Expertise & Position
The position — vendor-neutral FDEs for SMB. We are senior, vendor-neutral forward-deployed engineers: we embed and ship governed, production-ready systems on the client’s own stack — not tied to any vendor, model, or cloud. Vendor-neutrality plus FDE delivery is the position. Neutrality is what makes the advice trustable (the bet); shipping on the client’s stack — not a demo, not a slide — is what makes us hard to copy (differentiation).
Every lane FractalBox sells into is a trust purchase — a buyer hands us their production system, security posture, or risk book because they can’t verify the work themselves. Our scarcest asset isn’t code or product; it’s the standing to be believed. This page manufactures that standing deliberately across three lanes — fractional CTO, fractional CISO, cyber/AI insurance — instead of hoping it accrues.
The house doctrine governs everything below: accountability, trust, and outcome beat credentials (Strategy · Outcome over credentials). We hold the certificates the market grades us on — Japan/Singapore’s credentials culture won’t shift in five years — but the asset is regulatory standing and a closed deal, not exam letters. Weight visible expertise — published work, a shipped system, a CISO peer or carrier who returns the call — over the charter every time.
Founder’s discipline — don’t become the deliverable. A six-track credential Gantt signals “the founder is the product” to an investor or buyer (Founder Credentials & Growth). Authority-building earns founder hours only where it directly unlocks a lane — and never at the expense of selling and the Q3 product build. Most of this is background study; very little is a company milestone.
Authority each lane actually requires
The three lanes demand different proofs. Conflating them — chasing a security cert to sell a CTO engagement — wastes the scarcest resource. What each buyer is testing:
| Lane | The buyer’s unspoken test | What actually proves it | What does not |
|---|---|---|---|
| Fractional CTO | “Can this person own architecture I’ll bet the company on?” | A shipped, governed production system with our name on it; a reference founder; visible technical writing / OSS; the FDE delivery track record. | Cloud-vendor certs alone — necessary hygiene, never the reason you’re hired. |
| Fractional CISO | “Will an auditor, a board, and a regulator accept this person’s sign-off?” | CISSP (the load-bearing trust token here), a clean SOC 2 / ISO 27001 readiness delivered, a defensible risk register, regulatory fluency. | A pen-test cert without governance standing — that’s a practitioner, not a CISO. |
| Cyber / AI insurance | “Can this person speak underwriter and agent-audit-log in one breath?” | A closed carrier conversation, a published parametric-AI-liability thesis, AI Verify accreditation, fluency in the control frameworks underwriters price. | FRM letters in isolation — the market buys the carrier relationship, not the charter (Insurance · Move ①). |
The CISO and insurance lanes share a spine — provable safety → bounded risk → insurability → guarantee → felt trust (Insurance · the mechanism) — so one person owning both ends (governance control design and risk pricing) is the rare combination no horizontal lab or generic GRC shop occupies. The CTO lane is the foundation that earns the other two: you can’t govern or insure a system you couldn’t have built.
Credentials — load-bearing vs. background
Sort every credential by one question: does the next deal stall without it? If yes, milestone. If it merely makes us better, background — personal time, gating nothing. The dated Gantt for the personal tracks lives in Founder Credentials & Growth; this is the commercial triage.
| Credential | Lane | Why it matters | Verdict |
|---|---|---|---|
| CISSP | CISO | The load-bearing trust token for fractional-CISO sign-off; on the critical path. | Milestone — load-bearing. |
| ISO/IEC 42001 · NIST AI RMF · IMDA Model AI Governance Framework | CISO + insurance | The control frameworks buyers are graded against; we encode them deterministically into Meerkat. | Milestone — directly commercial. |
| AI Verify accreditation (opens Q3 2026) | Insurance | The “regulatory-assured” positioning; maps governance to the named control an underwriter prices. | Milestone — unlocks the insurance lane. |
| ISO/IEC 27001 / SOC 2 readiness (delivered, not held) | CISO + CTO | The buyer wants a clean audit delivered, not a cert on our wall. | Milestone as a deliverable, not a personal exam. |
| FRM (GARP) | Insurance | Risk/ILS/parametric literacy; ~250–400 founder-hours. The market buys the carrier conversation, not the charter. | Background — improves us, gates nothing. |
| OWASP AI / LLM Top 10 contribution | CISO + CTO | Visible AI-security standing via a public artifact; compounds as inbound. | Background, high-leverage — counts because it’s visible work. |
| CCSP · cloud-vendor certs (AWS/GCP) | CTO | Table-stakes hygiene; expected, never the reason for the hire. | Background — hold the minimum, don’t over-invest. |
| CMU MSIT Privacy Eng · GDE · EU AI Act fluency | CTO / brand | Long-horizon brand and privacy-engineering depth. | Background / brand — off the committed window. |
The rule the table encodes: CISSP, the AI-governance frameworks, and AI Verify are the only credentials that unlock a lane on the 2026 clock. Everything else is background — held because it makes the work better and the standing more visible, never pitched as a company milestone.
