CC7.2 · D4 · f1
Evidence files:

- evidence/monitoring-policy.md — Atlas Cloud security monitoring and anomaly detection policy defining SIEM requirements, alert SLAs, log review, and alert tuning procedures
- evidence/siem-coverage-report.json — Q4 2025 SIEM coverage report showing 18 of 20 services integrated, with details on the 2 non-integrated services
- evidence/alert-response-log.csv — Q4 2025 alert response log with 45 alerts, response times, and resolution details
- evidence/exception-register.csv — Security exception register documenting approved exceptions including the legacy batch reconciler decommission exemption
- evidence/uptime-report-q4.md — System uptime statistics for Q4 2025 — operational metrics not directly relevant to monitoring control effectiveness [noise]
- evidence/change-advisory-board-schedule.md — Change Advisory Board meeting schedule and statistics — change management process not directly relevant to monitoring controls [noise]

Findings:

| ID | Type | Severity | Finding |
|---|---|---|---|
| F-001 | red_herring | medium | Legacy batch reconciler not integrated with SIEM: The SIEM coverage report shows legacy-batch-reconciler (AC-SVC-020) is not integrated with the SIEM. This appears to be a monitoring gap — a production service without security monitoring. However, th... |
| F-002 | gap | high | New microservice deployed 47 days without SIEM integration: The real-time-collab-service (AC-SVC-019) was deployed to production on November 15, 2025. As of December 31, 2025 — 47 calendar days later (approximately 33 business days) — the service has not been ... |
| F-003 | gap | medium | Two critical alert SLA breaches during Q4: The alert response log shows 2 Critical-severity alerts where the 15-minute response SLA was missed: ALT-Q4-044 (Tor exit node connection, responded in 19 minutes — 4 minutes late, team occupied with ... |
| F-004 | gap | medium | No evidence of monthly alert tuning reviews: The monitoring policy Section 4.3 requires monthly alert tuning reviews covering false positive rates, threshold adjustments, new detection rules, and documentation in the 'Alert Rule Change Log.' The... |
| F-005 | gap | medium | No evidence of daily log review documentation: The monitoring policy Section 5 requires daily log reviews by the Security Operations team covering alert summaries, authentication anomalies, high-privilege activity, and data access patterns. Sectio... |

Model results:

| Model | Provider | Score | Recall | Prec. | F1 | Gaps | Reported |
|---|---|---|---|---|---|---|---|
| Sonnet 4.6 | Anthropic | 89% | 100% | 80% | 89% | 4/4 | 5 |
| Opus 4.7 | Anthropic | 67% | 100% | 50% | 67% | 4/4 | 8 |
| GPT-5.5 | OpenAI | 67% | 75% | 60% | 67% | 3/4 | 5 |
| GPT-4.1 | OpenAI | 20% | 25% | 17% | 20% | 1/4 | 6 |
| Haiku 4.5 | Anthropic | 42% | 100% | 27% | 42% | 4/4 | 15 |
| GPT-4o | OpenAI | 20% | 25% | 17% | 20% | 1/4 | 6 |