HawkinsOperations is a governed detection-engineering system that lets AI accelerate security work while evidence and human review authorize claims.
CONTROLLED_TEST_VALIDATED · HO-DET-001 · NOT_PUBLIC_SAFE · RENDERING_NOT_PROOF · HUMAN_REVIEW_REQUIRED
Proof Pack 001 release · Proof Pack 001 Discussion · hawkinsoperations.com · HO-DET-001 proof route · proof repo · validation repo · detections repo
AI can accelerate security work. It cannot authorize the truth.
Without a control system, AI-generated output becomes a public claim, an analyst conclusion, an operational action, a security disposition, and an executive truth — before any evidence or human review ever authorized it.
AI OUTPUT
│
▼
UNVERIFIED CLAIM
│
▼
OPERATIONAL ACTION
│
▼
SECURITY DISPOSITION
│
▼
EXECUTIVE TRUTH ✕ BLOCKED ✕
This is the failure mode HawkinsOperations is built to prevent.
AI labor enters the system. Source, validation, deterministic verification, evidence records, proof records, and human review stand between labor and any public claim.
AI LABOR
│ scoped: drafts, scaffolds, summaries — never authorization
▼
SOURCE hawkinsoperations-detections
│
▼
CONTROLLED VALIDATION hawkinsoperations-validation
│
▼
DETERMINISTIC VERIFIER fixtures · checks · CI gates
│
▼
EVIDENCE RECORD bounded, scoped, reviewable
│
▼
PROOF RECORD hawkinsoperations-proof
│
▼
HUMAN REVIEW required · not delegable to AI
│
▼
PUBLIC BOUNDARY hawkinsoperations.com · .github
AI generates work. Evidence and human review authorize claims.
|
HO-DET-001 reviewer release package The official, bounded reviewer route for the HO-DET-001 detection: source, validation, case packet, proof record, and the public boundary — packaged as one bounded reviewer ZIP and one GitHub Release.
|
What this release is
|
What this release does not prove. It is a reviewer route and a bounded ZIP. It does not promote runtime-active public proof, signal-observed public proof, public-safe runtime proof, production readiness, SOCaaS, autonomous SOC, AI-approved disposition, or analyst-approved disposition. Website/GitHub rendering is not proof.
Pick the route that matches your review job. The route changes how you inspect the system; it does not change the proof state.
| Route | Time | What you inspect | Start here |
|---|---|---|---|
| Hiring manager | 3 min | What the system is, what is proven, what stays blocked. | hawkinsoperations.com |
| Detection engineer | 10 min | Detection source, validation scope, HO-DET-001 path. | detections repo |
| SOC automation lead | 10 min | Case packet flow, deterministic checks, CI boundaries, runtime-contract separation. | validation repo |
| AI governance reviewer | 10 min | Where AI supports labor and where human review authorizes claims. | proof repo |
| Public rendering reviewer | 2 min | Public presentation and reviewer navigation only; rendering does not create proof. | HO-DET-001 proof route |
Each surface supports its own claims, nothing more. Authority does not flow between them by presentation.
| Surface | Supports | Does not assert |
|---|---|---|
| Source truth | A source artifact exists and can be reviewed. | Deployment, runtime behavior, signal observation, or public proof. |
| Validation truth | A deterministic validation process passed inside its stated scope. | Runtime operation, public signal, or external-use authorization. |
| Runtime truth | A control or detection is active in a runtime environment when runtime evidence is reviewed. | Signal observation, evidence linkage, or public-safe proof. |
| Signal truth | A bounded signal was observed in a stated context when signal evidence is reviewed. | Fleet scope, production readiness, or public-safe status. |
| Evidence truth | A preserved artifact supports a specific bounded claim. | Claims outside the evidence boundary. |
| Public rendering | Website and GitHub presentation of reviewed routes and wording. | Proof of any kind. |
flowchart LR
A[Source] --> B[Validation]
B --> C[Case packet]
C --> D[Proof record]
D --> E[Public boundary]
F[AI support] -. labor only .-> A
F -. labor only .-> B
G[Human review] --> D
H[Deterministic checks] --> D
E -. rendering is not proof .-> I[Website / GitHub]
Six repositories. Three planes. Authority flows through scoped records, not presentation.
