Roadmap PRD §1.3 + §12.4

The 24-month milestone arc

Five gated phases (P0 → P4). 22 modules. 10 → 20 Members. Compliance gates that flip every quarter.

CyberOS ships in five gated phases over 24 months, anchored on dogfooding signal and compliance gates. The founder's commitment is captured in the headcount column: scale only when CyberOS itself absorbs the new operational load. Per PRD §1.3, internal productivity (P1) is the moat — external SaaS is P4 only. This page enumerates each phase's modules, headcount budget, compliance gate, success criteria, and risks; ends with module dependency graph + headcount trajectory + KPI dashboard.

Horizontal timeline Dependency graph Headcount + revenue
0

The horizontal timeline

Five phases · five compliance gates · five module-count milestones. The slope changes after P3: P0–P3 is internal-first execution (12 months); P4 is the external-GA arc (M+13 → M+24).

P0 · Foundations
M0 – M+3
P1 · Productivity
M+4 – M+6
P2 · Operations
M+7 – M+9
P3 · SaaS-ready
M+10 – M+12
P4 · Client-facing
M+13 – M+24
M0
kickoff
M+3
P0 exit · 7/22
M+6
P1 exit · 15/22
M+9
P2 exit · 17/22
M+12
P3 exit · 19/22
M+18/24
P4 · 22/22
P0 exit · M+3
7 modules: AUTH · AI · MCP · OBS · CHAT · BRAIN · GENIE/CUO
Headcount: 10
Gate: T1 Floor
A05 DPIA · DPO · Trust Center · Stripe SAQ-A · VPAT 2.5
P1 exit · M+6
+8 modules: PROJ · TIME · CRM · KB · HR · EMAIL · REW · LEARN
Headcount: 12
Gate: T2 base
SOC 2 Type I · CSA STAR L1 · AI-CAIQ · DSAR APIs
P2 exit · M+9
+2 modules: INV · ESOP
Headcount: 14
Gate: T2 EU enterprise
SOC 2 Type II · ISO 27001:2022 · CSA STAR L2 · EU AI Act Annex III §4
P3 exit · M+12
+2 modules: RES · OKR
Headcount: 16
Gate: T3 large enterprise
ISO 42001 AIMS · ISO 27701 · Singapore HoldCo flip (if ARR ≥ $1.5M)
P4 entry · M+18
+3 modules: DOC · PORTAL · TEN
Headcount: 20
Gate: T3+ regulated
TX-RAMP · StateRAMP Cat 2 · FedRAMP 20x · eIDAS QTSP
Phase-exit gate sequence — what "P-N exit" actually means
sequenceDiagram autonumber participant ENG as Eng Lead participant FOUNDER as Founder/CEO participant DPO as DPO participant CUO as CUO (CTO skill) participant CP as CP module participant AUDIT as Auditor (SOC 2 / ISO) participant BOARD as Board (P2+) Note over ENG,BOARD: T-30 days before phase exit ENG->>CUO: ready-check { phase: P-N } CUO->>CP: enumerate compliance backlog CP-->>CUO: { open: 12, closed: 88, blocked: 0 } CUO-->>ENG: digest · what's missing ENG->>ENG: ship remaining items Note over ENG,BOARD: T-7 days DPO->>CP: pre-audit DPIA review AUDIT->>CP: dry-run access (read-only) AUDIT-->>FOUNDER: findings · severity-tiered Note over ENG,BOARD: T0 phase exit FOUNDER->>CP: declare phase exit CP->>AUDIT: trigger formal audit window CP->>BOARD: board approval (P2+ phases) BOARD-->>CP: approve CP-->>FOUNDER: phase N+1 unlocked CP->>CUO: publish achievement memo
Module rollout — Gantt view
gantt title CyberOS 24-month module rollout dateFormat YYYY-MM axisFormat M+%m section P0 Foundation AUTH :done, p0a, 2026-06, 60d AI Gateway :done, p0b, 2026-06, 60d MCP Gateway :done, p0c, 2026-06, 60d OBS :done, p0d, 2026-07, 60d CHAT :done, p0e, 2026-07, 60d BRAIN :done, p0f, 2026-06, 90d GENIE / CUO :done, p0g, 2026-07, 60d section P1 Productivity PROJ :p1a, 2026-09, 90d TIME :p1b, 2026-09, 60d CRM :p1c, 2026-09, 90d KB :p1d, 2026-10, 60d HR (full) :p1e, 2026-10, 60d EMAIL :p1f, 2026-10, 90d REW (core) :p1g, 2026-09, 90d LEARN :p1h, 2026-11, 60d section P2 Operations INV :p2a, 2026-12, 90d REW (full pool calc) :p2b, 2026-12, 60d ESOP :p2c, 2027-01, 90d section P3 SaaS-readiness RES :p3a, 2027-03, 90d OKR :p3b, 2027-04, 60d Singapore HoldCo flip :milestone, p3c, 2027-05, 1d section P4 Client-facing DOC (eIDAS QTSP) :p4a, 2027-06, 180d PORTAL :p4b, 2027-08, 180d TEN (tenancy + billing) :p4c, 2027-08, 240d First external tenant :milestone, p4d, 2027-12, 1d
P0

