Strategy
The thesis, the flywheel, the themes and products we build, and how we fund it. Buyer narratives, concrete shots, and dated timelines live in their own docs.
The opportunity
Four observations frame the bet — each its own chapter in the bet:
- Trust is what fast-moving builders buy — outcome > tools.
- Distribution, not delivery, is the bottleneck once the harness gives 10× concurrent capacity.
- Strong, unmet need for agent guardrails and FDEs — proven by the labs moving up the stack.
- The local-first market is underserved as open-weight (DeepSeek-class) LLMs make bring-your-own-model viable — frontier-API cost and regional access limits (HK, AWS) push regulated buyers to own the stack, the gap Hakiri / Contextful fills.
Real demand exists for a small, senior team of Forward Deployed Engineers (FDEs) who embed in a customer’s production workflow and ship software that runs the business, not a demo beside it.
That’s FractalBox’s wedge. AI collapsed the cost of generating code, not of making it production-ready, governed, and trusted in a regulated workflow. Labs ship horizontal guardrail primitives (eval, tool-use policies, model-native safety); defensibility is the vertical, deterministic encoding of one regulated workflow’s rules — guardrails, audit, exception handling, knowing which override was right — where a senior fractional CTO/CISO team is credible and a horizontal lab won’t go. a16z calls it the “Rest of Oz” (vertical, deterministic workflows where deep deployment is the moat) vs. the “Yellow Brick Road” the labs dominate. FractalBox lives in the Rest of Oz. 1
Why the FDE model wins here
- Build the system, not the tool. Systems own the workflow end-to-end and become the orchestration layer the customer depends on — “a system the customer runs their work through,” not a tool on top.
- Guardrails are the product. “That’s what your customers are paying you for.” The control plane — permissions, auditing, what an agent may do, regulatory accountability — is the deliverable. FDE + GRC, not staff-aug.
- Production compounds into a moat. “Every escalation a signal, every exception feedback.” What compounds across customers is our control / threat-model template library — not customer data, which stays on the buyer’s infrastructure (local-first). The day-one workflow isn’t the moat; the cross-engagement control library the loop produces is.
- Win on the customer’s P&L. “High ACV signals a system — systems replace headcount.” We measure outcomes, not model scores.
- The model is fungible; the system of work is not. We route across models per sub-task and absorb the migration churn labs won’t.
Our Take
- Positioning: a small, senior FDE team — fractional CTO/CISO + data engineering — shipping production-ready, audited apps into regulated, AI-era teams. A system owner, not a body shop.
- Wedge: the productized security-assessment + compliance-readiness engagement is the entry; FDE delivery of a governed production system is the expansion. It sells now, with existing skills — it does not wait on the Q3 build. That decoupling is the bridge: services revenue funds the team while the flagship is built.
- Defensibility: one moat that compounds — the governance / control plane: the vertical, deterministic control + audit encoding of a regulated workflow, where a CISO-led team is uniquely credible. Three operating advantages support it but are table stakes, not moats — a router or lab ships them within ~24 months, so we don’t pitch them as the moat: the data flywheel (our control-template library, not customer data), model-variability management, and cost optimization across tiers.
- The test we hold ourselves to: will the customer still need us if a lab ships a competing product? If no, we built a tool. Keep building systems.
Base case vs. Bull case
| | Base case | Bull case |
|---|---|---|
| Focus | Client leadgen, build the portfolio, improve the delivery harness setup | Catch today’s hype and dividend, establish brand, scale with product sales, establish fund for future work |
| Revenue | Services margin from FDE delivery | Product ARR + services |
| Outcome | Sustainable, profitable studio with strong reference portfolio | Market-timing payoff: brand, distribution, and FractalFund capitalized for compounding |
Both cases share the same flywheel and moat — the difference is tempo and ambition of the Q3–Q4 window.
The macro shifts beneath the bet — each shot should trace back to one:
Opportunities brought by AI
- Production cost collapses — unevenly. AI slashes the cost of generating software and paperwork; the cost of trusted, governed delivery doesn’t fall. The arbitrage is the gap.
- Compliance paperwork gets cheap. Much of GRC is documentation AI accelerates — deliver compliance readiness faster and cheaper than incumbents.
- AI outruns compliance and culture. Capability outpaces governance; regulated buyers feel it most. We sell into the lag.
- New needs AI creates. As more sensitive data flows through agents, buyers need stronger privacy and guardrails — exactly Hakiri / Contextful and Meerkat. And the buyer pool is widening: a wave of emerging builders who need production heavy-lifting, and increasingly sophisticated SMBs that now demand the trust layer we sell.
AI-native, self-improving organizations
Orgs rebuilt as AI-native and self-improving, where work runs through agentic systems that learn from every exception. Picture PwC or Accenture inverted: the partners stay human — judgment, relationships, accountability — while the rest of the pyramid (analysts, associates) is agents. That’s our wedge: the system of work rebuilt with governance, memory, and feedback baked in (an FDE delivery, not a SaaS sub), where the production feedback loop that self-improvement needs is the moat a lab can’t capture. It’s how we run ourselves — the flywheel is FractalBox as an AI-native org.
Outcome and trust over credentials
- Ride the revolution, don’t fear it — the risk is falling behind.
- Accountability, trust, and outcome beat credentials — we win by building and standing behind the result.
- On credentials: Japan/Singapore’s credentials culture won’t shift in five years, so we hold the relevant ones — but the asset is trust and regulatory standing, not the certificate.
Formation & niche
- R&D is the core of the agency; data engineering is the niche and technical wedge.
