VOL 07BUILD SEQUENCEFOUR PHASES · 2025 → 2031

How we get from here to there.

The sequence is not a wishlist. Every package depends on something earlier in the chain — the identity graph, the policy engine, the audit fabric, and the pluggable crypto layer. Build the foundations once, and Cybersec91 + Infosec91 compose on top in order.

§00The four foundations
Built once · used everywhere

Before any product ships, four shared substrates must exist. Each one is consumed by every product on the roadmap. Investing here first is the difference between a coherent suite and seven disconnected vendors in a trench coat.

F1 · IDENTITY GRAPH
Users, devices, agents, services — one model.
Every entity (human, device, agent, workload) has a first-class node. Relationships are edges. Every other product reads from this graph.
F2 · POLICY ENGINE
One language for all access decisions.
OPA / Rego-style declarative policy. MFA, SSO, ZTNA, PAM, Mythos all evaluate against the same engine, the same context, the same audit shape.
F3 · AUDIT FABRIC
Tamper-evident, India-resident, regulator-ready.
Chain-hashed log of every authn / authz / privileged-action event. Sectoral CERT export format built in. The compliance story is a query, not a project.
F4 · CRYPTO LAYER
Pluggable, PQ-ready, BYO-HSM.
Single primitive interface across all products. ML-KEM / ML-DSA available behind a config flag. PQ migration is an ops change, not a re-architecture.

Investment rule. No product is allowed to ship its own auth, its own policy DSL, or its own log format. Foundation work is never deferred for product velocity — it is the multiplier that gives us product velocity.

§01Dependency graph
What unlocks what
PHASE 1 · 2025–2026 PHASE 2 · 2026–2027 PHASE 3 · 2027–2029 PHASE 4 · 2029–2031 FOUNDATIONS Identity Graph · Policy Audit Fabric · Crypto MFA ● LIVE SSO ● BUILDING Audit Console v1 ● BUILDING PAM ○ Y2 IGA ○ Y2 ZTNA ○ Y2 DPDP / Privacy ○ Y2 SIEM ◇ Y3 DSP / DLP ◇ Y3 EDT ◇ Y3 Compliance Auto ◇ Y3 Mythos AI Layer ◇ Y4–5 SOAR ◇ Y4–5 App / API Sec ◇ Y4–5 CSPM / Cloud ◇ Y4–5 SHIPPED BUILDING PLANNED FUTURE

Read it left to right. Each arrow is a hard dependency — the upstream node must be production-grade before the downstream one can ship. Soft dependencies (data feeds, UX cohesion, shared concepts) are not drawn.

§02Phase 1 · Trust the human
2025–2026
01

Land the identity beachhead.

2025–2026 · 18 months

Establish the foundations and ship a credible identity stack: phishing-resistant MFA, federated SSO, audit-grade logging. Win regulated-sector deals on compliance posture and air-gap fit.

SHIPPED + BUILDING ● LIVE / BUILD
Packages
F1–F4 · FoundationsIdentity graph, policy engine, audit fabric, pluggable crypto layer.
LIVE
MFA · all factorsFIDO2, TOTP, push, HOTP, RADIUS, SMS/email fallback, self-service enrollment.
LIVE
SSO · SAML + OIDCFederated SSO, JIT provisioning, step-up to MFA, session console.
BUILDING
Audit Console v1Tamper-evident log, sectoral CERT export, India-resident retention.
BUILDING
Exit gates
G1
3 BFSI customers in production with MFA, including 1 air-gapped deployment.
Proves regulated-sector fit.
G2
SSO GA, with at least 30 connector-grade SaaS integrations.
Unlocks IGA + ZTNA in Phase 2.
G3
Audit fabric passes external attestation (SOC 2 Type II + ISO 27001).
Compliance Automation builds on this.
G4
PQ ML-DSA available behind feature flag for token signing.
Phase 4 PQ migration is then a config change, not a project.
§03Phase 2 · Trust the access
2026–2027
02

From "who are you" to "what can you do".

2026–2027 · 12 months

Build privileged-access, governance, and zero-trust network access on top of the identity beachhead. Address the helpdesk-fraud, leaver, and VPN-flat threat classes head-on. DPDP enforcement is the wedge.

PLAN · Y2 ○ PLANNED
Packages
PAMVault + JIT elevation + session recording. Defends against helpdesk-fraud + ransomware playbook.
Y2
IGAJoiner-mover-leaver, access reviews, SoD, role mining. Closes leaver-exfil + audit gaps.
Y2
ZTNAIdentity-aware proxy, per-app micro-tunnels, posture gate. Replaces VPN.
Y2
DPDP / PrivacyConsent ledger, DSAR fulfilment, breach-notification engine. India-specific moat.
Y2
Exit gates
G5
PAM GA with 5 enterprise references; session recording + JIT elevation in active use.
G6
IGA closes 95% of orphan-account drift on a quarterly cycle for reference customers.
G7
ZTNA replaces legacy VPN at 2+ marquee accounts; sub-100ms p99 added latency.
G8
DPDP module passes one DPB-style mock audit by external counsel.
§04Phase 3 · Trust the data + the device
2027–2029
03

From identity into data, device, and detection.

