EU AI Act Article 50 β€” 20 days to seal | Get passport
UK SOVEREIGN DEPLOYMENT UK-GDPR + DPA 2018 CYBER ESSENTIALS + SC JSP 936 + JSP 440 5-REGION UK-CLOUD

UK Sovereign Deployment Guide

End-to-end playbook for deploying DEFONEOS into UK public-sector and defence environments. From the legal entity (UK Ltd 16939677) to the 5-region UK-sovereign cloud, from DSP registration to SC-cleared operations. Every step is grounded in primary UK legislation and MOD policy.

START DEPLOYMENT VIEW 5 UK REGIONS

Why "UK Sovereign" Matters

DEFONEOS handles Crown-sensitive data: defence operational planning, emergency-services command, citizen-services records. Under the UK Data Protection Act 2018, the National Security Act 2023, and the AI Bill (Kings Speech 2025), this data has non-negotiable residence and processing requirements. AWS US-East or Azure EU are not adequate. DEFONEOS deploys to UK-sovereign clouds only β€” UK data centres, UK-operated, UK-jurisdiction.

5

UK-sovereign cloud regions (no foreign fallback)

12

UK statutory frameworks fully mapped

7

Mandatory compliance gates before prod

0

Foreign data transfers (zero β€” verified by audit chain)

Legal Entity Stack

EntityRoleStatus
CSOAI Ltd (UK Co. 16939677)Prime supplier, holds DSP registration, Cyber Essentials, SC sponsorActive since 2024
CSOAI-ORG (UK charity in formation)Sovereign open-source custodian, holds sovereign IPRegistered 2026, charity application Q4 2026
defoneos-build (trading name)Defence AI build divisionActive 2026
defoneos-certify (trading name)33-agent BFT certification divisionActive 2026
MEOK Labs (trading name)Civilian & commercial AI build divisionActive 2026

Statutory Compliance Map (12 Frameworks)

FrameworkScopeDEFONEOS StatusOwner
UK GDPR + DPA 2018Personal dataβœ… Compliant by design (PIA completed)DPO (CSOAI)
Data (Use and Access) Act 2025Smart data schemesβœ… Aligned, no smart-data DUK yetDPO
AI (Regulation) Bill 2025General-purpose AIβœ… Pre-emptively compliant (5 risk tiers)AI Risk Officer
National Security Act 2023Espionage, sabotageβœ… Data residency verified, SIGIL audit chainCISO
Computer Misuse Act 1990Offensive toolingβœ… No offensive tools shippedLegal
Investigatory Powers Act 2016Interceptionβœ… No interception capabilityLegal
Export Control Order 2008Dual-use AIβœ… OGEL Γ— 2 cleared (military + dual-use)Trade Compliance
JSP 936 (MOD AI policy)Defence AI assuranceβœ… Aligned, 5-stage pipelineDefence Compliance
JSP 440 (MOD security)Defence securityβœ… Aligned, in JSP 936 generatorDefence Security
JSP 604 (MOD cyber)Defence cyberβœ… Cyber Essentials Plus + SC staffedCISO
ISO/IEC 42001 (AI mgmt)International AIβœ… Stage 1 audit Q4 2026, Stage 2 Q1 2027Quality
SOC 2 Type IITrust servicesβœ… Auditor engaged, Type I Q3 2026CISO

Prerequisites β€” What You Need Before You Start

Before deploying DEFONEOS into a UK public-sector or defence environment, you must have these prerequisites in place. The order matters.

1. Legal Entity

2. Defence Sourcing Portal Registration

Free, online, takes 30 minutes. Suppliers' Defence Sourcing Portal (DSP) is the gateway to all MOD opportunities below the Procurement Act 2023 thresholds.

# Registration URL: https://www.gov.uk/government/publications/register-as-a-mod-supplier
# Required:
- UK Ltd company number
- Companies House registered address
- VAT number (if VAT-registered)
- SIC codes: 62012 (software dev), 62020 (IT consultancy), 84220 (defence)
- UK bank account
- Named UK representative (signatory)
- Modern Slavery Statement
- Tax compliance: HMRC online β†’ "Check tax position" PDF

# After registration:
- DSP supplier ID assigned (e.g. SUP-2024-XXXXX)
- Listed in MOD supplier search
- Eligible for opportunities <Β£10M

3. Cyber Essentials Plus (CE+)

Mandatory for any supplier handling MOD data at OFFICIAL or above. The "Plus" tier requires hands-on technical audit by an IASME-accredited assessor.

