The Scenario

A wire instruction passes the BEC, DKIM, SPF and DMARC checks.
5.08 joules.

Title company's email domain checked against ATT&CK BEC patterns. Sender authenticated. Body fingerprint vs. 2026 wire-fraud campaign: no match. The wire instruction is signed and dispatched. 0.9 joules.

01
Range Provision
BAS scenario
2.31 J

A BAS scenario is provisioned in the cyber range as IaC.

Scenario WIRE-BEC-2026Q2 declared in OpenTofu HCL: one victim mailbox, one spoofed title-company domain, one OAuth-consent lure, one wire-instruction payload. 14 resources, 0 drift, fully isolated VPC. The range is reproducible — re-applying the plan rebuilds the same emulated environment from clean state.

JWP ReceiptPayload
kind "cyber.range.provisioned"
scenario WIRE-BEC-2026Q2
resources 14
joules 2.31
cite "OpenTofu HCL2 · NIST SP 800-115 §5.2"
sig "ed25519:0x4f...c1a"
02
ATT&CK T1078
Initial Access
0.46 J

Emulator obtains valid OAuth tokens via T1078.004 — Cloud Accounts.

The BAS agent replays a published 2026-Q1 consent-phishing technique to mint a refresh token against a tenant-trust mailbox. ATT&CK technique T1078.004 (Valid Accounts: Cloud Accounts) registered as covered. Tokens flow back to the emulator's C2 over a TLS 1.3 channel.

JWP ReceiptPayload
kind "cyber.emulation.t1078.executed"
technique T1078.004
tokens_obtained 1
joules 0.46
cite "MITRE ATT&CK v15.1 · T1078.004"
sig "ed25519:0x4f...c1a"
03
ATT&CK T1566.002
Spearphishing Link
0.21 J

Spoofed sender bypasses look-alike checks but fails DKIM (RFC 6376).

Emulator sends from titlec0mpany.com (zero-for-O homoglyph) with a forged From header. SPF (RFC 7208) returns softfail because the sending IP isn't in the spoofed domain's SPF record. DKIM signature verification fails: signing key absent for d=titlec0mpany.com. Detector rule R-DKIM-001 fires in 18 ms.

JWP ReceiptPayload
kind "cyber.detect.dkim.fail"
spf_result softfail
dkim_result fail
joules 0.21
cite "RFC 6376 DKIM · RFC 7208 SPF · ATT&CK T1566.002"
sig "ed25519:0x4f...c1a"
04
ATT&CK T1534
Internal Spearphishing
0.18 J

DMARC (RFC 7489) policy p=reject quarantines the lure before delivery.

Receiver evaluates DMARC for the spoofed domain: the published policy is p=reject, pct=100. Alignment fails on both SPF and DKIM, so the message is routed to the quarantine queue rather than the inbox. An aggregate report (RUA) is emitted to the legitimate domain owner per RFC 7489 §7.2. Detector R-DMARC-014 covers ATT&CK T1534.

JWP ReceiptPayload
kind "cyber.detect.dmarc.reject"
dmarc_policy p=reject
disposition quarantine
joules 0.18
cite "RFC 7489 DMARC · ATT&CK T1534"
sig "ed25519:0x4f...c1a"
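The sender-authentication logic of steps 03 and 04 reduced to code, as an added illustration rather than CyberSecurityOS's own detector: the homoglyph look-alike check, RFC 7489 identifier alignment, and the disposition a receiver derives from the published policy. DNS lookups are out of scope, so the SPF and DKIM verdicts are passed in; the two-label organizational-domain rule and the homoglyph map are simplifying assumptions.

```python
from dataclasses import dataclass
# Assumption: small digit-for-letter homoglyph map covering the scenario's
# titlec0mpany.com; a production look-alike check uses a full confusables table.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def is_lookalike(candidate: str, trusted: str) -> bool:
    """True when candidate differs from trusted only by homoglyph substitutions."""
    c, t = candidate.lower(), trusted.lower()
    return c != t and c.translate(HOMOGLYPHS) == t


def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels (no Public Suffix List).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """RFC 7489 alignment: strict ('s') is an exact match with the RFC5322.From
    domain, relaxed ('r') only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str  # RFC5322.From domain, the one the user sees
    spf_result: str   # pass / softfail / fail / none (RFC 7208)
    spf_domain: str   # RFC5321.MailFrom domain SPF was evaluated for
    dkim_result: str  # pass / fail / none (RFC 6376)
    dkim_domain: str  # d= tag of the claimed DKIM signature


def dmarc_disposition(res: AuthResults, policy: str, pct: int = 100, adkim: str = "r",
                      aspf: str = "r", sample_bucket: int = 0,
                      reject_as_quarantine: bool = False) -> str:
    """Return 'none' (DMARC pass), 'quarantine' or 'reject'. reject_as_quarantine
    models the receiver local policy of step 04: published p=reject, lure quarantined."""
    spf_ok = res.spf_result == "pass" and aligned(res.spf_domain, res.from_domain, aspf)
    dkim_ok = res.dkim_result == "pass" and aligned(res.dkim_domain, res.from_domain, adkim)
    if spf_ok or dkim_ok:
        return "none"
    # pct sampling (RFC 7489 §6.6.4): a message outside the sample gets the
    # next-weaker policy; sample_bucket (0-99) is the receiver's draw, passed in.
    if sample_bucket >= pct:
        policy = {"reject": "quarantine"}.get(policy, "none")
    if policy == "reject" and reject_as_quarantine:
        return "quarantine"
    return policy
```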
05
ATT&CK T1657
Financial Theft
0.38 J

Wire-instruction payload is fingerprinted against the 2026 BEC signature set.

Even though the lure never reaches the inbox, the wire-change payload is hashed against the SimHash index of the 2026-Q1/Q2 wire-fraud campaign corpus (4,118 known lures). Closest-neighbor distance 0.07, well inside the 0.18 match threshold. ATT&CK T1657 (Financial Theft) covered; detector R-BEC-227 emits a witness receipt.

JWP ReceiptPayload
kind "cyber.detect.bec.match"
neighbor_distance 0.07
corpus_size 4,118
joules 0.38
cite "ATT&CK T1657 · SimHash 64-bit · corpus 2026-Q1Q2"
sig "ed25519:0x4f...c1a"
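An added worked example of the fingerprinting in step 05 (not the page's code): a 64-bit SimHash over lure text with normalized Hamming distance against the 0.18 threshold, run on a constructed two-lure corpus. Collapsing digit runs into one token is an assumption made here so that a re-used template with new bank details still matches; the lure texts and labels are constructed.

```python
import hashlib
import re

HASH_BITS = 64
MATCH_THRESHOLD = 0.18  # normalized Hamming distance, as in step 05


def features(text: str):
    """Word tokens of a lure body. Digit runs collapse to one placeholder, so a
    reused template with fresh routing/account numbers keeps the same features."""
    toks = re.findall(r"[a-z0-9]+", text.lower())
    return ["<num>" if t.isdigit() else t for t in toks]


def simhash(text: str) -> int:
    """64-bit SimHash: per feature add +1/-1 to each bit position, keep the sign."""
    v = [0] * HASH_BITS
    for f in features(text):
        h = int.from_bytes(hashlib.blake2b(f.encode(), digest_size=8).digest(), "big")
        for i in range(HASH_BITS):
            v[i] += 1 if (h >> i) & 1 else -1
    return sum(1 << i for i in range(HASH_BITS) if v[i] > 0)


def distance(a: int, b: int) -> float:
    """Hamming distance between two SimHashes, normalized to [0, 1]."""
    return bin(a ^ b).count("1") / HASH_BITS


def nearest(payload: str, corpus: dict):
    """(label, distance) of the closest corpus entry. Assumption: linear scan;
    a 4,118-lure index would bucket on hash prefixes instead."""
    h = simhash(payload)
    return min(((k, distance(h, v)) for k, v in corpus.items()), key=lambda kv: kv[1])


def is_match(payload: str, corpus: dict) -> bool:
    return nearest(payload, corpus)[1] <= MATCH_THRESHOLD

# Constructed sample corpus standing in for the 2026-Q1/Q2 campaign set.
LURE_A = ("Please note our wiring instructions have changed for your closing. "
          "Kindly send the funds to the updated account below and confirm once "
          "completed. Bank: First Example Bank. Routing: 000000000. Account: 111111111.")
LURE_B = ("Your invoice is overdue. Remit payment today to avoid late fees. "
          "Routing 123456789 account 987654321.")
CORPUS = {"lure-a": simhash(LURE_A), "lure-b": simhash(LURE_B)}
# Same template, new bank details: the usual shape of a re-used BEC lure.
VARIANT = LURE_A.replace("000000000", "222222222").replace("111111111", "333333333")
UNRELATED = "Team lunch: Friday at noon. RSVP via calendar invite by Wednesday."
```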
06
Coverage
ATT&CK Navigator
0.12 J

Coverage layer asserts: 3 techniques attempted, 3 detected, 0 misses.

ATT&CK Navigator layer regenerated from the run: T1078.004 detected by R-AUTH-031, T1566.002 detected by R-DKIM-001, T1534 detected by R-DMARC-014, T1657 detected by R-BEC-227. Heat map renders 4 cells green, 596 cells outside scenario scope unchanged. Coverage delta vs last quarter: +2 techniques.

JWP ReceiptPayload
kind "cyber.coverage.layer.published"
techniques_covered 4
delta_vs_q1 +2
joules 0.12
cite "ATT&CK Navigator v5 · ATT&CK v15.1"
sig "ed25519:0x4f...c1a"
07
Witnessed Detection
Receipt chain
0.34 J

Every detection is a receipt — the SIEM is the receipt log.

Four detector firings emit four cyber.detect.* receipts, each pinning the input artifact hash (header bundle, payload SimHash, OAuth token JWT ID) and the rule id and version. Aggregate detection latency 21 ms p95. The receipt log is queried by ComplianceOS as evidence for AU-12 and SI-4.

JWP ReceiptPayload
kind "cyber.detect.attested"
detections_signed 4
p95_latency_ms 21
joules 0.34
cite "ATT&CK v15.1 · 800-53 Rev 5 SI-4"
sig "ed25519:0x4f...c1a"
08
Range Teardown
OpenTofu destroy
1.08 J

The range tears down; the signed run artifact persists.

OpenTofu destroy: 14 resources removed, 0 residual. The scenario's full signed transcript — provision plan, emulation steps, detector firings, coverage layer — is written to the immutable run archive as one BLAKE3-addressed bundle. Re-running the same scenario id reproduces the same coverage outcome.

JWP ReceiptPayload
kind "cyber.range.archived"
resources_destroyed 14
bundle_kb 428
joules 1.08
cite "OpenTofu HCL2 · BLAKE3 content addressing"
sig "ed25519:0x4f...c1a"
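The receipt chain of steps 07 and 08 as an added example, not CyberSecurityOS code: each receipt pins the artifact hash and rule id/version, chains to the previous receipt's signature, and the whole run collapses to one content-addressed bundle whose address is stable across re-runs. BLAKE2b and HMAC-SHA256 under a constructed key are stand-ins for the page's BLAKE3 and Ed25519; the signer and verifier are pluggable so a real signature scheme drops in.

```python
import hashlib
import hmac
import json

# Assumption: BLAKE2b stands in for the page's BLAKE3 (not in the stdlib), and
# HMAC-SHA256 under a constructed key stands in for its Ed25519 signatures.
_DEMO_KEY = b"constructed-demo-key"

def content_address(data: bytes) -> str:
    return "blake2b:" + hashlib.blake2b(data, digest_size=32).hexdigest()

def canonical(body: dict) -> bytes:
    # Deterministic encoding, so signer and verifier hash byte-identical input.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def demo_sign(msg: bytes) -> str:
    return hmac.new(_DEMO_KEY, msg, "sha256").hexdigest()

def demo_verify(msg: bytes, sig: str) -> bool:
    return hmac.compare_digest(demo_sign(msg), sig)


class ReceiptLog:
    """Append-only log of detection receipts: each pins the input artifact hash
    and rule id/version, and chains to the previous receipt's signature."""

    def __init__(self, signer=demo_sign, verifier=demo_verify):
        self.signer, self.verifier = signer, verifier  # pluggable signature scheme
        self.receipts = []

    def emit(self, kind: str, rule: str, rule_version: str, artifact: bytes, **fields):
        body = dict(fields, kind=kind, rule=rule, rule_version=rule_version,
                    artifact=content_address(artifact),
                    prev=self.receipts[-1]["sig"] if self.receipts else None)
        body["sig"] = self.signer(canonical(body))
        self.receipts.append(body)
        return body

    def verify(self) -> bool:
        prev = None  # recheck every signature and prev-link; False on tampering
        for r in self.receipts:
            body = {k: v for k, v in r.items() if k != "sig"}
            if body["prev"] != prev or not self.verifier(canonical(body), r["sig"]):
                return False
            prev = r["sig"]
        return True

    def bundle_address(self) -> str:
        # One content-addressed bundle for the whole run, as in step 08.
        return content_address(canonical({"receipts": self.receipts}))
```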

CyberSecurityOS, in one line

5.08 joules. One receipt.

CyberSecurityOS handles defense as a typed, signed, energy-metered operation. The whole pillar is one shape: take a claim, do the work, sign the receipt.