The contract of an attack/defense exercise: scope, authorization, safety, communication and success criteria. Without a signed RoE no offensive action — not even a simulated one against an agreed target — starts. This is a governance document, not an invitation to attack.
The exercise has status SIMULATION / PLANNED. The RoE is not yet signed (status GAP). Until both parties sign and grant written authorization, no offensive or simulated action is performed. The partner's name stays anonymous (a financial-institution group) until the RoE is signed: no signature = no proof = no name.
Partner cohort: ~50 pentesters from a financial-institution group; invitation anonymous; status PUBLIC_CLAIM / PLANNED. On the K0NSULT side: a modelled roster of 52,549 in a registry (status DATA: a ledger, not live agents) and an executable swarm bounded by real infrastructure (status LIVE). The canonical rule: SWARM ≠ REGISTRY.
In scope: only the systems/segments named explicitly in the signed RoE; exercise accounts and data; scenarios BAS-01..05 from layers L1/L2; the time window defined in §6.
Out of scope: production systems with real customer data, LIVE payments, third-party infrastructure, suppliers, destructive DoS/DDoS, physical access, social engineering of people who have not consented, exfiltration of real personal data.
Safety constraints: no action that could cause service unavailability to customers; no modification or deletion of data; all exercise artefacts labelled and removable; kill-switch on the White cell side.
| Authorization element | Requirement | Status |
|---|---|---|
| Written RoE (both signatures) | before start, versioned | GAP — not signed |
| System owner authorization | named consent for the target | GAP |
| Scope and exclusions (§2) | approved and signed | DRAFT |
| Safe harbor clause | in the RoE text | DRAFT |
| GDPR/DPIA consent for exercise data | no real personal data | DRAFT |
| Insurance / liability | agreed in the contract | DRAFT |
A dedicated, encrypted exercise channel (out-of-band relative to the tested systems). The conversation log is retained as evidence.
A direct line between White and the party leads, triggered on a scope breach or a real incident.
Telemetry/evidence exchange between purple and blue; it feeds the Evidence Board and the Exercise Board.
| Cell | Role | Responsibility |
|---|---|---|
| White | control / arbiter | authorization, deconfliction, kill-switch, action register, dispute arbitration, RoE compliance |
| Red | simulated offence | execution of BAS scenarios within scope; methodology/TTP only, in an isolated environment |
| Blue | detection / response | detection, investigation, containment, delivering evidence for every detection |
| Purple | measurement / correlation | linking red actions to blue detections, scoring, MTTD/MTTR, report, lessons learned |
The rubric measures proven defence effectiveness. Results from the Exercise Board feed the "measure" column.
| Criterion | Weight | Grade A (exemplary) | Grade C (needs correction) | Measure / proof |
|---|---|---|---|---|
| Detection coverage (ATT&CK) | 25% | ≥ 90% of techniques detected | 50–69% | round board + telemetry |
| MTTD (time to detect) | 20% | median ≤ 15 min P0 | ≤ 60 min | SIEM/EDR timestamps |
| MTTR (time to respond) | 20% | median ≤ 20 min P0 | ≤ 90 min | ticket + blue action log |
| Evidence completeness | 20% | 100% of detections with proof | ≥ 60% | Evidence Board |
| No GAP in closures | 10% | 0 closures without proof | ≤ 2 | closure register |
| Playbook compliance | 5% | response per procedure | partial | round → playbook mapping |
| Claim | Required proof | Status |
|---|---|---|
| "We detected technique X" | SIEM log / EDR alert with signature and time | SIMULATION |
| "We responded in Y min" | response ticket + containment-action timestamp | SIMULATION |
| "We closed the incident" | proof of remediation (patch/isolation/rotation) — no GAP | SIMULATION |
| "Roster of 50,000 specialists" | registry ledger — DATA, not live agents | DATA |
| "The executable swarm runs" | ~16 in parallel / up to 1000 per workflow — real infra | LIVE |
| "5k/10k agents per cycle, 15× metaGO" | orchestration doctrine, not current state | ROADMAP |
| "~50 partner pentesters invited" | signed RoE — only then are name and number confirmed | PLANNED |
Hotwash within 24 h, followed by a full report: round-by-round flow, scoring, MTTD/MTTR, ATT&CK coverage map, list of GAPs with evidence.
Blue/red/purple findings, telemetry gaps, missing detection rules, weak points in procedures.
A list of remediations with owner, deadline and an evidentiary-closure criterion. Retest of selected GAPs.
Removal of exercise artefacts, rotation of test accounts, confirmation of restoration to the initial state.