# Practical First Steps + Partner Selection Red Flags

## 5-Step Roadmap to Launch ALAI Security Audit Service Line

### Step 1: Identify 2-3 Norwegian Partners with CREST + ISO 27001

**Recommended candidates:**

- Defendable
- Netsecurity
- Possibly Promon

**Do NOT approach:**

- Mnemonic: they operate only as prime contractor and will not sub-contract under another firm's brand

### Step 2: NDA + Confidential Teaser Exchange

Share ALAI AI Services offering (existing legal pack, client pipeline, vertical focus). Gauge partner interest in white-label arrangement.

### Step 3: Negotiate MSA Template (ALAI Preferred)

Use ALAI's preferred MSA template (to be created — similar to the Retainer template in the AI Services legal pack). Include all clauses from the [Legal & Marketing Constraints](/books/alai-sec-service-line/page/legal-marketing-constraints) page.

### Step 4: Pilot with One Client

Run a single pen-test engagement end to end. Verify:

- Operational quality of partner deliverable
- SLA adherence (timeline, report quality)
- Back-to-back DPA flow
- Client satisfaction

### Step 5: Public Marketing (Only After Pilot Success)

Launch "ALAI Security Audit" service line publicly. Add to website, outreach campaigns, AI Services pricing page.

---

## Partner Selection Red Flags

⚠️ **Do NOT proceed** if partner exhibits any of these:

### 1. Certification Lapsed

Verify the CREST registry directly ([https://www.crest-approved.org/member-companies/](https://www.crest-approved.org/member-companies/)). Do NOT rely on the partner's claim alone. CREST accreditation is granted per discipline, so confirm the listing covers penetration testing specifically, not only another service such as SOC or incident response. Apply the same check to ISO 27001: ask for the certificate number and confirm it with the issuing certification body, and read the certificate scope to confirm it covers the services ALAI would be sub-contracting.

### 2. Cyber Insurance < 5M NOK

Request current insurance certificate. If partner carries less than 5M NOK professional indemnity + cyber liability → STOP.

### 3. Refuse Right-to-Audit

If the partner refuses a contractual right for ALAI to audit their security practices → RED FLAG. This is standard for sub-processor relationships: GDPR Art. 28(3)(h) obliges a processor to allow and contribute to audits, and Art. 28(4) requires the same obligations to flow down to any sub-processor.

### 4. Refuse Back-to-Back DPA

If the partner refuses to sign a Sub-Processor DPA under GDPR Art. 28 (Art. 28(4) for the flow-down of ALAI's own processor obligations) → STOP. This is non-negotiable for any client data processing.

### 5. Silent Sub-Contracting

The partner sub-contracts to a third tier without ALAI's written approval. The MSA must include a "no further sub-contracting without prior written consent" clause; GDPR Art. 28(2) already requires prior specific or general written authorisation before a processor engages another processor, so a partner that resists this clause is also resisting a legal requirement.

---

## Cost Estimate for Outsource Model Launch

**White-label model (recommended):** 200-500K NOK

- MSA legal drafting + Norwegian advokat review: 50-100K NOK
- Partner search + NDA negotiations: 20-40K NOK
- Pilot setup (ALAI project management overhead): 80-150K NOK
- Marketing materials (website, pricing page): 30-50K NOK
- Cyber insurance upgrade (if needed): 20-60K NOK/year

**Comparison to building own security firm:** 5-8M NOK upfront (certification journey, senior hires, insurance, tooling).

---

## Open Questions for CEO Decision

1. **Which 2-3 partners to approach first?** (Defendable, Netsecurity, other?)
2. **ISO 27001 certification lead time for ALAI Holding?** (12-18 months typical — do we start now or wait until first client commits?)
3. **Cyber insurance vendor confirmation?** (Gjensidige, IF, other? MC #9412 referenced but status unclear.)
4. **Norwegian advokat for MSA review?** (Wiersholm/BAHR/Schjødt security practice — which firm and contact?)
5. **AI/LLM red-team specialization?** (Should ALAI position as AI-security specialist vs. general pen-test coordinator?)

---

*Related: [Outsource Models](/books/alai-sec-service-line/page/outsource-models), [Legal & Marketing Constraints](/books/alai-sec-service-line/page/legal-marketing-constraints)*

*Source: MC #10446, CEO email 2026-05-01 (Message-ID 4929b145)*