Expertise & Position

The position — vendor-neutral FDEs for SMB. We are senior, vendor-neutral forward-deployed engineers: we embed and ship governed, production-ready systems on the client’s own stack — not tied to any vendor, model, or cloud. Vendor-neutrality plus FDE delivery is the position. Neutrality is what makes the advice trustable (the bet); shipping on the client’s stack — not a demo, not a slide — is what makes us hard to copy (differentiation).

Every lane FractalBox sells into is a trust purchase — a buyer hands us their production system, security posture, or risk book because they can’t verify the work themselves. Our scarcest asset isn’t code or product; it’s the standing to be believed. This page manufactures that standing deliberately across three lanes — fractional CTO, fractional CISO, cyber/AI insurance — instead of hoping it accrues.

The house doctrine governs everything below: accountability, trust, and outcome beat credentials (Strategy · Outcome over credentials). We hold the certificates the market grades us on — Japan/Singapore’s credentials culture won’t shift in five years — but the asset is regulatory standing and a closed deal, not exam letters. Weight visible expertise — published work, a shipped system, a CISO peer or carrier who returns the call — over the charter every time.

Founder’s discipline — don’t become the deliverable. A six-track credential Gantt signals “the founder is the product” to an investor or buyer (Founder Credentials & Growth). Authority-building earns founder hours only where it directly unlocks a lane — and never at the expense of selling and the Q3 product build. Most of this is background study; very little is a company milestone.

Authority each lane actually requires

The three lanes demand different proofs. Conflating them — chasing a security cert to sell a CTO engagement — wastes the scarcest resource. What each buyer is testing:

| Lane | The buyer’s unspoken test | What actually proves it | What does not |
|---|---|---|---|
| Fractional CTO | “Can this person own architecture I’ll bet the company on?” | A shipped, governed production system with our name on it; a reference founder; visible technical writing / OSS; the FDE delivery track record. | Cloud-vendor certs alone — necessary hygiene, never the reason you’re hired. |
| Fractional CISO | “Will an auditor, a board, and a regulator accept this person’s sign-off?” | CISSP (the load-bearing trust token here), a clean SOC 2 / ISO 27001 readiness delivered, a defensible risk register, regulatory fluency. | A pen-test cert without governance standing — that’s a practitioner, not a CISO. |
| Cyber / AI insurance | “Can this person speak underwriter and agent-audit-log in one breath?” | A closed carrier conversation, a published parametric-AI-liability thesis, AI Verify accreditation, fluency in the control frameworks underwriters price. | FRM letters in isolation — the market buys the carrier relationship, not the charter (Insurance · Move ①). |

The CISO and insurance lanes share a spine — provable safety → bounded risk → insurability → guarantee → felt trust (Insurance · the mechanism) — so one person owning both ends (governance control design and risk pricing) is the rare combination no horizontal lab or generic GRC shop occupies. The CTO lane is the foundation that earns the other two: you can’t govern or insure a system you couldn’t have built.

Credentials — load-bearing vs. background

Sort every credential by one question: does the next deal stall without it? If yes, milestone. If it merely makes us better, background — personal time, gating nothing. The dated Gantt for the personal tracks lives in Founder Credentials & Growth; this is the commercial triage.

| Credential | Lane | Why it matters | Verdict |
|---|---|---|---|
| CISSP | CISO | The load-bearing trust token for fractional-CISO sign-off; on the critical path. | Milestone — load-bearing. |
| ISO/IEC 42001 · NIST AI RMF · IMDA Model AI Governance Framework | CISO + insurance | The control frameworks buyers are graded against; we encode them deterministically into Meerkat. | Milestone — directly commercial. |
| AI Verify accreditation (opens Q3 2026) | Insurance | The “regulatory-assured” positioning; maps governance to the named control an underwriter prices. | Milestone — unlocks the insurance lane. |
| ISO/IEC 27001 / SOC 2 readiness (delivered, not held) | CISO + CTO | The buyer wants a clean audit delivered, not a cert on our wall. | Milestone as a deliverable, not a personal exam. |
| FRM (GARP) | Insurance | Risk/ILS/parametric literacy; ~250–400 founder-hours. The market buys the carrier conversation, not the charter. | Background — improves us, gates nothing. |
| OWASP AI / LLM Top 10 contribution | CISO + CTO | Visible AI-security standing via a public artifact; compounds as inbound. | Background, high-leverage — counts because it’s visible work. |
| CCSP · cloud-vendor certs (AWS/GCP) | CTO | Table-stakes hygiene; expected, never the reason for the hire. | Background — hold the minimum, don’t over-invest. |
| CMU MSIT Privacy Eng · GDE · EU AI Act fluency | CTO / brand | Long-horizon brand and privacy-engineering depth. | Background / brand — off the committed window. |

The rule the table encodes: CISSP, the AI-governance frameworks, and AI Verify are the only credentials that unlock a lane on the 2026 clock. Everything else is background — held because it makes the work better and the standing more visible, never pitched as a company milestone.