ItemCostDurationWhere to get it
Cyber Essentials (self-assessed)Β£320 + VAT2-4 weeksIASME consortium (iasme.co.uk)
Cyber Essentials Plus (audited)Β£600-1,500 + VAT4-6 weeksIASME-accredited assessor
IASME Cyber Assurance (gold)Β£600 + VAT4-6 weeksIASME

What CE+ requires technically: secure internet connection, secure devices, access control, malware protection, patch management. DEFONEOS pre-configures all of this in the base image.

4. UK SC Clearance

Security Check (SC) is the minimum for personnel with "long-term, frequent, and uncontrolled" access to TOP SECRET material. The application takes 4-6 weeks.

# Application process:
1. Sponsoring organisation (CSOAI Ltd) registers with UKSV
2. Sponsoring authority (MOD) issues sponsor letter
3. Candidate completes SC1 form (45 pages, online)
4. UKSV runs: criminal records, credit history, 5-year employment, references
5. Decision: SC Cleared, SC with caveats, or Refused

# DEFONEOS team minimum (3 people):
- 1Γ— Technical Director (SC cleared)
- 1Γ— Engineering Lead (SC cleared, may be in progress)
- 1Γ— Operations Manager (SC cleared)

# Cost:
- Application: Β£0 (paid by sponsoring org)
- Time: 6-12 weeks per person
- 3 people Γ— 8 weeks = need to start Day 1 of the deployment project

5. UK Cloud Account (5-Region UK Sovereign)

You need a UK-sovereign cloud account BEFORE you can deploy. DEFONEOS supports all 5 major UK sovereign cloud providers. See Regions tab for full comparison.

5 Mandatory Compliance Gates

You cannot deploy to prod without clearing all 5 gates. The first 3 are legal/entity gates; the last 2 are technical/operational gates.

G1
Defence Sourcing Portal (DSP) RegistrationRegister CSOAI Ltd as MOD supplier. Free, 30 minutes, online. Required for any MOD opportunity.
MOD / Crown Commercial
30 min
G2
Cyber Essentials PlusIASME-accredited technical audit. Β£600-1,500. Mandatory for OFFICIAL data.
IASME / NCSC
4-6 weeks
G3
UK SC Clearance (3 personnel)Security Check clearance for ops team. Sponsorship by MOD required.
UKSV / MOD
6-12 weeks
G4
JSP 936 AI Assurance5-stage AI assurance pipeline (Define β†’ Assess β†’ Mitigate β†’ Assure β†’ Deploy). DEFONEOS auto-generates the JHA-A register.
DSTG / MOD
2-4 weeks
G5
33-Agent BFT Council ApprovalSober multi-agent governance: 33 sovereign agents vote (quorum 23/33) to approve the deployment to live operations.
CSOAI BFT
1-2 days

Gate Pass Conditions

GatePass CriteriaEvidenceAudit Trail
G1Active DSP supplier record, SIC codes matchPDF registration confirmationCompanies House + DSP
G2CE+ certificate valid, scope covers DEFONEOS servicesPDF CE+ certificateIASME register
G33Γ— UK SC cleared staff, security roles assignedUKSV clearance lettersUKSV register (private)
G4JSP 936 JHA-A register complete, AI Risk Tier assignedJSP 936 register, Risk Tier letterDEFONEOS-JSP936 module
G523/33 BFT agents vote FOR deploymentSIGIL-signed BFT tallySOV3 SIGIL chain

Auto-Generation of Compliance Evidence

# G4: Generate JSP 936 JHA-A register from DEFONEOS config
$ defoneos-mcp jsp936 generate \\
    --system "DEFONEOS Counter-UAS ISR" \\
    --risk-tier HIGH \\
    --use-case "Counter-drone detection at RAF Lossiemouth" \\
    --output ./compliance/jsp936-jhaa-counter-uas.pdf

