Read this first. It maps each chapter of Shrink-Wrap It: the GovCon Productization Playbook to NorthAI's specific situation and links to the artifact where that chapter's analysis lives.
The firms that will thrive in the next decade aren't abandoning services. They're wrapping services around products.
On the discovery call, the book was named by title. The 14-chapter arc is not being introduced to NorthAI for the first time, it is being applied to a situation that the call already mapped in rough outline. This walkthrough makes that mapping explicit. One section per chapter. Each section names the framework the chapter introduces, shows where it applies to NorthAI specifically, and links to the artifact that operationalizes it. Read this before clicking anything else in this directory.
A $50 million pure services firm might sell for $40-60 million. The same revenue with a product component could command $75-125 million.
Ch 1 establishes the market pressure that makes productization urgent rather than optional. Federal IT spending reached $102.3 billion in FY2025, but 72% funds operations and maintenance of legacy systems. The 28% that flows to modernization and new capability is where NorthAI's three product lines compete.
NorthAI's 5.5-year OUSD R&E engagement is a pure-services story: NorthAI delivered intelligence-fusion analysis as a sub-of-prime under a cleared US prime. The engagement ended in 2023. The valuation gap Ch 1 identifies is the gap NorthAI is currently crossing: NorthStar, Tech Vector, and Defense BD are the product layer being built on top of that services pedigree. Palantir's market cap exceeding Lockheed by 4x is the benchmark that frames the stakes.
Compliance is part of your product from the start. Design for it from the beginning or don't start at all.
Ch 2 introduces the No-Delusion Gate: five filters (TAM, compliance cost reality, ATO path viability, vehicle access, internal capability) that must all pass before productization investment begins. Failure on any filter is disqualifying. The chapter also introduces the Productization Spectrum: Level 1 (Productized Service) through Level 4 (Federal SaaS).
On the discovery call, the investor "no's" question came up as a signal that the productization gap had already been surfaced externally. That framing is Ch 2's No-Delusion Gate applied by external observers. HARBOR's initial diagnostic placed NorthAI in the 45/100 "Overcorrection" band, the error of moving too fast toward Level 4 when Level 2 is the right starting position. Ch 2's Productization Spectrum is the roadmap for walking that back.
This translation function is rare. It requires understanding all four domains: technical, operational, sales, finance.
Ch 3 names the five Builder-Operator characteristics that federal productization requires: acquisition literacy, ATO understanding, CLIN awareness, compliance vs. theater distinction, and technical-business translation. These are not aspirational; the DoD Software Acquisition Pathway assumes vendors can demonstrate them.
The discovery call made the Builder-Operator split explicit: one founder is the Builder (data infrastructure, product architecture, 200M-document corpus), the other is the Operator (growth, federal BD, customer relationships). Ch 3 says this split is rare and differentiating. The Steward role in the engagement runs across this split, protecting both from each other's blind spots: the Builder's impulse to over-engineer compliance and the Operator's impulse to accept verbal commitments as procurement authority.
Most GovCon services firms are sitting on valuable intellectual property they've never recognized, extracted, or monetized.
Ch 4 introduces contract archaeology: the four-step process of pulling proposal archives, interviewing delivery leads, mapping the repeats, and assessing documentation state. The three types of hidden IP are Process IP (methodology), Tool IP (scripts, utilities, dashboards), and Data IP (accumulated benchmarks, models, patterns).
NorthAI's situation is the clearest possible illustration of this chapter: the 5.5-year OSI&A engagement produced validated intelligence-fusion methodology, a 200-million-document corpus, and 15,000 RDT&E program mappings. All three are Data IP in Ch 4's taxonomy, already proven in federal environments, not yet extracted into product candidates. The federal award footprint shows what the archaeology uncovered (and what it couldn't find in public records). The outside-in mirror shows why the archaeology matters: the hidden IP is the only thing that makes NorthAI differentiated from a buyer's perspective.
The question isn't 'should we productize?' but 'at what level, with what compliance investment, through which vehicles, given our current capabilities, and do the economics actually work?'
Ch 5 introduces the Six Dimensions scorecard: Repeatability, Cross-Agency Demand, Compliance Leverage, Vehicle Access, ATO Feasibility, and Economic Viability. Each dimension is scored 1-5. A product candidate that scores below 3.0 overall should be restructured or abandoned. The chapter also introduces the "fans without procurement authority" pattern, the single most common productization trap.
On the discovery call, a directed-energy program was described that generated interest ("crickets" once follow-up came for contracts). That is the fan-not-buyer pattern from Ch 5 in exact form. The S2P scorecard across NorthAI's three product lines (Tech Vector, NorthStar, Defense BD) is the analytical engine that determines ship order and investment allocation. Tech Vector scores highest on Vehicle Access and Repeatability. NorthStar scores highest on Cross-Agency Demand. Defense BD scores highest on Economic Viability but lowest on ATO Feasibility.
A product isn't validated until three unrelated customers are paying for it. Not piloting at discounted rates. Paying full price under signed contracts.
