Technology Cybersecurity Cloud Security & Compliance

Zero Trust Security

High scrutiny and high blast radius; proof and governance matter.

Zscaler Okta Palo Alto Networks Cloudflare
Inside this journey
  1. Pre-Discovery

    Align the room on outcomes, decision process, and constraints before deeper discovery.

    1. Stakeholder Alignment

      Confirm decision roles (CISO, VP Security, IT ops), timeline, and measurable pilot success signals (connection reliability, access latency, helpdesk ticket delta).

      Alignment Questions

      Start Here: The Trigger That Changed Things

      • What single event or concern made you decide to explore replacing or augmenting your VPN today? Options: A major outage that impacted productivity, Penetration test showing lateral movement, Cyber insurance requirement, Planned cloud/remote migration, Executive directive, Other (please describe)
      • Who in your organization is sponsoring this effort at the executive level, and who will be the day-to-day project lead?
      • Which team currently owns the VPN and remote access operations today? Options: Network engineering, IT operations, Security team, Hybrid/shared, Third-party managed service, Other
      • Roughly how many users and which user cohorts are you thinking about for the initial pilot? Options: 100–199, 200–500, 500–1,000, 1,000–5,000, Other / unsure
      • Which three applications or classes of applications are highest priority to include in the pilot (name or describe them)?

      Who's Really Steering the Ship?

      • If we replaced the VPN tomorrow, who holds final authority to say 'go' or 'stop' for the pilot? Options: CISO, VP Security/Infrastructure, Head of IT Ops, CIO/CTO, Procurement with exec sign-off, Other
      • Which individuals or roles must be at the evaluation table for a vendor to be seriously considered? Options: CISO/Security leadership, Network architect, IT operations lead, Application owners, Helpdesk lead, Compliance/Legal, Procurement
      • Who will be the day-to-day administrator for the zero trust platform during the pilot, and do they have capacity for this project? Options: Existing VPN admin, Security engineer, Network operator, Dedicated pilot admin (new), Managed service provider, Unsure
      • Has there been internal resistance historically when platform or network architecture changes were proposed? Tell us about one memorable pushback and why it mattered.
      • Are there non-negotiable stakeholders who must approve network-level visibility, logging, or policy changes before we proceed? Options: Security leadership, Network operations, Compliance, Application owners, Legal, None

      If This Breaks, Who Will Notice—and How Bad Will It Hurt?

      • When you imagine the worst-case during a migration, who in the business feels the impact first and most painfully? Options: Remote engineering teams, Customer-facing teams, Sales/Revenue operations, Executive leadership, Helpdesk and IT ops, Other
      • Tell us about the outage, red-team finding, or audit that made this project urgent—what actually happened and what was the fallout?
      • Which internal applications or services would be most damaging if they became inaccessible during a pilot cutover?
      • How many helpdesk tickets per day/week are typical for remote access issues today (baseline)? Options: 0–5/day, 6–20/day, 21–100/day, 100+/day, Track by week instead, Unsure/no baseline
      • Are there known undocumented dependencies or 'shadow apps' that typically appear during migrations? If so, how do you currently discover them? Options: Yes—application inventory/CMDB, Yes—helpdesk tickets reveal them, Yes—but ad hoc discovery, No formal process, Unsure

      What Would Actually Convince the Skeptics?

      • What one measurable outcome would make this project an undeniable win for the CISO and for IT operations respectively?
      • Which of the following metrics will you use to compare vendors during the pilot? Options: Connection reliability/uptime, Access request latency, Helpdesk ticket delta (volume/change), Thick-client/RDP session compatibility, Policy granularity and admin UX, Resource/CPU/network footprint, Other
      • For the top three metrics you selected, what are your current baselines and what improvement would be considered acceptable?
      • If two vendors meet most metrics but one handles thick-client apps and RDP flawlessly while the other does not, how would that weigh in your decision? Options: Deciding factor, Strong tiebreaker, Nice to have but not decisive, Unsure
      • Who gets the final say if security and IT operations disagree on which vendor to advance? Options: CISO, IT Ops lead, Executive sponsor/CIO, Joint decision with escalation path, Procurement/Legal tie-breaker

      Can We Finish This Pilot on Your Timeline—or Will Hidden Gates Stop Us?

      • If you had to pick a pilot length today, what would you propose? Options: 30 days, 60 days, 90 days, 120 days, Other/depends
      • What hard dates, blackout windows, or business cycles must we avoid when scheduling a pilot?
      • Are there procurement or legal timelines (RFP, SOW reviews, security questionnaires) that typically add weeks to this kind of project? Options: Yes—standard procurement process, Yes—security review required, Yes—vendor legal negotiation heavy, No—fast-track possible, Unsure
      • What are your non-negotiable gating criteria for pausing or rolling back a pilot (examples: >X% user impact, critical app down, spike in tickets)?
      • What internal approvals are required to start the pilot (list roles and expected sign-off timeframes)?

      What Would Make Your Operations Team Sleep Better?

      • If your ops team could remove one fear about replacing the VPN, what would it be?
      • Which operational capabilities are mandatory in the admin console for you to accept the new platform? Options: Fine-grained policy controls, Role-based admin access, Comprehensive audit logs, Real-time connection debugging, Connector placement control, Integration with SIEM/ITSM
      • How important is having a vendor engineer onsite or available in real time during initial cutover/testing? Options: Critical—must be onsite, Very helpful (remote OK), Nice to have, Not needed
      • Who will be responsible for connector placement, patching, and day-to-day maintenance during the pilot? Options: Network team, Security team, App owners, Vendor-managed, Managed service provider, Undecided
      • What device posture checks or endpoint controls must be enforced before granting access (select all that apply)? Options: Disk encryption, OS patch level, MFA presence, Antivirus/EDR running, Company-managed device only, Custom posture checks

      Will We Be Able to See the Same Truth—Telemetry & Evaluation

      • Are you willing to share pilot telemetry (connection logs, latency, helpdesk tickets) with vendors for side-by-side evaluation? Options: Yes—full telemetry, Yes—anonymized/aggregated, Limited to specific data types, No—privacy/security constraints, Undecided
      • Which telemetry types are you comfortable sharing for evaluation? Options: Connection success/failure logs, Access latency/time-to-connect, Application-level performance, Helpdesk ticket metadata, Endpoint posture logs, Network flow/packet-level logs
      • Do you have data retention or privacy policies that limit how long or where pilot telemetry can be stored? Options: Yes—strict limits, Yes—moderate limits, No limits, Unsure
      • How often would you like vendor evaluation meetings during the pilot to review telemetry and decide next steps? Options: Weekly, Bi-weekly, Monthly, Milestone-driven only, Other
      • Who on your team will be accountable for collecting and normalizing telemetry across vendors? Options: Security ops, Network ops, Platform/DevOps, Dedicated project analyst, Vendor-assisted, Undecided

