HawkinsOperationsDetection Engineering SOC
CONTROLLED_TEST_VALIDATEDRUNTIME CLAIMS BLOCKEDWEBSITE RENDERING IS NOT PROOF

HO-DET-001Public pipeline proof.

A controlled-test validated detection routed through public workflow gates, deterministic pass/fail checks, and blocked-claim enforcement.

HO-DET-001 is CONTROLLED_TEST_VALIDATED through a public proof-loop workflow with controlled positive and negative test cases, deterministic pass/fail output, and blocked-claim enforcement. The proof-loop workflow carries the receipt route; the website renders the map.

See the pipeline →What it does not proveWorkflow ↗

Receipts at a glance

Four clusters · receipt-backed.

Workflow scope, controlled cases, determinism, and the blocked-claim boundary. Each cluster groups its own receipts.

Workflow

Public proof-loop

1
public proof-loop workflow
3
repos checked out by workflow
13
verifier / check steps
11
referenced Python scripts
Validation

Controlled cases

14
controlled test cases
7
positive cases
7
negative cases
14/14
passed
Quality

Determinism check

0
failed
0
missed positives
0
false-positive negatives
0
missing referenced scripts
Boundary

Blocked claim categories

10
unsupported claim categories blocked
0
blocked claim shipped
0
boundary regressions
0
scanner failures merged

Pipeline flow

Source → controlled cases → harness → workflow → report → record → boundary.

Each stage routes to a public artifact or repo surface. The website renders the map; it does not replace the proof record.

  1. GATE · 01Detection sourceSOURCEReviewable rule and SPL source under version control.truth surface · source
  2. GATE · 02Controlled test casesCASES7 positive and 7 negative cases with expected outcomes.truth surface · validation
  3. GATE · 03Deterministic harnessHARNESSPython verifiers produce deterministic pass/fail output.truth surface · validation
  4. GATE · 04Public workflowWORKFLOWPublic proof-loop checks out 3 repos and runs 13 verifier/check steps.truth surface · workflow
  5. GATE · 05Pass/fail report14/1414 passed, 0 failed, 0 missed positives, 0 false-positive negatives.truth surface · report
  6. GATE · 06Proof recordRECORDProof repo preserves the public label and internal verifier boundary.truth surface · proof
  7. GATE · 07Public claim boundaryBLOCKED10 unsupported claim categories stay blocked instead of implied.truth surface · public claim
STAGES · 07SOURCE → BOUNDARYBLOCKED · 10

Proof boundary

What this proves — and what it does not.

Proves

Controlled-test validation, visible in public.

  • HO-DET-001 has controlled-test validation.
  • Validation uses controlled positive and negative cases.
  • The harness produces deterministic pass/fail results.
  • The public workflow checks supporting proof-loop gates.
  • Unsupported claims remain blocked at the public surface.

Does not prove

Runtime and promotion claims stay blocked.

  • runtime-active deployment
  • production readiness
  • fleet-wide coverage
  • public-safe runtime evidence
  • live Splunk firing
  • Cribl-routed telemetry
  • Wazuh live collection
  • autonomous disposition
  • evidence-linked public runtime proof
  • analyst-approved disposition

Open the receipts

Every visible claim has a route.

These lanes point to merged public artifacts on main or merged PR/commit records. The website renders the lanes; the artifacts are the proof.

PUBLIC ROUTE · WORKFLOWPublic proof-loop workflow13 verifier / check steps across 3 repos.Inspect path ↗PUBLIC ROUTE · HARNESSValidation harnessPython validation harness — deterministic pass/fail output.Inspect path ↗PUBLIC ROUTE · CASESControlled test cases7 positive and 7 negative controlled test cases.Inspect path ↗PUBLIC ROUTE · REPORTValidation report14/14 passed · 0 missed positives · 0 false-positive negatives.Inspect path ↗PUBLIC ROUTE · PIPELINE PROOFMerged pipeline proof packValidation report merged on main.Inspect path ↗PUBLIC ROUTE · PROOF RECORDProof record on mainMerged proof boundary record on main.Inspect path ↗PUBLIC ROUTE · VALIDATION MERGEValidation PR #27Validation merge commit for the public proof-loop report.Inspect path ↗PUBLIC ROUTE · PROOF MERGEProof PR #27Proof merge commit for the proof-boundary record.Inspect path ↗PUBLIC ROUTE · RULEDetection rule sourceRule file in the detections repo.Inspect path ↗PUBLIC ROUTE · SPLSplunk SPL sourceSPL source file in the detections repo · not live firing evidence.Inspect path ↗

Release path · governed

Proof Pack 001 · source / check-mode release path implemented.

The release-path implementation is merged on the proof repo main branch. No official release, tag, zip, or signed artifact is claimed from this surface; the next gate is explicit release approval.

CONTROLLED_TEST_VALIDATED
Detection
HO-DET-001
Pack ID
PROOF_PACK_001
Pack status
RELEASE_PATH_IMPLEMENTED
Source mode
CHECK_MODE_SOURCE_ONLY
Next gate
OFFICIAL_RELEASE_PENDING_APPROVAL
Public-safe state
NOT_PUBLIC_SAFE
no tag · no GitHub Release · no zip · no signing claimed · routing onlyProof ledger →

Reviewer takeaway · signed note

This is not a production claim. It is a public proof loop.

A detection source, controlled cases, deterministic validation, workflow gates, and explicit blocked claims. The value is not that the claim is maximal — the value is that the claim cannot silently exceed the evidence. The scanner scope expanded from 5 files to 7 before merge, so the public route reflects the merged validation and proof records without widening the claim ceiling.

— hawkinsoperations · public surface · routing only