Validate Before You Deploy
SOaC runs every detection, playbook, and policy through a three-level validation pipeline before it earns the REPLAY VERIFIED badge. Schema v3.0 enforces mitre_version, platform_targets, simulation_steps, and detection format requirements.
L1: Schema Validation
Ensures every manifest conforms to Harness v3.0. Required fields, types, MITRE ATT&CK IDs, platform targets, and simulation steps are checked.
- package_id & title present
- schema_version = 3.0
- mitre_version declared
- platform_targets[] ≠ empty
- simulation_steps[] ≠ empty
L2: Cross-Reference Integrity
Validates that detection formats include Sigma, KQL, or SPL. Checks that playbooks and policies exist and that MITRE techniques reference real ATT&CK IDs.
- Detection → Sigma/KQL/SPL present
- Playbook coverage
- Policy completeness
- MITRE technique validity
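The Level 1 checks and two of the Level 2 checks listed above, sketched as an added example (not SOaC's own code). It assumes the manifest has already been parsed from YAML into a dict; the `detections[].format` and `mitre_techniques` keys are assumed names, and technique IDs are checked for ATT&CK syntax only, not looked up in the ATT&CK catalogue.

```python
import re

# ATT&CK technique ID syntax: T1059, or sub-technique T1059.001
TECHNIQUE_ID = re.compile(r"T\d{4}(\.\d{3})?")
ACCEPTED_FORMATS = {"sigma", "kql", "spl"}

def validate_l1(manifest):
    """Level 1: the five schema checks listed on the page."""
    errors = []
    for field in ("package_id", "title", "mitre_version"):
        value = manifest.get(field)
        if not isinstance(value, str) or not value.strip():
            errors.append(f"L1: {field} missing or empty")
    # A YAML loader returns an unquoted 3.0 as a float, so compare its string form.
    if str(manifest.get("schema_version")) != "3.0":
        errors.append("L1: schema_version must be 3.0")
    for field in ("platform_targets", "simulation_steps"):
        value = manifest.get(field)
        if not isinstance(value, list) or not value:
            errors.append(f"L1: {field}[] must be a non-empty list")
    return errors

def validate_l2(manifest):
    """Level 2 (partial): detection format presence and technique ID syntax."""
    errors = []
    detections = manifest.get("detections") or []  # assumed key name
    formats = {str(d.get("format", "")).lower()
               for d in detections if isinstance(d, dict)}
    if not formats & ACCEPTED_FORMATS:
        errors.append("L2: no Sigma/KQL/SPL detection present")
    for tid in manifest.get("mitre_techniques") or []:  # assumed key name
        if not TECHNIQUE_ID.fullmatch(str(tid)):
            errors.append(f"L2: malformed ATT&CK technique ID {tid!r}")
    return errors

def validate(manifest):
    return validate_l1(manifest) + validate_l2(manifest)

# Constructed sample manifests, shaped as a YAML loader would return them.
GOOD = {
    "package_id": "pkg-example-001", "title": "Constructed sample package",
    "schema_version": 3.0, "mitre_version": "v15",
    "platform_targets": ["windows"],
    "simulation_steps": [{"step": 1, "action": "constructed"}],
    "detections": [{"format": "sigma"}], "mitre_techniques": ["T1059.001"],
}
BAD = dict(GOOD, schema_version="2.1", platform_targets=[],
           detections=[{"format": "yara"}],
           mitre_techniques=["T1059.1", "TA0002"])
```

`validate(BAD)` reports the tactic ID `TA0002` and the short sub-technique `T1059.1` as malformed, a mistake that a presence-only check on the techniques field would let through.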
L3: Replay Engine
Feeds synthetic attack telemetry through the full detection pipeline. Confirms end-to-end MITRE coverage and evidence bundle integrity.
- Synthetic telemetry injection
- Rule-by-rule re-execution
- MITRE coverage computation
- Verdict: PASS / PARTIAL / FAIL
How the Replay Engine Works
The L3 Replay Engine feeds synthetic attack telemetry through every detection rule, then validates end-to-end MITRE technique coverage.
Platform Proof
Live Per-Package Validation
Click any package to see per-field pass/fail against Harness v3.0 schema, detection format coverage, and MITRE coverage score.
Validate your SOaC Artifacts
Paste or write YAML below with full syntax highlighting. Real-time Level 1 (Schema) + Level 2 (Cross-Reference) validation runs as you type. Supports Playbooks, Detections, Policies, and Package Metadata.