Previously the CTF (Context Triage Framework) required massive man-hours to customize and install for new clientele. Adopting an install process that gathers a client's existing documentation into a private LLM alongside our seed information is proving wildly successful.
| Install | # of Use Cases | Document Library Size | Time to First Run | Time to Trusted Run |
|---|---|---|---|---|
| Prototype | 10 | 10MB | 4 months | 7 months |
| 1st Client | 7 | 2KB | 3 months | 9 months |
| 2nd Client | 13 | 17MB / 10MB | 2 months | 6 months |
| 3rd Client | 12 | 12MB / 5MB | 2 months | 4 months |
We have four complete installs so far. In each, the number of Use Cases was tracked against our content library. Clients 2 and 3 required the development of new Use Cases to cover specific technologies in the client's security stack.
The Document Library Size
This has two volumes. The first is the total size of the documents that make up the agreed processes and responses. The second is how much of that library is already built into the CTF. This has become an important part of evolving the Framework: previously the seed document was a series of content pieces that could be shared and referenced in the CTF. It may be more useful to count and track the documents themselves, but since the CTF uses and re-uses smaller pieces of content for references and walk-throughs, counting full documents did not seem valuable.
Time to First Run
This is an important milestone for project installs: the first time all components work successfully as a single unit. To get there, the document scripts must be working to catalogue and retrieve notes and processes; the detection and anomaly engine must be working and outputting the formatted data; Triage and Assistant notebooks must be successfully matched and applied; and finally those notebooks are run against the data and must produce valid and correct entries for the triage processes, having followed those processes with proper output of documentation. All of this is validated to a level of trust, not by us as the installers but by the client analysts.
Time to Trusted Run
This milestone has not happened without all detection processes, notebooks and documents loaded into the system, and without multiple runs across different alerts and scenarios having been observed and validated by the client analysts. For the initial load, this run usually marks full SIEM and SOAR interaction: from alert detection, to production of commentary and triage evidence, to automated remediation.
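The two milestones above describe a gated pipeline: detection output in the agreed format, a notebook matched to the alert's Use Case, the referenced process documents retrieved from the catalogue, a complete triage entry produced, and finally analyst sign-off across several scenarios. The following is an added example that models those gates in Python; it is not the CTF's own code. The catalogue, notebooks, alerts and sign-off records are constructed here for illustration, and the function and field names (`run_once`, `milestones`, `use_case`, `score`) are assumptions rather than anything the framework exposes.

```python
"""Hypothetical model of the CTF 'first run' and 'trusted run' gates (added example)."""
from typing import Dict, List, Optional, Tuple

# Constructed document catalogue: stands in for the document scripts that
# catalogue and retrieve notes and processes.
CATALOGUE: Dict[str, str] = {
    "proc-phish-001": "Phishing triage: verify sender domain, detonate attachment in sandbox.",
    "proc-brute-002": "Brute force: confirm source address, check lockout policy, reset credentials.",
}

# Constructed triage notebooks keyed by Use Case. Each lists the catalogue
# documents it walks through and the fields its triage entry must contain.
NOTEBOOKS: Dict[str, dict] = {
    "phishing": {"docs": ["proc-phish-001"], "fields": ["verdict", "evidence"]},
    "brute_force": {"docs": ["proc-brute-002"], "fields": ["verdict", "evidence", "remediation"]},
}

# The agreed output format of the detection/anomaly engine (assumed schema).
REQUIRED_ALERT_KEYS = {"id", "use_case", "source", "score"}


def validate_detection_output(alert: dict) -> bool:
    """Gate 1: the detection engine emitted every agreed field with a numeric score."""
    missing = REQUIRED_ALERT_KEYS - set(alert)
    return not missing and isinstance(alert["score"], (int, float))


def match_notebook(alert: dict) -> Optional[dict]:
    """Gate 2: a triage notebook exists for this alert's Use Case."""
    return NOTEBOOKS.get(alert["use_case"])


def apply_notebook(alert: dict, notebook: dict) -> Optional[dict]:
    """Gate 3: retrieve every referenced process document, then build the triage entry.
    Returns None when a referenced document is absent from the catalogue."""
    for doc_id in notebook["docs"]:
        if doc_id not in CATALOGUE:
            return None
    entry = {
        "alert_id": alert["id"],
        "verdict": "suspicious" if alert["score"] >= 70 else "benign",
        "evidence": f"source={alert['source']}; score={alert['score']}",
        "references": list(notebook["docs"]),  # documentation trail for the analyst
    }
    if "remediation" in notebook["fields"]:
        entry["remediation"] = "per " + notebook["docs"][0]
    return entry


def validate_entry(entry: dict, notebook: dict) -> bool:
    """Gate 4: the entry carries every field the notebook's process requires."""
    return all(field in entry for field in notebook["fields"])


def run_once(alert: dict) -> Tuple[bool, str, Optional[dict]]:
    """One end-to-end run. Returns (ok, stage reached, triage entry or None)."""
    if not validate_detection_output(alert):
        return False, "detection_output", None
    notebook = match_notebook(alert)
    if notebook is None:
        return False, "notebook_match", None
    entry = apply_notebook(alert, notebook)
    if entry is None:
        return False, "document_retrieval", None
    if not validate_entry(entry, notebook):
        return False, "triage_entry", entry
    return True, "complete", entry


def milestones(alerts: List[dict], analyst_signoff: Dict[str, bool]) -> dict:
    """first_run: at least one alert passed every gate.
    trusted_run: every alert across all scenarios passed and was signed off by a client analyst."""
    results = {a["id"]: run_once(a) for a in alerts}
    first_run = any(ok for ok, _, _ in results.values())
    trusted_run = bool(results) and all(
        ok and analyst_signoff.get(alert_id, False) for alert_id, (ok, _, _) in results.items()
    )
    failures = {alert_id: stage for alert_id, (ok, stage, _) in results.items() if not ok}
    return {"first_run": first_run, "trusted_run": trusted_run, "failures": failures}


# Constructed alerts: two covered Use Cases and one the content library lacks a notebook for.
ALERTS = [
    {"id": "a1", "use_case": "phishing", "source": "mail-gw", "score": 85},
    {"id": "a2", "use_case": "brute_force", "source": "10.0.0.5", "score": 40},
    {"id": "a3", "use_case": "lateral_movement", "source": "host-7", "score": 90},
]
SIGNOFF = {"a1": True, "a2": True}  # constructed client-analyst validation record

if __name__ == "__main__":
    print(milestones(ALERTS, SIGNOFF))
```

Run as written, the report shows `first_run` reached but `trusted_run` not, with `a3` failing at `notebook_match`: exactly the situation described for Clients 2 and 3, where a technology in the security stack had no Use Case yet and a new notebook had to be developed before the trusted-run milestone could be claimed.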