Field notes
-
Essay #181 — Chat Control after the vote: 314 against, 112 absent, and what an eight-voice post-vote stack means for EU operators
Community essay from the SecOps-NG Digital Commons. Between the Chat Control 1.0 vote and this reading, eight independent voices — five Tier-1 English-language outlets, a US security trade press outlet, a Tier-1 French-mainstream voice, and a community-litigation-financing signal from the fediverse — have layered onto the same event within a single analytical cycle. The Tier-1 French read foregrounds a specific number: 314 against, 112 absent MEPs. The community-litigation-financing signal names an operator posture that did not exist in the record before. This essay reads the eight-voice stack, names MEP-absenteeism as a governance accountability substrate operators should track, notes what a community-funded litigation track does to the regulatory timeline every EU operator plans against, and points at the portable-artifact posture the commons was built to hold while the underlying legislation moves.
-
Essay #182 — Belgian hospitals, a Paris datacentre, and the day a thermal event cancelled surgeries across a border
Community essay from the SecOps-NG Digital Commons. Flemish hospitals reportedly cancelled surgeries after an overheating server in a Paris datacentre took critical infrastructure offline. This essay reads the incident as a lived example of cross-border-cloud-locality risk at the bedside — the operational failure mode the NIS2 Article 21 network-security and supply-chain obligations exist to prevent — and points at the portable playbook content the commons already ships against that surface.
-
Essay #183 — Twenty-two days: EU AI Act general applicability, GPAI fining, and what 2026-08-02 means for operators running security-adjacent AI
Community essay from the SecOps-NG Digital Commons. On 2026-08-02, Regulation (EU) 2024/1689 reaches general applicability and the GPAI fining powers under Article 101 become enforceable. This essay reads the deadline as a concrete operator-risk marker for anyone running LLM-adjacent components in security operations, and points at the portable playbook and control-mapping content the commons already ships against the Article 9 risk-management surface.
-
Field note #184 — EDPB confirms GDPR Article 22 enforcement on automated hiring, with retroactive 2018 scope: what EU operators need to know
Field note one hundred and eighty-four from the SecOps-NG Digital Commons. The European Data Protection Board has issued the first monitoring-era institutional confirmation that GDPR Article 22 — the right not to be subject to a solely automated individual decision, including profiling — applies to automated-hiring systems, with retroactive scope back to the regulation's 2018 application date. This is an enforcement signal, not a legislative proposal, and it lands directly against a coverage surface the framework already ships: the Article 15–22 data-subject-rights mapping ring and the data_subject_rights operator-side intake playbook. This note takes the operator read.
-
Field note #185 — EU AI Act Art.10 + Art.15 inbound mapping lands: data governance and accuracy/robustness/cybersecurity join the G-02 ring ahead of the 2026-08-02 deadline
Field note one hundred and eighty-five from the SecOps-NG Digital Commons. Two framework pull requests merged today extend the EU AI Act inbound mapping surface with Article 10 (data governance) and Article 15 (accuracy, robustness, cybersecurity). Together they close the last major EU AI Act mapping-ring gap that was open ahead of the 2026-08-02 general-applicability grace-period-end, alongside the Art.11 / Art.13 / Art.72 CORE work still under review. Practitioners running high-risk AI systems now have CACAO-compatible mapping references for Art.10 and Art.15 anchored on the same risk-management and vulnerability-management playbooks the framework already carries.
-
Field note #186 — EU AI Act inbound mapping ring closes: all seven high-risk-AI obligation articles are live in the commons with 22 days to 2026-08-02
Field note one hundred and eighty-six from the SecOps-NG Digital Commons. Three framework pull requests merged today complete the EU AI Act inbound mapping ring: Article 15 (accuracy, robustness, cybersecurity), Article 10 (data governance), and Article 11 / Article 13 / Article 72 (technical documentation, transparency, post-market monitoring) — the last three promoted draft→live with metric_refs wired. Together with the already-live Article 6 (high-risk classification gate) and Article 9 (risk management) mappings, every primary obligation article for high-risk AI system providers now has a CACAO-compatible, OCSF-grounded, sovereign mapping reference in the commons — with 22 days until 2026-08-02 general applicability.
-
Essay #171 — The sovereignty narrative is contested: what a productised EU-native offering and a think-tank op-ed mean for operators who still have to ship this quarter
Community essay from the SecOps-NG Digital Commons. In the same week an EU-native security vendor publicly launched a productised sovereignty programme and a Brussels-facing think tank published a sovereignty-conundrum op-ed. Two different registers, one converging signal: the sovereignty question has left the whitepaper stage and reached the procurement conversation. For operators discharging NIS2 Article 21(2)(g), DORA operational resilience and the EU AI Act cybersecurity duties, the question is no longer whether sovereignty is on the agenda but which artifact still holds when the underlying stack changes underneath. This essay names the moment, refuses the market frame, and points at what the commons offers instead: portable, dated, per-cycle-auditable playbooks that compile against whichever EU-sovereign stack the operator picked.
-
Essay #177 — When a named EU encrypted-service provider publicly weighs leaving the jurisdiction: reading Tutanota against Chat Control 2.0
Community essay from the SecOps-NG Digital Commons. On 2026-07-10 Tutanota — a named EU-based encrypted-service provider — publicly stated that if Chat Control 2.0 is passed the two remaining options are to leave the jurisdiction or to litigate. This is the first commercial-provider voice on the record in the post-EP-vote analytical cycle, and it lands on top of an already five-tier substrate: academics, MEPs, user communities, journalists, and now operators. This essay reads the signal for what it is — a data point every EU operator evaluating a sovereign stack now has to process — names the sovereignty paradox the proposed regulation creates, and points at the portable-artifact posture the commons was built to hold when the underlying stack changes underneath the operator.
-
Essay #178 — When a member-state government orders its own tax agency to halt a Microsoft 365 migration: reading the Dutch executive signal against the EU sovereignty substrate
Community essay from the SecOps-NG Digital Commons. On 2026-07-10 the Dutch government ordered its Tax Services (Belastingdienst) to halt an in-progress migration to Microsoft 365 — an executive-branch mandate rather than a legislative debate, and the first sovereignty-first order of that shape in the current monitoring cycle. This essay reads the signal for what it is — a category above the legislative tracks already in motion in Ireland and Greece — and points at the portable-artifact posture the commons was built to hold when the compliance floor moves under the operator.
-
Field note #172 — G-04 identity/access-management pair lands: MFA enforcement rate KPI and privileged access review completion KRI close the last NIS2 Art. 21 catalogue gap
Field note one hundred and seventy-two from the SecOps-NG Digital Commons. Framework PR #777 (F-MET-G04-IDENTITYACCESS SKELETON) lands two new YAML metric definitions under content/metrics/: kpi.identity_mfa_enforcement_rate@v1 (target ≥95%, bound to OCSF Authentication class 3002) and kri.access_review_completion_rate@v1 (threshold ≥90%, alert <80%, bound to OCSF Account Change class 3001). Regulatory anchors span NIS2 Art. 21(2)(i)/(j), DORA Art. 5(2), and GDPR Art. 32(1)(a). The identity/access-management domain — the last major NIS2 Art. 21 limb without operator-readable numbers in the catalogue — now has a KPI/KRI pair operators can drop into their monitoring stack today.
-
Field note #173 — G-04 threat-intelligence pair lands: indicator ingestion-rate KPI and stale-IoC ratio KRI close the last operator-facing gap on the NIS2 Art. 23 / DORA Art. 19 information-sharing surface
Field note one hundred and seventy-three from the SecOps-NG Digital Commons. Framework PR #783 (F-MET-G04-THREATINTEL SKELETON) and PR #784 (CORE) land two new YAML metric definitions under content/metrics/: kpi.threat_intel_indicator_ingestion_rate@v1 (target ≥100 admitted indicators per rolling hour, bound to the playbook.threat_intel_ingest@v1 admission step and the OCSF Detection Finding / Security Finding classes 2004 / 2001) and kri.threat_intel_stale_ioc_ratio@v1 (warn >0.10, alert >0.20, breach >0.35, rolling 7-day window). Regulatory anchors span NIS2 Art. 23 (early-warning and information-sharing), NIS2 Art. 26(2) (reporting-quality obligation on shared cyber-threat information), and DORA Art. 19 (information sharing among financial entities). Both metrics are wired into the nightly orphan-CI assertion lane (58/58 green).
-
Field note #174 — G-04 vulnerability-management pair lands: SLA compliance KPI and P99 long-tail KRI make NIS2 Art. 21(2)(e) an operator-readable ratio
Field note one hundred and seventy-four from the SecOps-NG Digital Commons. Framework PRs #756 and #787 land two paired vulnerability-management metric definitions under content/metrics/: kpi.vuln_remediation_sla_compliance@v1 (target ≥0.90, per-severity SLA windows Critical ≤7d, High ≤30d, Medium ≤90d, bound to OCSF Vulnerability Finding class 2002) and kri.vuln_critical_open_age_p99@v1 (target ≤14 days, long-tail companion to the P95 headline). Regulatory anchors span NIS2 Art. 21(2)(e) vulnerability handling and disclosure, and DORA Art. 9(4)(c) with JC RTS Art. 10 on ICT vulnerability and patch management for financial entities. The G-04 vulnerability-management domain now has both the compliance-view KPI and the tail-view KRI operators need to see the whole ageing distribution, not just its shoulder.
-
Field note #175 — F-WF-SECAWARENESS CORE ships: the NIS2 Art. 21(2)(g) training playbook now compiles byte-parity to n8n, Temporal, and LangGraph, against a threat landscape where the automation itself is the supply chain
Field note one hundred and seventy-five from the SecOps-NG Digital Commons. Framework PR #788 lands the CORE layer of the security_awareness_training playbook — three reference compile-target worked examples (n8n, Temporal, LangGraph) and per-target byte-parity golden tests, generated from the same CACAO v2 source that shipped in the SKELETON (PR #767) and was documented in the EXTEND cookbook (PR #768, field note #167). NIS2 Article 21(2)(g) — the security awareness training obligation on essential and important entities — now has all three reference compilations sitting alongside its programme-governance and per-cohort-delivery scaffold. The ship lands in the same week that the agentic security press is closing a three-pass narrative arc from passive threat to active exploitation to supply-chain systemic risk. When the automation is agentic, the automation itself becomes a supply chain worth inspecting, and determinism plus community review are the only honest answers.
-
Field note #176 — F-CACAO-NIS2-ART20 EXTEND ships: the practitioner cookbook for the NIS2 Article 20 management-body governance cycle is on main
Field note one hundred and seventy-six from the SecOps-NG Digital Commons. The F-CACAO-NIS2-ART20 EXTEND phase ships docs/cookbook/nis2_art20_governance.md — the operator walkthrough for the four-step management-body governance cycle (schedule → present → approve → log) that discharges NIS2 Article 20(1) approval of the Article 21 risk-management measures and Article 20(2) management-body training attestation, with auditable OCSF 6003 governance-record emission.
-
Field note #179 — network_security CACAO v2 playbook ships: NIS2 Article 21(2)(e) coverage lands on main with three-target compiler fan-out
Field note one hundred and seventy-nine from the SecOps-NG Digital Commons. The network_security CACAO v2 playbook ships in the framework today — a five-step topology (inventory_network_segments → evaluate_segmentation_policy → detect_policy_violations → enforce_remediation → generate_posture_evidence_artifact) bound to OSCAL SC-7/SC-3, OCSF Network Activity, and D3FEND D3-NTA, compiling identically to n8n, Temporal, and LangGraph — closing one of the top-5 NIS2 Article 21 control families with no prior dedicated CACAO entry in the framework.
-
Field note #180 — The EU Cybersecurity + AI Action Plan, the operator read: an AI vulnerability testing mandate for critical infrastructure meets portable, framework-agnostic content
Field note one hundred and eighty from the SecOps-NG Digital Commons. The European Commission's Cybersecurity + AI Action Plan has now been read across three independent voices — HPCwire on the trade-press side, Techerati on the UK-trade side, and a US-legal client alert from Hunton Andrews Kurth — and the substrate that survives all three readings is the same: an ENISA-anchored AI vulnerability testing platform for critical infrastructure, an operational-AI security governance framing, and an explicit NIS2/DORA alignment surface. This note takes the operator read: what the plan actually names, what it means for any EU SecOps team weighing agentic tools into the running posture, and where the portable content the commons already ships lands against the audit surface the Action Plan is building.
-
Field note #159 — F-WF-PATCH and F-WF-CYBERHYG flip to Shipped: the two NIS2 Art. 21(2)(e) and (g) hygiene pillars now carry formal ROADMAP entries
Field note one hundred and fifty-nine from the SecOps-NG Digital Commons. Framework PR #746 formally lands patch_management and cyber_hygiene_training as Shipped on the ROADMAP, closing a governance-maturity gap: both trilogies (SKELETON + CORE + EXTEND) had already landed in-tree; this entry names them on the roadmap where an operator can find them. The two playbooks discharge the maintenance and awareness-training legs of NIS2 Art. 21(2).
-
Field note #160 — Measuring agentic security: three new KPI/KRI definitions join the commons as EU regulation converges on the same surface
Field note one hundred and sixty from the SecOps-NG Digital Commons. Framework PR #747 lands the first agentic-security KPI/KRI triad under content/metrics/ — agentic_threat_detection_rate, agentic_model_decision_latency_seconds, and agentic_false_positive_rate — wired to the agentic_threat_response playbook. The metrics ship the same week the European Commission unveiled the EU Cloud and AI Development Act plus the AI Cybersecurity Action Plan, converging on the same agentic-security surface the commons has been building for.
-
Field note #161 — NIS2 Art. 21 operational metrics triad lands in the catalogue, and the contributor pitfalls guide closes good-first-issue #197
Field note one hundred and sixty-one from the SecOps-NG Digital Commons. Two community-facing landmarks land in the same cycle: framework PR #752 adds three NIS2 Art. 21 operational-compliance metric definitions (a security-measure conformance KPI, an audit-finding remediation-lag KRI, and a cyber-awareness training-completion KPI) to content/metrics/, each with OCSF class binding, units, calculation method, playbook refs, and reference viz. Framework PR #753 lands a 'Common pitfalls when binding activity bodies' section on all three per-target threat_intel_ingest READMEs (n8n, Temporal, LangGraph), closing good-first-issue #197 and reducing friction for first-time contributors.
-
Field note #162 — G-04 batch 3 lands: vulnerability_management, supply_chain, and business_continuity KPI/KRI pairs extend the catalogue across three NIS2 Art. 21 domains
Field note one hundred and sixty-two from the SecOps-NG Digital Commons. Framework PRs #755, #756, and #757 land three sibling KPI/KRI pairs under content/metrics/ — vuln_remediation_sla_compliance + unpatched_critical_cve_age_days (Art. 21(2)(e)), supplier_attestation_overdue_ratio + supply_chain_audit_coverage (Art. 21(2)(d)), and bcp_exercise_completion_rate + backup_integrity_failure_rate (Art. 21(2)(c)). The G-04 catalogue now carries operator-readable numbers across six operational domains, each with OCSF-bound calculation, playbook refs, and a committed reference visualisation.
-
Field note #163 — eIDAS 2.0 EUDIW identity-verification playbook lands: wallet presentation → PID verification → LoA-to-tier → audit-evidence → access provisioning, across all three compile targets
Field note one hundred and sixty-three from the SecOps-NG Digital Commons. Framework PRs #759 (SKELETON) and #760 (CORE) land a CACAO v2 operational playbook for the eIDAS 2.0 European Digital Identity Wallet identity-verification lifecycle. Five operational steps — request an EUDIW presentation, verify the PID credential against the EU trust-anchor registry, assess the Level of Assurance, emit the OCSF Account Change 3001 audit-evidence artifact, hand off to access provisioning — compiled into n8n, Temporal, and LangGraph reference targets, with seven byte-parity golden tests across the three.