      Decision Mechanics: From Pilot Results to Contract

      • What criteria will move this project from pilot to full deployment—who signs off and which documents do we need?
      • Who holds the budget for this initiative and what internal approval thresholds should we be aware of? Options: CISO/security budget, IT operations budget, Central IT budget, Business unit budget, Capital expenditure required, Unsure
      • Which contractual or commercial terms are likely to be decisive (e.g., trial credits, liability limits, SLAs, support SLAs)? Options: Trial/PO terms, Support/response SLAs, Liability/cap limits, Data handling clauses, Integration/engineering hours, Other
      • What would be an acceptable path to full production—big-bang cutover, phased rollout by app, or phased by user cohort? Options: Phased by user cohort, Phased by application, Big-bang with rollback plan, Hybrid phased approach, Undecided
      • What is the single next step you want from us after this discovery conversation? Options: Design pilot scope & SOW, Technical deep-dive with ops, Procurement/contract template, Proof-of-concept scheduling, Other
    2. Current Access & Risk Mapping

      Document VPN topology, blast-radius scenarios, application inventory, and undocumented dependencies that must be discovered before migration.

      Current State

      Starting Point: What's On Your Plate Today

      • Quick snapshot—how many remote users rely on your VPN today? Options: <100, 100–499, 500–2,499, 2,500–9,999, 10,000+
      • Which VPN or remote-access technologies are currently in production? Options: IPsec concentrator, SSL VPN, Firewall VPN appliance (vendor), Cloud gateway, ZTNA overlay, Other / multiple
      • Who owns day-to-day operations and policy changes for that VPN (team/title)?
      • When was the last meaningful outage or performance incident tied to the VPN, and what was the immediate business impact?
      • Do you maintain a living inventory of apps behind the VPN today (percentage complete)? Options: <25%, 25–49%, 50–74%, 75–99%, 100%

      If One Compromised Session Could Tell a Story, What Would It Say?

      • Imagine an attacker gained one VPN credential—how easily could they move laterally across your environment? Options: Full lateral movement likely, Limited by subnet segmentation, Mostly prevented by controls, Not sure / unknown
      • Have red team or penetration tests flagged lateral movement originating from the VPN in the last 24 months? Describe the most concerning finding.
      • What mechanisms currently prevent a VPN session from accessing unrelated business-critical systems? Options: Network ACLs, VPN split tunneling rules, Application layer proxies, Identity-based filters, None / unclear
      • How do you quantify the blast radius today—what data or scenarios do you use? Options: Subnet maps, App dependency charts, Incident postmortems, Estimated user groups, We don't quantify it
      • How would a high-impact lateral movement event affect revenue, compliance, or customer trust in your view?

      Where Are The Invisible Dependencies Hiding?

      • How confident are you that your current app inventory captures every service the VPN exposes (including scripts, scheduled jobs, and CI systems)? Options: Very confident, Somewhat confident, Not confident, We don't have an inventory
      • List the categories of legacy or undocumented apps that you suspect are still reachable only via VPN (e.g., internal build servers, printer services, license servers).
      • Which discovery methods have you used to uncover hidden dependencies? Options: Network flow capture (NetFlow/IPFIX), Endpoint agent telemetry, Service account audits, Helpdesk logs, Manual interviews, We haven't systematically discovered dependencies
      • How long does it typically take your team to validate whether an application can function without VPN access? Options: <1 week, 1–2 weeks, 3–4 weeks, >1 month
      • Can you share one example of an undocumented dependency that caused a disruptively unexpected outage or rollback?

      How Much Latency Is Too Much? (And Who Notices First)

      • When users complain about remote access performance, which symptoms appear first—slowness logging in, app timeouts, RDP lag, or something else? Options: Slow authentication/login, Application timeouts, RDP/GUI lag, Large file transfer slowness, Intermittent disconnects, Other
      • What are your current SLA or target goals for connection latency and session reliability for remote engineers? Options: <50 ms, <100 ms, <200 ms, No explicit SLA
      • Which tools or telemetry sources do you use to measure access latency and connection reliability? Options: Active synthetic tests, Endpoint agents, VPN concentrator logs, User helpdesk tickets, Third-party monitoring, None
      • How many helpdesk tickets per 1,000 remote users per month relate to connectivity or application access problems? Options: <5, 5–20, 21–50, 51–200, Unknown
      • Tell us about one performance problem that had measurable business cost (time, lost revenue, missed deadlines).

      Do Your Admins Feel Empowered or Handcuffed?

      • If you asked your network team whether current firewall/VPN policy granularity matches business intent, what would they say? Options: Yes—policies map well, Partially—gaps exist, No—policies are blunt and risky, They haven't been asked
      • How many distinct firewall/VPN rulesets or security groups do you maintain for remote access (approximate count)? Options: <100, 100–499, 500–1,999, 2,000+
      • Which policy controls are non-negotiable for replacement (for example: per-app allowlists, time-of-day restrictions, group-level exceptions)? Options: Per-application allowlist, Role-based access, Time-of-day/geo restrictions, Source-IP restrictions, Device posture checks, Other
      • How do you currently audit and prove that access policies are correctly limiting risk for compliance or cyber insurance reviews? Options: Automated reports, Manual audits, Incident logs, We struggle to produce evidence
      • Describe a recent policy change that was difficult to implement and why it was painful operationally.

      If You Could Shrink The Blast Radius Overnight, What Would Change?

      • What three measurable outcomes would convince you a new access model reduced blast radius and improved security?
      • Which user population would be the best candidate for an initial pilot to prove reduced blast radius and why? Options: Remote engineering, DevOps, Sales/Field, Contractors, IT operations, Other
      • What minimum duration and sample size do you require to trust pilot telemetry (days and user count)? Options: 30 days, 60 days, 90 days, Other
      • Which metrics will you weight most in a vendor comparison—connection reliability, access latency, helpdesk ticket delta, thick-client compatibility, policy granularity, or something else? Options: Connection reliability, Access latency, Helpdesk ticket delta, Thick-client/RDP compatibility, Policy granularity, Other
      • In an ideal shift, what operational or financial benefit would make leadership say 'we made the right call'?

