Master Exposure Management.
“The adversary suffers when every path they take ends in a trap.”
Three days in, the Space Cybersecurity Operations and Resilience department you are building is no longer asking the departments for time; they are bringing it their work. Kestrel Orbital’s platform model, the threat catalogue, and the attack paths Satellite Design & Engineering walked with you yesterday all sit in one shared form. Today the circuit closes where it started: you sit down with the Security Operations Center to turn every path into a detection that fires and a playbook that runs. You drive the organization to continually enumerate the attack paths created by both exposed and isolated platform elements, and to work toward platform deception techniques. The signatures and playbooks you write today support Executive Order 14144’s detect-report-recover requirement and the NIS2 reporting deadlines: a 24-hour warning, a 72-hour notification, a one-month report.
DAY 4 START
Today you turn each attack path into a detection signature that fires on those data sources and a response playbook that runs when it fires. The Security Operations Center that briefed the threat sources on Day 2 now writes detections against the paths Satellite Design & Engineering drew on Day 3: each day’s work lands on the day before it. This is the detect-report-recover capability Executive Order 14144 requires, exercised inside the reporting deadlines NIS2 sets.
WRITE THE SIGNATURES & PLAYBOOKS
Six artifacts on the table. Security Operations runs the detections and acts on the alerts, and today the center lays its working reality on the table the same way Satellite Design & Engineering opened its artifacts yesterday: the six below, walked together for every attack path you cover today. Each one tells you something different about what Security Operations can see, how the center responds, and which signature designs will work in production.
What data streams Security Operations actually has visibility into: auth logs, network flow, EDR, T2 RF metrics, attestation.
Vendor-neutral detection rule format. Same rule deploys to Splunk, Elastic, Microsoft Sentinel without rewrite.
Existing IR playbooks Security Operations already runs. New signatures hook into the right one.
Current alert volume and triage practice. New signatures must fit the queue, not flood it.
What an on-call analyst can actually do in real time during a pass. Constrains what response steps are realistic.
Telemetry blind spots already documented. New signatures may not be possible until engineering closes a gap.
INCIDENT RESPONSE PREPARATION PROCESS
Inputs. Yesterday’s attack-path set against the telecommand path and a working session with Security Operations, building the detect-report-recover capability Executive Order 14144 requires inside the NIS2 reporting deadlines. Output. One AN-DET element per detection signature, written in vendor-neutral RootA format. Six steps, fixed order. Set LAYER (always AN). Verify the format is RootA. Set TAG (DET). Set ORDINAL. Enumerate the TDM (what structural elements the signature observes). Write the Description. Constraint. A signature that is vendor-locked or carries no TDM anchor is rejected.
AN-DET).00 (AN:DET:Detection Signature:00, AN:DET:Detection Signature:01, and so on); one ordinal per distinct detection signature.ROOTA, OPEN DETECTION LANGUAGE
RootA is an open public-domain detection-engineering language created by the SOC Prime team, released in 2023. It is a YAML wrapper that carries a native SIEM, EDR, XDR, or Data Lake query plus the metadata a defender needs to share that query: MITRE ATT&CK mapping, log-source declaration, references, threat-actor and campaign timeline, and tags. The companion tool Uncoder.IO converts a RootA rule into 65 query dialects across 45 technologies, including Splunk, Elastic, Microsoft Sentinel, Google Chronicle, CrowdStrike, QRadar, Sumo Logic, and others. We write every AN-DET in RootA so the detection portfolio you leave Friday with ports across every SIEM your organization runs today and every SIEM it will run tomorrow.
Public-domain license. No procurement gate, no vendor contract. A rule you write today is a rule a peer operator, such as a fellow Space-ISAC member, could pull tomorrow and run on a different SIEM with no rewrite.
Write the detection in whatever query language you already know (SPL, KQL, EQL, Carbon Black, Yara-L). RootA wraps it with metadata: name, severity, log source, MITRE techniques, references, tags.
Every RootA rule carries the ATT&CK techniques it covers as a first-class field. Pairs directly with the AN-ATT map from Day 3, so detection coverage is reviewable against attack paths, not just rule counts.
Uncoder.IO translates a RootA rule into the dialect your Security Operations Center actually runs. A SIEM migration becomes a translation pass over the portfolio, not a rewrite of every rule from scratch.
