Case file

HO-DET-001

SOCaaS Pilot Receipt · controlled-test validation

RENDERING_ONLY · CONTROLLED_TEST_VALIDATED · NOT_PUBLIC_SAFE

SOCaaS Pilot Receipt · source to public boundary

ceiling · CONTROLLED_TEST_VALIDATED
  1. 01 SOURCE_PRESENT: HO-DET-001 source is reviewable as Suspicious PowerShell EncodedCommand detection material.
  2. 02 ALERT_SHAPE: The receipt describes endpoint process context and expected fixture behavior without exposing raw runtime evidence.
  3. 03 CONTROLLED_VALIDATION: Fourteen positive and negative fixtures define the controlled-test validation boundary.
  4. 04 CASE_PACKET_CONTRACT: Case packet workflow routes source facts, validation status, blocked actions, and support-only review fields.
  5. 05 AI_SUPPORT_ONLY: AI accelerates labor: drafting, scaffolding, reviewer prep. AI does not promote claims.
  6. 06 HUMAN_REVIEW_GATE: Human review authorizes any stronger claim movement; green checks and rendering do not.
  7. 07 PROOF_AUTHORITY: Proof record and validation artifacts own the current ceiling; this website is only the route.
  8. 08 CEILING_HELD: Public claim ceiling holds at CONTROLLED_TEST_VALIDATED. Stronger wording requires a separate promotion gate.

HO-DET-001 SOCaaS Pilot Receipt

A reviewer-readable receipt for a SOCaaS-style pilot loop: source-controlled detection, controlled alert shape, deterministic validation, support-only case packet flow, proof authority, and human review gate. The website renders the receipt; it does not authorize stronger proof.

Detection source

  • Detection route: Suspicious PowerShell EncodedCommand.
  • Source truth lives in the detections repository; source presence does not prove runtime deployment.
  • Validation truth lives in controlled fixtures and verifiers, not in website rendering.

Alert shape

  • Alert subject: encoded PowerShell process behavior.
  • Reviewer shape: endpoint process context, command-line indicator, expected positive / negative fixture outcomes, and blocked response authority.
  • The page does not expose raw private telemetry, internal host data, customer data, or runtime evidence.

Controlled validation

  • The public ceiling is stated as CONTROLLED_TEST_VALIDATED.
  • Blocked promotions are visible instead of hidden.
  • Website rendering remains separated from evidence authority.
  • The platform verifier preserves NOT_PUBLIC_SAFE and BLOCKED runtime promotion fields.
  • The SOCaaS Pilot Receipt shows source, alert shape, validation, case packet, AI support, and human review as separate stages.

Case packet / workflow contract

  • Case packet contract: route source facts, validation result, missing context, blocked actions, and reviewer-safe wording.
  • Workflow boundary: a packet can support analyst review; it cannot close a case, approve containment, or promote proof.
  • Proof Pack 001 and the proof record are the reviewer routes for the current ceiling.

Proof authority

  • Proof authority remains the proof record and validation artifacts, not the website page.
  • Current public ceiling remains CONTROLLED_TEST_VALIDATED.
  • Website rendering is not proof.

AI support boundary

  • AI may draft, summarize sanitized facts, identify missing context, and prepare reviewer wording.
  • AI cannot approve disposition, containment, case closure, proof promotion, public-safe status, or release authority.
  • AI labor remains below deterministic checks and human governance.

Human review gate

  • Human review authorizes claim movement above the current ceiling.
  • Green checks and website rendering are not merge, proof, publication, or promotion authority.
  • Stronger runtime, signal, public-safe, deployment, SOCaaS-ready, FortiSIEM, autonomous, or analyst-disposition wording stays blocked until separately approved.

Blocked claims

  • Runtime activation is not claimed.
  • Signal observation is not claimed.
  • Public-safe runtime proof is not claimed.
  • Live Splunk fired, Cribl-routed status, Wazuh-routed public proof, AWS-live status, production-ready status, fleet-wide coverage, autonomous SOC operation, AI-approved disposition, and analyst-approved disposition are not claimed.
  • External-use approval is not claimed.
  • Public-safe proof is not claimed.
  • Production/customer/SOCaaS deployment, SOCaaS-ready status, FortiSIEM integration proven status, and autonomous production alert resolution are not claimed.

SOC workflow pilot loop

Workflow contract

The flow is visualized as source, validation, case packet, support-only AI, human review, and proof-controlled reporting. Each stage keeps its own authority boundary.

  1. 01 SOURCE

    Detection engineering

    Source-controlled rules + ATT&CK context

    Detection source, rule logic, status metadata, and ATT&CK-aligned context live in the detections repo. Reviewable in plain text, version-controlled, mappable.

  2. 02 CONTRACT

    Telemetry confidence

    Route contracts + visibility evidence

    Telemetry routes and contracts are treated as visibility or private/internal evidence. Public-safe runtime/signal status requires a separate promotion gate.

  3. 03 CONTROLLED

    Validation

    Deterministic verifiers + controlled fixtures

    Controlled-test validation packages and fixtures support controlled validation claims. Verifiers fail closed; no runtime promotion happens here.

  4. 04 SUPPORT-ONLY

    Alert-to-case flow

    Case packets, support gates, blocked actions

    Case-packet schemas and samples model analyst support, response gates, and blocked actions. Mutation, closure, and disposition authority stay outside the contract.

  5. 05 AI SUPPORT-ONLY

    AI-assisted triage

    Sanitized summaries + missing context

    AI may summarize sanitized facts and call out missing context. It does not decide disposition, close cases, approve actions, or promote proof.

  6. 06 HUMAN

    Human review authority

    Visible reviewer + MERGE_APPROVED

    Visible human review is the authority layer. AI is below human review; CI is below human review; momentum is below human review.

  7. 07 PROOF CEILING

    Proof-controlled reporting

    Reviewer packets at the current ceiling

    Proof Pack 001 and proof records route reviewer claims under the current ceiling. Website rendering remains a route to proof, not proof itself.

Precision boundary

What HO-DET-001 does not claim

The receipts above support the bounded ceiling. The terms below are blocked from this case file unless a separate evidence-backed promotion changes their state.

Wording scanner · ceiling · blocked claim · CI/CD deterministic gate

  • runtime-active
  • signal-observed
  • public-safe runtime proof
  • production-ready
  • production/customer/SOCaaS deployment
  • SOCaaS-ready
  • FortiSIEM integration proven
  • fleet-wide
  • live Splunk fired
  • Splunk-proven Runtime Signal 001
  • Cribl-routed
  • Wazuh-routed
  • AWS-live
  • autonomous SOC
  • AI-approved disposition
  • analyst-approved disposition
  • public-safe
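A deterministic gate of the kind the precision boundary and the case packet contract describe, as an added example that is not the project's wording scanner or packet schema. It refuses a packet that carries authority fields, states a ceiling the gate does not recognise, or uses blocked wording outside an explicit "not claimed" sentence. The blocked terms are the ones listed above; the packet field names, the two-level ceiling ladder and the negation allowance are assumptions made for the example, and both sample packets are constructed.

```python
"""Deterministic wording gate for a support-only case packet.

Added example, not the project's scanner or schema. The blocked terms are the
ones this page lists; the packet field names, the ceiling ladder and the
negation allowance are assumptions made for the example.
"""
import re

BLOCKED_TERMS = [
    "runtime-active", "signal-observed", "public-safe runtime proof",
    "production-ready", "production/customer/SOCaaS deployment", "SOCaaS-ready",
    "FortiSIEM integration proven", "fleet-wide", "live Splunk fired",
    "Splunk-proven Runtime Signal 001", "Cribl-routed", "Wazuh-routed", "AWS-live",
    "autonomous SOC", "AI-approved disposition", "analyst-approved disposition",
    "public-safe",
]

# Assumed ladder: the only ceilings this gate accepts. Anything else (a typo,
# "RUNTIME_VALIDATED", "PUBLIC_SAFE") fails closed.
KNOWN_CEILINGS = ("RENDERING_ONLY", "CONTROLLED_TEST_VALIDATED")

# Assumed packet shape. Support-only fields are allowed; authority fields are
# the ones the contract says a packet may never carry.
ALLOWED_FIELDS = {"source_facts", "validation_result", "missing_context",
                  "blocked_actions", "reviewer_wording"}
AUTHORITY_FIELDS = {"disposition", "case_closed", "containment_approved",
                    "proof_promotion", "public_safe"}

# Assumed convention: a sentence that names a blocked term only to deny it
# ("... is not claimed", "... stays blocked") is allowed, as on this page.
NEGATION_RE = re.compile(r"\bnot (?:claimed|proven)\b|\bblocked\b", re.IGNORECASE)
SENTENCE_RE = re.compile(r"(?<=[.!?])\s+")


def term_pattern(term: str) -> re.Pattern:
    """Match a term case-insensitively with hyphen, space, slash and underscore
    treated as interchangeable separators ("public safe" == "public-safe")."""
    parts = re.split(r"[\s/_-]+", term)
    return re.compile(r"\b" + r"[\s/_-]+".join(map(re.escape, parts)) + r"\b", re.IGNORECASE)


PATTERNS = [(term, term_pattern(term)) for term in BLOCKED_TERMS]


def scan(text: str) -> list[tuple[str, str]]:
    """Return (blocked term, offending sentence) pairs; negated sentences are skipped."""
    hits = []
    for sentence in SENTENCE_RE.split(text.strip()):
        if not sentence or NEGATION_RE.search(sentence):
            continue
        for term, pattern in PATTERNS:
            if pattern.search(sentence):
                hits.append((term, sentence))
    return hits


def check_packet(packet: dict) -> list[str]:
    """Every reason the packet must not pass. An empty list means it may be
    routed to a reviewer; the gate grants nothing beyond that."""
    problems = []
    for field in sorted(set(packet) & AUTHORITY_FIELDS):
        problems.append(f"authority field not permitted in a support-only packet: {field}")
    for field in sorted(set(packet) - ALLOWED_FIELDS - AUTHORITY_FIELDS):
        problems.append(f"unknown field: {field}")
    for field in sorted(ALLOWED_FIELDS - set(packet)):
        problems.append(f"missing required field: {field}")
    ceiling = (packet.get("validation_result") or {}).get("ceiling")
    if ceiling not in KNOWN_CEILINGS:
        problems.append(f"ceiling not recognised, failing closed: {ceiling!r}")
    for term, sentence in scan(packet.get("reviewer_wording", "")):
        problems.append(f"blocked wording {term!r} in: {sentence}")
    return problems


def gate(packet: dict) -> bool:
    return not check_packet(packet)


# Constructed sample packets.
COMPLIANT = {
    "source_facts": {"detection": "Suspicious PowerShell EncodedCommand", "repo": "detections"},
    "validation_result": {"ceiling": "CONTROLLED_TEST_VALIDATED", "fixtures": 14, "passed": 14},
    "missing_context": ["no runtime telemetry in scope"],
    "blocked_actions": ["case closure", "containment approval", "proof promotion"],
    "reviewer_wording": ("HO-DET-001 passed fourteen controlled fixtures. "
                         "Public-safe runtime proof is not claimed."),
}
OVERCLAIMING = dict(
    COMPLIANT,
    disposition="true positive",
    validation_result={"ceiling": "RUNTIME_VALIDATED"},
    reviewer_wording="The rule is production-ready and runtime-active; live Splunk fired on the pilot host.",
)

if __name__ == "__main__":
    for name, packet in (("compliant", COMPLIANT), ("overclaiming", OVERCLAIMING)):
        print(name, "->", "PASS" if gate(packet) else "BLOCKED")
        for problem in check_packet(packet):
            print("   ", problem)
```

Separators are normalised so that "public safe" or "runtime_active" cannot slip past a gate keyed on the hyphenated form, and the ceiling check accepts only labels it knows, so an unreviewed new level is blocked rather than waved through.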

Before stronger public wording

Promotion requirements

  • Preserved validation output linked to the record.
  • Evidence bundle with current trust classification.
  • Runtime and signal claims reviewed independently.
  • Public wording reviewed against blocked promotions.