      Testing the Tough Stuff: Thick-Client and RDP Reality Check

      • Which business-critical applications rely on thick-client binaries, native sockets, or RDP that browsers can't proxy?
      • How often do remote users rely on RDP or VDI for core workstreams versus browser-based tools? Options: Mostly RDP/VDI, Mixed (both equally), Mostly browser-based, Unknown
      • Are there file share protocols, license managers, or native databases that require IP-level access today? Please list them and their owners.
      • What is the tolerance for any functional regression on these apps during a pilot (zero tolerance, minor acceptable, acceptable with rollback plan)? Options: Zero tolerance, Minor acceptable with monitoring, Acceptable with rollback plan, Unsure
      • Who on your team will own compatibility testing and who signs off on application acceptance?

      Telemetry, Rollback & Signals: What Will Convince You?

      • What single telemetry signal would make your SRE or SOC say 'this new access model is safer than VPN'? Options: No lateral movement events, Reduced mean time to detect, Fewer high-severity incidents, Access logs correlated to identity only, Other
      • Which telemetry sources can you share during a pilot (VPN logs, endpoint telemetry, helpdesk tickets, SIEM events)? Options: VPN concentrator logs, Endpoint agent logs, Helpdesk ticketing, SIEM/IDS alerts, Application logs, We cannot share
      • What would trigger an immediate rollback during a pilot (criteria and threshold)?
      • How frequently do you want joint evaluation checkpoints (daily, weekly, bi-weekly) and who must attend? Options: Daily, Weekly, Bi-weekly, Monthly
      • Are there legal, compliance, or vendor rules that limit telemetry sharing or external logging during an evaluation? Options: Yes—strict limits, Limited but manageable, No significant restrictions, Unknown

      Hidden Costs & Operational Overhang

      • Estimate the recurring operational hours your team spends per month on VPN rule changes, break-fix, and tuning. Options: <10 hours, 10–40 hours, 41–160 hours, >160 hours, Unknown
      • How often do firewall rule changes require coordination across 3+ teams (routing, security, app owners, helpdesk)? Options: Always, Often, Sometimes, Rarely
      • What hidden costs or risks do you associate with continuing to operate the VPN long-term (licensing, single point of failure, audit exposure)?
      • How many FTEs on your helpdesk are primarily dedicated to remote access troubleshooting? Options: 0, 1–2, 3–5, 6–10, 10+
      • If you could reclaim a percentage of that time, what would you reallocate those resources to? Options: Proactive security projects, Cloud migration, Developer support, Other

      Next Steps & Decision Hygiene

      • Who are the decision-makers and formal approvers for a pilot (title/role)—who has veto power?
      • What procurement or legal constraints should we anticipate for a 60–90 day parallel pilot? Options: Standard MSA only, Data processing addendum needed, Strict vendor security questionnaire, Insurance clauses, Other
      • What is your target timeline to start a discovery-led pilot if the scope and protections are acceptable? Options: Immediately, Within 30 days, 30–60 days, 60–120 days, Longer
      • Who will be the primary operational owner for the pilot (name/title) and who will be the technical day-to-day contact?
      • What would be a small but meaningful next-step you’d like from us to make moving forward easier? Options: Network map review, App inventory assistance, Proof-of-concept blueprint, Pilot measurement plan, Other
  2. Solution Experience

    Run a side-by-side scenario using the customer context to show how the agent reduces blast radius, improves connection times, and supports thick-client/RDP sessions.

    Experience Meetings

    • Solution Experience Kickoff — Confirm Context & Success Metrics
    • Test Plan & Scenario Design — Map Customer Context to Side-by-Side Scenarios
    • Environment Prep & Baseline Measurement
    • Side-by-Side Execution Session (Live Run)
    • Post-Run Analysis & Decision Workshop
    • Capture all telemetry and evidence necessary for decisions and vendor comparison.
    • Acquire a reliable baseline dataset under the customer's current VPN for direct comparison.
    • Ensure the side-by-side agent environment mirrors production context and is validated.
    • Establish a clear go/no-go decision and rollback plan to minimize customer risk.
    • Customer to run the agreed baseline scripts and upload logs to the shared location.
    • Seller to verify agent telemetry is streaming to dashboards and correlated with baseline identifiers.
    • Both parties to sign-off on the go/no-go checklist before the live execution window.
    • Re-state Objectives & Roles
    • Demonstrate measurable reduction in lateral exposure for the agreed blast-radius scenario.
    • Show statistically significant improvement (or parity) in connection times and access latency.
    • Prove that thick-client and RDP workflows function without breaking under the agent.
    • Introductions & Roles
    • Seller to collect and share side-by-side logs, packet captures, and dashboard exports for each scenario.
    • Customer to validate and sign off each scenario as 'meets criteria' or 'requires remediation'.
    • If issues found, both parties to agree on immediate mitigations and schedule re-run windows.
    • Catalog any undocumented dependencies discovered during the run for remediation planning.
    • Executive Summary of Outcomes
    • Reach a mutual decision on whether the side-by-side proved the future state against the customer's consequences.
    • Produce a prioritized remediation and rollout plan for any outstanding compatibility gaps.
    • Agree on measurement and reporting cadence for the remainder of the pilot or next evaluation steps.
    • Seller to generate a concise side-by-side comparison report (metrics, artifacts, and recommended remediation) within 48 hours.
    • Customer to review and accept the report, marking each scenario as 'validated' or 'requires remediation'.
    • Both parties to agree owners and dates for remediation tasks and any follow-up test windows.
    • If validated, schedule the Validation Checklist meeting to prepare for wider pilot expansion.
    • Make the current state crystal clear in one sentence to eliminate ambiguity.
    • Surface and quantify the business/operational consequence of the current state.
    • Agree a one-sentence future-state outcome that the side-by-side must prove.
    • Lock success signals and the measurement plan so the run has objective pass/fail criteria.
    • Confirm pre-work, data access, and responsible owners to avoid delays.
    • Customer to provide canonical app inventory, network topology diagram, and list of undocumented dependencies.
    • Customer to grant telemetry/API access and create the agreed test accounts for the pilot cohort.
    • Seller to produce a one-page measurement plan mapping metrics to data sources and dashboards.
    • Assign a single pilot owner from the customer side who will validate results and coordinate triage.
    • Review App Inventory & Blast-Radius Threats
    • Produce a prioritized, executable scenario list that directly ties to the customer's consequences.
    • Define explicit measurement and pass/fail criteria per scenario.
    • Agree where and how the customer will validate each proof step to force confirmation.
    • Finalize the test scripts and schedule for the live execution.
    • Seller to deliver detailed test scripts for each scenario including commands, expected outputs, and telemetry points.
    • Customer to mark the apps and IP ranges that must be in-scope and highlight any sensitive systems requiring special handling.
    • Both parties to agree on the run window and expected duration for each scenario.
    • Seller to prepare dashboards and log collectors for real-time comparison against baseline VPN metrics.
    • Topology & Connector Placement Review
    • One-sentence Current State
    • Scenario A — Blast-Radius Containment Test
    • Baseline Metric Collection Plan
    • Select Representative Scenarios
    • Deep-dive Metrics Comparison
    • Impact Mapping to Consequences
    • Map Metrics to Each Scenario
    • Scenario B — Connection Time & Latency Comparison
    • Consequence Quantification
    • Deploy & Validate Agents/Connectors
    • Decide Next Steps & Acceptance
    • Define Future State (one sentence)
    • Define Stepwise Proof Actions
    • Baseline Test Execution
    • Scenario C — Thick-Client & RDP Functionality
    • Real-time Telemetry Review
    • Go/No-Go & Risk Mitigation
  3. Pilot Scope

    Define pilot boundaries: user cohort (200–500 engineers), target applications/connectors, measurement plan, and vendor comparison criteria.

