Downloads Catalog
Every artifact aligned to SOaC's five pillars. GitHub is the source of truth — direct downloads are provided where files are available locally.
🚀 Start Here
SOaC Enterprise White Paper v2.0
v2.0 | March 2026
Executive overview of the Distributed Intelligence Architecture — board-ready presentation of vision, ROI, and adoption roadmap.
CISO Transformation Guide v2.0 (PDF)
v2.0 | March 2026
From reactive risk to programmable resilience — strategic framework for CISOs evaluating SOaC adoption across all four operational roles.
What's New in v2.0-PLATINUM
v2.0 | March 2026
Comprehensive release brief — Four-Role Model, Evidence Engine, Team Games, all verified MTIP packages.
Executive Architecture Brief v2.0
v2.0 | March 2026
Two-page strategic snapshot of the Distributed Intelligence Architecture — four pillars, role-to-pillar mapping, deployment topology.
Architecture Reference v2.0 (PDF)
v2.0 | March 2026
Technical blueprint covering all four pillars, data flow, role-to-pillar mapping, and Play → Verify → Integrate deployment topology.
Validation & Evidence Model v2.0 (PDF)
v2.0 | March 2026
Three-level validation framework — Schema (L1), Cross-Reference (L2), Replay & Evidence (L3) with Evidence Bundles.
How It Works — Technical Overview v2.0 (PDF)
v2.0 | March 2026
End-to-end walkthrough of the SOaC data path with deployment models and integration patterns.
SOC / IR Deployment Runbook v2.0 (PDF)
v2.0 | March 2026
Operational playbook for SOC analysts and incident responders — lab setup, scenario execution, CLAW deployment, and role-based workflows.
Team Game Operations Guide v2.0 (PDF)
v2.0 | March 2026
Multi-role team simulations — role selection, walkthroughs, scoring, and After Action Review (AAR) templates.
Platform Operating Model v2.0 (PDF)
v2.0 | March 2026
Governance, ownership, change management, and steady-state operations — RACI matrices, KPIs, and escalation paths.
CLAW Playbook Schema v1.0 Spec (PDF)
Formal specification of the CLAW YAML schema — the contract between human operators and automated response.
Quick Start Validation Script
Python script to validate your SOaC deployment end-to-end in under 5 minutes.
Compliance Matrix
Maps SOaC controls to NIST, MITRE, ISO 27001, and SOC 2 requirements.
CLAW Playbook Template v1.0
Canonical YAML schema for all CLAW automated response playbooks. Every playbook in every package MUST conform to this template.
Detection Rule Template v1.0
Canonical YAML schema for all detection rules. Multi-platform support (Splunk, Sentinel, CrowdStrike, Sigma).
Policy-as-Code Template v1.0
Canonical YAML schema for policy definitions. Covers environment constraints, action controls, and compliance mapping.
Package Metadata Template v1.0
Required metadata.yml manifest for every SOaC package. Declares identity, threat coverage, artifacts, and validation status.
SOaC Harness — CLI Validation Engine
v2.0.0
Offline, CI-ready CLI that validates Playbooks, Detections, Policies, and Package Metadata at Level 1 (Schema) and Level 2 (Cross-Reference).
GitHub Actions CI Pipeline
Ready-made soac-ci.yml workflow that runs Level 1 + Level 2 harness validation on every push and PR to main.
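To make the Level 1 / Level 2 distinction concrete for the Validation & Evidence Model and the Harness above: Level 1 asks "does each artifact have the fields the template requires, with the right types?", Level 2 asks "do the artifacts agree with each other?" (a playbook's trigger must name a detection that exists in the package, every artifact must be declared in metadata.yml, technique IDs must be well-formed). The script below is an added illustration of that two-level gate, not the SOaC harness; the field names (`package_id`, `artifacts`, `trigger.detection_id`, `techniques`, `actions`) and the sample package are assumptions standing in for the real templates, and plain dicts stand in for parsed YAML so it runs without PyYAML.

```python
"""Two-level artifact validation: L1 schema, then L2 cross-reference.
Added example; field names below are assumed, not the SOaC templates."""
import re

# ATT&CK technique IDs look like T1557 or T1078.004 (a tactic ID such as TA0001 is not a technique)
TECHNIQUE_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# Level 1: required fields and types per artifact kind (assumed shape)
SCHEMAS = {
    "metadata": {"package_id": str, "version": str, "artifacts": list},
    "detection": {"id": str, "techniques": list, "query": str},
    "playbook": {"id": str, "trigger": dict, "actions": list},
}


def level1_schema(kind, doc):
    """Return findings for missing or mistyped required fields."""
    findings = []
    for field, typ in SCHEMAS[kind].items():
        if field not in doc:
            findings.append(f"L1 {kind} {doc.get('id', '?')}: missing '{field}'")
        elif not isinstance(doc[field], typ):
            findings.append(f"L1 {kind} {doc.get('id', '?')}: '{field}' must be {typ.__name__}")
    return findings


def level2_crossref(package):
    """Return findings for dangling references between artifacts (assumes L1 passed)."""
    findings = []
    detections = {d["id"] for d in package["detections"]}
    declared = set(package["metadata"]["artifacts"])
    for d in package["detections"]:
        for t in d["techniques"]:
            if not TECHNIQUE_RE.match(t):
                findings.append(f"L2 detection {d['id']}: bad technique id '{t}'")
        if d["id"] not in declared:
            findings.append(f"L2 detection {d['id']}: not declared in metadata.artifacts")
    for p in package["playbooks"]:
        ref = p["trigger"].get("detection_id")
        if ref not in detections:
            findings.append(f"L2 playbook {p['id']}: trigger references unknown detection '{ref}'")
        if p["id"] not in declared:
            findings.append(f"L2 playbook {p['id']}: not declared in metadata.artifacts")
    return findings


def validate(package):
    """Run L1 on every artifact; run L2 only when L1 is clean, as a CI gate would."""
    findings = level1_schema("metadata", package["metadata"])
    for d in package["detections"]:
        findings += level1_schema("detection", d)
    for p in package["playbooks"]:
        findings += level1_schema("playbook", p)
    if findings:
        return findings
    return level2_crossref(package)


# Constructed sample packages (not real SOaC content)
GOOD = {
    "metadata": {"package_id": "identity-pivot", "version": "1.0.0",
                 "artifacts": ["det-aitm-login", "pb-revoke-sessions"]},
    "detections": [{"id": "det-aitm-login", "techniques": ["T1557", "T1078.004"],
                    "query": "source=okta eventType=user.session.start outcome=SUCCESS"}],
    "playbooks": [{"id": "pb-revoke-sessions",
                   "trigger": {"detection_id": "det-aitm-login"},
                   "actions": ["okta.revoke_sessions"]}],
}
BAD_L2 = {  # schema-valid, but the playbook points at a detection that does not exist
    "metadata": {"package_id": "broken", "version": "0.1.0",
                 "artifacts": ["det-x", "pb-x"]},
    "detections": [{"id": "det-x", "techniques": ["TA0001"], "query": "..."}],
    "playbooks": [{"id": "pb-x", "trigger": {"detection_id": "det-missing"}, "actions": []}],
}
BAD_L1 = {  # playbook is missing 'actions', so L2 is never reached
    "metadata": {"package_id": "broken", "version": "0.1.0", "artifacts": ["pb-x"]},
    "detections": [],
    "playbooks": [{"id": "pb-x", "trigger": {"detection_id": "nope"}}],
}

if __name__ == "__main__":
    for name, pkg in (("GOOD", GOOD), ("BAD_L2", BAD_L2), ("BAD_L1", BAD_L1)):
        print(name, validate(pkg) or "clean")
```

Gating L2 behind a clean L1 is deliberate: cross-reference checks index into fields that the schema check guarantees exist, so running them on a malformed artifact produces noise (or a KeyError) rather than a useful finding.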
🛡️ The Body — Telemetry & Detections
Sample Identity Theft Alert (JSON)
Example AitM phishing alert payload showing the telemetry structure SOaC consumes.
Vendor Packs (Sigma/KQL/SPL/LQL)
Detection rules in all major SIEM query languages, ready to deploy.
All 11 Package Folders
Browse the full set of detection + response packages on GitHub.
🧠 The Brain — Reasoning & Governance
AI Governance Baseline (YAML)
Prompt injection defense, data-leakage prevention, and decision authority matrix for Claude Security AI.
Compliance Matrix
Maps SOaC controls to NIST, MITRE, ISO 27001, and SOC 2 requirements.
⚡ The Purpose — CLAW Playbooks-as-Code
CLAW Schema v1.0 Spec (PDF)
Full specification defining the YAML contract for automated response playbooks.
CLAW Schema (Markdown)
Human-readable schema reference for CLAW playbooks.
Master Orchestrator (Python)
The central orchestration engine that executes CLAW playbooks.
Requirements
Python dependencies for running the orchestrator and validation scripts.
🌐 The Edge — Enforcement & Policy-as-Code
Edge API Spec
HMAC-signed enforcement API for distributed policy enforcement at the network edge.
Lab Safety Policy (YAML)
Policy-as-code controlling lab vs. staging vs. production behavior boundaries.
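The Edge API Spec above describes an HMAC-signed enforcement API. The following is an added example of what such signing and verification should look like in practice; it is not the SOaC Edge API, and the header names (`X-Soac-*`), the canonical string layout and the `/v1/enforce` path are assumptions. The points a practitioner cares about are all here: the signature covers method, path, body hash, timestamp and nonce; the verifier checks the timestamp window and rejects a reused nonce so a captured "isolate host" request cannot be replayed; and the MAC comparison is constant-time.

```python
"""HMAC request signing for an enforcement API, with replay protection.
Added example; header names and canonical form are assumptions."""
import hashlib
import hmac
import os
import time


def _canonical(method, path, body, ts, nonce):
    """Bind every security-relevant part of the request into one byte string."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(ts), nonce, body_hash]).encode()


def sign_request(key, method, path, body, ts=None, nonce=None):
    """Client side: return the auth headers for one request."""
    ts = int(time.time()) if ts is None else ts
    nonce = os.urandom(12).hex() if nonce is None else nonce
    mac = hmac.new(key, _canonical(method, path, body, ts, nonce), hashlib.sha256).hexdigest()
    return {"X-Soac-Timestamp": str(ts), "X-Soac-Nonce": nonce, "X-Soac-Signature": mac}


class EdgeVerifier:
    """Server side: verify signature, freshness and nonce uniqueness."""

    def __init__(self, key, max_skew=300):
        self.key = key
        self.max_skew = max_skew      # seconds of clock skew tolerated
        self.seen = {}                # nonce -> timestamp, for replay detection

    def verify(self, method, path, body, headers, now=None):
        now = int(time.time()) if now is None else now
        try:
            ts = int(headers["X-Soac-Timestamp"])
            nonce = headers["X-Soac-Nonce"]
            sig = headers["X-Soac-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed auth headers"
        if abs(now - ts) > self.max_skew:
            return False, "timestamp outside acceptance window"
        # Nonces older than the window can never validate again, so drop them.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}
        if nonce in self.seen:
            return False, "replayed nonce"
        expected = hmac.new(self.key, _canonical(method, path, body, ts, nonce), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):   # constant-time comparison
            return False, "bad signature"
        self.seen[nonce] = ts   # record only after a valid signature, so junk cannot fill the cache
        return True, "ok"


# Constructed demo: a shared secret and an enforcement request (not real values)
KEY = b"constructed-shared-secret-for-demo"
BODY = b'{"action":"isolate_host","target":"ws-042"}'

if __name__ == "__main__":
    hdrs = sign_request(KEY, "POST", "/v1/enforce", BODY)
    v = EdgeVerifier(KEY)
    print(v.verify("POST", "/v1/enforce", BODY, hdrs))   # first delivery
    print(v.verify("POST", "/v1/enforce", BODY, hdrs))   # same request again
```

A shared-secret HMAC authenticates the sender but does not give non-repudiation; if the edge must prove to an auditor which controller issued an action, an asymmetric signature over the same canonical string is the usual upgrade, and the replay and freshness checks stay exactly as above.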
📋 Releases & Changelog
v2.0-M5 — Public Evidence Surfaces
Interactive evidence viewer for all MTIP packages: MITRE coverage tables, replay timelines, pillar charts, and raw artifact downloads — all publicly accessible.
v2.0-M4 — Replay & Evidence
Level 3 Replay Engine: scenario-driven evidence generation with MITRE ATT&CK coverage metrics. Each MTIP package now ships with a machine-readable Evidence Bundle proving artifact reachability.
v2.0-M3 — Package Manager & Lab
MTIP Package Manager with 11 downloadable packages, interactive Scenario Lab with per-package walkthroughs, and CI-integrated Level 1 + 2 validation.
Release 1.0 Roadmap
Milestone plan and delivery timeline for the SOaC 1.0 release.
Contributing Guide
How to contribute detection rules, playbooks, and documentation to SOaC.
Code of Conduct
Community standards for respectful, inclusive collaboration.
📦 Packages — All 11 Bundles
0APT Identity Pivot
Detect and contain AitM phishing, session hijacking, and identity-based attacks across Okta and Entra ID (formerly Azure AD). Simulates 0APT threat actor TTPs.
Qilin Ransomware Containment
Full ransomware containment exercise: Qilin RaaS deployment, VSS deletion, encryption chain, host isolation, forensic evidence collection.
Cloud Control Plane Hijack
Simulate AWS IAM privilege escalation, cross-account pivoting, and cloud control plane compromise. Pattern-based cloud attack scenarios.
SaaS Pivot & Data Extortion
SaaS OAuth abuse, token theft, and data extortion simulation. Covers OAuth consent phishing, application impersonation, and data exfiltration via SaaS APIs.
Social Engineering + RMM Abuse
Callback phishing, vishing, and remote monitoring/management (RMM) tool abuse. Simulates social engineering to deploy unauthorized RMM persistence.
EvilProxy Credential Harvest
AitM phishing-kit simulation using the EvilProxy toolkit. Covers reverse-proxy credential theft, session token replay, and post-compromise detection.
Perimeter & Exploit Chaining Defense
External recon, vulnerability exploitation, webshell deployment, and privilege escalation. Full exploit chain from perimeter breach to lateral movement.
Cloud Control Plane Defense
Blue team defense against cloud control plane attacks. AWS + Azure IAM hardening, cross-account trust analysis, and privilege boundary enforcement.
SaaS OAuth Abuse & Extortion Defense
Defend against SaaS OAuth token abuse, consent phishing, and application-level data extortion. Detection and containment of malicious OAuth grants.
Callback Phishing & RMM Persistence Defense
Detect and contain callback phishing campaigns and unauthorized RMM tool persistence. Covers vishing response, RMM detection, and social engineering defense.
GenAI & LLM Abuse Defense
Defend against generative AI and LLM abuse: prompt injection, model manipulation, data leakage via AI tools, and shadow AI detection.
LiteLLM Supply Chain Attack Defense
Elite-tier supply chain attack simulation. A trojanized Python package deploys a .pth persistence hook that harvests cloud credentials, SSH keys, and Kubernetes tokens. Full red/blue/SOC/CISO response chain.
CI/CD Supply Chain Defense
Defense package targeting CI/CD pipeline supply chain attacks including dependency confusion, pipeline poisoning, artifact tampering, version tag mutation (Trivy-style), and secret exfiltration from b...
Axios Supply Chain Compromise Defense
A sophisticated supply chain attack targeting the popular Axios JavaScript library through compromised npm maintainer accounts, resulting in malicious versions that deploy cross-platform RAT malware. ...
APT37 (Famous Chollima) - Operation HanKook Phantom Defense
APT37 (Famous Chollima) is a North Korean state-sponsored threat actor conducting sophisticated cyber espionage campaigns since 2012. In 2025, they launched Operation HanKook Phantom, targeting South
UAT-8837: AD Recon, Identity Pivot & Reverse Tunnel Defense
UAT-8837, a China-nexus APT group, targets critical infrastructure sectors in North America using zero-day and n-day vulnerabilities for initial access. The group deploys various open-source tools inc
Exploit Chain Disruption: Web Exploit → Sandbox Escape → AWS Metadata (Mythos Pattern)
Instance-level exploit chain package: Web application exploitation (T1190) chains to process injection sandbox escape (T1055), pivoting to AWS metadata credential theft (T1552.005). Implements the Mythos autonomous chain pattern with 2 defensive breakpoints and cross-domain correlation.
AI Agent Governance: Prompt Injection & Multi-Domain Lateral Pivot Disruption
AI coding agent governance package for AI Coding Agent (Claude Code / Cursor): interactive mode, critical risk
Storm-1175 High-Velocity Medusa Ransomware Campaign Defense
N-Day defense package for CVE-2025-31324 (SAP NetWeaver — primary anchor): Microsoft Exchange, Papercut, Ivanti Connect Secure, Ivanti Policy Secure, ConnectWise ScreenConnect, JetBrains TeamCity, Sim
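The LiteLLM Supply Chain Attack Defense entry above describes a trojanized package that persists through a `.pth` hook. The mechanism it abuses is real and simple: Python's `site` module reads every `*.pth` file in site-packages at interpreter start-up, treats most lines as directories to append to `sys.path`, but executes any line that begins with `import ` (or `import` followed by a tab). That makes a `.pth` file a start-up hook that runs inside every Python process on the host, before any application code. The scanner below is an added example (not part of the SOaC package) that enumerates `.pth` files and flags the executable lines; the file names in the demo and the keyword list are constructed assumptions.

```python
"""Find .pth files whose lines execute at interpreter start-up.
Added example; demo file names and the keyword list are assumptions."""
import os
import re
import site
import tempfile

# site.py executes a .pth line only if it starts with "import " or "import<TAB>"
EXEC_PREFIX = re.compile(r"^import[ \t]")
# Indicators that an executable line is doing more than registering a package shim
SUSPICIOUS = re.compile(
    r"exec\(|eval\(|__import__|b64decode|base64|subprocess|socket|urllib|requests"
    r"|\.ssh|\.aws|\.kube|/var/run/secrets|credentials|token"
)


def scan_pth_file(path):
    """Return one finding per executable line in a .pth file."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for no, raw in enumerate(fh, 1):
            line = raw.rstrip("\n")
            if not EXEC_PREFIX.match(line):
                continue  # a path entry, never executed
            severity = "high" if SUSPICIOUS.search(line) else "review"
            findings.append({"file": path, "line": no, "severity": severity, "text": line[:200]})
    return findings


def scan_dirs(dirs):
    """Scan every .pth file directly inside the given directories."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.endswith(".pth"):
                findings += scan_pth_file(os.path.join(d, name))
    return findings


def default_dirs():
    """The directories site.py actually consults on this interpreter."""
    dirs = list(site.getsitepackages()) if hasattr(site, "getsitepackages") else []
    dirs.append(site.getusersitepackages())
    return dirs


def demo():
    """Constructed sample: a benign path-only .pth, a legitimate-looking shim, and a trojan."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "easy-install.pth"), "w") as f:
            f.write("./somepkg-1.0-py3.11.egg\n/opt/vendor/lib\n")          # path entries only
        with open(os.path.join(tmp, "distutils-precedence.pth"), "w") as f:
            f.write("import _distutils_hack; _distutils_hack.add_shim()\n")  # simplified stand-in for a packaging shim
        with open(os.path.join(tmp, "litellm-compat.pth"), "w") as f:        # hypothetical trojan name
            f.write("import os; exec(__import__('base64').b64decode('cHJpbnQoJ2hpJyk='))\n")
        return scan_dirs([tmp])


if __name__ == "__main__":
    for f in scan_dirs(default_dirs()):
        print(f["severity"], f["file"], f["line"], f["text"])
```

Two caveats for running this on real hosts. First, legitimate packages ship executable `.pth` lines (setuptools' `distutils-precedence.pth`, namespace-package shims), so the "review" tier needs a baseline of known-good lines rather than an alert per hit. Second, the scan must cover every interpreter on the host, including virtual environments and the user site directory returned by `site.getusersitepackages()`, because a dropper only needs one of them to be used by a process holding cloud credentials.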