The active system is HawkinsOperations.

HawkinsOps V1 remains online as a historical archive of the original SOC automation and detection engineering work.

The current governed rebuild lives in the HawkinsOperations GitHub organization and on hawkinsoperations.com, where source, validation, platform contracts, proof records, governance routing, and public rendering are separated.

HawkinsOps V1 (single public proof surface, historical snapshot, original SOC automation work) routes to HawkinsOperations (six-repo governed system: source truth, validation truth, platform contracts, proof records, governance routing, public navigation).

  • Historical V1 cases: 0
  • Historical auto-close: ~88%
  • Historical evidence packs: 0
  • Historical artifacts: 211

Historical HawkinsOps V1 context only. These metrics are not current HawkinsOperations runtime proof, production proof, public-safe proof, customer deployment proof, or SOCaaS availability proof.

The successor separates what V1 bundled together.

V1 showed output. HawkinsOperations shows controlled proof boundaries.

V1 bundled story and proof together. HawkinsOperations separates source, validation, platform, proof, governance, and rendering.

V1 was a closed snapshot. HawkinsOperations is the active governed system for review, validation, routing, and claim control.

Current reviewer routes are split by authority.

HawkinsOps V1 remains useful for historical context, prior artifacts, and the closed V1 proof surface, but it should not be treated as the active operating architecture. Website rendering is not proof. GitHub rendering is not runtime truth. Green CI is not final authority. AI is support labor, not final security authority.

SignalFoundry Pipeline

Every alert passes through this system.

Figures: SignalFoundry 7-stage pipeline diagram; AutoSOC triage decision flow.
System page: SignalFoundry →
Case Disposition: 324,074 total cases, split across Auto-Closed, Known FP, and Escalated.

MITRE ATT&CK Tactic Coverage (Sigma rules per tactic; the ten counts sum to the 103 Sigma rules):
  • IMP (Impact): 13
  • PER (Persistence): 11
  • PE (Privilege Escalation): 10
  • DE (Defense Evasion): 10
  • CA (Credential Access): 10
  • DIS (Discovery): 10
  • LM (Lateral Movement): 10
  • COL (Collection): 10
  • EXF (Exfiltration): 10
  • EXE (Execution): 9

Full detection grid →

SignalFoundry

Wazuh alerts in → policy-driven triage → mandatory redaction → evidence packs → reconciliation gate → published proof. 35-script Python pipeline. Deterministic. Nothing publishes without PASS.

Detection Inventory: 211 rules
  • Sigma: 103 rules · 10 MITRE ATT&CK tactics · portable
  • Wazuh XML: 29 custom rule blocks · lab Wazuh pack
  • Splunk SPL: 79 queries · investigation layer · home lab
  • IR Playbooks: 10 playbooks · 7-step structured · reproducible evidence

How alerts become evidence

Every alert enters the same pipeline. Most are auto-closed. The rest produce structured evidence packs.

Case Processing Funnel:
  • Alert Intake: 324,074 total cases
  • Auto-Closed Benign: ~88%, policy-matched, no human action
  • Escalated for Review: 8,574, analyst judgment required
  • Evidence Packs Published: redacted, gated, repo-committed

What the pipeline watches for

211 detection rules across 4 platforms, mapped to MITRE ATT&CK (+ 10 IR playbooks). Full searchable inventory →

Detection Platform Breakdown:
  • Sigma: 103 rules
  • Wazuh: 29 rule blocks
  • IR: 10 playbooks
  • Splunk: 79 queries (home lab only; not an enterprise or production SOC claim)

Sigma YAML

MITRE-mapped behavioral detections across tactic folders: process creation, lateral movement, credential access, persistence, and more.

Wazuh XML

Custom rule IDs (100000+ range), deployed to Wazuh Manager. Lab-validated with detection harness.

IR Playbooks

7-step structured response: detect, triage (5 min), investigate (30 min), contain, eradicate, recover, document.

Splunk SPL

Investigation queries against Wazuh-forwarded events. Home lab scope — not enterprise deployment.

Pipeline integrity

Locked snapshot from data/truth/current-authority.json. These values are not updated by later telemetry. Full proof →

  • Public benchmark snapshot: reviewer-authoritative values from data/truth/current-authority.json.
  • Runtime snapshot: informational telemetry remains subordinate and is disclosed on /proof.
  • Generated at: 04-21-2026
  • Source artifact: site/data/truth/current-authority.json
  • Heartbeat: SUCCESS (pipeline health check)
  • Host Coverage: 8/8 (all endpoints reporting)
  • Escalations: 8,574 (analyst-ready evidence packs)
  • Reconciliation: PASS (0 mismatches between stages)
  • Locked: 04-21-2026 (snapshot date)

Source: /assets/data/ops-metrics.json · Locked: 04-21-2026 · Full verification →

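As an added illustration (not code from the HawkinsOps or HawkinsOperations repositories), a minimal reconciliation gate of the kind the cards above describe: cross-stage counts must agree before anything publishes, and later runtime telemetry is reported as drift but never overwrites the locked snapshot. The JSON layout and key names are assumptions; the sample values are constructed to match the figures on this page.

```python
import json
# Constructed stand-in for the locked snapshot (data/truth/current-authority.json).
# Values are chosen to sum correctly; the key names are an assumption, not the project's schema.
AUTHORITY_JSON = """{
  "locked": "04-21-2026",
  "intake": {"total_cases": 324074},
  "disposition": {"auto_closed": 285185, "known_fp": 30315, "escalated": 8574},
  "evidence": {"packs_published": 8574},
  "hosts": {"reporting": 8, "expected": 8}
}"""

# Constructed later telemetry: informational, subordinate to the locked snapshot.
RUNTIME_JSON = '{"total_cases": 324301, "escalated": 8581, "hosts_reporting": 7}'

def reconcile(snapshot: dict) -> list:
    """Cross-stage invariants; each failed one is reported as a mismatch string."""
    mismatches = []
    d = snapshot["disposition"]
    total = snapshot["intake"]["total_cases"]
    dispositioned = d["auto_closed"] + d["known_fp"] + d["escalated"]
    if dispositioned != total:
        mismatches.append(f"intake {total} != dispositions {dispositioned}")
    packs = snapshot["evidence"]["packs_published"]
    if packs != d["escalated"]:
        mismatches.append(f"escalated {d['escalated']} != evidence packs {packs}")
    h = snapshot["hosts"]
    if h["reporting"] != h["expected"]:
        mismatches.append(f"host coverage {h['reporting']}/{h['expected']}")
    return mismatches

def drift_report(snapshot: dict, runtime: dict) -> dict:
    """Runtime vs locked values: disclosed for review, never written back over the locked numbers."""
    locked = {"total_cases": snapshot["intake"]["total_cases"],
              "escalated": snapshot["disposition"]["escalated"],
              "hosts_reporting": snapshot["hosts"]["reporting"]}
    return {k: (v, runtime.get(k)) for k, v in locked.items() if runtime.get(k) != v}

def gate(authority_json: str, runtime_json: str) -> dict:
    """Publishing decision: PASS, and therefore publish, only with zero cross-stage mismatches."""
    snapshot = json.loads(authority_json)
    mismatches = reconcile(snapshot)
    return {"locked": snapshot["locked"],
            "status": "PASS" if not mismatches else "FAIL",
            "mismatches": mismatches,
            "publish": not mismatches,
            "runtime_drift": drift_report(snapshot, json.loads(runtime_json))}

if __name__ == "__main__":
    print(json.dumps(gate(AUTHORITY_JSON, RUNTIME_JSON), indent=2))
```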

Where each public surface belongs

HawkinsOps is the closed V1 proof surface. HawkinsOperations is the successor governance architecture, split across detection, validation, platform, proof, and website repositories so source, runtime, signal, evidence, and public-proof claims do not collapse into one surface. RayleeOps carries public review/context. Website pages render approved claims; they do not create proof by themselves.

Verify it yourself

Every claim on this site traces back to a verification command. Clone the repo and run these:

Terminal
# Count verification (source of truth)
pwsh -NoProfile -File ".\scripts\verify\verify-counts.ps1"

# Metrics generation
node scripts/generate-metrics.js

# Drift scan (HTML/JSON/Markdown consistency)
python scripts/drift_scan.py

# Metrics schema validation
python scripts/validate_metrics.py

# Site health diagnosis
node scripts/diagnose-site.js

# Full site data pipeline
node scripts/generate-site-data.js