HawkinsOperationsDetection Engineering SOC

Reviewer evidence bay

Reviewer artifacts.Each card keeps its own ceiling.

Filter the evidence by family. Every card routes reviewers to the receipt and states what it supports and what it does not prove. Website cards are not the evidence.

Open the evidence bay →Reviewer pathsAnchor artifactsProof authority
Receipts, not vibes

This is a receipt room: every artifact carries its own ceiling, a supports / does-not-prove split, and a route to the evidence. Private evidence is excluded and website rendering is not proof.

Reviewer paths

Pick where to start.

The same evidence bay reads differently depending on who is inspecting. Choose a lens; the route stays inside surfaces that already exist.

New high-ROI reviewer receipts

Start with the newest bounded receipts, then inspect the full bay.

These cards surface the newest reviewer routes first. They still keep source route, support, does-not-prove, and proof-boundary notes attached to each artifact.

Control Plane & Workflow

Source-backed receipts that expose the detection-to-validation-to-proof workflow structure reviewers can inspect.

ARCHITECTURESUPPORTED

Detection Factory / Validation Factory Controller

Governed control planeCONTROL_PLANE_STRUCTURE
Supports
A bounded controller pattern exists for status and plan packets across detection, validation, and proof workflow structure.
Does not prove
Every detection is validated, runtime execution occurred, signal observation happened, autonomous SOC authority exists, or AI approved anything.
Reviewer metadata
Public-safe status
PUBLIC_STRUCTURE_SUMMARY
Reviewer action
Inspect the controller as workflow structure, then follow validation/proof routes for individual detection claims.
Related surface / repo
Platform / Validation / Proof / Detections
Proof boundary note
The controller emits bounded status; promotion and proof authority remain outside the controller.
Open platform contract

Validation & Proof Boundary

Receipts that keep controlled validation, runtime boundaries, and reviewer packets separated from proof promotion.

VALIDATIONSUPPORTED

HO-DET-012 Controlled Validation / Runtime Boundary

Validation TruthCONTROLLED_TEST_VALIDATED
Supports
HO-DET-012 has a controlled-test validation package, a proof record, and a bounded public summary with raw evidence kept private.
Does not prove
Runtime-active public proof, signal-observed proof, scheduled-task coverage completeness, production deployment, or public-safe runtime proof.
Reviewer metadata
Public-safe status
BOUNDED_PUBLIC_SAFE_SUMMARY_APPROVED
Reviewer action
Inspect the runtime-boundary page, then verify the validation registry row and proof ceiling.
Related surface / repo
Proof / Validation / Runtime Proof Factory
Proof boundary note
The public website may summarize the bounded boundary; raw runtime material and stronger runtime/signal claims stay blocked.
Open runtime boundary
PUBLIC PACKETSUPPORTED

Proof Loop Reviewer Brief / Review ZIP Standard

Reviewer packetREVIEWER_PACKET_STANDARD
Supports
A reviewer packet route and inspection standard exist for bounded proof review.
Does not prove
Runtime truth, public-safe truth, production readiness, customer validation, or SOCaaS maturity.
Reviewer metadata
Public-safe status
PUBLIC_REVIEWER_PACKET
Reviewer action
Start with the manifest, then compare each receipt against the does-prove and does-not-prove boundary.
Related surface / repo
Proof Pack 001 / Proof manifest / Governance Saves
Proof boundary note
A reviewer packet routes inspection; it does not raise a claim ceiling by existing.
Open Proof Pack 001

Telemetry & AI Boundary

Boundary cards for telemetry routes, NDR visibility contracts, and support-only AI triage authority.

