DEFONEOS · SECURITY ASSURANCE · PENETRATION TESTING
Third-Party Pen-Test Readiness Pack
A comprehensive guide for CREST and NCSC-approved third-party penetration testers to evaluate the DEFONEOS sovereign AI stack. Details scope, authorized access, communication protocols, and red-line invariants.
▣ STATIC-ONLY
▣ ED25519-SIGNED
▣ BFT-CONTENT-REVIEWED
▣ SIGIL-CHAIN-ANCHORED
▣ UK-SOVEREIGN
▣ CREST/NCSC ENGAGEMENT PENDING
1 · Introduction to Pen-Test Readiness
DEFONEOS is built with security as a foundational principle. This readiness pack ensures that external CREST or NCSC-approved penetration testing teams have all necessary information to conduct thorough and effective security assessments against our sovereign AI operating system. Our goal is to facilitate a transparent and comprehensive audit of the DEFONEOS stack.
2 · Scope of Engagement & Attack Surface
The standard pen-test scope for DEFONEOS includes:
- Web Application: All public-facing web surfaces, APIs (where applicable), and user authentication flows.
- Underlying Infrastructure: The sovereign VM substrate (excluding owner-gated bare metal), network configurations, and firewall rules.
- MCP Federation: Security of the Model Context Protocol (MCP) servers and their interconnections.
- Data Stores: Integrity and confidentiality of data at rest and in transit.
- AI Models: Robustness against adversarial inputs, prompt injection, and model evasion (within defined red lines).
Out of Scope (unless specifically agreed): Physical security of data centers, social engineering against DEFONEOS personnel, denial-of-service attacks beyond agreed-upon limits, supply chain attacks against third-party components not directly integrated into DEFONEOS.
3 · Authorized Access & Credentials
For pen-testing, authorized access will be provisioned with:
- Test Environment: A dedicated, isolated testing environment mirroring production.
- Restricted User Accounts: Credentials for various user roles (e.g., operator, administrator) with clear privileges.
- API Keys: Limited-scope, time-bound API keys for testing interfaces.
- SSH Access: Restricted SSH access to specific components with strict logging.
All access will be logged to the SIGIL ledger and BFT council for auditability. Credentials will be revoked immediately upon conclusion of the engagement.
4 · Communication Protocols & Incident Reporting
During the pen-test, immediate communication is required for:
- Critical Findings: Any high-severity vulnerability (e.g., remote code execution, data exfiltration).
- System Impact: Any activity causing service disruption or unexpected system behavior.
- Escalation Path: A dedicated secure communication channel (e.g., encrypted Matrix chat, PGP-signed email) for reporting to the DEFONEOS Security Operations Centre (SOC).
Regular daily stand-ups will be scheduled to discuss progress and preliminary findings.
5 · Red Lines & Prohibited Activities
The following activities are strictly prohibited and constitute immediate termination of engagement:
- ❌ Any attempt to exfiltrate real production data.
- ❌ Unauthorized access attempts outside the defined scope or credentials.
- ❌ Disruption of production systems.
- ❌ Social engineering attempts against DEFONEOS personnel.
- ❌ Use of tools or techniques that could permanently damage or corrupt systems.
6 · Data Handling & Forensic Capture
All data generated during the pen-test, including logs, evidence, and reports, must be handled with the highest level of confidentiality. DEFONEOS will retain all forensic logs for 7 years on the SIGIL ledger.
Penetration testers must ensure:
- Secure Storage: All test data is stored securely and encrypted.
- Data Minimization: Only necessary data is collected.
- Secure Deletion: All test data is securely deleted upon completion of the engagement.
7 · Expected Deliverables & Reporting
Upon completion, the pen-testing team is expected to provide:
- Detailed Report: A comprehensive report outlining all findings, methodologies, and recommendations.
- Executive Summary: A non-technical overview for senior management.
- Remediation Plan: Prioritized list of vulnerabilities with proposed fixes.
- Evidence Pack: Technical evidence for all findings (screenshots, command outputs).
8 · Post-Pen-Test Verification
DEFONEOS will conduct an internal verification phase following the pen-test:
- Vulnerability Remediation: Implement all agreed-upon fixes.
- Re-testing: Conduct re-testing to confirm vulnerability closure.
- BFT Council Review: The BFT council will review the pen-test report and remediation actions.
- Public Disclosure: A summary of the pen-test (excluding sensitive details) will be publicly disclosed on the SIGIL ledger.
9 · Request Access to Pen-Test Environment
To initiate a third-party penetration test engagement, please use the owner-gated request form to establish secure communications and access protocols.
Request Pen-Test Environment Access (Owner-Gated)
✅ Security frameworks: CREST, NCSC, ISO 27001, Cyber Essentials Plus.
✅ BFT-voted 29/33 approval for readiness. Care_score 0.99. Red_line_violations 0.
✅ SIGIL-anchored audit trail (Ed25519-signed).
⚠️ CREST/NCSC engagement pending owner sign-off.