| Plane | Repository | Authority | Boundary |
|---|---|---|---|
| Governance / routing | .github |
Organization profile, reviewer routing, control summaries. | Routes reviewers; does not prove source, runtime, signal, evidence, or public proof. |
| Authority chain | hawkinsoperations-detections |
Detection source logic and ownership trail. | Source does not prove validation or runtime. |
| Authority chain | hawkinsoperations-validation |
Fixtures, validators, case packets, deterministic checks. | Validation does not prove public runtime or signal state. |
| Internal / private runtime contract | hawkinsoperations-platform |
Runtime contracts, interface boundaries, non-promotional guardrails. | Internal/private runtime-contract route; not a public proof route and not public proof. |
| Authority chain | hawkinsoperations-proof |
Proof records, claim ceilings, evidence boundary records, cited case packets. | Proof records do not publish private evidence or raise ceilings by presentation. |
| Rendering | hawkinsoperations-website |
Public reviewer navigation and rendered wording. | Rendering is not proof and cannot approve a claim. |
Detections → validation → proof feeds the authority chain. .github routes reviewers. hawkinsoperations-platform remains an internal/private runtime-contract route. The website renders receipts; it does not author them.
Public wording passes through boundary review before it ships. Blocked terms stay listed because they describe what this surface does not assert.
Blocked unless separately promoted and approved:
public-safe · production-ready · fleet-wide · live enterprise deployment · autonomous SOC · AI-approved disposition · analyst-approved disposition · runtime-active public proof · signal-observed public proof · evidence-linked public proof · live Splunk public proof · Cribl-routed public proof · Wazuh-routed public proof · AWS-live proof · customer-ready product · sold product · enterprise deployment
Allowed public boundary for this profile:
| Field | Current value |
|---|---|
| Flagship path | HO-DET-001 |
| Public proof ceiling | CONTROLLED_TEST_VALIDATED |
| Public-safe status | NOT_PUBLIC_SAFE |
| Surface mode | RENDERING_NOT_PROOF |
| Promotion authority | HUMAN_REVIEW_REQUIRED |
| Runtime-active public proof | BLOCKED |
| Signal-observed public proof | BLOCKED |
| Evidence-linked public proof | BLOCKED |
| Production / fleet / autonomous claim | BLOCKED |
HO-DET-001 is the artifact reviewers can trace end to end without accepting a stronger public claim.
| Receipt | Review route | What it supports |
|---|---|---|
| Source | Detection source repo | The detection source exists under version control. |
| Validation | Validation repo | Controlled positive and negative test scope can be inspected. |
| Case packet | Validation repo and Proof repo | Case packets are produced/validated in validation and cited/recorded by proof. |
| Proof record | HO-DET-001 proof record | The current public ceiling and blocked claims are recorded. |
| Public rendering | HO-DET-001 public route | Reviewer navigation only; rendering does not create proof. |
Public proof ceiling remains CONTROLLED_TEST_VALIDATED. Public-safe status remains NOT_PUBLIC_SAFE.
HawkinsOps V1 / SignalFoundry metrics are prior operating context only. They are not current HawkinsOperations proof and do not raise the current HawkinsOperations ceiling.
| Prior context | Boundary |
|---|---|
| 324,074 cases processed | Historical V1 / HawkinsOps context only. |
| 200+ detections built | Historical V1 / HawkinsOps context only. |
| 208/208 CI assertions | Historical V1 / HawkinsOps context only. |
| 39.7% reduction measured | Historical V1 / HawkinsOps context only. |
| 100% high-severity preservation | Historical V1 / HawkinsOps context only. |
Current HawkinsOperations claims are bounded by source, validation, evidence, and the public-proof surface.
Repo separation creates review boundaries. Real control comes from required review, deterministic verification, CI checks, proof records, and bounded public wording. The split is necessary; it is not sufficient. Treat the boundary as the artifact, not the architecture diagram.
AI generates work. Evidence and human review authorize claims.
Build loud. Verify hard. Claim tight. Ship receipts.