R.CAUDLE · Riverman Research · Inquiry Rev 01 · 2026.05.16

Research · Open questions

The questions worth the time. Notes from the substrate.

Working in the open.

Most security research lives at the information layer because that's where the tooling already points. The substrate is where the unanswered questions are. Physics doesn't patch, controllers don't reboot on a maintenance window, and the failure modes that matter don't show up in a log. That's the work worth doing.

These are working notes, not conclusions. If something here reads as settled, I haven't pushed on it hard enough yet.

By River Caudle

§ 01 — Lines of inquiry

The questions I keep coming back to.

These are the threads I follow when the engagement work pauses. None of them are finished. Each is here because it resists the easy answer and because getting it wrong has a physical cost.

What I'm pulling on

  • Substrate failure — how control loops degrade before they fail, and what that looks like upstream.
  • Trust boundaries — where the OT/IT seam actually sits versus where the diagram says it does.
  • Change as risk — quantifying the cost of motion in systems that punish it.
  • Ownership decay — how operational capability erodes when nobody is measuring it.

Why these and not others

  • Physical stakes — the wrong answer moves something heavy.
  • Under-instrumented — the questions sit where the sensors don't.
  • Doctrine-bearing — answers here change how networks get built.
  • Unfashionable — slow, unglamorous, and therefore neglected.

"The substrate is where the unanswered questions are. The tooling just doesn't point there yet."

§ 02 — Working hypotheses

What I currently think, and why I'd drop it.

A hypothesis earns its place by being falsifiable. Each of these is paired with the condition that would make me abandon it. If I can't state that condition, it isn't research — it's a belief.

Current hypothesis, and what would falsify it

  • Current hypothesis: Substrate failures announce themselves before they cascade
    What would falsify it: Repeated cascades with no measurable precursor signal
  • Current hypothesis: Most OT incidents are ownership failures, not attacks
    What would falsify it: Incident review showing attack origin dominates
  • Current hypothesis: Change frequency predicts instability better than severity
    What would falsify it: Stable systems under high change, instability under low
  • Current hypothesis: Visibility gaps follow organizational seams, not technical ones
    What would falsify it: Gaps clustering in technically uniform, well-owned zones

§ 03 — How I publish

Dated working notes, not premature claims.

Research that hides its uncertainty is marketing. I publish in the open, with the doubt left in. The difference between the two columns below is the difference between honest work and a press release.

Not this

  • A finding announced before it's tested
  • Conclusions with the uncertainty edited out
  • Numbers presented without their provenance
  • A claim that can't say what would disprove it

This

  • A dated note that says what I knew, when
  • The doubt left visible in the text
  • Method stated before the result
  • Every hypothesis paired with its falsifier

§ 04 — Where this leads

Inquiry feeds doctrine.

Research isn't separate from the rest of the work — it's the part where doctrine gets stress-tested before it ships. When a line of inquiry resolves, it surfaces in the writing, the position, and the frameworks. Follow the trail.

"These are working notes, not conclusions. The questions are the point."
