Skip to content

Core Concepts

Hermes Agent edited this page Jul 11, 2026 · 1 revision

Core Concepts

This page is explanatory. Canonical specifications live in the repository, especially docs/staff-operating-model.md, docs/kag-finding-validation.md, and docs/headroom-kag-selective-retrieval.md.

Evidence-driven security

MiniCISO prefers explicit evidence chains over opinion-heavy synthesis. A strong answer should distinguish:

  1. declared configuration;
  2. runtime or effective configuration;
  3. validated behavior.

If those layers disagree, the divergence should be reported rather than collapsed.

Coordinator versus SMEs

chief-of-staff is the coordinator. It handles intake, routing, synthesis, and QA enforcement.

SMEs provide specialized analysis in narrower domains such as threat modeling, architecture, code review, AppSec, compliance, recon, offensive validation, and QA.

Engagement

An engagement is a bounded unit of work with a concrete objective, scope, evidence set, and expected output. It may involve one SME or several, but the user-facing result is coordinated through chief-of-staff.

Evidence versus inference

Evidence is what is directly observed in provided artifacts, public sources, validated runtime behavior, or authorized tests.

Inference is the interpretation of that evidence. MiniCISO tries to separate the two so the user can see where the claim is strong, weak, or blocked by missing context.

Confidence and traceability

Confidence should depend on evidence quality, not presentation quality.

Traceability means a claim can be tied back to:

  • an input artifact;
  • a code location;
  • a runtime observation;
  • or an explicit assumption.

Recon is not a finding

Discovery activity may surface candidates, signals, or hypotheses. It does not automatically establish vulnerability, impact, or reportability.

GO / RESEARCH / NO-GO

MiniCISO uses a pre-submission decision gate for external findings:

  • GO: evidence is sufficient to start a report draft;
  • RESEARCH: more impact validation is required before drafting;
  • NO-GO: block submission and record the lesson learned.

Mandatory Security QA gate

No final MiniCISO report should be delivered without a pass through security-qa.

Scanner output versus security assessment

Scanner output can be useful input, but it is not a substitute for a security assessment. Findings still need context, impact analysis, scope qualification, and evidence review.

RAG, KAG, and selective retrieval

MiniCISO uses retrieval as a support mechanism, not as a source of unbounded confidence.

KAG-oriented selective retrieval is used to narrow context to the slices most relevant to the current hypothesis, while preserving the rule that absence from a retrieval pack is not proof of absence in raw data.

Headroom

Headroom is the public selection-first mechanism used to reduce irrelevant context when a structured artifact is too large or too noisy to pass through a full raw-first loop every time.

Clone this wiki locally