This is the stable entry point for reusable security detection, triage, and review patterns. Read these cards before browsing the larger source-note archive when you need a compact, evidence-bounded defensive workflow.
Current extraction metric: 8 stable reusable security patterns extracted from 10 distinct supporting notes.
| Pattern | Primary implementation |
|---|---|
| Parser uncertainty | LogLens |
| Authentication burst triage | LogLens |
| Multi-user probing | LogLens |
| Alert deduplication | telemetry-lab |
| Bounded correlation | telemetry-lab |
| Repository baseline governance | repo-sentinel-lite |
| SBOM policy warning | sbom-diff-and-risk |
| Human verification boundary | telemetry-lab |
These cards remain useful but are not part of the featured stable set:
- SSH brute-force triage
- Sudo burst review
- Cooldown suppression
- IAM policy attachment review
- SBOM dependency diff review
| Maturity | Meaning |
|---|---|
draft |
Useful hypothesis; evidence or implementation bridge is still incomplete. |
reviewed |
Structurally reviewed and supported, but not yet promoted as a stable library entry. |
stable |
Evidence-bounded, linked to a core implementation, and supported by at least one source note. |
Every card records maturity and last_reviewed in front matter. The review
date must be a valid current or historical date; future provenance claims fail
validation.
Every card uses the same body fields:
- Signal
- Why it matters
- False-positive contexts
- Evidence limits
- Defensive next step
- Related implementation
- Supporting notes
The evidence-limits field is the claim boundary: a card should guide an investigation without turning a weak signal into an unsupported conclusion.
python scripts/check_pattern_library.py verifies that:
- every card has valid maturity metadata and the fixed section order
- every stable card links to an approved core implementation
- every stable card links to at least one source note under
notes/orTryHackMe/ - the featured set contains between six and eight stable cards
- every configured flagship case study links back to at least one pattern
- the extraction metric matches the current stable-card provenance graph
| Pattern area | Related project |
|---|---|
| Parsing and authentication | LogLens |
| Detection and human review | telemetry-lab |
| Repository governance | repo-sentinel-lite |
| Supply-chain review | sbom-diff-and-risk |