triNetra Research  |  Manifest Comparison Report|triNetra Research  |  Manifest Comparison Report  |  Sample Output
Manifest Comparison Report
Domain Blueprint Manifest: Enterprise Cybersecurity Threat Operations  ·  Two-Version Structural Comparison
Report ID
EAGLE-COMPARE-CYBER-001
Domain
Enterprise Cybersecurity Threat Operations
Engine
Deterministic Evaluation Engine / RiskOpsBench 1.0
Manifests Compared
2 (v1.0 vs v1.5.0-Hardened)
Scoring Method
Deterministic arithmetic. No AI system involved.
Report Classification
Sample Only. Not a client assessment.
Sample Document. This report illustrates the structure and content of a Manifest Comparison Report produced by the RiskOpsBench 1.0 analysis engine. It is derived from two reference Domain Blueprint Manifest configurations for the Enterprise Cybersecurity Threat Operations domain. Client comparison reports are compiled from the client’s own manifests and are not shared with other participants. All structural values in this sample are computed from actual reference configurations using the deterministic scoring engine.
Eagle Score Impact
Eagle Score and maturity level shift produced by the structural changes between the two manifest versions.
Manifest A · v1.0
Infrastructure Intrusion Detection
44
L3 Traceable
+27
Eagle Score
Gain
Manifest B · v1.5.0-Hardened
Enterprise Cyber-Defense Operations
71
L4 Auditable
Manifest Configuration Overview
Key structural parameters for each manifest version. These parameters drive corpus generation and Eagle Framework scoring.
Manifest A
Infrastructure Intrusion Detection
cybersecurity-threat-ops · v1.0
Decision Space5 actions
Evidence Types6 signals
Observer Nodes3 observers
MITRE Techniques4
OWASP Categories2
Target State Prior0.35 (scalar)
Partial Obs. Rate0.30
Training Split0.60
Manifest B
Enterprise Cyber-Defense Operations
cybersecurity_v2 · v1.5.0-Hardened
Decision Space6 actions +1
Evidence Types12 signals +6
Observer Nodes6 observers +3
MITRE Techniques8 +4
OWASP Categories5 +3
Target State Prior0.15 (per-class object)
Partial Obs. Rate0.25
Training Split0.50

Structural Comparison
Expandable sections for each structural dimension. Click a section to view the detailed comparison of Manifest A and Manifest B configurations.
Evidence Taxonomy +6 signals
Manifest A · 6 types
Perimeter and session detection signals covering edge, CDN, and identity layers.
TLS_FINGERPRINT DEVICE_FINGERPRINT ASN_REPUTATION VPN_DETECTION COOKIE_CONSISTENCY BEHAVIORAL_SIGNAL
Manifest B · 12 types
All 6 signals retained. 6 new signals added targeting post-authentication, endpoint, and exfiltration threat vectors.
TLS_FINGERPRINT DEVICE_FINGERPRINT ASN_REPUTATION VPN_DETECTION COOKIE_CONSISTENCY BEHAVIORAL_SIGNAL API_MUTATION_VELOCITY CREDENTIAL_STUFFING_BURST SUSPICIOUS_BINARY_EXEC PRIVILEGE_ESCALATION_CALL DATA_EXFILTRATION_VOLUME PHISHING_URL_CLICK_TELEMETRY
Manifest B doubles the evidence taxonomy. The six added signals target post-authentication threat vectors not covered by Manifest A, expanding the scenario space from perimeter and session signals to endpoint, network, and exfiltration telemetry. This substantially increases corpus diversity and reduces scenario homogeneity risk. Primary scoring impact: D1 Evidence Attribution gained 33 points, the largest gain across all seven dimensions.
Decision Space +1 action
Manifest A · 5 actions
ALLOW BLOCK CHALLENGE ESCALATE MONITOR
Manifest B · 6 actions
ALLOW_AUTH CHALLENGE_MFA RATE_LIMIT_IP ISOLATE_WORKSPACE TERMINATE_SESSION BLOCK_PERIMETER
Manifest B replaces generic labels (ALLOW, BLOCK, CHALLENGE) with operationally specific actions that map directly to enterprise security tooling. ALLOW maps to ALLOW_AUTH, BLOCK maps to BLOCK_PERIMETER, CHALLENGE maps to CHALLENGE_MFA. The addition of RATE_LIMIT_IP, ISOLATE_WORKSPACE, and TERMINATE_SESSION provides three intermediate response tiers absent from Manifest A, increasing the structural complexity of optimal decision selection problems.
Observer Topology +3 observers
Manifest A · 3 observers
Partial observability rate: 0.30
Edge_WAF_Gateway Cloudflare_CDN_Proxy Identity_Auth_Core
Manifest B · 6 observers
Partial observability rate: 0.25
Edge_Cloudflare_WAF Internal_VPC_Flow_Logs Okta_Identity_Provider CrowdStrike_EDR_Agent Active_Directory_Domain_Controller Zscaler_Secure_Web_Gateway
Manifest B doubles the observer count, introducing endpoint detection, internal network flow, and identity provider nodes absent from Manifest A. The slight reduction in partial observability rate from 0.30 to 0.25 does not reduce scenario difficulty: the additional observers create more complex consensus and conflict scenarios across more distinct vantage points. Primary scoring impact: D5 Human Oversight Readiness gained 20 points, the smallest gain across all seven dimensions, indicating that further observer configuration depth is required to maximise D5 scoring.
Threat Coverage +4 MITRE · +3 OWASP
Manifest AManifest BDelta
MITRE ATT&CK Techniques T1078, T1110, T1190, T1539 T1589, T1059, T1110, T1078, T1566, T1119, T1068, T1105 +4
OWASP Top 10 Categories 2 categories 5 categories +3
Manifest B expands threat coverage from 4 to 8 MITRE ATT&CK techniques and from 2 to 5 OWASP Top 10 categories. The additions cover Reconnaissance, Execution, and Command and Control tactics not represented in Manifest A. This expansion broadens the scenario space and increases the corpus relevance to real-world multi-stage attack campaigns.
Corpus Configuration Prior recalibrated · Splits rebalanced
ParameterManifest AManifest B
Target State Probability 0.35 (scalar) 0.15 MALICIOUS_ATTACK / 0.85 LEGITIMATE_USER (per-class object)
Training Split 0.60 0.50
Validation Split 0.20 0.15
Test Split 0.10 0.15
Adversarial Test Split 0.10 0.10
Manifest B uses a significantly lower prior for the malicious state (0.15 versus 0.35), producing a more realistic class imbalance that reflects enterprise security operational environments. This increases the structural difficulty of the long-tail imbalance partition. The training split reduction from 0.60 to 0.50 redistributes evaluation weight across validation and test partitions, producing a more balanced and rigorous evaluation configuration.

