Merge pull request #177 from wrhalpin/claude/live-presentation-deck-tYlEP

Claude/live presentation deck t yl ep

Author: wrhalpin

docs/deck/index.html

@@ -392,7 +392,7 @@ <h2>AI Intel Review Queue</h2>
     </section>
 
     <section data-background="#1a1a1a">
-      <h2>Phase 4 — Control, Reasoning & Safety</h2>
+      <h2>Control, Reasoning & Safety</h2>
       <p style="font-size: 0.85em;">ExecutionContext, domain boundaries, hypothesis engine, agent governor, HITL</p>
       <ul style="font-size: 0.8em; margin-top: 1em;">
         <li><strong>ExecutionContext:</strong> Every operation stamped with context_id, domain, trust_level, workspace_id. Append-only execution_log. Full audit trail from connector call to report.</li>
@@ -403,6 +403,18 @@ <h2>Phase 4 — Control, Reasoning & Safety</h2>
       </ul>
     </section>
 
+    <section data-background="#1a1a1a">
+      <h2>GNATHunt — Detection Rules & Hunting</h2>
+      <p style="font-size: 0.85em;">Convert STIX to detection rules. Hunt packages. ATT&CK coverage mapping. Drift detection.</p>
+      <ul style="font-size: 0.8em; margin-top: 1em;">
+        <li><strong>STIX → Detection Rules:</strong> Malware/Campaign/Tool indicators → Sigma + YARA + Suricata + Snort rules. Confidence-weighted rule weight. Automated rule publication to EDL + SOC platform integrations.</li>
+        <li><strong>Hunt Packages:</strong> Bundled rules with metadata (adversary, campaign, techniques, severity). Importable into Splunk, Elastic, Chronicle, QRadar. Version control + diff tracking.</li>
+        <li><strong>ATT&CK Coverage Mapping:</strong> Every rule tagged with MITRE ATT&CK technique/sub-technique. Coverage heatmap by tactic. Gaps identified and prioritized.</li>
+        <li><strong>Drift Detection:</strong> Scheduled hunt job compares rule effectiveness (hit count, FP rate) against baseline. Drift >10% triggers analyst review. Rules auto-archived if no hits in 90 days.</li>
+        <li><strong>Integration:</strong> GNATHunt hooks into campaign tracking — when Campaign confirmed, emit detection rules + hunt package. Daily hunts run via FeedScheduler.</li>
+      </ul>
+    </section>
+
     <!-- ROLLOUT & ROADMAP SECTION (Slides 33-36) -->
     <section data-background="#1a1a1a">
       <h2>Security & CI</h2>
@@ -440,18 +452,6 @@ <h2>Deployment Architecture</h2>
       </ul>
     </section>
 
-    <section data-background="#1a1a1a">
-      <h2>GNATHunt — Detection Rules & Hunting</h2>
-      <p style="font-size: 0.85em;">Convert STIX to detection rules. Hunt packages. ATT&CK coverage mapping. Drift detection.</p>
-      <ul style="font-size: 0.8em; margin-top: 1em;">
-        <li><strong>STIX → Detection Rules:</strong> Malware/Campaign/Tool indicators → Sigma + YARA + Suricata + Snort rules. Confidence-weighted rule weight. Automated rule publication to EDL + SOC platform integrations.</li>
-        <li><strong>Hunt Packages:</strong> Bundled rules with metadata (adversary, campaign, techniques, severity). Importable into Splunk, Elastic, Chronicle, QRadar. Version control + diff tracking.</li>
-        <li><strong>ATT&CK Coverage Mapping:</strong> Every rule tagged with MITRE ATT&CK technique/sub-technique. Coverage heatmap by tactic. Gaps identified and prioritized.</li>
-        <li><strong>Drift Detection:</strong> Scheduled hunt job compares rule effectiveness (hit count, FP rate) against baseline. Drift >10% triggers analyst review. Rules auto-archived if no hits in 90 days.</li>
-        <li><strong>Integration:</strong> GNATHunt hooks into campaign tracking — when Campaign confirmed, emit detection rules + hunt package. Daily hunts run via FeedScheduler.</li>
-      </ul>
-    </section>
-
     <section data-background="#1a1a1a">
       <h2>All Roadmap Items Complete</h2>
       <p style="font-size: 0.85em;">✓ Every pending item has shipped — v1.9.0 complete</p>