learntodriveai.dev/Cybersecurity/Hardening Strategy and Zero Trust Architecture
Cybersecurity·Project 16·7 units

Hardening Strategy and Zero Trust Architecture

**Track:** Cybersecurity

§ Brief

You're designing a multi-layer hardening strategy for Northbridge Wealth and Trust, a Toronto-based wealth-management firm under federal regulation by OSFI. The deliverable is a strategic architecture document that the board will fund — or not.

The discipline skills: designing hardening as an architecture, not a stack of layers; deriving a zero-trust trust model end-to-end; building drift detection and a maintenance plan into the design; framing the work in NIST CSF for the board; and writing handoff documentation a future practitioner can use without you.

The AI-direction lesson: AI implements components but does not connect them into a coherent trust model. Its layer-by-layer hardening leaves the gaps between layers wide open — and the gaps are where the attacker pivots. It omits maintenance plans, treats drift as out of scope, and maps to NIST CSF mechanically. The mature register here is also the AI relationship itself — context per agent, when not to connect, when not to delegate, and infrastructure portable enough for a different assessor to pick up cleanly.

Your Role

You're the architect. The trust model, the layer architecture, the phased rollout, the drift detection, the maintenance plan, the NIST CSF executive narrative, and the AI infrastructure that produces all of it — yours.

Scaffolding is thin. No strategy template, no zero-trust skeleton, no maintenance-plan template, no NIST CSF mapping table, no AI-infrastructure starter. The brief is a single formal email from Darren Beaulieu, Northbridge's Chief Compliance Officer. Read it twice — once for what it says, once for what it doesn't.

Four scoped agents — architecture, validation, implementation-planning, executive-writer — each get the context their phase needs and only that. Connectivity is selective: offensive tooling connects during validation and disconnects elsewhere. Some decisions are explicitly yours, not the agents': the trust model, the phased rollout, the wrap-versus-migrate calls on the legacy portals, the conversation with Darren. The AI infrastructure itself — CLAUDE.md alongside AGENTS.md, skills, hook patterns — is part of the handoff packet.

What's New

Last time you ran a full exploitation campaign for a petroleum-services contractor in Western Australia — multiple targets, multiple paths, sufficient-finding judgment, and an explicit list of decisions that weren't AI's.

Architecture as a unit of design. Earlier projects hardened individual layers — a default credential, a web header, a container, a benchmark, a network segment. This one is the strategy itself: how the layers compose, where the gaps live, how the trust model makes the composition coherent.

Zero trust as a designed trust model. Not a product. A principle applied end-to-end: no network location, no previous authentication, no internal status grants implicit trust. Northbridge has three legacy portals, advisors on personal devices, and clients in 28 countries — the trust model has to work for all of it.

Drift detection and maintenance as deliverables. A strategy without a maintenance plan is hardened on day one and quietly less hardened every week after.

NIST CSF as the executive frame. The board reads in frameworks. The strategy is intelligible because it lives in their vocabulary.

The AI directing relationship at its most mature. The engagement requires all four together — context designed per agent, connectivity decided deliberately, portable handoff infrastructure, and explicit when-not-to-delegate judgment.

The hard part: the gaps between layers. AI will produce strong layer specs and the strategy will still have a hole where an attacker pivots between them. Coherence is your design problem. Dani Okafor appears once, mid-strategy, with one calibrating question about sensor placement under zero trust.

Tools

  • Claude Code, Codex CLI — driving the four scoped agents and the explicit "not for AI" decisions.
  • Northbridge architecture lab (Docker) — Toronto headquarters, Montréal DR site, three legacy portals, identity provider, fiduciary asset systems, and the instrumented defender stack.
  • NIST Cybersecurity Framework — new. Introduced in the regulatory-context brief; you'll position the strategy within its six functions (Govern, Identify, Protect, Detect, Respond, Recover — CSF v2.0, Feb 2024) and crosswalk to OSFI B-13.
  • CIS Benchmarks — familiar. Inputs to your strategy.
  • Wazuh, Loki, Grafana, Suricata, osquery — defender stack for validation and drift-detection design.
  • Sigma, sigma-cli, pySigma — detection rule format and conversion tooling.
  • Engagement-memory infrastructure — methodology, trust model, baselines, drift-detection design, maintenance plan, NIST CSF mapping, and the AI-infrastructure artefacts, with portability as an explicit design property.
  • Python, Markdown, YAML, Mermaid, GitHub — strategy document, implementation plan, executive summary, diagrams, runbooks, project repo.

Materials

  • First-contact email — Darren's formal written engagement request, at the level his board reads.
  • Architecture-inventory document — IT operations' description of headquarters, the three legacy portals, the Montréal DR site, the international advisor access pattern, and the existing perimeter-based controls.
  • Regulatory-context brief — OSFI B-13's seven domains, NIST CSF v2.0's six functions, ISO 27001 crosswalks, and the audit committee's vocabulary.
  • Northbridge architecture lab — Docker simulation matching the inventory.
  • Agent-spec template and CLAUDE.md — familiar; CLAUDE.md carries hardening-strategy verification targets (trust model end-to-end before any layer is hardened, layer-coherence checks before baseline publication, NIST CSF mapping before the executive summary).

Everything downstream — the trust model, the layer architecture, the drift-detection design, the maintenance plan, the AI infrastructure deliverable, the handoff packet — is yours.