HawkinsOperations — Detection Engineering SOC. Proof. Truth. Authority.

Detection Engineering SOC · Proof > Truth > Authority

AI Security Operations · Reviewer cockpit

Governance that catches bad security truth before it ships.

HawkinsOperations is a governed AI Security Operations and detection engineering control plane. It turns fast AI-assisted security work into evidence-bounded, reviewer-inspectable output.

The proof is not that a website renders. The proof is that controls fired: unsafe claims were blocked, stale truth was corrected, private evidence stayed private, and AI stayed support-only.

Status summary:
  • Controls fired before public truth
  • 72 public-facing governance examples
  • Proof Pack 001 available
  • AI support-only
  • Runtime claims bounded
  • Private-only records excluded

Trust boundary. Website rendering is not proof. Evidence, validators, and human review authorize claims.

Proof loop

Generate → Constrain → Validate → Review → Publish.

Each stage shows what happens, what control sits over it, and what gets blocked. The verifier owns pass and fail; human review owns merge authority.

  1. Generate
     Happens: AI-assisted drafting accelerates detection-as-code, SPL, and reviewer prose.
     Control: Generation runs against repo source; no public copy ships from a draft.
     Blocked: AI cannot decide disposition or promote claims.
  2. Constrain
     Happens: Schema, contracts, and the blocked-claim scanner cap wording at source.
     Control: Public surfaces are gated by a site-contract scan and runtime boundary rules.
     Blocked: Unsafe wording (runtime, customer, fleet, production) is not allowed to render.
  3. Validate
     Happens: Deterministic controlled-test packages decide pass or fail.
     Control: The verifier owns the gate; case packets stay bounded to the validation result.
     Blocked: Source presence is not signal observation; ceilings remain capped.
  4. Review
     Happens: Human review must resolve threads before merge authority is granted.
     Control: Green CI is not merge authority; review and scope sit above checks.
     Blocked: AI-approved disposition and analyst-approved disposition are not claimed.
  5. Publish
     Happens: Bounded reviewer artifacts surface: proof records, receipts, governance saves.
     Control: Stronger claims require a separate promotion path with new evidence.
     Blocked: Private-only evidence and host-local paths stay off public surfaces.

Cyber Kill Chain / MITRE ATT&CK

Attack context routes into proof boundaries.

Use attack-lifecycle mapping to orient detection intent, ATT&CK context, validation state, and claim ceilings. The map helps reviewers navigate the system; it does not prove live coverage or runtime signal.

  1. Cyber Kill Chain: Orient where a behavior sits in the attack lifecycle.
  2. MITRE ATT&CK: Map detection intent to ATT&CK techniques and tactics.
  3. Detection Source: Inspect the repo-backed detection package behind the mapping.
  4. Validation State: Read controlled-test counts and the claim ceiling.
  5. Proof Boundary: Validation records and proof boundaries authorize claims; live coverage and runtime signal stay blocked. (Runtime / signal: blocked)

Mapped families
  • Endpoint / PowerShell: validated
  • Endpoint / Persistence: private, not public-safe
  • Cloud / IAM: fixture-only
  • Identity / Access Behavior: validated
  • Telemetry / Defense Evasion: validation planned
  • Network / Visibility Contract: contract only

Boundary. Mapping is reviewer navigation. Validation records and proof boundaries authorize claims.

Inspect coverage map

Reviewer mode

Pick the lens you read this site through.

The site routes the same proof differently for an executive scan, a proof-pack audit, or a technical deep dive. Use the keyboard arrows to switch lenses.

Why governed AI Security Operations exists, what the value story looks like, and where the AI authority boundary sits.

Governance Saves · proof of value

Controls Fired Before Bad Truth Shipped

72 public-facing records from the GS-001 through GS-080 source range. Private-only records are excluded from this surface.

Open explorer
Controls fired by category across 72 public-facing records.
Category (count): what it covers
  • Claim boundary (16): Public copy was downgraded, narrowed, or held to match repo-visible evidence — never inflated to runtime, signal, or production wording.
  • Runtime boundary (7): Private runtime evidence, mirror traffic, and legacy automation were kept out of public runtime/signal claims.
  • Validator hardening (8): Review-thread fixes converted verifier edge cases into deterministic fail-closed paths before merge.
  • AI authority (2): AI output stayed support-only. Verifiers enforce human review and block AI-decided disposition.
  • Merge authority (13): Green CI never became merge authority. Review, scope, resolved threads, and human approval stayed above checks.
  • Evidence protection (3): Non-public evidence, host-local paths, and operator notes were kept off public surfaces and out of public proof.
  • Release gate (2): Release wording, checksums, and reviewer-package state were gated before any "approved release" claim could surface.
  • Branch hygiene (16): Branch divergence, dirty trees, wrong-branch preflights, and direct-main pushes were stopped before they touched source truth.
  • Workflow hardening (5): Required-check rulesets, audit findings, and CODEOWNERS reality were treated as enforcement evidence only when verified.
