HawkinsOperationsDetection Engineering SOC

HawkinsOperations command center

Security command center.

AI accelerates work. Evidence owns authority.

HawkinsOperations is a proof-governed AI security operations system exposing the machine: detections, ATT&CK context, validation, proof ceilings, Hoxline, Claim Firewall, Governance Saves, and rendering boundaries.

Open HoxlineExplore Governance SavesInspect Detection OpsOpen Claim Firewall
Generated public status v0 snapshotSnapshot under 14-day freshness windowWebsite rendering reads this snapshot; proof, validation, platform, detections, Hoxline, and org routing records own their respective facts.public-status.json
72controls fired

public-facing Governance Saves records

31claims blocked

reviewer metrics blocked-claim count

106validation cases

controlled validation case count

8proof records

proof-record activity metric

0public-safe

public-safe count remains zero

Inspect / download / clone / run

Reviewer can verify

Generated status prevents stale website numbers from becoming accidental authority. The source routes and commands make the review path inspectable instead of presentation-only.

InspectDownloadCloneRun
  1. 01Snapshot
  2. 02Sources
  3. 03Download
  4. 04Clone
  5. 05Run
Open generated public status JSONWebsite-rendered snapshot data and source-owner routes.Open Hoxline repoProduct/control route for the HO-DET-001 Gauntlet path.Open proof recordsProof authority route for records, proof packs, and ceilings.Open validation registryControlled validation status and fixture scope.
Download, clone, and run commandsReviewer-runnable
Clonegit clone https://github.com/HawkinsOperations/hoxline.git

Working directory after clone: hoxline repo root

Hoxline testspython -B -m pytest -q tests

Repo: HawkinsOperations/hoxline. Working directory: hoxline repo root.

Hoxline Gauntlet output verifierpython -B -m hoxline gauntlet verify --input examples/gauntlet/ho-det-001-full-loop-run-v0.json --schema schemas/gauntlet-full-loop-run-v0.schema.json

Repo: HawkinsOperations/hoxline. Working directory: hoxline repo root.

Website site contractnpm run check:site

Repo: HawkinsOperations/hawkinsoperations-website. Working directory: hawkinsoperations-website repo root.

Website static buildnpm run build

Repo: HawkinsOperations/hawkinsoperations-website. Working directory: hawkinsoperations-website repo root.

These commands are review paths in their owning repositories. Website rendering displays the route; it does not convert command output into proof authority.

01Detectionssource truth

ATT&CK-oriented source packages

02ATT&CK / Kill Chaincontext

reviewer orientation only

03Validationbehavior truth

49 fires / 106 cases

04Proofclaim ceiling

8 records / 31 blocked claims

05Hoxlinecontrol plane

Gauntlet v0 loop

06Claim Firewallclaim clamp

block / downgrade / harden

07Website Renderpublic surface

rendering only

Org routing.github

reviewer routing, authority maps, governance summaries

Source truthDetections

detection source packages, ATT&CK framing, event-field contracts

Behavior truthValidation

controlled fixtures, deterministic checks, validation reports

Contracts and mechanicsPlatform

schemas, ledgers, case packets, runner trust, promotion mechanics

Proof recordsProof

proof records, proof cards, claim ceilings, reviewer receipts

ProofOps control planeHoxline

Gauntlet, Claim Authority packaging, Claim Firewall decisions

Public renderingWebsite

public reviewer navigation and rendered product surfaces

CAPABILITY_VISUAL_DATA_PACK_V1Hoxline PR #13ho-det-001-capability-visual-data-pack-v1stage_status_distribution 5
11Canonical loop stagesmeasured in PR #13 pack
7Authority surfacesmeasured in PR #13 pack
2Reviewer outputsJSON and Markdown
53Current pytest countpack validation run

Flagship product

Hoxline Engine Preview: executable ProofOps control.

HawkinsOperations is not just a portfolio. Hoxline runs a controlled ProofOps loop for HO-DET-001 and emits bounded reviewer artifacts while runtime, signal, public release, production, customer, and approval claims remain gated.

stage_status_distribution

Visual stage status data

Capability Visual Data Pack v1 exposes the loop as status data, not as a flat warning list.