RESOURCES · specification: roota.io · repository: github.com/UncoderIO/RootA · translator: uncoder.io · community: discord.gg/socprime
THE ROOTA SIGNATURE FOR AN-DET:00, FIELD BY FIELD
This is the full an-det-00-anomalous-console-auth.yml as it ships in the course rule pack. It defends AN:ATT:Attack Path:00 (operator-console credential theft) using the four Available rows from yesterday’s source inventory. Each numbered badge in the signature maps to a numbered card on the left, so you can read the rule top-to-bottom and see what every field is for. Same ten fields for every other AN-DET; only the values change.
AN-DET-00 Anomalous console authentication.author, severity, type, class, status, date. Tells Security Operations who wrote it, how serious it is, and whether it is production-ready.product: identity + category: authentication targets identity-provider logs across any SIEM.selection_* per row of yesterday’s source inventory. Four Available sources, four selections: console target, failure burst, impossible travel, unknown source.USER SEGMENT SIGNATURES & PLAYBOOKS
Each row is one AN-DET element written with Security Operations. Each signature covers one or more steps of an attack path from yesterday; the TDM names the structural element the signature observes; the format is vendor-neutral RootA so the rule ports across detection platforms. Path steps with no observable telemetry become declared coverage gaps and go back to engineering as work to do.
ROOTA PACK browse all 14 rules · ↓ an-det-roota-pack.zip
| ID | AN-DET ETEN |
|---|---|
AN:DET:Detection Signature:00 |
Anomalous console authentication: detects repeated failed logins or first-time-from-IP successes against operator console workstations, suggesting credential stuffing or phishing.
COVERS
AN:ATT:Attack Path:00 (Console credential theft)TDM
AST:HW:Hardware:04 (console workstation) authentication logs; SVC:CP:Control Plane:13 console-ops audit streamFORMAT RootA , vendor-neutral source-agnostic rule.
SOURCE MITRE ATT&CK T1110 (Brute Force) and T1078 (Valid Accounts) detection guidance.
COVERAGE Full , observable in standard auth-log telemetry.
|
AN:DET:Detection Signature:01 |
End-user application binary integrity: detects modified end-user application binaries or unexpected file-write events against the displayed mission product on operator workstations.
COVERS
AN:ATT:Attack Path:01 (End-user app tampering)TDM
AST:SW:Software:08 (end-user app SW) file-integrity stream; SVC:DP:Data Plane:02 (mission product display) auditFORMAT RootA.
SOURCE MITRE ATT&CK T1565 (Data Manipulation); SolarWinds detection retrospectives (CISA AA20-352A).
COVERAGE Full , observable via file-integrity monitoring.
|
GROUND SEGMENT SIGNATURES & PLAYBOOKS
Each row is one AN-DET element written with Security Operations. Each signature covers one or more steps of an attack path from yesterday; the TDM names the structural element the signature observes; the format is vendor-neutral RootA so the rule ports across detection platforms. Path steps with no observable telemetry become declared coverage gaps and go back to engineering as work to do.
ROOTA PACK browse all 14 rules · ↓ an-det-roota-pack.zip
| ID | AN-DET ETEN |
|---|---|
AN:DET:Detection Signature:02 |
Management-plane abuse: detects firmware-push operations from the modem management interface outside maintenance windows, or following a VPN-appliance authentication anomaly.
COVERS
AN:ATT:Attack Path:02 (Long-dwell ground-network intrusion , KA-SAT-style)TDM
SVC:CP:Control Plane:09 (ground ACA) audit; AST:DA:Data:02 (patch binaries) deployment log; AST:SW:Software:03 (patch deployment SW) execution logFORMAT RootA.
SOURCE Viasat post-incident report (30 March 2022); CISA AA22-110A; SentinelLabs AcidRain analysis.
COVERAGE Full , observable via VPN auth logs + patch-pipeline audit.
|
AN:DET:Detection Signature:03 |
Operator credential anomaly: detects sign-ins to mission ops console from new geolocations, impossible-travel patterns, or anomalous time-of-day for the operator’s shift.
COVERS
AN:ATT:Attack Path:03 (Operator credential theft)TDM
AST:DA:Data:01 (ACA credentials) authentication audit; SVC:CP:Control Plane:09 (ground ACA) sign-in streamFORMAT RootA.
SOURCE MITRE ATT&CK T1078 (Valid Accounts) detection guidance.
COVERAGE Full , observable in identity-provider telemetry.
|
AN:DET:Detection Signature:04 |
Out-of-pattern command authority usage: detects commanding workstation usage outside the operator’s normal hours, commands issued without peer review tags, or sequences inconsistent with the active mission profile.
COVERS
AN:ATT:Attack Path:04 (Privileged insider misuse)TDM
AST:HW:Hardware:04 (console HW) usage stream; SVC:CP:Control Plane:13 (console ops) command auditFORMAT RootA.