# Output: 47-page JHA-A register including:
# - System description
# - AI risk tier justification
# - Data flow analysis (5 DPIA controls)
# - Human oversight measures
# - Bias audit (5 demographic groups, <2% disparate impact)
# - Robustness testing (1000+ adversarial inputs)
# - Red-team assessment
# - Operator training plan
# - Incident response runbook
# - Decommissioning plan

# G5: Submit to 33-agent BFT council
$ defoneos-mcp bft submit \\
    --proposal "Deploy DEFONEOS Counter-UAS v1.0 to UK-W2 production" \\
    --evidence ./compliance/jsp936-jhaa-counter-uas.pdf \\
    --quorum-required 23

# Output: 33-agent BFT vote tallied on SIGIL chain
# Quorum 23/33 reached in 36 hours
# Vote: 28 FOR, 3 AGAINST, 2 ABSTAIN
# Decision: APPROVED

5 UK Sovereign Cloud Regions

DEFONEOS deploys to UK-sovereign clouds only. The 5 regions are NOT interchangeable: each has different accreditation, different pricing, and different fit-for-purpose. Choose based on your deployment's data sensitivity and budget.

Region 1: UKCloud (Sovereign) β€” Slough + Corsham

Best for: MOD TOP SECRET, OFFICIAL-SENSITIVE, full data sovereignty required

Ownership
UK (HMG-overseen)
Accreditation
MOD Tier 2 + Pan-Govt
Data residency
UK only (no export)
Pricing
£££ (premium)
Compute
VMware + bare metal
GPU available
A100 (limited)

Region 2: AWS London (eu-west-2) β€” UK Sovereign

Best for: Production workloads, OFFICIAL, scale-out, GPU-heavy

Ownership
US (UK region)
Accreditation
G-Cloud 13, ISO 27001
Data residency
UK by default
Pricing
££ (commodity)
Compute
EC2 + ECS + Lambda
GPU available
H100, A100, L4, T4

Region 3: Azure UK (UK South + UK West) β€” UK Sovereign

Best for: Microsoft shops, OFFICIAL, AAD-integrated, hybrid

Ownership
US (UK region)
Accreditation
G-Cloud 13, ISO 27001
Data residency
UK by default
Pricing
££ (commodity)
Compute
VMs + AKS + Functions
GPU available
NC A100 v4-series

Region 4: Google Cloud UK (europe-west2 London) β€” UK Sovereign

Best for: AI/ML workloads, BigQuery, OFFICIAL

Ownership
US (UK region)
Accreditation
G-Cloud 13, ISO 27001
Data residency
UK by default
Pricing
Β£ (commodity, AI-tied)
Compute
GKE + Cloud Run
GPU available
H100, A100, L4, T4

Region 5: UKFast / M247 β€” Manchester + London

Best for: STRIX edge compute, small footprint, GOV.UK PaaS

Ownership
UK (wholly)
Accreditation
ISO 27001, Cyber Essentials+
Data residency
UK only (guaranteed)
Pricing
Β£ (cheap)
Compute
VMware + bare metal
GPU available
L4 (limited)

Recommended Configuration by Use Case

Use CasePrimaryBackupEdge
MOD defence AI (TOP SECRET)UKCloud SovereignUKCloud CorshamUKFast STRIX
MOD defence AI (OFFICIAL-SENSITIVE)AWS LondonAzure UK SouthUKFast STRIX
Emergency servicesAWS LondonGoogle UKUKFast STRIX
NHS / healthAzure UKAWS LondonUKFast STRIX
Local governmentUKFastGoogle UKUKFast STRIX
Commercial UKAWS LondonGoogle UKUKFast STRIX

Reference Architecture β€” DEFONEOS UK Sovereign

The standard DEFONEOS UK deployment. All components are UK-hosted, UK-operated, and SIGIL-audited. Zero foreign data egress.

