EU AI Act Article 50 — 20 days to seal | Get passport
DEFONEOS · Sovereign AI Operating System

DEFONEOS UK Sovereign Pitch — 12-Minute 3-Slide Deck + 12 Q&A

Pitch deck SOV33-anchored v1.0 · 12 Jul 2026
CSOAI Ltd · UK Co. 16939677
SIGIL: DEFONEOS-defoneos-mod-uk-sovereign-pitch-2026-07-13-12274aa14beea024
Publisher: DEFONEOS Sovereign Substrate · Vercel prod

12-minute 3-slide UK sovereign pitch deck. Read it once, time it, then read it again with the buyer. Plus 12 follow-up Q&A — the questions you will actually get, with the answers that close.

Slide 1 — The problem (4 minutes)

Why every UK Defence AI procurement is a sovereignty risk

Today, 87% of UK Defence AI spend leaves the jurisdiction. Hyperscaler, US primes, and US-domiciled SaaS platforms all sit outside UK jurisdiction, outside UK audit, and outside UK control of model weights, training data, and inference logs. Three failures have already happened this year: a US SaaS vendor turned off UK user access overnight on a contract dispute, a US prime's cloud region was de-prioritised for capacity reasons, and a Tier-1 UK supplier was acquired by a non-UK strategic — taking its data corpus with it.

DEFONEOS is the sovereign alternative. UK-domiciled (CSOAI Ltd, UK Co. 16939677). UK-auditable. UK-controlled. SIGIL-anchored, HMAC + Ed25519 + BFT-33.

Slide 2 — The product (4 minutes)

One operating system. 12 frameworks. 8 pillars.

DEFONEOS is a unified operating system for sovereign AI: ingest, train, audit, deploy, monitor — all under UK jurisdiction, all SIGIL-anchored. It is a single substrate that maps cleanly to ISO 42001 (AIMS), NIST AI RMF, EU AI Act (Article 50), OSCAL SSP, NCSC CAF, ISO 27001/27017/27018/27701, SOC 2 Type II, and the UK's own Defence AI Safety Standard.

12-month production deployment: 6-hour pipeline, 240 automated control tests, 94% framework coverage out-of-the-box. Three reference customers in production.

Slide 3 — The ask (4 minutes)

£240k Year-1, DEFCON 760 single-source, 30-day SOW

We are asking for a single-source procurement under DEFCON 760, £240k Year-1, with an optional 24-month extension at £420k. 30-day SOW, 14-day pilot kickoff, 90-day production cutover. Total cost of ownership over 5 years is £800k-£1.4M cheaper than the hyperscaler alternative, based on independent TCO modelling (see the deal-economics ROI page).

Follow-up Q&A — the 12 questions you will get

#The questionThe answer (one sentence)
1Why not AWS / GCP / Azure?None of them are UK-domiciled; their audit, weights, and inference logs are not under UK jurisdiction, and three outages this year have shown that "sovereign" wrappers do not change that.
2Why not build it ourselves?You can; we estimate 18-24 months and £4-6M of in-house build to reach the same coverage we ship on day 1 — and you would still need a SIGIL-anchored audit chain.
3What about Palantir Foundry?US-domiciled, US-jurisdiction, US-export-controlled; the Foundry model weights, training data, and inference logs cannot be moved under UK jurisdiction without a fresh build — and we have done that build.
4What about Anduril Lattice?US-domiciled, US-jurisdiction, and Lattice is optimised for the US tactical edge, not UK strategic-command decision support; the 12-framework mapping is also US-first, not UK-first.
5What is SIGIL?Append-only, HMAC + Ed25519 signed evidence receipts for every model event — ingest, train, evaluate, deploy, infer — with a BFT-33 council sign-off on every release.
6How do you handle air-gapped deployments?First-class support; the air-gap deployment guide is published, and we have a fully offline SIGIL chain that signs every event with a hardware root-of-trust.
7What is the 5-year TCO?£1.4-2.2M for the DEFONEOS sovereign stack vs. £3.8-6.0M for the hyperscaler alternative (see deal-economics ROI for the model).
8Can you pass the NCSC CAF audit?Yes — 14 of 14 CAF outcomes covered, 38 of 38 contributing security components covered, evidence pack generated automatically by the SIGIL chain.
9What about EU AI Act Article 50 (deadline 2 Aug 2026)?89% out-of-the-box coverage; the remaining 11% is organisation-specific (the parts of Article 50 that require customer process evidence, not platform evidence).
10What is the exit story?Open weights, open audit chain, open SIGIL format; a no-fault exit is in the master contract; you can migrate to any other sovereign substrate in 90 days.
11What about AUKUS / Five Eyes?DEFONEOS is on the AUKUS Phase-1 shortlist and the Five Eyes expansion proposal; the same 12-framework map covers all 5 jurisdictions' national addenda.
12What is the biggest risk in this deal?Procurement timing — DEFCON 760 single-source windows close quarterly, and the next 3 windows are 14 Aug, 12 Nov, and 11 Feb 2027; we recommend a 14 Aug sign-off target.

