The evidence layer of the system. Every incident exists operationally only to the extent that it is proven. The board sorts reports into columns by evidence status, maintains the chain of custody, and computes % GAP as a systemic-risk indicator: the more claims without proof, the weaker the organization's audit and procedural position.
Confidence values and chain-of-custody entries on this page are illustrative (demo). They do not reflect real breaches. The evidence-status framework is methodical and production-grade; the data within it is simulated.
A claim about an incident cannot be "stronger" than the proof behind it. A report without evidence carries the status GAP, not CONFIRMED. Classification, priority, and legal reporting all inherit from the weakest evidentiary link.
Metric: the share of incidents without sufficient proof among all open cases. A high % GAP means the organization "sees" events but cannot document them: a weak position before an auditor or a regulator, and in legal proceedings.
Bar: share of GAP in the incident portfolio. Operational goal: keep it below 25% (the amber threshold); below 10% is the mature target.
| evidence_id | incident_id | type | confidence | collected_by | visibility | status |
|---|---|---|---|---|---|---|
| EVD-5110 | INC-2044 | auth log (4624/4625) | 96 | SOC-analyst-2 | internal | CONFIRMED |
| EVD-5108 | INC-2044 | RDP session capture | 92 | DFIR-lead | restricted | CONFIRMED |
| EVD-5104 | INC-2039 | VPN gateway PCAP | 88 | NetSec-1 | internal | CONFIRMED |
| EVD-5102 | INC-2041 | email headers | 41 | reporter@bank | internal | AWAITING VERIFICATION |
| EVD-5099 | INC-2040 | article/OSINT | 28 | threat-intel | public | MEDIA |
| EVD-5093 | INC-2038 | agent prompt log | 35 | ai-safety-off. | restricted | AWAITING VERIFICATION |
| EVD-5090 | INC-2029 | WAF metrics | 52 | SOC-analyst-1 | internal | DISPUTED |
| (none) | INC-2033 | (no data sample) | 0 | (none) | (none) | GAP |
confidence 0–100: evidentiary weight = f(source type, custody integrity, reproducibility, correlation). Thresholds: <40 weak · 40–74 partial · ≥75 strong. An incident can only be CONFIRMED with at least one item ≥75 and a consistent chain of custody.
The chain of custody documents every transfer of evidence: who, when, hash before and after, and purpose. A time gap between entries or a hash mismatch lowers confidence and may move the incident to DISPUTED.
```jsonc
{
  "evidence_id": "EVD-5108", // SIMULATION
  "incident_id": "INC-2044",
  "type": "rdp_session_capture",
  "sha256": "9f2a...c71e",
  "confidence": 92,
  "sealed": true,
  "chain_of_custody": [
    { "seq": 1, "ts": "2026-07-04T08:12:03Z", "actor": "SOC-analyst-2",
      "action": "collect", "from": "host WKS-114", "hash_after": "9f2a...c71e" },
    { "seq": 2, "ts": "2026-07-04T08:19:40Z", "actor": "DFIR-lead",
      "action": "transfer", "to": "evidence-vault-01", "hash_before": "9f2a...c71e",
      "hash_after": "9f2a...c71e", "integrity": "OK" },
    { "seq": 3, "ts": "2026-07-04T09:02:11Z", "actor": "Analyst-review",
      "action": "review", "verdict": "supports_incident", "confidence_delta": 6 },
    { "seq": 4, "ts": "2026-07-04T09:40:55Z", "actor": "Legal/DPO",
      "action": "legal_hold", "reason": "possible NIS2/GDPR reporting", "integrity": "OK" }
  ],
  "gaps": [], // no time gaps, so the evidentiary weight is preserved
  "status": "CONFIRMED"
}
```
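The confidence scale and the custody rules above are stated in prose; the following is an added example (not the board's own code) that applies them to records shaped like EVD-5108. It walks the chain in `seq` order, checks hash continuity and timestamp order, penalizes custody gaps and hash mismatches, derives the incident status (GAP, DISPUTED, CONFIRMED, AWAITING VERIFICATION) and computes % GAP with the 25% amber and 10% mature bands. The 75-point threshold and the two bands are the page's; the 60-minute gap limit, the penalty sizes, and the sample portfolio (including a tampered copy of the record under a made-up incident ID) are constructed assumptions.

```python
"""Evidence-board helpers: chain-of-custody check, incident status, % GAP.

Added example, not code from the page. Field names follow the EVD-5108 record;
the 75-point CONFIRMED threshold and the 25% / 10% GAP bands are the page's.
The 60-minute custody-gap limit and the two penalty sizes are assumptions.
"""
from __future__ import annotations

import copy
from datetime import datetime, timedelta
from typing import Any

STRONG = 75                              # page: >=75 is "strong"
MAX_CUSTODY_GAP = timedelta(minutes=60)  # assumption: page gives no figure
GAP_PENALTY = 10                         # assumption
MISMATCH_PENALTY = 40                    # assumption

# Constructed sample record, mirroring the EVD-5108 entry shown on the page.
EVD_5108: dict[str, Any] = {
    "evidence_id": "EVD-5108", "incident_id": "INC-2044",
    "sha256": "9f2a...c71e", "confidence": 92,
    "chain_of_custody": [
        {"seq": 1, "ts": "2026-07-04T08:12:03Z", "actor": "SOC-analyst-2",
         "action": "collect", "hash_after": "9f2a...c71e"},
        {"seq": 2, "ts": "2026-07-04T08:19:40Z", "actor": "DFIR-lead",
         "action": "transfer", "hash_before": "9f2a...c71e", "hash_after": "9f2a...c71e"},
        {"seq": 3, "ts": "2026-07-04T09:02:11Z", "actor": "Analyst-review",
         "action": "review"},
        {"seq": 4, "ts": "2026-07-04T09:40:55Z", "actor": "Legal/DPO",
         "action": "legal_hold"},
    ],
}


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_custody(evidence: dict[str, Any]) -> tuple[int, list[str]]:
    """Walk the chain in seq order and return (adjusted confidence, findings).

    Checks: contiguous seq numbers, non-decreasing timestamps, no silence longer
    than MAX_CUSTODY_GAP between entries, and hash continuity (each hash_before
    must equal the last known hash; an action must not change the hash).
    """
    chain = sorted(evidence["chain_of_custody"], key=lambda e: e["seq"])
    findings: list[str] = []
    confidence = evidence["confidence"]
    known_hash = evidence["sha256"]
    prev_ts: datetime | None = None
    for expected_seq, entry in enumerate(chain, start=1):
        tag = f"seq {entry['seq']}"
        if entry["seq"] != expected_seq:
            findings.append(f"{tag}: sequence break, expected {expected_seq}")
        ts = _ts(entry["ts"])
        if prev_ts is not None:
            if ts < prev_ts:
                findings.append(f"{tag}: timestamp precedes previous entry")
            elif ts - prev_ts > MAX_CUSTODY_GAP:
                findings.append(f"{tag}: custody gap of {ts - prev_ts}")
                confidence -= GAP_PENALTY
        prev_ts = ts
        before, after = entry.get("hash_before"), entry.get("hash_after")
        if before is not None and before != known_hash:
            findings.append(f"{tag}: hash_before does not match last known hash")
            confidence -= MISMATCH_PENALTY
        if before is not None and after is not None and before != after:
            findings.append(f"{tag}: hash changed during '{entry['action']}'")
            confidence -= MISMATCH_PENALTY
        if after is not None:
            known_hash = after
    return max(confidence, 0), findings


def incident_status(items: list[dict[str, Any]]) -> str:
    """Page rule: no evidence -> GAP; any broken chain -> DISPUTED;
    at least one clean item >= STRONG -> CONFIRMED; else AWAITING VERIFICATION."""
    if not items:
        return "GAP"
    results = [check_custody(item) for item in items]
    if any(findings for _, findings in results):
        return "DISPUTED"
    if max(conf for conf, _ in results) >= STRONG:
        return "CONFIRMED"
    return "AWAITING VERIFICATION"


def gap_share(portfolio: dict[str, list[dict[str, Any]]]) -> tuple[float, str]:
    """% GAP over open incidents, with the page's 10% / 25% bands."""
    statuses = [incident_status(items) for items in portfolio.values()]
    pct = 100.0 * statuses.count("GAP") / len(statuses)
    band = "mature" if pct < 10 else "within target" if pct < 25 else "amber"
    return pct, band


def demo_portfolio() -> dict[str, list[dict[str, Any]]]:
    """Constructed four-incident portfolio: one clean, one tampered, one weak, one empty.
    INC-9001 / EVD-9001 are made-up IDs for the tampered copy."""
    tampered = copy.deepcopy(EVD_5108)
    tampered["evidence_id"], tampered["incident_id"] = "EVD-9001", "INC-9001"
    tampered["chain_of_custody"][1]["hash_after"] = "deadbeef"  # vault copy differs
    weak = copy.deepcopy(EVD_5108)
    weak["evidence_id"], weak["incident_id"], weak["confidence"] = "EVD-5102", "INC-2041", 41
    return {"INC-2044": [EVD_5108], "INC-9001": [tampered],
            "INC-2041": [weak], "INC-2033": []}


if __name__ == "__main__":
    for inc, items in demo_portfolio().items():
        print(inc, incident_status(items), [check_custody(i)[1] for i in items])
    print("%% GAP = %.1f (%s)" % gap_share(demo_portfolio()))
```

Two design points: a hash mismatch is penalized harder than a time gap because it means the artifact itself may have changed, whereas a gap only means nobody logged custody for a while; and the sample portfolio lands exactly on 25% so you can see that the amber band is inclusive of the threshold.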
visibility (public/internal/restricted) decides who sees the artifact; the Public Viewer never sees restricted items. CONFIRMED evidence feeds decisions on reporting deadlines (AI Act art. 73, NIS2, GDPR art. 33/34). Framework/educational, not certification.
Closing an action requires proof of remediation, referenced by its evidence_id.
A new report lands by default in the GAP column until evidence is collected.
Classification inherits from the incident's weakest evidentiary link.