
Brief reference templates

This file is read by the daily and weekly Claude Code routines during their compose phase. It contains the canonical Markdown skeleton for each output and a worked-good § 2 fragment showing the technical-depth bar.

The substantive editorial / verification / state-update / publishing rules live in prompts/daily-cti-brief.md and prompts/weekly-summary.md — this file only contains the rendered shape of the published artefact.


Worked-good § 2 fragment (illustrative, not topic guidance)

This is the level of technical specificity every § 2 item must carry where the source supports it — exact vulnerable component path, technique class with MITRE ATT&CK IDs, exploitation prerequisites, affected and patched versions to vendor-stated precision, named campaign clusters, behavioural detection and hardening tied to the specificity (no IOCs, no rule code).

A supply-chain compromise injected a malicious post-install script into the fictitious npm @org/x-cli package across versions 4.2.7 → 4.3.1; the script invokes osascript on macOS / powershell.exe -enc on Windows to harvest browser cookie jars from each browser's per-profile cookie store on disk and exfiltrates them via DNS-over-HTTPS to an attacker-operated edge-serverless resolver — TLS-encrypted, blends with normal browser DNS-over-HTTPS traffic, evades classic egress proxies that don't terminate DoH (Vendor primary, YYYY-MM-DD). Mapped to T1195.002 Supply Chain Compromise: Compromise Software Supply Chain and T1071.004 Application Layer Protocol: DNS. Detection concepts: alert on unsigned osascript / powershell.exe -enc invocations from node / npm / npx parent-process trees (Sysmon EID 1 + parent-image filter); inventory installed @org/* package versions across developer endpoints; block egress DoH resolvers other than the corporate ones at the firewall / SWG. Hardening: pin npm dependencies via lockfile + --ignore-scripts; require signed npm packages for the affected scope. Affected versions: 4.2.7 through 4.3.1; fixed in 4.3.2.

The example is purely illustrative — the actual item depth is whatever the linked primary source supports. Do not invent technical detail the source did not state. Better to write less than to fabricate plausible-sounding specifics (PD-1 in the daily prompt).


Daily brief reference template

# CTI Daily Brief — YYYY-MM-DD

> **AI-generated content — no human review.** This brief was produced autonomously by an LLM ({model name}, model ID `{model-id}`) executing the prompt at `prompts/daily-cti-brief.md` as a Claude Code routine on Anthropic-managed cloud infrastructure. **Nothing here is reviewed or edited by a human before publication.** All facts are linked inline to public sources the agent fetched in this run. Verify any operationally critical claim against the linked primary source before acting.

**Generated by:** {model name} (`{model-id}`) · **Classification:** TLP:CLEAR · **Language:** English · **Prompt:** v{N.M}

## 0. TL;DR
- {bullet with inline source link} (up to 5 bullets; six on a catch-up day)

## 1. Immediate Actions
(Render ONLY when an item meets criteria. On quiet days OMIT entirely — no heading.)

### {Short imperative title}
{2–4 sentence summary: what is happening and why it is critical right now.}
**What to do now:**
- {specific concrete action}

— *Source: [Primary source title](URL) · Tags: actively-exploited, zero-click, rce · Region: global · CVE: CVE-YYYY-NNNNN*

## 2. Active Threats, Trending Actors, Notable Incidents & Disclosures

### {Active threat or incident headline}
{3–6 sentence summary with inline source link(s) at point of claim.}
**Why it matters to us:** {one-line defender takeaway, or "Defender takeaway:" for incidents}

— *Source: [Primary report](URL) · Additional source: [Corroborating publication](URL) · Tags: nation-state, espionage, supply-chain, <nexus-tag-from-taxonomy-if-applicable> · Region: europe, switzerland · Sector: public-sector, finance*

## 3. Trending Vulnerabilities

### CVE-YYYY-NNNNN — {Vendor} {Product}: {one-line description}
{2–4 sentence summary: what it is, prerequisites, exploitation status, who it affects, what to do.}

— *Source: [Primary advisory](URL) · Tags: rce, zero-click, actively-exploited, cisa-kev · Region: global · CVE: CVE-YYYY-NNNNN · CVSS: 9.8 · Vector: zero-click · Auth: pre-auth · Status: exploited, cisa-kev, no-patch*

| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-YYYY-NNNNN | … | … | … | … | … | … | [Link](url) |

## 4. Research & Investigative Reporting

### {Substantive primary report headline}
{One paragraph with inline link.}

— *Source: [Primary report](URL) · Tags: nation-state, espionage, identity, ai-abuse · Region: global*

## 5. Updates to Prior Coverage

> **UPDATE (originally YYYY-MM-DD):** {delta only — at least one inline source link.}
>
> — *Source: [The new publication](URL) · Tags: ransomware, data-breach · Region: europe*

(or: *No updates this run.*)

## 6. Deep Dive — {topic}

**Background.** {3–5 sentences if PD-10 applies, with inline links.}

{Incident narrative, ATT&CK mapping with links to MITRE pages, detection concepts in plain language, hardening / mitigation steps as cited. Inline-linked throughout. No IOCs. No rule code.}

— *Source: [Primary report](URL) · Additional source: [Corroborating advisory](URL) · Tags: rce, actively-exploited, nation-state, <nexus-tag-from-taxonomy-if-applicable> · Region: global · CVE: CVE-YYYY-NNNNN · CVSS: 9.3 · Vector: user-interaction · Auth: pre-auth · Status: exploited, cisa-kev*

## 7. Action Items

(Derived from this brief's content only. Generic advice does not belong here.)