-
Field note #164 — NIS2 Art. 20 management-body governance playbook lands (SKELETON): the cadence a CISO cannot discharge alone, portably compiled and audit-traceable
Field note one hundred and sixty-four from the SecOps-NG Digital Commons. Framework PR #762 lands the SKELETON of nis2_art20_governance — a CACAO v2 operational playbook for the NIS2 Directive Article 20(1)/(2) management-body cybersecurity governance cycle. Convene the management-body review on the operator's documented cadence, present Article 21(2)(a)–(j) risk posture, record management approval of cybersecurity risk-management measures, emit a dated OCSF API Activity (6003) governance-record artifact. CORE fans it into n8n, Temporal, and LangGraph next.
-
Field note #165 — Two EU signals in one afternoon: Chat Control 1.0 clears Parliament, the Cybersecurity + AI Action Plan lands, and the commons already ships portable content for the surface both name
Field note one hundred and sixty-five from the SecOps-NG Digital Commons. Two European signals land within hours of each other on 2026-07-09: the Chat Control 1.0 text passes the European Parliament 314:276 (Council re-approval pending), and the European Commission unveils its Cybersecurity + AI Action Plan naming an EU AI vulnerability testing platform for critical infrastructure. Both point at surfaces the commons is already building portable content for — cryptographic_controls, mfa_secured_comms, the agentic-security KPI/KRI triad, the eIDAS 2.0 EUDIW identity playbook, vulnerability_management. This is the operator read.
-
Field note #166 — NIS2 Art. 20 CORE-PRIMITIVES lands: the four deterministic step bodies that turn a management-body governance cycle into a machine-readable, replay-safe audit trail
Field note one hundred and sixty-six from the SecOps-NG Digital Commons. Framework PR #764 closes the CORE-PRIMITIVES ring on the nis2_art20_governance triplet: four replay-safe step-body primitives — resolve_governance_cycle, conduct_art20_review, record_management_approval, emit_governance_evidence — with twenty-six unit tests green, on top of the SKELETON shipped in PR #762. The three-target compiler fan-out (n8n, Temporal, LangGraph) is next. Practitioners get a governance-evidence backbone that emits OCSF API Activity class_uid 6003 artifacts into any OCSF-compliant SIEM/SOAR.
-
Field note #167 — F-WF-SECAWARENESS EXTEND ships: the governance-to-delivery bridge for NIS2 Art. 21(2)(g) is now a two-layer, machine-readable playbook pair with an operator cookbook
Field note one hundred and sixty-seven from the SecOps-NG Digital Commons. The F-WF-SECAWARENESS trilogy closes with an EXTEND phase that ships the operator cookbook — docs/cookbook/security_awareness_training.md — for the two-layer NIS2 Art. 21(2)(g) training scaffold. security_awareness_training governs the annual programme cycle; cyber_hygiene_training delivers per-cohort runs. Both are CACAO v2 playbooks, deterministic and replay-safe, anchored to NIS2 Art. 21(2)(g), GDPR Art. 32(1)(b), and ISO/IEC 27001 A.6.3.
-
Field note #168 — DORA Article 19 major-incident reporting playbook lands (SKELETON): the 4-hour / 72-hour / one-month reporting cycle, portably compiled and cross-regime-aware
Field note one hundred and sixty-eight from the SecOps-NG Digital Commons. Framework PR #769 lands the SKELETON of dora_major_incident_reporting — a CACAO v2 operational playbook for the DORA Chapter III major-ICT-related-incident reporting cycle a financial entity discharges to its competent authority under DORA Regulation (EU) 2022/2554 Article 19. Five operational steps — Art. 18 classify → initial (4h / 24h) → intermediate (72h) → final (one month) → close-and-archive — anchored on the Commission ITS content shape (2024/2956) and the Commission Delegated Regulation classification criteria (2024/1772). CORE fans it into n8n, Temporal, and LangGraph next.
-
Field note #169 — DORA Article 19 major-incident reporting trilogy ships: CORE + EXTEND close, the 4-hour / 72-hour / one-month cycle now portable across n8n, Temporal, and LangGraph with a practitioner cookbook attached
Field note one hundred and sixty-nine from the SecOps-NG Digital Commons. Framework PRs #770 (CORE) and #771 (EXTEND) close the DORA Article 19 major-ICT-related-incident reporting ring on top of the SKELETON covered by field note #168. The dora_major_incident_reporting CACAO v2 playbook now compiles byte-parity to n8n, Temporal, and LangGraph, and a practitioner cookbook walks operators through the full Art. 18 classification gate, Art. 19(4)(a)/(b)/(c) timeline, CACAO topology, OSCAL anchors, and three-target hand-off. ROADMAP F-DORA-ART19 flips to Shipped.
-
Field note #170 — NIS2 Article 20 governance ring closes: nis2_art20_governance CACAO v2 playbook now byte-parity across n8n, Temporal, and LangGraph, with the management-body cycle end-to-end auditable
Field note one hundred and seventy from the SecOps-NG Digital Commons. Framework PRs #765 (CORE-FANOUT) and #766 (CORE-GOLDENS) close the F-CACAO-NIS2-ART20 ring on top of the SKELETON (PR #762, field note #164) and CORE-PRIMITIVES (PR #764, field note #166). The nis2_art20_governance playbook — management-body approval, Art. 21(2)(a)–(j) oversight review, training-completion evidence, and OCSF API Activity (6003) governance-record emission — now compiles byte-parity to n8n, Temporal, and LangGraph, with golden tests holding every target deterministic against the CACAO v2 source. NIS2 Article 20 enforcement is active from July 2026; the artifact is portable, dated, and audit-evident today.
-
Field note #149 — F-WF-DORA-TPR trilogy ships: DORA Art.28/30 ICT third-party risk management playbook complete
Field note one hundred and forty-nine from the SecOps-NG Digital Commons. The F-WF-DORA-TPR trilogy lands: a CACAO v2 playbook for the DORA Article 28 / 30 ICT third-party risk management lifecycle (onboarding → clause-check → register-entry → periodic-review → exit-assessment), three-target compile examples with byte-parity goldens, and a practitioner cookbook. Together with F-WF-DORA-SELFASSESS (Chapter II) and F-WF-DORA-TLPT (Chapter IV), this closes the DORA operational-resilience surface on the framework to three complete lifecycle spines.
-
Field note #150 — the inbound mapping ring closes on business_continuity and dora_tpr_management: both new spines now readable from every regulatory axis they touch
Field note one hundred and fifty from the SecOps-NG Digital Commons. Two mapping PRs (#724, #725) close the inbound G-02 rings for the two most recently shipped CACAO v2 playbooks — dora_tpr_management (DORA Chapter V) and business_continuity (NIS2 Art.21(2)(c)) — before their orphan-CI grace windows expire. Both playbooks are now discoverable from every regulatory axis they touch: NIS2, DORA, GDPR, CRA, and EU AI Act, with reviewed skip rationales where the axis genuinely does not carry the obligation.
-
Field note #151 — last-mile inbound closure: cryptographic_controls lands on CRA §1(e), dora_tpr_management logs its EU AI Act skip
Field note one hundred and fifty-one from the SecOps-NG Digital Commons. Two small mapping PRs (#726, #727) close the last inbound edges for two of this week's new spines. cryptographic_controls now anchors CRA Annex I §1(e) as the lifecycle-lane companion to crypto_posture_management. dora_tpr_management logs the reviewed EU AI Act skip. Both playbooks are now readable from every regime that legitimately touches them, with rationale on record wherever a regime does not.
-
Field note #152 — F-WF-VULN-MGMT trilogy ships: vulnerability management playbook (NIS2 Art.21(2)(e) + CRA + DORA sovereign lifecycle)
Field note one hundred and fifty-two from the SecOps-NG Digital Commons. The F-WF-VULN-MGMT trilogy lands: a CACAO v2 playbook for the deployed-estate vulnerability and patch management lifecycle (trigger_vulnerability_scan → triage_severity → decide_remediation → verify_remediation → emit_audit_evidence), three-target compile examples with byte-parity goldens, and a practitioner cookbook. The playbook discharges the operator-side leg of NIS2 Article 21(2)(e) and composes cleanly with the CRA Art. 13(4)–13(5) manufacturer disclosure spine and the DORA Article 25 vulnerability-management surface.
-
Field note #153 — G-03 byte-parity expansion wave: four playbooks now pinned across all three reference compile targets
Field note one hundred and fifty-three from the SecOps-NG Digital Commons. Two batches of golden tests land on the framework: alert triage, phishing triage, agentic threat response, and asset management now carry byte-identical-on-replay assertions across all three reference compile targets (n8n, Temporal, LangGraph), enforced in CI. Twelve new golden tests, four playbooks off the G-03 parity gap, no silent drift between runtimes.
-
Field note #154 — G-03 parity wave, batch three: eight playbooks now byte-pinned across all three reference compile targets
Field note one hundred and fifty-four from the SecOps-NG Digital Commons. Batch three of the byte-parity wave lands: cloud misconfiguration, data exfiltration, EU AI Act risk management, and identity compromise now carry byte-identical-on-replay golden tests across n8n, Temporal, and LangGraph. Cumulative across the three merged batches: eight reference playbooks, twenty-four golden tests, one parity matrix filling in row by row. Batch four is already in flight.
-
Field note #155 — G-03 byte-parity gap fully closed: every reference playbook now pinned across all three compile targets
Field note one hundred and fifty-five from the SecOps-NG Digital Commons. Batches four and five of the byte-parity wave land in the same session that started with batch three. Nine more playbooks — incident management, infrastructure posture management, on-call rotation, post-incident review, ransomware containment, threat intel ingest, vulnerability intake, DORA third-party risk management, and executive metrics — now carry byte-identical-on-replay golden tests on n8n, on Temporal, and on LangGraph. The G-03 gap is closed. Every reference playbook the commons ships compiles to identical bytes on each of the three targets. Five batches, one contributor path, one session.
-
Field note #156 — G-03 byte-parity ring closes: xfail guards lifted, every playbook × every target enforced in CI
Field note one hundred and fifty-six from the SecOps-NG Digital Commons. The byte-parity ring has closed. The last two PRs of the wave lift the CI escape hatches — the LangGraph goldens xfail guard and the legacy langgraph-test xfail guard — so the parity property now runs as a hard assertion on every PR, on every playbook, on every one of the three reference compile targets. What was a stated invariant is now a mechanised CI floor with no exceptions left.
-
Field note #157 — DORA Chapter II ring closes: Art.13 learning and Art.14 crisis-communication now name the playbooks that operate them
Field note one hundred and fifty-seven from the SecOps-NG Digital Commons. A small framework PR (#742) wires playbook_refs on the last two DORA Chapter II mapping entries carrying empty pointers — Art.13 (learning and evolving) now points at post_incident_review; Art.14 (crisis communication) now points at business_continuity and mfa_secured_comms. Chapter II is now readable end-to-end from the article side.
-
Field note #158 — F-WF-CRA-CVD ring closes: the cra_cvd cookbook now walks CRA Art.14 coordinated disclosure end-to-end across three compile targets
Field note one hundred and fifty-eight from the SecOps-NG Digital Commons. Framework PR #744 lands the EXTEND cookbook for cra_cvd, closing the SKELETON → CORE-B-PRIM → CORE-B-EXAMPLES → EXTEND arc for the CRA Article 14 coordinated vulnerability disclosure playbook. Intake → ack_to_reporter → coordinate_disclosure → publish_advisory now runs end-to-end against n8n, Temporal, and LangGraph from a single CACAO source, with three JSON-native envelope primitives and no hardcoded endpoints.
-
Field note #136 — D3FEND four-axis wave closes: defensive-technique traceability across NIS2, DORA, CRA and GDPR
Field note one hundred and thirty-six from the SecOps-NG Digital Commons. With the GDPR crosswalk landing at CORE, the D3FEND × EU-regulation control map now carries CORE-level coverage on all four axes — NIS2, DORA, CRA and GDPR — closing the defensive-technique traceability ring across the framework's regulatory surface.
-
Field note #137 — ISO 27001 Annex A and SOC 2 TSC land as OSCAL component definitions, both with nightly CI
Field note one hundred and thirty-seven from the SecOps-NG Digital Commons. Two substrate waves closed the same day: ISO 27001 Annex A and the SOC 2 Trust Services Criteria now ship as OSCAL component definitions in the framework, each with a nightly CI assertion lane guarding orphans and entry counts.
-
Field note #138 — D3FEND five-axis ring opens: EU AI Act crosswalk lands, defensive-technique traceability now runs on every EU-regulation column
Field note one hundred and thirty-eight from the SecOps-NG Digital Commons. With the EU AI Act D3FEND crosswalk landing at SKELETON, the defensive-technique traceability ring now extends to every one of the five EU-regulation axes the framework carries — NIS2, DORA, CRA, GDPR and EU AI Act — the same shape, the same substrate, one column further out.
-
Field note #139 — agentic_threat_response cookbook ships: the end-to-end walkthrough for the agentic SOC playbook lands in the commons
Field note one hundred and thirty-nine from the SecOps-NG Digital Commons. The operator-facing cookbook for the F-WF-AGENTICSEC playbook has landed — a full walkthrough from ingest through triage, containment, escalation, and evidence preservation, wired through all three reference compile targets (n8n, Temporal, LangGraph) with OCSF telemetry bindings and KPI/KRI hooks made explicit at every step.
-
Field note #140 — ISO 27001 D3FEND crosswalk lands: the six-axis defensive-technique traceability ring closes on Annex A
Field note one hundred and forty from the SecOps-NG Digital Commons. With the ISO 27001 Annex A D3FEND crosswalk landing at SKELETON, the defensive-technique traceability ring now runs on all six axes — NIS2, DORA, CRA, GDPR, EU AI Act and ISO 27001. One D3FEND technique, one lookup, every applicable clause across the EU regulatory estate and the international standard alongside it.
-
Field note #141 — ISO 27001 D3FEND crosswalk pulls to CORE and a seventh axis knocks: SOC 2 in review
Field note one hundred and forty-one from the SecOps-NG Digital Commons. The ISO 27001 Annex A D3FEND crosswalk broadens from SKELETON to CORE — the six-axis defensive-technique ring is now uniformly at CORE — and the SOC 2 Trust Services Criteria crosswalk is in review as a seventh column on the same substrate.
-
Field note #142 — a business-continuity playbook lands: NIS2 Art.21(2)(c) BCM lifecycle in CACAO
Field note one hundred and forty-two from the SecOps-NG Digital Commons. A CACAO v2 business-continuity playbook lands in the commons — seven workflow steps from event declaration through authority notification, failover, and post-incident review — closing the NIS2 Art.21(2)(c) leg of the regulatory mapping ring and co-anchored with the existing backup and recovery drill lane.
-
Field note #143 — SOC 2 D3FEND crosswalk ships: the seventh axis lands and the defensive-technique ring closes across every framework the operator estate reads
Field note one hundred and forty-three from the SecOps-NG Digital Commons. The SOC 2 Trust Services Criteria D3FEND crosswalk lands, completing the seven-axis defensive-technique ring — NIS2, DORA, CRA, GDPR, EU AI Act, ISO 27001 Annex A, and SOC 2 TSC now all read against the same D3FEND substrate.
