Detection Operations Cockpit


ATT&CK / Kill Chain orientation, source-backed rows, controlled validation, proof ceilings, and Hoxline claim control in one routed machine.

8 source-backed rows · 49 validation fires · 106 validation cases · 0 public-safe
  1. 01 · Source truth

    detection source packages, ATT&CK orientation, event-field contracts

    hawkinsoperations-detections
  2. 02 · ATT&CK context

    reviewer orientation; not live coverage proof

    detections metadata
  3. 03 · Controlled validation

    49 controlled validation fires / 106 validation cases

    hawkinsoperations-validation
  4. 04 · Proof ceiling

    proof records and claim ceilings where present

    hawkinsoperations-proof
  5. 05 · Claim boundary

    unsupported runtime/signal/public-safe wording blocked or downgraded

    Hoxline / Claim Firewall
  6. 06 · Website render

    public navigation only

    hawkinsoperations-website

Detection artifact to public wording

Source work does not ship as a claim until the route survives the gates.

The route starts in detection source and only becomes public wording after validation, proof ceiling, Hoxline claim control, and website rendering boundaries are respected.

Detections: ATT&CK-oriented source packages
ATT&CK / Kill Chain: reviewer orientation only
Validation: 49 fires / 106 cases
Proof: 8 records / 31 blocked claims
Hoxline: Gauntlet v0 loop
Claim Firewall: block / downgrade / harden
Website Render: rendering only
31 claims blocked
106 validation cases
8 proof records
0 public-safe

ATT&CK / Kill Chain operations board

Detection work mapped to source, validation, proof, and gates.

Exploitation · HO-DET-001

Suspicious PowerShell EncodedCommand Execution

T1059.001 · Command and Scripting Interpreter: PowerShell

Lane
Sigma + Splunk + Sysmon mapping
Validation
14 controlled cases: 7 positive, 7 negative, 0 missed, 0 false-positive negatives
Ceiling
CONTROLLED_TEST_VALIDATED

Installation · HO-DET-011

Windows Service Creation / Binary Change

Persistence: service creation — ATT&CK mapping in source artifact

Lane
Sigma + Wazuh + Splunk
Validation
17 controlled cases: 7 positive, 10 negative, 0 missed, 0 false-positive negatives
Ceiling
private runtime evidence captured and excluded from public proof · NOT_PUBLIC_SAFE

Installation · HO-DET-012

Suspicious Scheduled Task Creation

Scheduled Task/Job: Scheduled Task — ATT&CK mapping in source artifact

Lane
Sigma + Wazuh + Splunk
Validation
8 controlled cases: 4 positive, 4 negative, 0 missed, 0 false-positive negatives
Ceiling
CONTROLLED_TEST_VALIDATED

Delivery · AWS-DET-001

CloudTrail-Style IAM Denial

Cloud / IAM denial — mapping in source/proof artifacts

Lane
CloudTrail fixture
Validation
6 fixture cases: 3 positive, 3 negative
Ceiling
CONTROLLED_TEST_VALIDATED · FIXTURE_ONLY

ATT&CK orientation · ID-DET-001..004

Identity Detection Family

ATT&CK-aligned identity behavior (mapping per detection)

Lane
Identity / Splunk source candidate
Validation
ID-DET-001…004 each: 10 controlled cases — 5 positive, 5 negative, 0 missed, 0 false-positive negatives
Ceiling
CONTROLLED_TEST_VALIDATED

ATT&CK orientation · HO-DET-013

Defense Tool and Telemetry Tamper Attempt

Defense evasion / telemetry tamper — mapping in source artifact

Lane
Sigma / Splunk / Wazuh planned lane
Validation
Validation not complete.
Ceiling
SOURCE_EXISTS · VALIDATION_PLANNED

Command & Control · HO-NDR-001

Security Onion / NDR Visibility Boundary

Boundary / corroboration contract — not a coverage claim

Lane
Security Onion / NDR contract
Validation
Contract surface — no validation count.
Ceiling
BOUNDARY_CONTRACT_ONLY

Command & Control · HO-PIPE-001

Cribl / Pipeline Route Integrity

Pipeline route contract — not an ATT&CK detection proof

Lane
Cribl pipeline contract
Validation
Source exists; validation planned.
Ceiling
SOURCE_EXISTS · VALIDATION_PLANNED

Kill Chain navigator

Attack context is navigation, not proof promotion.

Active stage

Reconnaissance

Use this stage to inspect visibility planning, identity-context validation, and gap tracking without inferring live coverage.

Mapped artifacts
ID-DET-001..004, HO-NDR-001, HO-PIPE-001
Strongest artifact
ID-DET validation reports and HO-NDR-001 / HO-PIPE-001 boundary contracts.
Blocked claim lane
live IdP / live SIEM/NDR / complete identity coverage / public-safe runtime proof

Detection Inventory Cockpit

Source truth feeds validation truth, proof ceilings, and public rendering.

ATT&CK and Cyber Kill Chain mapping help reviewers navigate detection intent. They do not prove live telemetry, runtime deployment, signal observation, or customer use.

3 controlled validated
1 fixture only
1 private boundary
2 validation planned
1 contract only

Endpoint / PowerShell

HO-DET-001 · Suspicious PowerShell EncodedCommand Execution

T1059.001 · Command and Scripting Interpreter: PowerShell

Ceiling
CONTROLLED_TEST_VALIDATED
Validation
14 controlled cases: 7 positive, 7 negative, 0 missed, 0 false-positive negatives
Runtime and signal claims are blocked at this ceiling. No production, customer-deployment, or autonomous-resolution claim is made.

Endpoint / Persistence

HO-DET-011 · Windows Service Creation / Binary Change

Persistence: service creation — ATT&CK mapping in source artifact

Ceiling
private runtime evidence captured and excluded from public proof · NOT_PUBLIC_SAFE
Validation
17 controlled cases: 7 positive, 10 negative, 0 missed, 0 false-positive negatives
Private runtime evidence is held privately and is blocked from public proof; no public-safe runtime claim is made and runtime/signal stay blocked.
HO-DET-012 · Suspicious Scheduled Task Creation

Scheduled Task/Job: Scheduled Task — ATT&CK mapping in source artifact

Ceiling
CONTROLLED_TEST_VALIDATED
Validation
8 controlled cases: 4 positive, 4 negative, 0 missed, 0 false-positive negatives
Proof record present in hawkinsoperations-proof. Runtime, signal, public-safe runtime proof, and completeness claims remain blocked at this ceiling.

Cloud / IAM

AWS-DET-001 · CloudTrail-Style IAM Denial

Cloud / IAM denial — mapping in source/proof artifacts

Ceiling
CONTROLLED_TEST_VALIDATED · FIXTURE_ONLY
Validation
6 fixture cases: 3 positive, 3 negative
Fixture-only. Live AWS and CloudTrail proof are blocked at this ceiling; no live-cloud claim is made.

Identity / Access Behavior

ID-DET-001…004 · Identity Detection Family

ATT&CK-aligned identity behavior (mapping per detection)

Ceiling
CONTROLLED_TEST_VALIDATED
Validation
ID-DET-001…004 each: 10 controlled cases — 5 positive, 5 negative, 0 missed, 0 false-positive negatives
Live IdP, production identity coverage, and completeness claims are blocked at this ceiling; no live-identity claim is made.

Telemetry / Defense Evasion

HO-DET-013 · Defense Tool and Telemetry Tamper Attempt

Defense evasion / telemetry tamper — mapping in source artifact

Ceiling
SOURCE_EXISTS · VALIDATION_PLANNED
Validation
Validation not complete.
Source exists only. Validation, runtime, and signal claims are blocked at this ceiling; no validation claim is made yet.

Network / Visibility Contract

HO-NDR-001 · Security Onion / NDR Visibility Boundary

Boundary / corroboration contract — not a coverage claim

Ceiling
BOUNDARY_CONTRACT_ONLY
Validation
Contract surface — no validation count.
Security Onion observed proof is blocked; this defines a visibility boundary and makes no observed-signal claim.

Pipeline / Telemetry Contract

HO-PIPE-001 · Cribl / Pipeline Route Integrity

Pipeline route contract — not an ATT&CK detection proof

Ceiling
SOURCE_EXISTS · VALIDATION_PLANNED
Validation
Source exists; validation planned.
Cribl-routed proof is blocked at this ceiling; no Cribl-routed claim is made.
source truth -> validation truth -> proof ceiling -> public rendering

Authority boundary

Detection rendering keeps the claim boundary visible.

Detection cards show source, validation, mapping, and proof-boundary status. They do not create deployment, signal, or public proof.

Source truth
hawkinsoperations-detections
Behavior truth
hawkinsoperations-validation
Proof authority
hawkinsoperations-proof
Website
rendering only

Source truth into claim control

Detection lifecycle feeds Hoxline

Detection source and controlled validation can feed the Hoxline loop, but the runtime and signal gates remain separate until evidence exists.

stage_status_distribution

Visual stage status data

Capability Visual Data Pack v1 exposes the loop as status data, not as a flat warning list.

PASS: 7
BLOCKED: 1
MISSING_EVIDENCE: 1
HUMAN_REVIEW_REQUIRED: 1
REFERENCE_ONLY: 1

build_timeline

Reviewer path from source to gated claims

Tap a node to inspect what exists today and what remains gated.

manifest

HO-DET-001 controlled demo packaging

Controlled demo artifacts and reviewer entry points were packaged.

Flagship controlled-validation example

HO-DET-001: Suspicious PowerShell EncodedCommand Execution

T1059.001 · Command and Scripting Interpreter: PowerShell

runtime not promoted · signal not promoted · public_safe false

Validation

Controlled validation passed

Controlled fixture status remains distinct from runtime or signal proof.

Proof ceiling

CONTROLLED_TEST_VALIDATED

Runtime and signal claims are blocked at this ceiling. No production, customer-deployment, or autonomous-resolution claim is made.
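The "N positive, M negative, 0 missed, 0 false-positive negatives" rows on this cockpit are the output of a controlled-validation run: every fixture case carries an expected verdict, the rule is executed against it, and the four counts are derived from the disagreements. The harness below is an added example and is not the HO-DET-001 Sigma rule or the hawkinsoperations-validation harness. The rule logic (`detect`), the Sysmon-style field names, the image and command-line values, and the fixture events are all assumptions constructed for the example; the Base64 payload is a benign `Get-Date` encoded the way `-EncodedCommand` expects.

```python
"""Controlled-validation harness for a PowerShell EncodedCommand detection.

Added example, not the HO-DET-001 rule or the hawkinsoperations-validation
harness. Events are constructed Sysmon-style process-creation records and the
rule below is a hypothetical approximation of "EncodedCommand execution".
"""
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Case:
    case_id: str
    expected: bool   # True: the detection should fire (positive case)
    event: dict      # Sysmon EventID 1 style fields (constructed)


POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Encoding switch in any abbreviation PowerShell accepts, followed by a Base64 blob.
ENCODED_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"
)


def detect(event):
    """Hypothetical rule: PowerShell image plus an encoded-command switch."""
    if event.get("EventID") != 1:          # only Sysmon process creation is mapped
        return False
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    if image not in POWERSHELL_IMAGES:
        return False
    return ENCODED_FLAG.search(event.get("CommandLine", "")) is not None


def validate(cases):
    """Return the four counts a cockpit row reports for a detection."""
    counts = {"positive": 0, "negative": 0, "missed": 0, "false_positive": 0}
    for case in cases:
        fired = detect(case.event)
        if case.expected:
            counts["positive"] += 1
            counts["missed"] += int(not fired)          # positive case that did not fire
        else:
            counts["negative"] += 1
            counts["false_positive"] += int(fired)      # negative case that fired
    return counts


# Constructed fixture: a benign command ("Get-Date") in the UTF-16LE Base64 form
# that -EncodedCommand consumes.
BENIGN_B64 = base64.b64encode("Get-Date".encode("utf-16le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PWSH = r"C:\Program Files\PowerShell\7\pwsh.exe"
CMD = r"C:\Windows\System32\cmd.exe"


def ev(event_id, image, cmdline):
    return {"EventID": event_id, "Image": image, "CommandLine": cmdline}


CASES = [
    Case("P1", True, ev(1, PS, f"powershell.exe -NoProfile -enc {BENIGN_B64}")),
    Case("P2", True, ev(1, PWSH, f"pwsh -EncodedCommand {BENIGN_B64}")),
    Case("P3", True, ev(1, PS, f"POWERSHELL.EXE -EC {BENIGN_B64}")),
    # P4 is the same behaviour seen only as a Security 4688 event. The rule maps
    # Sysmon EventID 1 only, so the harness must count it as missed, not hide it.
    Case("P4", True, ev(4688, PS, f"powershell.exe -enc {BENIGN_B64}")),
    Case("N1", False, ev(1, PS, "powershell.exe -Command Get-Date")),
    Case("N2", False, ev(1, CMD, f"cmd.exe /c echo -enc {BENIGN_B64}")),
    Case("N3", False, ev(1, PS,
         r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1")),
]

if __name__ == "__main__":
    print(validate(CASES))
    # {'positive': 4, 'negative': 3, 'missed': 1, 'false_positive': 0}
```

The point of the P4 case is that "0 missed" is only meaningful when the fixture set includes the telemetry paths the rule does not cover; a harness that silently dropped events the rule cannot see would report a clean row for a detection with a gap. A run like this stays at the CONTROLLED_TEST_VALIDATED ceiling: it shows the rule behaves as specified on fixtures and says nothing about runtime deployment or observed signal.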

Source -> validation -> proof ceiling

Detection systems

Each card keeps source, validation, proof ceiling, and runtime/signal boundary visible so detection work cannot be over-promoted.

Endpoint / PowerShell

HO-DET-001 · VALIDATED

Suspicious PowerShell EncodedCommand Execution

T1059.001 · Command and Scripting Interpreter: PowerShell

Validation
Controlled validation passed
Proof ceiling
CONTROLLED_TEST_VALIDATED
Runtime / signal boundary
Runtime and signal claims are blocked at this ceiling. No production, customer-deployment, or autonomous-resolution claim is made.

Endpoint / Persistence

HO-DET-011 · PRIVATE

Windows Service Creation / Binary Change

Persistence: service creation — ATT&CK mapping in source artifact

Validation
Controlled validation passed
Proof ceiling
CONTROLLED_TEST_VALIDATED
Runtime / signal boundary
Private runtime evidence is held privately and is blocked from public proof; no public-safe runtime claim is made and runtime/signal stay blocked.

Endpoint / Persistence

HO-DET-012 · VALIDATED

Suspicious Scheduled Task Creation

Scheduled Task/Job: Scheduled Task — ATT&CK mapping in source artifact

Validation
Controlled validation passed
Proof ceiling
CONTROLLED_TEST_VALIDATED
Runtime / signal boundary
Proof record present in hawkinsoperations-proof. Runtime, signal, public-safe runtime proof, and completeness claims remain blocked at this ceiling.

Cloud / IAM

AWS-DET-001 · FIXTURE

CloudTrail-Style IAM Denial

Cloud / IAM denial — mapping in source/proof artifacts

Validation
Controlled validation passed
Proof ceiling
CONTROLLED_TEST_VALIDATED
Runtime / signal boundary
Fixture-only. Live AWS and CloudTrail proof are blocked at this ceiling; no live-cloud claim is made.

Identity / Access Behavior

ID-DET-001…004 · VALIDATED

Identity Detection Family

ATT&CK-aligned identity behavior (mapping per detection)

Validation
ID-DET-001…004 each: 10 controlled cases — 5 positive, 5 negative, 0 missed, 0 false-positive negatives
Proof ceiling
CONTROLLED_TEST_VALIDATED
Runtime / signal boundary
Live IdP, production identity coverage, and completeness claims are blocked at this ceiling; no live-identity claim is made.

Telemetry / Defense Evasion

HO-DET-013 · PLANNED

Defense Tool and Telemetry Tamper Attempt

Defense evasion / telemetry tamper — mapping in source artifact

Validation
Validation not complete.
Proof ceiling
SOURCE_EXISTS · VALIDATION_PLANNED
Runtime / signal boundary
Source exists only. Validation, runtime, and signal claims are blocked at this ceiling; no validation claim is made yet.

Network / Visibility Contract

HO-NDR-001 · CONTRACT

Security Onion / NDR Visibility Boundary

Boundary / corroboration contract — not a coverage claim

Validation
Contract surface — no validation count.
Proof ceiling
BOUNDARY_CONTRACT_ONLY
Runtime / signal boundary
Security Onion observed proof is blocked; this defines a visibility boundary and makes no observed-signal claim.

Pipeline / Telemetry Contract

HO-PIPE-001 · PLANNED

Cribl / Pipeline Route Integrity

Pipeline route contract — not an ATT&CK detection proof

Validation
Source exists; validation planned.
Proof ceiling
SOURCE_EXISTS · VALIDATION_PLANNED
Runtime / signal boundary
Cribl-routed proof is blocked at this ceiling; no Cribl-routed claim is made.

Claim boundary

What remains blocked

Blocked: runtime-active status
Blocked: runtime proven status
Blocked: signal observed status
Blocked: public-safe proof
Blocked: production-ready status
Blocked: SOCaaS-ready status
Blocked: customer deployed status
Blocked: public runtime proof
Blocked: public signal proof
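The "Detection lifecycle feeds Hoxline" paragraph and the blocked list above describe a gate that sits between a detection's proof ceiling and the wording that may ship: a candidate sentence is classified by the strongest claim it makes, compared with what the ceiling permits, and then passed through hardened, downgraded to validation-level wording, or blocked outright. The gate below is an added example and is not the Hoxline loop or the Claim Firewall itself. The ceiling tokens and the blocked claim kinds are the ones shown on this cockpit; the mapping from ceiling token to permitted claim class (`CEILING_ALLOWS`), the marker lexicon, and the rule that downgrades when a validation record exists and blocks otherwise are this example's assumptions.

```python
"""Claim-ceiling gate that hardens, downgrades or blocks candidate public wording.

Added example; not the Hoxline loop or the Claim Firewall. Ceiling tokens and
claim kinds come from the cockpit; the permission mapping, the marker lexicon
and the downgrade-vs-block rule are assumptions made for this example.
"""
import re
from dataclasses import dataclass, field

# Claim classes from the weakest to the strongest assertion.
CLAIM_ORDER = ["source", "validation", "runtime", "signal", "public_safe"]

# Assumed: which claim classes each ceiling token permits in public wording.
CEILING_ALLOWS = {
    "SOURCE_EXISTS": {"source"},
    "VALIDATION_PLANNED": {"source"},
    "BOUNDARY_CONTRACT_ONLY": {"source"},
    "CONTROLLED_TEST_VALIDATED": {"source", "validation"},
    "FIXTURE_ONLY": {"source", "validation"},
    "NOT_PUBLIC_SAFE": {"source", "validation"},
}

# Constructed marker lexicon; word boundaries keep "live" from matching "delivery".
CLAIM_MARKERS = {
    "public_safe": [r"\bpublic-safe\b", r"\bcustomer[- ]deployed\b",
                    r"\bproduction-ready\b", r"\bsocaas-ready\b"],
    "signal": [r"\bsignal observed\b", r"\bobserved in production\b", r"\balerted on real\b"],
    "runtime": [r"\bruntime[- ](?:active|proven)\b", r"\bdeployed\b",
                r"\bin production\b", r"\blive\b"],
    "validation": [r"\bcontrolled validation\b", r"\bvalidated\b", r"\btest cases\b"],
    "source": [r"\bsource package\b", r"\bdetection source\b", r"\brule exists\b"],
}


@dataclass
class Verdict:
    action: str           # "harden", "downgrade" or "block"
    claim_class: str      # strongest class the candidate wording asserts
    wording: str          # wording that may ship ("" when blocked)
    reasons: list = field(default_factory=list)


def classify(wording):
    """Strongest claim class asserted by the wording; 'source' if nothing stronger."""
    text = wording.lower()
    for cls in reversed(CLAIM_ORDER):
        if any(re.search(p, text) for p in CLAIM_MARKERS[cls]):
            return cls
    return "source"


def ceiling_tokens(ceiling):
    """Keep the UPPER_SNAKE tokens of a '·'-joined ceiling; free-text notes are dropped."""
    parts = [p.strip() for p in ceiling.split("·")]
    return [p for p in parts if re.fullmatch(r"[A-Z][A-Z0-9_]*", p)]


def allowed_classes(ceiling):
    """A composite ceiling permits only what every one of its tokens permits."""
    tokens = ceiling_tokens(ceiling)
    if not tokens:
        raise ValueError(f"no ceiling token in: {ceiling!r}")
    allowed = set(CLAIM_ORDER)
    for t in tokens:
        if t not in CEILING_ALLOWS:
            raise ValueError(f"unknown ceiling token: {t}")
        allowed &= CEILING_ALLOWS[t]
    return allowed


def gate(detection_id, ceiling, wording):
    """Decide whether candidate wording ships as-is (hardened), downgraded, or not at all."""
    asserted = classify(wording)
    allowed = allowed_classes(ceiling)
    tokens = " · ".join(ceiling_tokens(ceiling))
    boundary = "runtime, signal and public-safe claims are not made"
    if asserted in allowed:
        # Harden: keep the wording, pin the ceiling and restate the boundary.
        return Verdict("harden", asserted,
                       f"{wording.rstrip('.')} (ceiling {tokens}; {boundary}).")
    strongest = max(allowed, key=CLAIM_ORDER.index)
    reasons = [f"{asserted!r} claim exceeds ceiling {tokens} (permits up to {strongest!r})"]
    if strongest == "validation":
        # Downgrade: a validated detection may still say that much publicly, nothing more.
        return Verdict("downgrade", asserted,
                       f"{detection_id}: controlled validation passed at ceiling {tokens}; "
                       f"{boundary}.", reasons)
    # Block: source-only or contract-only work has no public claim to fall back to.
    reasons.append("no validation record to downgrade to; human rewrite required")
    return Verdict("block", asserted, "", reasons)


if __name__ == "__main__":
    for det, ceil, text in [
        ("HO-DET-001", "CONTROLLED_TEST_VALIDATED", "HO-DET-001 is runtime-active in production"),
        ("HO-DET-013", "SOURCE_EXISTS · VALIDATION_PLANNED", "HO-DET-013 signal observed in production"),
    ]:
        print(gate(det, ceil, text))
```

Two details carry the design. First, the ceiling is intersected across its tokens, so `CONTROLLED_TEST_VALIDATED · FIXTURE_ONLY` can never permit more than either token alone, and the prose annotation on the HO-DET-011 ceiling is ignored rather than parsed as a token. Second, a blocked claim never degrades into a vague sentence: either a validation record exists and the wording is rewritten to exactly that level, or the candidate is returned to a human with the reason attached.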

Mapping

ATT&CK and lifecycle map

Cyber Kill Chain and ATT&CK mapping help reviewers understand lifecycle stage, detection intent, and coverage. They do not prove live telemetry, runtime deployment, signal observation, or customer use.

Reconnaissance

Boundary/source contracts plus controlled identity validation reports.

Use this stage to inspect visibility planning, identity-context validation, and gap tracking without inferring live coverage.

Strongest reviewer artifact: ID-DET validation reports and HO-NDR-001 / HO-PIPE-001 boundary contracts.

Weaponization

Defensive behavior modeling with source, validation, and proof truth separated.

Use this stage to see how behaviors become testable detection artifacts and where proof records do or do not exist.

Strongest reviewer artifact: Proof records for HO-DET-001, HO-DET-011, HO-DET-012, and AWS-DET-001 where present.

Delivery

FIXTURE_ONLY / CONTROLLED_TEST_VALIDATED.

Use this stage for cloud-access fixture review only; it does not assert a live AWS deployment.

Strongest reviewer artifact: AWS-DET-001 proof record and proof card.

Exploitation

CONTROLLED_TEST_VALIDATED.

Use this stage to trace PowerShell execution detection from ATT&CK mapping through source, validation, and proof boundary.

Strongest reviewer artifact: HO-DET-001 proof record, proof card, Proof Pack 001, and validation report.