InfraFabric External Review Pack — Single File
This is a single-file bundle intended for review environments that cannot reliably fetch multiple URLs.
Links
- Pack (this file): https://infrafabric.io/static/pack/dwJFRSJqjWTwKOwXqc8YYmlC.md
- Review pack (links only): https://infrafabric.io/static/review/dwJFRSJqjWTwKOwXqc8YYmlC.md
- Dossier (rendered): https://infrafabric.io/static/dossier/dwJFRSJqjWTwKOwXqc8YYmlC
- Dossier (download Markdown): https://infrafabric.io/static/dossier/dwJFRSJqjWTwKOwXqc8YYmlC/download
- if.trace receipt page: https://infrafabric.io/static/trace/dwJFRSJqjWTwKOwXqc8YYmlC
- Source (download): https://infrafabric.io/static/source/7e5ea672506577a27106bb13147d3c8e5429914c75f7fb150c0e5b792f9f28f6.pdf
Alternate host mirror (same paths)
- Pack (this file): https://git.infrafabric.io/static/pack/dwJFRSJqjWTwKOwXqc8YYmlC.md
- Review pack: https://git.infrafabric.io/static/review/dwJFRSJqjWTwKOwXqc8YYmlC.md
- Dossier: https://git.infrafabric.io/static/dossier/dwJFRSJqjWTwKOwXqc8YYmlC
- Trace: https://git.infrafabric.io/static/trace/dwJFRSJqjWTwKOwXqc8YYmlC
Review instructions (portable)
Hard rules:
- 100% factual: every non-trivial claim must be tagged [SOURCE]/[DOSSIER]/[TRACE]/[INFERENCE]. If unverified, say “unverified” and stop.
- Vendor-neutral: critique deployment conditions + org behaviors, not vendor intent/competence.
- Mirror discipline: follow the dossier’s section order; do not invent a new structure.
Deliverables:
A) 5–10 bullets: what works / what doesn’t (tag each)
B) Scorecard (0–5): mirror integrity, layout fidelity, humor discipline, mermaid value, if.trace demo value, CTA stealth
C) Section-by-section critique (mirror headings): what’s mirrored, what’s missing, what feels templated/repeated
D) Vendor-safe conclusion rewrite: success conditions / traps / questions-to-ask-vendor
E) Unified diff patches against the current Dave bible (e.g., IF_DAVE_BIBLE_v2.0.md) and generator rules
if.trace receipt (portable extract)
```json
{
  "id": "75cea0f7-a7e0-4cab-8a82-1139f0b27128",
  "status": "done",
  "createdAt": "2025-12-27T17:39:25.200Z",
  "originalFilename": "TUE_Cloud_AquaSecurity_SaaS_Platform.pdf",
  "style": "if.dave.v1.7",
  "sourceSha256": "7e5ea672506577a27106bb13147d3c8e5429914c75f7fb150c0e5b792f9f28f6",
  "outputSha256": "9dd13755754cfd29163f11ad85c18fe0b7088901928965c26c439113cc79f4e1",
  "warnings": ""
}
```
Shadow dossier (Markdown)
---
BRAND: InfraFabric.io
UNIT: RED TEAM (STRATEGIC OPS)
DOCUMENT: SHADOW DOSSIER
CLASSIFICATION: EYES ONLY // DAVE
---
# [ RED TEAM DECLASSIFIED ]
## PROJECT: 75CEA0F7-A7E0-4CAB-8A82-1139F0B27128-MIRROR
### SOURCE: 75CEA0F7-A7E0-4CAB-8A82-1139F0B27128-PDF
**INFRAFABRIC REPORT ID:** `IF-RT-DAVE-2025-1227`
> NOTICE: This document is a product of InfraFabric Red Team.
> It exposes socio-technical frictions where incentives turn controls into theater.
**[ ACCESS GRANTED: INFRAFABRIC RED TEAM ]**
**[ STATUS: OPERATIONAL REALISM ]**
## Solution Brief
### The Aqua Platform SaaS Edition Key Benefits
> Shadow dossier (mirror-first).
>
> Protocol: IF.DAVE.v1.7
> Citation: `if://bible/dave/v1.7`
> Source: `75cea0f7-a7e0-4cab-8a82-1139f0b27128.pdf`
> Generated: `2025-12-27`
> Source Hash (sha256): `7e5ea672506577a27106bb13147d3c8e5429914c75f7fb150c0e5b792f9f28f6`
## Key benefits

**Save time and management overhead.** The core infrastructure and services of the Aqua Platform are deployed and maintained by Aqua, saving you precious time and resources. Upgrades, updates, and bug fixes are automatically and continually applied for all Aqua components except the enforcers at the workload level.

**Support your data residency requirements.** The Aqua Platform SaaS Edition is deployed in multiple regions around the world, including northern Virginia, US (North America), Singapore (Asia Pacific) and Frankfurt, Germany (Europe). Each region operates as an independent instance of the Aqua Platform, and all customer data remains physically in that region.
This is **Key benefits** (notably: 2015, 2022): the part where we agree in principle. The red-team ask is that we also agree on what blocks, what warns, and who owns the exception path.
> **The Dave Factor:** The plan becomes the status update, and the status update becomes the plan.
> **Countermeasure:** Name one owner, one gate, and one stop condition that blocks, not "raises awareness."
> The problem isn't intent. The problem is intent without an enforceable gate (anchors: 2015, 2022) — so we can make the control visible and keep it unenforceable.
We can call it "simplification" (2015) as long as it fits on a slide; the moment it's enforceable, it becomes "complexity — so we can circle back next sprint with a merge-blocking rule."
## Action Pack (Operational)
This appendix turns the mirror into Monday-morning work: owners, gates, stop conditions, and evidence artifacts.
Keep it generic and auditable; adapt to your tooling without inventing fake implementation details.
### Control Cards
#### Key benefits
- **Control objective:** Prevent the dilution risk described in "Key benefits" by turning guidance into an enforceable workflow.
- **Gate:** Governance
- **Owner (RACI):** Security + Engineering Leadership
- **Stop condition:** No "phased rollout" without exit criteria and an explicit decision owner.
- **Evidence artifact:** decision_log + rollout_milestones + stop_condition_text
### Backlog Export (Jira-ready)
1. [Governance] Key benefits: define owner, gate, and stop condition
- Acceptance: owner assigned; stop condition documented and approved.
- Acceptance: evidence artifact defined and stored (machine-generated where possible).
- Acceptance: exceptions require owner + expiry; expiry is enforced automatically.
### Policy-as-Code Appendix (pseudo-YAML)
```yaml
gates:
  pr:
    - name: "risk scanning"
      stop_condition: "block on high severity (or unknown)"
      evidence: "scan_event_id + policy_version"
  access:
    - name: "assistant enablement"
      prerequisite: "device baseline + local scan signal"
      stop_condition: "deny when signals missing"
      evidence: "access_grant_event + prerequisite_check"
  runtime:
    - name: "tool-use"
      prerequisite: "allowlist + validation"
      stop_condition: "block disallowed actions"
      evidence: "execution_log_id + allowlist_version"
exceptions:
  expiry_days: 14
  require_owner: true
  require_reason: true
evidence:
  freshness_days: 30
  require_hash: true
```

## Annex (inferred diagrams)

Inferred diagrams: InfraFabric Red Team synthesis (no new factual claims).

### Evidence drift loop (inferred)

```mermaid
flowchart TD
    A["Control intent"] --> B["Manual evidence requested"]
    B --> C["Artifact produced"]
    C --> D["Dashboard goes green"]
    D --> E["Exceptions accumulate"]
    E --> F["Definition of #34;compliance#34; shifts"]
    F --> B
```

### Exception stasis (inferred)

```mermaid
stateDiagram-v2
    [*] --> Requested
    Requested --> PendingReview: "needs alignment"
    PendingReview --> PendingReview: renewal
    PendingReview --> Approved: silence
    Approved --> Approved: "temporary" extension
```
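
An added example (not part of the dossier or of any InfraFabric or Aqua tooling) of how the `exceptions` and `evidence` values from the policy appendix could be enforced so that the exception stasis loop above ends in an automatic block. The record field names (`first_granted`, `collected`, `sha256`) are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta, timezone

# Values copied from the appendix's `exceptions` and `evidence` blocks.
POLICY = {
    "exceptions": {"expiry_days": 14, "require_owner": True, "require_reason": True},
    "evidence": {"freshness_days": 30, "require_hash": True},
}

def check_exception(exc, now, policy=POLICY["exceptions"]):
    """Return the reasons an exception must be rejected (empty list = still valid)."""
    problems = []
    if policy["require_owner"] and not exc.get("owner"):
        problems.append("missing owner")
    if policy["require_reason"] and not exc.get("reason"):
        problems.append("missing reason")
    # Assumption: age counts from the first grant, so a renewal cannot reset the clock.
    age = now - exc["first_granted"]
    if age > timedelta(days=policy["expiry_days"]):
        problems.append(f"expired ({age.days}d > {policy['expiry_days']}d)")
    return problems

def check_evidence(ev, now, policy=POLICY["evidence"]):
    """Return the reasons an evidence artifact cannot be accepted."""
    problems = []
    if policy["require_hash"] and not ev.get("sha256"):
        problems.append("missing hash")
    if now - ev["collected"] > timedelta(days=policy["freshness_days"]):
        problems.append("stale evidence")
    return problems

def gate(exceptions, evidence, now):
    """Return (blocked, findings); blocked is True if any record violates the policy."""
    findings = {r["id"]: p for r in exceptions if (p := check_exception(r, now))}
    findings.update({r["id"]: p for r in evidence if (p := check_evidence(r, now))})
    return bool(findings), findings

# Constructed sample records (hypothetical field names, not from the dossier).
NOW = datetime(2025, 12, 27, tzinfo=timezone.utc)
SAMPLE_EXCEPTIONS = [
    {"id": "EXC-1", "owner": "alice", "reason": "vendor patch pending",
     "first_granted": NOW - timedelta(days=3)},
    {"id": "EXC-2", "owner": "", "reason": "temporary", "renewals": 2,
     "first_granted": NOW - timedelta(days=40)},
]
SAMPLE_EVIDENCE = [
    {"id": "EV-1", "sha256": "constructed-digest", "collected": NOW - timedelta(days=5)},
    {"id": "EV-2", "sha256": None, "collected": NOW - timedelta(days=45)},
]
if __name__ == "__main__":
    print(gate(SAMPLE_EXCEPTIONS, SAMPLE_EVIDENCE, NOW))
```

EXC-2 is rejected even though it was renewed twice, because the 14-day limit is measured from the first grant rather than from the latest extension.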
InfraFabric Red Team Footer: RED-TEAM Shadow Dossiers for socio-technical friction analysis: https://infrafabric.io

Standard Dave Footer: This document is intended for the recipient only. If you are not the recipient, please delete it and forget you saw anything. P.S. Please consider the environment before printing this email.