ARCHITECTUREREFERENCE

HO-PIPE-001 Telemetry Route Boundary

Telemetry route boundarySOURCE_EXISTS_VALIDATION_PLANNED
Supports
HO-PIPE-001 is represented in the public detection map as a source-existing telemetry route boundary with validation planned.
Does not prove
Live route validation, Cribl reduction proof, runtime-active public proof, public-safe proof, or production telemetry routing.
Reviewer metadata
Public-safe status
PUBLIC_ROUTE_BOUNDARY_SUMMARY
Reviewer action
Inspect HO-PIPE-001 in the attack coverage source, then use the rendered detections map only as navigation.
Related surface / repo
Detections / Attack coverage source
Proof boundary note
SOURCE_EXISTS / VALIDATION_PLANNED is not route proof and does not promote telemetry runtime claims.
Open detections map
ARCHITECTUREREFERENCE

HO-NDR-001 Security Onion Visibility Contract

NDR visibility contractBOUNDARY_CONTRACT_ONLY
Supports
HO-NDR-001 is represented as a contract-only visibility boundary with no fixtures and no proof record.
Does not prove
Production NDR, permanent SPAN, public-safe NDR proof, live NDR coverage, or cross-source corroboration as public proof.
Reviewer metadata
Public-safe status
PUBLIC_BOUNDARY_CONTRACT_SUMMARY
Reviewer action
Read the validation-registry row as contract-only; do not promote it into observed Security Onion proof.
Related surface / repo
Validation registry / Platform contracts / Detections
Proof boundary note
A visibility contract is not NDR proof; runtime, signal, and corroboration claims require separate promoted evidence.
Open validation registry
GOVERNANCEREFERENCE

HO-LAB-AUTO / Support-only AI Triage Boundary

AI support boundarySUPPORT_ONLY_AI
Supports
A public support-only AI boundary is represented: AI may assist labor, but human review remains authority.
Does not prove
AI-approved disposition, autonomous SOC, public runtime proof, production readiness, or analyst-approved outcome.
Reviewer metadata
Public-safe status
PUBLIC_BOUNDARY_SUMMARY
Reviewer action
Use this card to inspect where AI support stops and human review authority begins.
Related surface / repo
AI Security / Platform contracts
Proof boundary note
AI support can summarize and route; it cannot approve disposition, proof promotion, or public-safe status.
Open AI security model

Evidence bay

Filter by family · the ceiling travels with the artifact.

One control room for every reviewer artifact. Pick a family; each card shows its owning surface, what it supports, what it does not prove, and where to inspect it.

25 artifacts · all families

PROOF RECORDSUPPORTED

HO-DET-001 Proof Record

Supports
A public proof record exists with a stated ceiling, blocked promotions, and a path back to source and validation.
Does not prove
Runtime activation, signal observation, fleet scope, or external-use authorization.
Open proof card
GOVERNANCESUPPORTED

Website Rendering Is Not Proof

Supports
The public website owns presentation only and routes reviewers to evidence and proof records.
Does not prove
Runtime, signal, or evidence claims that live in their own repositories and gates.
Read field note
CASE STUDYSUPPORTED

HO-DET-001 Case File

Supports
The bounded scope of controlled-test validation status against an explicit promotion gate list.
Does not prove
Runtime or signal authority outside the controlled-test path.
Open case file
PROOF RECORDSUPPORTED

AWS-DET-001 Proof Record

Supports
AWS-DET-001 passed fixture-only validation against controlled CloudTrail-style IAM denial fixtures.
Does not prove
AWS-live, CloudTrail live, cloud runtime-active, signal-observed, or public-safe runtime proof.
Open proof record
PROOF RECORDBLOCKED · PENDING

HO-DET-001 Private Runtime Boundary

Supports
Only that the public card routes reviewers to a blocked private/internal boundary, not to a public runtime fact.
Does not prove
Runtime-active deployment, public-safe runtime proof, fleet-wide coverage, Cribl-routed telemetry, Wazuh-routed public proof, AWS-live status, or live Splunk fired as public proof.
Open proof record
PROOF RECORDBLOCKED · PENDING

Private Marker Delivery Boundary

Supports
Only that the public card routes reviewers to a blocked private/internal boundary, not to a public Splunk or Cribl fact.
Does not prove
HO-DET-001/Sysmon telemetry is Cribl-routed, Cribl-routed telemetry for production or fleet scope, Wazuh-routed public proof, live Splunk fired as public proof, or any change to the public proof ceiling.
Open proof record
VALIDATIONSUPPORTED

Validation Report — Controlled-Test Scope

Supports
A bounded test path passed inside its declared scope.
Does not prove
Runtime activity, public signal, or external-use approval.
Read field note
VALIDATIONSUPPORTED