    Scope Configuration

    • Install endpoint access agent on user devices
    • Integrate with SSO/Identity Provider
    • Deploy application connectors for internal apps
    • Provision per-application encrypted micro-tunnels
    • Configure per-application role-based access policies
    • Enable RDP and thick-client tunneling
    • Configure device posture enforcement
    • Set up split DNS and internal name resolution
    • Forward session and audit logs to SIEM
    • Deploy high-availability connector clusters
    • Enable clientless browser access for web apps
    • Activate session recording and live threat alerts

    Scope Questions

    Install endpoint access agent on user devices

    • Which endpoint operating systems must the agent support? Options: Windows, macOS, Linux, iOS, Android, ChromeOS
    • How many devices/users will need agent installation for the pilot? Options: Less than 50, 50-200, 200-500, 500-2,000, More than 2,000
    • How do you prefer agents to be installed? Options: Manual (IT push), Self-service user install, MDM/EDR push (Intune, Jamf, etc.), Vendor-managed deployment
    • Do you have an existing MDM/endpoint management solution to orchestrate installs? If yes, which one? Options: Yes - Microsoft Intune, Yes - Jamf, Yes - Workspace ONE / AirWatch, Yes - Other, No
    • Are there corporate policies or AV products that block unsigned drivers or kernel modules the agent might need? Options: Yes, No, Not sure — need to check
    • Do you require offline or air-gapped device support for the agent? Describe constraints if any.

    Integrate with SSO/Identity Provider

    • Which Identity Provider(s) do you use for authentication? Options: Okta, Azure AD, Ping, Workday, OneLogin, On-prem AD/ADFS, Other
    • Which federation/protocols are required for integration? Options: SAML, OIDC/OAuth2, LDAP, Kerberos, SCIM
    • Do you require automated user/group provisioning (SCIM) from your IdP? Options: Yes, No, Maybe — want to discuss
    • Are there multiple authentication domains or tenants that must be supported? Options: Single tenant/domain, Multiple domains, Multiple IdPs
    • Do you require MFA enforcement or specific conditional access policies for pilot users? Options: Yes — enforce MFA, Yes — conditional access based on device posture, No additional MFA requirements
    • Who are the IdP owners and technical contacts (name, team, email)?

    Deploy application connectors for internal apps

    • How many internal applications do you plan to include in the pilot? Options: 1-5, 6-15, 16-50, 50+
    • What types of applications will need connectors? Options: Web (HTTP/S), RDP/Terminal Server, Thick-clients (custom TCP/UDP), Databases (SQL), SSH, Mainframe/Green-screen
    • Where must connectors be deployed for each app (on-prem, cloud VPC, DMZ) — list per application if possible.
    • Are there network or firewall constraints (static IPs, NAT, port ranges) that affect connector placement? Options: Yes — static IPs/NAT, Yes — restricted ports, No significant constraints, Unknown — need assistance
    • Do any applications require protocol translation, header injection, or application-layer proxies? Options: Yes, No, Not sure — need discovery
    • Who are the application owners/SMEs we can coordinate with for connector testing?

    Provision per-application encrypted micro-tunnels

    • Which specific applications should have per-application micro-tunnels provisioned for the pilot?
    • What are your expected performance requirements per application (e.g., latency targets, throughput)? Options: Low latency (<50ms), Moderate (50-150ms), High tolerance (>150ms), Throughput-sensitive (file transfers/DB)
    • Do you require end-to-end encryption standards or ciphers (e.g., TLS1.3 only, FIPS)? Options: TLS1.3, TLS1.2, FIPS-compliant crypto, No special requirement
    • Should tunnels be persistent or on-demand per session? Options: Persistent (always-on), On-demand per app launch, Configurable per app
    • Are there regulatory or data residency constraints governing where tunnel endpoints may reside? Options: Yes — country/region restrictions, No, Not sure
    • Do you require split-tunnel behavior or full tunnel for selected apps? Options: Per-app split tunnel, Full tunnel for specific apps, No split tunnel (all traffic)

    Configure per-application role-based access policies

    • What user roles/groups should be mapped to application access for the pilot?
    • Should policies be based on identity only or include device posture, location, and time of day? Options: Identity only, Identity + device posture, Identity + location/time, All factors (identity + posture + location + time)
    • Do you need coarse-grained (app-level) or fine-grained (action/resource-level) policy controls? Options: App-level, Action/resource-level, Both
    • Will policy changes require a formal approval workflow or change window? Options: Yes — approvals required, No — admins can change in real time
    • Are there temporary/exceptions workflows (e.g., emergency access) that must be supported during pilot? Options: Yes, No
    • How should policy audit logs be retained and who needs access to them?

    Enable RDP and thick-client tunneling

    • Which RDP/back-end versions and ports are in use (e.g., RDP over TCP 3389, custom ports)?
    • List thick-client applications that must function through tunnels (name, protocol, typical ports).
    • Do clients require clipboard, file transfer, or drive-mapping across the tunnel? Options: Clipboard only, Clipboard + file transfer, Full drive mapping, No file transfer allowed
    • Do you require SSO into thick-clients/RDP sessions or separate credential prompts? Options: SSO required, Credential prompt acceptable
    • Are there performance baselines for RDP/thick-client sessions we should measure during the pilot? Options: Yes — provide baselines, No — we need help defining baselines
    • Are there specific security controls for RDP sessions (e.g., clipboard disable, screen lock) that must be enforced? Options: Yes, No, Discuss during design

