Guide · Detection engineering

Our integrity contract

Why every Sigma rule on a13e.com carries provenance metadata, and how you can verify a rule actually matches what CloudSigma produces.

The contract

Every Sigma detection rule we publish on a13e.com is, today and on every future day, what CloudSigma actually produces when you give it the same input. If we publish a rule for CVE-X and you enter CVE-X into CloudSigma right now, you should get the same rule body back.

Two failure modes are unacceptable. Forward drift: we publish rule R, CloudSigma now emits R'. Reverse drift: we publish R-fake that CloudSigma never produced. Both are forms of lying to a security audience. We have built the system so that neither can happen silently.

Integrity levels

Every embedded rule shows its current integrity level on the page, next to the rule body.

L0 · Decorative
Rule body shown without any backing claim. We forbid this on a13e.com.
L1 · Manifest exists
The rule has a JSON manifest committed alongside the page. The manifest names the input that produced the rule, the CloudSigma generator + corpus version, and the SHA256 of the rule body. Anyone can fetch it, recompute the hash and confirm the body matches.
L2 · Signed
The manifest is DSSE-signed by CloudSigma's key. Tampering is detectable.
L3 · Round-trip verified
Every deploy, our build re-issues the recorded CloudSigma generation request and confirms the body still matches. Drift fails the build.
L4 · Continuously verified
Visitors can independently confirm a rule against CloudSigma's live verification mode via the Verify in CloudSigma button on every embedded rule.

Where we are

Today, every embedded rule is at L1 with the manifest committed and viewable. The Verify in CloudSigma deep-link is in place but the live verification mode on the CloudSigma side ships in our next phase. Until then, the button pre-fills the input so you can run the generation yourself and visually compare.

Production rules carry a green production badge: status stable in the CloudSigma corpus, level medium or higher, and they have passed the full Sigma validator pipeline plus Splunk backend conversion at build time.

Experimental rules carry an amber experimental badge with a tune-before-deploy callout. They are real CloudSigma output but the rule author has marked them experimental; you should review the falsepositives section against your environment before enabling.

Where no rule passes the bar, we do not embed a placeholder. We link out to CloudSigma instead.

Why we built this

Detection-engineering content has a specific hazard: the SigmaHQ rule format itself has no cryptographic provenance, no content hashing, no attestation. The author and date fields are descriptive, not verifiable. The rule marketplaces in the space (SOC Prime, Detection.fyi) ship rules with author attribution but no published round-trip verification protocol either.

Our integrity contract closes that gap for the rules we publish. The marketing position is plain: we do not ask to be trusted, we give you the means to verify.

If you find a drift between a rule we publish and what CloudSigma produces for the same input, that is a contract violation we want to know about. Email security@a13e.com or open an issue on the relevant CloudSigma rule. We will rotate the manifest, document the cause, and post-mortem in our quarterly transparency report.

← Back to Guides
Sources
  • SigmaHQ rule format, https://github.com/SigmaHQ/sigma
Last verified: 2026-04-24