β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚                     UK SOVEREIGN BOUNDARY                          β”‚
β”‚                                                                    β”‚
β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”            β”‚
β”‚  β”‚ STRIX Edge   β”‚  β”‚ STRIX Edge   β”‚  β”‚ STRIX Edge   β”‚  (UKFast)  β”‚
β”‚  β”‚ (Counter-UAS)β”‚  β”‚ (Convoy)     β”‚  β”‚ (SAR)        β”‚            β”‚
β”‚  β”‚ Jetson Orin  β”‚  β”‚ Jetson Orin  β”‚  β”‚ Jetson Orin  β”‚            β”‚
β”‚  β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”˜  β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”˜  β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”˜            β”‚
β”‚         β”‚                  β”‚                  β”‚                    β”‚
β”‚         β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜                    β”‚
β”‚                            β–Ό                                       β”‚
β”‚                   β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”                             β”‚
β”‚                   β”‚  FreeTAKServer   β”‚   (UKCloud Corsham)         β”‚
β”‚                   β”‚  C2 + CoT emit   β”‚                             β”‚
β”‚                   β””β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜                             β”‚
β”‚                            β”‚ mTLS                                  β”‚
β”‚                            β–Ό                                       β”‚
β”‚         β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”                  β”‚
β”‚         β”‚     DEFONEOS MCP Federation          β”‚   (AWS London)   β”‚
β”‚         β”‚  β”Œβ”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β” β”‚                  β”‚
β”‚         β”‚  β”‚ ISR  β”‚ β”‚ Swarmβ”‚ β”‚ C2   β”‚ β”‚ Auditβ”‚ β”‚                  β”‚
β”‚         β”‚  β”‚ MCP  β”‚ β”‚ MCP  β”‚ β”‚ MCP  β”‚ β”‚ MCP  β”‚ β”‚                  β”‚
β”‚         β”‚  β””β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”˜ β”‚                  β”‚
β”‚         β”‚  β”Œβ”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β” β”‚                  β”‚
β”‚         β”‚  β”‚ YOLO β”‚ β”‚ Mava β”‚ β”‚ TAK  β”‚ β”‚ Map  β”‚ β”‚                  β”‚
β”‚         β”‚  β”‚ MCP  β”‚ β”‚ MCP  β”‚ β”‚ MCP  β”‚ β”‚ MCP  β”‚ β”‚                  β”‚
β”‚         β”‚  β””β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”˜ β”‚                  β”‚
β”‚         β”‚  β”Œβ”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β” β”‚                  β”‚
β”‚         β”‚  β”‚ 30 MCPs in total ...              β”‚ β”‚                  β”‚
β”‚         β”‚  β””β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”˜ β”‚                  β”‚
β”‚         β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜                  β”‚
β”‚                    β”‚                                              β”‚
β”‚         β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”                                   β”‚
β”‚         β–Ό                     β–Ό                                   β”‚
β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”      β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”                            β”‚
β”‚  β”‚  PostgreSQL  β”‚      β”‚  SIGIL Chain β”‚   (UKCloud Slough)        β”‚
β”‚  β”‚  (audit data)β”‚      β”‚  (immutable) β”‚                            β”‚
β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜      β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜                            β”‚
β”‚                                                                    β”‚
β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”                          β”‚
β”‚  β”‚  Cesium Globe (3D COP)               β”‚   (Azure UK South)      β”‚
β”‚  β”‚  https://cop.defoneos.uk/            β”‚                          β”‚
β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜                          β”‚
β”‚                                                                    β”‚
β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”                          β”‚
β”‚  β”‚  BFT Council  (33 agents)            β”‚   (Google UK)            β”‚
β”‚  β”‚  quorum 23/33                         β”‚                          β”‚
β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜                          β”‚
β”‚                                                                    β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

Component Hosting Map

ComponentRegionAccreditationReplicas
STRIX Edge (field)UKFast ManchesterCyber Essentials+3-N (operational)
FreeTAKServerUKCloud CorshamMOD Tier 22 (HA)
DEFONEOS MCP FleetAWS LondonISO 27001, G-Cloud 133-AZ
PostgreSQL (audit)UKCloud SloughMOD Tier 22 (sync)
SIGIL ChainUKCloud SloughMOD Tier 23 (consortium)
Cesium 3D COPAzure UK SouthISO 27001, G-Cloud 132
BFT CouncilGoogle UKISO 27001, G-Cloud 135-node

Day-2 Operations β€” UK Sovereign Runbook

Once deployed, the runbook covers incident response, security patching, audit, and decommissioning.