HO-DET-012 Controlled Validation / Runtime Boundary

Supports
HO-DET-012 has a controlled-test validation package, a proof record, and a bounded public summary with raw evidence kept private.
Does not prove
Runtime-active public proof, signal-observed proof, scheduled-task coverage completeness, production deployment, or public-safe runtime proof.
Reviewer metadata
Public-safe status
BOUNDED_PUBLIC_SAFE_SUMMARY_APPROVED
Reviewer action
Inspect the runtime-boundary page, then verify the validation registry row and proof ceiling.
Related surface / repo
Proof / Validation / Runtime Proof Factory
Proof boundary note
The public website may summarize the bounded boundary; raw runtime material and stronger runtime/signal claims stay blocked.
Open runtime boundary
ARCHITECTUREREFERENCE

HO-PIPE-001 Telemetry Route Boundary

Supports
HO-PIPE-001 is represented in the public detection map as a source-existing telemetry route boundary with validation planned.
Does not prove
Live route validation, Cribl reduction proof, runtime-active public proof, public-safe proof, or production telemetry routing.
Reviewer metadata
Public-safe status
PUBLIC_ROUTE_BOUNDARY_SUMMARY
Reviewer action
Inspect HO-PIPE-001 in the attack coverage source, then use the rendered detections map only as navigation.
Related surface / repo
Detections / Attack coverage source
Proof boundary note
SOURCE_EXISTS / VALIDATION_PLANNED is not route proof and does not promote telemetry runtime claims.
Open detections map
ARCHITECTUREREFERENCE

HO-NDR-001 Security Onion Visibility Contract

Supports
HO-NDR-001 is represented as a contract-only visibility boundary with no fixtures and no proof record.
Does not prove
Production NDR, permanent SPAN, public-safe NDR proof, live NDR coverage, or cross-source corroboration as public proof.
Reviewer metadata
Public-safe status
PUBLIC_BOUNDARY_CONTRACT_SUMMARY
Reviewer action
Read the validation-registry row as contract-only; do not promote it into observed Security Onion proof.
Related surface / repo
Validation registry / Platform contracts / Detections
Proof boundary note
A visibility contract is not NDR proof; runtime, signal, and corroboration claims require separate promoted evidence.
Open validation registry
PUBLIC PACKETSUPPORTED

Proof Loop Reviewer Brief / Review ZIP Standard

Supports
A reviewer packet route and inspection standard exist for bounded proof review.
Does not prove
Runtime truth, public-safe truth, production readiness, customer validation, or SOCaaS maturity.
Reviewer metadata
Public-safe status
PUBLIC_REVIEWER_PACKET
Reviewer action
Start with the manifest, then compare each receipt against the does-prove and does-not-prove boundary.
Related surface / repo
Proof Pack 001 / Proof manifest / Governance Saves
Proof boundary note
A reviewer packet routes inspection; it does not raise a claim ceiling by existing.
Open Proof Pack 001
ARCHITECTURESUPPORTED

Detection Factory / Validation Factory Controller

Supports
A bounded controller pattern exists for status and plan packets across detection, validation, and proof workflow structure.
Does not prove
Every detection is validated, runtime execution occurred, signal observation happened, autonomous SOC authority exists, or AI approved anything.
Reviewer metadata
Public-safe status
PUBLIC_STRUCTURE_SUMMARY
Reviewer action
Inspect the controller as workflow structure, then follow validation/proof routes for individual detection claims.
Related surface / repo
Platform / Validation / Proof / Detections
Proof boundary note
The controller emits bounded status; promotion and proof authority remain outside the controller.
Open platform contract
GOVERNANCEREFERENCE

HO-LAB-AUTO / Support-only AI Triage Boundary

Supports
A public support-only AI boundary is represented: AI may assist labor, but human review remains authority.
Does not prove
AI-approved disposition, autonomous SOC, public runtime proof, production readiness, or analyst-approved outcome.
Reviewer metadata
Public-safe status
PUBLIC_BOUNDARY_SUMMARY
Reviewer action
Use this card to inspect where AI support stops and human review authority begins.
Related surface / repo
AI Security / Platform contracts
Proof boundary note
AI support can summarize and route; it cannot approve disposition, proof promotion, or public-safe status.
Open AI security model
GOVERNANCESUPPORTED