Network to target

Standing doesn’t compound in private — it needs the right gatekeepers as an audience. We don’t buy demand; we integrate into ecosystems and let the relationships be the distribution (Strategy · partnership play). Run it through the channels we already operate, pointed at each lane’s gatekeepers:

| Network | Who’s in it | Why we cultivate it | Lane |
|---|---|---|---|
| GRC / CISO peer circles | Practising CISOs, compliance leads, auditors | Peer referral is how CISO work is actually sourced; an auditor who trusts us de-risks every engagement. | CISO |
| Regional regulators & assurance bodies | IMDA (AI Verify, GenAI Sandbox), CSA, PDPC | The accreditation gatekeepers; being in the sandbox is itself a credential. | CISO + insurance |
| Insurance / InsurTech / reinsurance | Specialist AI-liability writers, MGAs, on-chain capacity (Armilla / Corgi / Nexus-Mutual class) | The carrier who “names the telemetry it would price” is the Phase-0 validation gate for the whole insurance lane. | Insurance |
| Founder & operator network | Peer founders, design partners | Warm intros into regulated buyers; founder-to-founder credibility the FDE wedge rides on. | CTO |
| OpenHackersClub + dev community | OSS contributors, builders | Turns trust into distribution and inbound; an open reference artifact compounds credibility for free. | CTO + brand |
| Conference & stage circuit | RSAC SG, GovWare, regional InsurTech/GRC events, Lorong AI (LAI) sharing sessions | Where buyers and carriers gather; speaking is the qualification call in disguise. | All |

The highest-leverage move across all of these is the same: publish the niche before it’s crowded. Owning the term parametric AI-agent liability (or deterministic agent governance) is cheap now and becomes a moat that returns calls.

Speakership pipeline — talks as visible credentials

A talk is the cheapest credential that compounds: it’s demonstrated work in front of the right room, it doubles as the qualification call, and the recording/slides become evergreen proof. Lead with our own OSS — presenting an OpenHackersClub artifact is the “open-source a reference artifact so credibility compounds as inbound” motion in action, not a vanity slot.

| Opportunity | Pitch | Standing it builds | Status |
|---|---|---|---|
| Lorong AI (LAI) sharing session | FlareDispatch (OpenHackersClub) — BYOC CI/CD that offloads the expensive half of GitHub Actions onto a Cloudflare stack you own; typed Effect-TS runs (capabilities → primitives → recipes), not YAML. | CTO + brand: live technical depth in the SG AI community; OSS-as-credibility; warm into the Lorong AI / IMDA orbit. | To submit — sign-up sheet open. |

FlareDispatch is the right opener because it’s a running system with a thesis (local-first / BYOC, deterministic typed pipelines) that lands with builders and sets up the deeper governance/insurance narrative without leading with the sales pitch.

The roadmap to get there

Sequenced cheapest-information-first, on the same calendar as the 12-month milestone ribbon — no parallel timeline. Validate that standing moves a deal before spending founder-hours earning more of it.

```mermaid
timeline
  title Authority build (2026 H2 → 2027)
  Now — Make existing standing visible (next 60d) : CISSP endorsement + CPE plan : Publish one niche thesis (parametric AI-agent liability) : Submit a Lorong AI talk on FlareDispatch : 10 CISO/carrier conversations to test what standing moves a deal
  2026 Q4 — Earn the lane-unlocking credentials : AI Verify accreditation : ISO 42001 / NIST AI RMF control mapping published : First governed system shipped as the CTO proof point
  2027 H1 — Convert standing to closed deals : First fractional-CISO retainer on the strength of delivered audits : First carrier names a priced signal : OWASP / OSS reference artifact cited by the niche
  2027 H2 — Compound into a recognized voice : Recognized voice on agent governance + AI-agent liability : Network self-sources pipeline : FRM Part II if pursued (background)
```

Phase 0 — make existing standing visible (next ~60 days). No new exam, no spend beyond founder time. Close out CISSP, publish one opinionated piece on the uncrowded niche, and have 10 conversations (CISO peers + carriers) whose only job is to reveal which standing unlocks a deal. If nobody returns the call on the strength of the published work, that’s the cheapest signal to change the thesis — weeks spent, not a year.

Phases 1–3 — earn, convert, compound. Earn only the lane-unlocking credentials (AI Verify, the governance-framework mappings), convert standing into the first retainer and first carrier signal, then let the network self-source pipeline as the niche cites us. Background tracks (FRM, CMU, GDE) run underneath on personal time, gating nothing.

| Phase | CTO standing | CISO standing | Insurance standing |
|---|---|---|---|
| Now (60d) | Ship/showcase a governed system; warm founder intros; submit a Lorong AI talk on FlareDispatch | CISSP endorsement + CPE; risk-register template | Publish niche thesis; 10 carrier/CISO conversations |
| Q4 2026 | First reference system live | AI Verify; ISO 42001 / NIST AI RMF mapping | Agree what telemetry a carrier would price |
| 2027 H1 | OSS reference artifact cited | First fractional-CISO retainer | First carrier names a priced signal |
| 2027 H2+ | Recognized technical voice | Self-sourcing CISO pipeline | Recognized voice on AI-agent liability |

Bottom line

We’re not in the business of collecting certificates — we’re in the business of being believed by people who can’t check our work. The position that earns it: vendor-neutral FDEs who ship governed systems on the client’s own stack. Hold the credentials the market grades us on (CISSP, the AI-governance frameworks, AI Verify) as table-stakes signals; invest the real effort in demonstrated work, a published niche, and gatekeepers who return the call. Build the CTO foundation first, let it earn the CISO sign-off, and let the CISO+insurance spine — provable safety priced as bounded risk — become the rare standing no horizontal lab can claim. The certificate gets the meeting; the delivered outcome keeps the relationship.

See also Strategy · Outcome over credentials, Insurance & Autonomous Finance · Capability roadmap, Sales Channels, and Founder Credentials & Growth.