    Configure device posture enforcement

    • Which device posture checks are required before granting access? Options: OS patch level, Disk encryption, Anti-malware running, Screen lock enabled, MFA presence, Device enrolled in MDM
    • Do you already have MDM/EDR telemetry available for posture evaluation? Options: Yes — integrated MDM/EDR, Partially — some telemetry, No
    • Should failed posture checks block access, quarantine, or present a remediation flow to the user? Options: Block access, Quarantine access to remediation portal, Allow limited access with warning
    • How frequently should posture be reevaluated during a session? Options: On every session start, Periodic (e.g., every 15 minutes), Only on IP/connection change
    • Do you require automated remediation or ticket creation when posture fails? Options: Yes — automated remediation steps, Yes — create helpdesk ticket, No
    • Are there special device classes (lab machines, shared terminals, CI/CD agents) that need different posture rules? Options: Yes — list them, No

    Set up split DNS and internal name resolution

    • Do you currently use split-horizon DNS or conditional forwarding for internal names? Options: Yes — split-horizon DNS, Yes — conditional forwarders, No
    • Which internal domains and DNS zones must be resolvable via the pilot connectors?
    • Will clients use system DNS, DNS proxy, or DoH/DoT for internal name resolution? Options: System DNS, Proxy via connector, DoH/DoT, Other
    • Are there internal name resolution dependencies (LDAP, AD Web Services, internal CA) that require DNS entries? Options: Yes — list dependencies, No, Unknown — need discovery
    • Are there requirements for caching TTLs or DNS failover during DNS server outages? Options: Yes, No, Not sure
    • Describe any DNSSEC or zone-signing requirements that must be preserved.

    Forward session and audit logs to SIEM

    • Which SIEM solution(s) will ingest session and audit logs for the pilot? Options: Splunk, Elastic, QRadar, Azure Sentinel, Datadog, Other
    • What log formats and transport methods are preferred (syslog, HTTPS JSON, agent-forward, API)? Options: Syslog (TCP/UDP), HTTPS JSON/API, Agent-based forwarder, Other
    • What retention and access-control requirements exist for session recordings and audit logs? Options: 90 days, 1 year, Multi-year, Custom — provide policy
    • Do logs require PII/masked fields or redaction before forwarding to SIEM? Options: Yes — redact PII, No, Some fields only — specify
    • Who manages SIEM ingestion and mapping (internal SOC team or vendor)? Provide contact. Options: Internal SOC, Vendor, Shared
    • Are there bandwidth or storage constraints for log forwarding we should plan for? Options: Yes — constraints exist, No significant constraints, Unknown

    Deploy high-availability connector clusters

    • Which regions or datacenters require connector presence for HA and low latency?
    • What are your availability SLAs or RTO/RPO targets for connector uptime? Options: 99.9%, 99.99%, Custom — specify
    • Estimated concurrent sessions and peak connections expected during pilot? Options: Less than 100, 100-500, 500-2,000, 2,000+
    • Do you require multi-AZ or active-active connector clusters versus active-passive? Options: Active-active, Active-passive, Single region only
    • Are there maintenance windows or change freeze periods that restrict connector upgrades? Options: Yes, No, Limited windows — specify
    • Will connectors be deployed on VMs, containers, or appliance hardware? List preferences. Options: Virtual machines (VMs), Containers/Kubernetes, Physical appliances, Cloud-managed
  4. Mutual Commit

    Agree pilot terms (60–90 days), responsibilities, rollback criteria, telemetry sharing, and evaluation cadence.

    Agreement Modules

    • Statement of Work (SOW)
    • Pilot Agreement & Terms
    • Roles & Responsibilities (RACI)
    • Rollback & Remediation Criteria
    • Telemetry & Data Sharing Agreement
    • Evaluation Cadence & Acceptance Criteria
    • Trial Licensing & Billing Terms
    • Security & Access Controls Addendum
    • Support & Escalation Plan
    • Change Control & Scope Management
    • Confidentiality & Data Protection (NDA/DPA)
    • Termination & Exit Plan
    • Acceptance Sign-off & Decision Authority
  5. Deployment

    Operationalize rollout with readiness checks, enablement, and outcome validation.

    1. Pre-Deployment Readiness

      Confirm app mappings, connector placements, device posture checks, test accounts, and owners are in place for a low-risk pilot run.

      Readiness Questions

      Quick Snapshot: Who’s In This Room?

      • Tell us who is sponsoring this initiative and who will be the day-to-day contact for the pilot (name, role, email)
      • What user population are you planning to pilot with? Options: 200–500 engineers, 100–199 users, 500–1000 users, Less than 100, Other
      • What is your target pilot duration? Options: 60 days, 90 days, 30 days, Other
      • Which measurable signals would you use to call the pilot a success? (pick up to three, then describe) Options: Connection reliability (uptime), Access latency (time-to-connect), Helpdesk ticket delta, Application compatibility (thick-client/RDP), Policy granularity / admin confidence, Other
      • Who from your team owns rollback decisions if the pilot interrupts business operations? (name & role)
      • What's the earliest date you’d be ready to begin a low-risk parallel pilot? Options: Within 2 weeks, 2–4 weeks, 1–2 months, Later than 2 months

      If Your VPN Failed Tomorrow, How Fast Would You Notice?

      • When was the last time a VPN outage materially impacted productivity or revenue at your company? Options: Within last month, Within 3 months, Within 12 months, More than a year ago, Never
      • Describe a specific incident (outage, red team finding, or audit) that prompted interest in replacing or segmenting VPN access
      • If a single compromised VPN session could roam freely inside your network right now, what systems or teams would you expect to be at greatest risk? Options: Core infrastructure (AD, domain controllers), Developer CI/CD systems, Production databases, Finance or HR systems, Other
      • How emotionally urgent is this project to leadership—are they demanding a fix immediately, open to a measured pilot, or skeptical? Options: Immediate fix required, Supportive of measured pilot, Skeptical / watching costs, Depends on vendor evidence
      • What would be the organizational consequences if a pilot caused a high-severity outage during business hours? Options: Emergency rollback and exec briefing, Limited user impact with controlled rollback, Acceptable risk if documented, Unacceptable—pilot must be non-disruptive

      Where Does Your Access Architecture Actually Live Today?

      • Who owns the VPN estate today (team or role)? Options: Network team, Security/InfoSec, IT ops, Cloud/network shared team, Other
      • Map your current VPN topology at a high level (centralized hub, regional concentrators, cloud-hosted, appliance at each DC, other) Options: Centralized hub/gateway, Regional concentrators, Cloud-hosted VPN service, Appliance per datacenter, Split-tunnel configuration, Other
      • Approximately how many unique applications or services does the VPN currently provide access to (give a number or range)? Options: Fewer than 50, 50–200, 200–500, 500–1,000, More than 1,000
      • Which access patterns are most common through your VPN today (select all that apply)? Options: Browser-based web apps, Thick-client apps (legacy), RDP / VDI sessions, Database client connections, SSH and CLI access, File shares (SMB/NFS), Other
      • Describe any custom routing, hairpinning, or security appliances that a migrated session would still need to touch (e.g., DLP, proxy chaining)

      What Could Be Hiding Behind ‘It Just Works’?