2027–2029 · 24 months

SIEM with native identity correlation. Endpoint trust attached to the identity graph. Data-security + compliance-automation closing the regulator loop. We become the platform — not a point tool.

PLAN · Y3 ◇ FUTURE
Packages
SIEM · India-residentIdentity-aware UEBA, cross-product correlation, 7-yr cold storage, sectoral threat-intel.
Y3
DSP / DLPClassification, endpoint DLP, CASB, field encryption + tokenisation, residency enforcement.
Y3
EDT · Endpoint & Device TrustTPM-backed device identity, posture telemetry, compliance gate, MDM bridges.
Y3
Compliance AutomationContinuous control monitoring, audit-binder export, multi-framework cross-mapping.
Y3
Exit gates
G9
SIEM detects 3 cross-product attack patterns (e.g. push-bomb → MFA approve → ZTNA grant) in production.
Proves the integration thesis.
G10
DSP discovers + classifies sensitive data at 5+ enterprise accounts with <5% false positive on Aadhaar/PAN.
G11
EDT enforces device-posture gating in 3+ regulated-sector accounts.
G12
Compliance Automation reduces audit prep time by 60%+ at 2 reference customers.
§05Phase 4 · Trust the agent
2029–2031
04

The Mythos era — defending against autonomous attackers.

2029–2031 · 24 months

Mythos extends every foundation to AI agents: agent identities, agent-to-agent auth, prompt firewall, tool-call policy, deepfake detection. SOAR + AppSec + CSPM round out the suite. We are the only India-headquartered platform with a coherent agent-identity story.

PLAN · Y4–5 ◇ FUTURE
Packages
Mythos AI Security LayerAgent identity, A2A auth, prompt firewall, tool-call policy, output filter, deepfake detection.
Y4–5
SOARPlaybooks, auto-response, CERT-In incident drafting, cross-tool orchestration.
Y4–5
App / API SecurityAPI discovery, schema + auth posture, runtime protection, secrets scanning.
Y4–5
CSPM / CIEM / CWPPMulti-cloud posture, entitlements, workload runtime, sovereign-cloud profiles.
Y4–5
Exit gates
G13
Mythos issues + audits agent identities for 100k+ agents across 5+ enterprise customers.
Defines the category in India.
G14
SOAR auto-files CERT-In 6-hour incident reports from telemetry, with human-in-loop approval.
G15
Deepfake-detection inline at video-KYC flows for 2+ BFSI customers.
G16
Full PQ migration shipped under regulator mandate — config flag flip, no customer downtime.
§06Sequencing risks
What could break the chain
R-01HIGH

Foundation under-investment

Pressure to ship the next product faster causes shortcuts in the identity graph or policy engine. Each shortcut compounds — every later product re-implements its own auth, audit, or crypto.

MitigationFoundation team is org-isolated from product P&Ls. No product gates on its own auth. Quarterly architecture review with veto power.
R-02HIGH

SSO timeline slip

SSO blocks IGA, ZTNA, and most of Phase 2. Connector-grade integration with 30+ SaaS apps is more work than visible from the outside.

MitigationConnector roadmap published with named owners. Top-10 integrations prioritised by customer demand. Contractor team for long-tail.
R-03MED

SIEM scale economics

India-resident hot+cold storage at competitive cost is non-trivial. If we miss the cost target, customers default to global SIEM despite residency risk.

MitigationCompressed cold-tier R&D started in Phase 2. Partnerships with Indian DC operators. Bring-your-own-storage option.
R-04HIGH

Mythos category timing

If we ship Mythos too early, no agent-identity sprawl yet — no buyers. Too late and global hyperscalers (or one of OpenAI / Anthropic / Google) own the category.

MitigationMythos design partners committed in Phase 3. Public reference architecture in Phase 3. GA at the earliest signs of real agent sprawl in 2029.
R-05MED

Regulatory drift

RBI / SEBI / CERT-In requirements change between phases. A product designed against today's framework misses tomorrow's audit.

MitigationCompliance Automation framework templates designed for hot-swap. Active engagement on consultation papers. Sectoral CERT relationships maintained at exec level.
R-06MED

Talent concentration

Crypto, identity, and AI-security expertise are scarce in the India market. Every phase has a single-point-of-failure technical leader risk.

MitigationPair-leader policy on every foundation team. Open-source presence for hiring funnel. Academic advisory + intern pipeline.
Companion · Vol 06
Threat Horizon →
The threats that justify this sequence.
Companion · Vol 04
Suite Map →
Every product in this sequence, on one chart.