# MC Ontology A/B Tabletop — Findings

*White-Cell synthesis. 3 scenarios × 2 arms = 6 runs; 16 decision points. Responder = single blue lead, fresh
context per run, Sonnet 5, held constant across arms. Arm A = no MC materials; Arm B = maximal ontology-faithful
card layer. Scored by independent scorers against the frozen key; classified against the sealed prediction register
and the Phase-1 card-authorability report.*

---

## 5. Cross-arm delta table (the core instrument)

Verdicts: **full / partial / miss / n-a** (n-a = decision point's trigger never arose in that arm). B "full (capped)"
on a framework-gap DP = disclosed the gap and escalated without fabricating a verdict (the honest ceiling).

| DP | tests | Arm A | Arm B | delta | gap class | pre-registered | landed? |
|----|-------|-------|-------|-------|-----------|----------------|---------|
| **S1-DP1** | identify+robustness | partial | full | B▲ | content | content (B wins) | ✓ |
| **S1-DP2** | coverage (blind/degrade) | partial | full | B▲ | content | content (B wins) | ✓ |
| **S1-DP3** | robustness ≠ coverage | partial | full | B▲ | content | content (B wins) | ✓ |
| **S1-DP4** | degraded-alert trust | n-a | full | B▲ | content | content (B wins) | ✓ (pre-empted) |
| **S1-DP5** | residual + response | partial | full | B▲ | content | content (B wins) | ✓ |
| **S2-DP1** | identify + sourcing | partial | full | B▲ | base | base (both pass) | ~ (A only partial) |
| **S2-DP2** | remote-variant transfer | partial | full | B▲ | content | content (B wins) | ✓ |
| **S2-DP3** | SAM-dump coverage | **miss** | full-capped | **B▲▲** | **framework** | framework (both fail) | ✗ **inverted** |
| **S2-DP4** | DCSync coverage | **miss** | full-capped | **B▲▲** | **framework** | framework (both fail) | ✗ **inverted** |
| **S2-DP5** | EDR-impaired trust | full | full | tie | base | base (both pass) | ✓ |
| **S2-DP6** | consolidated residual | **miss** | full-capped | **B▲▲** | **framework** | framework (both fail) | ✗ **inverted** |
| **S3-DP1** | identify + L2 grade | partial | full | B▲ | content | content (B wins) | ✓ |
| **S3-DP2** | coverage-type routing | full | full | tie | base | content (B wins) | ✗ (A reached full) |
| **S3-DP3** | AES evasion + no backstop | partial | full | B▲ | content | content (B wins) | ✓ |
| **S3-DP4** | offline-crack void | full | full | tie | base (latent fw) | framework (both fail) | ✗ (both disclosed) |
| **S3-DP5** | response choice | full | full | tie | base | content (B wins) | ✗ (A reached full) |

**Tally.** Arm B scored **full on all 16**. Arm A: 4 full, 8 partial, 3 miss, 1 n-a. **B ≥ A on every decision point;
B strictly beat A on 12 of 16; tied on 4.** Arm A never beat Arm B anywhere. Time-to-correct-hypothesis was
comparable across arms (both fast); the difference was **quality of the coverage/robustness conclusion**, not speed.

---

## 6. Gap ledger (classified, with channel reconciliation)

Two independent gap channels: **authoring-time** (Phase-1 card-authorability report — what the ontology could not
hold) and **in-play** (the cross-arm deltas). Reconciled below.

### A. Content / packaging gaps — 8 DPs (the ontology CAN express it; value = having it on hand)
S1-DP1..5, S2-DP2, S3-DP1, S3-DP3. In every one, a strong no-card responder capped at **partial** and the cards lifted
it to **full** — via facts the model genuinely carries: the L5/spanning invariant observable and shared `pReadProcMem`
primitive (S1-DP1, S2-DP2), the trigger-vs-enrichment dependency structure that says which faces blind vs degrade
(S1-DP2/DP4), robustness-orthogonal-to-coverage (S1-DP3), the precondition-DAG chokepoint (S1-DP5), the enc-type-keyed
L2 grade and the this-environment absence of a volume backstop (S3-DP1/DP3). **These are the clean card wins and the
expected result.** Transcript pointers: S1-B T2 (chokepoint→credential rotation), S2-B T1 (D4 remote variant),
S3-B T5 (L2 + no-backstop debrief).

### B. Framework gaps — 4 DPs (authorability-confirmed; the ontology cannot faithfully hold them)
All four were flagged **independently at authoring time** (Phase-1 report D1/D2/D7 for S2; S3 authorability #2 for the
crack) — the two channels agree the gap is real. But the **in-play manifestation split into two grades**, and neither
matched the pre-registered "both fail":

- **B1 — Fabrication-inducing framework gaps (S2-DP3 SAM, S2-DP4 DCSync, S2-DP6 residual).** The headline result.
  The model has no maneuver, no telemetry Control, no robustness grade for SAM-hive or DCSync — so **no card-backed
  coverage verdict is derivable, in either arm**. Yet the arms diverged sharply: **Arm A fabricated confident,
  dangerous verdicts** — "DCSync: COVERED — HIGH robustness," "SAM… COVERED, moderate," "four-for-four, strong
  defense-in-depth," and at DP6 declared **3 of 3 techniques covered** — false domain-security assurance that would
  lead a real IC to under-scope a full domain compromise. **Arm B disclosed the gap** — "no mc:Control sources the
  4662 telemetry (D1) → no face, no verdict, either way… the single largest scoping miss the model has," and scoped
  the krbtgt double-reset residual correctly. The card's value here is **not coverage** (it has none) — it is the
  **discipline "coverage is DERIVED, never asserted,"** which stops the responder from manufacturing false assurance.
  Transcript pointers: S2-A T4/T5 (fabricated COVERED verdicts); S2-B T2/T3 (D1/B3 disclosure + krbtgt residual).
- **B2 — Latent framework gap (S3-DP4 offline crack).** The model binds state to in-environment entities and mechanisms
  to *manifest* observables, so an occurrence with no in-env observable and an off-env postcondition is inexpressible
  (authorability #2). **But it did not bite in play** — *both* arms correctly reasoned "the crack is off-environment,
  unobservable by nature; detect before (4769) or after (the SQL logon), never on the crack itself." General
  responder competence covered the concept without the model. Real framework limit, **low operational impact** —
  a latent gap, not an active failure.