Claim Firewall

Supports
The supported public ceiling and the explicit list of claims kept off the public surface.
Does not prove
That blocked claims are merely pending; some remain blocked by design.
Open firewall
CI / VERIFIERSUPPORTED

Blocked-Claim CI Scanner

Supports
Rendering wording has a deterministic scanner and a published blocked-claim list.
Does not prove
Runtime control coverage, required-check enforcement, or branch-protection status.
Site contract
ARCHITECTURESUPPORTED

Truth Surface Model

Supports
Each surface owns a different question; none inherits proof by presentation.
Does not prove
That every surface is currently active for HawkinsOperations claims.
Open model
ARCHITECTURESUPPORTED

Repository Authority Map

Supports
Repository plane separation by ownership and authority.
Does not prove
Runtime state across repositories.
Open repo map
GOVERNANCESUPPORTED

Control Status Matrix

Supports
A central reviewer-facing routing surface for control status exists in the .github profile repo.
Does not prove
Runtime control activation outside the matrix's own statements.
Open matrix
ARCHITECTURESUPPORTED

Claim Promotion Flow

Supports
A documented promotion path with separate gates per surface.
Does not prove
That a given claim has currently passed every gate.
Open architecture
PUBLIC PACKETSUPPORTED

Reviewer Route — 3 Speeds

Supports
Reviewer-friendly entry routes into proof and architecture.
Does not prove
That reading the route promotes any claim.
Open route
FIELD NOTESUPPORTED

Field Notes Codex

Supports
A short-form public surface that defends the system's boundary doctrine.
Does not prove
Runtime claims; field notes route to records.
Open field notes
GOVERNANCESUPPORTED

AI Authority Boundary

Supports
Where AI assistance ends and human-approved governance begins inside this system.
Does not prove
That any model output is itself a proof artifact.
Read field note
GOVERNANCESUPPORTED

Blocked Public Claims

Supports
Reviewers can see what is blocked, not just what is supported.
Does not prove
Hidden claims; the blocked list is intentionally visible.
Open firewall
LEGACYREFERENCE

Legacy Boundary

Supports
Legacy material exists and can give context.
Does not prove
Current runtime, signal, or evidence claims for HawkinsOperations.
Open boundary
PUBLIC PACKETSUPPORTED

System History

Supports
Rendering changes are tracked publicly.
Does not prove
Runtime or signal changes to the underlying detection system.
Open changelog

Reviewer anchors

Start with the proof-bearing artifacts.

The proof record holds the bounded ceiling. The doctrine keeps rendering separate from proof. The route line shows how the rendered card points back to evidence.

PROOF RECORDSUPPORTED

HO-DET-001 Proof Record

The flagship public proof record with controlled-test validation status, bounded ceiling, and explicit blocked promotions.

Proves
A public proof record exists with a stated ceiling, blocked promotions, and a path back to source and validation.
Does not prove
Runtime activation, signal observation, fleet scope, or external-use authorization.
Open proof card
GOVERNANCESUPPORTED

Website Rendering Is Not Proof

The boundary doctrine that separates a rendered page from a proof record. Routing is not evidence.

Proves
The public website owns presentation only and routes reviewers to evidence and proof records.
Does not prove
Runtime, signal, or evidence claims that live in their own repositories and gates.
Read field note

Local GPU Triage / Factory Lane

Governed platform work · bounded receipts and status packets.

Recent platform work defines bounded workflow gates, receipt emission, and status packets. This lane is reviewer-visible governed labor only. It does not claim model execution in CI, GPU CI proven status, runtime-active status, signal-observed status, or public-safe runtime proof.

Governed labor only
  1. 01 · Phase A

    Phase A scaffold

    Pipeline structure scaffolded as governed labor.

    Does not prove runtime activity or GPU CI status.

    Open artifact ↗

  2. 02 · Phase B

    Phase B workflow gate

    Second-phase workflow gate added as bounded structure.

    Governed labor only; not runtime proof.

    Open artifact ↗

  3. 03 · Receipt

    Receipt-emit hardened

    Workflow emits a bounded receipt artifact for governed inspection.

    Does not prove model execution in CI or public-safe runtime proof.

    Open artifact ↗

  4. 04 · Factory

    Factory status packets

    Detection Factory Controller v0 emits bounded status packets.