Foundations · M0 → M+3

The infrastructure plane plus the substrate (BRAIN), the catalog (SKILL — already shipped) and the orchestrator (CUO). At P0 exit, Slack and Zalo are decommissioned; CyberSkill's 10 Members work inside CyberOS-only.

Modules added (7 of 22)

  • BRAIN — universal memory · 3-layer · already shipped
  • GENIE/CUO — orchestrator · 5 of 10 C-level skills live
  • AUTH — OAuth 2.1 + JWT + per-tenant authz server
  • AI Gateway — LiteLLM + Bedrock + redaction + cost ledger
  • MCP Gateway — 2025-11-25 spec + tool registry
  • OBS — LGTM stack + LangSmith for CUO sessions
  • CHAT — message + thread + @genie call-out

Compliance gate at exit · T1 Floor

  • A05 DPIA filed with MoPS
  • DPO designated (Founder)
  • Trust Center live at trust.cyberos.world
  • Stripe SAQ-A AOC published
  • VPAT 2.5 INT (accessibility) filed
  • Decree 20/2026 SME-status flag set

Success criteria

  • All 10 internal Members on CyberOS for chat + memory by M+3
  • Slack + Zalo billing terminated by M+3
  • CUO answers ≥ 50 questions/week with ≥ 98% citation rate (N(FR pending))
  • BRAIN search p95 ≤ 250ms on 50k-chunk corpus
  • Zero compensation/equity facts ingested into BRAIN (denylist DEC-036)
  • p95 GraphQL ≤ 400ms across all subgraphs (N(FR pending))

Risks · likelihood × impact

  • R-001 (M×H) — Anthropic Skills spec churns; CUO loadout breaks. Mitigation: schema-pin + conformance tests.
  • R-002 (M×H) — MCP 2025-11-25 spec evolves before P0 exit. Mitigation: dual-spec compat for 1 phase.
  • R-003 (L×M) — Bedrock Singapore region capacity issue. Mitigation: Anthropic ZDR fallback already wired.
  • R-004 (L×M) — Vietnamese embedding quality regression. Mitigation: parity tests vs BGE-M3 baseline.

Key milestones within P0

  • M0: module template + Federation router + design tokens repo live
  • M+1: AUTH + AI Gateway in beta; BRAIN + SKILL already shipped baseline
  • M+2: MCP Gateway live; CUO router-only mode
  • M+3: CHAT live; OBS LGTM stack live; 7/22 modules ready; Trust Center launched
P1

Internal Productivity · M+4 → M+6

The productivity moat. PROJ + TIME + CRM + KB + HR + EMAIL + REW + LEARN — eight modules that turn the platform from "infrastructure" into "the thing the team uses every day." First payroll cycle, first promotion review through Hội đồng Chuyên môn.

Modules added (+8 = 15 of 22)

  • PROJ — projects · tasks · cycles · assignments
  • TIME — time entries · expense tracking
  • CRM — clients · deals · activities
  • KB — knowledge base · canonical docs
  • HR (full) — Members · roles · leave · onboarding
  • EMAIL — Stalwart-based mail + inbox + i18n RFC 6532
  • REW (core) — 3P income · payslip · BP balance
  • LEARN — career path · Hội đồng peer-review

Compliance gate · T2 base

  • SOC 2 Type I issued (point-in-time)
  • CSA STAR L1 self-assessment via CAIQ v4.0.3
  • AI-CAIQ "Valid-AI-ted" badge
  • DSAR APIs end-to-end (GDPR Art. 15 ready)
  • Article 50 transparency badges in all AI surfaces

Headcount

10 → 12 Members

  • +1 HR/Ops Lead (REW dogfooding)
  • +1 Engineer (PROJ + KB owner)
  • Existing Founder/CEO + Eng Lead + 7 Engineers continue

