16 KiB
16 KiB
Aegis — Feature Roadmap
Status: Phase 0 (Foundations) completed. Platform ready for new feature development.
Architecture: Clean Modular Monolith · 367+ tests · CI/CD · Zero tech debt
Vision
Aegis evolves in three stages:
- Operational Features (Phases 1-7) — Integrations, reporting, compliance, intelligence
- Detection Assurance Platform (Phases 8-14) — Every detection has lifecycle, ownership, measurable health, and the system proactively orchestrates revalidation
- Enterprise Readiness (Phase 14) — SSO/SAML and API keys for corporate deployment
Dependency Map
Phase 0 (DONE) ───────────────────────────────────────────────────
│ │
├──► Phase 1 (Jira + Tempo) │
│ │
├──► Phase 2 (Reporting) │
│ └──► Phase 6 (Analytics + Webhooks) │
│ └──► Phase 13 (Intelligent Alerts) │
│ ▲ │
├──► Phase 3 (Compliance) │
│ └──► Phase 7 (Multi-Channel Notifications) │
│ │
├──► Phase 4 (Intel Auto) │
│ └──► Phase 12 (Risk Intelligence) │
│ ▲ │
├──► Phase 5 (Advanced Operations) │
│ │
├──► Phase 8 (Detection Lifecycle) ──────────────────────── │
│ │ │
│ ├──► Phase 9 (Ownership & Daily Ops) │
│ │ ├──► Phase 10 (Attack Paths) │
│ │ └──► Phase 12 (Risk Intelligence) │
│ │ │
│ ├──► Phase 11 (Knowledge Management) │
│ │ │
│ └──► Phase 13 (Intelligent Alerts) │
│ │
└──► Phase 14 (Enterprise SSO + API Keys) │
Parallelism: Phases 1-7 and Phase 8 can run in parallel. Phases 9-13 are sequential on Phase 8. Phase 14 is independent.
Phase 1 — Jira + Tempo Integration
Dependencies: Phase 0 (done)
| Feature | Description | User Value |
|---|---|---|
| Jira Link Management | Associate any Aegis entity (test, technique, campaign) with a Jira ticket via bidirectional links | Traceability between security testing and project management |
| Jira Issue Search & Auto-creation | Search Jira from Aegis; auto-create tickets from tests/campaigns with pre-filled data | Eliminates context-switching and manual ticket creation |
| Jira Bidirectional Sync | Hourly background sync pulls Jira status/assignee/priority; push test results as Jira comments | Single pane of glass for both teams |
| Tempo Worklog Integration | Automatically log time to Tempo when tests complete, using Jira link | Accurate time tracking without manual entry |
| Internal Audited Worklogs | Immutable internal time registry with SHA256 integrity hash | Compliance-grade time audit trail |
| Frontend: Jira Panel + Worklog Timeline | React components for linking issues and viewing worklog history in detail views | Self-service Jira integration for all team members |
Phase 2 — Professional Reporting Engine
Dependencies: Phase 0 (done)
| Feature | Description | User Value |
|---|---|---|
| Report Template Engine | Jinja2-based HTML rendering with PDF (WeasyPrint) and DOCX (docxtpl) export | Professional branded reports for stakeholders |
| Purple Team Campaign Report | Executive summary, scope, techniques tested, critical findings, coverage evolution | Deliverable for management after every Purple Team exercise |
| Coverage & Executive Summary Reports | Coverage report, quarterly summary, technique detail — PDF/DOCX/HTML | Board-level reporting without spreadsheets |
| BI-Ready Analytics Endpoints | Flat JSON endpoints for coverage, tests, trends, operator metrics | Direct PowerBI/Tableau integration, zero ETL |
| Advanced Metrics | Coverage by tactic, never-tested techniques, avg validation time, detection trends | Operational KPIs for security leadership |
Phase 3 — Compliance & Security Hardening
Dependencies: Phase 0 (done)
| Feature | Description | User Value |
|---|---|---|
| Enhanced Audit Trail | IP address, user agent, SHA256 integrity hash, session ID on every audit entry | SOC2 / ISO 27001 audit compliance |
| Login Attempt Auditing | Record all login successes/failures with IP; constant-time comparison | Security monitoring and incident response |
| Password & Username Validation | Minimum 10 chars with complexity; reserved username blocking; character whitelist | Credential hardening |
| Extended Rate Limiting | Per-endpoint limits: sync 2/hr, writes 30/min, uploads 10/min, reports 5/min | DDoS and abuse protection |
| Data Classification & Retention | Labels (public/internal/sensitive/restricted) on tests, evidence, campaigns; automated retention | Data governance compliance |
Phase 4 — Automated Intelligence
Dependencies: Phase 0 (done)
| Feature | Description | User Value |
|---|---|---|
| OSINT Enrichment per Technique | Automatic CVE discovery via NVD API linked to ATT&CK techniques; weekly job | Proactive awareness of exploitable techniques |
| Stale Coverage Detection | Flag techniques with last validated test >12 months old; daily job | Prevents false sense of security from outdated validations |
Note: Stale detection is superseded by Phase 8's Decay Engine but serves as a functional stepping stone.