- **Patch {product} immediately** if exposed — see CVE-YYYY-NNNNN above. Mitigation: {steps}. References: [{link}](#item-slug).
- **Hunt for {behaviour}** in EDR / SIEM. Detection concept: …

— *Source: {primary advisory or research} · Tags: actively-exploited, rce · Region: global*

## 8. Verification Notes

- Items dropped: {list with reason — including CVEs that didn't clear § 3}.
- Single-source items: {list, with the source named}.
- Items included with reduced confidence (only aggregator source available): {list}.
- Contradictions: {list}.
- Sub-agents that didn't return on time: {names + coverage scope missed}.
- Coverage gaps: source-id (reason); source-id (reason); source-a, source-b — not fetched in this run.

Weekly summary reference template

# CTI Weekly Summary — YYYY-Www ({Mon DD} – {Sun DD}, YYYY)

> **AI-generated content notice.** This weekly summary was produced autonomously by an LLM ({model name}, model ID `{model-id}`) executing the prompt at `prompts/weekly-summary.md` as a Claude Code routine on Anthropic-managed cloud infrastructure. All facts are linked inline to public sources or to the underlying daily briefs in this repository. Verify any operationally critical claim against the linked primary source before acting.

**Generated by:** {model name} (`{model-id}`) · **Audience:** SOC management, IR, Threat Hunting · **Classification:** TLP:CLEAR · **Language:** English · **Prompt:** v{N.M}

## 0. Week at a glance

- **{Inaction → incident headline}** — {one-line state} ([daily](briefs/YYYY-MM-DD.md), [primary](URL))
- **{Cross-day chain}** — {what changed this week}
- (5–8 bullets total)

## 1. Highest-impact events — what's on fire if no one acted

### {Item title}

**If you did nothing this week:** {one-line operational reality — what's currently breaking, who's currently being exploited, what deadline has passed}.

{2–4 paragraph technical recap with inline source links. Where relevant, link back to the specific daily brief that first covered it and to the primary technical write-up.}

— *Source: [Vendor PSIRT advisory](URL) · [Research blog with technical analysis](URL) · [Daily brief](briefs/YYYY-MM-DD.md) · Tags: actively-exploited, pre-auth, rce, cisa-kev · Region: global · CVE: CVE-YYYY-NNNNN · CVSS: 9.8 · Vector: zero-click · Auth: pre-auth · Status: exploited, cisa-kev, patch-available*

## 2. Multi-day campaigns and chains

### {Campaign name}

{Single consolidated section showing what was known at the start of the week, what changed each day, where it stands now.}

— *Source: [Vendor analysis](URL) · [Daily brief — first coverage](briefs/YYYY-MM-DD.md) · Tags: actively-exploited, supply-chain · Region: global*

## 3. Vulnerability roll-up

| CVE | Product | Status | Patched | KEV | First brief | Source |
|---|---|---|---|---|---|---|
| CVE-YYYY-NNNNN | … | Active ITW \| KEV-added \| PoC-public \| Patched \| Disclosure-only | … | … | [briefs/YYYY-MM-DD.md](briefs/YYYY-MM-DD.md) | [Vendor PSIRT](url) |

### CVE-YYYY-NNNNN — {Vendor} {Product}: {one-line description}

{Short paragraph. Status this week vs. status when first covered.}

— *Source: [Vendor PSIRT](URL) · [Research blog](URL) · Tags: rce, actively-exploited, cisa-kev · Region: global · CVE: CVE-YYYY-NNNNN · CVSS: 9.8 · Vector: zero-click · Auth: pre-auth · Status: exploited, cisa-kev, patch-available*

## 4. Sector & victim patterns

### {Sector}

{One paragraph with inline links. Where a Swiss / European public-sector area saw meaningful activity, call it out explicitly.}

— *Source: [Evidence link](URL) · Tags: ransomware, organized-crime · Region: europe · Sector: healthcare*

## 5. Incidents & disclosures recap

### {Notable incident}

{Roll-up of a notable publicly-disclosed security incident. Cross-cutting theme noted, regulatory follow-up if any.}

— *Source: [Victim disclosure](URL) · [Regulator notice](URL) · Tags: data-breach, ransomware · Region: europe · Sector: telco*

## 6. Annual / periodic threat reports

### {Report name}

{Cross-finding synthesis a Swiss / European public-sector SOC needs. Each finding gets a citation. Do not repeat findings the dailies already absorbed.}

— *Source: [Report PDF or vendor blog](URL) · Tags: nation-state, espionage · Region: global*

## 7. Long-running campaigns — status update

### {Campaign name}

{One short paragraph per campaign with current state and outstanding questions.}

— *Source: [Latest publicly-reported development](URL) · Tags: nation-state, <nexus-tag-from-taxonomy-if-applicable> · Region: global*

## 8. Policy & regulatory horizon

### {Policy item}

{What changed and what defenders need to do differently.}

— *Source: [Regulator publication](URL) · Tags: law-enforcement, eu-nexus · Region: europe*

## 9. Looking ahead — what to watch next week

A focused, justified list. **Not predictions** — items already in motion.

- **{Item}** — {one-line rationale citing what is in motion}. ([Source](URL); [Daily brief](briefs/YYYY-MM-DD.md))

## 10. Verification & coverage notes

- Items still flagged `[SINGLE-SOURCE]` from the week.
- Items dropped from this week's roll-up that may resurface (briefly explain why dropped).
- Contradictions across sources that remain unresolved.
- Items included with reduced confidence (only aggregator source available).
- Sub-agents that didn't return on time: {names + coverage scope missed}.
- Verification iterations: N · residuals: N (Phase 3.5 telemetry).
- Coverage gaps: source-id (reason); source-id (reason); source-a, source-b — not fetched in this run.