ISO 27001 Evidence Package
Entity: AstroPema AI LLC
Generated: 2026-03-09 20:10:30 UTC
Scope: Production web infrastructure
Domains: astropema.ai, astromap.ai, pemahosting.com, orneigong.org
Threat Level: HIGH (score 6/8)
A.12.4 — Logging and Monitoring
Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.
Evidence
- Two-layer logging architecture operational:
  - Layer 1 — Nginx edge: 4640 events logged over study period
  - Layer 2 — Apache ML: 176264 events logged over 70-day period
  - Combined unique hostile IPs detected: 2,779
  - Log retention: PostgreSQL waf_verification database, continuous
  - Log format: structured (IP, timestamp, verdict, MITRE tactic, pattern, URI, host)
  - Automated ingestion: CNN-GRU IDS pipeline, Rust production binary
  - Daily review: SOC notebook executed 2026-03-09
  - Pattern database: 61 detection patterns, reviewed and updated
  - Two-layer catch rate: Nginx 57.2%, Apache ML 77.1%, combined coverage confirmed empirically
A.12.6 — Management of Technical Vulnerabilities
Information about technical vulnerabilities of information systems shall be obtained in a timely fashion.
Evidence
- Vulnerability probe detection operational:
  - WordPress core probes blocked: 877 hits in current window
  - WordPress plugin exploits blocked: 101 hits (hellopress CVE)
  - DevOps framework probes detected: 17 hits
    - Spring Cloud Gateway RCE (CVE-2022-22947): /actuator/gateway/routes
    - GeoServer RCE (CVE-2024-36401): /geoserver/web/
    - Jira/Confluence exploitation: /login.action, Maven path traversal
  - URI taxonomy coverage: 10 attack categories, 704 unique URIs classified
  - Coverage gaps identified: 52 uncategorized URIs flagged for review
  - Apache-level URI blocking deployed 2026-03-09 across 4 non-WordPress domains
  - Pattern velocity monitoring: daily baseline vs 7-day average
A.13.1 — Network Controls
Networks shall be managed and controlled to protect information in systems and applications.
Evidence
- Network security controls in production:
  - Perimeter: Nginx edge proxy with rate limiting and pattern matching
  - Application layer: Apache with ModSecurity CRS + custom ML detection
  - Blocklist: ipset bad_ips with 3 IPs currently blocked
  - Automated blocking: banqueue cron, threshold 20 hits, 1-min cycle
  - Subnet analysis: 8 hostile /24 subnets identified, CDN overlap flagged
  - Botnet detection: 9 botnets confirmed today, 36 active nodes
  - Geographic monitoring: 6 countries in top attack sources
  - ASN attribution: Microsoft Azure dominant (715 hits), Cloudflare proxied attacks identified
  - Two-layer architecture: empirically validated, 95.2% of hostile IPs detected by Apache ML only
  - MITRE ATT&CK mapping: 6 tactics, 11 techniques mapped
A.16.1 — Management of Information Security Incidents
Responsibilities and procedures shall be established to ensure a quick, effective, and orderly response to information security incidents.
Evidence
- Incident detection and response procedures operational:
  - Daily SOC report: automated, generated 2026-03-09 20:10 UTC
  - Threat level assessed: HIGH (score 6/8)
  - New hostile IP detection: 29 new IPs in 24h window
  - Multi-tactic escalation: 7 IPs flagged for priority review
  - Pattern spike alerting: 1 pattern(s) above 3x baseline
  - Threat actor profiling: 6 named profiles with RATING in study
  - Campaign duration tracking: Kaplan-Meier survival analysis, 542 campaigns analyzed
  - False positive rate: 0 confirmed false positives in current audit
  - Incident archive: timestamped SOC reports saved to /tmp/soc_*.txt
  - Evidence integrity: PostgreSQL audit trail, CNN-GRU detection provenance logged