-
Field note #144 — the business-continuity trilogy closes: SKELETON, CORE, and cookbook all land against NIS2 Art.21(2)(c)
Field note one hundred and forty-four from the SecOps-NG Digital Commons. The F-NIS2-BCP trilogy is fully shipped — CACAO v2 plan-lifecycle scaffold, three compile targets with byte-parity goldens across n8n, Temporal, and LangGraph, and a practitioner cookbook — closing the NIS2 Art.21(2)(c) business-continuity column end-to-end.
-
Field note #145 — the cryptographic-controls trilogy closes: key-lifecycle SKELETON, CORE, and cookbook all land against NIS2 Art.21(2)(h)
Field note one hundred and forty-five from the SecOps-NG Digital Commons. The F-WF-CRYPTOMGMT trilogy is fully shipped — CACAO v2 key-lifecycle scaffold, three compile targets with byte-parity goldens across n8n, Temporal, and LangGraph, and a practitioner cookbook — closing the NIS2 Art.21(2)(h) cryptographic-controls column end-to-end and, on the same day as the F-NIS2-BCP close, taking two NIS2 Art.21 control families to full trilogy on a single day.
-
Field note #146 — the DORA-TLPT trilogy closes on the same day it opens, and NIST CSF 2.0 opens as the eighth crosswalk axis
Field note one hundred and forty-six from the SecOps-NG Digital Commons. The F-WF-DORA-TLPT trilogy — CACAO v2 threat-led penetration testing scaffold, three compile targets with byte-parity goldens across n8n, Temporal, and LangGraph, and a dora_tlpt_programme cookbook walkthrough — ships end-to-end against DORA Article 24 and Article 26. On the same day, NIST CSF 2.0 opens as the eighth crosswalk axis with the GV/ID/PR/DE/RS/RC Core Functions mapping. Three trilogies closed on 2026-07-07 and one new crosswalk axis opened.
-
Field note #147 — NIST CSF 2.0 crosswalk closes as the eighth axis: SKELETON → CORE → EXTEND on a single day
Field note one hundred and forty-seven from the SecOps-NG Digital Commons. The NIST CSF 2.0 crosswalk closes end-to-end on the same day it opened: SKELETON (22 Categories across GV/ID/PR/DE/RS/RC), CORE (106 Subcategories with playbook_refs or gap_note against every leaf), and EXTEND (a practitioner cookbook at docs/cookbook/nist_csf_crosswalk.md, with the ROADMAP entry flipped to Shipped). The eighth crosswalk axis is now a full ring — an operator running a CSF programme can navigate into NIS2, DORA, CRA, GDPR, ISO 27001, SOC 2, or D3FEND through the same anchors.
-
Field note #148 — SOC 2 TSC crosswalk cookbook ships: seven-axis regime ring carries a practitioner walkthrough per axis
Field note one hundred and forty-eight from the SecOps-NG Digital Commons. The SOC 2 Trust Services Criteria crosswalk gains its EXTEND tier — a cookbook walkthrough at docs/cookbook/soc2_crosswalk.md — closing SOC 2 to a full three-tier ring alongside Security (CC1-CC9), Availability (A1.1-A1.3), Confidentiality (C1.1-C1.2), Processing Integrity (PI1.1-PI1.5), and Privacy (P-series) already on-disk. Together with ISO 27001 Annex A, NIS2, DORA, GDPR, CRA, and NIST CSF 2.0, this is the seven-axis regime ring carrying a practitioner cookbook per axis.
-
Field note #129 — ISO 27001 Annex A crosswalk third wave (A.5.7–A.5.18 + A.8.28–A.8.34 close-out) (G-06)
Field note one hundred and twenty-nine from the SecOps-NG Digital Commons. Three merges land the ISO/IEC 27001:2022 Annex A crosswalk further: A.5 organisational-controls extend from 6 to 18 of 37 entries (A.5.7–A.5.18), and A.8 technological-controls close their final batch (A.8.28–A.8.34, 34/34 pending the A.8.18–A.8.22 sibling PR). The Annex A surface now carries every A.8 technological-controls entry once the in-flight rebase lands, and A.5 is halfway populated.
-
Field note #130 — SOC2 Trust Service Criteria crosswalk opens, ISO 27001 Annex A A.5/A.6/A.7 close out (G-06/G-07)
Field note one hundred and thirty from the SecOps-NG Digital Commons. A ten-PR wave lands two things at once: the SOC2 Trust Service Criteria crosswalk opens as a new framework track (Security CC1–CC9 skeleton merged, Availability A1.1–A1.3 merged, Confidentiality C1.1–C1.2 in review), and the ISO/IEC 27001:2022 Annex A crosswalk closes its A.5 organisational, A.6 people, and A.7 physical themes end-to-end. Cross-regime coverage now spans NIS2, DORA, CRA, GDPR, ISO 27001, and SOC2 against a single set of versioned controls.
-
Field note #131 — SOC 2 TSC crosswalk series complete, all five Trust Service Categories in the commons (G-06/G-07)
Field note one hundred and thirty-one from the SecOps-NG Digital Commons. Three more merges close the SOC 2 Trust Service Criteria crosswalk end-to-end: Confidentiality (C1.1–C1.2), Processing Integrity (PI1.1–PI1.5), and Privacy (P-series). With Security (CC1–CC9) and Availability (A1.1–A1.3) already in tree, all five TSC categories now sit alongside the ISO 27001, NIS2, DORA, CRA, and GDPR mappings against the same versioned playbooks and controls.
-
Field note #132 — F-WF-AGENTICSEC trilogy ships: an agentic-threat detection and response playbook in the commons (G-01/G-04)
Field note one hundred and thirty-two from the SecOps-NG Digital Commons. Three sequential framework merges land F-WF-AGENTICSEC end-to-end: a CACAO v2 playbook for detecting and containing agentic AI system threats — credential enumeration by autonomous agents, sub-minute lateral-movement bursts, agentic-supply-chain compromise — with OSCAL pins against NIS2 Art.21(2)(b)/(e), D3FEND tactic coverage, three-target compile parity across n8n, Temporal, and LangGraph, and OCSF telemetry bindings wired to KPI/KRI hooks.
-
Field note #133 — F-WF-EUAIACT trilogy ships: an EU AI Act Article 9 risk-management playbook in the commons (G-01/G-03)
Field note one hundred and thirty-three from the SecOps-NG Digital Commons. Two sequential framework merges land F-WF-EUAIACT SKELETON and CORE: the first community-governed CACAO v2 playbook covering EU AI Act Article 9 risk-management obligations for providers of high-risk AI systems, with OSCAL pins on RA-3, PM-9, and PL-2, a D3FEND tag on the risk-assessment step, and byte-parity compile targets for n8n, Temporal, and LangGraph.
-
Field note #134 — EU AI Act regulatory mapping layer lands: the G-02 traceability ring closes on the high-risk AI playbook (G-02)
Field note one hundred and thirty-four from the SecOps-NG Digital Commons. Framework PR #685 lands the inbound regulatory-mapping layer for the EU AI Act — four clause YAMLs across Art. 9, Art. 11, Art. 13, and Art. 72, an OSCAL 1.1.2 component definition mirroring the GDPR/CRA/NIS2 peers, and cross-regime edges to NIS2 Art. 21(2)(a) and GDPR Art. 35 DPIA. The traceability chain from EU AI Act obligation through OSCAL control to compiled playbook artefact is now auditable end-to-end.
-
Field note #135 — the EU AI Act playbook and its full regulatory-mapping ring landed in a single community-contributor wave (G-02/G-06)
Field note one hundred and thirty-five from the SecOps-NG Digital Commons. The EU AI Act Article 9 risk-management playbook trilogy and the full G-02 regulatory-mapping ring around it — NIS2 Art.21(2)(a) edge, GDPR Art.35 DPIA edge, EU AI Act OSCAL component definition, and the audited DORA/CRA no-interaction closures — landed as one contribution wave from a community contributor outside the founding maintainer set. Second major external wave after the ISO 27001 crosswalk series.
-
Field note #125 — the cookbook is complete: every shipped playbook now carries a practitioner walkthrough, and the operator on-ramp is end-to-end (G-01/G-07)
Field note one hundred and twenty-five from the SecOps-NG Digital Commons. As of tonight every shipped playbook in content/playbooks/ has a matching practitioner walkthrough in docs/cookbook/. Thirty-three playbooks, thirty-three walkthroughs, one-to-one. Combined with the sovereign operator quickstart guide landed two field notes ago, the framework now carries a documented on-ramp from bare EU-sovereign infrastructure to any of the shipped playbooks running end-to-end, with zero documentation debt in between.
-
Field note #126 — the ISO/IEC 27001:2022 Annex A crosswalk opens: operators can now map their existing 27001 controls into the commons (G-06), and CRA Art.13(11) record-retention lands alongside (G-02)
Field note one hundred and twenty-six from the SecOps-NG Digital Commons. A wave of merges today opens the ISO/IEC 27001:2022 Annex A crosswalk under content/mappings/iso27001/: the organisational A.5 theme (A.5.1–A.5.6), the people A.6 theme (A.6.1 screening, A.6.3 awareness), the first physical A.7 entries (A.7.1 perimeters, A.7.2 entry), and the first stretch of technological A.8 controls (A.8.1 through A.8.7). Alongside, the CRA Art.13(11) ten-year record-retention obligation lands under content/mappings/cra/. Operators using ISO 27001 as their baseline can now see which SecOps-NG playbooks satisfy which Annex A controls, in the same YAML shape the NIS2, DORA, CRA, and GDPR crosswalks already carry.
-
Field note #127 — the ISO/IEC 27001:2022 Annex A crosswalk continues: A.5 organisational controls fill in and the A.8 technological theme reaches A.8.17 (G-06)
Field note one hundred and twenty-seven from the SecOps-NG Digital Commons. A second wave of Annex A merges extends the ISO/IEC 27001:2022 crosswalk under content/mappings/iso27001/: the A.5 organisational file fills in A.5.2 through A.5.6, and the A.8 technological file now covers A.8.3 through A.8.17. A.8.18 through A.8.22 are in flight and land in the same wave. Operators reading the framework in Annex A vocabulary now see direct playbook mappings across most of the technological theme and the anchor of the organisational theme.
-
Field note #128 — a community contributor lands eight consecutive ISO 27001 Annex A mapping PRs in a single day (G-06)
Field note one hundred and twenty-eight from the SecOps-NG Digital Commons. A community contributor from outside the founding maintainer set opened and merged eight consecutive ISO/IEC 27001:2022 Annex A crosswalk PRs against secops-ng-framework in a single day (2026-07-05), delivering the A.5–A.8 opening surface end to end. A ninth PR (Annex A.8.18–A.8.22) is in flight pending a rebase. The mapping layer now speaks ISO 27001 alongside NIS2, DORA, CRA, GDPR, and D3FEND — and the ISO vocabulary was added by the community.
-
Field note #114 — the GDPR Art. 35 DPIA playbook ships as a full trilogy; scaffold, three compilers, and cookbook land together (F-WF-DPIA, G-01/G-02)
Field note one hundred and fourteen from the SecOps-NG Digital Commons. The data protection impact assessment playbook lands as a complete lifecycle object: CACAO v2 scaffold anchored on GDPR Art. 35 with an Art. 36 prior-consultation branch, three reference compilers (n8n, Temporal, LangGraph) with a shared evidence schema and byte-parity goldens, and a cookbook walkthrough — all in one wave. GDPR Art. 35 is now a durable, framework-native playbook, not a mapping row.
-
Field note #115 — NIS2 enforcement month is here; the Article 21 self-assessment now runs as a playbook in the commons (F-WF-NIS2-SELF-ASSESS, G-06/G-07)
Field note one hundred and fifteen from the SecOps-NG Digital Commons. NIS2 enforcement is live for in-scope operators. The whole-Article-21(2) self-assessment ships as a durable playbook object: a CACAO v2 scaffold that rolls the ten (a–j) sub-clause atoms into one dated attestation, three reference compilers (n8n, Temporal, LangGraph) with byte-parity goldens, and a cookbook that walks an operator from evidence-store to supervisory-authority-ready attestation.
-
Field note #116 — CRA, DORA, and NIS2 incident-notification latency triads all land in the KPI/KRI catalogue (G-04)
Field note one hundred and sixteen from the SecOps-NG Digital Commons. Three regulatory incident-notification clock cascades — CRA Article 14, DORA Article 17/19, and NIS2 Article 23 — now carry latency KRI triads in content/metrics/, each with a hard statutory bound on the wall, an OCSF Compliance Finding binding, a regulatory anchor, a sovereign_stack_note, and a reference visualisation.
-
Field note #117 — GDPR Art. 33/34 breach-notification latency triad lands, closing the four-regime coverage ring (G-04)
Field note one hundred and seventeen from the SecOps-NG Digital Commons. A GDPR Article 33/34 personal-data breach notification latency triad now ships in content/metrics/, alongside the CRA, DORA, and NIS2 triads landed in field note #116 — the four-regime incident-notification latency ring is closed in the KPI/KRI catalogue at G-04.
-
Field note #118 — F-MET-AVAILABILITY ships: NIS2/DORA service-availability KPI triad lands in the G-04 catalogue
Field note one hundred and eighteen from the SecOps-NG Digital Commons. A NIS2 Art.21(1)(b–c) / DORA Art.11 service-availability and continuity KPI triad now ships in content/metrics/, closing the operator-side continuity measurement loop alongside the four-regime incident-notification latency ring at G-04.
-
Field note #119 — the NIS2 Article 21 self-assessment cookbook walkthrough ships, third cookbook in the current compliance wave
Field note one hundred and nineteen from the SecOps-NG Digital Commons. The nis2_self_assessment cookbook walkthrough is now on the shelf: a full practitioner walk from evidence store to dated attestation, wired through all three reference compile targets (n8n, Temporal, LangGraph), and joining the DPIA and DSR walkthroughs as the third cookbook in the current NIS2/GDPR compliance wave.
-
Field note #120 — four-regime playbook_refs ring closes: DORA/NIS2/GDPR latency KRIs wire back into the CACAO chains (G-02/G-04)
Field note one hundred and twenty from the SecOps-NG Digital Commons. Nine latency KRI entries across DORA Art. 19(4), NIS2 Art. 23(4), and GDPR Art. 33/34 now carry canonical playbook_refs back into the shipped incident_management and data_exfil CACAO chains — joining the CRA triad from PR #622 and closing the four-regime metric-to-playbook back-reference ring at G-02 and G-04.
-
Field note #121 — F-MET-AVAILABILITY EXTEND ships: NIS2/DORA residual-risk KRI triad closes the availability sextet (G-04)
Field note one hundred and twenty-one from the SecOps-NG Digital Commons. The residual-risk counterpart to the F-MET-AVAILABILITY KPI triad now ships in content/metrics/ — three KRIs on NIS2 Art.21(2)(e) and DORA Art.8 that read the exposure the operator's continuity posture accumulates before the aggregate KPIs slip. Availability, RTO, and continuity-test lanes covered on both the performance and the residual-risk axes.
-
Field note #122 — the DORA Chapter II ICT risk self-assessment roll-up ships as a full trilogy; scaffold, three compilers, and cookbook land together (F-WF-DORA-SELFASSESS, G-01/G-03)
Field note one hundred and twenty-two from the SecOps-NG Digital Commons. The DORA Chapter II ICT risk management self-assessment roll-up playbook lands as a complete lifecycle object in a single wave: a CACAO v2 scaffold anchored on Art. 6/7/8/10/11 with the Art. 6(5) annual review cadence and the post-major-incident review trigger modelled explicitly, three reference compilers (n8n, Temporal, LangGraph) with byte-parity goldens, and a cookbook walkthrough. DORA Chapter II is now a durable, framework-native playbook, not five mapping rows.
