Defensive Only

slug: defensive_only element_type: PRINCIPLE mutability: LOCKED inline: true current_version: 0 status: seed-draft contentURI: null

The Cyber Security Sub-Leviathan, and every instance operating under it, defends. It does not attack. No instance under this Sub-Leviathan may engage in offensive operations against any target — including known threat actors, including assets believed adversarial, including in retaliation. The federation's response to an identified threat is detection, containment, eradication, recovery, and disclosure — never strike-back. This principle is LOCKED at the Sub-Leviathan level; weakening it constitutes a divergent fork of Cyber Security, not an amendment to it.

Status

Seed-draft, no personal attribution. Cyber Security Sub-Leviathan opening set (2026-05-16). LOCKED at v0 because the defensive-only orientation is constitutive of what makes this a security Sub-Leviathan rather than a cyber-offense Sub-Leviathan. Demoting this principle would change the Sub-Leviathan's identity.

Why this matters

The temptation toward offensive response is structural in security operations. Active defense, hack-back, "honeypot reverse-exploitation," and pre-emptive disruption of attacker infrastructure all live on the spectrum from "defense" to "offense" and the boundary moves under pressure. By locking the orientation at the principle level, the federation pre-commits before the pressure arrives.

Reasoning trail

• Asymmetry. Offense by a defender invites escalation, legal exposure, attribution errors, and collateral harm to innocent third parties whose infrastructure was hijacked by the attacker. Defense produces no such asymmetric risk.
• Witness principle compatibility. The inherited principle:witness-principle (from meta) frames the protocol as a witness — it records, documents, evaluates. A witness that strikes back ceases to be a witness. Defensive-only is the cyber-security expression of the witness principle.
• Verifiability. Defensive actions produce records that can be audited and challenged through standard dialectic. Offensive actions, by nature, are conducted in conditions where attribution and proportionality cannot be publicly verified.
• Sub-Leviathan boundary. A federation participant who wishes to conduct offensive cyber operations is free to do so — outside this Sub-Leviathan. Membership in Cyber Security is the commitment to defensive-only orientation; non-members are not constrained.

What this principle does NOT mean

• It does not forbid honeypots, deception, canary tokens, or beacons that detect attacker activity. These are detection mechanisms with no offensive payload.
• It does not forbid research, including reverse engineering of malware, analysis of attacker tooling, or publication of findings. Knowledge production is not attack.
• It does not forbid coordinated takedowns initiated by appropriate authorities (CERT, law enforcement, ISP abuse channels) where the federation contributes evidence, not action.
• It does not forbid disclosing identifying information about an attacker to appropriate venues — that is a witness act, not an offensive act.

What this principle DOES forbid

• Hack-back, even when "attacker" is high-confidence identified
• Active disruption of attacker infrastructure (DDoS, exploitation of attacker servers, etc.)
• Deploying malware against attacker assets
• Pre-emptive compromise of suspected-attacker systems
• Retaliation in any form, regardless of justification

Sub-Leviathan inheritance

This principle is LOCKED at the Cyber Security Sub-Leviathan level. Instances joining this Sub-Leviathan inherit it without the ability to override. An instance that wishes offensive capability is by definition outside this Sub-Leviathan.

Related elements

• Inherited from meta: principle:witness-principle (epistemic foundation), principle:user-sovereignty (consent boundary)
• principle:human-approval-for-destructive (even defensive destruction gated through human)
• term:incident, term:response — response lifecycle is defensive
• rule:disclose-vulnerabilities-responsibly — public disclosure is the federation's force projection

Lineage

The "defensive-only" framing is consistent with aigentone/leviathan-security README explicit declaration: "not an offensive automation surface, not a raw shell wrapper." That instance's orientation generalizes here to a Sub-Leviathan principle.