# PREDICTION REGISTER — SEALED before any responder run

*White Cell's calibration bet. Written after freezing the pre-registrations, before Phase 1 cards touch a
responder. Not shown to responders. Scored against actual results in Phase 5. Do not edit to fit results.*

Frozen: 2026-07-11, before Phase 1. 16 decision points across S1 (5), S2 (6), S3 (5).

## (a) Where I expect the largest Arm-B-over-Arm-A delta
Ranked, highest expected delta first. Deltas concentrate on **content-gap** DPs whose FULL criterion is an
environment-specific coverage/robustness fact a card carries but generic knowledge cannot derive.

1. **S1-DP3 (robustness ≠ coverage; SHARPEST).** A generic responder will likely say "L5, still covered" or
   "EDR down, so no" without separating evasion-resistance from live-firing. The card makes the orthogonality
   explicit. Predict A=miss/partial, B=full → largest single delta.
2. **S1-DP2 (which detections blind vs degrade; HEADLINE).** Assigning blind/blind/degraded to cred/encrypt/exfil
   *with the trigger-vs-enrichment reason* is not derivable generically. Predict A=partial, B=full.
3. **S3-DP3 (AES evasion + no backstop).** Generic knowledge yields "AES evades"; only the card asserts THIS env
   has no volume-based L4/L5 backstop. Predict A=partial, B=full.
4. **S3-DP2 (control-type routing).** A tends to assume the host EDR covers the chain; the card routes ticket-req
   to the DC-SIEM and flags the SQL-EDR logon face degraded-by-legitimacy. Predict A=partial, B=full.
5. **S1-DP1, S1-DP4, S3-DP1, S3-DP5, S2-DP2** — content-gaps with a PARTIAL floor A can reach from technique
   knowledge; B earns FULL via the env-specific rung. Moderate deltas.

**Aggregate delta prediction:** B strictly beats A on ~7–9 of the 11 content-gap DPs; ties (both partial-or-full)
on the rest.

## (b) Which scenario needs I expect to classify as FRAMEWORK gaps
Pre-registered framework-gap DPs (expect **both arms fail** to produce a card-backed coverage/robustness verdict;
each traces to an authoring-time authorability miss):
- **S2-DP3 — SAM/registry-hive dump (T1003.002).** No maneuver, no registry-hive primitive, no Control sourcing
  that telemetry → no derivable verdict.
- **S2-DP4 — DCSync/domain replication (T1003.006).** No maneuver, no directory-service-access Control, no
  robustness for the 4662 replication GUID. The invariant is a legitimate RPC, not a memory read.
- **S2-DP6 — consolidated residual across the three techniques.** Authored coverage = 1 of 3; the full residual
  (incl. krbtgt exposure) is not derivable from either arm.
- **S3-DP4 — offline off-environment crack.** State binds to in-environment entities and mechanisms to *manifest*
  observables; an occurrence with no in-env observable and an off-env postcondition is inexpressible. The model
  cannot distinguish "unobservable by nature" from "notCovered because BLIND." The subtler headline gap.

**Latent framework gaps** I expect Phase-1 authoring to hit even where I did NOT score a DP on them (so they show
in the authorability channel, not necessarily the in-play channel): prevent-side empty (no Credential Guard/RunAsPPL/
ASR/WDAC), respond-side empty (no isolate/disable/rotate/evict) — these bound the containment ACTION across all three
scenarios; BYOVD-load as its own maneuver/target (S1); lateral-movement-as-position-change and the crackable-ticket
credential state and degradation-by-legitimacy (S3). I predict the S3 degradation-by-legitimacy gap is the one most
likely to cause a faithful Arm-B card to be subtly WRONG (show the SQL-EDR logon face as `live` when it is really an
un-actionable "benign-indistinguishable" — a case the four-valued faceStatus can't hold).

## (c) Predicted overall direction of effect
- **B > A overall**, but bounded. Net over 16 DPs I predict: **B beats A on ~8 DPs, ties on ~8** (the 4 framework-gap
  both-fail + ~2 base-competence both-pass + ~2 content-gap both-partial/both-full).
- **The diagnostic shape matters more than the count:** B's *failures* should cluster exactly on the 4 framework-gap
  DPs, and B's *wins* on the content-gap DPs — a clean separation that lets the framework-vs-content split be read
  straight off the cross-arm table. S1 (in-distribution) should be near-clean B-wins; if it is NOT, that indicts
  card LEGIBILITY, which is the single most informative possible surprise.

## Risk register (threats to the experiment's validity — pre-registered)
1. **Power-guardrail leakage (most likely confound).** A strong LLM in Arm A may reach FULL on content-gap DPs from
   generic competence, collapsing the delta. My bet: A hits the **PARTIAL ceiling** (names the technique, "AES evades",
   "rotate creds") but misses the env-specific FULL criteria. **If Arm A scores FULL on S1-DP2/DP3 or S3-DP3 without
   cards, that is a genuine finding** (either the DP lacked headroom, or base competence exceeds the cards' marginal
   value here).
2. **Legibility risk.** Arm B may fail to consult or operationalize a card that IS present → a both-fail on a
   *content-gap* DP = a **legibility gap**, not a framework gap. Most likely on S1 (dense coverage cards) if the
   responder treats them as noise. I predict low incidence (< 2 DPs).
3. **Framework-gap honesty asymmetry.** On S2-DP3/4/6 and S3-DP4, "both fail" means neither produces real coverage.
   But B's card may explicitly say "unmodeled path," so B may **disclose the gap** more reliably than A → a small
   B-edge in *honesty* even with zero underlying capability. I will score these as *capped-full = discloses + escalates,
   does not fabricate*; I predict B reaches capped-full more often than A, and that a **fabricated verdict (asserting
   coverage the model can't support) is the real miss** — more likely in A (no card to anchor the "silent" honesty),
   but possible in B if the responder over-reads the cards.
4. **Adjudication drift.** Mitigated by the frozen resolution tables; the risk is unanticipated blue actions. Default
   rule (adjudicate conservatively from ground truth, log the improvisation) applied identically to both arms.

**Headline bet in one line:** Arm B beats Arm A on the content-gap decision points of all three scenarios, the two
arms converge on the four framework-gap decision points, and the framework gaps that bite in play are exactly the
ones the Phase-1 card-authorability report will have flagged independently — SAM, DCSync, and the offline crack.