Ch 6 introduces the Hill Selection Matrix (Market Access, Competitive Position, Authorization Alignment, Economics) and the 3-Customer Validation Threshold. The core discipline: concentration beats diversification. One product pursued with full resources beats three products pursued with split attention. The chapter also introduces the revenue-stability signal that gates Product #2 readiness: ARR covers ConMon + 1 FTE, 90%+ renewal rate, Product #1 runs without founder involvement.
The framing on the call, "strategy and planning vs tactical", is Ch 6's hill-selection language. NorthAI's current situation requires a single-hill focus decision: which of the three product lines (Tech Vector, NorthStar, Defense BD) reaches three paying customers first? That hill gets full resources. The allied-buyer map applies the same concentration logic to allied markets: NATO STO research partnership first, bilateral agencies second.
Companies treat authorization as a finish line. It's not. It's a starting gun.
Ch 7 makes the phase-vs-discipline distinction explicit and quantifies the stakes: real ConMon costs for FedRAMP Moderate run $200-500K annually in perpetuity. Without dedicated compliance ownership, ConMon fails. Engineering has feature deadlines; compliance has no visible deadline until authorization expires. The staffing options (full-time compliance lead at $3M+ ARR, fractional at $8-15K/month, compliance-as-service at $10-20K/month) are the concrete choices NorthAI faces.
On the discovery call, a framing of authorization options ("GCC High, IL4, IL5, GovCloud") initiated the FedRAMP conversation. Ch 7 is the chapter that explains why the initial authorization path matters less than the ongoing ConMon model. NorthAI's current stage (pre-FedRAMP, pre-ATO) is the moment to make the compliance-as-discipline decision, before the first contract rather than after.
The first agency took nine months. The second agency took six weeks because of reciprocity.
Ch 8 quantifies authorization levels and costs (LI-SaaS $50-150K / 3-6mo; Low $150-400K / 4-8mo; Moderate $500-1.5M / 6-12mo; High $1.5-3M+ / 12-18mo) and explains the sponsor agency relationship: the hardest part of FedRAMP is not the technical assessment but finding an agency willing to commit 200-400 hours of internal ISSO time. The sponsorless FedRAMP 20x path eliminates that dependency.
Ch 8's "authorization as trust mechanism" framing is the investor pitch logic: FedRAMP authorization transforms NorthAI from "a startup claiming Pentagon access" to "a platform any agency can verify in four weeks." The firewall-precedents artifact extends Ch 8's trust-infrastructure logic into the allied-investor context: FOCI mitigation agreements are the allied equivalent of FedRAMP, the structure that makes foreign-owned defense companies trustworthy counterparties for classified contracts.
Draw the tightest defensible boundary around the core capability that processes federal data. Push optional features, integrations, and administrative functions outside the boundary where possible.
Ch 9 introduces the five Survivable Architecture Principles: Minimize authorization boundary, Layered and segmented design, Configuration over customization, API-first design, and Environment parity. It quantifies control inheritance: typical Moderate on GovCloud = 85 inherited / 65 shared / 175 customer controls. Understanding inheritance can reduce compliance burden by 40-60%, saving $200-500K in initial authorization costs.
NorthAI's 200-million-document corpus and multi-agent analysis pipeline are the architecture decision that determines whether FedRAMP Moderate is achievable or whether the boundary becomes unmanageably large. Ch 9's "tightest defensible boundary" principle applies directly: the corpus storage and retrieval layer may be archiveable outside the authorization boundary; the analysis and output layer is the boundary core. The allied-pathway memo's ISO 27001 + IRAP certification requirement applies Ch 9's environment-parity principle: the same platform architecture must satisfy multiple allied certification regimes simultaneously without separate code branches.
Codification isn't about replacing experts; it's about amplifying them, enabling one expert to support 5-10 engagements simultaneously instead of delivering one at a time.
Ch 10 introduces the four Codification Criteria (repeatedly applied 3+ times/year; high value $100K+; differentiating; transferable) and the five-step Codification Process. The payoff: codification enables 10 engagements where one was previously delivered, at 40-60% gross margin vs 15-25% on custom work.
NorthAI's 200-million-document corpus and 15,000 RDT&E technology mappings are the raw material for Ch 10's codification process. The intelligence-fusion methodology that drove 5.5 years of OSI&A work, the decision trees for which signals matter, which sources contradict, which vectors are high-confidence, lives in the founders' and the team's heads. Extracting that into the Tech Vector SKU specification is exactly the Chapter 10 exercise. The customer onboarding playbook is the downstream deliverable.
The 70/30 principle: aim for approximately 70% standardized core and 30% configurable surface.
Ch 11 operationalizes standardization decisions: security controls, compliance artifacts, core functionality, and infrastructure never vary between customers (they are what FedRAMP authorization covers). Workflows, reporting configurations, integrations, and UI customization are the configurable surface. Pricing custom work separately under T&M CLINs ensures scope creep does not erode base margins.
The product.html page of the microsite already references Ch 11's 70/30 framework for NorthAI's three product lines. The 70/30 boundary diagram artifact makes the product-by-product cuts explicit: for Tech Vector, the standardized 70% is the technology-vector extraction methodology and the alert classification engine; the configurable 30% is the agency-specific source-prioritization rules and reporting frequency. For NorthStar and Defense BD, the cuts are different, which is why the boundary diagram exists as a standalone artifact.
