Corporate Security
Corporate security teams govern Capsem through signed profiles, enforcement packs, detection packs, telemetry configuration, and runtime evidence.
What To Configure
Section titled “What To Configure”| Area | Where |
|---|---|
| Profile governance | Corporate Deployment |
| Profile format and pins | Profile Format |
| Signed catalog rollout | Profile Catalogs |
| Realtime blocking | Enforcement |
| Detection and forensic search | Detection Format |
| VM health and metrics | VM Health |
| Telemetry extension rules | Extending Telemetry |
| Admin CLI workflows | capsem-admin |
Enforcement Versus Detection
Section titled “Enforcement Versus Detection”Enforcement is synchronous and can allow, block, ask, or rewrite. Detection is finding generation and forensic analysis. Detection findings are attached to the resolved event before telemetry/logging/export sinks, but they do not silently become blocking decisions.
Runtime operators can validate, compile, backtest, install, list, delete, and
inspect stats through /enforcement/* and /detection/*. Corp admins can
validate and backtest packs offline with capsem-admin before publishing them
through signed profiles.
Evidence
Section titled “Evidence”Backtest and hunt return aggregate counts plus up to 100 matched event rows by default. Rows are deduplicated by evidence signature to show diversity. Local evidence is full-fidelity for users who can access Capsem. Export/support bundle redaction is an explicit separate flow.