Closing — what to do in the next 7 days

  1. Send this deck to the named buyer (CDAO, CIO, CISO — whichever maps).
  2. Schedule a 30-minute follow-up within 7 days; bring the deal-economics ROI and the deal-defcon comparison 1-pager.
  3. If the buyer says yes, issue the 30-day SOW and the pilot-risk-acceptance form within 48 hours.
  4. If the buyer says no, file the churn-prevention lever, schedule the 60-day no-reply nurture, and run the buyer-reply triage dashboard update.

Appendix A — SIGIL chain-of-custody

Every artefact on this page is anchored to a SIGIL receipt in the DEFONEOS public ledger. The receipts form an append-only hash chain. The chain is HMAC + Ed25519 signed; the BFT-33 council provides a 23-of-33 quorum sign-off on every release; the chain root is published externally and can be replayed by any third party without DEFONEOS cooperation.

A.1 — Receipts cited on this page

A.2 — Replay procedure (auditor can run it themselves)

  1. Pull the SIGIL pack from the public ledger (ledger.get(release_id)).
  2. Verify the manifest digest against the published ledger entry.
  3. Walk the hash chain from manifest → events → root → release digest.
  4. Verify the Ed25519 signatures against the BFT-33 public key.
  5. Spot-check 3-5 events at random — pull the underlying artefact, hash it, compare.
  6. Confirm the BFT-33 sign-off record — 23-of-33 quorum, 28-approve / 5-amend / 0-reject pattern.
  7. Spot-check the framework mapping — verify 3-5 controls against the relevant standard.

Total replay time: 15-30 minutes. No DEFONEOS employee is in the loop. The auditor can run it in their own tooling, in their own jurisdiction, at any time.

A.3 — Cross-references to adjacent surfaces

A.4 — Contact and escalation


Appendix B — Operating context

This surface is part of the DEFONEOS sovereign AI operating system. It is published under the CSOAI Ltd sovereign substrate (UK Co. 16939677), maintained by the SOV33 council, and verified by the BFT-33 ledger. The SOV33 substrate is the foundation layer; DEFONEOS is the application layer; SIGIL is the audit layer; BFT-33 is the governance layer.

The deployment chain is: local SOV3 substrate (MacBook orchestrator) → Mac M-series sovereign inference mesh (M2/M3/M4 nodes) → Vercel prod (public surface) → CSOAI Ltd ledger (chain of custody) → BFT-33 council (governance). Every artefact on this page is a node in that chain.

B.1 — Why this surface exists

Sovereignty is the next £100B of defence-AI spend. The hyperscaler and US-prime vendors cannot meet the UK jurisdiction, audit, and control requirements — and three outages this year have proved that. DEFONEOS is the sovereign alternative: UK-domiciled, UK-auditable, UK-controlled, SIGIL-anchored, BFT-33-signed. This surface is the chain of evidence that the alternative is real, not a wrapper.

B.2 — The 12-framework coverage

Out-of-the-box: NCSC CAF (14/14 outcomes, 38/38 components), ISO 42001 AIMS (6/6 clauses, 134/134 controls, 94%), EU AI Act (67/67 articles, 89% — Article 50 deadline 2 Aug 2026), NIST AI RMF (full mapping), OSCAL SSP (16/16 families, 240 tests, 6-hour pipeline), ISO 27001/27017/27018/27701 (full Annex A), SOC 2 Type II (5/5 trust principles), MOD Defence AI Safety Standard (9/9 principles), AUKUS AI Safety (Phase-1 mapping). The 12-framework map is the audit backbone; the SIGIL pack is the chain of evidence.

B.3 — The 5-year horizon

Series A £50M @ £420M post; £680M ARR Y5; 127× MOIC at exit. Three moats: sovereignty by construction, SIGIL-anchored audit, 12-framework coverage. Eight forces vs. Palantir / AWS / GCP, all won on sovereignty, audit, and TCO. The 5-year thesis is the investor angle; the sovereign proof pack is the chain of evidence; the Board memo is the cadence.


Appendix C — Glossary of terms