PASS
7
BLOCKED
1
MISSING_EVIDENCE
1
HUMAN_REVIEW_REQUIRED
1
REFERENCE_ONLY
1

generated_outputs_chart

Output artifact wall

Reviewer-readable outputs are surfaced as artifacts. They are routes to inspect, not proof promotion.

json

Full-loop JSON

Target reader: reviewer or website data loader.

Open artifact ->
JSON: 1Markdown: 1Schema: 2

claim_decision_chart

Allowed, blocked, and required evidence

Toggle the decision families. Blocked claims are visible as boundaries, not as product claims.

allowed

Allowed controlled claim

One allowed controlled-validation claim is present in the visual data pack.

HO-DET-001 has controlled validation evidence from controlled positive and negative process-creation fixtures and remains under review.
7Controlled positivesmeasured
7Controlled negativesmeasured
7Matched positivesmeasured
0Missed positivesmeasured
0False-positive negativesmeasured
23Blocked familiesclaim authority metrics
17Missing evidence groupsclaim decision chart
8Output contract teststest_hoxline_gauntlet.py

authority_surface_chart

Seven surfaces, separated

Hoxline is the control route. It does not replace proof, source, validation, platform, website, or org routing boundaries.

control

hoxline

ProofOps control plane

Owns claim boundary packaging, Gauntlet runner, output contract, and website-ready data; does not own proof authority.

visual modules

PR #13 module map

The website renders the exact visual modules defined by the Capability Visual Data Pack v1.

mission_control_heroMission Control Hero

Show Hoxline as a working ProofOps control plane for one artifact.

proofops_loop_orbitProofOps Loop Orbit

Render the 11-stage loop with status coloring.

gauntlet_execution_consoleGauntlet Execution Console

Show generated outputs and verifier command.

capability_maturity_visualCapability Maturity Visual

Separate built capabilities from gated capabilities.

authority_constellationAuthority Constellation

Show seven-repo authority separation.

evidence_pipeline_timelineEvidence Pipeline Timeline

Trace artifact data from demo packaging through Gauntlet output.

claim_decision_matrixClaim Decision Matrix

Show one allowed claim and collapsed blocked families.

generated_outputs_wallGenerated Outputs Wall

Show the concrete artifacts available to reviewers and website loaders.

reviewer_path_timelineReviewer Path Timeline

Show how a reviewer moves from source references to safe claim.

still_gated_panelStill Gated Panel

Summarize remaining gates without making them the primary story.

complexity_stats_railComplexity Stats Rail

Show bounded counts that explain the amount of working structure.

V2 current system

Proof-governed AI security operations with separated authority surfaces.

Hoxline control plane72 public-facing controls fired8 proof records0 public-safe promotions

Current public truth is governed by proof records, validation, claim boundaries, and human review.

Current proof spine

Proof authority, validation engine, platform control layer.

HawkinsOperations exposes built work first: proof records, controlled validation, platform ledgers, governed metrics, reviewer routes, and claim-boundary controls are separated so reviewers can inspect the system without trusting the website presentation.

6governed cases
49validation fires
106validation cases
8proof records
31claims blocked
0public-safe

Generated public-status rendering input: Snapshot under 14-day freshness window. Counts route to owning proof, platform, and validation records; this website does not authorize them.

Layer 01

Proof Authority

Proof records, proof cards, proof packs, reviewer maps, accomplishment ledgers, and authority-boundary case studies control what can be claimed.

Layer 02

Validation Engine

Local pipelines, parity checks, case-packet contracts, claim scanners, activity ledgers, and CI gates turn detection claims into repeatable checks.

Layer 03

Platform Control Layer

Factory commands, ledger gates, state manifests, runtime candidates, recoverability drills, and SOAR packet contracts turn detections into governed workflow artifacts.

