v0.6.0 — Documentation depth
Comprehensive documentation layer added. The repo now answers three questions: how do I use it, what does it catch, and what is the design rationale.
Walkthroughs
5 end-to-end deployment guides under docs/walkthroughs/:
- Deploy Microsoft Sentinel on a fresh subscription
- Harden Defender for Office 365 baseline
- Deploy MTA-STS + TLS-RPT via Cloudflare
- Deploy baseline Conditional Access policies (report-only → enforce)
- Defender for Cloud tuning (Free vs Standard tier matching)
Each is an operator-runnable copy-paste sequence with a framework-alignment summary.
Threat model
docs/THREAT-MODEL.md states the scope honestly:
- Per-domain enumeration of what the toolkit catches
- Explicit non-coverage (active threats, out-of-scope domains)
- Trust boundaries
- Attacker-subversion paths and mitigations
FAQ
docs/FAQ.md covers 20+ operator questions:
- General toolkit positioning + competitor comparison
- Running the toolkit (auth issues, missing modules, cross-platform)
- Remediation artifact safety
- Findings + reports (count drift between versions, custom checks)
- Framework alignment usage with GRC platforms
Architecture Decision Records
docs/adr/ documents 6 significant design choices:
- Schema-first finding emission (versioned finding contract)
- Mock mode via fixture replay (adoption-barrier mitigation)
- PowerShell as primary language
- Out-of-scope domain boundaries (concentration over breadth)
- Framework anchors over operational specifics
- Severity rubric (P1/P2/P3 with deadlines, why not CVSS)
Each ADR follows the standard template: context, decision, consequences, alternatives considered.
Test coverage
All 114 Pester tests still pass. The end-to-end mock run still produces 58 findings.
Next: v1.0 (public release)
Generate-Report polish (severity histogram, MITRE coverage map, diff mode), flipping the repo to public visibility, a launch blog post, and distribution channels.