K0NSULT // ai-truth/ipIII

Evidence Board


The evidence layer of the system. An incident exists operationally only to the extent that it is proven. The board sorts reports into columns by evidence status, maintains the chain of custody, and computes % GAP as a systemic-risk indicator: the more claims without proof, the weaker the organization's audit and procedural position.

SIMULATION / demonstration data. All incident identifiers, evidence items, confidence values, and chain-of-custody entries on this page are illustrative (demo) and do not reflect real breaches. The evidence-status framework is methodical and production-grade; the data within it is simulated.

Doctrine: claim ≤ proof

A claim about an incident cannot be "stronger" than the proof behind it. A report without evidence carries the status GAP, not CONFIRMED. Classification, priority, and legal reporting all inherit from the weakest evidentiary link.

REPORT → EVIDENCE → STATUS → CLASSIFICATION → RISK → PLAYBOOK → VALIDATION → REPORT

Systemic risk indicator: % GAP (SIMULATION)

Metric: the share of incidents without sufficient proof among all open cases. A high % GAP means the organization "sees" events but cannot document them, which is a weak position before an auditor or regulator and in legal proceedings.

42 — Open incidents (all evidence statuses)
31% — % GAP (no proof): 13 / 42, alert threshold >25%
45% — % CONFIRMED: 19 / 42, full proof
7 — Awaiting verification (analyst queue)

[Bar chart: share of GAP in the incident portfolio.] Operational goal: keep below 25% (amber threshold); below 10% is the mature target.

Column board: evidence status

GAP — no proof (13)

INC-2041 · GAP · P1 · Reported phishing against the lending team; email/headers not collected.
INC-2038 · GAP · P2 · Suspected prompt injection in the assistant; no prompt/response log.
INC-2033 · GAP · P2 · Signal of a "leak" from an external channel; no data sample.

Weak evidence (3)

INC-2040 · MEDIA · P1 · Media signal of a ransomware campaign in the sector; no local IOCs.
INC-2036 · PUBLIC · P2 · Public claim of a vendor vulnerability; unconfirmed in our environment.
INC-2029 · DISPUTED · P2 · Disputed DDoS alert; possible WAF false positive.

CONFIRMED (19)

INC-2044 · CONFIRMED · P0 · Credential theft; 4625/4624 logs, session capture, IOC confirmed.
INC-2039 · CONFIRMED · P1 · Exploited CVE on the VPN gateway; PCAP + version + patch diff.
INC-2031 · CONFIRMED · P2 · Misconfigured S3-like bucket; policy snapshot + access audit.

Awaiting verification (7)

EVD-5102 · INTERNAL · Email headers submitted by the reporter, to correlate with INC-2041; awaiting an analyst.
EVD-5099 · PUBLIC · OSINT article on the sector ransomware campaign (INC-2040); correlation with local IOCs pending.
EVD-5093 · RESTRICTED · Agent prompt capture (INC-2038); source and timestamp validation.

Chain of custody (active)

INC-2044 · CONFIRMED · 4 transfers · hash consistent · no time gaps.
INC-2039 · CONFIRMED · 3 transfers · analyst signature · integrity OK.
INC-2029 · DISPUTED · 14-min gap in custody; lowers evidentiary weight.

Evidence table (evidence_layer) SIMULATION

evidence_id | incident_id | type                 | confidence | collected_by   | visibility | status
EVD-5110    | INC-2044    | auth log (4624/4625) | 96         | SOC-analyst-2  | internal   | CONFIRMED
EVD-5108    | INC-2044    | RDP session capture  | 92         | DFIR-lead      | restricted | CONFIRMED
EVD-5104    | INC-2039    | VPN gateway PCAP     | 88         | NetSec-1       | internal   | CONFIRMED
EVD-5102    | INC-2041    | email headers        | 41         | reporter@bank  | internal   | AWAITING VERIFICATION
EVD-5099    | INC-2040    | article/OSINT        | 28         | threat-intel   | public     | MEDIA
EVD-5093    | INC-2038    | agent prompt log     | 35         | ai-safety-off. | restricted | AWAITING VERIFICATION
EVD-5090    | INC-2029    | WAF metrics          | 52         | SOC-analyst-1  | internal   | DISPUTED
—           | INC-2033    | (no data sample)     | 0          | —              | —          | GAP

confidence 0–100: evidentiary weight = f(source type, custody integrity, reproducibility, correlation). Thresholds: <40 weak · 40–74 partial · ≥75 strong. An incident can only be CONFIRMED with at least one item ≥75 and a consistent chain of custody.
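As an added worked example (not code from this page or from the K0NSULT system), the Python below turns the bands and the CONFIRMED rule above into a status function, then computes % GAP and its alert level over a constructed portfolio built from the demo identifiers and confidence values on this page. The Evidence dataclass, the verified flag, the order in which WEAK and DISPUTED are derived, and the level labels are assumptions of the example; the 40/75 bands and the 25%/10% thresholds are the page's.

```python
from collections import Counter
from dataclasses import dataclass

# Bands and thresholds as given on the page.
STRONG_MIN = 75           # an item at or above this counts as proof
PARTIAL_MIN = 40          # below this an item is weak
GAP_ALERT_PCT = 25.0      # amber threshold for % GAP
GAP_TARGET_PCT = 10.0     # mature target for % GAP


@dataclass
class Evidence:
    evidence_id: str
    confidence: int           # 0-100 evidentiary weight
    custody_ok: bool          # hashes consistent and no time gaps in the chain
    verified: bool = True     # analyst has validated source and timestamp (assumption)


def weight_band(confidence):
    if confidence < PARTIAL_MIN:
        return "weak"
    if confidence < STRONG_MIN:
        return "partial"
    return "strong"


def incident_status(items):
    """Board column for one incident, derived from its evidence (claim <= proof).

    Items still awaiting verification are not yet proof, so an incident with nothing
    verified is GAP. CONFIRMED requires at least one custody-clean item >= 75. If the
    only usable items have a broken chain, the incident is DISPUTED; otherwise WEAK.
    """
    usable = [e for e in items if e.verified]
    if not usable:
        return "GAP"
    clean = [e for e in usable if e.custody_ok]
    if any(e.confidence >= STRONG_MIN for e in clean):
        return "CONFIRMED"
    if len(clean) < len(usable):
        return "DISPUTED"
    return "WEAK"


def gap_pct(statuses):
    """Share of GAP incidents among all open cases, rounded to one decimal."""
    statuses = list(statuses)
    if not statuses:
        return 0.0
    return round(100.0 * sum(s == "GAP" for s in statuses) / len(statuses), 1)


def gap_level(pct):
    # Labels are this example's; the thresholds are the page's.
    if pct > GAP_ALERT_PCT:
        return "ALERT"
    if pct > GAP_TARGET_PCT:
        return "ABOVE_TARGET"
    return "MATURE"


def board_summary(portfolio):
    statuses = {inc: incident_status(items) for inc, items in portfolio.items()}
    pct = gap_pct(statuses.values())
    return {"statuses": statuses, "counts": dict(Counter(statuses.values())),
            "gap_pct": pct, "gap_level": gap_level(pct)}


# Constructed portfolio using the demo identifiers and confidence values from the page.
DEMO_PORTFOLIO = {
    "INC-2044": [Evidence("EVD-5110", 96, True), Evidence("EVD-5108", 92, True)],
    "INC-2039": [Evidence("EVD-5104", 88, True)],
    "INC-2041": [Evidence("EVD-5102", 41, True, verified=False)],  # headers not yet verified
    "INC-2040": [Evidence("EVD-5099", 28, True)],                  # media/OSINT only
    "INC-2029": [Evidence("EVD-5090", 52, False)],                 # 14-min custody gap
    "INC-2033": [],                                                # no data sample at all
}

if __name__ == "__main__":
    summary = board_summary(DEMO_PORTFOLIO)
    for inc, status in summary["statuses"].items():
        print(f"{inc}: {status}")
    print(f"% GAP = {summary['gap_pct']} -> {summary['gap_level']}")
```

Note that a partial-confidence item (EVD-5102 at 41) does not lift INC-2041 out of GAP while it is unverified, and that a custody break on the only usable item (INC-2029) yields DISPUTED even though its confidence of 52 sits in the partial band: status is capped by the weakest link, as the doctrine above requires.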

Chain of custody: sample record

The chain of custody documents every transfer of evidence: who, when, hash before/after, purpose. A time gap or hash mismatch lowers confidence and may move the incident to DISPUTED. The record below is simulated; its empty gaps list means no time gaps, so the evidentiary weight is preserved.

{
  "evidence_id": "EVD-5108",
  "incident_id": "INC-2044",
  "type": "rdp_session_capture",
  "sha256": "9f2a...c71e",
  "confidence": 92,
  "sealed": true,
  "chain_of_custody": [
    { "seq": 1, "ts": "2026-07-04T08:12:03Z", "actor": "SOC-analyst-2",
      "action": "collect", "from": "host WKS-114", "hash_after": "9f2a...c71e" },
    { "seq": 2, "ts": "2026-07-04T08:19:40Z", "actor": "DFIR-lead",
      "action": "transfer", "to": "evidence-vault-01", "hash_before": "9f2a...c71e",
      "hash_after": "9f2a...c71e", "integrity": "OK" },
    { "seq": 3, "ts": "2026-07-04T09:02:11Z", "actor": "Analyst-review",
      "action": "review", "verdict": "supports_incident", "confidence_delta": 6 },
    { "seq": 4, "ts": "2026-07-04T09:40:55Z", "actor": "Legal/DPO",
      "action": "legal_hold", "reason": "possible NIS2/GDPR reporting", "integrity": "OK" }
  ],
  "gaps": [],
  "status": "CONFIRMED"
}
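As an added example (not the page's own code), the Python below verifies a custody chain in the shape of the record above: contiguous seq numbers, non-decreasing timestamps, each hash_before matching the previous hash_after, the sealed artifact's declared SHA-256 matching both the last recorded hash_after and the artifact bytes, and any explicitly recorded gaps. Any finding moves the item to DISPUTED, as the text describes. The artifact bytes, the gaps entry format (after_seq, minutes), and the helper names are assumptions; the digest in the constructed record is computed from those bytes rather than the page's truncated "9f2a...c71e".

```python
import copy
import hashlib
from datetime import datetime

# Constructed sample artifact standing in for the RDP session capture EVD-5108;
# its real SHA-256 is what the custody entries below carry (assumption).
ARTIFACT = b"constructed demo bytes standing in for EVD-5108 session capture\n"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()

# Same shape as the page's sample record, with the hash replaced by the real digest.
RECORD = {
    "evidence_id": "EVD-5108",
    "incident_id": "INC-2044",
    "type": "rdp_session_capture",
    "sha256": ARTIFACT_SHA256,
    "confidence": 92,
    "sealed": True,
    "chain_of_custody": [
        {"seq": 1, "ts": "2026-07-04T08:12:03Z", "actor": "SOC-analyst-2",
         "action": "collect", "from": "host WKS-114", "hash_after": ARTIFACT_SHA256},
        {"seq": 2, "ts": "2026-07-04T08:19:40Z", "actor": "DFIR-lead",
         "action": "transfer", "to": "evidence-vault-01",
         "hash_before": ARTIFACT_SHA256, "hash_after": ARTIFACT_SHA256, "integrity": "OK"},
        {"seq": 3, "ts": "2026-07-04T09:02:11Z", "actor": "Analyst-review",
         "action": "review", "verdict": "supports_incident", "confidence_delta": 6},
        {"seq": 4, "ts": "2026-07-04T09:40:55Z", "actor": "Legal/DPO",
         "action": "legal_hold", "reason": "possible NIS2/GDPR reporting", "integrity": "OK"},
    ],
    "gaps": [],   # explicit custody gaps as [{"after_seq": n, "minutes": m}] (assumed format)
}


def _ts(value):
    # ISO 8601 with a trailing Z; fromisoformat needs an explicit offset before Python 3.11
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def verify_custody(record, artifact=None):
    """Return (status, findings). Any finding breaks the chain and the item is DISPUTED."""
    findings = []
    last_hash, prev_ts = None, None
    for expected_seq, entry in enumerate(record["chain_of_custody"], start=1):
        seq = entry["seq"]
        if seq != expected_seq:
            findings.append(f"seq {seq}: expected seq {expected_seq} (missing or reordered entry)")
        ts = _ts(entry["ts"])
        if prev_ts is not None and ts < prev_ts:
            findings.append(f"seq {seq}: timestamp earlier than the previous entry")
        prev_ts = ts
        if "hash_before" in entry and last_hash is not None and entry["hash_before"] != last_hash:
            findings.append(f"seq {seq}: hash_before differs from previous hash_after")
        if entry.get("integrity", "OK") != "OK":
            findings.append(f"seq {seq}: integrity flagged {entry['integrity']}")
        last_hash = entry.get("hash_after", last_hash)   # carry the last known hash forward
    if last_hash != record["sha256"]:
        findings.append("declared sha256 differs from the last recorded hash_after")
    if artifact is not None and hashlib.sha256(artifact).hexdigest() != record["sha256"]:
        findings.append("artifact bytes do not hash to the declared sha256")
    for gap in record.get("gaps", []):
        findings.append(f"{gap['minutes']}-min custody gap after seq {gap['after_seq']}")
    return ("CONFIRMED" if not findings else "DISPUTED"), findings


def tampered_record():
    """Hash recorded at the vault transfer no longer matches the sealed artifact."""
    rec = copy.deepcopy(RECORD)
    rec["chain_of_custody"][1]["hash_after"] = "0" * 64
    return rec


def gapped_record():
    """Hashes intact, but a 14-minute undocumented interval, as for INC-2029 on the board."""
    rec = copy.deepcopy(RECORD)
    rec["gaps"] = [{"after_seq": 2, "minutes": 14}]
    return rec


if __name__ == "__main__":
    for name, rec in (("clean", RECORD), ("tampered", tampered_record()), ("gapped", gapped_record())):
        status, findings = verify_custody(rec, ARTIFACT)
        print(f"{rec['evidence_id']} [{name}] -> {status} {findings}")
```

The tampered variant is caught by the final-hash check rather than by a hash_before comparison, because neither the review nor the legal-hold entry records a hash; that is why the declared sha256 on the sealed record, and a recomputation over the artifact bytes, are the checks that matter most.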

Evidence board principles

1. No proof = GAP, not fact. A report without an artifact stays in the GAP column and cannot be raised above priority P2 without additional analyst justification.
2. Integrity > quantity. One item with a hash and a consistent custody chain weighs more than five unsigned screenshots.
3. Role-driven visibility. visibility (public/internal/restricted) decides who sees the artifact; the Public Viewer never sees restricted items.
4. % GAP is a management metric. Reported to the Executive Overview as a measure of evidentiary maturity, not just an incident count.

Related

Legal Board →

CONFIRMED evidence feeds decisions on reporting deadlines (AI Act art. 73, NIS2, GDPR art. 33/34). Framework/educational, not certification.

Response Board →

Closing an action requires proof of remediation, validated by evidence_id.

Incident Intake →

A new report lands by default in the GAP column until evidence is collected.

Classification Engine →

Classification inherits from the incident's weakest evidentiary link.