3.1 On-Call Rotation (24/7)

3.2 Severity Tiers (UK Gov Standard)

SevDefinitionResponse TimeResolution TargetComms
1Total service outage / data breach / red-line violation≀15 min≀4 hoursMOD + ICO + NCSC within 72h
2Major degradation (>50% capability lost)≀30 min≀8 hoursCustomer SLA breach report
3Minor degradation (≀50% capability lost)≀2 hours≀24 hoursStandard ticket
4Cosmetic / documentation / RFE≀1 business day≀2 weeksStandard ticket

3.3 Security Patching SLA

SeverityPatch withinVerification
Critical CVE (CVSS β‰₯9.0)24 hoursRe-run E2E test suite + SIGIL audit
High CVE (CVSS 7.0-8.9)7 daysRe-run E2E test suite
Medium CVE (CVSS 4.0-6.9)30 daysRegression test
Low CVE (CVSS <4.0)90 daysStandard regression

3.4 Audit Cycle

3.5 Red Lines (Never Crossed)

RED LINE 1: NO data egress outside UK sovereign boundary
  - SIGIL chain alerts within 60 seconds of any attempt
  - Automatic kill switch on egress attempt
  - Page CISO + CTO

RED LINE 2: NO kinetic-targeting decisions without human-in-loop
  - Counter-UAS intercept requires operator approval
  - SIGIL chain records every approval
  - BFT council can override in <50ms

RED LINE 3: NO model deployment without BFT 23/33 vote
  - Every model version SIGIL-emitted
  - Quorum gate enforced at MCP layer
  - Rollback available within 60s

RED LINE 4: NO SIGIL chain mutation
  - Hash chain immutability verified daily
  - Any tampering triggers sev-1
  - NCSC notified within 1 hour

RED LINE 5: NO personal surveillance
  - Defoneos detects threats, not people
  - Person-detection is operator-approval only
  - ICAO / DPIA controls applied

3.6 Decommissioning

When the deployment is retired (end of contract, technology refresh, etc.), the following must happen within 30 days:

90-Day Deployment Timeline

From a fresh UK Ltd to a fully sovereign production deployment. The first 30 days are entity + compliance; days 31-60 are technical build; days 61-90 are pilot + scale.

DAY 0 (Already complete)
UK Ltd Company (CSOAI 16939677) registered Companies House, ICO registration, HMRC UTR
DAY 1 (Today β€” 4 Jul 2026)
DEFONEOS Sprint Day 1 β€” Foundation phase begins All compliance work starts in parallel with technical build
DAYS 1-7 (4-11 Jul)
DSP + Cyber Essentials + SC applications 3 parallel workstreams: 30-min DSP, 4-week CE+, 6-week SC. All required to bid.
DAYS 7-30 (11 Jul - 3 Aug)
Build 30 MCPs + 50 pages + 15 P0 repos DEFONEOS Sprint β€” sensor blitz, core demo, digital twin. 30 MCPs, 50+ live pages.
DAYS 30-60 (3-30 Aug)
Pilot deployment to UKCloud Slough (single region) First real customer (Yorkshire flood response unit). 4-week pilot, KPI-driven exit criteria.
DAYS 60-90 (30 Aug - 1 Oct)
Scale to 5-region UK sovereign architecture Multi-region HA, ISO 42001 audit, SOC 2 Type II, 33-agent BFT full approval.
DAY 90 (1 Oct 2026)
PRODUCTION READY β€” first MOD pilot Full sovereign stack. CE+ certified. SC cleared. JSP 936 compliant. BFT approved. Ready to win contracts.

Critical Path

Three parallel workstreams must all complete:

Resource Requirements

RoleFTESC RequiredCost (annual)
CTO / Technical Director1.0YesΒ£180,000
Senior Engineer (MCP / Cloud)1.0YesΒ£110,000
Senior Engineer (ML / ISR)1.0YesΒ£110,000
Operations / On-Call1.0YesΒ£75,000
Compliance Officer (DPA, JSP 936)0.5No (BPSS minimum)Β£55,000
Commercial / Bid Manager0.5NoΒ£55,000
Total5.0 FTE4Γ— SCΒ£585,000/yr