-
Field note #123 — the sovereign operator quickstart lands: an EU-native deployment path documented end to end, from clone through compile through Temporal audit trail (G-07/G-05)
Field note one hundred and twenty-three from the SecOps-NG Digital Commons. The sovereign quickstart guide on the framework repo is rewritten for the content-first layout: Temporal as the durable-code reference path, phishing_triage as the guided entry-point workflow, EU-resident LM defaults with no silent fallback to non-EU endpoints, and a sovereign provider shortlist (Nebul, OVHcloud, Scaleway, Hetzner) named without commercial claims attached. A stale pre-restructure guide that had been carrying its own obsolescence banner is gone. Evaluating an EU-native deployment is now a followable walk.
-
Field note #124 — F-MAP-GDPR-OSCAL ships: a GDPR OSCAL component definition lands with a nightly parity lane, and the four-regime OSCAL ring closes across CRA, DORA, NIS2, and GDPR (G-02)
Field note one hundred and twenty-four from the SecOps-NG Digital Commons. The GDPR OSCAL component definition lands under content/mappings/gdpr/oscal-component-definition.json, mirroring the CRA, DORA, and NIS2 pattern already in the tree, and a nightly orphan-CI lane now asserts schema, coverage, and a fifty-five implemented-requirement floor out-of-band from PR CI. All four regulatory regimes the framework carries now expose machine-readable OSCAL component definitions with the same nightly parity floor. The regulatory OSCAL ring is closed.
-
Field note #103 — NIS2 enforcement month arrives, and SecOps-NG carries the full coverage stack into it
Field note one hundred and three from the SecOps-NG Digital Commons. July 2026 is the NIS2 Article 21 enforcement month — the calendar the project has been rowing toward since the first commit. The stack that meets it is now on the catalogue: twenty-nine CACAO v2 playbooks, the full NIS2 / DORA / CRA / GDPR outbound mapping ring, a KPI/KRI catalogue with anchors into the same control language, and cookbook walkthroughs that turn each playbook into a working compile in the operator's own orchestrator. The Digital Commons crosses the enforcement boundary carrying its own weight, and it is asking for yours.
-
Field note #104 — alert_triage closes its G-02 mapping ring across NIS2, DORA, and GDPR
Field note one hundred and four from the SecOps-NG Digital Commons. Two framework PRs — #603 and #605 — land the last two edges of alert_triage's cross-framework mapping. The highest-frequency operational playbook on the catalogue now carries NIS2 Article 21(2)(b), DORA Article 10, and GDPR Article 6 as machine-readable per-clause YAMLs alongside its CACAO source. Every alert disposition can trace itself to the EU regulatory surface it discharges, without the operator writing that linkage by hand.
-
Field note #105 — GDPR Art.25 by-design and Art.35 DPIA land, completing the GDPR clause tree
Field note one hundred and five from the SecOps-NG Digital Commons. Two framework PRs — #607 and #608 — bring GDPR Article 25 data-protection-by-design and Article 35 data-protection-impact-assessment into the machine-readable mapping tree. The GDPR surface on the catalogue now carries eight per-clause YAMLs, from Article 5 through Article 35, and every alert, incident, and vulnerability-management step can trace itself to the article it discharges.
-
Field note #106 — first-contributor onboarding toolkit ships (G-06)
Field note one hundred and six from the SecOps-NG Digital Commons. Three framework PRs — #599, #600, and #601 — land the contributor onboarding trilogy: good-first-issues and issue templates, a playbook-authoring guide with a compiler walkthrough, and a review-process guide with community norms. The commons now has a documented, end-to-end path a first contributor can walk from a starter issue to a merged mapping overlay.
-
Field note #107 — the four-regime mapping ring closes across NIS2, DORA, CRA, and GDPR
Field note one hundred and seven from the SecOps-NG Digital Commons. With GDPR Article 25 by-design, Article 35 DPIA, and CRA Annex I §1(h) DDoS response landing on main, every anchored playbook on the catalogue now traces to all four EU regulatory regimes in machine-readable per-clause YAMLs. No orphaned regime, no linkage left for the operator to write — and orphan-lint in CI keeps it that way.
-
Field note #108 — sovereignty-axis metrics expand from eight to twenty (F-METRICS-04 EXTEND, PR #611)
Field note one hundred and eight from the SecOps-NG Digital Commons. Twelve new sovereignty-axis KPI/KRI definitions land under content/metrics/ — the largest single expansion of the catalogue to date. Operators drop EU-resident endpoint monitoring, AI-provider neutrality enforcement, and storage residency verification straight into their dashboards without writing the linkage themselves.
-
Field note #109 — auditability axis lands on the KPI/KRI catalogue (F-METRICS-04 CORE, PR #612)
Field note one hundred and nine from the SecOps-NG Digital Commons. Five auditability-axis KPI/KRI definitions land under content/metrics/, closing the fourth and final FOUNDATION-property axis on the catalogue. All four FOUNDATION properties — sovereignty, auditability, determinism, operability — now carry explicit, threshold-guarded catalogue entries with viz siblings and OCSF source bindings.
-
Field note #110 — the USED-BY.md registry is open, self-attestation lives at the framework root (F-ADOPT-01, G-07)
Field note one hundred and ten from the SecOps-NG Digital Commons. The self-attesting adoption registry is live at the framework repository root. If you are running SecOps-NG playbooks — in production, in staging, in evaluation, or in a research setting — add your organisation and let the community see it in the open.
-
Field note #111 — determinism and operability land, FOUNDATION ring closes (F-METRICS-04, PR #613)
Field note one hundred and eleven from the SecOps-NG Digital Commons. Ten new KPI/KRI entries land under content/metrics/ — five on determinism, five on operability — closing the FOUNDATION-property ring on the catalogue. All four properties now carry threshold-guarded entries with viz siblings and reproducible source bindings.
-
Field note #112 — the quickstart guide and the adoption registry land together; the onboarding path is open (F-DOCS-QS-01 + F-ADOPT-01, G-06/G-07)
Field note one hundred and twelve from the SecOps-NG Digital Commons. A practitioner can now go from clone to first working compile in under thirty minutes, across all three reference targets, and self-attest their deployment in the community registry — no maintainer gatekeeping between the two steps.
-
Field note #113 — the GDPR data subject rights playbook ships; Art. 15 through Art. 22 land in one CACAO scaffold (F-WF-DSR SKELETON, G-01/G-02)
Field note one hundred and thirteen from the SecOps-NG Digital Commons. The first GDPR Art. 15–22 data subject rights playbook lands as a portable CACAO v2 scaffold with OSCAL and D3FEND overlays and a full inbound clause mapping — operators running GDPR-in-scope workloads now have a machine-readable DSR handling workflow with regulatory traceability, framework-agnostic, ready for compiler fan-out.
-
DORA year-one — sovereign incident reporting and the EU operator's posture
DORA's first supervisory year closed on 2 July 2026 and the first tranche of supervisory incident data is now public. The pattern is clear: the gap that hurts is not 'did something happen' but 'can you produce an Article 19-shaped report from your own timeline, on your own soil, on the regulator's clock'. This post walks through what the year-one data shows, how the SecOps-NG commons frames the same problem as a portable open workflow, and what 'sovereign' actually has to mean for DORA reporting to hold up.
-
Field note #100 — MFA-secured comms reaches CORE across the three-target ring, and three more cookbook walkthroughs land (framework PRs #577-#581)
One hundredth field note from the SecOps-NG Digital Commons: mfa_secured_comms lands its CORE milestone with deterministic primitives, detection bindings, and byte-parity across all three reference compile targets — the authentication anchor for NIS2 Article 21(2)(j) and DORA Article 9. In the same window, three more cookbook walkthroughs join the operator adoption library: ddos_response, mfa_secured_comms, and crypto_posture_management. Twenty-five of twenty-seven shipped playbooks now carry an end-to-end walkthrough.
-
Field note #101 — CRA Article 14 SRP notification lands as a three-target playbook, and a full trilogy closes in one window (framework PRs #583-#585)
The Cyber Resilience Act Article 14 single-reporting-platform (SRP) obligation now has a portable, deterministic CACAO v2 implementation on the SecOps-NG framework. SKELETON, CORE, and EXTEND-DOCS ship in the same window: the cra_srp_notify playbook scaffold, three-target durable-timer emitters across n8n, Temporal, and LangGraph, and the operator-facing cookbook walkthrough for the 24-hour / 72-hour / 14-day CRA cascade. G-01 count moves. G-02 mapping stays closed at 27/27. G-03 gains one more three-target-parity member.
-
Field note #102 — CRA Article 14 CVD lands as a full SKELETON → CORE trilogy → EXTEND stack, and closes the Article 14 disclosure surface with #101 (framework PRs #591-#595)
The Cyber Resilience Act Article 14 §1 and §6 coordinated-vulnerability-disclosure (CVD) obligation now has a portable, deterministic CACAO v2 playbook on the SecOps-NG framework. SKELETON, a three-part CORE (templates, adapters, KPI wiring), and EXTEND-DOCS ship in the same window: the cra_cvd playbook scaffold, the acknowledgement-letter and CSAF 2.0 advisory templates, the CVE-request / CSIRT-coordination / PGP-delivery adapter stubs, D3-IRA + IR-6 + SI-2 + Art.14§6 acknowledgement-SLA KPI wiring, and the operator-facing cookbook walkthrough. Together with field note #101, the full CRA Article 14 disclosure surface — reporter-facing lifecycle and regulator-facing notification — now lands as two composable playbooks keyed on the same case.
-
Field note #96 — cookbook walkthroughs land for detection-engineering and backup-recovery (framework PRs #566-#567)
Ninety-sixth field note from the SecOps-NG Digital Commons: two cookbook entries merge to secops-ng-framework, bringing documented end-to-end walkthroughs to thirteen of twenty-seven shipped playbooks. F-WF-04 EXTEND-DOCS adds the detection-engineering four-state rule-lifecycle walkthrough (#566). F-WF-BACKUP EXTEND-DOCS adds the backup-recovery restore-drill walkthrough with the two-lane integrity-check branch (#567). Content coverage is met; the cookbook is the connective narrative that makes the catalogue adoptable end-to-end.
-
Field note #97 — G-01 cookbook wave closes with five walkthroughs (framework PRs #568-#572)
Ninety-seventh field note from the SecOps-NG Digital Commons: five cookbook entries merge to secops-ng-framework in a single wave, bringing documented end-to-end walkthroughs to eighteen of twenty-seven shipped playbooks. On-call rotation (#568), phishing triage (#569), post-incident review (#570), data exfil (#571), and identity compromise (#572) each land a full operator-facing walkthrough — CACAO topology, three-target compile view across n8n / Temporal / LangGraph, NIS2 / DORA / CRA / GDPR anchors, operator customisation points, replay-and-audit story. The G-01 cookbook-coverage window closes.
-
Field note #98 — G-01 cookbook wave continues with four more walkthroughs (framework PRs #573-#576)
Ninety-eighth field note from the SecOps-NG Digital Commons: four more cookbook entries land against secops-ng-framework in the same window, bringing documented end-to-end walkthroughs to twenty-two of twenty-seven shipped playbooks. Ransomware containment (#573), cloud misconfiguration (#574), threat-intel ingest (#575), and cyber-hygiene training (#576) each land a full operator-facing walkthrough — CACAO topology, three-target compile view across n8n / Temporal / LangGraph, NIS2 / DORA / CRA / OSCAL anchors, operator customisation points, replay-and-audit story. G-01 cookbook coverage continues to close in.
-
Field note #99 — the mapping ring closes: 27/27 playbooks carry regulatory overlays, on the eve of NIS2 enforcement
Ninety-ninth field note from the SecOps-NG Digital Commons: the last outbound regulatory-mapping overlay lands, closing the G-02 ring at 27/27 shipped CACAO v2 playbooks. Alert triage — the most operationally-active workflow in a SOC — was the final gap, and it lands in the same window July 2026 became the NIS2 Article 21 enforcement month. Every shipped playbook now carries OSCAL control anchors, MITRE D3FEND references, OCSF class bindings, and EU regulatory clause references in one per-playbook mappings.yaml an operator can query programmatically.
-
Field note #91 — the residual-risk pairing invariant reaches the determinism corner, and the per-cluster OCSF binding lint opens two more clusters (post-incident-review, regulatory-notification)
Ninety-first field note from the SecOps-NG Digital Commons: four framework PRs extend the sovereignty-corner pairing invariant into the determinism corner (#544), open the F-MET-OCSF-PIR triplet for the post-incident-review cluster on SKELETON + CORE (#545, #546), and open F-MET-OCSF-REGNOTIFY on SKELETON for the regulatory-notification cluster (#547). All four ride the same nightly orphan-CI cadence and arm at zero findings on the shipped catalogue.
-
Field note #92 — the per-cluster OCSF binding lint sweeps across three more KPI/KRI clusters (regulatory-notification CORE, identity-&-access SKELETON+CORE, vulnerability-&-patch SKELETON+CORE)
Ninety-second field note from the SecOps-NG Digital Commons: five framework PRs widen the G-04 per-cluster OCSF source-data-shape binding lint across three more KPI/KRI clusters. Regulatory-notification closes to CORE (#548), identity-&-access ships SKELETON + CORE (#549, #550), and vulnerability-handling & patch (CRA-family) ships SKELETON + CORE (#551, #552). All three now ride the same nightly orphan-CI cadence and arm at zero findings on the shipped catalogue.
-
Field note #93 — the per-cluster OCSF binding lint sweeps across four more KPI/KRI clusters (threat-intel & phishing SKELETON+CORE, incident-response SKELETON+CORE, on-call-rotation SKELETON+CORE, supply-chain-security SKELETON+CORE)
Ninety-third field note from the SecOps-NG Digital Commons: eight framework PRs widen the G-04 per-cluster OCSF source-data-shape binding lint across four more KPI/KRI clusters. Threat-intel & phishing ships SKELETON + CORE (#553, #554), incident-response ships SKELETON + CORE (#555, #556), on-call-rotation ships SKELETON + CORE (#557, #558), and supply-chain-security ships SKELETON + CORE (#559, #560). Four new clusters ride the nightly orphan-CI cadence; supply-chain arms at a zero-classified baseline until real bindings land.
-
Field note #94 — backup-recovery joins the OCSF binding ring (F-MET-BCR SKELETON + F-MET-OCSF-BCR SKELETON/CORE, framework PRs #561-#563)
Ninety-fourth field note from the SecOps-NG Digital Commons: three framework PRs open the backup-recovery KPI/KRI cluster with OCSF-armed metric definitions and wire its per-cluster OCSF source-data-shape binding lint into nightly orphan-CI. F-MET-BCR SKELETON authors four OCSF-armed metric entries against the shipped backup-recovery playbook (#561). F-MET-OCSF-BCR SKELETON adds the per-cluster binding lint (#562). F-MET-OCSF-BCR CORE lands the nightly orphan-CI wire-in (#563). Eleven KPI/KRI clusters now enforce their OCSF binding nightly on sibling orphan-CI lanes — the backup-recovery cluster closes the last major playbook cluster outside the OCSF binding ring.
-
Field note #95 — detection-engineering joins the OCSF binding ring (F-MET-OCSF-DETENG SKELETON + CORE, framework PRs #564-#565)
Ninety-fifth field note from the SecOps-NG Digital Commons: two framework PRs bring the detection-engineering KPI/KRI cluster fully inside the G-04 OCSF source-data-shape binding ring. F-MET-OCSF-DETENG SKELETON adds the per-cluster binding lint and pins the anchor metric to its detection-engineering playbook step (#564). F-MET-OCSF-DETENG CORE wires the assertion into nightly orphan-CI (#565). Twelve KPI/KRI clusters now enforce their OCSF binding nightly on sibling orphan-CI lanes.
