Every attack, beside its detection
The role layers are two halves of one loop. dotfiles-Kali runs the attack; dotfiles-Defense ships the Sigma rule that catches it. The pairing itself is the source of truth: it lives in htpx as ATT&CK-tagged red↔blue entries, and this table is generated straight from them.
Each row is a technique you can execute on demand from Kali and confirm firing in Defense — the purple loop closed in a single line. Filter by platform, and follow a badge to its ATT&CK page. See the three-layer architecture → for how the layers fit together.
On-prem AD / Windows 24
Cloud IAM (Entra · AWS · GCP) 5
Okta 3
Google Workspace 3
Kubernetes 3
GitHub Actions 3
GitLab CI/CD 3
Jenkins 3
Harbor registry 3
HashiCorp Vault 3
Terraform Cloud 3
Snowflake 3
Cloudflare edge 3
npm registry 3
PyPI registry 3
Slack 3
What the blue side actually detects
The other half of the loop: the Sigma rules dotfiles-Defense ships,
rolled up across the ATT&CK matrix. Every rule is drift-gated in CI and generates its
own ATT&CK Navigator layer plus a COVERAGE.md report — this is that same roll-up, live.
By ATT&CK tactic
Each bar is rules per tactic; the trailing /Nt is the distinct techniques covered. A rule spanning two tactics counts in both.
By logsource
Techniques detected 41
The corpus is generated from the htpx entries/ by
scripts/collect-corpus.mjs, and the coverage roll-up is generated from the
dotfiles-Defense Sigma rules by scripts/collect-coverage.mjs (mirroring that repo's
drift-gated gen-coverage.sh). Neither is hand-typed.