SOURCE MITRE ATT&CK T1078.003 (Local Accounts); NIST SP 800-53 PS-7 monitoring guidance.
COVERAGE Partial , depends on robust per-operator behavior baselines.
|
AN:DET:Detection Signature:05 |
Lateral movement to mission control: detects east-west network flows from operator-network hosts to mission-control hosts that fall outside the documented allow-list.
COVERS
AN:ATT:Attack Path:05 (Lateral movement to mission control)TDM
Network flow telemetry between operator-network and mission-control segments; SVC:CP:Control Plane:13 (console ops) connection auditFORMAT RootA.
SOURCE MITRE ATT&CK TA0008 (Lateral Movement) detection patterns.
COVERAGE Full , observable via network flow logs.
|
AN:DET:Detection Signature:06 |
Mass encryption / file-system anomaly: detects high-rate write-and-rename operations against launch-control or patch-deployment hosts, with low entropy on original files and high entropy on renamed ones.
COVERS
AN:ATT:Attack Path:06 (Ransomware against launch infrastructure)TDM
SVC:CP:Control Plane:10 (launch control) file-system audit; AST:DA:Data:02 (patch binaries) integrity stream; AST:SW:Software:03 (patch deployment SW) auditFORMAT RootA.
SOURCE CISA Stop Ransomware advisories; MITRE ATT&CK T1486 (Data Encrypted for Impact).
COVERAGE Full , observable via EDR + file-integrity monitoring.
|
LINK SEGMENT SIGNATURES & PLAYBOOKS
Each row is one AN-DET element written with Security Operations. Each signature covers one or more steps of an attack path from yesterday; the TDM names the structural element the signature observes; the format is vendor-neutral RootA so the rule ports across detection platforms. Path steps with no observable telemetry become declared coverage gaps and go back to engineering as work to do.
ROOTA PACK browse all 14 rules · ↓ an-det-roota-pack.zip
| ID | AN-DET ETEN |
|---|---|
AN:DET:Detection Signature:07 |
Sustained noise-floor anomaly: detects elevated noise across the uplink or downlink bands beyond expected environmental thresholds, sustained for longer than incidental atmospheric events.
COVERS
AN:ATT:Attack Path:07 (Jamming campaign)TDM
SVC:HY:Hybrid:02 (T2 tracking) RF metrics; AST:SI:Signal:00 (uplink/downlink waveforms) SNR + BER streamFORMAT RootA.
SOURCE ITU interference-reporting guidance; SPARTA SPACE-T1429 (Disrupt) detection guidance.
COVERAGE Full , observable via T2 telemetry.
|
AN:DET:Detection Signature:08 |
Replay-and-spoof anomaly: detects command-waveform sequences with valid authentication tags but anomalous timing relative to the established command cadence, or session keys appearing in unexpected locations.
COVERS
AN:ATT:Attack Path:08 (Replay-and-spoof on uplink)TDM
SVC:CP:Control Plane:05 (link ACA) authentication audit; SVC:CP:Control Plane:09 (ground ACA) key-material audit; AST:SI:Signal:00 (uplink waveform) command-timing streamFORMAT RootA.
SOURCE SPARTA SPACE-T1428 (Replay Attacks) detection guidance.
COVERAGE Partial , requires established command-cadence baseline.
|
AN:DET:Detection Signature:09 |
Downlink interception is largely passive and cannot be detected from the link itself. Signature watches for adversary follow-on activity that suggests collection occurred (e.g., disclosure of intercepted content).
COVERS
AN:ATT:Attack Path:09 (Downlink interception)TDM
OSINT collection monitoring; threat-intel feeds for leaked mission-product mentionsFORMAT RootA + external watch.
SOURCE SPARTA SPACE-T1427 (Eavesdropping on Communications) , mitigation guidance emphasizes encryption rather than detection.
COVERAGE Gap , primary detection signal does not exist on the link; engineering work is to encrypt the downlink and to instrument follow-on disclosure monitoring.
|
SPACE SEGMENT SIGNATURES & PLAYBOOKS
Each row is one AN-DET element written with Security Operations. Each signature covers one or more steps of an attack path from yesterday; the TDM names the structural element the signature observes; the format is vendor-neutral RootA so the rule ports across detection platforms. Path steps with no observable telemetry become declared coverage gaps and go back to engineering as work to do.