Success criteria

  • First full payroll cycle issued through REW (month-end M+6)
  • First promotion review through Hội đồng Chuyên môn
  • P1 base salary invariant verified: zero system-reductions (N(FR pending))
  • BP balance tracked with anti-inflation interest at ACB rate
  • EMAIL daily summary in BRAIN for every Member
  • CRM activities auto-logged from EMAIL outgoing (CaMeL safe extraction)

Risks

  • R-101 (M×H) — REW parameter versioning bug; retroactive recompute could violate N(FR pending). Mitigation: anti-retroactive CI gate; replay tests on every release.
  • R-102 (M×H) — EU AI Act Annex III §4 over-application; HR features flagged as high-risk. Mitigation: DEC-054 — drafts only, no scoring.
  • R-103 (M×M) — Stalwart self-hosted EMAIL reliability. Mitigation: fallback SMTP relay; OBS alarms on bounce rate.
  • R-104 (L×M) — SOC 2 Type I auditor unavailability in Vietnam. Mitigation: Schellman, A-LIGN shortlist; remote audit option.
P2

Operations · M+7 → M+9

Bill-to-cash and Phantom Stock. INV closes the revenue loop; ESOP closes the equity-honour loop. First SP grant issued; first annual SP valuation cycle complete.

Modules added (+2 = 17 of 22)

  • INV — invoicing · MST validation · VAT e-invoice via GDT T-VAN · monthly VAT filing
  • ESOP — Phantom Stock · 4-year vesting · put options from Year 3 · annual SP valuation
  • REW upgrade: full pool calculation with BP overflow + sabbatical accrual

Compliance gate · T2 EU enterprise

  • SOC 2 Type II issued (6-mo observation window)
  • ISO/IEC 27001:2022 Stage 1 audit complete
  • CSA STAR L2 third-party attestation
  • EU AI Act Annex III §4 conformity pack for REW + LEARN
  • Decree 13 full regime — graduate from SME

Headcount

12 → 14 Members

  • +1 vCISO (fractional security · cert prep)
  • +1 Account Manager (CRM + INV dogfooding)

Success criteria

  • First SP grant issued (after Board-approved valuation)
  • First annual SP valuation cycle complete
  • First e-invoice filed to GDT successfully
  • Monthly VAT return submitted via vn-tax-filing skill
  • ARR > $300k (internal-equivalent or first design partner)
  • Good Leaver / Bad Leaver branch tested via tabletop exercise

Risks

  • R-201 (L×VH) — ESOP put-option model violates Vietnamese tax interpretation. Mitigation: counsel review at every parameter version; cash-collected pool only.
  • R-202 (M×H) — SP valuation methodology challenged by Board. Mitigation: dual-signed by Founder + Board; methodology in CP module.
  • R-203 (M×M) — GDT T-VAN provider connectivity. Mitigation: multiple T-VAN provider integrations; manual fallback via VN-tax-filing skill.
P3

SaaS Readiness · M+10 → M+12

The platform earns the right to sell. RES + OKR ship; capacity planning becomes visible; the first quarterly OKR cycle closes. If ARR ≥ $1.5M, the Singapore HoldCo flip happens.

Modules added (+2 = 19 of 22)

  • RES — resource plan · capacity vs forecast · CUO COO-skill rebalancing suggestions
  • OKR — objectives · key results · quarterly cycle · CUO CEO/CSO-skill cycle-close prompts
  • Mobile app evaluation — RN-based, P3 stretch

Compliance gate · T3 Large enterprise

  • ISO/IEC 42001 (AIMS) certified
  • ISO/IEC 27701 (PIMS) — if EU/UK customers push
  • SOC 2 Type II annual refresh
  • Singapore HoldCo flip (CyberSkill Pte Ltd as parent · if ARR ≥ $1.5M)

Headcount

14 → 16 Members

  • +1 Designer (mobile evaluation + PORTAL prep)
  • +1 Engineer (TEN module groundwork)

Success criteria

  • First full quarterly OKR cycle closed (Q1 2027)
  • Capacity-vs-forecast rebalancing run weekly via CUO
  • 3 design-partner tenants signed (paid pilot)
  • ARR ≥ $1.5M triggers Singapore HoldCo flip
  • eu-shard activated for at least one EU pilot tenant

Risks

  • R-301 (M×H) — Singapore HoldCo flip legal complexity exceeds 3-month window. Mitigation: counsel engaged at M+9; flip is optional gate.
  • R-302 (M×H) — RES rebalancing flagged as employment-decision high-risk. Mitigation: suggestion-only mode; human accept/reject required.
  • R-303 (M×M) — ISO 42001 AIMS audit window misalignment. Mitigation: Stage 1 readiness check at M+10.
P4

Client-Facing · M+13 → M+24

External GA. DOC + PORTAL + TEN close the gap. First external paying tenant onboarded. Multi-tenant external GA opens. Regulated-commercial path open via TX-RAMP, StateRAMP Cat 2, FedRAMP 20x Moderate (no-sponsor route if US sub exists).

