Validation registry

Controlled-test packages, fixture counts, and validation status.

This route owns the validation registry. It shows what passed inside controlled validation scope and what remains outside validation authority.

CONTROLLED_TEST_VALIDATED · 85 fixtures · 8 packages · VALIDATION_TRUTH_ONLY

Public inspection layer

source truth: separate
runtime truth: separate
signal truth: separate
evidence truth: separate
public proof: separate

Registry owner

Controlled validation packages

Filter by family, inspect fixture counts, and keep blocked runtime / signal / public-safe states visible without turning them into proof.

The validation registry is contract-enforced and human-review gated. It records controlled-test packages, verifier routes, and blocked runtime / signal / public-safe states.

85 total fixtures
8 passed packages
5 no-proof-record rows
1 contract-only rows
9 public-runtime blocked

HO-DET-001 · Endpoint
Suspicious PowerShell EncodedCommand
total 14 · pos 7 · neg 7 · missed 0 · fp-neg 0
CONTROLLED_TEST_VALIDATED
Inspect · HO-DET-001

What exists

  • A controlled-test validation package with 14 fixtures.
  • A public proof record and reviewer release route.

What it proves

  • 14 / 14 fixtures pass deterministically.
  • 0 missed positives and 0 false-positive negatives.

What it does not prove

  • Runtime-active status is blocked from this surface.
  • Signal-observed status is not claimed.
  • Live Splunk, Cribl/Wazuh routing, production, fleet, and public-safe runtime proof are blocked.
  • AI / analyst disposition is not claimed.

HO-DET-011 · Endpoint
Windows Service Creation / Binary Change
total 17 · pos 7 · neg 10 · missed 0 · fp-neg 0
CONTROLLED_TEST_VALIDATED · PUBLIC_SAFE_APPROVED

Bounded public-safe summary approved; private runtime evidence remains outside public repos.

Inspect · HO-DET-011

What exists

  • A controlled-test validation package with 17 fixtures.
  • A private lab runtime receipt with Wazuh-backed private observation.
  • Merged deterministic verifier, runtime review packet, public-safe decision gate, and Runtime Proof Factory v0 summary.

What it proves

  • 17 / 17 fixtures pass deterministically.
  • 0 missed positives and 0 false-positive negatives.

What it does not prove

  • Public runtime proof and public signal-observed proof are blocked.
  • Splunk remains NOT_VERIFIED.
  • Production, fleet-wide, autonomous SOC, AI-approved, and analyst-approved claims are blocked.
  • Raw private evidence, private markers, private paths, internal network details, and private hashes are excluded.

HO-DET-012 · Endpoint
Suspicious Scheduled Task Creation
total 8 · pos 4 · neg 4 · missed 0 · fp-neg 0
CONTROLLED_TEST_VALIDATED · PUBLIC_SAFE_APPROVED
Inspect · HO-DET-012

What exists

  • A controlled-test validation package with 8 fixtures.
  • A governed proof record exists for controlled-test validation.
  • A private lab runtime receipt with Wazuh-backed private observation.
  • Merged deterministic verifier, runtime review packet, public-safe decision gate, and Runtime Proof Factory v0 summary.

What it proves

  • 8 / 8 fixtures pass deterministically.
  • 0 missed positives and 0 false-positive negatives.

What it does not prove

  • Public runtime proof and public signal-observed proof are blocked.
  • Splunk remains NOT_VERIFIED.
  • Production, fleet-wide, autonomous SOC, AI-approved, and analyst-approved claims are blocked.
  • Raw private evidence, private markers, private paths, internal network details, and private hashes are excluded.

AWS-DET-001 · Cloud
CloudTrail-style IAM denial
total 6 · pos 3 · neg 3 · missed 0 · fp-neg 0
CONTROLLED_TEST_VALIDATED · AWS_LIVE_BLOCKED

Fixture-only CloudTrail-style IAM denial validation; live AWS proof is blocked.

Inspect · AWS-DET-001

What exists

  • A fixture-only CloudTrail-style detection candidate.
  • A fixture-only validation report with 6 fixtures.

What it proves

  • 6 / 6 fixtures pass deterministically.
  • 0 missed positives and 0 false-positive negatives.

What it does not prove

  • Live AWS and CloudTrail live evidence are not claimed.
  • Cloud runtime-active and signal-observed status are blocked.

ID-DET-001 · Identity
Suspicious identity session context
total 10 · pos 5 · neg 5 · missed 0 · fp-neg 0
CONTROLLED_TEST_VALIDATED · NO_PROOF_RECORD
Inspect · ID-DET-001

What exists

  • A controlled-test validation package with 10 fixtures.
  • No proof record exists yet; the row is validation-only.

What it proves

  • 10 / 10 fixtures pass deterministically.
  • 0 missed positives and 0 false-positive negatives.

What it does not prove

  • Live IdP / SIEM / NDR coverage is not claimed.
  • Production identity coverage and autonomous / AI disposition are blocked.

ID-DET-002 · Identity
MFA fatigue / repeated MFA failure
total 10 · pos 5 · neg 5 · missed 0 · fp-neg 0
CONTROLLED_TEST_VALIDATED · NO_PROOF_RECORD
Inspect · ID-DET-002

What exists

  • A controlled-test validation package with 10 fixtures.
  • No proof record exists yet; the row is validation-only.

What it proves

  • 10 / 10 fixtures pass deterministically.
  • 0 missed positives and 0 false-positive negatives.

What it does not prove

  • Live IdP and live SIEM / NDR are not claimed.
  • Proof promotion and public-safe state are blocked.

ID-DET-003 · Identity
Privileged role / admin group change
total 10 · pos 5 · neg 5 · missed 0 · fp-neg 0
CONTROLLED_TEST_VALIDATED · NO_PROOF_RECORD
Inspect · ID-DET-003

What exists

  • A controlled-test validation package with 10 fixtures.
  • No proof record exists yet; the row is validation-only.

What it proves

  • 10 / 10 fixtures pass deterministically.
  • 0 missed positives and 0 false-positive negatives.

What it does not prove

  • Live IdP / SIEM coverage is not claimed.
  • Production coverage and AI / analyst disposition are blocked.

ID-DET-004 · Identity
Impossible travel / anomalous session
total 10 · pos 5 · neg 5 · missed 0 · fp-neg 0
CONTROLLED_TEST_VALIDATED · COMPLETENESS_BLOCKED · NO_PROOF_RECORD
Inspect · ID-DET-004

What exists

  • A controlled-test validation package with 10 fixtures.
  • No proof record exists yet; the row is validation-only.

What it proves

  • 10 / 10 fixtures pass deterministically.
  • 0 missed positives and 0 false-positive negatives.

What it does not prove

  • Impossible-travel and session-hijacking completeness are not claimed.
  • Live IdP and public-safe state are blocked.

HO-NDR-001 · NDR/Telemetry
Security Onion visibility contract
no fixtures · contract sample
BOUNDARY_CONTRACT_ONLY

Contract sample only; no fixtures. Cross-source corroboration contract defined, not proof promotion.

Inspect · HO-NDR-001

What exists

  • A boundary contract sample for Security Onion visibility.
  • No fixtures and no proof record; the row is contract-only.

What it proves

  • A cross-source corroboration contract is defined.

What it does not prove

  • Security Onion runtime, Splunk search, and Cribl/Wazuh routes are blocked.
  • Zeek / Suricata quality and public-safe proof are not claimed.