Hero system · Controlled test validated

HO-DET-001 Receipt Chain

Supports
Connects detection source, validation receipt, platform contract, proof case study, website route, and reviewer handoff.
Boundary
Open proof ceilingDoes not prove SOCaaS deployment, customer deployment, FortiSIEM integration, production readiness, or public-safe runtime proof.
Trace HO-DET-001
Hero system · append-gated accounting spine

Lifetime Case Ledger v1

Supports
Provides governed-case accounting, append gates, verifier-backed metrics, and state-manifest control.
Boundary
Open proof ceilingDoes not prove production case tracking, autonomous closure, or public runtime case proof.
Inspect ledger route
Hero system · reviewer-visible metrics

Reviewer Metrics Pipeline v1

Supports
Separates strict governed cases from validation activity, proof records, and blocked-claim counts.
Boundary
Open proof ceilingDoes not prove production SOC metrics, customer metrics, runtime case volume, or public-safe runtime proof.
Open proof metrics route
Supporting system · private candidate lane

Runtime Case Collector v0

Supports
Separates route, dedupe, append-gate handling, and Runtime Route Proof v1 private-candidate review routing.
Boundary
Open proof ceilingDoes not prove governed case append, public runtime-active proof, public signal-observed proof, or public-safe runtime proof.
Review runtime boundary
Supporting system · workflow trust boundary

Runner Trust Boundary

Supports
Separates public PR checks from manually triggered trusted-runner proof routes.
Boundary
Open proof ceilingDoes not expose private runner details or claim broad self-hosted PR safety.
Open platform contracts
Supporting system · reviewer-routing controls

Standing Governance Controls

Supports
Maintains blocked-claim controls, reviewer routing, PR review rituals, and proof-boundary enforcement surfaces.
Boundary
Open proof ceilingDoes not make GitHub Project metadata, website rendering, runtime truth, or signal truth into proof.
Open Claim Firewall
Supporting system · bounded reviewer package

Proof Pack 001 Quick Check

Supports
Routes the 90-second reviewer check, release path, manifest, hash/verification path, and verifier cards.
Boundary
Open proof ceilingDoes not prove runtime promotion, public-safe runtime proof, or production deployment.
Open Proof Pack 001
BoundaryWebsite rendering is not proof; public navigation only. This section compresses the operating model for reviewers; it does not promote proof, runtime-active status, signal-observed status, public-safe runtime proof, production/SOCaaS/customer deployment, FortiSIEM integration, autonomous SOC, AI disposition, or analyst disposition authority.

Proof loop

Generate → Constrain → Validate → Review → Publish.

Each stage shows what happens, what control sits over it, and what gets blocked. The verifier owns pass and fail; human review owns merge authority.

CLAIM FIREWALLUnsupported public security claims fail before they ship.Open the public wording gate that keeps website rendering below proof authority.Inspect Claim Firewall ->
  1. 01

    Generate

    Happens
    AI-assisted drafting accelerates detection-as-code, SPL, and reviewer prose.
    Control
    Generation runs against repo source; no public copy ships from a draft.
    Blocked
    AI cannot decide disposition or promote claims.
  2. 02

    Constrain

    Happens
    Schema, contracts, and the blocked-claim scanner cap wording at source.
    Control
    Public surfaces are gated by a site-contract scan and runtime boundary rules.
    Blocked
    Unsafe wording (runtime, customer, fleet, production) is not allowed to render.
  3. 03

    Validate

    Happens
    Deterministic controlled-test packages decide pass or fail.
    Control
    The verifier owns the gate; case packets stay bounded to the validation result.
    Blocked
    Source presence is not signal observation; ceilings remain capped.
  4. 04

    Review

    Happens
    Human review must resolve threads before merge authority is granted.
    Control
    Green CI is not merge authority; review and scope sit above checks.
    Blocked
    AI-approved disposition and analyst-approved disposition are not claimed.
  5. 05

    Publish

    Happens
    Bounded reviewer artifacts surface: proof records, receipts, governance saves.
    Control
    Stronger claims require a separate promotion path with new evidence.
    Blocked
    Private-only evidence and host-local paths stay off public surfaces.

Cyber Kill Chain / MITRE ATT&CK

Attack context routes into proof boundaries.

