harbor-ato — help-desk vishing + MFA-reset takeover
Harbor Point Credit Union VP Member Services mvaldez@harborpointcu.org was taken over after a password spray, Okta MFA push fatigue, a social-engineered help-desk MFA/password reset, and a hidden external mailbox forward to harbor.archive@proton.me. A SIM-swap on the corporate line corroborates the timeline. Fully synthetic.
what this proves
- every primary engine produces deterministic, fixture-locked output — verified by npm run check:flagship (728/728 fleet · 8 for this scenario).
- every output is generated 100% locally in your browser — export IdP and audit logs, never upload tenant data.
- password spray, SIM swap ICCID change, MFA push fatigue, password reset, and hidden external mailbox forward surface without uploading evidence.
primary engines locked to this fixture
build the case binder
runs all eight primary engines on the synthetic evidence zip and opens a self-contained html binder. uses the default binder renderer for ato — no upload.
download the synthetic evidence
MIT-licensed, fully synthetic. includes Okta system log, unified audit log, mailbox rules export, security evt spray csv, browser session dump, and carrier SIM swap log.
built deterministically from scripts/fixtures/build-harbor-ato.mjs. seed: harbor-ato:v1.
methodology
ato is spray → IdP → SIM swap → UAL (unified audit log) → rules → endpoint creds. walk the engines in that order: password spray detector → okta log analyzer → sim swap artifact detector → audit log parsers → mail rule parser → credential artifact scanner.
after the playbook
run each primary locally — or export findings from the binder — then drop every csv/json into fatcousin-multi-tool-super-timeline-correlator. one timestamp-sorted timeline across password spray, SIM swap, MFA fatigue, password reset, and hidden mailbox forward — still zero upload.
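the merge step described above, as an added example that is not the project's own code: it normalises findings from several exports to UTC, sorts them into one timeline, and checks that the takeover stages occur in order for one account. the field names, the user-to-line mapping in the carrier row, and all events are constructed assumptions.

```javascript
// added example, not the project's code. field names (ts, user, stage, detail)
// are assumed, not the real export schema; every event below is constructed.
const USER = "mvaldez@harborpointcu.org";
const findings = {
  spray: [{ ts: "2024-03-04T13:02:11Z", user: USER, stage: "password_spray" }],
  okta: [
    { ts: "2024-03-04T13:40:05Z", user: USER, stage: "mfa_push_fatigue" },
    { ts: "2024-03-04T14:21:30Z", user: USER, stage: "password_reset" },
  ],
  // carrier export uses a local offset: 09:05-05:00 is 14:05Z, so sorting the
  // raw strings would wrongly place the SIM swap before the spray.
  carrier: [{ ts: "2024-03-04T09:05:00-05:00", user: USER, stage: "sim_swap" }],
  mailRules: [{ ts: "2024-03-04T14:33:47Z", user: USER, stage: "mailbox_forward",
                detail: "harbor.archive@proton.me" }],
};

// merge every source, normalise to UTC epoch, sort on the epoch (not the string)
function buildTimeline(sources) {
  const rows = [];
  for (const [source, events] of Object.entries(sources)) {
    for (const e of events) {
      const epoch = Date.parse(e.ts);
      if (Number.isNaN(epoch)) continue; // drop rows with unparseable timestamps
      rows.push({ ...e, source, epoch, utc: new Date(epoch).toISOString() });
    }
  }
  return rows.sort((a, b) => a.epoch - b.epoch);
}

const CHAIN = ["password_spray", "mfa_push_fatigue", "password_reset", "mailbox_forward"];

// ordered-subsequence match of CHAIN for one user; SIM swap is corroboration only
function matchChain(timeline, user, orgDomain) {
  const hits = [];
  for (const e of timeline) {
    if (e.user === user && e.stage === CHAIN[hits.length]) hits.push(e);
    if (hits.length === CHAIN.length) break;
  }
  const complete = hits.length === CHAIN.length;
  const fwd = hits.find((e) => e.stage === "mailbox_forward");
  const externalForward = !!fwd && !!fwd.detail &&
    !fwd.detail.toLowerCase().endsWith("@" + orgDomain);
  const simSwapInWindow = complete && timeline.some((e) => e.user === user &&
    e.stage === "sim_swap" && e.epoch >= hits[0].epoch && e.epoch <= hits[3].epoch);
  return { complete, externalForward, simSwapInWindow, hits };
}

console.log(matchChain(buildTimeline(findings), USER, "harborpointcu.org"));
```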