ROOTA PACK browse all 14 rules · ↓ an-det-roota-pack.zip
| ID | AN-DET ETEN |
|---|---|
AN:DET:Detection Signature:10 |
Out-of-pattern bus commanding: detects sequences against ADCS/EPS/FTS that fall outside the active mission profile, or commands that would violate documented safe-mode rules.
COVERS
AN:ATT:Attack Path:10 (Destructive bus attack)TDM
SVC:HY:Hybrid:00 (C&DH) command-acceptance audit; SVC:CP:Control Plane:00 (ADCS), 02 (EPS), 03 (FTS) command streamsFORMAT RootA + on-ground commanding audit.
SOURCE SPARTA SPACE-T1029 (Disrupt) detection guidance.
COVERAGE Partial , on-board telemetry limits real-time visibility; ground-side commanding audit fills most of the gap.
|
AN:DET:Detection Signature:11 |
Unauthorized FSW state change: detects unexpected mode transitions or configuration writes on the OBC that were not initiated by an authorized ground command.
COVERS
AN:ATT:Attack Path:11 (Command-path integrity attack)TDM
AST:HW:Hardware:06 (OBC/OBDH) state audit; AST:SW:Software:06 (C&DH FSW) configuration-write log; SVC:CP:Control Plane:01 (space-side crypto) auditFORMAT RootA + ground-side correlation.
SOURCE SPARTA SPACE-T1014 (Software Modification) detection guidance.
COVERAGE Partial , depends on on-board telemetry richness.
|
AN:DET:Detection Signature:12 |
Firmware-hash mismatch at boot: detects firmware images whose measured hash does not match the signed expected value at boot or after an update.
COVERS
AN:ATT:Attack Path:12 (Supply-chain firmware compromise)TDM
AST:FW:Firmware:00 (FTS), 01 (OBC), 02 (payload) boot-attestation streamFORMAT RootA + on-board attestation.
SOURCE NIST SP 800-193 (Platform Firmware Resilience); SolarWinds (2020) post-incident detection retrospectives.
COVERAGE Full , if measured-boot / attestation is implemented; otherwise a gap.
|
AN:DET:Detection Signature:13 |
Payload-data integrity mismatch: detects mission-product whose downlinked hash does not match the on-board signature computed before transmission, indicating tampering between the instrument and the downlink encryptor.
COVERS
AN:ATT:Attack Path:13 (Payload-data tampering)TDM
SVC:DP:Data Plane:00 (mission data plane) integrity stream; SVC:DP:Data Plane:01 (payload data plane) signature auditFORMAT RootA + cryptographic verification at the ground.
SOURCE SPARTA SPACE-T1059 (Modify On-Board Values); standard end-to-end integrity guidance.
COVERAGE Full , if end-to-end signing is implemented; otherwise a gap.
|
DAY 4 COMPLETE · FOURTEEN DETECTIONS AND FOURTEEN PLAYBOOKS
One signature per observable path step, plus one playbook per path. Every signature is written in vendor-neutral RootA so it ports across detection tooling, and the same neutrality makes each rule runnable by a peer operator: the form the organization’s policy-gated Space ISAC contributions ride on. Path steps with no observable telemetry are declared coverage gaps and go back to engineering as work to do.
| ID | Description | Covers |
|---|---|---|
AN:DET:Detection Signature:00 |
Anomalous console authentication: detects repeated failed logins or first-time-from-IP successes against operator console workstations, suggesting credential stuffing or phishing. | AN:ATT:Attack Path:00 (Console credential theft) |
AN:DET:Detection Signature:01 |
End-user application binary integrity: detects modified end-user application binaries or unexpected file-write events against the displayed mission product on operator workstations. | AN:ATT:Attack Path:01 (End-user app tampering) |
AN:DET:Detection Signature:02 |
Management-plane abuse: detects firmware-push operations from the modem management interface outside maintenance windows, or following a VPN-appliance authentication anomaly. | AN:ATT:Attack Path:02 (Long-dwell ground-network intrusion , KA-SAT-style) |
AN:DET:Detection Signature:03 |
Operator credential anomaly: detects sign-ins to mission ops console from new geolocations, impossible-travel patterns, or anomalous time-of-day for the operator’s shift. | AN:ATT:Attack Path:03 (Operator credential theft) |
AN:DET:Detection Signature:04 |
Out-of-pattern command authority usage: detects commanding workstation usage outside the operator’s normal hours, commands issued without peer review tags, or sequences inconsistent with the active mission profile. | AN:ATT:Attack Path:04 (Privileged insider misuse) |
AN:DET:Detection Signature:05 |
Lateral movement to mission control: detects east-west network flows from operator-network hosts to mission-control hosts that fall outside the documented allow-list. | AN:ATT:Attack Path:05 (Lateral movement to mission control) |
AN:DET:Detection Signature:06 |
