-
-
Notifications
You must be signed in to change notification settings - Fork 0
Core Concepts
This page is explanatory. Canonical specifications live in the repository, especially
docs/staff-operating-model.md,docs/kag-finding-validation.md, anddocs/headroom-kag-selective-retrieval.md.
MiniCISO prefers explicit evidence chains over opinion-heavy synthesis. A strong answer should distinguish:
- declared configuration;
- runtime or effective configuration;
- validated behavior.
If those layers disagree, the divergence should be reported rather than collapsed.
chief-of-staff is the coordinator. It handles intake, routing, synthesis, and QA enforcement.
SMEs provide specialized analysis in narrower domains such as threat modeling, architecture, code review, AppSec, compliance, recon, offensive validation, and QA.
An engagement is a bounded unit of work with a concrete objective, scope, evidence set, and expected output. It may involve one SME or several, but the user-facing result is coordinated through chief-of-staff.
Evidence is what is directly observed in provided artifacts, public sources, validated runtime behavior, or authorized tests.
Inference is the interpretation of that evidence. MiniCISO tries to separate the two so the user can see where the claim is strong, weak, or blocked by missing context.
Confidence should depend on evidence quality, not presentation quality.
Traceability means a claim can be tied back to:
- an input artifact;
- a code location;
- a runtime observation;
- or an explicit assumption.
Discovery activity may surface candidates, signals, or hypotheses. It does not automatically establish vulnerability, impact, or reportability.
MiniCISO uses a pre-submission decision gate for external findings:
- GO: evidence is sufficient to start a report draft;
- RESEARCH: more impact validation is required before drafting;
- NO-GO: block submission and record the lesson learned.
No final MiniCISO report should be delivered without a pass through security-qa.
Scanner output can be useful input, but it is not a substitute for a security assessment. Findings still need context, impact analysis, scope qualification, and evidence review.
MiniCISO uses retrieval as a support mechanism, not as a source of unbounded confidence.
KAG-oriented selective retrieval is used to narrow context to the slices most relevant to the current hypothesis, while preserving the rule that absence from a retrieval pack is not proof of absence in raw data.
Headroom is the public selection-first mechanism used to reduce irrelevant context when a structured artifact is too large or too noisy to pass through a full raw-first loop every time.