Evidence vault · claim authority hub

Proof is what survives validation, boundaries, and human review.

The website routes reviewers to proof. It does not authorize claims. Claims either survive the vault — validators, evidence boundaries, and human review — or they stop at the gate.

Public ceiling · CONTROLLED_TEST_VALIDATED · 72 public-facing governance saves · Runtime claims bounded · Private-only records excluded

Governance Saves · proof of value

Controls Fired Before Bad Truth Shipped

72 public-facing records from GS-001 through GS-080 source range. Private-only records are excluded from this surface.

Controls fired by category across 72 public-facing records.
Category | Count | What it covers
Claim boundary | 16 | Public copy was downgraded, narrowed, or held to match repo-visible evidence — never inflated to runtime, signal, or production wording.
Runtime boundary | 7 | Private runtime evidence, mirror traffic, and legacy automation were kept out of public runtime/signal claims.
Validator hardening | 8 | Review-thread fixes converted verifier edge cases into deterministic fail-closed paths before merge.
AI authority | 2 | AI output stayed support-only. Verifiers enforce human review and block AI-decided disposition.
Merge authority | 13 | Green CI never became merge authority. Review, scope, resolved threads, and human approval stayed above checks.
Evidence protection | 3 | Non-public evidence, host-local paths, and operator notes were kept off public surfaces and out of public proof.
Release gate | 2 | Release wording, checksums, and reviewer-package state were gated before any "approved release" claim could surface.
Branch hygiene | 16 | Branch divergence, dirty trees, wrong-branch preflights, and direct-main pushes were stopped before they touched source truth.
Workflow hardening | 5 | Required-check rulesets, audit findings, and CODEOWNERS reality were treated as enforcement evidence only when verified.

In plain English: Governance saves are the moments a control fired before bad truth shipped — drift was attempted, the control caught it, and the public surface stayed honest. Private-only records are excluded from this view.

Claim firewall

Claims pass, wait, or stop at the gate.

A deterministic scanner, evidence gates, and human review authority sit between a claim and the public surface. Blocked terms stay visible — they describe what this surface does not assert.

ALLOWED · Passes the gate

These claims are backed by reviewer-inspectable evidence at the controlled-test ceiling, so they ship to the public surface.

  • Controlled validation where supported
  • Reviewer-inspectable proof surfaces
  • Reviewer-inspectable artifacts
  • Governance saves — controls that fired

CAREFUL · Held for review

These describe bounded, private-evidence work. They survive only as summaries and require a separate evidence-backed promotion gate before any stronger wording advances.

  • Runtime-supported (private)
  • Runtime-observed (private, source-supported only)
  • Closed controlled loop
  • SOCaaS-style model
  • AI triage support (support-only)

BLOCKED · NOT CLAIMED · Stops at the gate

These terms are blocked from public wording. They are not claimed anywhere on this surface and stay blocked until a separate evidence-backed promotion gate changes their state.

  • runtime-active
  • signal-observed
  • public-safe runtime proof
  • production-ready
  • production/customer/SOCaaS deployment
  • SOCaaS-ready
  • FortiSIEM integration proven
  • fleet-wide
  • live Splunk fired
  • Splunk-proven Runtime Signal 001
  • Cribl-routed
  • Wazuh-routed
  • AWS-live
  • autonomous SOC
  • AI-approved disposition
  • analyst-approved disposition
  • public-safe
  • public runtime proof (unless separately promoted)
  • production / customer validated
  • partner / endorsed
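
An added sketch, not the project's own scanner, of the fail-closed lane decision described above. The term lists are a subset copied from this page; the rule that a blocked term may appear only in a sentence that explicitly disclaims it is an assumption, as are the names `scan`, `DISCLAIMER` and `SAMPLES`.

```python
import re

# Terms copied from this page's BLOCKED and CAREFUL lanes (a subset).
BLOCKED = ["runtime-active", "signal-observed", "public-safe runtime proof",
           "production-ready", "SOCaaS-ready", "fleet-wide", "AWS-live",
           "autonomous SOC", "AI-approved disposition"]
CAREFUL = ["runtime-supported", "runtime-observed", "closed controlled loop",
           "SOCaaS-style model", "AI triage support"]

# Assumption (not stated on the page): a blocked term is tolerated only in a
# sentence that explicitly disclaims it, so the blocked list can stay visible.
DISCLAIMER = re.compile(
    r"\b(?:not claimed|is blocked|are blocked|remains? blocked|"
    r"stays? blocked|does not prove)\b", re.I)


def _term_re(term):
    # Whole-term match: "runtime-active" must not hit "runtime-actively".
    return re.compile(r"(?<![\w-])" + re.escape(term) + r"(?![\w-])", re.I)


BLOCKED_RE = [(t, _term_re(t)) for t in BLOCKED]
CAREFUL_RE = [(t, _term_re(t)) for t in CAREFUL]


def scan(copy):
    """Return (lane, findings); lane is 'STOP', 'HOLD' or 'PASS'."""
    findings = []
    for n, sentence in enumerate(re.split(r"(?<=[.!?])\s+|\n+", copy), 1):
        disclaimed = bool(DISCLAIMER.search(sentence))
        for term, rx in BLOCKED_RE:
            if rx.search(sentence) and not disclaimed:
                findings.append(("STOP", n, term))
        for term, rx in CAREFUL_RE:
            if rx.search(sentence):
                findings.append(("HOLD", n, term))
    lanes = {lane for lane, _, _ in findings}
    lane = "STOP" if "STOP" in lanes else "HOLD" if "HOLD" in lanes else "PASS"
    return lane, findings


# Constructed sample copy, not taken from any real release text.
SAMPLES = [
    "HO-DET-001 passed 14 / 14 controlled fixtures.",
    "Runtime-active status is not claimed.",
    "The detection is production-ready and fleet-wide.",
    "Runtime-supported (private) summary is available to reviewers.",
    "Signal-observed status is not claimed. The rule is now runtime-active.",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(scan(s)[0], "|", s)
```

Sentence-level disclaimer matching is coarse, so a PASS here is an input to human review, not a release decision.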

Blocked claims

Kept off the public surface by design

These claims remain blocked unless separate evidence-backed promotion changes their state. Visibility of the blocked list keeps the supported ceiling honest.

CLAIM FIREWALL · ACTIVE
  • runtime-active
  • signal-observed
  • public-safe runtime proof
  • production-ready
  • production/customer/SOCaaS deployment
  • SOCaaS-ready
  • FortiSIEM integration proven
  • fleet-wide

Public-safe runtime proof is not claimed.

Cribl-routed, Wazuh-routed, AWS-live are not claimed.

Autonomous SOC and AI-approved disposition are not claimed.

Sealed reviewer package

Proof Pack 001 — a bounded reviewer package.

The receipt states what the package supports and what it does not prove. Raw / private runtime evidence is excluded and public runtime proof stays blocked.

HAWKINSOPERATIONS_PROOF_PACK_001 · CONTROLLED_TEST_VALIDATED

Included · reviewer package (7)

  • REVIEWER_PACKET.md: Boundary packet for HO-DET-001.
  • SHA256SUMS.txt: Source-controlled checksums for packet files.
  • HO-DET-001 proof card: Bounded controlled-test proof card.
  • HO-DET-001 proof record: Public proof record with stated ceiling.
  • Validation record: 14 / 14 controlled fixtures.
  • Ledger / schema: Evidence ledger and schema.
  • Proof verifier: Structure / parity / boundary checks.

Excluded · blocked from public release (2)

  • Raw / private runtime evidence: NOT_PUBLIC_SAFE — excluded from the public proof basis.
  • Public-safe runtime proof: BLOCKED until evidence linkage and explicit promotion.

Does not prove

  • Runtime-active status is not claimed.
  • Signal-observed status is not claimed.
  • Evidence-linked public runtime proof is blocked.
  • Production-ready and SOCaaS availability are not claimed.
  • Live Splunk, Cribl/Wazuh, and live AWS are blocked.
  • Autonomous SOC and AI / analyst disposition are not claimed.

DIRECT_RELEASE_ROUTE · SOURCE_PACKET_CHECK_MODE · NO_SIGNED_ARTIFACT

An official direct GitHub Release route exists. Source packet manifest / check-mode language remains source-packet / release-candidate metadata — a route / status distinction, not a stronger proof claim.

Render-only ledger route

Lifetime Case Ledger v1

The website is render-only; the proof repo owns the summary and proof bundle. The badges are workflow-status indicators only. Boundary: no runtime, signal, public-safe runtime proof, SOCaaS, production, autonomous SOC, disposition, or case-closure claim is made.

LEDGER STATUS · NOT_PUBLIC_SAFE · Proof ceiling: SCHEMA_CONTRACT_VERIFIER_EXISTS_ONLY
COUNT SNAPSHOT · total_ledger_events=6 · total_cases=6 · public_safe_count=0 · closed_case_count=0
APPENDED DETECTIONS · HO-DET-001, HO-DET-011, HO-DET-012 · Tracked by proof-owned summary references, not by website authority.
VERIFICATION STATUS · Workflow-status indicators only · Inspect lifetime-ledger-public-summary and lifetime-ledger-proof-bundle jobs in Governance Gate.
Boundary: website is render-only; proof repo owns the summary and proof bundle; badges are workflow-status indicators only; no runtime, signal, public-safe runtime proof, SOCaaS, production, autonomous SOC, disposition, or case-closure claim is made. Does not prove: live runtime activity; signal observation; public proof; public-safe runtime proof; SOCaaS deployment; production deployment; autonomous SOC authority; AI-approved final disposition; analyst-approved final disposition; case closure authority.

Runtime boundary

The runtime proof tower — what survives, what stays sealed.

Each level names a stronger runtime status. The public surface holds at controlled validation; higher rungs are sealed gates that require separate evidence and human approval.

Runtime proof boundary levels.
Level | Status | What it does not prove
01 · Controlled validation | SUPPORTED | It does not prove runtime activation or any signal observation.
02 · Runtime path initialized | SOURCE-VISIBLE | Source presence is not runtime; nothing here is claimed as executed in production.
03 · Runtime-supported (private) | PARTIAL | Public runtime proof is blocked; the private marker is not a public claim.
04 · Runtime-observed (private) | PARTIAL | Public NDR, cross-source, and signal-observed proof are not claimed from this surface.
05 · Public runtime proof | BLOCKED | Runtime-active, signal-observed, and public-safe runtime proof are blocked and not claimed until a separate promotion gate clears them.
06 · Production / customer / fleet | BLOCKED | Production-ready, customer-validated, partner-endorsed, fleet-wide, and autonomous SOC claims are blocked and not made anywhere on this surface.

Evidence bay

Proof records — receipts, not a ledger.

The flagship record leads; supporting records follow at lower weight. Each holds its bounded ceiling and a supports / does-not-prove split.

HO-DET-001

SOCaaS Pilot Receipt · controlled-test validation

CONTROLLED_TEST_VALIDATED · PROOF RECORD PRESENT

Supports

  • The public ceiling is stated as CONTROLLED_TEST_VALIDATED.
  • Blocked promotions are visible instead of hidden.
  • Website rendering remains separated from evidence authority.
  • The platform verifier preserves NOT_PUBLIC_SAFE and BLOCKED runtime promotion fields.
  • The SOCaaS Pilot Receipt shows source, alert shape, validation, case packet, AI support, and human review as separate stages.

Does not prove

  • Runtime activation is not claimed.
  • Signal observation is not claimed.
  • Public-safe runtime proof is not claimed.
  • Live Splunk fired, Cribl-routed status, Wazuh-routed public proof, AWS-live status, production-ready status, fleet-wide coverage, autonomous SOC operation, AI-approved disposition, and analyst-approved disposition are not claimed.
  • External-use approval is not claimed.
  • Public-safe proof is not claimed.
  • Production/customer/SOCaaS deployment, SOCaaS-ready status, FortiSIEM integration proven status, and autonomous production alert resolution are not claimed.

Remaining gates & promotion requirements

Remaining blocked

  • Runtime evidence must be promoted separately.
  • Signal evidence must be promoted separately.
  • Public proof requires evidence linkage.
  • The platform runtime contract does not promote HO-DET-001 beyond CONTROLLED_TEST_VALIDATED.
  • Blocked-claim scanner must stay clean before wording changes ship.

Promotion requirements

  • Preserved validation output linked to the record.
  • Evidence bundle with current trust classification.
  • Runtime and signal claims reviewed independently.
  • Public wording reviewed against blocked promotions.

AWS-DET-001

CloudTrail-style IAM denial fixture proof card

CONTROLLED_TEST_VALIDATED · PROOF RECORD PRESENT

Supports

  • AWS-DET-001 passed fixture-only validation against controlled CloudTrail-style IAM denial fixtures.
  • The website renders the public ceiling as CONTROLLED_TEST_VALIDATED.

Does not prove

  • AWS-live status is not claimed.
  • AWS CloudTrail live evidence is not claimed.

Remaining gates & promotion requirements

Remaining blocked

  • AWS-live proof requires separate evidence and Raylee approval.
  • Cloud runtime-active proof requires separate deployment evidence.
  • Signal-observed public proof requires preserved cloud telemetry.
  • Public-safe runtime proof requires evidence linkage and promotion.

Promotion requirements

  • Real CloudTrail evidence with sanitization and stale review.
  • Cloud deployment evidence linking the rule to an enabled environment.
  • Public wording reviewed against the blocked-claim list.
  • Raylee approval after evidence and claim review.

HO-DET-011

Windows Service Creation / Binary Change · bounded summary

CONTROLLED_TEST_VALIDATED · PRIVATE RUNTIME BOUNDARY

Supports

  • 17 / 17 fixtures pass deterministically.
  • 0 missed positives and 0 false-positive negatives.

Does not prove

  • Public runtime proof and public signal-observed proof are not claimed.
  • Splunk remains NOT_VERIFIED.

Remaining gates & promotion requirements

Remaining blocked

  • Raw Wazuh lines, Windows event payloads, command output, host/user details, private paths, internal network details, service markers, correlation markers, and private hashes remain excluded.
  • Public runtime proof requires a separate approval beyond this bounded summary.

Promotion requirements

  • Separate proof/index vocabulary and approval before any stronger runtime or signal claim.
  • Fresh wording review before publishing any evidence anchor or private hash.

HO-DET-012

Suspicious Scheduled Task Creation · bounded summary

CONTROLLED_TEST_VALIDATED · PROOF RECORD PRESENT

Supports

  • 8 / 8 fixtures pass deterministically.
  • 0 missed positives and 0 false-positive negatives.

Does not prove

  • Public runtime proof and public signal-observed proof are not claimed.
  • Splunk remains NOT_VERIFIED.

Remaining gates & promotion requirements

Remaining blocked

  • Raw Wazuh lines, Windows event payloads, command output, host/user details, private paths, internal network details, task markers, correlation markers, and private hashes remain excluded.
  • Public runtime proof requires a separate approval beyond this bounded summary.

Promotion requirements

  • Separate proof/index vocabulary and approval before any stronger runtime or signal claim.
  • Fresh wording review before publishing any evidence anchor or private hash.

ID-DET-001

Suspicious identity session context · no proof record

CONTROLLED_TEST_VALIDATED · NO PROOF RECORD

Supports

  • 10 / 10 fixtures pass deterministically.
  • 0 missed positives and 0 false-positive negatives.

Does not prove

  • Live IdP / SIEM / NDR coverage is not claimed.
  • Production identity coverage and autonomous / AI disposition are not claimed.

Remaining gates & promotion requirements

Remaining blocked

  • A proof record must be created before public proof status.

Promotion requirements

  • Proof record authored and linked to validation output.

ID-DET-002

MFA fatigue / repeated MFA failure · no proof record

CONTROLLED_TEST_VALIDATED · NO PROOF RECORD

Supports

  • 10 / 10 fixtures pass deterministically.
  • 0 missed positives and 0 false-positive negatives.

Does not prove

  • Live IdP and live SIEM / NDR are not claimed.
  • Proof promotion and public-safe state are not claimed.

Remaining gates & promotion requirements

Remaining blocked

  • A proof record must be created before public proof status.

Promotion requirements

  • Proof record authored and linked to validation output.

ID-DET-003

Privileged role / admin group change · no proof record

CONTROLLED_TEST_VALIDATED · NO PROOF RECORD

Supports

  • 10 / 10 fixtures pass deterministically.
  • 0 missed positives and 0 false-positive negatives.

Does not prove

  • Live IdP / SIEM coverage is not claimed.
  • Production coverage and AI / analyst disposition are not claimed.

Remaining gates & promotion requirements

Remaining blocked

  • A proof record must be created before public proof status.

Promotion requirements

  • Proof record authored and linked to validation output.

ID-DET-004

Impossible travel / anomalous session · no proof record

CONTROLLED_TEST_VALIDATED · NO PROOF RECORD

Supports

  • 10 / 10 fixtures pass deterministically.
  • 0 missed positives and 0 false-positive negatives.

Does not prove

  • Impossible-travel and session-hijacking completeness are not claimed.
  • Live IdP and public-safe state are not claimed.

Remaining gates & promotion requirements

Remaining blocked

  • Completeness is blocked; a proof record must be created before public proof status.

Promotion requirements

  • Proof record authored and linked to validation output.

HO-NDR-001

Security Onion visibility contract · boundary scaffold

BOUNDARY_CONTRACT_ONLY · BOUNDARY CONTRACT ONLY

Supports

  • A cross-source corroboration contract is defined.

Does not prove

  • Security Onion runtime, Splunk search, and Cribl / Wazuh routes are not claimed.
  • Zeek / Suricata quality and public-safe proof are not claimed.

Remaining gates & promotion requirements

Remaining blocked

  • Cross-source corroboration contract is defined, not promoted to proof.

Promotion requirements

  • Fixtures authored and validated before any proof record.

Each record holds its bounded ceiling and routes reviewers to source and validation. Website rendering is not proof.

Promotion gates

What must hold before stronger wording ships.

The ladder is sequential — no rung is skipped. Stronger runtime, signal, and public proof wording cannot ship until its gate clears.

  1. G·01: Current source artifact remains reviewable in the owning repository.
  2. G·02: Validation output is deterministic and linked to the proof record.
  3. G·03: Runtime state is independently evidenced before runtime claims move forward.
  4. G·04: Signal state is independently evidenced before signal claims move forward.
  5. G·05: Evidence linkage is explicit before public proof status changes.
  6. G·06: Public wording is scanned against the blocked-claim list before release.

Governed work · Snapshot as of 2026-05-18

Recent governed proof-repo work

Recent governed work on the proof repo. Reviewer-visible cards that do not change the public claim ceiling. Stronger wording requires a separate evidence-backed promotion gate.

SNAPSHOT · 2026-05-18
Snapshot scope: governed labor and reviewed merges. Hand-maintained. Not auto-updated. Does not claim runtime-active, signal-observed, or public-safe runtime proof — those wordings remain blocked by the claim firewall.

Rendering is not proof.

Evidence, validators, and human review authorize claims. The website routes reviewers to proof; it does not author it.