# Building Your Twin
The digital twin starts empty and grows with every interaction. There are several ways to feed it, from zero-effort automatic enrichment to deliberate evidence gathering.
## The .salient/ Directory
Conceptually, the twin is a directory of files — your organization's security identity:
```text
.salient/
  profile.md     # Organization profile (stack, people, processes)
  facts/         # Mined facts from exercises, connectors, artifacts
  exercises/     # Exercise history and scores
  events/        # Security events and triage results
  connectors/    # Data synced from Okta, Entra ID, etc.
  artifacts/     # Uploaded documents (IR plans, policies, configs)
```
This structure is the foundation. The MCP server and the `/ttx` skill operate on this directory, and the compiled twin (SIF) is produced from it.
## Organization Profile
The profile is a markdown document describing your organization. Edit it directly in the Org Profile page in the UI, or through the API.
A useful starting profile includes:
```markdown
## Organization
- Industry: Manufacturing
- Employees: 250
- IT Staff: 3 internal + MSP

## Security Stack
- EDR: CrowdStrike Falcon
- SIEM: Splunk Cloud
- IdP: Okta (SSO for ~40 apps)
- Email: Microsoft 365 + Defender

## IR Process
- Documented IR plan: Yes, last updated 2024-Q3
- On-call rotation: No formal rotation
- Escalation path: IT Lead → CISO → Legal
```
**Start simple.** You do not need a complete profile to begin. Even a few lines give the AI enough context to tailor exercises. The twin fills in gaps automatically through answer mining.
## Evidence Gathering
The `/ttx gather` command walks you through structured evidence collection. Claude asks about your security tools, team structure, IR procedures, backup processes, and vendor relationships. Every answer is mined for facts and added to the twin.
## Artifact Uploads
Drag and drop documents into the UI to enrich the twin:
| Format | What Gets Extracted |
|---|---|
| | IR plans, policies, audit reports, compliance docs |
| CSV | Asset inventories, user lists, vulnerability scans |
| JSON | Config exports, API responses, tool outputs |
| Text/Config | Firewall rules, network configs, runbooks |
**Size limit.** Artifact uploads are capped at 5 MB per file. For larger documents, extract the relevant sections.
The AI parses each document, extracts organizational facts, detects contradictions with existing twin knowledge, and indexes everything for semantic search.
## Connector Data
Connectors pull verified telemetry directly from your tools:
- Okta — users, MFA coverage, SSO applications, security logs
- Entra ID — users, groups, privileged roles, conditional access policies, sign-in logs
Connector data carries the highest confidence level (verified) because it comes from the source system rather than human description.
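As an added illustration (not Salient's own code), the following Python sketches how a store under `.salient/facts/` could apply the confidence rule above when an uploaded artifact or a gathered answer contradicts existing twin knowledge. The `Fact` class, the rank names other than `verified`, and the one-JSON-file-per-key layout are assumptions made for this example.

```python
# Added example, not Salient's own code: a minimal fact store laid out like
# .salient/facts/ that resolves contradictions by source confidence. Only the
# "verified" level comes from the page; the other rank names are assumptions.
import json
import re
import tempfile
from dataclasses import asdict, dataclass
from pathlib import Path

CONFIDENCE_RANK = {"inferred": 0, "stated": 1, "documented": 2, "verified": 3}


@dataclass
class Fact:
    key: str         # dotted path such as "security_stack.idp"
    value: str
    source: str      # "profile", "gather", "artifact:<file>", "connector:okta"
    confidence: str  # one of CONFIDENCE_RANK


class FactStore:
    def __init__(self, twin_dir: str = "") -> None:
        # No twin_dir given: use a throwaway directory, handy for experimenting.
        self.facts_dir = Path(twin_dir or tempfile.mkdtemp()) / "facts"
        self.facts_dir.mkdir(parents=True, exist_ok=True)

    def _path(self, key: str) -> Path:
        # Keys become file names: reject anything that could escape facts/.
        if not re.fullmatch(r"[A-Za-z0-9_][A-Za-z0-9_.-]*", key):
            raise ValueError(f"invalid fact key: {key!r}")
        return self.facts_dir / f"{key}.json"

    def get(self, key: str):
        path = self._path(key)
        return Fact(**json.loads(path.read_text())) if path.exists() else None

    def add(self, fact: Fact) -> str:
        """Merge one mined fact; returns 'added', 'kept', 'updated' or 'conflict'."""
        rank = CONFIDENCE_RANK[fact.confidence]  # KeyError on an unknown level
        old = self.get(fact.key)
        if old is not None and old.value == fact.value:
            if rank > CONFIDENCE_RANK[old.confidence]:
                self._write(fact)  # same claim, better provenance: upgrade it
            return "kept"
        if old is not None and rank <= CONFIDENCE_RANK[old.confidence]:
            return "conflict"  # weaker source disagrees: leave for human review
        self._write(fact)
        return "added" if old is None else "updated"

    def _write(self, fact: Fact) -> None:
        self._path(fact.key).write_text(json.dumps(asdict(fact), indent=2))
```

A human answer that disagrees with connector telemetry is returned as `conflict` rather than silently overwriting the verified value, while a connector fact supersedes a profile entry.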
## Sibling MCP Enrichment
When Claude has access to other MCP servers (Gmail, Notion, Calendar), the `/ttx enrich` command orchestrates across all of them. Security-relevant emails, policy documents from Notion, incident review calendar events: all flow into the twin automatically.