Implementation playbook
SARC is sold + delivered as a fixed-scope implementation engagement, not a SaaS subscription. The engagement typically runs 4–8 weeks depending on cloud + CI coverage and existing Kosli + ServiceNow maturity.
This page is a public-facing summary. The full per-week playbook (engineer task list, customer task list, executive artefacts) ships under epic #413 and is delivered with the engagement.
Engagement phases
Week 1 — Foundation
Customer outcomes:
- SARC running in the customer’s chosen cloud + namespace
- First audit-evidence pack exported to PDF
- AUDITOR magic-link sent to the customer’s audit team
Engineer tasks:
- Cloud bootstrap (`scripts/bootstrap-secrets-<cloud>.sh`)
- Terraform apply for the cluster (EKS / AKS / GKE)
- ArgoCD install + ApplicationSets applied
- Demo tenant seeded with the 48 global controls
Customer tasks:
- Provide cloud admin credentials for bootstrap
- Provide Kosli + ServiceNow + (optional) GitHub/GitLab/ADO PATs
- Identify the audit / GRC contact who will own the AUDITOR session
Week 2 — Workflow integration
- ServiceNow CR enrichment live: 5-axis risk score writes back into the customer’s CR records
- Pipeline-side compliance gates wired into customer’s existing CI
Week 3 — Multi-cloud / multi-CI parity
- Second cloud or second CI added if in scope
- Kosli `karc-pipeline` flow naming validated across environments
Week 4 — Industry pack tuning
- Industry-specific controls tuned for the customer’s regulatory profile (banking + DORA + PSD2, or healthcare + HIPAA, or public sector + FedRAMP)
- Custom controls added (`ComplianceControl` rows with `tenantId` set)
Weeks 5–6 — Vuln + cost integration
- Vulnerability SLO targets set with the customer’s SLAs
- Cost-vuln correlation activated (requires cost-ingest credentials)
- Executive ROI 1-pager (epic #416) generated for the executive sponsor
Weeks 7–8 — Handover + customer success
- Operator training (Sidecar role + ADMIN role + AUDITOR role)
- Runbook walkthrough for incident response, evidence export, change-window mgmt
- Knowledge-transfer session with the customer’s platform team
- Engagement closes; customer owns + operates
What stays with the customer
After the engagement:
- All Terraform + Helm + scripts live in the customer’s own repo (forked or copied)
- All cluster + portal + Kosli + ServiceNow data lives in the customer’s own infrastructure
- No SARC-side runtime dependency, no telemetry sent back to Calitti / Synechron
- Customer’s own team operates from here forward
What ongoing engagement is available
After the initial engagement, customers may optionally engage Calitti / Synechron for:
- New feature additions (industry packs, CI integrations, cloud expansion)
- Annual compliance pack refreshes (DORA quarterly RTS updates, etc.)
- AI Governance / NIST AI RMF / ISO 42001 readiness as separate engagements
These are quoted per-engagement; there is no recurring fee.
How engagements get scoped
Contact Calitti / Synechron with:
- The cloud(s) you want SARC to run on (AWS / Azure / GCP / on-prem)
- The CI platforms you already use (GitLab / GitHub Actions / Azure DevOps / Jenkins)
- Your existing Kosli + ServiceNow status (already adopted? planning to adopt?)
- Your primary compliance frameworks (DORA / PSD2 / ISO 27001 / SOC 2 / HIPAA / FedRAMP / …)
- The target audit / readiness date
A typical engagement quote comes back within 5 business days.