AdversaryGraph v6 Reproducible Case Studies
These cases use fictional repository inputs. They demonstrate implemented workflows and acceptance criteria; they are not customer testimonials, external benchmarks, or proof of real-world detection efficacy.
Case Study 1: Report Evidence To Detection Review
Use demo/sample-report.md, expected-techniques.json,
expected-iocs.json, and expected-report.md to review source-bound ATT&CK
candidates, IOC extraction, Evidence Graph gaps, and analyst decisions.
Acceptance requires behaviorally relevant evidence for accepted mappings, explicit attribution caveats, and draft labeling for untested detection logic.
Case Study 2: Asset Exposure Prioritization
Use demo/asset-inventory.csv, the Evidence Graph sample assets, and Threat
Radar templates to review products, dependencies, exposure, criticality,
inventory-derived ATT&CK candidates, and PSIRT/Hunt/IR/Detection handoff.
Acceptance requires authoritative inventory review, preserved scoring inputs, stable entity relationships, and sanitized legal-sensitive metadata.
Case Study 3: Controlled Attack Simulation And SIEM Validation
Use the built-in approved attack-lab-web target, the T1595 HTTP/TLS scenario,
and a non-production collector to verify target-side run identifiers, guarded
SIEM delivery, parser results, detection results, and telemetry gaps.
Successful HTTP delivery is not successful detection. Real lab and synthetic telemetry must remain separately labeled, and no arbitrary target, exploit, or command execution is permitted.
See the complete case-study source and v6 release readiness.