K0NSULT // ai-truth/ipIII

Rules of Engagement + scoring rubric

The contract of an attack/defense exercise: scope, authorization, safety, communication and success criteria. Without a signed RoE no offensive action — not even a simulated one against an agreed target — starts. This is a governance document, not an invitation to attack.

EXERCISE-LOG · STAGING · NOINDEX. A working document for an exercise in a demonstration environment, noindex,nofollow. The exercise has status SIMULATION / PLANNED. The RoE is not yet signed, so its status is GAP. Until both parties sign and grant written authorization, no offensive or simulated action is performed. The partner's name stays anonymous (a financial-institution group) until the RoE is signed: no signature = no proof = no name.
Signature BEFORE action. No RoE = no authorization = no exercise.

Partner cohort: ~50 pentesters from a financial-institution group, invitation anonymous, status PUBLIC_CLAIM / PLANNED. On the K0NSULT side: a modeled roster of 52,549 in a registry (status DATA, a ledger, not live agents) and an executable swarm bounded by real infrastructure, status LIVE. The canonical rule: SWARM ≠ REGISTRY.

PATH: RoE draft → LEGAL REVIEW → SIGNATURE OF BOTH PARTIES → DECONFLICTION → TIME WINDOW → EXERCISE → REPORT → CORRECTIVE ACTIONS

1 · Purpose of the exercise

2 · Scope

IN SCOPE agreed

Only the systems/segments named explicitly in the signed RoE. Exercise accounts and data. Scenarios BAS-01..05 from layers L1/L2. Time window defined in §6.

OUT OF SCOPE forbidden

Production systems with real customer data, LIVE payments, third-party infrastructure, suppliers, destructive DoS/DDoS, physical access, social engineering of persons who have not consented, exfiltration of real personal data.

Boundary conditions

No action that could cause service unavailability to customers. No modification/deletion of data. All exercise artefacts labelled and removable. Kill-switch on the White cell side.

3 · Safe harbor / written authorization

Necessary condition. The RoE must be signed by authorized representatives of both parties before any action. As long as there is no signature, the status of the whole is GAP, and any offensive action is unauthorized and forbidden. Safe harbor covers only actions within the signed scope and time window. Going out of scope voids the protection and triggers an immediate stop.
Authorization element | Requirement | Status
Written RoE (both signatures) | before start, versioned | GAP — not signed
System owner authorization | named consent for the target | GAP
Scope and exclusions (§2) | approved and signed | DRAFT
Safe harbor clause | in the RoE text | DRAFT
GDPR/DPIA consent for exercise data | no real personal data | DRAFT
Insurance / liability | agreed in the contract | DRAFT

4 · Deconfliction

5 · Communication channels

Primary channel

A dedicated, encrypted exercise channel (out-of-band relative to the tested systems). Conversation log retained as evidence.

Escalation channel

A direct line White ↔ party leads. Triggered on scope breach or a real incident.

Technical channel

Telemetry/evidence exchange purple ↔ blue. Feeds the Evidence Board and Exercise Board.

6 · Time window

7 · Roles — exercise cells

Cell | Role | Responsibility
White | control / arbiter | authorization, deconfliction, kill-switch, action register, dispute arbitration, RoE compliance
Red | simulated offence | execution of BAS scenarios within scope; methodology/TTP only, in an isolated environment
Blue | detection / response | detection, investigation, containment, delivering evidence for every detection
Purple | measurement / correlation | linking red actions to blue detections, scoring, MTTD/MTTR, report, lessons learned

8 · Escalation rules

  1. Stop-the-exercise: either party may demand an immediate pause (agreed stop keyword). White confirms in <5 min.
  2. Scope breach: automatic stop, review, resumption only after correction and acceptance.
  3. Real incident: exercise frozen, switch to the production response playbook.
  4. Impact on customers/production: unconditional stop, priority to restoring services over continuing the exercise.

9 · Success criteria — scoring rubric

The rubric measures proven defence effectiveness. Results from the Exercise Board feed the "measure" column.

Criterion | Weight | Grade A (exemplary) | Grade C (needs correction) | Measure / proof
Detection coverage (ATT&CK) | 25% | ≥ 90% of techniques detected | 50–69% | round board + telemetry
MTTD (time to detect) | 20% | median ≤ 15 min for P0 | ≤ 60 min | SIEM/EDR timestamps
MTTR (time to respond) | 20% | median ≤ 20 min for P0 | ≤ 90 min | ticket + blue action log
Evidence completeness | 20% | 100% of detections with proof | ≥ 60% | Evidence Board
No GAP in closures | 10% | 0 closures without proof | ≤ 2 | closure register
Playbook compliance | 5% | response per procedure | partial | round → playbook mapping
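As an added example (not code from the page or from K0NSULT's tooling), the purple cell's job from §7 applied to the rubric above: pair each red action with the blue detection for the same round, reject a detection stamped before the action that supposedly triggered it (clock skew or a deconfliction failure, not a detection), compute the medians and ratios, and grade each criterion. The weights and the A/C thresholds are the page's own; the red/blue logs, the closure register, the A = 1 / C = 0.5 / below-C = 0 point mapping, the reading of the C column as a floor (meets C but not A = C), and MTTR measured from detection to containment are assumptions of this example.

```python
"""Purple-cell correlation and scoring of one BAS round against the §9 rubric.

Added example. Weights and A/C thresholds come from the page; every log line,
the closure register and the letter-to-points mapping are constructed.
"""
from datetime import datetime
from statistics import median

# §9 weights (page's own) and an ASSUMED points mapping: the page gives only
# A and C thresholds, so anything below the C floor is scored as a GAP.
WEIGHTS = {"coverage": 25, "mttd": 20, "mttr": 20,
           "evidence": 20, "closures": 10, "playbook": 5}
POINTS = {"A": 1.0, "C": 0.5, "GAP": 0.0}

# Constructed red action log: one BAS scenario per round.
RED_ACTIONS = [
    {"round": 1, "technique": "T1059.001", "executed": "2025-01-15T10:00:00"},
    {"round": 2, "technique": "T1078",     "executed": "2025-01-15T10:20:00"},
    {"round": 3, "technique": "T1021.001", "executed": "2025-01-15T10:40:00"},
    {"round": 4, "technique": "T1003.001", "executed": "2025-01-15T11:00:00"},
    {"round": 5, "technique": "T1048",     "executed": "2025-01-15T11:20:00"},
]
# Constructed blue log: a claimed detection per round, with evidence ID
# (SIEM/EDR reference) and whether the response followed the playbook.
# Round 5 is stamped BEFORE the red action and must be rejected.
BLUE_EVENTS = [
    {"round": 1, "detected": "2025-01-15T10:08:00", "contained": "2025-01-15T10:25:00", "evidence": "SIEM-4711", "playbook": True},
    {"round": 2, "detected": "2025-01-15T10:32:00", "contained": "2025-01-15T11:10:00", "evidence": "EDR-0092",  "playbook": True},
    {"round": 3, "detected": "2025-01-15T10:55:00", "contained": "2025-01-15T11:05:00", "evidence": None,        "playbook": False},
    {"round": 4, "detected": "2025-01-15T11:09:00", "contained": "2025-01-15T11:27:00", "evidence": "SIEM-4720", "playbook": True},
    {"round": 5, "detected": "2025-01-15T11:15:00", "contained": "2025-01-15T11:40:00", "evidence": "EDR-0101",  "playbook": True},
]
# Constructed closure register: a closure without proof is an open GAP.
CLOSURES = [
    {"round": 1, "proof": "patch-ticket-1"},
    {"round": 2, "proof": None},
    {"round": 4, "proof": "isolation-log"},
]


def _minutes(start: str, end: str) -> float:
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def correlate(red, blue):
    """Pair red actions with blue events of the same round.

    A detection timestamped before the red action cannot have been caused
    by it, so it is discarded rather than credited as a detection.
    """
    by_round = {e["round"]: e for e in blue}
    pairs = []
    for act in red:
        ev = by_round.get(act["round"])
        if ev is not None and datetime.fromisoformat(ev["detected"]) < datetime.fromisoformat(act["executed"]):
            ev = None
        pairs.append((act, ev))
    return pairs


def grade(value, meets_a, meets_c) -> str:
    """A if the A threshold is met, C if only the C floor is, else GAP."""
    if value is None:
        return "GAP"
    if meets_a(value):
        return "A"
    return "C" if meets_c(value) else "GAP"


def score_round(red=RED_ACTIONS, blue=BLUE_EVENTS, closures=CLOSURES):
    pairs = correlate(red, blue)
    detected = [(a, e) for a, e in pairs if e is not None]
    coverage = 100.0 * len(detected) / len(red)
    # MTTD/MTTR are medians over detected rounds only; an undetected round
    # is a coverage failure, not an infinite detection time.
    mttd = median(_minutes(a["executed"], e["detected"]) for a, e in detected) if detected else None
    mttr = median(_minutes(e["detected"], e["contained"]) for a, e in detected) if detected else None
    evidence = 100.0 * sum(1 for _, e in detected if e["evidence"]) / len(detected) if detected else 0.0
    playbook = sum(1 for _, e in detected if e["playbook"]) / len(detected) if detected else 0.0
    open_closures = sum(1 for c in closures if not c["proof"])

    grades = {
        "coverage": grade(coverage, lambda v: v >= 90, lambda v: v >= 50),
        "mttd":     grade(mttd, lambda v: v <= 15, lambda v: v <= 60),
        "mttr":     grade(mttr, lambda v: v <= 20, lambda v: v <= 90),
        "evidence": grade(evidence, lambda v: v == 100, lambda v: v >= 60),
        "closures": grade(open_closures, lambda v: v == 0, lambda v: v <= 2),
        "playbook": grade(playbook, lambda v: v == 1.0, lambda v: v > 0),
    }
    total = sum(WEIGHTS[k] * POINTS[g] for k, g in grades.items())
    measures = {"coverage_pct": coverage, "mttd_min": mttd, "mttr_min": mttr,
                "evidence_pct": evidence, "closures_without_proof": open_closures,
                "playbook_ratio": playbook}
    return {"measures": measures, "grades": grades, "score": total}


if __name__ == "__main__":
    result = score_round()
    for k, v in result["measures"].items():
        print(f"{k:24} {v}")
    print(result["grades"], "score:", result["score"])
```

On the constructed input, round 5 is rejected (blue's timestamp precedes red's), coverage drops to 80% (grade C), round 3 lacks an evidence ID and a playbook-conformant response, and one closure has no proof; the weighted score comes out at 70. The same rejection rule is what protects the rubric against a blue cell that back-dates alerts or reads the red calendar instead of its telemetry: a detection that cannot be tied to a red action after the fact is not a detection.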

10 · How K0NSULT "proves itself" (metric → proof)

Claim | Required proof | Status
"We detected technique X" | SIEM log / EDR alert with signature and time | SIMULATION
"We responded in Y min" | response ticket + containment-action timestamp | SIMULATION
"We closed the incident" | proof of remediation (patch/isolation/rotation), no GAP | SIMULATION
"Roster of 50,000 specialists" | registry ledger: DATA, not live agents | DATA
"The executable swarm runs" | ~16 in parallel / up to 1000 per workflow, on real infra | LIVE
"5k/10k agents per cycle, 15× metaGO" | orchestration doctrine, not current state | ROADMAP
"~50 partner pentesters invited" | signed RoE; only then are name and number confirmed | PLANNED

11 · After the exercise

Report

Hotwash within 24h + full report: round-by-round flow, scoring, MTTD/MTTR, ATT&CK coverage map, list of GAPs with evidence.

Lessons learned

Blue/red/purple findings, telemetry gaps, missing detection rules, weak points in procedures.

Corrective actions

A list of remediations with owner, deadline and an evidentiary-closure criterion. Retest of selected GAPs.

Clean-up

Removal of exercise artefacts, rotation of test accounts, confirmation of restoration to the initial state.

12 · Readiness checklist

[ ] RoE signed by both parties GAP
[ ] System owner authorization (named) GAP
[ ] Scope in/out confirmed and versioned DRAFT
[ ] Safe harbor in the RoE text DRAFT
[ ] Deconfliction signal agreed DRAFT
[ ] Time window + blackout windows agreed DRAFT
[ ] Communication channels (primary/escalation/technical) live DRAFT
[ ] Cell roles (White/Red/Blue/Purple) staffed DRAFT
[ ] Scoring rubric accepted by both parties DRAFT
[ ] Isolated environment + kill-switch tested DRAFT
[ ] GDPR/DPIA consent (no real personal data) DRAFT
Overriding principle. The exercise does not start with an open GAP in the readiness checklist, just as the portal does not close an incident without proof. The partner's name appears only after a signed RoE; until then anonymity applies (a financial-institution group). This is not a formality; it is the same currency of trust: claim ≤ proof.
References. The methodology rests on recognised frameworks: TIBER-EU, DORA TLPT (threat-led penetration testing), PTES, OWASP WSTG/Top10, MITRE ATT&CK, the Cyber Kill Chain, tabletop/BAS. Related pages: Sentinel · Hackathon · Banking demo · Evidence-first · Evidence Board.