Registry

Coverage map of HawkinsOps closed claims and their Ledger review state. Every case study gets a row. Every row names its status honestly: reviewed, queued, not yet assigned, or a system surface that pairs at the component-claim level.

Reviewer shortcut

Claim status matrix

The matrix collapses this registry into claim families: supported wording, blocked wording, current route, paired external surface, and next gate. Unreviewed rows are unresolved on RayleeOps, not disproven.

Open the public claim status matrix →

As of 2026-04-29 · 1 resolved · 2 reviewed/narrowed · 1 queued cross-cutting sub-claim · 18 unreviewed · 3 system surfaces

System & flagship

signalfoundry · hawkinsops.com

Incident response & recovery

case-study-race-condition · hawkinsops.com

Detection engineering

case-study-sigma-library · hawkinsops.com

Sigma Detection Library

Reviewed/narrowed

Artifact / surface: case-study-sigma-library
Supported claim: 103-rule Sigma library with count, drift, UUID uniqueness, and strict content validation.
Blocked claim: runtime signal; universal SIEM deployability.
What changed: File/count proof was separated from runtime/signal proof.
Next gate: link runtime/signal proof artifact before any signal or deployability claim.
Receipt: The Counter Certified Nothing

case-study · hawkinsops.com

Wazuh Rule Blocks — Authored and Validated

No public review

case-study-wazuh · hawkinsops.com

Wazuh Windows Telemetry Remediation

Reviewed/narrowed

Artifact / surface: case-study-wazuh
Supported claim: Historical primary-endpoint process-creation telemetry restoration and manager-to-indexer delivery validation during remediation window.
Blocked claim: fleet-wide visibility; current-runtime visibility.
What changed: Historical remediation-window proof was separated from current/fleet claims.
Next gate: link evidence/proof artifact for current and fleet visibility before either claim is made.
Receipt: The Dashboard Lied Politely

case-study-detection-harness · hawkinsops.com

Threat hunting

case-study-threat-hunt-4688 · hawkinsops.com

Live Splunk Threat Hunt — EventID 4688

No public review

case-study-splunk-codex-hunt · hawkinsops.com

When AI Tooling Looks Like a LOLBin

No public review

Infrastructure & hardening

enterprise-security · hawkinsops.com

Cross-cutting sub-claims

auto-close metric · benchmark surfaces

Auto-close metric — ~88% headline figure

Queued Sub-claim across signalfoundry, case-studies, and proof. Review question: defend the headline with caveats, or retract.

Registry

Claim status matrix

System & flagship

SignalFoundry

Detection Coverage

Signal Architecture — AutoSOC System Model

March 2026 System Hardening & Pipeline Evolution

Incident response & recovery

Production Race Condition Recovery

Pipeline Fault Recovery — Two Failure Domains

IR Case: Level 12 FIM Alert — Triage to BENIGN

IR Playbook Library

CVE-2025-55130 — Detect to Remediation

Hotfix RCA: Triage Quality Chart Renderer

AutoSOC Infrastructure Cutover

Detection engineering

Sigma Detection Library

Wazuh Rule Blocks — Authored and Validated

Wazuh Windows Telemetry Remediation

Wazuh Detection Harness

Splunk Detection Rule Audit — Four Noise Sources

Migrating Legacy Detection Rules from Python 2 to Python 3

Threat hunting

Live Splunk Threat Hunt — EventID 4688

When AI Tooling Looks Like a LOLBin

Infrastructure & hardening

Enterprise Security Hardening

Audit Policy Baseline Assessment

Cowrie Honeypot + Wazuh + Grafana

Honeypot (Wazuh) Sanitized Alert Proof

PP_SOC Integration — Live Detection Workflow

Cross-cutting sub-claims

Auto-close metric — ~88% headline figure