-
Field note #88 — incident_management lands on NIS2 Art. 23(4) per-clause refs, closing the last G-02 orphan on the article
Eighty-eighth field note from the SecOps-NG Digital Commons: one framework PR wires playbook.incident_management@v1 directly into the per-clause playbook_refs for NIS2 Art. 23(4)(a) early-warning, 23(4)(b) incident-notification, and 23(4)(d) final-report — and retires the matching orphan-skip. The regulator-notification engine is now an auditable artifact on the public tree, reachable from each of the three §23(4) clauses it serves.
-
Field note #89 — the KPI/KRI catalogue gets OCSF-grounded: every posture and detection-latency metric now declares a source-data shape, enforced by nightly CI
Eighty-ninth field note from the SecOps-NG Digital Commons: seven framework PRs deepen determinism-coverage on the KRI margin (#533), land a CRA Art. 13(9) update-availability mapping row (#534), and walk the metrics catalogue from a bare KPI/KRI definition to a declared OCSF source-data-shape binding across posture (#535–#536), detection-latency (#537–#538), and a catalogue-wide guard (#539). The story is metrics you can actually feed from real telemetry.
-
Field note #90 — catalogue-wide OCSF binding closes its triplet, and the sovereignty cluster gains an UNKNOWN-residency residual-risk KRI
Ninetieth field note from the SecOps-NG Digital Commons: four framework PRs close the F-MET-OCSF-CATALOGUE triplet — the catalogue-wide OCSF source-data-shape binding guard now resolves every telemetry.ocsf.* ref against content/telemetry/ and rides the nightly orphan-CI lane (#540–#541) — and open F-MET-SOV in the sovereignty corner with a paired UNKNOWN-residency LM-endpoint exposure KRI plus its nightly pairing invariant (#542–#543).
-
Field note #85 — `asset_management` ships the full ring (G-01 25th-cookbook content-coverage milestone, three-target parity, NIS2 Art. 21(2)(i) and DORA Art. 8 co-anchored)
Eighty-fifth field note from the SecOps-NG Digital Commons: the `asset_management` lane on F-WF-ASSET flips Shipped. The full ring is on `main` — canonical CACAO playbook, deterministic primitives, three reference compile targets under byte-parity guards (n8n, Temporal, LangGraph), NIS2 Article 21(2)(i) anchor with DORA Article 8 co-anchored inbound, and the operator cookbook walkthrough. This is the twenty-fifth canonical CACAO playbook on the content side and reads against the G-01 content-coverage milestone.
-
Field note #86 — G-04 catalogue maturity hardens (determinism + sovereignty foundation_property back-fill) and F-WF-PATCH lands its deterministic primitives
Eighty-sixth field note from the SecOps-NG Digital Commons: five framework PRs land on the catalogue-maturity goal (G-04) and the patch_management workflow lane (F-WF-PATCH). The KPI/KRI catalogue's `foundation_property` requirement is back-filled across sixteen existing metric files, two new metric triplets close the thinnest determinism and sovereignty corners, the patch_management deterministic primitives package lands behind the canonical CACAO source, and the patch-application evidence stream picks up its first two catalogue entries.
-
Field note #87 — patch_management closes out (cookbook walkthrough) and lands on GDPR Art. 32(1)(b), orphan-CI green across CRA / DORA / GDPR / NIS2
Eighty-seventh field note from the SecOps-NG Digital Commons: two framework PRs land the patch_management cookbook walkthrough and wire asset_management plus patch_management onto the GDPR Art. 32(1)(b) per-clause mapping. Patch_management now ships with content, structure, metrics, mappings, three worked examples at byte-parity, an operator walkthrough, and a clause anchor under each of CRA, DORA, GDPR, and NIS2 — and the orphan-CI ring reads green across all four frameworks.
-
Field note #82 — `cyber_hygiene_training` closes the G-03 three-target worked-example ring, `ddos_response` lands end-to-end (playbook → 3 worked examples → CORE), `patch_management` opens; GDPR Article 32 picks up two more inbound citations
Eighty-second field note from the SecOps-NG Digital Commons: eleven PRs against the framework. PRs #498–#500 close the G-03 three-target worked-example parity ring on `cyber_hygiene_training`, finishing worked-example parity across all four NIS2 Article 21(2) basic-measures playbooks the project has driven through CORE so far. PRs #501–#505 land `ddos_response` end-to-end in one wave: the SKELETON CACAO playbook, three worked examples (Temporal, n8n, LangGraph) with byte-parity guards, and the CORE pass that pins D3FEND bindings and closes the DORA graph. PR #497 lands the F-MAP-GDPR CORE-3 per-clause mapping on Article 32(1)(a) encryption / pseudonymisation; PR #506 registers `ddos_response` and `cyber_hygiene_training` as inbound citations under the same Article 32 lane. PR #507 opens the next basic-measures playbook on the F-WF-PATCH lane: `patch_management` SKELETON, the NIS2 Article 21(2)(e) maintenance anchor.
-
Field note #83 — `patch_management` promotes to CORE and picks up its first two worked-example legs (n8n + Temporal), with the LangGraph end still open; F-MAP-CRA and F-MAP-DORA each walk a G-02 mapping-integrity closure
Eighty-third field note from the SecOps-NG Digital Commons: five PRs against the framework. PR #508 promotes the `patch_management` playbook from SKELETON to CORE — D3FEND bindings on each lifecycle step, `metric_refs` pins on the patch-latency and remediation-coverage KPIs, and the DORA graph closure under NIS2 Article 21(2)(e). PRs #509 and #510 land the first two worked-example legs on the same canonical CACAO source — n8n and Temporal — emitted deterministic under the G-03 byte-parity contract; the LangGraph end is still to land, so the three-target parity ring on `patch_management` is NOT yet closed (two of three legs). PR #511 binds `crypto_posture_management` to CRA Annex I §1(e) confidentiality on the F-MAP-CRA lane (G-02 graph closure on an external-contributor mapping). PR #512 repoints the F-MAP-DORA Article 11 availability-response control reference to `incident_handling_capability@v1` (G-02 KRI mapping integrity, red-CI fix).
-
Field note #84 — `patch_management` closes the G-03 three-target worked-example parity ring (LangGraph end lands), and the F-MAP-CRA lane binds the same playbook to Annex I §2 security-updates-rollout
Eighty-fourth field note from the SecOps-NG Digital Commons: two PRs against the framework close the `patch_management` lane. PR #513 lands the LangGraph worked example on the same canonical CACAO source the prior n8n and Temporal legs emit against — the G-03 three-target worked-example parity ring on `patch_management` now reads closed, with all three reference compile targets shipped under byte-parity guards. PR #514 binds `patch_management` to CRA Annex I §2 security-updates-rollout on the F-MAP-CRA lane, closing the documented CRA orphan on the playbook (G-02 graph closure).
-
Field note #78 — a four-playbook NIS2 Article 21(2) basic-measures SKELETON wave opens (business-continuity, cryptography, authentication, cyber-hygiene), and the F-MET FOUNDATION axis gets a per-property minimum-coverage floor
Seventy-eighth field note from the SecOps-NG Digital Commons: five PRs against the framework. Four SKELETON CACAO playbooks close NIS2 Article 21(2) playbook_refs orphans on the basic-measures cluster — backup_recovery on §(c), crypto_posture_management on §(h), mfa_secured_comms on §(j), and cyber_hygiene_training on §(g) — opening the SKELETON tier of the F-WF lane. A fifth PR hardens the F-MET G-04 catalogue with a per-property minimum-coverage floor on the FOUNDATION axis, upgrading the union-coverage CI guard from greater-than-zero anywhere to a per-property minimum across all four properties.
-
Field note #79 — the NIS2 Article 21(2) basic-measures cluster crosses from SKELETON to CORE on four playbooks in one window (crypto, backup-recovery, MFA, cyber-hygiene), and F-MAP-CRA closes the G-02 grace window to zero
Seventy-ninth field note from the SecOps-NG Digital Commons: five PRs against the framework. Four CORE waves promote the NIS2 Article 21(2) basic-measures playbooks — crypto_posture_management, backup_recovery, mfa_secured_comms, cyber_hygiene_training — from SKELETON to CORE with per-step D3FEND v1.0.0 bindings, OCSF Compliance Finding (2003) emissions, and DORA cross-graph closure on Articles 9, 12, and 13. A fifth PR drives the F-MAP-CRA G-02 orphan-CI grace window to zero by authoring the four matching CRA inbound mappings against Annex I §1(d/e/h) and Article 13(6) before the seven-day grace lapses.
-
Field note #80 — the NIS2 Article 21(2) basic-measures cluster grows portable worked examples on all three reference compile targets: `backup_recovery` closes G-03 three-target parity, `mfa_secured_comms` opens its parity lane on Temporal
Eightieth field note from the SecOps-NG Digital Commons: four PRs against the framework. Three PRs land worked examples on n8n, Temporal, and LangGraph for the `backup_recovery` playbook (NIS2 Art.21(2)(c), DORA Art.12) — closing the G-03 three-target compile parity contract from the same canonical CACAO source. A fourth PR opens the same parity lane on the `mfa_secured_comms` playbook (NIS2 Art.21(2)(j)) by shipping the Temporal worked example. Each worked example mirrors the canonical CACAO byte-for-byte, regenerates deterministically through the reference compilers, and carries a per-example byte-parity golden test.
-
Field note #81 — `crypto_posture_management` and `mfa_secured_comms` close G-03 three-target worked-example parity; `backup_recovery` picks up its GDPR Article 32(1)(c) restore-availability inbound citation
Eighty-first field note from the SecOps-NG Digital Commons: six PRs against the framework. Two PRs close the G-03 three-target compile-parity ring on `mfa_secured_comms` by landing the n8n and LangGraph worked examples alongside its already-shipped Temporal leg. Three PRs open and close the same ring on `crypto_posture_management` in one window, shipping Temporal, n8n, and LangGraph worked examples emitted deterministically from the same canonical CACAO source. A sixth PR lands the GDPR Article 32(1)(c) restore-availability inbound citation on the `backup_recovery` playbook on the F-G02 mapping lane. Each worked example mirrors the canonical CACAO byte-for-byte, regenerates deterministically through the reference compilers, and carries a per-example byte-parity golden test.
-
Field note #76 — the F-MET G-04 OCSF source-data-shape binding axis closes across the remaining executive-metrics clusters
Seventy-sixth field note from the SecOps-NG Digital Commons: seven PRs against the framework walk the OCSF source-data-shape binding axis across the remaining G-04 executive-metrics clusters — CRA / regulatory-clock, cloud-posture, corrective-action, coverage, phishing-efficacy, incident-response operational-SLA, and identity-compromise. Paired with the MTTD/MTTR latency bindings already announced in field note #75, every shipped KPI/KRI on the executive-metrics catalogue floor now declares its concrete OCSF event source on both the `.viz.md` sibling and the metric YAML `measurement.inputs[]` back-reference.
-
Field note #77 — the F-MET G-04 catalogue declares a required, audited FOUNDATION-property classification on every shipped KPI/KRI, and the F-MAP-CRA cross-reference red-CI gap closes
Seventy-seventh field note from the SecOps-NG Digital Commons: five PRs against the framework walk the executive-metrics catalogue (G-04) to a maturity milestone — every one of the forty-four shipped KPIs and KRIs now carries a required, audited foundation_property classification (auditability / determinism / sovereignty / operability), backed by a CI coverage guard, with the schema field promoted from optional to required. The same wave closes the last governance/process residual cluster on the OCSF source-data-shape binding axis and lands the six missing F-MAP-CRA control cross-reference files behind the recent NIS2/DORA/CRA/GDPR mapping wave.
-
Field note #72 — G-02 KRI orphan-closure reaches full four-framework coverage and the GDPR outbound overlay carries a complete Chapter V (Art. 44–49) personal-data-transfer block across every shipped playbook
Seventy-second field note from the SecOps-NG Digital Commons: the DORA mapping tree's SKELETON wave backlinks the last five playbooks against Art. 9/10/28 and an audited orphan skip retires the it_security_support_agent grace; the CRA supply-chain-security row closes inbound on Art. 13(4) component due-diligence; and the GDPR EXTEND-outbound pass lands a complete Chapter V (Art. 44–49) personal-data-transfer overlay on every shipped playbook's mappings.yaml — processor + identity egress, threat-intel / supply-chain sharing, regulator-submission egress, vuln / posture, and ops / support clusters. The G-02 KRI orphan-closure property is now structurally green across all four covered regimes (NIS2, DORA, CRA, GDPR) without leaning on the finalization grace window.
-
Field note #73 — the F-MET executive-metrics lane opens: breach-notification-clock-margin reaches CORE as the first GDPR operational KRI to bind OCSF + ship a committed reference visualisation, with detection_coverage and the MTTD detection-latency cluster scaffolded along the same pattern
Seventy-third field note from the SecOps-NG Digital Commons: the framework's executive-metrics / KPI-KRI lane (G-04) opens with a four-PR wave. The GDPR-operational-KRI scaffold lands a SKELETON entry for breach-notification-clock-margin against the Article 33 72-hour clock, and the same metric reaches CORE in the next PR by binding to an OCSF Incident Finding source-data shape and committing a reference visualisation as a sibling artifact. Two more SKELETON entries follow on the same pattern: detection_coverage binds OCSF Detection Finding and ships its reference viz, and the MTTD detection-latency cluster (mttd / mttd_phishing / mttd_ransomware) opens the catch-up wave on committed reference visualisations behind a lightweight presence-and-back-reference regression net.
-
Field note #74 — the F-MET G-04 reference-visualisation catch-up wave: nine PRs across MTTR, CRA Article 14, per-scenario MTTD/MTTR, identity-lifecycle, regulator-notification SLA, coverage, remediation-throughput, and phishing-detection close the .viz.md sibling-file property across the executive-metrics catalogue
Seventy-fourth field note from the SecOps-NG Digital Commons: the F-MET executive-metrics lane opened in the previous note moves from exemplar to coverage. Nine PRs land cluster-by-cluster .viz.md siblings across eight families — MTTR remediation-latency, CRA Article 14 regulatory-reporting clocks, per-scenario MTTD/MTTR variants, identity-lifecycle (JML + identity-compromise containment), regulator-notification SLA, coverage (cloud posture, on-call schedule, threat-intel feed), remediation-throughput (corrective-action close-rate/overdue + patch dissemination), and phishing-detection (simulation click-rate + suppression rate). The committed reference-visualisation property the regression net defends is now structurally honoured across the catalogue.
-
Field note #75 — the F-MET G-04 reference-visualisation pass closes at 44/44 across the executive-metrics catalogue and OCSF source-data-shape bindings begin landing on the MTTD/MTTR latency clusters
Seventy-fifth field note from the SecOps-NG Digital Commons: six PRs against the framework close the F-MET G-04 reference-visualisation property at forty-four of forty-four entries across the executive-metrics catalogue, then open the next catalogue-maturity step by landing OCSF source-data-shape bindings on the MTTD detection-latency and MTTR response-latency clusters. The detection-quality, corrective-action governance, incident-process integrity, and CLOSEOUT clusters finish the .viz.md sibling-file convention; the MTTD/MTTR OCSF bindings tie each latency KPI to a concrete OCSF event shape behind the row.
