v1.0.0 — Initial Release: Lab + Pipeline
v1.0.0 — Purple Loop Initial Release
What's included
- Wazuh 4.9.2 single-node lab with Linux Docker victim + Windows 11 VMware victim
- Five pluggable Go interfaces: Executor (Docker + SSH), Collector (Wazuh archives), Evaluator (Sigma), Feed (static + arbiter), Reporter (JSON + HTML + ATT&CK Navigator)
- Campaign orchestration: executes technique plans, collects real telemetry, produces verdicts
- threat-intel-arbiter integration: SSVC-prioritized campaigns from CISA KEV + MISP feeds
- Multi-stage emulation plans: discovery chain + APT29 subset
- Detection-as-code CI: Sigma lint + fixture regression + gitleaks
- 10 Sigma rules with fixture pairs for regression testing
Lab
- Linux victim: agent 001 (Docker), command + SCA telemetry
- Windows victim: agent 002 (VMware bridged), Sysmon + Windows Event Channel
- SSH key-auth to Windows with firewall on (port 22 only)
Architecture
See DESIGN.md for the full architecture and interface contracts.