Eagle Framework Dimension Score Comparison
Per-dimension scores for each manifest version. Scores reflect the structural quality of the compiled corpus and the completeness of the manifest configuration. Higher scores indicate a manifest that produces a richer, more structurally complete benchmark corpus.
Dimension Manifest A Manifest B Delta
D1 Evidence Attribution
42
75
+33
D2 Decision Traceability
45
73
+28
D3 Confidence Calibration
38
70
+32
D4 Counterfactual Accountability
44
72
+28
D5 Human Oversight Readiness
48
68
+20
D6 Incident Reconstruction Capability
46
71
+25
D7 Audit Trail Completeness
47
69
+22
Largest gain: D1 Evidence Attribution (+33). The doubling of the evidence taxonomy from 6 to 12 types directly expands the evidence attribution evaluation space. Signals such as API_MUTATION_VELOCITY and PRIVILEGE_ESCALATION_CALL create distinct attribution scenarios not possible with the Manifest A configuration.

Smallest gain: D5 Human Oversight Readiness (+20). Human oversight readiness assessment is less dependent on evidence taxonomy breadth and decision space scope than on the structural configuration of oversight mechanisms within the manifest itself. Neither manifest version includes explicit human-in-the-loop configuration parameters that would drive differential D5 scoring.

Structural Findings
Findings represent structural gaps and informational observations identified through comparison of the two manifest configurations. STRUCTURAL findings indicate gaps that materially limit corpus quality or Eagle Framework scoring. INFORMATIONAL findings indicate observations relevant to manifest calibration.
CF-001 Evidence Taxonomy Structural
Manifest A covers only perimeter and session signals, leaving endpoint and network telemetry outside the evaluation scope. The six-signal taxonomy is sufficient to generate a valid corpus but produces scenario homogeneity across challenge types, limiting the structural diversity of evidence attribution problems.
Recommendation
Extend the evidence taxonomy to include at least one endpoint detection signal (such as SUSPICIOUS_BINARY_EXEC or PRIVILEGE_ESCALATION_CALL) to enable assessment of AI reasoning under multi-vector threat conditions.
CF-002 Observer Topology Structural
Manifest A with three observers produces limited consensus conflict scenarios. Fragile consensus and partial observability challenge types are constrained in structural diversity because the three-observer topology does not generate sufficient vantage point variation to produce complex consensus failure patterns.
Recommendation
Expand the observer count to at least five distinct vantage points covering edge, identity, endpoint, and network observation layers to enable richer structural scenario generation.
CF-003 Decision Space Informational
Manifest A uses generic action labels (ALLOW, BLOCK, CHALLENGE, ESCALATE, MONITOR) that do not map to specific enterprise security controls. This reduces the operational interpretability of utility bounds configurations and limits the real-world validity of the generated benchmark.
Recommendation
Replace generic action labels with operationally specific security control actions that correspond to the organisation’s actual response tooling. This improves utility bounds calibration and increases the real-world validity of the benchmark.
CF-004 Epistemic Prior Informational
Manifest A uses a target state probability of 0.35 for malicious events. This is substantially higher than operational base rates in most enterprise environments and will produce class distributions that underrepresent the long-tail imbalance conditions common in production security monitoring. This reduces the structural difficulty of the confidence calibration partition and inflates D3 scores relative to the real-world deployment context.
Recommendation
Calibrate the target state probability to reflect the organisation’s actual observed malicious event base rate. For most enterprise environments, values between 0.10 and 0.20 are appropriate for cybersecurity domain configurations.
Access Note. This sample comparison report is derived from two reference Domain Blueprint Manifest configurations for the Enterprise Cybersecurity Threat Operations domain. All structural values are computed from actual reference preset configurations included in the RiskOpsBench 1.0 assessment engine. Manifest Comparison Reports are planned for introduction following the Founding Validation Programme. A client comparison report is compiled from two Domain Blueprint Manifests specific to the client’s operational context and produces findings and recommendations applicable to that client’s structural configuration. Founding Validation Programme: Platform Access USD 3,999 (one-time) + Insight Cycles USD 999 each. Contact research@trinetra.life to initiate an engagement.