-
Field note #70 — F-WF-SCS supply-chain-security playbook flips to Shipped with three-target parity and a cookbook entry (NIS2 Article 21(2)(d))
Seventieth field note from the SecOps-NG Digital Commons: F-WF-SCS supply-chain-security lands as a full three-target playbook — n8n, Temporal, and LangGraph worked examples with byte-parity goldens on all three — plus a cookbook walkthrough and a ROADMAP flip to Shipped. The NIS2 Article 21(2)(d) supply-chain risk-management baseline is now portable, executable content that compiles into whichever orchestrator an operator already runs.
-
Field note #71 — F-MAP-GDPR mapping-closure wave lands and orphan-CI consolidates into one nightly matrix workflow (GDPR joins CRA, NIS2, DORA on the same enforced floor)
Seventy-first field note from the SecOps-NG Digital Commons: the F-MAP-GDPR mapping-closure wave lands on the framework — Art. 5, Art. 26/28, Art. 32, Art. 33/34 clusters authored across five per-clause CORE passes — the per-framework orphan-CI workflows collapse into a single matrix-driven nightly lane, and a pair of follow-on inbound/outbound closures arm the supply-chain-security row on NIS2 Art. 21(2)(d) and the incident_management row on DORA Art. 19(4). Standards coverage across the catalogue now spans four regulatory regimes — CRA, NIS2, DORA, GDPR — and is machine-checked on every push.
-
Field note #66 — F-SV-02 eIDAS 2.0 wallet integration pattern flips to Shipped with three-target parity closed, and F-G02 outbound cross-standard mappings overlay lane opens with the incident-family quartet complete on this pass
Sixty-sixth field note from the SecOps-NG Digital Commons: F-SV-02 eIDAS 2.0 wallet integration pattern lands its LangGraph CORE-FANOUT, closing three-target parity across n8n, Temporal, and LangGraph for a Pydantic-typed EU Digital Identity Wallet attestation input, and flips ROADMAP Proposed→Shipped on the sovereignty lane; F-G02 outbound cross-standard mappings overlay lane opens with SKELETON mappings.yaml overlays on the vuln_intake, identity_compromise, ransomware_containment, and incident_management playbooks — the incident-family quartet complete on this pass — cross-linking OSCAL / D3FEND / OCSF plus NIS2 / DORA / CRA / GDPR; the lane is opening, not complete, with the EXTEND surface and the F-WF / F-SV row fan-out still ahead.
-
Field note #67 — F-G02 outbound cross-standard mappings overlay wave closes out: the catalogue now reads fifteen of fifteen workflow playbooks each carrying an outbound mappings.yaml, the SKELETON pass on the lane is complete
Sixty-seventh field note from the SecOps-NG Digital Commons: the F-G02 outbound cross-standard mappings overlay lane lands eleven further SKELETON overlays across phishing_triage, data_exfil, cloud_misconfiguration, post_incident_review, codebase_vuln_management, iam_auditor, on_call_rotation, onboarding_offboarding_tracker, detection_engineering, infra_posture_management, and contractual_obligations_tracker; the catalogue now reads fifteen of fifteen workflow rows each carrying a mappings.yaml outbound overlay cross-linking OSCAL controls, D3FEND techniques, OCSF event classes, and the EU regulatory surfaces (NIS2 / DORA / CRA / GDPR); the SKELETON pass on the lane closes out on this wave and the next pass opens on the EXTEND surface and the sovereignty-lane fan-out.
-
Field note #68 — F-G02 outbound mappings overlay wave closes: every shipped playbook now carries a validated mappings.yaml, with a CI completeness guard standing behind it
Sixty-eighth field note from the SecOps-NG Digital Commons: the F-G02 outbound cross-standard mappings overlay wave closes on the framework with the executive_metrics and it_security_support_agent overlays landing, taking the shipped catalogue to every finalized playbook carrying a validated mappings.yaml outbound overlay; a new completeness CI guard fails the build if any finalized playbook lands without one; the SKELETON breadth pass on the lane is closed, the EXTEND depth pass and the inbound-closure work open as the next passes.
-
Field note #69 — F-MAP-CRA mapping-closure wave lands and the orphan-CI assertion generalises across CRA, NIS2, and DORA (standards coverage is now enforced, not aspirational)
Sixty-ninth field note from the SecOps-NG Digital Commons: the F-MAP-CRA mapping-closure wave lands on the framework — every finalized playbook now carries Cyber Resilience Act per-clause mappings, the orphan-CI assertion that started life on the CRA mapping tree is now generalised across CRA, NIS2, and DORA, and the F-G02 inbound-closure work begins to fill the DORA Article 6 and Article 9 gaps named in field note #68.
-
Field note #63 — F-WF-10 contractual-obligations tracker flips to Shipped across all three reference compile targets, pinning the contract-time surface of NIS2 Article 21(2)(d)
Sixty-third field note from the SecOps-NG Digital Commons: F-WF-10 lands the contractual-obligations tracker — supplier-contract obligation extraction, per-obligation review-schedule derivation, and a portable obligation-evidence artifact — at SKELETON, with per-target adapters and byte-parity goldens for n8n, Temporal, and LangGraph at CORE, and a ROADMAP flip to Shipped plus cookbook walkthrough at EXTEND closeout. The catalogue now carries both surfaces of NIS2 Article 21(2)(d) supply-chain security: the execution-time surface (F-CP-03) and the contract-time surface (F-WF-10), keyed distinctly and reconciled on the same supplier ref.
-
Field note #64 — F-WF-11 on-boarding/off-boarding tracker lands three-target CORE plus joiner/leaver KRIs, F-WF-12 IT-and-security support agent opens with SKELETON and n8n CORE on the F-CP-02 incidents stream
Sixty-fourth field note from the SecOps-NG Digital Commons: F-WF-11 on-boarding/off-boarding tracker closes its three-target CORE-FANOUT wave with byte-parity goldens on n8n, Temporal, and LangGraph and lands two joiner/leaver KRI catalogue entries on the access-evidence stream; F-WF-12 IT-and-security support agent opens with a SKELETON carrying an explicit human-handoff step plus a GDPR ROPA, and lands the n8n CORE-FANOUT (primitives, wire-up, byte-parity golden) — reusing the F-CP-02 incidents stream for the interaction-evidence artifact. ROADMAP closeouts pending on both rows.
-
Field note #65 — F-WF-12 IT-and-security support agent flips to Shipped with three-target parity, F-WF-11 on-boarding/off-boarding tracker closes out, and F-SV-02 eIDAS 2.0 wallet attestation pattern opens on the sovereignty lane
Sixty-fifth field note from the SecOps-NG Digital Commons: F-WF-12 IT-and-security support agent lands its Temporal and LangGraph CORE-FANOUT siblings with byte-parity goldens, flips ROADMAP to Shipped, and reconciles worked-example READMEs (NIS2 Art.21(2)(b)); F-WF-11 on-boarding/off-boarding tracker EXTEND-closeout flips Proposed→Shipped and lands a cookbook entry (NIS2 Art.21(2)(i)); F-SV-02 eIDAS 2.0 wallet integration pattern opens on the sovereignty lane with a SKELETON typed input model for the EU Digital Identity Wallet attestation, plus n8n and Temporal CORE-FANOUT — LangGraph target still ahead, so the row is opening, not Shipped.
-
Field note #58 — detection-engineering ships across three targets with byte-parity goldens, and iam-auditor opens its SKELETON
Fifty-eighth field note from the SecOps-NG Digital Commons: F-WF-04 detection-engineering closes a full three-target CORE wave (n8n + Temporal + LangGraph rule-lifecycle + per-rule effectiveness snapshots) with EXTEND-goldens locking byte-parity, and F-WF-08 iam-auditor opens a capability-inventory SKELETON next to its GDPR data-flow doc.
-
Field note #59 — the lawful-basis guard covers all seven GDPR sections, and codebase-vuln-management closes its three-target CORE wave across n8n, Temporal, and LangGraph
Fifty-ninth field note from the SecOps-NG Digital Commons: F-GD-02 EXTEND closes the lawful-basis guard against the full seven-section GDPR data-flow template with a drift check, and F-WF-07 codebase-vuln-management closes its three-target CORE wave across n8n, Temporal, and LangGraph with byte-parity goldens on every target and one shared disclosure-timeline emitter producing byte-identical evidence records.
-
Field note #60 — codebase-vuln-management and iam-auditor both flip to Shipped, and the NIS2 Article 21 control-family row fills out across access-control and human-resources-security
Sixtieth field note from the SecOps-NG Digital Commons: F-WF-07 codebase-vuln-management flips to Shipped on the ROADMAP, F-WF-08 iam-auditor closes its three-target CORE wave and flips to Shipped, and the NIS2 Article 21(2) control-family row now reads end-to-end across risk management and business continuity, incident handling, vulnerability handling and disclosure, and access-control and human-resources-security — with F-WF-06 infrastructure-posture opening its SKELETON behind the closed waves.
-
Field note #61 — infrastructure-posture management closes its three-target CORE wave and flips to Shipped, reading the continuous variant of the posture-audit lane against NIS2 Article 21(2)(a)
Sixty-first field note from the SecOps-NG Digital Commons: F-WF-06 infrastructure-posture management closes its CORE wave across n8n, Temporal, and LangGraph behind a single canonical playbook, lands the posture-evidence schema and three byte-parity goldens, gets its cookbook walkthrough, and flips on the ROADMAP — reading as the scheduled re-execution variant of the F-WF-02 posture-audit lane and filling the continuous-posture column of NIS2 Article 21(2)(a).
-
Field note #62 — F-SV-03 DORA Article 19 technical-incident report variant flips to Shipped across all three reference compile targets, with byte-parity goldens pinning the four-milestone reporting chain
Sixty-second field note from the SecOps-NG Digital Commons: F-SV-03 lands the DORA Article 19(4) technical-incident report variant — schema + field-derivation mapping at SKELETON, shared emitter + per-target adapters for n8n, Temporal, and LangGraph at CORE, and a ROADMAP flip to Shipped with cookbook walkthrough at CLOSEOUT. Twelve worked report artifacts (four milestones × three targets) replay byte-identically across targets per variant, with the Article 19 reporting-chain invariant pinned at the emitter.
-
Field note #55 — F-WF-09 auditor-bundle graduates from SKELETON to a three-target CORE-FANOUT with vuln-intake and incident-management worked examples, F-CP-07 wires its Temporal access emitter into the incident-management bundle write-path with an EXTEND-drift SKELETON behind it, and F-CP-06 effectiveness evidence stream opens with the full SCHEMA → CORE-FANOUT → per-target byte-parity goldens sequence and a NIS2 Art. 21(2)(f) mapping stub
Fifty-fifth field note from the SecOps-NG Digital Commons: two composing lanes from the 2026-06-17/18 wave. F-WF-09 compliance-evidence auditor-bundle graduates from the SKELETON the last note read into a three-target CORE-FANOUT — the collector fans out to n8n, Temporal, and LangGraph — with two worked examples behind it (vuln-intake across all three targets, and incident-management with a byte-parity golden). The F-CP-07 access stream lands a SKELETON wiring its Temporal access emitter into the incident-management bundle write-path, with an EXTEND-drift SKELETON queued behind it. And the F-CP-06 effectiveness evidence stream opens its lane with the same SCHEMA → CORE-FANOUT → per-target byte-parity goldens sequence every other continuous-posture stream has carried, plus a NIS2 Art. 21(2)(f) mapping stub — joining incidents, supply-chain, crypto-attestation, and access on the continuous-posture row.
-
Field note #56 — F-CP-06 effectiveness, F-CP-07 access, F-WF-09 auditor-bundle, and F-GD-01 GDPR data-flow all flip to Shipped: the seven-stream compliance-evidence model closes
Fifty-sixth field note from the SecOps-NG Digital Commons: a milestone-closeout wave. Four ROADMAP entries flip to Shipped in one window — F-CP-06 (effectiveness evidence), F-CP-07 (access evidence), F-WF-09 (auditor-bundle workflow), and F-GD-01 (GDPR data-flow / ROPA adoption per cookbook workflow). The seven-stream compliance-evidence model (F-CP-01..F-CP-07) is now complete on the catalogue, the auditor-bundle workflow that consumes those seven streams is shipped, and the GDPR data-flow lane covers the full reference cookbook set.
-
Field note #57 — codebase-vuln-management completes a three-target CORE wave, and detection-engineering opens its SKELETON
Fifty-seventh field note from the SecOps-NG Digital Commons: F-WF-07 codebase-vuln-management lands a SKELETON plus a full three-target CORE fan-out for the disclosure-timeline emitter (n8n + Temporal + LangGraph), and F-WF-04 detection-engineering opens its rule-lifecycle SKELETON next to a per-rule-version effectiveness-snapshot schema stub.
-
Field note #54 — F-CP-07 access evidence stream opens with a three-target wave (SCHEMA → CORE-FANOUT → per-target byte-parity goldens), F-GD-01 GDPR data-flow closes out across the full reference workflow set with the final three ROPA entries landing, the F-GD-02 lawful-basis CI guard lands as a SKELETON behind it, and F-WF-09 stands up the auditor-bundle compliance evidence collection scaffold
Fifty-fourth field note from the SecOps-NG Digital Commons: F-CP-07 access evidence stream opens its lane with the same three-target shape every other continuous-posture stream has carried — a pinned SCHEMA plus a Temporal EMITTER SKELETON, then a CORE-FANOUT into n8n and LangGraph, then per-target byte-parity replay goldens locking the on-disk shape across all three compile targets. Alongside the new lane, F-GD-01 GDPR data-flow closes out across the full reference workflow catalogue with the final three Art. 30 ROPA entries landing for the data-exfil, on-call-rotation, post-incident-review, and executive-metrics workflows. F-GD-02 lands a SKELETON CI guard for lawful-basis sections behind the F-GD-01 lane. F-WF-09 opens an auditor-bundle compliance evidence collection scaffold — manifest schema plus collector skeleton — that the framework can grow into a portable hand-off shape for an external auditor.
-
Field note #53 — F-GD-01 GDPR data-flow ROPA mapping wave lands on `main`, a canonical seven-section template plus per-workflow data-flow docs for eight reference cookbook workflows, every entry pinning purpose / lawful basis / categories / recipients / retention / cross-border / data-subject rights against GDPR Art. 5(1)(b), Art. 6(1) and Art. 30 on the same framework-agnostic substrate
Fifty-third field note from the SecOps-NG Digital Commons: the F-GD-01 GDPR data-flow documentation wave — a canonical seven-section template under `content/mappings/gdpr/` plus populated per-workflow data-flow docs for the bulk of the reference cookbook catalogue — lands on framework `main`. Each per-workflow entry names the specific operational purpose under Art. 5(1)(b), the lawful basis under Art. 6(1), the categories of data subjects and personal data under Art. 30(1)(c), the recipients under Art. 30(1)(d), the retention rule under Art. 5(1)(e), the cross-border posture, and the data-subject rights surface — giving an operator a portable starting point for their own Art. 30 record of processing without having to invent the shape from scratch.
-
Field note #51 — F-CP-05 crypto-attestation evidence stream reads Shipped on ROADMAP, fourth continuous-posture lane lit up end-to-end with NIS2 Article 21(2)(h) on the cryptographic and secret-management baseline, and the project-side env-only-injection commitment pinned at the schema layer across all three reference compile targets
Fifty-first field note from the SecOps-NG Digital Commons: the F-CP-05 crypto-attestation evidence stream — opened a handful of beats ago at SCHEMA and at EMITTER SKELETON, fanned out across n8n and LangGraph and Temporal in the three-target CORE wave that field note #50 read, and closed on EXTEND-tests-goldens across the n8n and LangGraph surfaces in the same wave — closes its Temporal-side byte-parity golden and flips Proposed → Shipped on ROADMAP. Four of seven continuous-posture slots now read Shipped end-to-end on the same framework-agnostic substrate, against four distinct NIS2 clauses, with the env-only-injection assertion pinned once at the schema layer and inherited unchanged by every reference compile target.