      • How confident are you that you have a complete inventory of dependencies that the VPN currently enables? Options: Very confident, Somewhat confident, Unsure / likely gaps, Not confident at all
      • What methods have you used to discover undocumented dependencies (network flows, packet captures, helpdesk logs, interviews, none)? Options: Netflow/IPFIX, Packet capture / logging, Helpdesk ticket analysis, App owner interviews, Agent telemetry, We haven’t looked
      • Share one example of an undocumented dependency you discovered in a past migration and the impact it had
      • How long does it usually take you to map an application’s full connectivity profile (ports, hosts, backends, firewall rules)? Options: Days, Weeks, Months, We don’t have a reliable process
      • What internal sources of truth (CMDB, asset inventory, network diagrams) do we have permission to access during discovery? Options: CMDB, Asset inventory, Network diagrams, None / restricted, Other

      How Do Your Users Really Connect—And How Fragile Is That?

      • Which client types do your users rely on most (choose all that apply)? Options: Native thick-clients (custom), Remote desktop / RDP / VDI, Browser-only SaaS, CLI/SSH clients, VPN client + split tunnel, Other
      • Which mission-critical thick-client apps must remain fully functional during the pilot? Please list by name and business owner
      • What percentage of pilot users rely daily on RDP or other remote desktop sessions? Options: 0–10%, 11–30%, 31–60%, 61–100%
      • Have you previously attempted browser-only ZTNA or gateway-based ZTNA for these apps? What broke and why?
      • How do you currently validate thick-client behavior (test accounts, synthetic monitoring, user feedback)? Options: Test accounts & scripts, Synthetic monitoring, Manual user testing, Helpdesk feedback only, Other

      Can This Pilot Be Run Without a Fire Drill?

      • Who will be the on-call operational owner during pilot execution (name & role)?
      • Which rollback criteria would trigger an immediate revert to VPN for affected users? Options: High-severity outage, Unacceptable latency increase, Spike in critical helpdesk tickets, Security incident, Other
      • Do you already have test accounts and service accounts set up for every critical application the pilot touches? Options: Yes — complete set, Partial coverage, No — we need help creating them
      • Which device posture checks are required before granting access (OS version, EDR present, disk encryption, patch level)? Options: OS version, Endpoint Detection (EDR), Disk encryption, Patch level, MFA presence, Other
      • What maintenance window or change freeze restrictions must we respect during the pilot? Options: No restrictions, M-F business hours only, After-hours only, Specific blackout dates (provide list)

      How Will You Rig the Scoreboard?

      • Which baseline metrics do you currently collect that we should use for side-by-side comparison? Options: Connection uptime, Average access latency, Helpdesk ticket count, Authentication failures, App-specific success rates, We don’t collect baselines
      • What SLO or SLA thresholds would you consider non-negotiable for pilot acceptance? Options: >99.9% uptime, >99% uptime, Latency within 10% of current, No increase in critical helpdesk tickets, Other
      • Who will own telemetry sharing and vendor comparison reporting during the pilot? Options: Network ops, Security team, Project manager, Third-party auditor, Other
      • Do you require raw telemetry (pcap/flow), aggregated dashboards, or both for evaluation? Options: Raw telemetry, Aggregated dashboards, Both, Prefer vendor summary only
      • How frequently should we review pilot progress with stakeholders? Options: Daily ops sync, Weekly review, Bi-weekly, Ad-hoc as issues arise

      Who Gets to Say Yes or No?

      • List the decision-makers who must sign off on pilot acceptance and on full deployment (names and roles)
      • What criteria beyond technical compatibility will influence the buy decision (cost, vendor roadmap fit, compliance, procurement terms)? Options: Cost/ROI, Vendor roadmap, Compliance requirements, Procurement/contract terms, Vendor references
      • How will you score or compare vendors—are there weighted criteria we should know about? Options: Technical compatibility weighted highest, Security posture weighted highest, Cost weighted highest, Balanced scoring, We don’t have a formal rubric yet
      • Who needs to be involved in live troubleshooting during pilot execution (network, security, app owners, helpdesk)? Options: Network, Security, App owners, Helpdesk, SRE/Platform team, Other
      • Are there legal or compliance constraints on telemetry sharing with vendors (e.g., PII, export controls)? Please explain

      Imagine the Pilot Went Flawlessly—What Happens Next?

      • If the pilot meets your success signals, what is your expected timeline to expand beyond the pilot group? Options: Immediate phased roll-out (3–6 months), 6–12 months, 12–18 months, Undecided
      • Which downstream projects depend on a successful pilot (cloud migration, firewall decommissioning, segmentation initiatives)?
      • What internal change management work will be required to replace VPN (runbooks, trainings, updated support flows)? Options: Runbooks & SOPs, Helpdesk training, User communications, Policy rework, All of the above
      • What are the top three risks you foresee after a successful pilot when scaling to the wider organization?
      • What support or guarantees from the vendor would most reduce your organizational friction when approving full deployment? Options: Rollback guarantees, White-glove migration support, Extended trial for additional cohorts, Financial protections, Other

      Final Checklist: Do We Have the Low-Risk Pilot Essentials?

      • Confirm which of the following are already in place for the pilot (select all that apply) Options: App mapping complete, Connector placement plan, Test accounts created, Device posture checks defined, Owners assigned for each app, Telemetry destinations approved
      • If any checklist item is missing, which is the single highest-priority gap to address before start? Options: App mapping, Connectors, Test accounts, Device posture, Ownership/ops runbook, Telemetry sharing
      • Provide the names and contact info for the app owners and the engineers who will validate thick-client and RDP behavior
      • Are there environmental constraints for connector placement (e.g., air-gapped segments, cloud-only apps, on-prem-only workloads)? Please describe
      • On a scale of 1–5, how ready is your organization operationally to run a parallel pilot alongside the existing VPN (1 = not ready, 5 = fully ready)? Options: 1, 2, 3, 4, 5
    2. Pilot Execution

      Run the parallel pilot (our agent alongside the VPN), collect telemetry across vendors, monitor helpdesk tickets, and log compatibility issues in real time.

    3. Validation Checklist

      Verify acceptance: connection reliability, access latency, thick-client and RDP behavior, and complete app coverage before wider cutover.

