Evidence Packs

Definition: an Evidence Pack is a defender-ready companion to an attack model. It turns steps and prerequisites into an evidence map: what to log, where to look, what to baseline, and how to validate safely.

Free: Evidence Pack Lite generates an exportable Markdown pack and an observability score from a Composer model plus a structured telemetry self-check.

Premium: Environment-aware Evidence Packs generated in-product from your inputs. Upload an environment profile and telemetry inventory, optionally add schema samples. You get confidence scoring, correlation logic, multi-SIEM query bundles, baselines, and audit-ready exports, with an optional automation add-on for bulk workflows.

Why practitioners use this

Most teams can agree on a scenario, but they struggle to convert it into operational work. Evidence Packs close that gap. They produce what people actually need for day-to-day execution: evidence hooks per step, safe validation tasks, and a short, defensible backlog of the missing telemetry that limits certainty.

Evidence Pack Lite builder

1) Load a Composer model

Upload a Composer JSON export, paste JSON, or pull your latest model from the Composer page.

2) Quick telemetry self-check

This does not collect logs. It is a structured checklist that lets the pack compute observability and highlight blind spots.

Premium edition

In Premium, you upload an environment profile, a telemetry and logging inventory, and optional schema samples. The platform uses that input to generate environment-aware baselines, confidence scoring, correlation logic, and SIEM-ready query packs. A CLI automation add-on is available for bulk generation and CI-style workflows.

3) Generate and export

You will get a step-by-step evidence map, an observability table, and a safe validation plan. Export as Markdown for tickets and runbooks.

Defensive use only. This tooling avoids exploit instructions and focuses on prerequisites, observables, and defensive actions. If you have feedback, email [email protected].

Premium edition inputs and outputs

Premium Evidence Packs are generated inside your workspace for a specific environment. You upload a small, structured set of inputs through the interface. The package includes templates and guidance so teams can build consistently across sites without exposing raw events.

What you input

What you get

Designed to scale from one site to multi-site estates. If you need deeper tailoring, we also offer optional consulting for field mapping, bespoke correlations, and environment-specific validation rules.

How scoring works

Observability is about whether you can see each step with your current telemetry. Lite uses your self-check to score the availability and retention of key sources, then highlights the blind spots that limit path validation.

Confidence is about corroboration across independent sources and clean correlation. That is Premium because it requires field mapping, correlation logic, and environment-aware baselining.
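
The two scoring ideas above (observability from a telemetry self-check, blind spots that limit path validation) can be shown end to end in a small script. The following is an added example, not the product's own code: the shape of the Composer model, the shape of the self-check, the 30-day retention threshold and the averaging formula are all assumptions chosen for illustration, and the step names and telemetry entries are constructed.

```python
"""Illustrative observability scorer in the style of an Evidence Pack Lite
self-check. Added example: the model shape, self-check shape and scoring
formula are assumptions, not the product's real ones."""
from dataclasses import dataclass
from statistics import mean

# Hypothetical minimum retention (days) needed to validate a path end-to-end.
REQUIRED_RETENTION_DAYS = 30


@dataclass
class Step:
    name: str
    # Telemetry sources that would evidence this step (naming is assumed).
    sources: list


# Constructed stand-in for a Composer model export (shape is assumed).
MODEL = [
    Step("Initial access via phishing attachment", ["email_gateway", "endpoint_process"]),
    Step("Credential use on file server", ["auth_logs", "file_share_audit"]),
    Step("Lateral movement over SMB", ["netflow", "endpoint_process", "auth_logs"]),
    Step("Data staging and exfil", ["netflow", "proxy_logs", "file_share_audit"]),
]

# Constructed self-check: availability and retention per source, no raw logs.
SELF_CHECK = {
    "email_gateway":    {"available": True,  "retention_days": 90},
    "endpoint_process": {"available": True,  "retention_days": 14},
    "auth_logs":        {"available": True,  "retention_days": 365},
    "file_share_audit": {"available": False, "retention_days": 0},
    "netflow":          {"available": True,  "retention_days": 7},
    "proxy_logs":       {"available": True,  "retention_days": 60},
}


def source_score(entry: dict) -> float:
    """0.0 if the source is absent; otherwise retention coverage capped at 1.0."""
    if not entry.get("available"):
        return 0.0
    return min(entry.get("retention_days", 0) / REQUIRED_RETENTION_DAYS, 1.0)


def step_score(step: Step, self_check: dict) -> float:
    """Mean coverage of the sources a step relies on; unknown sources count as 0."""
    return mean(source_score(self_check.get(s, {})) for s in step.sources)


def observability(model: list, self_check: dict) -> float:
    """Overall observability: mean of the per-step scores, rounded to 3 places."""
    return round(mean(step_score(s, self_check) for s in model), 3)


def blind_spots(model: list, self_check: dict) -> list:
    """Sources that are missing or under-retained, ranked by how many steps need them."""
    counts = {}
    for step in model:
        for s in step.sources:
            if source_score(self_check.get(s, {})) < 1.0:
                counts[s] = counts.get(s, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def to_markdown(model: list, self_check: dict) -> str:
    """Render an observability table plus a blind-spot backlog for a ticket or runbook."""
    lines = ["| Step | Sources | Score |", "|---|---|---|"]
    for step in model:
        lines.append(f"| {step.name} | {', '.join(step.sources)} | {step_score(step, self_check):.2f} |")
    lines.append("")
    lines.append(f"Observability: {observability(model, self_check):.2f}")
    lines.append("")
    lines.append("Blind spots (source: dependent steps):")
    for s, n in blind_spots(model, self_check):
        lines.append(f"- {s}: {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_markdown(MODEL, SELF_CHECK))
```

With the constructed inputs the overall score is 0.55, and the blind-spot list surfaces the missing file-share auditing and the short endpoint and netflow retention as the items that limit path validation. Confidence scoring as described for Premium is deliberately not modelled here, because it needs field mapping and cross-source correlation that a self-check alone cannot supply.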

Where this fits