-
Field note #52 — F-CP-03 supply-chain evidence stream reads Shipped on ROADMAP, fifth continuous-posture lane lit up end-to-end against NIS2 Article 22 on supply-chain risk management, all five three-target CORE waves now closed with byte-parity goldens on the same framework-agnostic substrate, and a drift-detection SKELETON visible behind the same baseline
Fifty-second field note from the SecOps-NG Digital Commons: the F-CP-03 supply-chain evidence stream — opened a wave ago at SCHEMA with the NIS2 Article 22 mapping pinned at the typed-record layer, fanned out across n8n and Temporal and LangGraph in the three-target CORE-FANOUT wave, closed on per-target byte-parity goldens, and stood up a drift-detection SKELETON on the same lane — flips Proposed → Shipped on ROADMAP. Five of seven continuous-posture slots now read Shipped end-to-end on the same substrate, against five distinct regulatory anchors, and every three-target CORE wave on the continuous-posture side now sits closed with byte-parity goldens locking on-disk shape against checked-in canonical emissions on every push.
-
Field note #47 — F-CP-02 incidents evidence stream reads Shipped on ROADMAP, third continuous-posture lane lit up end-to-end with NIS2 Art. 23(4) three-milestone notification timeline tied at clause granularity
Forty-seventh field note from the SecOps-NG Digital Commons: the F-CP-02 incidents evidence stream — the third continuous-posture lane in the catalogue — flips Proposed → Shipped on ROADMAP. The closeout wave field note #46 read in (CORE-FANOUT across all three reference compile targets) now sits closed by per-target byte-parity goldens and a NIS2 Article 23(4) three-milestone narrative — early-warning at 24 hours, incident notification at 72 hours, and final report at one month — tied to the schema at clause granularity. Three of seven continuous-posture slots read Shipped end-to-end on the same substrate, against three distinct regulatory surfaces.
-
Field note #48 — F-CP-03 supply-chain evidence stream lands its three-target CORE-FANOUT wave, with the LangGraph mirror closing the n8n + Temporal parity grid and a worked example exercising the sovereignty band on a 1× EU-sovereign data feed + 1× non-EU AI provider call
Forty-eighth field note from the SecOps-NG Digital Commons: F-CP-03 — the supply-chain evidence stream — lands a full three-target CORE-FANOUT wave on the framework repo in a single hour. The lane opens with a SKELETON carrying the schema narrative, the cross-stream root, and an NIS2 Article 22 mapping stub; promotes the typed supply-chain evidence-record schema with Article 21(2)(d) tightening; lands the framework-agnostic shared emitter helper; and fans the emitter out across n8n, Temporal, and LangGraph against the same shared helper. A LangGraph worked example on vuln-intake exercises the sovereignty-band stamp on a concrete external-call surface: one EU-sovereign data feed and one non-EU AI provider call, both classified per emission. The third continuous-posture lane to reach three-target parity at the emitter layer, against a different surface of NIS2 — the supply-chain risk-management baseline and the Union-level coordinated-assessment overlay.
-
Field note #49 — F-CP-03 supply-chain stream closes its EXTEND-tests-goldens beat behind the three-target wave, and the F-CP-05 crypto-attestation evidence stream opens with a typed schema and a Temporal-side emitter pinning env-only secret injection at the boundary
Forty-ninth field note from the SecOps-NG Digital Commons: the closeout tail behind field note #48 — F-CP-03's per-target byte-parity goldens land alongside a ROADMAP status note recording CORE-FANOUT done across n8n, Temporal, and LangGraph — and the F-CP-05 crypto-attestation evidence stream opens against NIS2 Article 21(2)(h) with a typed schema and a Temporal-side EMITTER SKELETON. The schema and emitter both pin Core Directive #6 mechanically: no secret material in compiled code, every secret injected by the runtime environment, env-vars captured by name only and never by value.
-
Field note #50 — F-CP-05 crypto-attestation evidence stream closes its three-target CORE wave with the n8n, LangGraph, and Temporal emitters all on `main`, and per-target byte-parity goldens lock the on-disk shape across two of the three targets behind the wave
Fiftieth field note from the SecOps-NG Digital Commons: the F-CP-05 crypto-attestation evidence stream — opened a beat ago against NIS2 Article 21(2)(h) with a typed schema and a Temporal-side emitter skeleton — fans its emitter out across n8n and LangGraph, lands a Temporal worked example on the vuln-intake playbook, and closes its EXTEND-tests-goldens beat on the n8n and LangGraph targets with checked-in fixtures pinning byte-parity at the on-disk record. Five continuous-posture evidence streams now read off `main`. The env-only secret-injection discipline that Core Directive #6 names — and that NIS2 Article 21(2)(h) reads against — is pinned at the schema layer and enforced at every emitter boundary, not bolted on per target.
-
Field note #41 — F-CP-01 risk-analysis evidence stream reads Shipped on ROADMAP, with NIS2 Art. 21(2)(a) tied to the schema at clause granularity
Forty-first field note from the SecOps-NG Digital Commons: the F-CP-01 risk-analysis evidence stream — the first continuous-posture lane in the catalogue — flips In Progress → Shipped on ROADMAP. The closeout wave layers a NIS2 Article 21(2)(a) mapping document onto the schema at clause granularity, then turns the ROADMAP marker over. The lane now reads end-to-end: typed schema, stream root, emitter skeleton, core fanout across n8n + Temporal + LangGraph, per-target byte-parity goldens, drift-detection hook surface at SKELETON, and a regulator-traceable mapping pointing back to the schema.
-
Field note #42 — F-CP-04 opens the second evidence stream: a typed vulnerabilities evidence-artifact schema with enum/cadence promotions, and a Temporal emitter skeleton wrapping the vulnerability-triage write-path
Forty-second field note from the SecOps-NG Digital Commons: F-CP-04 vulnerabilities — the second continuous-posture evidence stream on the catalogue — opens against the substrate F-CP-01 risk-analysis just closed on. A typed vulnerabilities evidence-artifact schema lands under content/evidence/vulns/ with enum and cadence promotions, and a Temporal emitter SKELETON wraps the vulnerability-triage write-path so a F-WF-01 pass writes a typed vulnerabilities evidence record on the same shape the audit-mirror already reads against.
-
Field note #43 — F-CP-04 vulnerabilities evidence stream wave: CORE-FANOUT lands on n8n + LangGraph, per-target byte-parity goldens pin all three reference compile targets, and a NIS2 Article 21(2)(e) mapping ties the schema to obligation surface at clause granularity
Forty-third field note from the SecOps-NG Digital Commons: the F-CP-04 vulnerabilities evidence stream walks the same closeout shape F-CP-01 risk-analysis closed on. CORE-FANOUT fans the emitter out from the Temporal SKELETON onto n8n and LangGraph against the shared framework-agnostic helper. EXTEND-tests-goldens pins per-target byte-parity against checked-in fixtures across all three reference compile targets. EXTEND-NIS2-MAPPING ties the vulnerabilities schema to NIS2 Article 21(2)(e) at clause granularity. The lane is in closeout — the ROADMAP Shipped flip rides its own sibling beat.
-
Field note #44 — F-CP-04 vulnerabilities evidence stream reads Shipped on ROADMAP, second continuous-posture lane lit up end-to-end with NIS2 Art. 21(2)(e) tied at clause granularity
Forty-fourth field note from the SecOps-NG Digital Commons: the F-CP-04 vulnerabilities evidence stream — the second continuous-posture lane in the catalogue — flips In Progress → Shipped on ROADMAP. The closeout floor field note #43 read in (CORE-FANOUT across all three reference compile targets, per-target byte-parity goldens, NIS2 Article 21(2)(e) mapping at clause granularity) now sits underneath a green ROADMAP marker. Two of seven continuous-posture slots read Shipped end-to-end on the same substrate, against two distinct Article 21(2) clauses.
-
Field note #45 — F-CP-02 opens the third evidence stream: a typed incidents evidence-artifact schema with the NIS2 Article 23(4) three-milestone vocabulary promoted, and a Temporal emitter skeleton wrapping the incident-management write-path
Forty-fifth field note from the SecOps-NG Digital Commons: F-CP-02 incidents — the third continuous-posture evidence stream on the catalogue — opens against the same substrate F-CP-01 risk-analysis and F-CP-04 vulnerabilities already compose onto. A typed incidents evidence-artifact schema lands under content/evidence/incidents/ with the NIS2 Article 23(4) three-milestone vocabulary promoted into the shared helper, and a Temporal emitter SKELETON wraps the incident-management write-path so a F-WF-05 pass writes a typed incidents evidence record on the same shape the audit-mirror already reads against.
-
Field note #46 — F-CP-02 CORE-FANOUT fans the incidents evidence emitter out to n8n and LangGraph, and the first external community contribution lands a CRA Article 13(8) support-period mapping entry
Forty-sixth field note from the SecOps-NG Digital Commons: two moves on the framework repo, read together because the second is the one the Digital Commons posture was built to see. F-CP-02 CORE-FANOUT lands the incidents evidence emitter on n8n and LangGraph on top of the Temporal SKELETON shipped on the lane opening, closing the three-target parity beat for the incidents stream's SKELETON layer. Alongside it, the first external code-level contribution into the public framework repo merges on the content side: a CRA Article 13(8) support-period mapping entry from a contributor walking in through the public lane.
-
Field note #38 — F-WF-05 incident management is Shipped: the third workflow lane lands across n8n, Temporal, and LangGraph against the same EXTEND-tests parity bar, with a cookbook page on top that walks the worked example end to end against NIS2 Article 23
Thirty-eighth field note from the SecOps-NG Digital Commons: F-WF-05 incident management flips In Progress → Shipped on the roadmap. The third workflow lane reads end to end against all three reference compile targets (n8n + Temporal + LangGraph) on top of shared primitives — typed stage clocks against NIS2 Article 23, significance and cross-border classification policy, regulator-submission contract, F-PT-02 timeline binding, DSPy signature confined to narrative-only fields — with a happy-path cross-target golden replay and a deterministic same-target replay under CI on each target, and a cookbook walkthrough that takes an operator from a typed incident signal to a closed regulator-shaped artefact on whichever of the three reference targets they already run. F-WF-01, F-WF-03, and F-WF-05 now all read Shipped against the same shape — three regulatory anchors, three shared primitives surfaces, three sets of CI contracts, three cookbook pages.
-
Field note #39 — F-CP-01 CORE-FANOUT: the risk-analysis evidence emitter fans out to n8n and LangGraph, closing emitter parity across all three reference compile targets at SKELETON/CORE
Thirty-ninth field note from the SecOps-NG Digital Commons: F-CP-01 CORE-FANOUT lands the risk-analysis evidence emitter on the two remaining reference compile targets — n8n and LangGraph — on top of the Temporal SKELETON shipped earlier in the lane opening. The framework-agnostic emitter helper sits under compilers/_shared/evidence/, the three target adapters are glue only, and a CORE-FANOUT parity test pins all three writing byte-identical JSON for the same context. The first continuous-posture evidence stream is now end-to-end runnable on whichever of the three reference targets an operator already runs.
-
Field note #40 — F-CP-01 closeout wave: per-target byte-parity goldens land for the risk-analysis evidence emitter, and a drift-detection hook surface opens at SKELETON across n8n, Temporal, and LangGraph
Fortieth field note from the SecOps-NG Digital Commons: the F-CP-01 risk-analysis evidence stream picks up its EXTEND-tests-goldens beat and a drift-detection hook SKELETON. Per-target byte-parity goldens against checked-in fixtures now sit under CI on each of n8n, Temporal, and LangGraph, complementing the cross-target parity pin field note #39 read in. A small, interface-only drift hook surface opens on the shared emitter so successive emissions on the same control can surface a structured drift event when attestation_state advances between cadence walks — noop default wired by every target, alerting and KRI promotion deferred to their own sibling beats.
-
Field note #34 — F-CP-01 opens the first evidence stream: a typed risk-analysis evidence-artifact schema, a cross-stream evidence index, and a workflow emitter skeleton that writes records the schema reads
Thirty-fourth field note from the SecOps-NG Digital Commons: F-CP-01 continuous-posture lane opens its first evidence stream across three landed PRs on the framework repo. A typed risk-analysis evidence-artifact schema with enum and cadence promotions sits under content, a cross-stream content/evidence/ README indexes CP-01..CP-07 with a contributor checklist, and a workflow emitter skeleton writes risk-analysis evidence-artifact records that conform to the schema through a Temporal wrapper. The bridge from playbook execution to continuous-posture artefacts the audit lane will consume downstream is now open as a substrate.
-
Field note #35 — F-WF-05 incident management binds its primitives contract and wires it into the n8n target: typed stage clocks, a significance and cross-border policy, a regulator-submission contract, an F-PT-02 binding, and a DSPy signature, all rendered through the n8n SKELETON as the first of three wirings
Thirty-fifth field note from the SecOps-NG Digital Commons: F-WF-05 incident management lands its CORE-PRIM primitives contract on main and wires that contract into the n8n reference compile target. The primitives carry typed stage clocks against the NIS2 Article 23 timeline, a significance and cross-border policy, a regulator-submission contract, an F-PT-02 binding, and a DSPy signature. The n8n SKELETON is the first of three wirings; Temporal and LangGraph follow.
-
Field note #36 — F-WF-05 incident management closes the CORE-WIRE wave across all three reference targets: the n8n, Temporal, and LangGraph SKELETONs are now each bound to the shared primitives contract through their own CORE-WIRE cell, with the typed stage clocks, the significance and cross-border policy, the regulator-submission contract, the F-PT-02 binding, and the DSPy signature rendered end to end in every compile target
Thirty-sixth field note from the SecOps-NG Digital Commons: F-WF-05 incident management closes its CORE-WIRE composition wave. The CORE-PRIM primitives contract (PR #258) now binds through CORE-WIRE-N8N (PR #259), CORE-WIRE-TEMPORAL (PR #260), and CORE-WIRE-LANGGRAPH (PR #261). The same typed stage clocks against NIS2 Article 23, the significance and cross-border policy, the regulator-submission contract, the F-PT-02 binding, and the DSPy signature now render through each of the three reference compile targets. The worked examples sit at SKELETON shape; the next wave is the EXTEND-tests triplet that brings runtime and replay coverage.
-
Field note #37 — F-WF-05 incident management closes its EXTEND-tests wave: a cross-target happy-path golden replay and a deterministic same-target replay now sit under CI across n8n, Temporal, and LangGraph, and the three reference workflows F-WF-01, F-WF-03, and F-WF-05 carry the same EXTEND-tests parity bar end to end
Thirty-seventh field note from the SecOps-NG Digital Commons: F-WF-05 incident management closes its EXTEND-tests wave. The happy-path golden replay across the three reference compile targets (PR #262) and the deterministic same-target replay across each one of them (PR #263) now sit under CI. The lane that field note #36 closed at CORE-WIRE shape across n8n, Temporal, and LangGraph now carries the same EXTEND-tests parity bar the F-WF-01 vuln-intake and F-WF-03 alert-triage lanes already carry — happy-path byte parity across the three targets, and deterministic replay on each one — read against the same CORE-PRIM contract field note #35 named.
-
Field note #33 — F-WF-05 incident management lands its SKELETON wave: a canonical CACAO source on the content side and worked-example skeletons across n8n, Temporal, and LangGraph, each guarded by a drift contract under CI
Thirty-third field note from the SecOps-NG Digital Commons: F-WF-05 incident management lands its SKELETON wave on main. A canonical CACAO source sits under content with a source-shape guard, and worked-example skeletons on n8n, Temporal, and LangGraph each render against the canonical source with a drift guard under CI. F-WF-05 is now the fourth workflow on the substrate with full three-target SKELETON parity, alongside F-WF-01 vuln intake, F-WF-03 alert triage, and the rest of the SKELETON set.
