Sphynx ActiveDefense Command Center
Demo environment using simulated security telemetry. No customer data is displayed.
ACTIVE INCIDENT INC-24-0618-A CRITICAL
Ransomware Staging — Airline Gate Operations
"Sphynx detected a multi-stage intrusion attempt, triggered deception controls, isolated the endpoint, preserved evidence, and generated an audit-ready incident record — before lateral movement occurred."
✅ CONTAINED BEFORE LATERAL MOVEMENT Confidence: 94% (simulated)
Endpoint: AIRLINE-GATEOPS-WS014  |  Area: Gate Operations
Sphynx ActiveDefense Command Center helps enterprise security teams correlate endpoint, identity, deception, cloud, AI-agent, and SIEM signals into evidence-backed incident decisions.
Designed to complement existing security investments, support human-approved response workflows, and produce audit-ready records for regulated and mission-sensitive environments. Sphynx does not require replacing the customer's current security stack.
Active Incidents: 1 CRITICAL (↑ Escalated)
Mission Area: Gate Operations (active targeting zone)
Containment: ✅ Complete (↓ No spread)
Endpoint Risk: CRITICAL (↑ Score: 97)
Identity Risk: Elevated (↑ Suspicious session)
Business Impact: None Detected (↓ Ops unaffected)
Approvals Pending: 2 (→ Awaiting command)
Evidence Confidence: 94% (↑ High integrity)
Evidence used: Process tree ✓ Deception trigger ✓ Identity anomaly ✓ Network beacon ✓ Command fragment ✓
Incident Detail
Incident ID: INC-24-0618-A
Severity: CRITICAL
MITRE Techniques: T1059.001 • T1486 • T1490
Deception Triggered: Yes — Decoy payroll file
Containment: Endpoint isolated | Egress blocked
Duration: 8m 12s from detection to isolation
Business Impact
Gate downtime: Avoided
Crew scheduling: Protected
Customer outage: None
Mission Impact Cascade
💻 Endpoint: AIRLINE-GATEOPS-WS014 | ⚠ Compromised
⚙️ Ops System: Gate Management System | ⚠ At Risk
✈️ Business Process: Flight Departures | ✅ Protected
👥 Customer / Mission: Passenger Experience | ✅ No Impact
Containment occurred at endpoint layer — downstream systems and mission outcomes protected
How Sphynx Adds Context Across Existing Security Signals
Signal | Traditional Tool | Sphynx Added Value | Why It Matters
Suspicious PowerShell | EDR alert | Correlated to deception file access | Proves intent, reduces false-positive risk
Privileged login | Identity alert | Mapped to mission system exposure | Shows business risk, not just a log entry
File access | File log | Identified access to a decoy asset | High-confidence signal: no legitimate user or approved process should access this asset
Network beacon | Firewall log | Linked to endpoint process and user session | Full kill chain, not isolated event
AI tool call | App log | Flagged autonomous secret-access risk | New attack surface most tools miss
Compliance & Framework Alignment
NIST CSF 2.0 — ALIGNED  |  MITRE ATT&CK ✅  |  Zero Trust — ALIGNED  |  CMMC* 🔵  |  FedRAMP* 🔵  |  SOC 2* 🔵  |  CISA Secure by Design — ALIGNED
* In progress — architecture aligned, certification planned
How It Works
01 Detect
Deception assets, endpoint telemetry, and identity signals are correlated in real time. Legitimate users and approved processes should not access a decoy under normal operating conditions, so when an attacker touches one, Sphynx registers a high-confidence alert with full evidence context.
02 Decide
AI synthesizes evidence into a confidence-scored incident with MITRE mapping, business-impact assessment, and recommended containment actions. Pre-authorized containment actions can execute under a defined, audited policy. Irreversible or high-impact actions, such as credential reset, session revoke, forensic release, or destructive cleanup, require explicit analyst approval.
03 Document
Every action is logged with who approved it, when, why, and against which policy rule. Draft audit packages, executive briefs, and STIX bundles can be generated for analyst/legal review before external use.
Confidence scores, alert counts, and timing values shown are illustrative for this simulated scenario.
Alert Queue — 5 Active
CRITICAL
Canary File Access + Ransomware Staging
Endpoint: AIRLINE-GATEOPS-WS014  |  09:44:02  |  Confidence: 94%  |  CONTAINED
Process Tree
explorer.exe (4821)
└─ winword.exe (7203)   — Office document
   └─ powershell.exe (9341) ⚠ SUSPICIOUS
      └─ cmd.exe (9412)
         └─ vssadmin.exe (9501) 🔴 CRITICAL
Command: powershell.exe -enc [base64] | vssadmin Delete Shadows /All /Quiet
File touched: \\FinanceShare\Payroll_Q3_Protected.xlsx (DECOY ⚠)
Identity: Concurrent session from unusual location
Network: 185.220.101.47:443 — Tor exit node — ASN60117
Deception: Decoy asset accessed — HIGH confidence
MITRE: T1059.001 | T1486 | T1490
Actions taken: ✓ Deception trigger   ✓ Endpoint isolated   ✓ Egress blocked
FP Analysis: No legitimate process should access this decoy file. High-confidence malicious classification when deception assets are touched.
HIGH
C2 Beacon — Outbound HTTPS to Known Tor Exit
Endpoint: EXEC-WS-CORP-031  |  09:51:14  |  Confidence: 87%  |  BLOCKED
MITRE: T1071.001 — Application Layer Protocol: Web Protocols
Destination: 194.147.140.89:443 — Known C2 infrastructure — ASN51396
Process: svchost.exe → wscript.exe → powershell.exe (hidden window)
Egress: Blocked at perimeter firewall
Deception: No decoy triggered — network IOC only
Recommended: Isolate endpoint | Check lateral movement path
HIGH
Privileged Account Anomaly — After-Hours Privileged Login
Endpoint: PAYMENTS-OPS-WS022  |  02:17:43  |  Confidence: 81%  |  INVESTIGATING
MITRE: T1078.003 — Valid Accounts: Local Accounts
Account: svc-payments-admin
Login time: 02:17 UTC — outside business hours pattern
Source IP: 10.8.44.12 — not a registered admin workstation
Deception: Fake admin credential bait NOT touched — early-stage
Recommended: Force MFA re-auth | Review session commands
MEDIUM
DNS Tunneling — Suspicious High-Volume TXT Queries
Endpoint: LOGISTICS-NODE-017  |  10:02:31  |  Confidence: 74%  |  BLOCKED
MITRE: T1071.004 — Application Layer Protocol: DNS
Domain: a1b2c3.exfil-relay.xyz — registered 3 days ago
Volume: 4,200 TXT queries in 4 minutes — anomalous baseline
Egress: DNS blocked at resolver
Deception: No decoy triggered — network pattern only
MEDIUM
Sphynx AI Guard — AI Agent Secrets Access — Unauthorized Credential Scope
Endpoint: support-agent-prod-03  |  11:18:04  |  Confidence: 88%  |  FLAGGED
MITRE: T1552.001 — Credentials in Files
Agent ID: support-agent-prod-03
Tool call: read_secret("PROD_DB_PASSWORD") — outside permitted scope
Deception: Synthetic API key accessed — TRIGGERED
Action taken: Tool call blocked | Agent session flagged for review
AI Risk Note: Autonomous AI agents with broad tool permissions represent an emerging attack surface. Sphynx monitors agent tool calls against permitted scopes and plants synthetic secrets to detect exfiltration attempts.
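An added example, not Sphynx's own code, of the scope check the AI Risk Note describes: each read_secret call is checked against the agent's permitted scope, and any read of a planted synthetic secret is treated as a deception trigger. The agent id, the read_secret tool name and PROD_DB_PASSWORD come from the alert above; the scope list and the synthetic secret name are constructed.

```python
# Added example (not Sphynx code): a guard for AI-agent tool calls that
# enforces a per-agent permitted secret scope and treats any read of a
# planted synthetic (canary) secret as a high-confidence deception trigger.
from fnmatch import fnmatch

# Permitted scope per agent as glob patterns over secret names (assumption).
AGENT_SCOPES = {
    "support-agent-prod-03": ["SUPPORT_TICKET_API_KEY", "KB_SEARCH_TOKEN"],
}
# Synthetic secrets exist only to be stolen; no workflow legitimately uses them.
SYNTHETIC_SECRETS = {"BILLING_API_KEY_BACKUP"}   # constructed canary name


def guard_tool_call(agent_id: str, tool: str, args: list) -> dict:
    """Return a verdict for one tool call: allow, or block with reason,
    ATT&CK technique and severity. Unknown agents have no scope at all."""
    if tool != "read_secret":
        return {"allow": True, "reason": "not a secret access"}
    secret = args[0] if args else ""
    if secret in SYNTHETIC_SECRETS:
        # The decoy was touched: strongest signal, independent of scope.
        return {"allow": False, "severity": "CRITICAL", "mitre": "T1552.001",
                "reason": "synthetic secret accessed: deception TRIGGERED"}
    permitted = AGENT_SCOPES.get(agent_id, [])
    if any(fnmatch(secret, pattern) for pattern in permitted):
        return {"allow": True, "reason": "within permitted scope"}
    return {"allow": False, "severity": "HIGH", "mitre": "T1552.001",
            "reason": f"{secret or '<empty>'} outside permitted scope for {agent_id}"}


def review_session(agent_id: str, calls: list) -> list:
    """Apply the guard to a session's (tool, args) calls and return only the
    blocked ones, in order, so an analyst can review the flagged session."""
    flagged = []
    for tool, args in calls:
        verdict = guard_tool_call(agent_id, tool, args)
        if not verdict["allow"]:
            flagged.append({"tool": tool, "args": list(args), **verdict})
    return flagged
```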
INC-24-0618-A CRITICAL Duration: 00:08:12
Ransomware Staging — Airline Gate Operations
Incident Timeline
09:41:12  User authenticated — normal location
09:43:08  ⚠ Suspicious PowerShell spawned from document
09:43:19  🔴 Credential-access behavior — LSASS
09:44:02  🪤 Canary file accessed — deception TRIGGERED
09:44:05  📈 Risk raised to CRITICAL (score: 97)
09:44:11  🚫 Network egress blocked — Tor exit node
09:44:19  🔒 Endpoint ISOLATED
09:45:00  👤 Related identity sessions flagged
09:46:10  ✅ Analyst approved credential reset
09:47:30  📄 Executive summary generated
09:49:00  📦 Audit record exported
Containment Status
Endpoint isolation: ✅ Complete
Session revoke: ⏳ Pending approval
Firewall block: ✅ Complete
Evidence package: ✅ Complete
SIEM export: ✅ Complete
Executive brief: ✅ Generated
Audit package: ✅ Exported
Pending Approvals
Force Credential Reset
Account: svc-gateops-admin — requires security lead sign-off
Release Forensic Package to DFIR
SHA-256 verified package — requires command authorization
AI Incident Summary
Multi-stage intrusion. Office macro spawned PowerShell → credential access (LSASS) → triggered deception file → ransomware staging (vssadmin).
Confidence: 94%
FP risk: Low — simulated scenario
MITRE chain: T1059.001 → T1003.001 → T1486 → T1490
Pre-authorized containment actions execute within defined, audited parameters. Irreversible actions require explicit analyst approval.
Export Incident Record
Demo exports shown as sample artifacts. Production exports are configurable by customer policy and integration scope.
Sphynx Active Defense: We plant controlled tripwires across your environment — decoy files, synthetic credentials, honeypot shares, and fake secrets — and observe attacker behavior to create high-confidence evidence before damage spreads. Legitimate users and approved processes should not access these assets under normal operating conditions, so when a deception asset is triggered, Sphynx raises confidence substantially and gives analysts stronger evidence than a generic alert. Analysts still confirm before acting.
Deception Asset Status
🪤 Decoy Payroll File: TRIGGERED (09:44:02 — INC-24-0618-A)
🔑 Fake Admin Credential: ● MONITORING (no access in 72h)
🗝 Synthetic API Key: TRIGGERED (11:18:04 — AI agent event)
📂 Honey SMB Share: TRIGGERED (09:43:55 — enumeration)
🗄 Decoy DB Record: ● MONITORING (no access in 7d)
Airline Ops File: TRIGGERED (09:44:02 — same attacker)
💳 Fake Payment Routing: ● MONITORING (no access in 14d)
🏷 Fake Logistics Manifest: TRIGGERED (09:58:14 — secondary session)
Without Deception Controls
❌ "Something suspicious happened" — maybe
❌ High false positive rate — alert fatigue
❌ Long investigation to confirm malicious
❌ Attacker may move laterally before detection
❌ Evidence may be incomplete or contaminated
With Sphynx Deception Layer
✅ "Deception asset accessed — strong evidence of unauthorized behavior"
✅ High-confidence signal — deception assets no legitimate user should touch
✅ Evidence-linked classification with analyst review queue
✅ Containment triggered before lateral movement
✅ Complete audit-ready evidence package
Total Assets: 8  |  Triggered: 4  |  Evidence Captured: 4  |  False Positives (simulated scenario): 0
Incident Decision Record — INC-24-0618-A
Time | Actor | Action | Rationale | Policy Rule | NIST Function | Evidence
09:44:02 | Sphynx AI | Triggered deception alert | Decoy file accessed — unauthorized behavior strongly indicated | P-DEC-001 | DETECT | Decoy trigger + process tree
09:44:19 | Sphynx policy engine (pre-approved containment policy) | Endpoint isolated | Ransomware staging confirmed — executed under pre-authorized containment policy within defined parameters | P-CONT-002 | RESPOND | MITRE T1486 + deception
09:46:10 | J. Martinez (Analyst) | Approved credential reset | Verified session anomaly and LSASS access — justified | P-IDEN-003 | RESPOND | Analyst sign-off logged
09:47:30 | Sphynx AI | Executive brief generated | Automated reporting per IR playbook | P-RPT-001 | RESPOND | AI-assisted, analyst reviewed
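The Detect / Decide / Document flow described under How It Works, carried through to the decision-record rows shown in the table above, as an added example that is not Sphynx's own code. The policy rule ids (P-DEC-001, P-CONT-002, P-IDEN-003) are taken from this page; the signal shapes, the scoring weights and the 90% auto-containment threshold are assumptions.

```python
# Added example, not Sphynx's own code: a minimal Detect / Decide / Document
# engine producing decision-record rows like the table above. Policy ids
# (P-DEC-001, P-CONT-002, P-IDEN-003) come from the page; the signal shapes,
# scoring weights and the 90% auto-containment threshold are assumptions.
from dataclasses import dataclass, field

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Reversible actions a policy may pre-authorize vs. actions needing an analyst.
PRE_AUTHORIZED = {"Endpoint isolated": "P-CONT-002", "Egress blocked": "P-CONT-002"}
APPROVAL_REQUIRED = {"Credential reset": "P-IDEN-003", "Session revoke": "P-IDEN-003"}


@dataclass
class Incident:
    process_chain: list        # parent-to-child process image names
    command_line: str
    decoy_touched: bool
    identity_anomaly: bool
    techniques: list = field(default_factory=list)
    confidence: int = 0
    record: list = field(default_factory=list)   # decision-record rows

    def log(self, time, actor, action, rationale, rule, nist):
        self.record.append(dict(time=time, actor=actor, action=action,
                                rationale=rationale, rule=rule, nist=nist))
        return self.record[-1]


def detect(inc: Incident, time: str) -> Incident:
    """Step 01: map raw signals to MITRE techniques and a confidence score."""
    chain = [p.lower() for p in inc.process_chain]
    # Office document spawning PowerShell (T1059.001).
    if any(a in OFFICE_APPS and b == "powershell.exe" for a, b in zip(chain, chain[1:])):
        inc.techniques.append("T1059.001"); inc.confidence += 40
    # Shadow-copy deletion is the ransomware staging step (T1490).
    if "vssadmin.exe" in chain and "delete shadows" in inc.command_line.lower():
        inc.techniques.append("T1490"); inc.confidence += 25
    # Decoy access is the strongest single signal: no legitimate process touches it.
    if inc.decoy_touched:
        inc.confidence += 25
        inc.log(time, "Sphynx AI", "Triggered deception alert",
                "Decoy file accessed", "P-DEC-001", "DETECT")
    if inc.identity_anomaly:
        inc.confidence += 4
    inc.confidence = min(inc.confidence, 100)
    return inc


def decide(inc: Incident, time: str, threshold: int = 90):
    """Step 02: execute pre-authorized containment above the threshold and
    only when a decoy confirms intent; queue irreversible actions for approval."""
    executed, pending = [], []
    if inc.decoy_touched and inc.confidence >= threshold:
        for action, rule in PRE_AUTHORIZED.items():
            executed.append(action)
            inc.log(time, "Sphynx policy engine", action,
                    "Executed under pre-authorized containment policy", rule, "RESPOND")
    if inc.identity_anomaly:
        pending = list(APPROVAL_REQUIRED)   # never auto-executed
    return executed, pending


def approve(inc: Incident, time: str, analyst: str, action: str, rationale: str):
    """Step 03: record who approved what, when, why and under which rule."""
    if action not in APPROVAL_REQUIRED:
        raise ValueError(f"{action!r} is not an approval-gated action")
    return inc.log(time, analyst, action, rationale, APPROVAL_REQUIRED[action], "RESPOND")
```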
NIST Cybersecurity Framework 2.0 — Sphynx Mapping
GV GOVERN
✅ IR policy automation
✅ Approval workflows enforced
✅ Human-in-loop controls
ID IDENTIFY
✅ Asset inventory (endpoints)
✅ Risk scoring
✅ MITRE technique mapping
PR PROTECT
✅ Network egress control
✅ Identity MFA enforcement
✅ RBAC on approvals
DE DETECT
✅ Deception layer (high-confidence signals)
✅ Behavioral correlation
✅ AI confidence scoring
RS RESPOND
✅ Automated containment
✅ Human-approved actions
✅ Audit trail per decision
RC RECOVER
✅ Evidence preservation
✅ DFIR package export
✅ Lessons-learned record
AI Governance Controls
Control | Description | Status
Human in the loop | All high-impact AI actions require human approval | ✅ Enforced
Confidence thresholds | AI recommendations include confidence score and FP estimate | ✅ Enforced
Explainability | AI conclusions are designed to include supporting evidence chains where applicable | ✅ Design
Audit logging | AI-assisted recommendations logged with timestamp, source context, and model/version metadata where configured | ✅ Design
Scope limits | AI agents restricted to defined tool scopes; violations flagged | ✅ Enforced
Bias review | Quarterly review of alert distribution across asset types | 🔵 Planned Q3
Model versioning | Model ID logged per decision for reproducibility | ✅ Enforced
Data minimization | Only signals needed for detection ingested | ✅ Enforced
Red team schedule | Adversarial testing of AI detection models | 🔵 Planned Q4
Compliance Posture
NIST CSF 2.0 — ALIGNED  |  MITRE ATT&CK — ALIGNED  |  CISA Secure by Design — ALIGNED  |  CMMC L2 — ARCHITECTURE SUPPORT  |  FedRAMP Moderate — PATH EVALUABLE FOR GOV DEPLOYMENTS  |  SOC 2 Type II — PLANNED
Architecture support = Sphynx is designed to generate evidence and audit records that may support these control areas. Certification requires formal assessment by an accredited third party. Planned = certification pathway identified; formal assessment not yet complete.
Government / DoD Note: Sphynx is designed for zero-trust-aligned, mission-sensitive environments and generates audit records consistent with CMMC and NIST 800-171 evidence requirements. Architecture support only. Not represented as FedRAMP, CMMC, or DoD authorized unless formally assessed and certified by an accredited third-party assessor (3PAO / C3PAO).
Audit Package Export
Demo exports shown as sample artifacts. Production exports are configurable by customer policy and integration scope.
Sphynx Secure-by-Design
We hold Sphynx to the same secure-by-design principles we help customers achieve. Sphynx is designed around CISA Secure-by-Design principles: human oversight required for all consequential actions, complete audit logging, minimal privilege by default, and transparent AI governance.
Identity & Access
🔐 MFA / SSO: Supported — required in production deployments
👥 RBAC: Analyst, admin, auditor, executive roles — production design
📋 Audit Log: Tamper-evident audit logging for security-relevant sessions and administrative actions
🔍 Admin Review: Quarterly privileged access review
Data Protection
🔒 Encryption at Rest: Deployment-model dependent
🛡 In Transit: TLS in transit — enforced per deployment config
🏢 Tenant Separation: Required production control; implementation depends on deployment model
🗑 Data Minimization: Designed to minimize PII exposure — configurable redaction per policy
Operational Controls
Control | Implementation | Status
Vulnerability management | Dependency scanning and patch management program — cadence deployment-dependent | 📋 Production Design
Penetration testing | Security testing program defined; third-party assessment status provided separately upon request | 📋 Defined
SIEM / logging | Centralized log aggregation — retention configurable per deployment | 📋 Production Design
Incident response plan | IRP framework defined — review cadence customer/deployment dependent | 📋 Defined
Business continuity | BCP framework defined — RTO targets deployment-dependent | 📋 Defined
Backup & recovery | Backup and recovery architecture — implementation deployment-dependent | 📋 Production Design
Change management | Production change review and rollback policy — production design | 📋 Production Design
Employee security training | Security awareness program — status provided separately upon request | 📋 Defined
AI Governance
Principle | Implementation | Status
Human oversight | Irreversible high-impact actions (credential reset, forensic release, session revoke) require explicit analyst approval. Pre-authorized containment policies (endpoint isolation, egress block) execute within defined, audited parameters. | ✅ Design
Transparency | Every AI recommendation includes confidence, evidence, and MITRE mapping | ✅ Enforced
Scope limits | AI agents operate within defined tool scopes — violations flagged immediately | ✅ Enforced
Audit trail | AI conclusions are designed to include supporting evidence chains where applicable; model version and context logged per configuration | ✅ Design
Adversarial testing | Regular red-teaming of AI detection logic | 🔵 Planned Q4
Compliance Posture
CISA Secure by Design — ALIGNED  |  NIST CSF 2.0 — ALIGNED  |  Zero Trust Architecture ✅  |  SOC 2 Type II 🔵 Planned  |  FedRAMP Moderate 🔵 Architecture can be assessed for future authorization
🔓 Responsible Disclosure
We welcome responsible security research. If you discover a vulnerability in Sphynx systems, please report it to security@sphynxaisolutions.com. We aim to acknowledge reports within 24 hours and prioritize critical issues for expedited review and remediation. We will not pursue legal action against good-faith researchers operating within our disclosure policy.
Enterprise Buyer Overview
This section answers the operational questions enterprise procurement, compliance, security leadership, and SOC teams ask before evaluating a new security platform. All capabilities shown use simulated telemetry. Production capabilities, integrations, certifications, and control enforcement depend on deployment scope and formal validation.
Integration Status — Your Existing Stack
Sphynx complements existing EDR, XDR, SIEM, SOAR, identity, and cloud-security investments — does not require replacing your current stack.
Legend: ◈ Demo  |  ◉ Planned  |  ✓ Available  |  ⚙ Custom
Status reflects connector roadmap — availability confirmed during engagement scoping
CrowdStrike Falcon (◈ Demo): Ingest endpoint alerts; add deception confirmation layer to Falcon detections
Microsoft Defender / Sentinel (◉ Planned): Correlate Defender alerts; export enriched incident records and KQL hunt queries to Sentinel
SentinelOne (◉ Planned): Ingest S1 threat intelligence and endpoint telemetry; add deception confirmation
Splunk (◈ Demo): Push enriched incident timelines, decision records, and MITRE-mapped evidence to Splunk indexes
IBM QRadar (◉ Planned): Send enriched offense records with deception context and analyst decision trail
Microsoft Entra ID / Azure AD (◉ Planned): Add user session, privilege, and identity-risk context to incident decisions
Okta (◉ Planned): Session, MFA, and privilege context correlated with endpoint and deception signals
ServiceNow / Jira (◈ Demo): Auto-create and update incident tickets with evidence-linked decision records
Palo Alto XSOAR / Cortex (◉ Planned): Hand off human-approved containment actions to SOAR playbooks for execution
AWS Security Hub / GuardDuty (◉ Planned): Correlate cloud workload and access-risk findings with endpoint and identity signals
Archer / ServiceNow GRC (◉ Planned): Export evidence packages and decision records for compliance and audit review
Custom / On-Prem Connectors (⚙ Custom): Air-gapped, mission-specific, or proprietary stack integrations scoped per engagement
Deployment Models
Model | Use Case
SaaS | Standard enterprise deployment
Private Cloud | Regulated enterprise environments with data sovereignty requirements
On-Premises | Banking, defense, and critical infrastructure environments
Air-Gapped Architecture | Mission-sensitive and disconnected environments
Hybrid | Cloud console with local collectors at the edge
Deployment options are subject to customer security requirements, integration scope, and formal architecture review.
Data Handling & Privacy
Sphynx is designed to minimize data exposure by ingesting only required security telemetry, applying configurable redaction, enforcing role-based access, and retaining records according to customer policy.
Data Area | Control
Customer telemetry | Configurable retention per customer policy
Secrets & credentials | Redacted from logs and exports by design
AI prompts / tool calls | Logged according to customer governance policy
AI outputs / recommendations | Evidence-linked and reviewable by analysts
Sensitive files | Not stored unless explicitly configured
Tenant data | Separated by customer / tenant in production deployments
Exports | Role-controlled; configurable by policy
Admin actions | Designed to be audited in tamper-evident records (validated at architecture review)
Security of the Sphynx Platform
Enterprise buyers ask: who watches the watcher? The following controls apply to the Sphynx platform itself.
Control | Status
MFA / SSO | Supported / integration-dependent
RBAC | Analyst, admin, auditor, and executive roles
Audit logs | Admin and analyst actions recorded in tamper-evident log
Encryption in transit | TLS — enforced per deployment configuration
Encryption at rest | Deployment-model dependent
Tenant separation | Required production control; implementation depends on deployment model
Secrets handling | No hardcoded credentials; environment-variable and vault patterns
Penetration testing | Security testing program defined; third-party status provided on request
Vulnerability disclosure | Responsible disclosure channel: security@sphynxaisolutions.com
Admin access | Logged, restricted, and auditable
Control status reflects design intent and demo implementation. Production control enforcement is validated during customer architecture review.
Enterprise Review Questions
Q: Does this replace our EDR?
A: No. Sphynx complements and correlates existing EDR, XDR, SIEM, and identity tools — it does not replace them.
Q: Does it take autonomous destructive actions?
A: No. Sphynx does not take uncontrolled destructive actions. Pre-authorized containment actions, such as endpoint isolation or egress block, can execute under customer-defined policy. Irreversible or high-impact actions — credential reset, session revoke, forensic release, or destructive cleanup — require explicit analyst approval.
Q: Can it run on-prem?
A: Architecture supports on-premises and air-gapped deployments. Scope confirmed during formal architecture review.
Q: Does it store sensitive data?
A: Data ingestion, retention, and redaction are configurable by customer policy and deployment model.
Q: Can we audit AI recommendations?
A: AI-assisted recommendations are designed to be evidence-linked and retained in tamper-evident decision records (design intent; validated at architecture review).
Q: Can it export to our SIEM or ticketing system?
A: Designed for integration with SIEM, SOAR, ticketing, and GRC platforms. Integration scope confirmed per engagement.
Q: Is this FedRAMP / CMMC certified?
A: Not currently authorized. Architecture aligns with CMMC and NIST 800-171 evidence requirements. Certification status stated separately when applicable.
Q: How do we control what analysts can see or do?
A: Role-based access controls separate analyst, admin, auditor, and executive permissions. All actions are audit-logged.
Q: What does the sales / evaluation process look like?
A: Contact demo@sphynxaisolutions.com to schedule a technical architecture review and scoped evaluation.
Sphynx ActiveDefense Command Center  ·  Demo build v3.5.1  ·  Simulated telemetry — no customer data  ·  demo@sphynxaisolutions.com