Your ATO covers a specific system boundary. Every new integration, data source, or capability potentially changes your authorization boundary. Undocumented boundary changes become assessment findings.
Ch 12 introduces the four Boundary Zones: Zone 1 (Core Product, always included), Zone 2 (Configurable, customer-adjusted), Zone 3 (Optional Modules, additional CLINs), Zone 4 (Excluded Scope, custom development only). The cost of boundary violations is quantified: seemingly small requests carry $75-150K+ and 2-4 months of schedule impact in ATO re-assessment and 3PAO re-engagement.
The language from the discovery call, "scope by deliverable not by hour", is Ch 12's boundary discipline stated as a principle. For NorthAI's Level 2 productized-service model, the boundary discipline is especially important because the customer relationship is still early: the first buyer will ask for customizations that feel reasonable but constitute Zone 4 (custom development) under the contract. The SLA template and contract-paper template both embed Ch 12's boundary language as standard terms.
The shift from hours to outcomes, from labor rates to unit pricing, is what transforms your economics.
Ch 13 enumerates the federal-compatible pricing models: Per-User/Seat (GSA MAS approved), Per-Unit/Asset (endpoint-based, audit-friendly), Subscription/Term (fixed recurring, annual budgets), Outcome-Based (mission impact + base fee). ConMon costs must be built into pricing from day one: $200-500K annual recurring burden at FedRAMP Moderate allocates across the customer base. Value justification without hours requires Total Cost of Ownership, Mission Impact Metrics, FTE Avoidance, and Market Comparisons.
The mandate that came up on the call, "demo and contract in the same meeting", is the Ch 13 pricing-and-entry collapse goal. It only works when the pricing is pre-defined, the value justification is pre-packaged, and the CLIN structure is ready to sign. The pricing-range memo operationalizes this for NorthAI's Tech Vector first SKU. The first-invoice template is the Ch 13 implementation artifact.
Simplified acquisition threshold ($350K, effective October 1, 2025) enables fast purchasing on GSA Schedule with no formal competition required.
Ch 14 maps the vehicle landscape: GSA MAS (broad market, 6-18 month approval, $51.9B FY24 scale, SIN 54151S for SaaS), GWACs/IDIQs (task-order competition, OASIS+ Phase II), OTA (60-90 day awards, DoD only, non-traditional status required). The SaaS Subscription CLIN pattern is CLIN 0001 (SaaS/FFP per-user annual) + CLIN 0002 (Onboarding/FFP) + CLIN 0003 (Custom Dev/T&M). The vehicle selection framework: GSA MAS for broad access; GWACs for large task orders; OTA for innovative defense products.
NorthAI's current vehicle reality: CHN Analytics LLC holds a 2021 AFWERX STTR (SBIR Phase I). The SBIR/STTR D2P2 pathway (Developmental Test and Evaluation, Phase II Direct to Phase II competition) is a potential fast-track vehicle for non-traditional defense technology vendors. The vehicle-delta tracker maps the gap between where NorthAI is today and where the CLIN structures need to be for the first signed contract. The UK / allied pathway memo extends Ch 14's vehicle logic to allied markets, where G-Cloud 15 was the allied equivalent of GSA MAS and NATO NCIA Neo is the tactical fallback.
The artifacts in this directory are grouped by phase and role. This is not the only valid reading order, but it is the one that builds context incrementally from the current state forward.
This artifact is grounded in public sources, the discovery call, and six B-stream research outputs. There are at least four scenarios that would materially change the chapter mapping:
If it is confirmed that CHN Analytics LLC was a direct prime contractor on the 2018-2023 OSI&A engagement (not sub-of-prime below the FFATA threshold), the past-performance strategy and vehicle-delta analysis in Ch 14 change significantly. A direct prime contract with a classified program office creates a different competitive position than a sub-of-sub untraced engagement.
If the current PE/VC raise closes with a Five Eyes allied investor at 5%+ board representation before US FedRAMP authorization is complete, FOCI mitigation (Ch 8 extended) becomes a Phase 1 priority rather than a Phase 3 consideration. The entire authorization timeline stretches by 6-12 months. The walkthrough's phasing assumption collapses.
The HARBOR analysis treats NorthStar, Tech Vector, and Defense BD as three separate product candidates scored independently on the S2P scorecard. If Stephanie clarifies that all three are modules within a single integrated platform (not separable SKUs), the Ch 11 standardization logic and Ch 12 boundary work change substantially. A single-platform SKU requires a different 70/30 cut than three independent product candidates.
If NorthAI signs a paying customer before the SKU spec, boundary diagram, and compliance-lead hire are in place, the engagement shifts from "build for market" to "deliver against customer" mode. Phase 1 and Phase 2 collapse into a single sprint. The Ch 13 ConMon cost allocation and Ch 12 boundary defense become immediate operational priorities rather than planning considerations. The HARBOR engagement would need to reprioritize accordingly.