-
A Discord for practitioners building sovereign security operations — open, free, and yours to shape
A short note alongside the field cadence: the SecOps-NG commons is supporting a free public Discord for practitioners and operators working through NIS2, DORA, and CRA on EU-hostable stacks. Come trade playbooks, mappings, and field notes — link inside.
-
Field note #30 — F-WF-03 alert-triage CORE-WIRE wave reaches the midpoint with twelve of twenty-four CORE cells wired across n8n, Temporal, and LangGraph against the shared primitives package
Thirtieth field note from the SecOps-NG Digital Commons: the F-WF-03 alert-triage CORE-WIRE wave passes its midpoint on `main` — four of eight CORE action bodies are now bound to the shared primitives package across all three reference targets (twelve of twenty-four CORE cells green), with the n8n alert-triage README brought to OTel + AuditTrail mirror parity with vuln-intake, and ingest, suppress, prioritise, and suppress-close action bodies wired through validate_alert_payload, canonical_seen_key, the prioritisation policy, and the suppression-window primitive.
-
Field note #31 — F-WF-03 alert-triage CORE-WIRE wave clears its response-action stretch with p1 / p2 / p3 wired across n8n, Temporal, and LangGraph (twenty-one of twenty-four CORE cells green)
Thirty-first field note from the SecOps-NG Digital Commons: the F-WF-03 alert-triage CORE-WIRE wave moves from the midpoint to twenty-one of twenty-four CORE cells across n8n, Temporal, and LangGraph — the p1-severe, p2-high, and p3-routine response action bodies are now wired against sibling primitives on the shared package (escalation_route, notify_on_call, route_to_review_queue), with one response wire (p4) and the tests-happy / tests-suppress / tests-replay beats plus the cookbook walkthrough and the GDPR data-flow note still standing ahead of the F-WF-03 closeout.
-
Field note #32 — F-WF-03 alert triage is Shipped: the worked example reads end to end across n8n, Temporal, and LangGraph with byte-parity goldens, a same-target replay, a suppression-window dedup, and a cookbook page on top
Thirty-second field note from the SecOps-NG Digital Commons: F-WF-03 alert triage flips to Shipped on the roadmap. The worked example is now live across n8n, Temporal, and LangGraph with a happy-path golden replay, a deterministic same-target replay, and a suppression-window collision contract under CI; shared primitives — deterministic prioritisation policy, suppression-window helper, typed payload validators, and a DSPy signature confined to free-text fields — sit under content; and a cookbook walkthrough reads the playbook end to end. NIS2 Art. 21(2)(b) is the regulatory anchor the workflow names.
-
Field note #28 — the CACAO core_body mechanism is bound on real F-WF-01 vuln-intake content, deterministic same-target replay is under CI, and the operator cookbook walks the worked example end to end
Twenty-eighth field note from the SecOps-NG Digital Commons: the x_secops_ng.core_body schema bump that landed last wave is now bound on real F-WF-01 vuln-intake content across two of the seven CORE steps with all three worked examples regenerated against it, a deterministic same-target replay test puts the replay-determinism contract under CI, and a cookbook walkthrough plus a worked-example README polish give an operator a single page to read the vuln-intake playbook end to end.
-
Field note #29 — F-CR-04 OpenTelemetry instrumentation is fully shipped across the three reference compilers, and the F-WF-03 alert-triage lane opens with a gap inventory and a shared CORE-PRIM primitives package
Twenty-ninth field note from the SecOps-NG Digital Commons: the F-CR-04 OpenTelemetry-instrumentation feature flips to Shipped on the roadmap with the compiler-emitted audit-mirror and OTel emitter wave closed out across n8n, Temporal, and LangGraph, and the F-WF-03 alert-triage lane opens — a gap inventory lands against the workflow, the roadmap flips it to In Progress, and a shared CORE-PRIM primitives package (prioritisation policy, suppression-window helper with canonical seen-key, typed payload validators, a DSPy free-text signature) lands ahead of the cross-target wiring fan-out.
-
Field note #23 — the observability axis opens: F-CR-04 OTel emitter lands on the LangGraph target, SKELETON through CORE-A in one wave
Twenty-third field note from the SecOps-NG Digital Commons: the compiler-emitted OpenTelemetry scope reshaped in note #22 ships as code. Shared emitter helpers, LangGraph span-wrap, vuln-intake golden regenerated against the emitter, and observability + audit-trail assertions land across four PRs on framework main. Repo-flip blockers clear and the contributor guide is rewritten public-first alongside.
-
Field note #24 — alert-triage opens as the second worked-example axis, vuln-intake gains its CORE primitives, and an EU-resident LM guard lands at compile-time
Twenty-fourth field note from the SecOps-NG Digital Commons: a second worked-example axis opens with alert-triage SKELETON across all three compile targets, vuln-intake gains four reusable CORE primitives (dedup keys, DSPy free-text signatures, EPSS canonicalisation, CVSS v3.1 parsing), and a sovereignty guard refuses non-EU LM endpoints by default at compile-time.
-
Field note #25 — severity policy composes the vuln-intake primitives, EXTEND-config documents CACAO playbook variables, and the three-target parity matrix's golden refresh closes within a single cell of completion
Twenty-fifth field note from the SecOps-NG Digital Commons: the vuln-intake CORE primitives gain a fifth member — a severity-policy module that composes CVSS and EPSS into a single decision input — EXTEND-config documents the CACAO playbook_variables decision in operator-facing form, and the three-target parity matrix absorbs the OTel emitter wrap with sixteen goldens regenerated across Temporal and LangGraph.
-
Field note #26 — the LangGraph emitter wires audit-mirror end to end, the n8n worked example documents its per-action wiring contract, and the audit-trail story closes across all three reference compile targets
Twenty-sixth field note from the SecOps-NG Digital Commons: the F-CR-04 LangGraph emitter lands in three siblings — a shared CLI helper, the @tool emit path wired to AuditTrail.append, and a clean golden regeneration that drops every pending xfail marker — and the n8n vuln-intake worked example documents its per-action wiring against the primitives contract, closing the audit-mirror story across n8n, Temporal, and LangGraph.
-
Field note #27 — F-CR-04 audit-mirror reads closed across the three reference targets, the F-WF-01 vuln-intake primitives contract is fully landed on content, and a CACAO core_body schema bump lets the playbook step itself carry the primitive-binding contract
Twenty-seventh field note from the SecOps-NG Digital Commons: with the LangGraph emitter sibling split merged, the F-CR-04 audit-mirror seam now reads closed across all three reference compile targets; the F-WF-01 vuln-intake primitives contract — dedup, DSPy signatures, EPSS, CVSS v3.1, severity-policy — sits fully landed under content; and a content-model schema bump introduces x_secops_ng.core_body on CACAO playbook steps so the content artefact itself names the primitive an emitter binds against, ahead of the per-target CORE-MECH wave.
-
Open for contributors — the SecOps-NG Digital Commons is ready for first-time hands
An invitation to the wider community. The repositories are public, the governance documents are merged, the hygiene linter guards the public bar on every PR — and there is now a labelled lane of first contributions waiting to be picked up. This post explains what the project is, what has shipped, and how to land your first playbook, mapping, or example PR without having to read the whole codebase first.
-
Field note #22 — community substrate lands on framework, ROADMAP retires the F-CR-* runtime features the architecture no longer carries
Twenty-second field note from the SecOps-NG Digital Commons: the framework repo gains its public-contributor substrate (CONTRIBUTING, CODE_OF_CONDUCT, GOVERNANCE, SECURITY), and the ROADMAP retires the F-CR-01/02/03/05 runtime-layer feature definitions that the content-first refactor made obsolete. Two integrity beats — one forward, one tail — landing as one merge wave.
-
Field note #16 — OSCAL control-map axis comes online across NIS2, DORA, and CRA
Sixteenth field note from the SecOps-NG Digital Commons: three OSCAL component-definition SKELETONs land for NIS2, DORA, and CRA, and the NIS2 CORE expansion lands behind them. The catalogue now has a machine-readable bridge between EU regulation and the playbook + KPI substrate, with control IDs that resolve across content/controls/{nis2,dora,cra}/.
-
Field note #17 — DORA Art.5–14 lands as a SKELETON→CORE→EXTEND trio
Seventeenth field note from the SecOps-NG Digital Commons: the DORA leg of the OSCAL/D3FEND control-map axis closes through a three-PR triplet — SKELETON for Art.5–6, CORE for Art.7/8/10/11, EXTEND for Art.12/13/14 — recovering an oversized monolith into the same column shape NIS2 already walked.
-
Field note #18 — CRA Annex I §1 lands as CORE, closing the third column of the control-map triangle toward M0
Eighteenth field note from the SecOps-NG Digital Commons: the CRA leg of the OSCAL/D3FEND control-map axis reaches CORE — Annex I §1 essential cybersecurity (secure-by-design / secure-by-default) resolves behind the SKELETON, completing CORE coverage on every column of the NIS2 / DORA / CRA triangle and leaving one normalisation surface for downstream playbook authors.
-
Field note #19 — D3FEND × NIS2 crosswalk lands and the CRA column closes its manufacturer-obligations CORE
Nineteenth field note from the SecOps-NG Digital Commons: the D3FEND control-map scaffold goes live, the NIS2 crosswalk lands as a CORE artifact resolving every Art.21(2)(a)–(j) and Art.23(4) entry against real upstream controls, the CRA column closes its Art.13 manufacturer-obligations CORE alongside the Annex I §1 surface, and the DORA crosswalk reaches review — the regulatory axis is now read by defensive technique on every side it carries.
-
Field note #20 — the OSCAL trio closes its CORE on the canonical clauses, NIS2 takes the per-clause layout, and identity-compromise walks onto the canonical n8n shape
Twentieth field note from the SecOps-NG Digital Commons: the OSCAL component-definition CORE surface is now structurally complete across NIS2, DORA, and CRA on the canonical clauses — CRA closes Annex I §2 and Art.14, DORA closes Art.5 and Art.6 — the NIS2 mappings refactor to per-clause files for DORA-parity, and the identity-compromise n8n example moves onto the canonical four-file layout that the other reference playbooks already carry.
-
Field note #21 — the worked-example axis extends: post-incident-review and on-call-rotation walk onto three-target byte-parity
Twenty-first field note from the SecOps-NG Digital Commons: two further SKELETON three-target byte-parity goldens land on framework main — post-incident-review and on-call-rotation — extending the worked-example axis without touching the control-map triangle. Seven reference playbooks now carry the same red-test contract across n8n, Temporal, and LangGraph.
-
Field note #10 — executive-metrics ships and three more SKELETON cells fill in
Tenth field note from the SecOps-NG Digital Commons: the last playbook placeholder lands as a worked playbook, three more SKELETON cells fill in across temporal and langgraph, and per-action control_refs keep landing on the n8n CORE uplifts.
-
Field note #11 — the temporal column fills in
Eleventh field note from the SecOps-NG Digital Commons: three more SKELETON-temporal cells land in the same wave, bringing the temporal compile-target column to seven of ten canonical, all derived from the same CACAO sources.
-
Field note #12 — the temporal column closes, ten of ten
Twelfth field note from the SecOps-NG Digital Commons: the temporal compile target reaches SKELETON parity across all ten canonical playbooks, and the langgraph column widens with identity-compromise — operators can now compile the same CACAO source to n8n, Temporal, or LangGraph reference scaffolds across the full catalogue.
-
Field note #13 — the worked-example column gets byte-level guard rails
Thirteenth field note from the SecOps-NG Digital Commons: the three-target worked-example matrix now carries byte-parity golden tests across the column — n8n, Temporal, and LangGraph emits are pinned against their CACAO source so the examples cannot silently drift, and a new compile target can be added without fear of cracking the existing rows.
-
Field note #14 — the three-target parity axis closes across the reference playbook set
Fourteenth field note from the SecOps-NG Digital Commons: the M0 three-target parity axis — n8n, Temporal, LangGraph — is now closing across the reference playbook set. Worked examples are pinned byte-for-byte to their CACAO source, and the temporal canonical layout has been laid down across the remaining catalogue rows. Notes for practitioners deciding whether to commit to a single runtime.
-
Field note #15 — vuln-intake closes the byte-parity sweep across all five reference playbooks
Fifteenth field note from the SecOps-NG Digital Commons: vuln-intake gets its three-target byte-parity golden, closing the cross-target parity sweep across the five reference playbooks. The temporal canonical layout sweep is complete in the same wave. The M0 'five reference playbooks shipped end-to-end' checkbox now closes at the compile-parity axis.
-
Field note #7 — the n8n emitter learns to read CACAO, and the validation sweep catches up
Seventh field note from the SecOps-NG Digital Commons: the n8n compile target stops hand-waving on action-without-commands steps and starts deriving Set-node bodies from the portable CACAO source, then the ransomware-containment and identity-compromise references get re-validated against the uplift.
-
Field note #8 — the n8n compile target catches up to the reference set
Eighth field note from the SecOps-NG Digital Commons: with the Set-node emitter uplift in hand, the n8n column of the reference compile-target matrix gets filled in across cloud-misconfiguration, data-exfiltration, threat-intel-ingest, vuln-intake, post-incident-review, and on-call-rotation — cross-target parity for the launch playbook set is now substantively complete.
-
Field note #9 — phishing-triage reaches three-target SKELETON parity
Ninth field note from the SecOps-NG Digital Commons: phishing-triage — the canonical first reference playbook — now carries an honest SKELETON across all three M0 compile targets. One CACAO source, three runtime columns, the first reference playbook proving the framework-agnostic pattern compiles in practice.
-
Field note #3 — the content layer fills in: KPI catalog, three-target worked examples, regulatory overlay across the board
Third field note from the SecOps-NG Digital Commons: a KPI/KRI catalogue lands as the headline deliverable, six response playbooks ship worked examples across Temporal, n8n, and LangGraph, and the NIS2/DORA overlay now reaches every example in the catalogue.
-
Field note #4 — substrate hardening: control references resolve, drift is gated, vuln-intake reaches CORE
Fourth field note from the SecOps-NG Digital Commons: the OSCAL/D3FEND control cross-reference lands as a CI-gated index, and vuln-intake CACAO v2 graduates from SKELETON to CORE — the fourth of five reference playbooks now end-to-end.
-
Field note #5 — portable playbooks meet runtimes: vuln-intake on n8n and Temporal, phishing-triage wired to regulators and OCSF
Fifth field note from the SecOps-NG Digital Commons: the vuln-intake CACAO playbook now ships with two reference compile targets — n8n and Temporal — and phishing-triage on the substrate side picks up regulatory control references and OCSF v1.4.0 telemetry bindings.
-
The missing layer — why portable SecOps content needs a commons above the standards
SecOps-NG repositions: not a framework, not a runtime. A curated content + structure + metrics layer that sits above Sigma, CACAO, OSCAL, D3FEND, and OCSF — and compiles into the orchestrator each operator already runs.
-
Field note #2 — the workflow lanes settle, Posture Audit lands, vulnscan opens
Second field note from the SecOps-NG Digital Commons: a restructured workflow layout, the Posture Audit workflow complete in skeleton, a new vulnscan workstream, and a roadmap that now renders itself.
-
Shipping update — the commons starts to take shape
First field note from the SecOps-NG Digital Commons: the workflow skeleton, the evidence primitives, and the forward-public hygiene that keeps the work readable from day one.