SPECTRA FIELD MANUAL
DISTRIBUTED EXERCISE · spectra-duel-adjudication

Duel Mode

Run a real Red vs Blue exercise across two machines. Each side keeps its own evidence ledger; an impartial Referee correlates the two and scores the result — detection latency, coverage, misses — on evidence alone.

/spectra-duel-adjudication
MACHINE A · Red ops · actions ledger
MACHINE B · Blue ops · detections ledger
→ offline broker →
REFEREE · Correlate & score · scorecard
HOW IT WORKS

Three moves

01

Separate

Red and Blue run on separate machines. Each writes a role-local, append-only JSONL ledger of what it did or saw — no shared state, no peeking.

02

Exchange

A Red/Blue broker exchanges offline, signed JSON bundles between the separated machines — checksum + schema + event verified, deduplicated. No sockets, no remote agents, no host modification.

03

Adjudicate

The Referee correlates Red actions with Blue detections across the timeline and produces a scorecard. Credit is awarded only where the ledger proves it — agent prior knowledge of the Red plan never counts.

THE SCORECARD
Detection latency · Severity coverage · Technique misses · Mitigation credit

A score without evidence is opinion, not adjudication. Detection must be evidenced by Blue telemetry; misses distinguish absent telemetry, unanalyzed telemetry, failed detection and failed correlation. A useful scorecard improves the next exercise — it does not merely declare a winner.
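The Referee's correlation step, sketched as an added example (not SPECTRA's own code). The ledger field names, the `kind` values, the 15-minute window and the way the four miss types are told apart are all assumptions, and both ledgers are constructed sample data.

```python
import json
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # assumed correlation window
# Constructed sample ledgers; field names and technique labels are assumptions.
RED = """{"id":"r1","ts":"2024-05-01T10:00:00","technique":"TECH-A"}
{"id":"r2","ts":"2024-05-01T10:05:00","technique":"TECH-B"}
{"id":"r3","ts":"2024-05-01T10:10:00","technique":"TECH-C"}
{"id":"r4","ts":"2024-05-01T10:20:00","technique":"TECH-D"}"""
BLUE = """{"id":"b1","ts":"2024-05-01T10:00:42","kind":"detection","technique":"TECH-A"}
{"id":"b2","ts":"2024-05-01T10:04:00","kind":"detection","technique":"TECH-B"}
{"id":"b3","ts":"2024-05-01T10:10:05","kind":"telemetry","technique":"TECH-C"}"""

def load(jsonl):
    """Parse a JSONL ledger; 'ts' becomes a datetime, rows sorted by time."""
    rows = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    for row in rows:
        row["ts"] = datetime.fromisoformat(row["ts"])
    return sorted(rows, key=lambda r: r["ts"])

def adjudicate(red_jsonl, blue_jsonl):
    """One verdict per Red action, credited only on Blue ledger evidence."""
    blue, verdicts = load(blue_jsonl), []
    for act in load(red_jsonl):
        same = [b for b in blue if b["technique"] == act["technique"]]
        in_win = [b for b in same if act["ts"] <= b["ts"] <= act["ts"] + WINDOW]
        hits = [b for b in in_win if b["kind"] == "detection"]
        if hits:  # earliest detection at or after the action earns credit
            verdicts.append({"action": act["id"], "result": "detected",
                             "latency_s": (hits[0]["ts"] - act["ts"]).total_seconds(),
                             "evidence": hits[0]["id"]})
            continue
        kinds = {b["kind"] for b in in_win}
        if any(b["kind"] == "detection" for b in same):
            reason = "failed_correlation"    # detection exists, outside this action's window
        elif "analysis" in kinds:
            reason = "failed_detection"      # analyzed, no detection raised
        elif "telemetry" in kinds:
            reason = "unanalyzed_telemetry"  # data collected, never analyzed
        else:
            reason = "absent_telemetry"      # nothing recorded at all
        verdicts.append({"action": act["id"], "result": "miss", "reason": reason})
    return verdicts

def scorecard(verdicts):
    hits = [v for v in verdicts if v["result"] == "detected"]
    return {"coverage": len(hits) / len(verdicts),
            "mean_latency_s": sum(v["latency_s"] for v in hits) / len(hits) if hits else None,
            "misses": {v["action"]: v["reason"] for v in verdicts if v["result"] == "miss"}}
```

In the sample, Blue's `b2` detection is timestamped before Red's `r2` action, so it earns no credit and the action is scored as a miss.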

OFFLINE BY DESIGN

The broker is file-based: no sockets, no listeners, no remote agents, no host modification. The Blue Live Adapter ingests defensive telemetry read-only. Distribution is the point — neither side trusts the other’s claims, only the correlated evidence.