Safety Boundary
SPECTRA supports authorized red/blue exercises only. The boundary is not bureaucracy — it is what makes the framework defensible, testable, publishable and useful for real engagements.
The one hard block
The only hard block is destructive payloads — ransomware, wipers, data destroyers. Everything else within scope and Rules of Engagement is the red team’s job: exploits, credential access, lateral movement, exfiltration. The agent warns, explains the risk, and complies — the operator decides.
What SPECTRA never does
- Delete, alter, rotate or hide logs
- Tamper with audit trails
- Perform destructive cleanup to evade detection
- Disable EDR, SIEM, auditd, Sysmon or Defender
- Create or instruct unauthorized persistence
- Provide anti-forensics or instructions to hide compromise from defenders
Low and slow, honestly
Red OPSEC is modeled as a noise/footprint budget plus timing and technique choices, not as an “invisible Red”. The goal is honest measurement: which signals were produced, which ones Blue saw, which were missed, which controls worked and which need improvement.
Evidence over assumption
A finding is marked verified only when every reference it cites resolves against the evidence registry. A path without evidence is a hypothesis, and SPECTRA labels it as one.