Artifact Contracts
Artifact contracts define the minimum fields required for reusable CTI, hunting, and detection-engineering outputs.
PIR Register
A PIR row MUST include:
- pir_id
- decision_owner
- decision
- question
- time_horizon
- status
- confidence_threshold
SIR Register
A SIR row MUST include:
- sir_id
- pir_id
- question
- data_source
- evidence_type
- owner
- due_date
- status
Evidence Register
An evidence row MUST include:
- evidence_id
- claim_id
- actor_id
- source_id
- claim
- source_quote_or_summary
- evidence_label
- source_reliability
- information_credibility
- analyst_confidence
- confidence_reason
- contradiction_or_gap
- notes
Persona Claims Register
A persona claim row MUST include:
- claim_id
- persona
- claim_date
- claimed_victim
- claimed_sector
- claim_channel
- evidence_captured
- local_telemetry_match
- third_party_corroboration
- confidence
- recommended_comms_action
- legal_comms_owner
- status
- notes
Persona claims MUST remain separate from evidence-backed intrusion claims. A Telegram post, leak-site post, or public claim MAY trigger preservation and triage, but it MUST NOT be promoted to confirmed compromise without telemetry, victim statement, government advisory, or credible third-party technical corroboration.
Threat Scenario Register
A threat scenario row MUST include:
- scenario_id
- pir_id
- actor_or_pattern
- asset_or_sector
- attack_path
- likelihood
- impact
- exposure
- detection_gap
- time_sensitivity
- priority_score
- status
Hunt Backlog
A hunt row MUST include:
- hunt_id
- scenario_id
- hypothesis
- required_telemetry
- query_path
- expected_observable
- status
- owner
Detection Backlog
A detection row MUST include:
- detection_id
- title
- scenario_id
- attack_id
- data_source
- drl
- rule_path
- test_status
- soc_action
- owner
- priority
- platform_field_mapping
- drl_evidence_pack
Gate Evidence Pack
A gate evidence pack MUST include:
- Gate result.
- Scope.
- Required evidence table.
- Blockers or explicit statement that no blockers remain.
- Approver or owner.
- Review date.
Metrics Register
A metrics row MUST include:
- metric_id
- metric_name
- scope
- value
- unit
- measurement_date
- owner
- notes
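The contracts above are machine-checkable. The following added example (not part of the original page) validates rows against the PIR and Persona Claims contracts and applies the promotion rule from the Persona Claims section; it assumes that local_telemetry_match and third_party_corroboration are the fields that record corroboration, and that the corroboration field reads "none" or empty when nothing has been recorded.

```python
"""Validate register rows against the artifact contracts on this page.

Added example, not part of the original page. Required-field lists are copied
from the contracts; the promotion check treats local_telemetry_match and
third_party_corroboration as the row's corroboration fields (assumption).
"""

# Required fields, copied from the PIR and Persona Claims contracts.
CONTRACTS = {
    "pir": ("pir_id", "decision_owner", "decision", "question",
            "time_horizon", "status", "confidence_threshold"),
    "persona_claim": ("claim_id", "persona", "claim_date", "claimed_victim",
                      "claimed_sector", "claim_channel", "evidence_captured",
                      "local_telemetry_match", "third_party_corroboration",
                      "confidence", "recommended_comms_action",
                      "legal_comms_owner", "status", "notes"),
}


def missing_fields(contract: str, row: dict) -> list:
    """Return the contract's required fields that the row lacks, in order."""
    return [f for f in CONTRACTS[contract] if row.get(f) is None]


def may_promote_to_confirmed(claim: dict) -> bool:
    """Gate from persona claim to confirmed compromise.

    A leak-site or Telegram post alone is never enough; the row needs a local
    telemetry match or recorded third-party corroboration (victim statement,
    government advisory, credible technical report). Assumption: the free-text
    corroboration field is 'none' or empty when nothing has been recorded.
    """
    if missing_fields("persona_claim", claim):
        return False  # an incomplete row cannot be promoted
    telemetry = claim["local_telemetry_match"] is True
    corroboration = str(claim["third_party_corroboration"]).strip().lower()
    return telemetry or corroboration not in ("", "none", "no")


# Constructed sample: a leak-site claim captured, no corroboration yet.
SAMPLE_CLAIM = {
    "claim_id": "CLM-0001", "persona": "example-persona",
    "claim_date": "2024-01-01", "claimed_victim": "Example Corp",
    "claimed_sector": "manufacturing", "claim_channel": "leak site",
    "evidence_captured": "screenshot archived", "local_telemetry_match": False,
    "third_party_corroboration": "none", "confidence": "low",
    "recommended_comms_action": "hold", "legal_comms_owner": "legal",
    "status": "triage", "notes": "",
}
```

Extending CONTRACTS with the remaining registers on this page is a matter of copying their field lists; the same missing_fields check then applies to every artifact.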