SPECTRA FIELD MANUAL
Safety

Safety Boundary

SPECTRA supports authorized red/blue exercises only. The boundary is not bureaucracy — it is what makes the framework defensible, testable, publishable and useful for real engagements.

The one hard block

The only hard block is destructive payloads — ransomware, wipers, data destroyers. Everything else within scope and Rules of Engagement is the red team’s job: exploits, credential access, lateral movement, exfiltration. The agent warns, explains the risk, and complies — the operator decides.

What SPECTRA never does

  • Delete, alter, rotate or hide logs
  • Tamper with audit trails
  • Perform destructive cleanup to evade detection
  • Disable EDR, SIEM, auditd, Sysmon or Defender
  • Create or instruct unauthorized persistence
  • Provide anti-forensics or instructions to hide compromise from defenders

Low and slow, honestly

Red OPSEC is modeled as noise/footprint budget and timing/technique choice — not as “invisible Red”. The goal is honest measurement: which signals were produced, which Blue saw, which were missed, which controls worked and which need improvement.

Evidence over assumption

A finding is marked verified only when its references resolve against the evidence registry. A path without evidence is a hypothesis, and SPECTRA says so.