Modules added (+3 = 22 of 22)

  • DOC — document signing · eIDAS QTSP integration · PDF/A-2 archival
  • PORTAL — external client portal · approval workflow · client-facing AI answers via CUO CXO skill
  • TEN — tenancy management · per-tenant config · billing (Stripe + VNPay)

Compliance gate · T3+ regulated

  • TX-RAMP (Texas state)
  • StateRAMP Cat 2
  • FedRAMP 20x Moderate (no-sponsor route if US sub exists)
  • eIDAS QTSP for DOC module — EU-compliant qualified e-signature
  • SOC 2 Type II + ISO 27001 + ISO 42001 all annual-refresh certified

Headcount

16 → 20 Members

  • +2 Customer Engineers (onboard external tenants)
  • +1 Sales (Account Manager promoted to head)
  • +1 Legal Counsel (CLO; replaces CUO-as-CLO)

Success criteria

  • First external paying tenant onboarded by M+18
  • 5 external paying tenants by M+21
  • 10 external paying tenants by M+24 → ARR ≥ $3M
  • NPS ≥ 40 from external tenants
  • Zero tenant data leakage incidents (N(FR pending) maintained)
  • First eIDAS QTSP-signed document issued

Risks

  • R-401 (M×VH) — eIDAS QTSP integration partner unreliable. Mitigation: multiple QTSP integrations; degraded mode = advanced e-signature.
  • R-402 (M×H) — first external tenant onboarding takes 4× expected. Mitigation: TEN module ships ≥ 3 months before first paid customer.
  • R-403 (L×VH) — FedRAMP 20x no-sponsor route deprecated. Mitigation: TX-RAMP + StateRAMP first; FedRAMP deferred.
A

Module dependency graph

Every module depends on the P0 infrastructure plane (AUTH, AI, MCP, OBS) and on BRAIN for memory + audit. P1 modules dogfeed each other (TIME → REW; CRM → EMAIL); P2 modules close revenue + equity loops; P3 modules read from everything; P4 modules sit at the edge.

flowchart LR subgraph P0 ["P0 Foundation"] AUTH(("AUTH")) AI(("AI")) MCP(("MCP")) OBS(("OBS")) BRAIN(("BRAIN")) CUO(("CUO")) CHAT(("CHAT")) end subgraph P1 ["P1 Productivity"] PROJ(("PROJ")) TIME(("TIME")) CRM(("CRM")) KB(("KB")) HR(("HR")) EMAIL(("EMAIL")) REW(("REW")) LEARN(("LEARN")) end subgraph P2 ["P2 Operations"] INV(("INV")) ESOP(("ESOP")) end subgraph P3 ["P3 SaaS-ready"] RES(("RES")) OKR(("OKR")) end subgraph P4 ["P4 External"] DOC(("DOC")) PORTAL(("PORTAL")) TEN(("TEN")) end AUTH --> CHAT & PROJ & TIME & CRM & KB & HR & EMAIL & REW & LEARN & INV & ESOP & RES & OKR & DOC & PORTAL & TEN AI --> CUO & BRAIN MCP --> CUO OBS -. observes .-> CHAT & PROJ & CRM & REW & ESOP & RES & OKR CUO --> CHAT & BRAIN BRAIN --> CUO TIME --> REW PROJ --> TIME CRM --> EMAIL CRM --> INV EMAIL --> BRAIN KB --> BRAIN HR --> REW REW --> LEARN REW --> ESOP PROJ --> RES TIME --> RES HR --> OKR RES --> OKR CRM --> PORTAL HR --> TEN AUTH --> TEN INV --> TEN KB --> DOC classDef p0 fill:#e8d4c2,stroke:#45210e,stroke-width:2px classDef p1 fill:#f5ede6,stroke:#45210e classDef p2 fill:#fef6e0,stroke:#9c750a classDef p3 fill:#f9c64f,stroke:#9c750a classDef p4 fill:#f0eee9,stroke:#475569 class AUTH,AI,MCP,OBS,BRAIN,CUO,CHAT p0 class PROJ,TIME,CRM,KB,HR,EMAIL,REW,LEARN p1 class INV,ESOP p2 class RES,OKR p3 class DOC,PORTAL,TEN p4

Cycle-free by construction. The only "circular" arrow (BRAIN ⇄ CUO) is the legitimate read/write split: CUO writes inquiry context, BRAIN returns search hits.