Phase 5 — Advanced Operational Management
Dependencies: Phase 0 (done)
| Feature | Description | User Value |
|---|---|---|
| Mature Composite Scoring | Recency decay factor (1.0 recent → 0.2 if >1yr); DB-persisted configurable weights | Scores reflect actual security posture, not just test count |
| Coverage Evolution & History | Enhanced snapshots with tactic breakdown, stale/never-tested counts; temporal comparison | Track security improvement over months/quarters |
Phase 6 — BI Analytics + Webhooks
Dependencies: Phase 2
| Feature | Description | User Value |
|---|---|---|
| Webhook System | Configurable outbound HTTP on events (test validated, campaign completed, MITRE sync) with HMAC signatures | Real-time integration with Slack, Teams, SOAR, SIEM |
| Webhook Management | CRUD for configs; failure tracking; auto-disable on repeated failures | Self-service integrations for ops team |
Phase 7 — Multi-Channel Notifications
Dependencies: Phase 3
| Feature | Description | User Value |
|---|---|---|
| Email Notifications | SMTP-based dispatch for critical events (test validated, campaign completed, new MITRE techniques) | Reach team members not actively in the platform |
| Per-User Notification Preferences | Configurable preferences per user: email on test validated, campaign completed, etc. | Users control their notification volume |
Phase 8 — Detection Lifecycle Management (DLM)
Dependencies: Phase 0 (done). Can run in parallel with Phases 1-7.
This is the transformational phase — Aegis evolves from MITRE tracker to Detection Assurance Platform.
| Feature | Description | User Value |
|---|---|---|
| Detection Assets | First-class entities for SIEM/EDR/Sigma/YARA/SPL/KQL rules with content hashing, version tracking, log source tracking | Every detection rule is a managed, versioned asset |
| Detection-Technique Mapping | N:M between detection assets and ATT&CK techniques with coverage type and confidence | Know exactly which detections cover which techniques |
| Detection Validations | Immutable records with expiry dates, environment snapshots, integrity hashes | Every detection has a "quality stamp" with an expiration date |
| Decay Engine | Configurable policies per platform/tactic; daily recalculation using recency, coverage, health, diversity factors | Automated detection of degrading security posture |
| Technique Confidence Scores | Composite 0-100 score with 4 factors and risk factor identification | Quantified confidence in detection capability per technique |
| Infrastructure Change Tracking | Log SIEM/EDR updates, parser changes, log source changes; auto-invalidate affected detections | No more silent detection failures after infrastructure changes |
| Configurable Decay Policies | Different decay rates for different platforms, asset types, or tactics | Policy flexibility for different risk appetites |
| DLM Dashboard | Health distribution, confidence distribution, expiring validations, infrastructure changes | Single-view detection health for CISO / SOC Manager |
Phase 9 — Ownership & Daily Operations
Dependencies: Phase 8
| Feature | Description | User Value |
|---|---|---|
| Technique & Detection Ownership | Owner, backup owner, and team on every technique and detection rule | Clear accountability for every detection gap |
| Bulk Ownership Assignment | Assign by tactic, platform, or team; orphan detection report | Quick onboarding of ownership model |
| Revalidation Queue | Auto-generated prioritized queue from expired validations, infra changes, OSINT, MITRE updates | Analysts know exactly what to work on each day |
| Analyst Dashboard | Personalized daily view: pending revalidations, expiring validations, active tests, infra changes | "My workday" in one API call |
Phase 10 — Attack Paths & Advanced Purple Team
Dependencies: Phases 8, 9
| Feature | Description | User Value |
|---|---|---|
| Attack Path Modeling | Chained attack scenarios (Initial Access → Execution → Persistence → Lateral Movement → Exfiltration) as first-class entities | Model realistic adversary behavior, not isolated techniques |
| Step-by-Step Execution | Execute attack paths step-by-step with detection tracking at each stage | Measure where in the kill chain detection fails |
| Collaborative Timeline | Real-time Red/Blue action recording with timestamps for MTTD/MTTR | Precise detection and response time measurement |