    Does not claim autonomous SOC or AI-approved disposition.

    Open artifact ↗

BoundaryGPU / factory artifacts are reviewer-visible governed work. They do not prove model execution in CI, GPU CI status, runtime-active status, signal-observed status, or public-safe runtime proof. Public ceiling stays at CONTROLLED_TEST_VALIDATED.

Recent governed work · by surface

Grouped by where the work lives.

Each group is a hand-maintained static snapshot. Cards open reviewer review pages. No card claims runtime-active, signal-observed, or public-safe runtime proof.

Proof · case studies

Evidence boundary

Proof-repo updates and reviewer-visible case studies. Does not promote runtime or public-safe runtime proof.

Governed work · Proof surface

Proof / case study artifacts

Proof-repo updates and reviewer-visible case studies.

SNAPSHOT · 2026-05-18
Snapshot scope: governed labor and reviewed merges. Hand-maintained. Not auto-updated. Does not claim runtime-active, signal-observed, or public-safe runtime proof — those wordings remain blocked by the claim firewall.Open the org ↗

Platform · GPU · Factory

Governed labor

Platform-repo work — bounded workflow gates, receipt emission, and Detection Factory Controller status packets. Governed labor only; does not claim model execution in CI or GPU CI proven status.

Governed work · Platform surface

Platform / GPU / Factory artifacts

Bounded workflow gates and receipts. Governed labor only.

SNAPSHOT · 2026-05-18
Snapshot scope: governed labor and reviewed merges. Hand-maintained. Not auto-updated. Does not claim runtime-active, signal-observed, or public-safe runtime proof — those wordings remain blocked by the claim firewall.Open the org ↗

Validation · verifiers

Controlled-test boundary

Validation-repo verifier work for HO-DET-001 AI triage. Closes controlled-test edge cases; runtime and signal-observed status remain blocked at this surface.

Governed work · Validation surface

Validation / verifier artifacts

Controlled-test verifier work.

SNAPSHOT · 2026-05-18
Snapshot scope: governed labor and reviewed merges. Hand-maintained. Not auto-updated. Does not claim runtime-active, signal-observed, or public-safe runtime proof — those wordings remain blocked by the claim firewall.Open the org ↗

Website · public rendering

Public rendering

Website-repo updates. Public rendering only — website rendering is not proof.

Governed work · Website surface

Website / public rendering artifacts

Public rendering updates only.

SNAPSHOT · 2026-05-18
Snapshot scope: governed labor and reviewed merges. Hand-maintained. Not auto-updated. Does not claim runtime-active, signal-observed, or public-safe runtime proof — those wordings remain blocked by the claim firewall.Open the org ↗

Coverage heatmap

Family coverage at a glance.

Select a family to read its coverage across planes. Cells show where each family exists in public, where the website routes, and what stays private or blocked. The matrix below holds the same data as a table.

Reviewer evidence coverage

Artifact family coverage.

This matrix groups artifact families across planes. Cells declare what exists in public, what the website routes, and what is held private or blocked. The matrix does not promote claims; it shows family-level coverage.

Artifact familySourceValidationProofWebsitePrivate evidencePublic status
HO-DET-001 proof looppresentpresentpresentroutedcontrolled-test
Proof Pack 001presentpresentroutedroutedreviewer-routed
HO-DET-001 detection sourcepresentpresentroutedroutedcontrolled-test
Validation CI / reportpresentpresentroutedroutedpresent
Backend adapter · field mappingprivateprivatereferenceprivateblocked
AI support · GPU supportprivateprivateprivateblocked
NDR · Security Onion recordprivatereferencereferenceprivateunpublished
Cyber Kill Chain / ATT&CK reviewer mappresentpresentroutedroutedrendering
Governance · review authoritypresentpresentroutedroutedpresent
Website proof routingpresentpresentroutedroutedrendering

Legend · present = public artifact exists on its authority repo · routed = website surface points to the receipt · private = held in private/internal evidence, not public · reference = referenced but not promoted · blocked = not eligible for public claim until promotion gate clears · reviewer-routed = bounded reviewer route available; not proof promotion. Website rendering is not proof; the matrix only describes coverage state.