A proposal · Omar G. Nagy
A cybersecurity risk-management platform — built three ways, with full transparency.
You sent me a clear, ambitious workflow. I want to show you exactly how I'd build it — and the three architecture paths you can choose from depending on what matters more: frontier AI capability, single-tenant control, or a physical air gap.
This is an interactive technical proposal. I chose to build it as a full website rather than a static document so you can see the system without having to imagine it: three architecture paths, transparent costs, and a live AI demo.
What you sent me
I read your workflow doc carefully. Here's what I understood — and what I'm proposing to build.
Your ask, in one paragraph
An automated cybersecurity risk-management system aligned with the National Cybersecurity Authority (NCA) — 15 workflow steps from trigger through continuous reassessment, covering ECC, CCC, CSCC, DCC, and OSMACC. Risk-matrix scoring, SLA-driven treatment plans, dashboards, Power BI reporting, audit trail, and an AI Risk Scenario Generator at the heart of it.
What I'm hearing as the real priority
- Security + privacy — no data leak, no model training on your data.
- Air-gap is not a hard requirement — what matters is the property, not the topology.
- NCA-aligned compliance content, not generic templates.
- AI does the heavy lifting on scenario generation and compliance mapping.
The reframe: privacy is a property you can achieve three different ways, with different cost-and-capability tradeoffs. Air-gap is one of them — not the only one. Below you'll see all three side-by-side, and the live demo so you can feel the system.
Architecture · the three paths
Each path gets you the same system. The difference is where the AI lives and how privacy is guaranteed.
Hybrid with Frontier AI
Hybrid with advanced AI models
Your system runs on a single-tenant server you control. AI calls (the Risk Scenario Generator and the Compliance Mapping Engine) go to Anthropic's Claude or OpenAI's GPT under an enterprise contract with zero data retention and no training on your inputs. Everything else — risks, controls, audit log, evidence — stays on your server.
Privacy posture
Contractual + technical isolation. Enterprise no-train DPA, encrypted in transit, zero-retention policy.
Capability ceiling
Frontier (Claude Opus 4.7 / GPT-5 class). Substantially better risk-scenario quality than any open-source model in 2026.
Best for
Teams that want frontier-grade AI and the fastest path to a working system, and are comfortable with a contractually-isolated cloud AI provider.
The tradeoff
AI inference data leaves your network for milliseconds. Anthropic/OpenAI enterprise contracts forbid retention and training, with audit rights. This is acceptable for most regulated workloads.
Components
- Application server: Next.js + Node 22, single-tenant on a Saudi/UAE cloud region or your VPS
- Database: PostgreSQL 16 + pgvector, encrypted at rest
- AI provider: Anthropic Claude Sonnet 4.6 (primary) · OpenAI GPT-5 (fallback) · both under enterprise zero-retention DPA
- Authentication: Local users + Entra ID / SAML option
- Dashboards: Power BI Service OR self-hosted dashboards — your choice (Power BI Service is allowed in this path)
- Email alerts: Internal SMTP or SendGrid/SES
- Audit log: Append-only Postgres table, 7-year retention default
One-time
$9,500–19,500
Time
3–9 wk
Monthly
$870–1,030
No GPU required. AI runs at the vendor under enterprise contract.
Side-by-side
The full comparison — no salesy obfuscation.
Every dimension that actually drives the decision, in one table. The cell with the stronger position is highlighted.
| Dimension | Path C · Hybrid | Path B · Private | Path A · Air-Gapped |
|---|---|---|---|
| One-time build (all phases) | $9.5K–19.5K | $14.5K–26.5K | $18.5K–39K |
| Time to ship v1 | 3–4 weeks | 4–5 weeks | 5–6 weeks |
| GPU hardware capex (client side) | $0 | $7K–35K | $28K–35K |
| Monthly run-rate (after launch) | ~$870–1,030/mo | ~$1,500–4,000/mo | ~$2,500/mo |
| AI capability ceiling | Frontier (Claude/GPT) | Open-source (Qwen 72B) | Open-source (Qwen 72B) |
| Risk-scenario latency (single user) | 1–3 sec | 2–5 sec | 2–5 sec |
| Privacy posture | Contractual no-train + zero-retention DPA | Cryptographic + architectural | Physical air gap (verifiable) |
| NCA tier fit | Essential / Advanced (with cloud DPA review) | Essential / Advanced / Minimal | All tiers incl. Critical National Infrastructure |
Highlighted cell = the path that wins on that dimension. No single path wins on everything — that's why we're showing all three. Pick by what matters most to you.
Live demo · the AI Risk Scenario Generator
Type any asset. Watch a risk-register entry get generated.
This is the real engine — not a recording. It produces a structured Risk-Register entry: threat, vulnerability, likelihood × impact, mapped NCA / ISO controls, mitigation, and residual risk. Mapped controls are placeholder IDs in this demo (full system maps to the real NCA control catalogue via RAG).
Your 15-step workflow
Every step you specified, with the artifact it produces.
Click a step to see what it does. The system enforces the order, but a human reviews every AI-produced artifact before it commits.
Step 1 · what it does
Trigger / Risk Assessment Initiation
Launching the assessment
Triggered by new projects, changes, cloud services, third parties, incidents, or vulnerabilities. Creates a Risk Assessment Ticket linked to the asset or project.
Artifact produced
Risk Assessment Ticket
Risk-level matrix
Likelihood × Impact = Risk Score
Both axes on a 1–5 scale. Cells use the score, scale below.
| | Impact 1 | Impact 2 | Impact 3 | Impact 4 | Impact 5 |
|---|---|---|---|---|---|
| L=5 | 5 | 10 | 15 | 20 | 25 |
| L=4 | 4 | 8 | 12 | 16 | 20 |
| L=3 | 3 | 6 | 9 | 12 | 15 |
| L=2 | 2 | 4 | 6 | 8 | 10 |
| L=1 | 1 | 2 | 3 | 4 | 5 |
Treatment SLA grid
Risk level → required response time
Auto-applied on every treatment-plan record.
- Very Low: Light monitoring · —
- Low: Periodic review · —
- Medium: Plan within 20 business days · Execute within 6 months
- High: Plan within 5 business days · Execute within 3 months
- Catastrophic: Plan within 5 business days · Execute within 1 month
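How the matrix and the SLA grid could be applied to a treatment-plan record, as an added Python example (not code from the proposed system). The score-to-level bands, the Friday/Saturday weekend, and counting both deadlines from the record's open date are assumptions, because the page does not state them.

```python
import calendar
from datetime import date, timedelta

# ASSUMED score bands (upper bound, level); the page does not give its scale.
BANDS = [(4, "Very Low"), (9, "Low"), (14, "Medium"), (19, "High"), (25, "Catastrophic")]
# SLA grid from the page: (business days to plan, months to execute).
SLA = {"Very Low": None, "Low": None,
       "Medium": (20, 6), "High": (5, 3), "Catastrophic": (5, 1)}
# ASSUMED Friday/Saturday weekend; date.weekday() has Monday=0 ... Sunday=6.
WEEKEND = frozenset({4, 5})


def risk_level(likelihood, impact):
    """Score a 1-5 x 1-5 cell and map it to a level; reject off-scale input."""
    if likelihood not in range(1, 6) or impact not in range(1, 6):
        raise ValueError("likelihood and impact must be integers from 1 to 5")
    score = likelihood * impact
    return score, next(name for ceiling, name in BANDS if score <= ceiling)


def add_business_days(start, days, weekend=WEEKEND):
    """Step forward one calendar day at a time, counting only working days."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() not in weekend:
            days -= 1
    return current


def add_months(start, months):
    """Add calendar months, clamping to month end (31 Jan + 1 -> 28/29 Feb)."""
    index = start.month - 1 + months
    year, month = start.year + index // 12, index % 12 + 1
    return date(year, month, min(start.day, calendar.monthrange(year, month)[1]))


def treatment_deadlines(likelihood, impact, opened):
    """Return score, level and both SLA dates for a record opened on `opened`."""
    score, level = risk_level(likelihood, impact)
    record = {"score": score, "level": level, "plan_due": None, "execute_due": None}
    if SLA[level] is not None:  # Very Low / Low carry no deadline in the grid
        plan_days, execute_months = SLA[level]
        record["plan_due"] = add_business_days(opened, plan_days)
        record["execute_due"] = add_months(opened, execute_months)
    return record


if __name__ == "__main__":
    print(treatment_deadlines(4, 4, date(2026, 1, 29)))
```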
Security & privacy
Three different mechanisms. Same property: your data stays yours, and is never used to train any model.
You said the real concern is privacy + no leak + no training on your data — not the air-gap itself. Here's exactly how each path delivers that property.
Path C
Contractual + technical isolation. Enterprise no-train DPA, encrypted in transit, zero-retention policy.
- Anthropic Enterprise: zero data retention by default, no model training on your inputs (DPA Article 3), SOC 2 Type II + ISO 27001 certified
- TLS 1.3 for every API call · no plaintext on the wire
- Your data: stays in your single-tenant server. The AI provider only sees the specific question being asked, never your full database
- Audit rights: you can request quarterly DPA compliance reports from Anthropic
- Kill switch: you can fall back to Path B (self-hosted Qwen) at any time without re-architecting — just point the AI client at a local endpoint
Path B
Cryptographic + architectural isolation. Self-hosted model, your server, your network rules.
- Model + data on the same machine inside your network: AI inference never crosses your perimeter
- Inputs and outputs are processed in memory; nothing persists outside your Postgres
- Network: VPN-only access · IP whitelist · TLS 1.3 · per-user audit logging on every read/write
- Encryption at rest: full-disk LUKS encryption + Postgres TDE on sensitive columns
- Hardware: a single rack box in your DC or a dedicated cloud instance (AWS me-central-1 Saudi region, or Saudi Cloud)
Path A
Physical isolation. Verifiable via packet capture — zero egress traffic possible.
- Physical air gap: no Ethernet, no Wi-Fi, no Bluetooth, no cellular. The box cannot phone home because no path exists.
- Verifiable by packet capture on the upstream switch — zero egress traffic possible
- Model weights, vectors, audit logs, and all data: persist only on this single box (with encrypted backup to a second internal box)
- All external integrations replaced by on-prem equivalents (e.g., internal SIEM only, no hosted Threat-Intel feeds)
- NCA Compliance Audit Pack recommended for this path — control-by-control documentation + external auditor coordination
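The packet-capture check described for Path A, as an added Python example (not part of the proposal's code): it reads `tcpdump -nn` text output and reports any packet with an endpoint outside an allowlist, treating lines it cannot parse as a failure rather than ignoring them. The two peer addresses (the box and its internal backup box) and the capture lines are constructed for illustration.

```python
import ipaddress
import re

# ASSUMED addresses: the air-gapped box and its internal backup box.
ALLOWED_PEERS = frozenset(map(ipaddress.ip_address, ("10.20.0.10", "10.20.0.11")))
# `tcpdump -nn` text form: "<time> IP <src>[.port] > <dst>[.port]: ..."
LINE = re.compile(r"^\S+ IP6? (?P<src>\S+) > (?P<dst>\S+):")

# CONSTRUCTED capture lines for illustration, not real traffic.
SAMPLE = """\
09:00:01.000001 IP 10.20.0.10.51514 > 10.20.0.11.22: Flags [S], seq 1, length 0
09:00:01.000420 IP 10.20.0.11.22 > 10.20.0.10.51514: Flags [S.], seq 9, ack 2, length 0
09:00:07.310000 IP 10.20.0.10.40022 > 203.0.113.7.443: Flags [S], seq 5, length 0
09:00:09.000000 IP 10.20.0.10 > 10.20.0.11: ICMP echo request, id 1, seq 1, length 64
09:00:12.500000 ARP, Request who-has 10.20.0.1 tell 10.20.0.10, length 28
"""


def endpoint(token):
    """Return the IP in a tcpdump endpoint token, dropping a trailing .port."""
    for candidate in (token, token.rsplit(".", 1)[0]):
        try:
            return ipaddress.ip_address(candidate)
        except ValueError:
            pass
    raise ValueError(f"no IP address in {token!r}")


def audit_capture(lines, allowed=ALLOWED_PEERS):
    """List packets touching a non-allowlisted address, plus unparsed lines."""
    violations, unparsed = [], []
    for number, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        match = LINE.match(line)
        try:
            src, dst = endpoint(match["src"]), endpoint(match["dst"])
        except (TypeError, ValueError):  # no match, or no address in the token
            unparsed.append(number)
            continue
        if src not in allowed or dst not in allowed:
            violations.append((number, str(src), str(dst)))
    # Fail closed: a capture counts as clean only if every line was understood.
    return {"violations": violations, "unparsed": unparsed,
            "clean": not violations and not unparsed}


if __name__ == "__main__":
    print(audit_capture(SAMPLE.splitlines()))
```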
On the no-training contract (Path C specifically)
What "enterprise zero-retention" actually means.
- Anthropic enterprise terms: by default, prompt + completion data is deleted after request processing. No retention unless explicitly opted in for abuse-monitoring.
- No training: enterprise customer data is explicitly excluded from model training data, contractually guaranteed in the DPA.
- Compliance certifications: SOC 2 Type II, ISO 27001, HIPAA-eligible, GDPR-compliant.
- Audit rights: you can request compliance reports and the DPA itself before signing.
- Data residency: Anthropic offers EU-region routing; OpenAI also offers region pinning. We'll select the closest jurisdiction to your data-residency needs.
- Kill switch: if regulators change posture, your system can fall back to Path B (self-hosted Qwen) by changing one environment variable. Zero re-architecture cost.
Pricing · phase by phase
Transparent, phased, and 5–10× cheaper than Saudi Big-4 for comparable scope.
You stop at the end of any phase — no scope lock-in. Phase 0 (paid scoping) credits 100% against Phase 1 if you proceed.
| Phase | Time | Path C | Path B | Path A |
|---|---|---|---|---|
| Paid Scoping (optional): Written technical spec, architecture diagram, firm fixed-fee quote. Credited 100% against Phase 1 if you proceed. | 1 wk | $750 | $750 | $750 |
| Phase 1 — Core v1: All 15 workflow steps · AI Risk Scenario Generator · ECC + CCC compliance mapping (RAG) · Risk Register · Dashboards · Audit log · Email alerts · Mocked external connectors for SIEM/SOC/Scanner/Threat-Intel · Single org · Up to 10 users. | 3–6 wk | $9,500 | $14,500 | $18,500 |
| Phase 2 — Frameworks Expansion: Add CSCC + DCC + OSMACC mapping · Multi-organization support · Evidence Repository (file upload + indexing) · Enhanced reporting + custom report builder. | 1–3 wk | $5,500 | $7,000 | $8,500 |
| Phase 3 — Live Integrations: Replace the mocked connectors with real integrations to your SIEM, SOC, Vulnerability Scanner, and Threat-Intelligence feeds. Continuous Monitoring pollers. Real-time alert routing. | 2–4 wk | $4,500 | $5,000 | $7,500 |
| NCA Compliance Audit Pack (optional): Control-by-control mapping document · audit-trail templates · external auditor coordination · evidence-collection runbooks. Recommended for Path A; optional for B and C. | 1–2 wk | $3,500 | $4,000 | $4,500 |
| Phases 0 + 1 + 2 + 3 total (excluding optional audit pack) | 7–14 wk | $20,250 | $27,250 | $35,250 |
Monthly run-rate
After v1 ships
| Line item | C | B | A |
|---|---|---|---|
| AI inference (Claude API · enterprise zero-retention) | $20–80/mo (200–1,000 assessments) | $0 | $0 |
| Hosting infra (single-tenant, Saudi/UAE region) | $50–150/mo | $0–2,000/mo (self vs cloud GPU) | $0 (your facility) |
| Maintenance + support (99% uptime · 4h P1 · 1-bday P2) | $800/mo | $1,500/mo | $2,500/mo |
Maintenance is billed quarterly in advance, cancellable with 30 days' notice.
GPU hardware (Paths B + A)
Sourced via Saudi distributor, no margin
You buy the GPU directly. We help you spec and source — no markup, no inventory risk for either of us.
- 1× NVIDIA H100 80GB PCIe · $25–28K · Recommended for Path B (good balance) · paths: B
- 1× NVIDIA H100 80GB SXM · $28–32K · Required for Path A (enterprise air-gap grade) · paths: A
- 2× NVIDIA A100 80GB · $15–20K used / $30–35K new · Most common, well-tested with vLLM · paths: B / A
- 1× NVIDIA L40S 48GB · $7–8K · Entry tier; supports Qwen 32B only (not 72B) · paths: B
Notes & assumptions
- All prices in USD. SAR conversion at 3.75:1 (pegged).
- Billing schedule: 40% kickoff, 30% Phase 1 acceptance, 30% Phase 2 acceptance. Phase 3 billed separately upon scope sign-off.
- Maintenance + support billed quarterly in advance, cancellable with 30 days' notice.
- Not included: hardware capex (Paths A & B), AI API consumption (Path C, billed direct to you by Anthropic/OpenAI), existing software licenses (Power BI, OS, etc.), Saudi WHT (deducted by you at payment per ZATCA).
- Rate basis: $75/hr USD senior AI engineering. 5–10× cheaper than equivalent Saudi Big-4 consulting ($200K+ for comparable scope), ~3× cheaper than US/EU boutique builds.
Delivery timeline
Side-by-side, week by week.
Each row is a path. Each block is a phase. We'll start with Phase 0 (paid scoping) the moment we agree on the path.
About
Who I am and why I'd be the right person to build this.
I'm Omar G. Nagy — an Egyptian AI engineer who has spent the last two years shipping production AI systems for compliance-adjacent businesses. I work hands-on (I don't hand off to a team), I ship fast (the proof is this site, built in under 24 hours), and I tell you the tradeoffs honestly even when they cut against the higher-priced option.
What you're looking at right now — this interactive proposal, the live AI demo behind it, the architecture diagrams, the pricing transparency — is the kind of work I'll be doing on your project, just at a larger scale.
Selected work
- RetailOS: AI-first multi-tenant retail SaaS. Production. Live customers.
- MedPrüf: Austrian medical-exam prep platform — 10K+ AI-augmented questions, GA4 + Clarity instrumented.
- NeuraScale: First-party analytics + booking + lead-qualification platform; own-stack.
- Bridge Sourcing: B2B sourcing platform leveraging Egypt's 0% tariff lanes.
More at omargnagy.com
Next step
Pick a path — or let's use a paid scoping week to settle it.
If you're ready, I'll send a fixed-fee SOW for your chosen path within 24 hours of confirmation. If you're between two paths, a one-week paid scoping engagement ($750, fully credited against Phase 1) gets you a written technical spec and a firm quote with zero ambiguity.
If you've chosen a path, I'll send you a fixed-price SOW within 24 hours. If you need to decide between two paths, the paid scoping week ($750, fully deducted from Phase 1) gives you a written technical proposal and a final price with no ambiguity.