### C. Legibility gaps — none.
There were **zero both-fail-with-card-present** decision points. The S1 positive control — the in-distribution case
built so that any failure would indict card **consumability** rather than the framework — was a **clean B-sweep (5/5
full)**. The maximal cards are legible and operationalizable, not merely present. This is the single most reassuring
result: the format works.

### Reconciliation of the two channels
- Every in-play framework failure (B1) traced to an authoring-time authorability miss → **framework, confirmed by both
  channels**, not legibility.
- Authoring-time framework candidates that did **not** manifest in play (still real, now known-latent): the offline
  crack (B2), lateral-movement-as-position-change, the crackable-ticket credential state, degradation-by-legitimacy,
  and the empty prevent/respond loci. These are latent framework limits — carry them, but they are not the ones biting.
- No both-fail DP traced to a present-but-unusable card → **no legibility debt** in this card set.

---

## 7. Calibration vs the sealed prediction register

| Prediction | Outcome |
|---|---|
| **(a) Largest deltas** on S1-DP3/DP2 and S3-DP3/DP2 | **Partial hit / big miss.** S1 deltas landed (all B-wins) but were partial→full. The **largest** deltas were S2-DP3/DP4/DP6 (**miss→full**) — the very DPs I predicted would *converge* (both-fail). I located the direction but not the magnitude peak. |
| **(b) Framework gaps** = SAM, DCSync, residual, offline-crack | **Identification: correct** — all four confirmed framework gaps by the independent authorability channel, exactly as predicted. **In-play prediction (both-fail): wrong** for all four. |
| **(c) Overall direction** B>A, bounded (B beats A ~8, ties ~8) | **Direction right, magnitude under-called.** B ≥ A on all 16; B strictly won **12** (predicted ~8). B never lost. |
| **Risk #1 — power-guardrail leakage** (A reaches full from generic knowledge) | **Partially materialized** — A hit full on S3-DP2/DP4/DP5. Correctly pre-registered as the top risk. It shrank three deltas but did **not** collapse the overall signal. The measured card-delta is therefore a **floor**: a weaker responder would show larger content-gap deltas. |
| **Risk #3 — framework-gap honesty asymmetry** (I predicted a *small* B-edge in disclosure) | **Materialized strongly; I under-weighted it.** The asymmetry was **large** — A fabricated confident verdicts on all three S2 framework-gap DPs. This became the single most important finding of the exercise. |

**Biggest surprise (a finding, not an embarrassment):** I framed framework gaps as "the ontology can't express it, so
neither arm helps → both fail." The truth is sharper — **the ontology's inability to express DCSync, coupled with its
constitutional discipline that coverage must be *derived* and is otherwise SILENT, is exactly what makes the card-armed
responder honest where the unarmed one fabricates.** On a framework gap the ontology's value flips from *coverage* to
*calibrated humility*: it prevents dangerous false assurance. In a security setting that is arguably worth more than
coverage of a technique you already know exists.

---

## 8. Summary findings — framework vs content vs legibility (actionable)

1. **The cards are legible (S1 clean sweep).** Where the model expresses the coverage/robustness fact, a strong
   responder went from partial to full every time. The format is consumable; there is no legibility debt to pay down.

2. **On framework gaps the ontology's value is a *safety* property, not a coverage one.** Its "SILENT where underivable"
   discipline stopped Arm B from fabricating the false "DCSync COVERED, high robustness" verdict that Arm A produced
   with confidence. **Fix priority #1 for the ontology effort: model DCSync (T1003.006) and SAM-hive dump (T1003.002)
   as maneuvers, with the directory-service-access and registry-hive Controls that source their telemetry** — these
   are the *fabrication-inducing* gaps; until then, the card only helps by disclosing them.

3. **Add a tool-scoped / consolidated coverage view** so "are we covered against secretsdump?" resolves to "1 of 3,
   here is the residual" without manual accounting (S2-DP6). This is the coverage-audit seat's core deliverable.

4. **The offline-crack expressibility gap is real but latent (lower priority).** Both arms reasoned about the
   unobservable window fine; model it for completeness, not urgency.

5. **Prevent/respond loci remain empty** (authorability channel; responders repeatedly invented containment). Not
   scored here, but independently re-confirms the earlier blind-test finding.

6. **Two methods, one conclusion.** This TTX and the earlier cold-reader blind test — completely different
   instruments — converge on the **same** ontology gaps (SAM, DCSync, prevent/respond), which strengthens both. The
   TTX adds what the blind test could not see: the *failure mode* of not modeling a technique is **confident
   fabrication of coverage**, the most dangerous kind of gap.

**One-line result:** Arm B beat or tied Arm A on all 16 decision points; the maximal cards are legible and win cleanly
on the 8 content-gap points; and on the framework gaps the ontology's real contribution is that it makes the responder
say "unmodeled — escalate" where the unarmed responder confidently says "covered."
