SnowOps — Milestone Definitions
Each milestone is an independently shippable state. Later milestones add capability but do not break earlier ones.
GTM / Revenue-Readiness Workstream ([GTM] — parallel to M1–M5)
Not a sequential milestone — a parallel workstream. Assets carry [GTM] tag (§4.Y + §4.Z + §3.8).
- Motion: Founder-led cold outbound; free G-series Discovery Audit is the wedge.
- Content: positioning + pricing + cold-outbound engine + conversion assets + proof + vertical reference-architecture blueprints.
- Relationship to A-series: Y is the human-readable content layer; A-series HubSpot automation is the execution layer (A1 enrich · A2 score · A3 proposal-render · A5 discovery-trigger). Y unblocks A.
- Needs zero cloud — Claude builds in parallel with Sagar's runbooks.
Assets: Y0–Y13, Z0–Z3, §3.8 pricing. Status: all 🟦 drafted (v0.34).
Ready-to-sell criteria:
- [ ] One-line positioning + 3 ICP value props + objection library (Y1)
- [ ] Published price for every §3 package (Y2 / §3.8)
- [ ] 50-account target list + 5-touch outreach dry-run (Y3 + Y4)
- [ ] Discovery script + priced proposal from a sample audit (Y5 + Y6)
- [ ] Z1 SaaS blueprint reviewed (Z1)
- [ ] Contract pack reviewed by counsel (Y12)
M1 — Pre-Sales & Developer Foundations
"Ship this, start selling."
- Client: Any Azure prospect (pre-deal) or Day-30 client wanting quick security hygiene wins.
- What a client gets: Portable quality gates adoptable onto any existing repo with zero new infrastructure + free automated Azure posture audit + GitHub repo provisioned to SnowOps standards.
- Constraint: Azure-only discovery; GitHub Actions only.
Assets: D1 · D2 · D3 · X3 · X1 · X2 · C4 · R1 · G0–G6 · A1 · A5 · B1
Client-facing artifacts:
- docs/client-guides/quickstart-quality-gates.md — self-service adoption of D1+D2+D3+C4 onto any repo
- Discovery audit PDF (G3) — branded, findings-linked to remediation roadmap
- GitHub repo provisioned via B1 with branch protection, CODEOWNERS, OIDC
Ready-to-use criteria:
- [ ] conftest verify passes 36/36 (D3)
- [ ] Discovery audit produces a PDF with ≥1 finding against a real Azure sub
- [ ] G0 bootstrap script runs clean with read-only SP
- [ ] D1 blocks a planted hardcoded-secret commit
- [ ] B1 GitHub App provisions a test repo with all protection rules
Estimated effort: 4–5 weeks
M2a — Greenfield Azure Baseline: Core Infrastructure
"First client delivery — infrastructure and identity foundation."
- Client: Day-0 greenfield Azure client on GitHub Actions. No existing IaC.
- What a client gets: Hardened Azure subscription, secure network foundation, IAM with MFA + PIM + break-glass, AKS-ready infrastructure, complete CI/CD pipeline with policy gates.
- Constraint: GitHub Actions only; no brownfield support yet.
Assets (on top of M1): F0 · F1↑ · F2 · F3 · F4 · F5 · F6↑ · H1–H3 · H5 · H7 · J1 · J2 · J6 · M1(data) · M2(data) · M3(data) · M6 · N5 · N6 · U1 · U2 · B2–B5 · C1 · C2 · C3 · D4 · X4 · X7
Client-facing artifacts:
- Deployed hardened Azure subscription (F1) with policy, Defender, Log Analytics
- Hub-spoke network topology (F2)
- AKS cluster (F3) with Kyverno policies (D4)
- CI/CD pipeline (C1–C3) with OPA + Kyverno gates
- IAM bundle (H1–H3, H5, H7) — MFA mandatory, PIM active
- Per-env Terraform state backend (F6/B4)
Status: FUNCTIONALLY CODE-COMPLETE (v0.40). W1–W3 postponed (D35).
Estimated effort: 6–8 weeks
M2b — Greenfield Azure Baseline: Compliance Monitoring & Full Package
"Complete Baseline — audit-defensible from day one."
- Client: Same as M2a; extends with compliance monitoring, DR, evidence floor, and documentation.
- What a client gets: Full "Cloud Secure" Baseline package. Lightweight evidence snapshot for early auditor conversations.
14-asset core (D36): E0 · V2 · V3 · S1 · S2 · K1 · K2 · L1 · L2 · L4 · D5 · F12 · B6 · F11
Additional assets (postponed until core complete): F7 · F8 · J4 · N3 · N4 · R2 · X5 · X8 · I5
Client-facing artifacts:
- Drift detection + issue-per-drift (S1)
- Azure Policy compliance dashboard (S2)
- Compliance evidence snapshot artifact per apply (E0)
- Auto-generated architecture diagram (V2) and operational runbook (V3)
- IR runbook library (K1), on-call integration (K2)
- Backup + monthly restore drill (L1, L4)
Estimated effort: 4–5 weeks
M3 — Brownfield & Multi-CI
"Works with existing infrastructure and any CI platform."
- Client: Day-30/90 clients with partial IaC, existing Azure resources, or Azure DevOps.
- What a client gets: All M2 capabilities, usable with existing Terraform-managed or click-ops Azure resources; C1-equivalent on Azure DevOps; stable module versioning.
Assets (on top of M2b): C5 · E7 · F11 · F12 · B6 · W4
Client-facing artifacts:
- docs/client-guides/brownfield-adoption.md
- Import runbooks per F-module (F12)
- Azure DevOps pipeline equivalent of C1 (C5)
- TicketPlatform adapters (E7) — Jira / GitHub Issues / Linear / ADO Boards
- Client self-service prerequisite checker (B6)
- Module version pins and upgrade path (F11)
Estimated effort: 4–5 weeks
M4 — Advanced Compliance Package
"SOC2 / ISO27001 / HIPAA ready."
- Client: Series B+ clients in formal audit or preparing for certification. Also activates AWS clients via G7.
- What a client gets: Full Advanced tier — automated evidence collection (Vanta/Drata), SIEM (Sentinel), SOAR playbooks, vendor risk management, HR security, trust center, compliance scorecard.
Assets (on top of M3): E0–E6 (full) · G7 · H4 · H6 · I4 · I6 · I7 · J3 · J5 · J7 · K3–K5 · L3 · L5 · M4–M7 · N2 · N7 · O1–O4 · P1–P4 · Q1–Q5 · R3 · R4 · S3 · S4 · T1–T4 · V1 · V4 · U4 · U5
Client-facing artifacts:
- Vanta/Drata integration with automated control evidence
- Microsoft Sentinel with MITRE-mapped analytics
- Trust center + security questionnaire library
- Compliance scorecard PDF per quarter
- Full policy document library
- AWS discovery audit capability (G7)
Estimated effort: 8–10 weeks
M5 — Multi-Cloud & Platform Scale
"Full platform maturity — any cloud, self-service, enterprise scale."
- Client: Multi-cloud clients (AWS + Azure), clients wanting self-service, SnowOps at scale.
Assets (on top of M4): F9 · F10 · W5 · U3
Client-facing artifacts:
- AWS module library (F9) with same security posture as Azure modules
- Cross-cloud discovery (Azure + AWS combined report)
- SnowOps client dashboard for multi-tenant visibility (W5)
Estimated effort: 6–8 weeks