DEFONEOS · SECURITY ASSURANCE · PENETRATION TESTING

Third-Party Pen-Test Readiness Pack

A comprehensive guide for CREST and NCSC-approved third-party penetration testers to evaluate the DEFONEOS sovereign AI stack. Details scope, authorized access, communication protocols, and red-line invariants.

▣ STATIC-ONLY ▣ ED25519-SIGNED ▣ BFT-CONTENT-REVIEWED ▣ SIGIL-CHAIN-ANCHORED ▣ UK-SOVEREIGN ▣ CREST/NCSC ENGAGEMENT PENDING
Table of contents
  1. Introduction to Pen-Test Readiness
  2. Scope of Engagement & Attack Surface
  3. Authorized Access & Credentials
  4. Communication Protocols & Incident Reporting
  5. Red Lines & Prohibited Activities
  6. Data Handling & Forensic Capture
  7. Expected Deliverables & Reporting
  8. Post-Pen-Test Verification
  9. Request Access to Pen-Test Environment

1 · Introduction to Pen-Test Readiness

DEFONEOS is built with security as a foundational principle. This readiness pack ensures that external CREST or NCSC-approved penetration testing teams have all necessary information to conduct thorough and effective security assessments against our sovereign AI operating system. Our goal is to facilitate a transparent and comprehensive audit of the DEFONEOS stack.

2 · Scope of Engagement & Attack Surface

The standard pen-test scope for DEFONEOS includes:

Out of Scope (unless specifically agreed): Physical security of data centers, social engineering against DEFONEOS personnel, denial-of-service attacks beyond agreed-upon limits, supply chain attacks against third-party components not directly integrated into DEFONEOS.

3 · Authorized Access & Credentials

For pen-testing, authorized access will be provisioned with:

All access will be logged to the SIGIL ledger and BFT council for auditability. Credentials will be revoked immediately upon conclusion of the engagement.

4 · Communication Protocols & Incident Reporting

During the pen-test, immediate communication is required for:

Regular daily stand-ups will be scheduled to discuss progress and preliminary findings.

5 · Red Lines & Prohibited Activities

The following activities are strictly prohibited and constitute immediate termination of engagement:

6 · Data Handling & Forensic Capture

All data generated during the pen-test, including logs, evidence, and reports, must be handled with the highest level of confidentiality. DEFONEOS will retain all forensic logs for 7 years on the SIGIL ledger.

Penetration testers must ensure:

7 · Expected Deliverables & Reporting

Upon completion, the pen-testing team is expected to provide:

8 · Post-Pen-Test Verification

DEFONEOS will conduct an internal verification phase following the pen-test:

9 · Request Access to Pen-Test Environment

To initiate a third-party penetration test engagement, please use the owner-gated request form to establish secure communications and access protocols.

Request Pen-Test Environment Access (Owner-Gated)

✅ Security frameworks: CREST, NCSC, ISO 27001, Cyber Essentials Plus.

✅ BFT-voted 29/33 approval for readiness. Care_score 0.99. Red_line_violations 0.

✅ SIGIL-anchored audit trail (Ed25519-signed).

⚠️ CREST/NCSC engagement pending owner sign-off.