Runtime Proof Factory v0

Bounded summaries for private lab runtime receipts.

This route summarizes HO-DET-011 and HO-DET-012 without exposing private material or promoting public runtime or signal proof.

CONTROLLED_TEST_VALIDATED · RAW_EVIDENCE_PRIVATE · SPLUNK_NOT_VERIFIED · PUBLIC_RUNTIME_PROOF_BLOCKED

Public inspection layer

source truth: separate
runtime truth: separate
signal truth: separate
evidence truth: separate
public proof: separate

Runtime Proof Factory

Bounded runtime summaries

The website may render bounded summaries already represented in site data. It must not publish raw material or imply production, fleet, autonomous SOC, AI-approved, or analyst-approved claims.

Detection ID

HO-DET-011

Windows Service Creation / Binary Change · bounded summary

Ceiling
CONTROLLED_TEST_VALIDATED
Validation
controlled-test validation · 17 fixtures · bounded summary approved
Runtime
private lab runtime receipt summary
Signal
public signal-observed proof blocked
Splunk
NOT_VERIFIED

What exists

  • A controlled-test validation package with 17 fixtures.
  • A private lab runtime receipt with Wazuh-backed private observation.
  • Merged deterministic verifier, review packet, decision gate, and Runtime Proof Factory v0 summary.

Not claimed

  • Public runtime proof and public signal-observed proof are not claimed.
  • Splunk remains NOT_VERIFIED.
  • Production, fleet-wide, autonomous SOC, AI-approved, and analyst-approved claims are not made.

Detection ID

HO-DET-012

Suspicious Scheduled Task Creation · bounded summary

Ceiling
CONTROLLED_TEST_VALIDATED
Validation
controlled-test validation · 8 fixtures
Runtime
private lab runtime receipt summary
Signal
public signal-observed proof blocked
Splunk
NOT_VERIFIED

What exists

  • A controlled-test validation package with 8 fixtures.
  • A governed proof record exists for controlled-test validation.
  • A private lab runtime receipt with Wazuh-backed private observation.
  • Merged deterministic verifier, review packet, decision gate, and Runtime Proof Factory v0 summary.

Not claimed

  • Public runtime proof and public signal-observed proof are not claimed.
  • Splunk remains NOT_VERIFIED.
  • Production, fleet-wide, autonomous SOC, AI-approved, and analyst-approved claims are not made.