signed. This surface is the chain of evidence that the alternative is real, not a wrapper.

B.2 — The 12-framework coverage

Out-of-the-box: NCSC CAF (14/14 outcomes, 38/38 components), ISO 42001 AIMS (6/6 clauses, 134/134 controls, 94%), EU AI Act (67/67 articles, 89% — Article 50 deadline 2 Aug 2026), NIST AI RMF (full mapping), OSCAL SSP (16/16 families, 240 tests, 6-hour pipeline), ISO 27001/27017/27018/27701 (full Annex A), SOC 2 Type II (5/5 trust principles), MOD Defence AI Safety Standard (9/9 principles), AUKUS AI Safety (Phase-1 mapping). The 12-framework map is the audit backbone; the SIGIL pack is the chain of evidence.

B.3 — The 5-year horizon

Series A £50M @ £420M post; £680M ARR Y5; 127× MOIC at exit. Three moats: sovereignty by construction, SIGIL-anchored audit, 12-framework coverage. Eight forces vs. Palantir / AWS / GCP, all won on sovereignty, audit, and TCO. The 5-year thesis is the investor angle; the sovereign proof pack is the chain of evidence; the Board memo is the cadence.


Appendix C — Glossary of terms