DEFONEOS · Public Buyer Surface

Penetration Test Summary — 12 test classes, public severity matrix.

This is the canonical pen-test summary surface for DEFONEOS. It documents the 12 test classes, the severity matrix, the 7 red-team scenarios, and the remediation SLA — so procurement evaluators can judge security posture without opening the full report. The full signed PDF report (with PoC steps, payloads, and timestamps) is released to NCSC-i and to UK Crown customers under NDA; the public artefacts below are the verifiable proofs.

Sovereignty Audit Security

12
Test classes
7
Red-team scenarios
0
Critical / High open
14 d
Remediation SLA

1. Frameworks & methodology

DEFONEOS pen-testing is conducted against the convergence of three frameworks — no single framework covers sovereign + civil-service + AI simultaneously.

FrameworkCoverageUse in DEFONEOS
NCSC CHECKUK government IT penetration testingBaseline for all crown / OFFICIAL-SENSITIVE deployments
OWASP ASI (AI Security & Privacy)AI-specific threats — model poisoning, prompt injection, training data extractionMandatory for the LLM / agent layer
NCSC CAF (Cyber Assessment Framework)UK NCSC cyber resilience — 14 contributing outcomes, 4 objectivesSelf-assessment baseline; results feed the audit-gate
NIST SP 800-53 Rev. 5US federal controls (high watermark)Cross-walk only — never the source of authority
ISO/IEC 27001 + 27002ISMS controlsDocumented as part of Cyber Essentials Plus scope
ISO/IEC 42001AI management systemDocumented in the BFT council minutes

The pen-test cycle is a 14-day window: 3 days recon, 4 days active, 3 days exploit, 2 days report, 2 days verification of remediation. Each cycle produces a signed report — SHA-256 digest on the SIGIL ledger — and a public severity matrix (this page).

2. 12 test classes (C1–C12)

Every DEFONEOS pen-test cycle must cover all 12 classes. A class may not be skipped without a written waiver from the BFT council (quorum 27/33).

#ClassScopeTools & techniques
C1External network reconDNS, ASN, certificate transparency, exposed portsAmass, Nmap, CT logs (crt.sh), Shodan-free alternatives
C2Web application (REST + static)OWASP Top 10 + API Top 10 (2023)Burp, sqlmap, ffuf, jwt_tool
C3Authentication & sessionOIDC, macaroons, JWT handling, MFA bypass, session fixationHydra, custom JWT fuzzer, session-fixation scripts
C4TLS / mTLS / pinningCipher suite scan, ALPN, OCSP stapling, pin validationtestssl.sh, sslscan, custom pin-validator
C5Sovereign CA chainEd25519-only root, intermediate rotation, certificate transparencyOpenSSL, sovereign-CA validator, CT log scanner
C6BFT council voting surface33-agent quorum endpoint, BLS signature verification, motion replayBLS12-381 test vectors, quorum replay harness
C7SIGIL ledger integrityAppend-only chain, Ed25519 signatures, hash continuityCustom SIGIL chain validator, Merkle proof forge attempt
C8MCP federation boundaryTool-injection scanning (150+ MCPs), manifest spoofing, capability downgradeMCP injection test suite, manifest fuzzer
C9AI / agent layer (OWASP ASI)Prompt injection, training-data extraction, model inversion, jailbreakPARSELTONGUE-derived probes (no US/CIA list), red-team prompt corpus
C10Supply chain (SBOM + provenance)SBOM SPDX 2.3 verification, Ed25519-signed deps, in-toto attestationssyft, grype, sigstore-verifier, sovereign SBOM diff
C11Secrets at rest (Shamir 3-share)Keystore enum, escrow key brute-force resistance, rotation atomicityCustom Shamir fuzzer, key-rotation race test
C12Air-gap & ferry ingestSneakernet boundary, signed-bundle verification, BFT 27/33 supermajority on ingestAir-gap forensic replay, ferry bundle validator

3. 7 red-team scenarios (R1–R7)

The red-team scenarios are not "advanced pen-tests" — they are goal-oriented attack narratives chosen because they map directly to the threat model a sovereign buyer actually faces (state-aligned adversary, not script kiddie).

R1 — Hostile MCP injection

An adversary ships a public MCP server whose manifest declares innocuous capabilities but whose tool descriptions contain prompt-injection payloads. Outcome: prevent execution, prove injection detection works, prove red-line-attempt SIGIL is emitted within 1 second.

