First Observed In The Wild
Pre-registered signatures, transparency-log anchored, published within a week of first fleet observation.
What FOITW is
When a sophisticated AI agent attack technique is published in research — a paper, a talk, a CVE — there is a window between disclosure and the first time the technique appears in the wild. Whoever first observes the technique in the wild with reproducible evidence and a credible pre-registration earns the canonical timestamp.
FOITW is OpenA2A's mechanism for that. We pre-register signatures for the techniques we are watching, publish the catalog with cryptographic timestamps, and run our continuous honeypot fleet against incoming traffic. When a signature fires, we publish within a week.
The pre-registration catalog
Every technique we watch for has a catalog entry. Each entry specifies:
- The Threat Matrix technique it maps to.
- The original research it derives from (paper, talk, or CVE).
- A registration timestamp anchored in the registry transparency log.
- The signature itself — a deterministic match expression or a NanoMind-Trap classifier reference with its decision threshold. Classifier thresholds are fixed at registration time. Adjusting the threshold post-hoc would invalidate the pre-registration claim, so we forbid it.
The catalog itself is published at /methodology/foitw/catalog. Publishing the catalog establishes the "we were watching for this" timestamp.
Publication SLAs
| Stage | SLA |
|---|---|
| Draft post | 72 hours from first signature fire |
| Reviewed publication | 7 days from first signature fire |
| Catalog update | Same commit as publication |
If a draft cannot land within seventy-two hours (e.g., the observation needs ARIAred reproduction), publication is delayed up to two weeks with a public delay notice posted on day seven.
Cross-property promotion
When a signature fires for the first time, we check the firing property against the emitting property. If a canary token was emitted on property A and resolved on property B, the agent saw the canary URL on A and chose to fetch it from B — a cross-property reasoning event. These are the rarest and most diagnostic signals in the fleet, and they are automatically prioritized over single-property fires when the publication queue has multiple posts pending.
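The prioritization rule above, combined with the deadlines from the SLA table, as an added example that is not OpenA2A's own code. The event fields, the signature and token identifiers, and the tie-break by draft deadline are assumptions, and the sample fires are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Deadlines taken from the Publication SLAs table on this page.
DRAFT_SLA = timedelta(hours=72)
REVIEW_SLA = timedelta(days=7)

@dataclass(frozen=True)
class Fire:
    signature_id: str   # hypothetical catalog identifier
    token: str          # canary token that was resolved
    resolved_on: str    # property where the fetch arrived
    fired_at: datetime

def first_fires(fires):
    """Keep only the earliest fire per signature; later fires are not 'first'."""
    earliest = {}
    for f in sorted(fires, key=lambda f: f.fired_at):
        earliest.setdefault(f.signature_id, f)
    return list(earliest.values())

def is_cross_property(fire, emitted_on):
    """True when the token was emitted on one property and resolved on another.
    A token with no emission record cannot be classified, so it is not promoted."""
    origin = emitted_on.get(fire.token)
    return origin is not None and origin != fire.resolved_on

def publication_queue(fires, emitted_on):
    """Order pending posts: cross-property first, then by draft deadline (assumed tie-break)."""
    rows = [{
        "signature_id": f.signature_id,
        "cross_property": is_cross_property(f, emitted_on),
        "draft_due": f.fired_at + DRAFT_SLA,
        "publish_due": f.fired_at + REVIEW_SLA,
    } for f in first_fires(fires)]
    return sorted(rows, key=lambda r: (not r["cross_property"], r["draft_due"]))

# Constructed sample data: where each canary token was emitted, and the fires seen.
EMITTED_ON = {"tok-a1": "property-a", "tok-b7": "property-b"}
T0 = datetime(2025, 1, 6, 12, 0, tzinfo=timezone.utc)
FIRES = [
    Fire("sig-001", "tok-b7", "property-b", T0),                       # single-property
    Fire("sig-002", "tok-a1", "property-b", T0 + timedelta(hours=5)),  # emitted on A, resolved on B
    Fire("sig-001", "tok-b7", "property-b", T0 + timedelta(hours=9)),  # repeat, not a first fire
]

if __name__ == "__main__":
    for row in publication_queue(FIRES, EMITTED_ON):
        print(row)
```

The later cross-property fire for `sig-002` is queued ahead of the earlier single-property fire for `sig-001`, and the repeat fire of `sig-001` is dropped because only the first fire starts the SLA clock.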
Reproducibility
Every FOITW post includes a SQL query (or filter expression) that, when run against the public Registry telemetry export bundle, reproduces the first-fire event. A defender can verify our claim independently within thirty minutes.
If the export bundle has not yet caught up to include the cited event (the bundle is published with a lag), the post explicitly notes the date when verification will become possible.
What FOITW does not do
- We do not claim to be the first operational use of a technique. We claim to be the first published reproducible observation. Operational use may have predated our fire.
- We do not weaponize or distribute exploit code. Posts describe the technique; PoC code (if any) goes through the ARIAdesk disclosure pipeline.
- We do not bypass responsible disclosure. If a fire reveals a previously undisclosed vulnerability in a third-party system, that goes through the ninety-day coordinated-disclosure process before any FOITW post mentions it.
- We do not retroactively claim observations. A signature must have been registered with a transparency-log anchor predating the first-fire timestamp.