HawkinsOperationsDetection Engineering SOC

AI support under ProofOps control

AI Securitywithout AI authority

A governed implementation model where AI helps security work move faster, while evidence and human review decide what can be claimed.

This route separates AI support, deterministic verification, human authority, proof ceilings, and blocked claims so the model reads like an operator workflow instead of a long report.

AI rolesupport only
Verifierdeterministic
Authorityhuman review
Promotionbounded

Governed AI triage

AI moves faster inside a cage of evidence, verifiers, and review.

01Alert / detection context

source and ATT&CK orientation enter as context

02AI-assisted summary

AI summarizes and organizes; it does not approve

03ATT&CK orientation

mapping guides review without proving live coverage

04Deterministic verifier

controlled checks and contracts own pass/fail

05Claim Firewall

unsupported public wording is blocked or downgraded

06Human review

authority stays with evidence and review

07Bounded output

public wording stays under the proof ceiling

Governed AI Workflow

AI drafts. Verifiers test. Claim Firewall clamps. Human review decides.

The workflow shows where AI helps and where the system stops it. Public wording stays below evidence, proof ceilings, and human review gates.

  1. 01AI Draft
  2. 02Verifier
  3. 03Claim Firewall
  4. 04Human Review
  5. 05Public Wording

Authority boundary

AI support does not become claim authority.

The route keeps AI, deterministic verifiers, human review, and proof ceilings visually separated.

AI support
labor and drafting
Verifier
schema and controlled checks
Human authority
promotion gate
Website
rendering only
Not claimed
AI approved disposition
Not claimed
analyst approved disposition

Hoxline visual intelligence

AI support is governed by ProofOps control

Gauntlet v0 shows how AI-assisted security work enters a controlled loop, emits reviewer artifacts, and keeps runtime, signal, approval, and public-safe claims gated.

What Hoxline can verify today

capability_maturity_chart

Positive capability is shown first; the PR #13 maturity chart keeps gated areas visible without taking over the story.

availableCanonical ProofOps loop

Hoxline can run the canonical ProofOps loop for HO-DET-001.

examples/gauntlet/ho-det-001-full-loop-run-v0.json
availableReviewer-readable JSON

Hoxline can emit reviewer-readable JSON.

examples/gauntlet/ho-det-001-full-loop-run-v0.json
availableReviewer-readable Markdown

Hoxline can emit reviewer-readable Markdown.

examples/gauntlet/ho-det-001-full-loop-run-v0.md
availableOutput contract verification

Hoxline can verify the Gauntlet full-loop output contract.

schemas/gauntlet-full-loop-run-v0.schema.json
controlledProof ceiling preservation

Hoxline can preserve the CONTROLLED_TEST_VALIDATED proof ceiling.

examples/gauntlet/ho-det-001-full-loop-run-v0.json
availableSafe claim mapping

Hoxline can map artifact state to allowed claim wording.

examples/gauntlet/ho-det-001-proofcard-v0.json
availableBlocked claim mapping

Hoxline can map blocked claim families to safer wording and missing evidence.

examples/gauntlet/ho-det-001-full-loop-run-v0.json
gatedRuntime and signal gating

Hoxline can keep runtime and signal gated when evidence is missing.

examples/gauntlet/ho-det-001-full-loop-run-v0.json
controlledAuthority separation

Hoxline can represent authority separation across the seven-repo system.

README.md
availableSingle-artifact story

Hoxline can show one artifact, one loop, one safe claim, and blocked stronger claims.

docs/gauntlet/HO_DET_001_GAUNTLET_RUN.md
Gauntlet full-loop runner
operational v0
Gauntlet output contract
contracted v0
Controlled validation packaging
validated in controlled scope
Claim Authority packaging
working boundary control
Runtime evidence
gated
Signal evidence
gated
Public-safe release
not public-safe
Business, legal, and market claims
not asserted
LOCAL_CHECKOUT_CLI
$env:PYTHONPATH='src'; python -B -m hoxline gauntlet run --artifact HO-DET-001 --format json
$env:PYTHONPATH='src'; python -B -m hoxline gauntlet run --artifact HO-DET-001 --format markdown
JSON outputMarkdown outputcontract tests 8runtime gatedsignal missing evidence

Support -> verify -> review -> bound

Workflow visualization

The same Hoxline loop applies to AI-assisted security work: AI helps; evidence gates; humans promote.

Interactive ProofOps loop

AI helps. Evidence gates. Humans promote.

Tap a step to inspect the control.

5 of 11: Controlled Validation

Active gate

Controlled Validation

What happens
Controlled positive and negative fixtures define the current evidence state.
Control
The ceiling is CONTROLLED_TEST_VALIDATED.
Still blocked
Controlled validation proves controlled validation only.

Read the model by authority

Reviewer lenses

The page is organized by what each layer can do and what it cannot claim.

Reviewer lens

AI is labor

AI can help draft detections, summarize reviewer context, and organize case packets, but it does not authorize disposition.

  • AI output enters the same artifact intake path.
  • Claim wording is checked against evidence ceilings.
  • AI approval is not claimed.

Claim discipline

Evidence ceiling and blocked claims

Controlled validation

Supported where records exist

Controlled validation remains distinct from runtime and signal proof.

public_safe

false unless approved

Public release safety requires separate evidence and approval.

Human gate

required

Human review sits above AI output and green checks.
Blockedruntime-active status
Blockedruntime proven status
Blockedsignal observed status
Blockedpublic-safe proof
Blockedproduction-ready status
BlockedSOCaaS-ready status
BlockedSOCaaS deployed status
Blockedcustomer deployed status
Blockedautonomous SOC operation
BlockedAI approved disposition
Blockedanalyst approved disposition
Blockedfinal human authorization
Blockedcase closed status

Evidence routes

Reviewer inspection path

Start with Hoxline, then inspect proof, detections, and validation routes. Each surface keeps its own authority boundary.

Open route

Hoxline

Open the ProofOps control plane route and interactive claim loop.

Inspect pathOpen route

Proof Pack 001

HAWKINSOPERATIONS_PROOF_PACK_001 routes a bounded HO-DET-001 reviewer package at CONTROLLED_TEST_VALIDATED.

Inspect pathOpen route

Detections

Detection portfolio, validation status, ATT&CK mapping, and proof boundaries.

Inspect pathOpen route

Validation registry

8 controlled-test validation packages and 85 fixtures with blocked runtime / signal states.

Inspect path

Operator-grade pattern

What transfers

Transfer

Source control

Rule logic, mapping, status metadata, and review history remain auditable.

Transfer

Deterministic gates

Validation packages, schema checks, and claim-boundary scans fail closed.

Transfer

Case structure

Case packets can carry support-only AI fields and blocked action defaults.

Transfer

Human review

Review authority stays visible above CI, AI output, and implementation momentum.

Transfer

Claim ceilings

Public copy remains below the evidence ceiling attached to each artifact.

Transfer

Reviewer routes

Routes help reviewers inspect evidence without turning rendering into proof.

Repos

Source-controlled context

Open route

Reproducible reviewer path

Clone-runnable route through all six repos without private runtime access.

Inspect pathOpen route

Required checks matrix

Observed checks, report-only controls, and website rendering boundaries.

Inspect pathOpen route

Detection Factory Controller v0

Bounded reviewer status and plan emitter; platform visibility, not proof promotion.

Inspect path
AI approval not claimedanalyst approval not claimedcase closure not claimed