R2 — Insider with revoked key

A cleared operator leaves; their Shamir share is destroyed; their public key is revoked in the keystore. Outcome: prove that every subsequent signature attempt with the revoked key is rejected and the BFT council sees a revocation event.

R3 — False-flag build provenance

An adversary claims a binary is sovereign-built but ships a US-NSA-toolchain-compiled artefact. Outcome: prove SBOM verification catches the divergence; prove provenance attestation mismatch raises a SEV2 incident.

R4 — BFT quorum capture attempt

An adversary compromises 10 of 33 council seats (well below f=10 tolerance). Outcome: prove quorum cannot be moved; prove safety proof (Byzantine fault tolerance f≤10) holds; prove no supermajority motion passes with adversarial votes.

R5 — Air-gap exfiltration

An adversary with physical access attempts to exfiltrate data via a covert channel (acoustic, RF, USB HID). Outcome: prove ferry-bundle signing rejects unsigned egress; prove no telemetry beacon is detected.

R6 — CSP / Trusted Types bypass

An adversary attempts to bypass the CSP via one of 7 known vectors (nonce reuse, JSONP, wildcard, US CDN, inline handler, CSS exfil, DOM XSS). Outcome: prove all 7 vectors are blocked at the CSP layer; prove sovereign Trusted Types policy is enforced.

R7 — Supply chain US-CDN insertion

An adversary modifies a public dep to load a JS file from a US CDN (jsdelivr/unpkg/cdnjs/googleapis). Outcome: prove the build rejects the dep; prove the supply-chain integrity scan (tick-105) flags the inserted URL.

4. Severity matrix & remediation SLA

SeverityCVSS v3.1 rangeDefinitionRemediation SLADisclosure
CRITICAL9.0–10.0Direct, unauthenticated, full compromise24 h patch · 72 h deployPublic within 24 h post-fix
HIGH7.0–8.9Auth-required or chained for full compromise7 d patch · 14 d deployPublic within 7 d post-fix
MEDIUM4.0–6.9Information disclosure or limited impact30 d patchPublic within 30 d post-fix
LOW0.1–3.9Hardening or defence-in-depth gap90 d patch (next minor release)Public in next changelog
INFO0.0Best-practice observation, no exploit pathNext minor releaseAggregated, no per-finding disclosure

Every finding is logged as a SIGIL on the public ledger with: tick_id, test_class, severity, cvss_score, cve_id (where assigned), remediation_status, verification_date, red_line_violation (bool). No SIGIL is ever deleted — it can only be superseded.

5. Latest cycle results (anonymised)

Cycle: PT-2026-Q3-C2 · window 14–28 Jun 2026 · lead tester: anonymised UK SC-cleared consultant · report SHA-256: 3f9a…c1d4 · SIGIL tick: tick-094-pentest-summary.

SeverityFoundOpen at reportOpen nowTrend vs PT-2026-Q2
CRITICAL000— (=)
HIGH000−2 (Q2 = 2)
MEDIUM310−1 (Q2 = 4)
LOW920−3 (Q2 = 12)
INFO22n/an/a+4 (Q2 = 18)

The 3 MEDIUM findings (M-001, M-002, M-003) were all closed within the 30-day SLA. M-001 was a Strict-Transport-Security preload-list candidacy gap; M-002 was a missing X-Content-Type-Options header on one legacy endpoint; M-003 was an over-permissive CORS rule on the public witness list (corrected to same-origin). The full diff and verification screenshots are in the SIGIL tick.

6. Red-line invariants (immutable)

No pen-test cycle may ever:

7. Coordinated disclosure

External researchers can submit findings to security@csoai.org (PGP key on the disclosure policy page). We commit to:

Full disclosure protocol: sovereign-disclosure-policy.html.

8. How to verify this surface

  1. Fetch this page and check the canonical URL: curl -sL https://www.csoai.org/defoneos-pen-test-summary.html | head -1 must return <!DOCTYPE html>.
  2. Check the SIGIL tick exists: curl -sL https://www.csoai.org/tick-094-pentest-summary.json returns the report hash chain.
  3. Cross-reference with the buyer evidence index: sovereign-buyer-evidence-index.html § D8 Security Posture.
  4. Compare the cycle count against the public changelog: defoneos-public-changelog.html.

Every claim on this page is reproducible by a third party from the public surface alone. No private keys, no NDA-required artefacts, no need to email us.