Skip to main content

AdversaryGraph v6 Reproducible Case Studies

These cases use fictional repository inputs. They demonstrate implemented workflows and acceptance criteria; they are not customer testimonials, external benchmarks, or proof of real-world detection efficacy.

Case Study 1: Report Evidence To Detection Review

Use demo/sample-report.md, expected-techniques.json, expected-iocs.json, and expected-report.md to review source-bound ATT&CK candidates, IOC extraction, Evidence Graph gaps, and analyst decisions.

Acceptance requires behaviorally relevant evidence for accepted mappings, explicit attribution caveats, and draft labeling for untested detection logic.

Case Study 2: Asset Exposure Prioritization

Use demo/asset-inventory.csv, the Evidence Graph sample assets, and Threat Radar templates to review products, dependencies, exposure, criticality, inventory-derived ATT&CK candidates, and PSIRT/Hunt/IR/Detection handoff.

Acceptance requires authoritative inventory review, preserved scoring inputs, stable entity relationships, and sanitized legal-sensitive metadata.

Case Study 3: Controlled Attack Simulation And SIEM Validation

Use the built-in approved attack-lab-web target, the T1595 HTTP/TLS scenario, and a non-production collector to verify target-side run identifiers, guarded SIEM delivery, parser results, detection results, and telemetry gaps.

Successful HTTP delivery is not successful detection. Real lab and synthetic telemetry must remain separately labeled, and no arbitrary target, exploit, or command execution is permitted.

See the complete case-study source and v6 release readiness.