Network to target
Standing doesn’t compound in private — it needs the right gatekeepers as an audience. We don’t buy demand; we integrate into ecosystems and let the relationships be the distribution (Strategy · partnership play). Run it through the channels we already operate, pointed at each lane’s gatekeepers:
| Network | Who’s in it | Why we cultivate it | Lane |
|---|---|---|---|
| GRC / CISO peer circles | Practising CISOs, compliance leads, auditors | Peer referral is how CISO work is actually sourced; an auditor who trusts us de-risks every engagement. | CISO |
| Regional regulators & assurance bodies | IMDA (AI Verify, GenAI Sandbox), CSA, PDPC | The accreditation gatekeepers; being in the sandbox is itself a credential. | CISO + insurance |
| Insurance / InsurTech / reinsurance | Specialist AI-liability writers, MGAs, on-chain capacity (Armilla / Corgi / Nexus-Mutual class) | The carrier who “names the telemetry it would price” is the Phase-0 validation gate for the whole insurance lane. | Insurance |
| Founder & operator network | Peer founders, design partners | Warm intros into regulated buyers; founder-to-founder credibility the FDE wedge rides on. | CTO |
| OpenHackersClub + dev community | OSS contributors, builders | Turns trust into distribution and inbound; an open reference artifact compounds credibility for free. | CTO + brand |
| Conference & stage circuit | RSAC SG, GovWare, regional InsurTech/GRC events, Lorong AI (LAI) sharing sessions | Where buyers and carriers gather; speaking is the qualification call in disguise. | All |
The highest-leverage move across all of these is the same: publish the niche before it’s crowded. Owning the term parametric AI-agent liability (or deterministic agent governance) is cheap now and becomes a moat that returns calls.
Speakership pipeline — talks as visible credentials
A talk is the cheapest credential that compounds: it’s demonstrated work in front of the right room, it doubles as the qualification call, and the recording/slides become evergreen proof. Lead with our own OSS — presenting an OpenHackersClub artifact is the “open-source a reference artifact so credibility compounds as inbound” motion in action, not a vanity slot.
| Opportunity | Pitch | Standing it builds | Status |
|---|---|---|---|
| Lorong AI (LAI) sharing session | FlareDispatch (OpenHackersClub) — BYOC CI/CD that offloads the expensive half of GitHub Actions onto a Cloudflare stack you own; typed Effect-TS runs (capabilities → primitives → recipes), not YAML. | CTO + brand: live technical depth in the SG AI community; OSS-as-credibility; warm into the Lorong AI / IMDA orbit. | To submit — sign-up sheet open. |
FlareDispatch is the right opener because it’s a running system with a thesis (local-first / BYOC, deterministic typed pipelines) that lands with builders and sets up the deeper governance/insurance narrative without leading with the sales pitch.
The roadmap to get there
Sequenced cheapest-information-first, on the same calendar as the 12-month milestone ribbon — no parallel timeline. Validate that standing moves a deal before spending founder-hours earning more of it.
Authority build (2026 H2 → 2027)
| Phase | Milestones |
|---|---|
| Now — Make existing standing visible (next 60d) | CISSP endorsement + CPE plan; publish one niche thesis (parametric AI-agent liability); submit a Lorong AI talk on FlareDispatch; 10 CISO/carrier conversations to test what standing moves a deal |
| 2026 Q4 — Earn the lane-unlocking credentials | AI Verify accreditation; ISO 42001 / NIST AI RMF control mapping published; first governed system shipped as the CTO proof point |
| 2027 H1 — Convert standing to closed deals | First fractional-CISO retainer on the strength of delivered audits; first carrier names a priced signal; OWASP / OSS reference artifact cited by the niche |
| 2027 H2 — Compound into a recognized voice | Recognized voice on agent governance + AI-agent liability; network self-sources pipeline; FRM Part II if pursued (background) |
Phase 0 — make existing standing visible (next ~60 days). No new exam, no spend beyond founder time. Close out CISSP, publish one opinionated piece on the uncrowded niche, and have 10 conversations (CISO peers + carriers) whose only job is to reveal which standing unlocks a deal. If nobody returns the call on the strength of the published work, that’s the cheapest signal to change the thesis — weeks spent, not a year.
Phases 1–3 — earn, convert, compound. Earn only the lane-unlocking credentials (AI Verify, the governance-framework mappings), convert standing into the first retainer and first carrier signal, then let the network self-source pipeline as the niche cites us. Background tracks (FRM, CMU, GDE) run underneath on personal time, gating nothing.
| Phase | CTO standing | CISO standing | Insurance standing |
|---|---|---|---|
| Now (60d) | Ship/showcase a governed system; warm founder intros; submit a Lorong AI talk on FlareDispatch | CISSP endorsement + CPE; risk-register template | Publish niche thesis; 10 carrier/CISO conversations |
| Q4 2026 | First reference system live | AI Verify; ISO 42001 / NIST AI RMF mapping | Agree what telemetry a carrier would price |
| 2027 H1 | OSS reference artifact cited | First fractional-CISO retainer | First carrier names a priced signal |
| 2027 H2+ | Recognized technical voice | Self-sourcing CISO pipeline | Recognized voice on AI-agent liability |
Bottom line
We’re not in the business of collecting certificates — we’re in the business of being believed by people who can’t check our work. The position that earns it: vendor-neutral FDEs who ship governed systems on the client’s own stack. Hold the credentials the market grades us on (CISSP, the AI-governance frameworks, AI Verify) as table-stakes signals; invest the real effort in demonstrated work, a published niche, and gatekeepers who return the call. Build the CTO foundation first, let it earn the CISO sign-off, and let the CISO+insurance spine — provable safety priced as bounded risk — become the rare standing no horizontal lab can claim. The certificate gets the meeting; the delivered outcome keeps the relationship.
See also Strategy · Outcome over credentials, Insurance & Autonomous Finance · Capability roadmap, Sales Channels, and Founder Credentials & Growth.