      Validation Questions

      How this began — the moment that pulled you into this work

      • Tell the story of the single event (outage, red team, audit, or executive ask) that started this evaluation—what happened and when?
      • Which of the following best describes the immediate trigger for this project? Options: VPN outage / major availability event, Red team / penetration test finding, Cyber insurance requirement, Executive security initiative, Operational pain (helpdesk surge), Other
      • Who sponsored or signed off on initiating the project, and who is the operational owner pushing it forward? Options: CISO, VP Security/Infra, Head of Network/Security Architecture, IT Operations Manager, Helpdesk Lead, Procurement, Other
      • What immediate business consequences did the trigger cause (revenue loss, compliance risk, customer impact, engineering downtime)? Be specific and attach any metrics you have.
      • How are you feeling about this initiative right now—energized, cautious, frustrated, pressured, or something else? Options: Energized, Cautious, Frustrated, Under pressure, Skeptical, Hopeful, Other

      If it happens again, what would actually break the company?

      • Describe the worst-case outcome you fear from another VPN compromise—what systems, customers, or operations would be affected?
      • How likely do you think that scenario is in the next 12 months given your current controls and telemetry? Options: Very unlikely, Very likely, Somewhat likely, Unlikely, Unsure
      • How long would it typically take you to detect and contain a lateral movement event originating from a remote session today? Options: Minutes, Hours, A day, Multiple days, We don't know
      • Share a concrete example (date, impact, root cause) where an access-related failure or test exposed material risk.
      • What emotional or reputational pressure does this create for you and your team when those incidents land in front of execs or auditors?

      Why rely on one chokepoint that can take everyone down?

      • How would you briefly describe your current VPN/access architecture (concentrators, cloud VPN, firewall hairpin, SASE, agent-based ZTNA, other)? Options: Centralized concentrators (on-prem), Cloud VPN / vendor gateway, Firewall + VPN modules, SASE / cloud-delivered, Agent-based microtunnel, Hybrid, Unsure / need to diagram
      • How many physical or logical VPN concentrators / gateways and geographic locations are in play for remote access?
      • What is your average concurrent session (remote users) count and peak observed during incidents?
      • Where do you see the most operational complexity today (firewall rule explosion, NAT/hairpinning, split tunneling issues, routing, monitoring blind spots)? Options: Firewall rule sprawl, Hairpinning / choke points, Split-tunnel complexity, Routing and DNS surprises, Monitoring blind spots, Client stability, Other
      • How confident are you that your admin console and policy model today give network teams the granularity they need to replace firewall rules? Options: Completely confident, Mostly confident, Somewhat confident, Not confident, We haven't assessed this

      The inventory you think you have vs. the one you'll discover

      • How confident are you that every application, port, and dependency behind the VPN is fully documented? Options: Very confident, Somewhat confident, Unsure, Not confident at all
      • Approximately how many unique applications or services are reachable via your VPN (include web apps, databases, green-screen, thick clients)? Options: Under 50, 50–200, 200–500, 500–1,000, Over 1,000, Don't know
      • Which legacy or high-friction protocols do you rely on that often cause surprises during migration? Options: RDP, SMB/CIFS, ICA/ICA for Citrix, Custom thick-client TCP ports, Database ports (Oracle, MSSQL), SSH, Other
      • How do you currently discover undocumented dependencies? Select all methods you use and identify which is most effective. Options: Network flow analysis (NetFlow), Firewall / gateway logs, Agent-based endpoint discovery, App owner interviews, ServiceNow / ticket history, Active scanning, Other
      • Tell us about a time you missed a dependency—what was the fallout and how long did the rollback or remediation take?

      Which apps will make or break a decision—nail the critical test cases

      • For the pilot cohort, which application types are absolute must-work (select all that must be validated)? Options: RDP and remote desktops, Proprietary thick-client apps, SaaS web apps, Internal web portals (HTTP/S), Database clients, File share protocols (SMB/NFS), VoIP / softphone, Other
      • Which single application or workflow would, if it failed during the pilot, force a rollback or block signoff?
      • What level of latency increase or connection variation is tolerable for your users before the experience is considered degraded? Options: No increase tolerated, Under 10% increase, 10–30% increase, 30–50% increase, We need measurable parity or improvement, Unsure
      • Have you run compatibility tests with vendor agents against these critical apps before? If so, what were the results? Options: Yes — passed, Yes — partial issues, Yes — failed, No tests yet, Other
      • How will you validate thick-client and RDP behavior during the pilot (automated tests, user volunteers, helpdesk tickets, synthetic monitoring)? Options: Automated synthetic tests, User volunteer feedback, Helpdesk ticket tracking, Endpoint session logs, Vendor side-by-side captures, Other

      If the pilot only proves one thing to leadership, what must it be?

      • Which of the following outcomes are you most intent on proving during a 60–90 day pilot? Options: Improved connection reliability, Lower access latency, Reduced blast radius, Parity of thick-client support, Fewer helpdesk tickets, Security telemetry parity, Admin policy parity
      • Please provide current baseline metrics we should aim to beat or match (e.g., VPN uptime %, average access latency ms, average helpdesk tickets/week).
      • What pilot cohort size do you consider meaningful for decision-making? Options: Under 100, 100–200, 200–500, 500–1,000, Over 1,000
      • Preferred pilot duration? Options: 30 days, 60 days, 90 days, Custom (specify)
      • What specific rollback criteria would you require to stop the pilot early (e.g., X% increased tickets, Y critical app failures, security incident)?

      Who will fight for this when things get uncomfortable?

      • List the stakeholders who must be involved for pilot approval, execution, and final decision (operations, security, app owners, procurement, legal, exec sponsors). Options: CISO, VP Security/Infrastructure, Network/Security Architect, IT Operations, Application Owners, Helpdesk, Procurement, Legal/Compliance, CIO/CTO
      • Who is the single decision maker for pilot acceptance and who will sign off on production rollouts? Options: CISO, VP Security, Network Ops Lead, CIO/CTO, Procurement Committee, Other
      • What are the most likely internal objections you'll hear from Network/IT Ops, and how have you handled similar resistance before? Options: Loss of firewall control, Fear of breaking apps, Operational complexity, Monitoring blind spots, Vendor lock-in concerns, Resource constraints, Other
      • Which team will own day-to-day pilot operations and who is the escalation contact? Options: IT Operations, Network Security, Cloud Engineering, SecOps, Vendor-managed, Other
      • How will you keep executive sponsors engaged if early wins are subtle or incremental?

      Are you ready to let the data be the tiebreaker?

