# Module 6 Rubric

## Artifact

A detection engineering packet with a threat model, false-positive analysis, and triage workflow, focused on adversarial behavior and evasion. Run a tabletop evasion analysis.

| Criterion | Excellent | Satisfactory | Needs Revision |
|-----------|-----------|--------------|----------------|
| Problem framing | Decision, stakeholders, affected population, and constraints are explicit and coherent. | Decision and stakeholders are named, but some constraints are thin. | The work jumps to tools or conclusions without a clear decision frame. |
| Evidence and method | Uses lab evidence or equivalent analysis correctly; compares a baseline with an alternative; explains limits. | Provides evidence and some comparison, but limits or assumptions are incomplete. | Evidence is asserted without reproducible analysis or baseline comparison. |
| Domain reasoning | Connects results to AI in Threat Detection with accurate terminology and realistic operational implications. | Uses relevant terminology but misses some operational implications. | Reasoning is generic and could apply to almost any AI course. |
| Risk and governance | Identifies technical, human, governance, and deployment risks with concrete mitigations. | Identifies major risks but mitigations are vague. | Risks are missing, generic, or treated as afterthoughts. |
| Communication | Recommendation is concise, defensible, and understandable to a SOC analyst, a detection engineer, an incident commander, and a business system owner. | Recommendation is understandable but not fully defended. | Recommendation is unclear, unsupported, or overclaims what the evidence proves. |

## Minimum Completion Standard

A passing submission must include a runnable or inspectable evidence artifact, a baseline comparison, at least two failure modes, one mitigation per failure mode, and a specific next-action recommendation.