Mass encryption / file-system anomaly: detects high-rate write-and-rename operations against launch-control or patch-deployment hosts, with low entropy on original files and high entropy on renamed ones. | AN:ATT:Attack Path:06 (Ransomware against launch infrastructure) |
AN:DET:Detection Signature:07 |
Sustained noise-floor anomaly: detects elevated noise across the uplink or downlink bands beyond expected environmental thresholds, sustained for longer than incidental atmospheric events. | AN:ATT:Attack Path:07 (Jamming campaign) |
AN:DET:Detection Signature:08 |
Replay-and-spoof anomaly: detects command-waveform sequences with valid authentication tags but anomalous timing relative to the established command cadence, or session keys appearing in unexpected locations. | AN:ATT:Attack Path:08 (Replay-and-spoof on uplink) |
AN:DET:Detection Signature:09 |
Downlink interception is largely passive and cannot be detected from the link itself. Signature watches for adversary follow-on activity that suggests collection occurred (e.g., disclosure of intercepted content). | AN:ATT:Attack Path:09 (Downlink interception) |
AN:DET:Detection Signature:10 |
Out-of-pattern bus commanding: detects sequences against ADCS/EPS/FTS that fall outside the active mission profile, or commands that would violate documented safe-mode rules. | AN:ATT:Attack Path:10 (Destructive bus attack) |
AN:DET:Detection Signature:11 |
Unauthorized FSW state change: detects unexpected mode transitions or configuration writes on the OBC that were not initiated by an authorized ground command. | AN:ATT:Attack Path:11 (Command-path integrity attack) |
AN:DET:Detection Signature:12 |
Firmware-hash mismatch at boot: detects firmware images whose measured hash does not match the signed expected value at boot or after an update. | AN:ATT:Attack Path:12 (Supply-chain firmware compromise) |
AN:DET:Detection Signature:13 |
Payload-data integrity mismatch: detects mission-product whose downlinked hash does not match the on-board signature computed before transmission, indicating tampering between the instrument and the downlink encryptor. | AN:ATT:Attack Path:13 (Payload-data tampering) |
DAY 4 COMPLETE
What you built today. Fourteen AN-DET elements written in vendor-neutral RootA with Security Operations, plus one IR playbook per attack path. 2 USER, 5 GROUND, 3 LINK, 4 SPACE. Where telemetry could see the path step, the signature ships; where it could not, the gap is declared and handed back to engineering as work to close. The signature, its path, its threat, and the element it watches now share one identifier chain any of the three departments can follow unaided. The set feeds Executive Order 14144’s detect-report-recover requirement inside the NIS2 reporting deadlines.
Your role here. Incident-response preparedness is the fourth of the five functions where a Full Spectrum professional drives change, and you don’t have to be the security operations analyst, the detection author, or the spacecraft engineer to lead it. Security Operations, Satellite Operations, and Satellite Design & Engineering can sometimes be provided by separate organizations, and an incident crosses every one of them at once. Your job is to build the cross-functional team and agree the signatures and playbooks before the incident, so each organization knows its part. That is what makes this function a deliberate point of insertion for transforming how those organizations respond together.
Updated CNSS policy for national security space systems (CNSSP No. 12 / CNSSI 1200, Aug. 2025) now requires real-time on-board intrusion detection and prevention and patch management for on-board and ground-segment software, written into procurement contracts. As Aerospace Corp.’s Brandon Bailey told CyberSat 2025: “if you build services or capabilities that support national security missions, [these requirements] apply to you.” Source: Air & Space Forces Magazine, Nov. 19, 2025.

DAY 4 COMPLETE
You wrote a signature and a playbook for every path with the Security Operations Center, the evidence behind the organization’s detect-report-recover duties. Tomorrow, Day 5 brings all three departments to one table and shrinks and hardens the exposure that keeps recurring.
ADVERSARY
MANAGEMENT.
Day 4 done. Tomorrow (Day 5 / Mod 05 · Adversary Management), you write the resilience measures that take options away from the adversary across Security Operations, Satellite Operations, and Satellite Design & Engineering, the continuity and backup protections the mandates expect for command and control.
A multiple-choice exam aligned with Module 04 KSAT areas. Drawn at random from a question bank covering Function FOUR's taxonomy element (AN-DET), its TARGET attachment (TDM), and the production flow into the next function. Exam scaffolding wired in next iteration.