      • What level of telemetry and log sharing are you comfortable providing to vendor teams during the pilot? Options: Full telemetry sharing, Anonymized/aggregated data only, Limited specific logs, No telemetry sharing
      • Which of these telemetry sources can you readily export for vendor analysis? Options: NetFlow / flow logs, Gateway/firewall logs, Endpoint agent logs, SIEM alerts, Helpdesk ticket exports, RDP/session logs, Application logs, Other
      • Who in your org owns privacy, legal, or compliance approval for sharing telemetry externally? Options: Security/InfoSec, Legal, Privacy Officer, Compliance/Audit, IT Ops, No formal owner yet
      • How often would you prefer evaluation check-ins during the pilot (weekly, bi-weekly, cadence tied to milestones)? Options: Weekly, Bi-weekly, Monthly, Milestone-based, Ad-hoc
      • Which platform(s) would you prefer for dashboards and data delivery (select all that apply)? Options: Vendor portal, Splunk, Grafana, Datadog, ELK/Elastic, CSV exports, Other

      If we flip the switch and users call, what’s the plan to calm things down?

      • Do you have a tested rollback plan that can restore VPN-only access quickly if the pilot causes critical user impact? Options: Yes — fully tested, Partially tested, Documented but untested, No rollback plan
      • What is the maximum acceptable percentage of pilot users experiencing degraded access before you trigger rollback? Options: Any single critical user impact, 1–3%, 3–10%, 10–25%, No specific threshold (case-by-case)
      • How will you communicate pilot status and outages to users (channels and cadence)? Options: Email, ServiceNow / ITSM, Slack/MS Teams, In-app notifications, Phone/Calls, Other
      • Who has the authority to approve an emergency rollback during the pilot? Options: IT Ops Lead, Network Security Lead, CISO, CIO, Change Advisory Board, Other
      • Describe the executive signal or metric that would convince leadership to greenlight a wider cutover.

      Next steps and what success looks like to everyone involved

      • With everything we've discussed, what would you say are the top three non-negotiables for a successful pilot?
      • What resources (people, time, labs, test accounts, network diagrams) can you commit to the pilot immediately? Options: Named application owners, Network diagrams / topology, Test accounts, Dedicated support engineers, Lab/test environment, None yet
      • What would make you hesitant to proceed with a pilot right now? Options: Lack of resources, Pending compliance requirements, Stakeholder disagreement, Unresolved legacy apps, Timing / business calendar, Other
      • If we scheduled a 60–90 day side-by-side pilot, what would be a realistic target date to begin? Options: Within 2 weeks, Within a month, 1–2 months, 3+ months, Unsure
      • What would you like us to deliver next—a discovery workshop, an app-mapping plan, a pilot proposal, or a technical PoC? Options: Discovery workshop, App-mapping plan (inventory), Pilot proposal (scope & SOW), Technical PoC / lab test, Vendor comparison template, Other
  6. Success

    Review pilot outcomes, decide path to full deployment, and maintain a shared backlog for issues and enhancements.

    Success Reviews

    • Pilot Outcomes Review (Decision)
    • Technical Validation & Acceptance (Solution Experience)
    • Deployment Roadmap & Phased Cutover Planning
    • Shared Backlog & Continuous Improvement Workshop
    • Executive Sponsor Alignment & Approval

    Issues & Enhancements

    • Create a prioritized backlog of pilot issues and enhancements with owners and SLAs.
    • Schedule the Technical Validation & Acceptance session within two weeks to validate any fixes.
    • Pre-meeting Checklist Review
    • Demonstrate conclusively that the pilot delivers the defined future state using customer data.
    • Confirm compatibility for all critical thick-client and RDP workflows or capture precise failure modes.
    • Obtain technical acceptance or a prioritized remediation list with retest windows.
    • Agree rollback criteria and the conditions under which production cutover may be paused.
    • Document validated acceptance metrics and collect signatures/confirmations from technical stakeholders.
    • Log any technical exceptions into the shared backlog with repro steps, priority, and an owner for remediation.
    • If remediation required, define the remediation plan, owners, and retest schedule; schedule the retest session.
    • Objectives, Constraints & Decision Criteria
    • Agree on a concrete rollout approach with measurable gates and dates.
    • Confirm required staffing, runbooks, and support model for phase 1.
    • Establish risk controls, rollback procedures, and monitoring required during cutover.
    • Identify procurement or budget steps and assign owners to advance them.
    • Produce a phased deployment plan with milestones, acceptance gates, resource matrix, and runbooks.
    • Create a cutover checklist and rollback playbook for the first wave.
    • Schedule milestone review meetings and stakeholder check-ins aligned to gates.
    • Workshop Objectives & Backlog Principles
    • Introductions & Meeting Objectives
    • Define telemetry-driven acceptance criteria for each item to prevent regressions.
    • Establish a governance model and cadence for backlog triage and deployment of fixes.
    • Populate the shared backlog with all pilot findings, including priority, owner, SLA, and acceptance criteria.
    • Configure dashboards and alerts to track remediation progress and telemetry validation.
    • Schedule weekly backlog triage meetings for the first 90 days post-cutover.
    • Executive Summary of Pilot Outcomes
    • Secure executive approval to proceed to full deployment or receive a clear list of executive conditions.
    • Confirm budget and procurement triggers needed to start phase 1.
    • Establish executive sponsor as the escalation and prioritization owner for the deployment.
    • Record and circulate the executive decision, including any conditions or follow-up items.
    • If approved, trigger procurement and budget allocation steps and notify deployment leads.
    • Schedule the formal phase 1 kickoff meeting and invite executive sponsor for a brief opening alignment.
    • Confirm whether pilot met pre-agreed success criteria and identify any formal exceptions.
    • Select a recommended path forward (vendor + pilot-to-production scope) or define the set of conditions required to get there.
    • Identify and assign owners for any remediation required before cutover.
    • Agree a near-term timeline and decision gate for moving to deployment planning.
    • Produce a concise pilot outcomes report including side-by-side vendor metrics and circulate to stakeholders.
    • Assign owners and estimated effort for each critical remediation item identified.
    • Deployment Options Overview
    • Current State Summary (One-sentence)
    • Risk & Business Impact Overview
    • Review of Pilot Findings
    • Current State (One-sentence)
    • Phased Rollout Proposal
    • Cost, Timeline, and Approval Ask
    • Consequence & Business Impact Summary
    • Prioritization Exercise
    • Consequence Quantification
    • Future State & Acceptance Criteria
    • Executive Questions & Concerns
    • Resourcing, Roles & Runbook Requirements
    • Owner Assignment & SLA Definition
    • Pilot Results Snapshot
    • Risk Mitigation & Rollback Procedures
    • Telemetry & Acceptance Criteria for Backlog Items
    • Live Proof Using Customer Telemetry
    • Formal Approval Capture & Next Executive Milestones
    • Gaps, Risks, and Open Issues
    • Future State Definition (One-sentence)
    • Budget & Procurement Triggers
First-Party AI

1-2 minutes please — Your AI agent is working

First-Party AI™ can make mistakes. Always check important information.