The Artifact

ATT&CK matrix tied to detectors.

Click a technique. See the detector that covers it. Pick a detection event, walk back to the receipt it produced.

Open the explorer Watch the scenario
AK
Dimension
ATT&CK matrix
0.12 J
per call

MITRE ATT&CK v15.1 as the substrate

Every detector, every BAS scenario, every coverage assertion is keyed to ATT&CK v15.1 technique ids. Hover a cell to see the detectors that cover it, the BAS scenarios that exercise it, and the most recent witnessed detection receipt. The Navigator JSON layer is itself a signed artifact.

Sample receipt
JWP ReceiptPayload
kind "cyber.coverage.layer.published"
techniques_in_layer 596
techniques_covered 4
joules 0.12
cite "MITRE ATT&CK v15.1 · Navigator v5"
sig "ed25519:0x4f...c1a"
Anatomy — operational specs
version
ATT&CK v15.1 (Enterprise)
viewer
ATT&CK Navigator v5
BAS
Dimension
BAS playbook
2.31 J
per call

Breach-and-attack simulation as IaC

Scenario WIRE-BEC-2026Q2 declared in OpenTofu HCL: emulator agents, isolated VPC, victim mailbox, spoofed sender infrastructure, OAuth consent lure. Re-applying the plan rebuilds the range from clean state. The playbook is the test, the plan hash is the version.

Sample receipt
JWP ReceiptPayload
kind "cyber.range.provisioned"
scenario_id WIRE-BEC-2026Q2
isolated_vpc true
joules 2.31
cite "OpenTofu HCL2 · NIST SP 800-115 §5.2"
sig "ed25519:0x4f...c1a"
Anatomy — operational specs
iac
OpenTofu HCL2
isolation
dedicated VPC + egress deny-all
Dt
Dimension
Detector library
0.18–0.46 J / fire
per call

Signed rules with ATT&CK coverage

R-DKIM-001 (RFC 6376), R-DMARC-014 (RFC 7489), R-AUTH-031 (T1078.004), R-BEC-227 (T1657 SimHash). Each rule is a code artifact with a version, a coverage assertion against ATT&CK, and a reproducible test vector from the BAS playbook. Detectors that lose coverage when ATT&CK is updated are flagged automatically.

Sample receipt
JWP ReceiptPayload
kind "cyber.detect.attested"
rules_in_library 418
avg_fire_ms_p95 21
joules 0.34
cite "ATT&CK v15.1 · NIST 800-53 Rev 5 SI-4"
sig "ed25519:0x4f...c1a"
Anatomy — operational specs
format
YAML + WASM evaluator
signing
Ed25519 per rule release
Cr
Dimension
Cyber range
IaaS
per call

Offensive-capability playground as a service

Tenants spin up scenario environments from the BAS catalog. Each environment is one isolated VPC, one OpenTofu plan, one signed run archive. Re-running a scenario id reproduces the same coverage outcome — the range is a function, not a snowflake lab.

Sample receipt
JWP ReceiptPayload
kind "cyber.range.archived"
scenarios_in_catalog 186
tenancy single-tenant VPC
joules 1.08
cite "NIST SP 800-115 · OpenTofu HCL2"
sig "ed25519:0x4f...c1a"
Anatomy — operational specs
isolation
VPC per scenario instance
archive
BLAKE3-addressed bundle
Wd
Dimension
Receipt-witnessed detection
0.34 J
per call

The SIEM IS the receipt log

Every detector firing emits a cyber.detect.* receipt pinning the input artifact hash, the rule id and version, and the ATT&CK technique covered. ComplianceOS consumes the same receipt as evidence for NIST 800-53 SI-4 (System Monitoring) and AU-12 (Audit Record Generation). No separate SIEM table to reconcile.

Sample receipt
JWP ReceiptPayload
kind "cyber.detect.attested"
detections_signed 4
consumers ComplianceOS · Insights
joules 0.34
cite "ATT&CK v15.1 · NIST 800-53 Rev 5 SI-4 + AU-12"
sig "ed25519:0x4f...c1a"
Anatomy — operational specs
addressing
BLAKE3 input + rule hash
signing
Ed25519 per detection

CyberSecurityOS, in one line

defense, made inspectable.

Click anything. The same primitives that compose the rest of the Transaction Science family — receipts, joules, signed transport — show up here too. The family is one system.

← Watch the scenario Back to Transaction Science →