- Outcome-driven — anyone can vibe-code general ideas, so the defensible spot is the hard constraint: compliance and risk management.
- T-shaped — deep in cybersecurity and data engineering, broad enough to own the workflow.
The flywheel
Four arms compound into one motion. FractalBox (AI-transform-as-a-service) proves the playbook on clients and earns the cash that funds FractalFund (operator PE). That rigor compounds the Cybersecurity-as-a-Service brand; OpenHackersClub, our OSS community, turns trust into a self-sovereign stack, distribution, and inbound that reopen the FractalBox funnel. Each turn makes the next cheaper.
- FractalBox — AI-transform-as-a-service: the cash engine and front door; delivery seeds the design partners and reference logos everything rides on.
- FractalFund — operator PE, not VC (later arm). Details in FractalFund.
- Cybersecurity-as-a-Service — the brand arm: every audited engagement compounds the trust that reopens the funnel.
- OpenHackersClub — community + open source: a self-sovereign OSS stack that compounds credibility, distribution, and talent, and feeds the local-first foundations our products stand on.
Sequencing — what’s on the committed 7-month critical path. Only FractalBox (the cash engine) and the two flagship products are 2026 execution. FractalFund and OpenHackersClub are later arms — the narrative of where this compounds to, not work in the committed window. In a pitch they’re a one-line “where this goes,” not co-equal arms (see Flagship Products).
North star metrics
One number per arm — the single metric it optimizes. The two committed arms have a live north star; the later arms inherit one as they come online.
| Arm | North star metric | 2026 measure |
|---|---|---|
| FractalBox | Annual revenue | The cash engine’s only number — it funds every other arm. |
| OpenHackersClub | Number of product users | GitHub stars as the 2026 proxy until product user counts exist. |
| FractalFund | (later arm) | Not yet tracked — out of the committed window. |
| Cybersecurity-as-a-Service | (brand arm) | Compounds the FractalBox number; no separate north star. |
Themes — what we work on
Two design principles decide what we take on and how we charge:
- Local-first. Software runs on the customer’s own infrastructure; data never leaves their control plane — the trust unlock for regulated data and the principle our Hakiri context engine (and Contextful on top) is built on. We sell the sync, not seats — recurring revenue is a tax on compute & storage for the sync layer, not a per-seat fee. It lowers buyer lock-in and gives us durable, usage-aligned revenue.
- Privacy-first. We go where privacy is the requirement, not a nice-to-have: confidential workloads (e.g. trading) and where data residency is mandated (compliance / regulated). It’s the wedge a frontier-API-dependent rival can’t match — exactly what Meerkat governs — tying to the regulated-AI thesis and the hybrid / local-LLM tailwind.
Flagship products
Two products instantiate the thesis — each a system, each mapped to its role. Both are built in the Q3 dev block and launched into the Q4 window:
- Meerkat — a toolkit to build harness and safety guardrails for AI agents in risk management & compliance. The governance / control-plane moat, and nearest the security/compliance wedge we already sell.
- Contextful — local-first agent context & memory, built on the Hakiri context engine + ETL pipelines; where sell-the-sync and the scalable, lab-resistant story live.
Hakiri + Contextful hold what the system knows; Meerkat governs what it’s allowed to do. Shipping both in one 13-week block is the aggressive bet — it rides on the delivery harness + 10× concurrent capacity; the Sep-30 gate is the checkpoint that proves it. Full product detail: Flagship Products.
Go-to-market
Run two operating modes in parallel:
- Founder mode — lead generation. Founder-led selling drives top-of-funnel: direct relationships, design-partner talks, conference presence, and credibility only a senior founder carries into a regulated buyer.
- Agency mode — momentum. The delivery engine keeps engagements moving and revenue compounding while founder mode chases the next wedge, converting each engagement into references, case studies, and expansion.
Partnership play — ecosystems as the lead channel
Don’t buy demand — integrate into ecosystems and let the integrations be the distribution. Each is both feature and lead surface:
- 100+ source integrations — Contextful connects to the systems customers already run; every supported source is a reason to be found and to land.
- Key compute partnerships — anchor on platforms with their own distribution and co-sell, e.g. Cloudflare (Workers / Pages / edge, a natural fit for local-first + edge governance) and agent platforms. Their reach becomes our lead channel.
Low, compounding CAC: founder mode opens, agency mode sustains, partnerships feed both.
Tactics
We’re founders too
We sell as operators, not vendors — being founders is both a channel and a cost advantage:
- Founder network. Warm intros, design partners, and referrals via a peer founder network, not cold outbound — the shared client pool behind the income-sharing scheme. Founder-to-founder credibility gets us into regulated buyers.
- Credits. Founder / startup status unlocks cloud and tooling credits that subsidize the backend build and extend runway — Google for Startups (up to US$350k), AWS Activate, Cloudflare — offsetting the Q3 build-block cost.
Challenges
The key challenges to the strategy and how we mitigate them live in Challenges.
Narratives
One thesis, three buyers — founders, SMB finance/compliance firms, and the crypto community. Same FDE delivery and the same products, a different story per buyer. Full hooks and wedges live in Narratives.
Shots — the live pipeline
The concrete attempts against these opportunities — deals, grants, programmes, events — and dated timelines live in Roadmap & Pipeline, with the GTM playbook (ICE71 → design partner → CSA CyberCall / Startup SG Tech / IMDA GenAI Sandbox).
Fundraising
See Partnership Business Model for income-sharing scheme, fund use, and partnership structure.
See also Roadmap & Pipeline and GRC notes.
Footnotes
1. Insights and quotes from a16z, “Avoiding Death on the Yellow Brick Road”.