Add exploit protection strategy and rationale

Author: Andres Maqueo

docs/exploit-protection.md

@@ -0,0 +1,98 @@
+\# Exploit Protection Strategy
+
+
+
+\## Objective
+
+This document describes the rationale behind the current exploit protection
+
+configuration and the decision to rely on system defaults.
+
+
+
+\## Current State
+
+System-wide exploit mitigations are configured using Windows default settings.
+
+
+
+This includes:
+
+\- DEP
+
+\- ASLR
+
+\- CFG
+
+\- SEHOP
+
+\- Heap protections
+
+
+
+No explicit overrides are applied at this time.
+
+
+
+\## Rationale
+
+The baseline prioritizes:
+
+\- Platform integrity
+
+\- Code execution prevention
+
+\- Hardware-backed trust
+
+
+
+Exploit protection hardening is intentionally deferred to avoid:
+
+\- Application compatibility issues
+
+\- Increased operational complexity
+
+\- False sense of security without proper testing
+
+
+
+\## Risk Consideration
+
+Relying on system defaults accepts residual risk related to:
+
+\- Memory corruption exploits in trusted applications
+
+\- Post-exploitation techniques within allowed binaries
+
+
+
+These risks are partially mitigated by:
+
+\- Hypervisor-enforced code integrity (HVCI)
+
+\- Application control (WDAC)
+
+\- Attack Surface Reduction rules
+
+
+
+\## Future Hardening Path
+
+Exploit protection may be incrementally hardened by:
+
+\- Enabling system-wide DEP and ASLR enforcement
+
+\- Applying per-process mitigations for high-risk applications
+
+\- Auditing exploit mitigation impact before enforcement
+
+
+
+\## Architectural Position
+
+Exploit protection is treated as a secondary containment layer,
+
+not as a primary security boundary.
+
+
+