| Kill Chain Metrics | Auto-calculated detection rate, MTTD, furthest step reached without detection | Quantified Purple Team exercise results |
Phase 11 — Knowledge Management
Dependencies: Phase 8
| Feature | Description | User Value |
|---|---|---|
| Playbooks per Technique | Attack, detect, investigate, respond, hunt — Markdown, versioned, with tools and prerequisites | Institutional knowledge capture; onboarding accelerator |
| Lessons Learned | Immutable records linked to tests, campaigns, attack paths: what happened, root cause, fix | Continuous improvement loop |
Phase 12 — Risk Intelligence & Recommendations
Dependencies: Phases 4, 8, 9
| Feature | Description | User Value |
|---|---|---|
| Technique Risk Score | Multidimensional: exploitability, threat frequency, detection gap, staleness, tactic severity | Prioritize by actual risk, not just coverage status |
| Automated Recommendations | Prioritized actions: uncovered critical techniques, silent detections, orphan rules, tactic gaps | Intelligent prioritization out of the box |
Phase 13 — Intelligent Operational Alerts
Dependencies: Phases 6, 8, 9, 12
| Feature | Description | User Value |
|---|---|---|
| Rule-Based Operational Alerts | Configurable rules evaluated hourly; multi-channel dispatch (in-app, email, webhook) | Proactive detection of operational issues |
| Pre-configured Alert Rules | Stale critical techniques, EDR update pending revalidation, new uncovered MITRE techniques, coverage regression, validation expiry wave | Operational intelligence out of the box |
Phase 14 — Enterprise Readiness (SSO + API Keys)
Dependencies: Phase 0 (done)
| Feature | Description | User Value |
|---|---|---|
| API Key Management | Scoped API keys for BI tools, SOAR, scripts; SHA256-hashed; shown once on creation | Secure automated integrations without sharing user credentials |
| SSO / SAML 2.0 | Single Sign-On via SAML 2.0 with any IdP (Okta, Azure AD, etc.) | Enterprise authentication; eliminates password management |
Phase Summary
| Phase | Name | Dependencies |
|---|---|---|
| DONE | ||
| 1 | Jira + Tempo | Phase 0 |
| 2 | Professional Reporting | Phase 0 |
| 3 | Compliance & Security | Phase 0 |
| 4 | Automated Intelligence | Phase 0 |
| 5 | Advanced Operations | Phase 0 |
| 6 | Analytics + Webhooks | Phase 2 |
| 7 | Multi-Channel Notifications | Phase 3 |
| 8 | Detection Lifecycle (DLM) | Phase 0 |
| 9 | Ownership & Daily Ops | Phase 8 |
| 10 | Attack Paths & Purple Team | Phases 8, 9 |
| 11 | Knowledge Management | Phase 8 |
| 12 | Risk Intelligence | Phases 4, 8, 9 |
| 13 | Intelligent Alerts | Phases 6, 8, 9, 12 |
| 14 | Enterprise SSO + API Keys | Phase 0 |
Recommended Additional Features
| # | Feature | Rationale | Suggested Phase |
|---|---|---|---|
| A1 | Role-customizable dashboard | CISO sees executive metrics, Red Tech sees pending tests | Phase 5 |
| A2 | ATT&CK Navigator layer import/export | Teams already use Navigator externally | Phase 2 |
| A3 | Approval workflow for scoring weight changes | Prevent unsupervised config changes | Phase 3 |
| A4 | Custom tags and fields | Every org has its own taxonomy | Phase 5 |
| A5 | Bulk operations | Validate/reject multiple tests at once, mass campaign assignment | Phases 5, 9 |
| A6 | Markdown in descriptions | Technicians want to format procedures | Phase 11 |
| A7 | Detection Rule Git Sync | Sync rules from corporate Git repo | Phase 8 |
| A8 | Confidence overlay on heatmap | Heatmap shows coverage + confidence as second layer | Phase 8 |
| A9 | Auto Detection Gap → Ticket pipeline | Red breaks something → auto-queue item → assign to Blue | Phase 10 |
| A10 | Navigator export with Confidence | Export layer including confidence level per technique | Phase 8 |
| A11 | Comparative Attack Path Results | Compare same path executed on different dates | Phase 10 |
| A12 | SLA Tracking for Detection Gaps | Measure time from gap to rule implementation | Phase 13 |
New Python Dependencies by Phase
| Phase | Package | Purpose |
|---|---|---|
| 1 | atlassian-python-api |
Jira REST API |
| 1 | tempo-api-python-client |
Tempo worklog API |
| 2 | weasyprint |
HTML → PDF |
| 2 | docxtpl |
DOCX template rendering |
| 11 | markdown, Pygments |
Markdown rendering + syntax highlighting |
| 14 | python3-saml |
SAML 2.0 SSO |