Use attack-lifecycle mapping to orient detection intent, ATT&CK context, validation state, and claim ceilings. The map helps reviewers navigate the system; it does not prove live coverage or runtime signal.

  1. Cyber Kill ChainOrient where a behavior sits in the attack lifecycle.
  2. MITRE ATT&CKMap detection intent to ATT&CK techniques and tactics.
  3. Detection SourceInspect the repo-backed detection package behind the mapping.
  4. Validation StateRead controlled-test counts and the claim ceiling.
  5. Proof BoundaryValidation records and proof boundaries authorize claims; live coverage and runtime signal stay blocked.RUNTIME / SIGNAL · BLOCKED
Mapped families
  • Endpoint / PowerShellvalidated
  • Endpoint / Persistenceprivate · not public-safe
  • Cloud / IAMfixture-only
  • Identity / Access Behaviorvalidated
  • Telemetry / Defense Evasionvalidation planned
  • Network / Visibility Contractcontract only

Boundary. Mapping is reviewer navigation. Validation records and proof boundaries authorize claims.

Inspect coverage map

Reviewer mode

Pick the lens you read this site through.

The site routes the same proof differently for an executive scan, a proof-pack audit, or a technical deep dive. Use the keyboard arrows to switch lenses.

Why governed AI Security Operations exists, what the value story looks like, and where the AI authority boundary sits.

Public product doors

Pick the surface you want to inspect.

The public site now leads with Hoxline as the current product route, then routes reviewers into proof, artifacts, detections, AI security, source, and operating context.

Public door

Hoxline

Flagship ProofOps control plane with Gauntlet v0 loop execution, reviewer outputs, and gated runtime/signal states.

Public door

Proof

Claim authority, Governance Saves, Proof Pack 001, runtime boundaries, validation ceilings, and blocked claims.

Public door

Artifacts

Reviewer receipts, proof packages, evidence cards, release artifacts, and does-prove / does-not-prove boundaries.

Public door

Detections

Detection engineering portfolio with validation status, ATT&CK mapping, proof ceilings, and runtime boundaries.

Public door

AI Security

Governed AI security operations model for AI-assisted triage, deterministic verification, and human authority.

Public door

About

Mission, operating thesis, current HawkinsOperations boundary, and archive / legacy context.

External

Inspect Source

Open the HawkinsOperations GitHub organization. Repos carry the evidence; the website routes reviewers.

Governance Saves · proof of value

Controls Fired Before Bad Truth Shipped

72 public-facing records from GS-001 through GS-080 source range. Private-only records are excluded from this surface.

Open explorer
16782133216572controls firedpublic-facing
View as table
Controls fired by category across 72 public-facing records.
CategoryCountWhat it covers
Claim boundary16Public copy was downgraded, narrowed, or held to match repo-visible evidence — never inflated to runtime, signal, or production wording.
Runtime boundary7Private runtime evidence, mirror traffic, and legacy automation were kept out of public runtime/signal claims.
Validator hardening8Review-thread fixes converted verifier edge cases into deterministic fail-closed paths before merge.
AI authority2AI output stayed support-only. Verifiers enforce human review and block AI-decided disposition.
Merge authority13Green CI never became merge authority. Review, scope, resolved threads, and human approval stayed above checks.
Evidence protection3Non-public evidence, host-local paths, and operator notes were kept off public surfaces and out of public proof.
Release gate2Release wording, checksums, and reviewer-package state were gated before any "approved release" claim could surface.
Branch hygiene16Branch divergence, dirty trees, wrong-branch preflights, and direct-main pushes were stopped before they touched source truth.
Workflow hardening5Required-check rulesets, audit findings, and CODEOWNERS reality were treated as enforcement evidence only when verified.

Private-only records are excluded from this surface.

From cockpit to receipts

Home explains the control plane. Artifacts shows the receipts.

Every claim on this site is meant to be inspectable. Artifacts is the evidence bay: each card routes to a receipt and states what it supports and what it does not prove. Website rendering is not proof.

Open the evidence bay