AI Security

A governed implementation model for AI-assisted detection engineering and security operations.

HawkinsOperations demonstrates a governed SOCaaS-style implementation model for AI-assisted detection engineering and security operations: detection work, telemetry confidence, validation, case packets, support-only AI triage, human review, and proof-controlled reporting.

AI_SUPPORT_ONLY | HUMAN_AUTHORITY_REQUIRED | PRODUCTION_CLAIM_BLOCKED

Public inspection layer

source truth: separate
runtime truth: separate
signal truth: separate
evidence truth: separate
public proof: separate

SOC workflow

Workflow: detection → proof-controlled reporting

Each stage owns a distinct truth. AI supports labor; verifiers gate evidence; humans authorize claims.

  1. 01 SOURCE

    Detection engineering

    Source-controlled rules + ATT&CK context

    Detection source, rule logic, status metadata, and ATT&CK-aligned context live in the detections repo. Reviewable in plain text, version-controlled, mappable.

  2. 02 CONTRACT

    Telemetry confidence

    Route contracts + visibility evidence

    Telemetry routes and contracts are treated as visibility or private/internal evidence. Public-safe runtime/signal status requires a separate promotion gate.

  3. 03 CONTROLLED

    Validation

    Deterministic verifiers + controlled fixtures

    Controlled-test validation packages and fixtures support controlled validation claims. Verifiers fail closed; no runtime promotion happens here.

  4. 04 SUPPORT-ONLY

    Alert-to-case flow

    Case packets, support gates, blocked actions

    Case-packet schemas and samples model analyst support, response gates, and blocked actions. Mutation, closure, and disposition authority stay outside the contract.

  5. 05 AI SUPPORT-ONLY

    AI-assisted triage

    Sanitized summaries + missing context

    AI may summarize sanitized facts and call out missing context. It does not decide disposition, close cases, approve actions, or promote proof.

  6. 06 HUMAN

    Human review authority

    Visible reviewer + MERGE_APPROVED

    Visible human review is the authority layer. AI is below human review; CI is below human review; momentum is below human review.

  7. 07 PROOF CEILING

    Proof-controlled reporting

    Reviewer packets at the current ceiling

    Proof Pack 001 and proof records route reviewer claims under the current ceiling. Website rendering remains a route to proof, not proof itself.

Detection to proof

Closed controlled loop

A repo-visible loop reviewers can trace end-to-end. Runtime, signal, and production promotion sit outside this loop on purpose.

01

Detection

Source rule + ATT&CK context in detections repo.

02

Validation

Controlled fixtures + deterministic verifier pass.

03

Case packet

SOAR-shaped case structure with support-only AI fields.

04

Verifier

Schema, claim-boundary, and parity gates fail closed.

05

Proof record

Proof record / card under the current ceiling.

06

Reviewer surface

Website route + reviewer packet to the bounded truth.

Public claim boundary stops at the reviewer surface. Runtime / signal / production / customer / fleet promotion requires separate gates.
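A sketch of the case-packet and verifier stages above, added here as an example and not taken from the HawkinsOperations repositories: a fail-closed check that AI fields stay support-only, human-only actions stay blocked, dry-run is the default, and a disposition never appears without a human approver. All field and action names are assumptions, and the sample packets are constructed.

```python
# Added example. Field names and action names are assumptions, not the
# HawkinsOperations schema; sample packets are constructed.
HUMAN_ONLY_ACTIONS = {"mutate", "close", "set_disposition", "approve_action", "promote_proof"}
AI_ALLOWED_FIELDS = {"summary", "missing_context"}
REQUIRED_FIELDS = {"case_id", "detection_id", "ai_support", "blocked_actions",
                   "dry_run", "human_review"}


def verify_case_packet(packet):
    """Return (ok, reasons); any violation or malformed input yields ok=False."""
    reasons = []
    try:
        missing = REQUIRED_FIELDS - set(packet)
        if missing:
            reasons.append(f"missing fields: {sorted(missing)}")
        # AI may only summarize and flag missing context.
        extra = set(packet.get("ai_support", {})) - AI_ALLOWED_FIELDS
        if extra:
            reasons.append(f"AI wrote non-support fields: {sorted(extra)}")
        # Every human-only action must be listed as blocked for automation.
        unblocked = HUMAN_ONLY_ACTIONS - set(packet.get("blocked_actions", []))
        if unblocked:
            reasons.append(f"human-only actions not blocked: {sorted(unblocked)}")
        if packet.get("dry_run") is not True:
            reasons.append("dry_run must be explicitly true")
        # A disposition is only valid with a named, approving human reviewer.
        review = packet.get("human_review", {})
        if packet.get("disposition") is not None and not (
                review.get("reviewer") and review.get("approved") is True):
            reasons.append("disposition set without human approval")
    except Exception as exc:  # fail closed: a verifier error is never a pass
        reasons.append(f"verifier error: {exc!r}")
    return (not reasons, reasons)


GOOD_PACKET = {  # constructed sample
    "case_id": "CASE-0001", "detection_id": "DET-EXAMPLE",
    "ai_support": {"summary": "Sanitized facts only.", "missing_context": ["parent process"]},
    "blocked_actions": sorted(HUMAN_ONLY_ACTIONS),
    "dry_run": True,
    "human_review": {"reviewer": None, "approved": False},
}
BAD_PACKET = dict(GOOD_PACKET, dry_run=False, blocked_actions=["mutate"],
                  ai_support={"summary": "Looks benign.", "disposition": "benign"})

if __name__ == "__main__":
    for name, pkt in [("good", GOOD_PACKET), ("bad", BAD_PACKET), ("malformed", None)]:
        print(name, verify_case_packet(pkt))
```

The `except` branch is what makes the gate fail closed: input the verifier cannot parse is reported as a failure instead of slipping through as an implicit pass.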

Claim ladder

Runtime boundary ladder

Controlled validation is real. Public runtime proof is not promoted until a separate evidence and approval gate fires.

  1. 01 Controlled validation: SUPPORTED

    Validation packages, controlled fixtures, and deterministic verifiers run on every PR. This is the strongest publicly supported tier.

  2. 02 Runtime path initialized: SOURCE-VISIBLE

    Runtime contracts, truth-spine schemas, and case-packet structures exist in source. Initialization is repo-visible.

  3. 03 Runtime-supported (private): PARTIAL

    Private runtime support is acknowledged in boundary docs (e.g. RS003 Cribl route marker). Evidence stays private; public-safe status remains BLOCKED_PENDING_REVIEW.

  4. 04 Runtime-observed (private): PARTIAL

    Mirrored visibility, Zeek packets, and other observation surfaces exist privately. They are not promoted into public NDR, Suricata, or cross-source proof.

  5. 05 Public runtime claim: BLOCKED

    Public runtime, signal-observed, or public-safe runtime claims remain blocked. They require separate capture, verifier, checklist, and human approval gates.

  6. 06 Production / customer / fleet: BLOCKED

    Production-ready, customer-validated, partner-endorsed, and fleet-wide claims are not made anywhere on this surface.

Transferable model

What transfers to a SOC

Each item is repo-visible discipline that maps to real security operations work without requiring HawkinsOperations infrastructure.

Transfers

Source-controlled detections

Rule logic, ATT&CK mapping, status metadata, and review history are version-controlled and auditable.

Transfers

Deterministic verifiers

Validation packages, schema checks, and claim-boundary scanners fail closed before merge.

Transfers

Case-packet structure

SOAR-shaped case packets with support-only AI fields, blocked actions, and dry-run defaults.

Transfers

Human review authority

Visible human review sits above CI, above AI output, above implementation momentum.

Transfers

Claim ceiling discipline

Scanners, record boundaries, and record-is-not-rendering rules keep public copy below evidence ceilings.

Transfers

Governance saves discipline

The public-facing Governance Saves subset models what "controls fired" looks like across merge, claim, runtime, evidence, and validator surfaces.

Claim ceiling

What remains blocked

HawkinsOperations is not presented as a production SOCaaS platform.

Customer validation, partner endorsement, and live enterprise deployment are not claimed.

Runtime-active public proof and public signal-observed proof remain blocked unless separately proven and approved.

AI-approved disposition, autonomous SOC, and analyst-approved-by-AI wording remain blocked.