B

Headcount · modules · revenue trajectory

Three curves laid on the same time axis. Headcount grows only when CyberOS itself absorbs the operational load. Module count is the leading indicator; revenue is the trailing indicator.

Headcount (Members)
10 → 20
+10 over 24 months. Hires are gated on CyberOS's ability to absorb that Member's onboarding via REW + LEARN + KB.
Modules shipped
7 → 22
+15 over 24 months. The 7 P0 modules are the heaviest lift; subsequent phases ship 8 / 2 / 2 / 3.
ARR target
$0 → $3M
$0 at P0 (internal). Design-partner pilots at P2. $1.5M trigger for HoldCo flip at P3. $3M+ at P4 with 10 paying tenants.
Headcount trajectory
xychart-beta title "Member count over 24 months" x-axis ["M0", "M+3", "M+6", "M+9", "M+12", "M+15", "M+18", "M+21", "M+24"] y-axis "Members" 0 --> 22 line [10, 10, 12, 14, 16, 17, 18, 19, 20]
Module count trajectory
xychart-beta title "Modules shipped (out of 22)" x-axis ["M0", "M+3", "M+6", "M+9", "M+12", "M+15", "M+18", "M+21", "M+24"] y-axis "Modules" 0 --> 22 line [3, 7, 15, 17, 19, 19, 20, 22, 22]
ARR trajectory ($k)
xychart-beta title "Annual Recurring Revenue projection ($k)" x-axis ["M0", "M+3", "M+6", "M+9", "M+12", "M+15", "M+18", "M+21", "M+24"] y-axis "ARR ($k)" 0 --> 3500 line [0, 0, 0, 300, 800, 1500, 2000, 2600, 3200]
C

KPI dashboard targets per phase

Each phase has a "north-star plus three" KPI set. North-star is the dogfooding-signal proxy; the three supporting metrics are the leading-edge measurements that tell the founder whether the phase is ready to exit.

PhaseNorth-starKPI 2KPI 3KPI 4 · guardrail
P0 Slack + Zalo decommissioned · 100% Members on CHAT CUO citation rate ≥ 98% BRAIN search p95 ≤ 250ms Zero compensation in BRAIN (denylist)
P1 First full payroll cycle issued through REW SOC 2 Type I issued Time-tracked hours = 100% of billable P1 base salary system-reductions = 0
P2 First SP grant + first SP valuation cycle complete SOC 2 Type II + ISO 27001 Stage 1 VAT e-invoice file rate 100% Parameter version retroactive mutations = 0
P3 Quarterly OKR cycle closed · capacity rebalanced weekly ISO 42001 certified ARR ≥ $1.5M (HoldCo trigger) EU AI Act Annex III §4 conformance · 100% drafts-only
P4 First external paying tenant onboarded 10 paying tenants by M+24 NPS ≥ 40 from external tenants Tenant data leakage incidents = 0

Continuous (cross-phase) NFRs

  • N(FR pending) GraphQL p95 ≤ 400ms
  • N(FR pending) BRAIN search p95 ≤ 250ms on 1M chunks
  • N(FR pending) Platform availability ≥ 99.5%
  • N(FR pending) CHAT availability ≥ 99.9%
  • N(FR pending) Tenant data leakage = 0
  • N(FR pending) CUO citation rate ≥ 98%

Anti-metrics (we watch these not grow)

  • CUO auto-acts on irreversible op without confirm
  • P1 base salary system-reductions
  • Parameter version retroactive mutations
  • Compensation/equity facts in BRAIN
  • CUO answers without citation when source exists
  • Prompt-injection exfiltration via email/document

References

PRD source sections

  • PRD §1.3 — The 12-month milestone arc
  • PRD §4.2 — OKRs by phase exit
  • PRD §4.3 — Guardrail (anti-)metrics
  • PRD §7.1 — All 22 modules catalogued
  • PRD §11.1 — Foundational locked decisions
  • PRD §11.2 — Non-Functional Requirements
  • PRD §12.4 — Compliance tier model per phase
  • PRD §13 — AI-driven productivity matrix
  • PRD §17 — 12-week shipping plan

Cross-references in CyberOS docs

Previous · Tech stack Back to home