# Brief reference templates
This file is read by the daily and weekly Claude Code routines during their compose phase. It contains the canonical Markdown skeleton for each output and a worked-good § 2 fragment showing the technical-depth bar.
The substantive editorial / verification / state-update / publishing rules live in `prompts/daily-cti-brief.md` and `prompts/weekly-summary.md` — this file only contains the rendered shape of the published artefact.
## Worked-good § 1 fragment (illustrative, not topic guidance)
This is the level of technical specificity every § 1 item must carry where the source supports it — exact vulnerable component path, technique class with MITRE ATT&CK IDs, exploitation prerequisites, affected and patched versions to vendor-stated precision, named campaign clusters, behavioural detection and hardening tied to the specificity (no IOCs, no rule code).
A supply-chain compromise injected a malicious post-install script into the fictitious npm `@org/x-cli` package across versions 4.2.7 → 4.3.1; the script invokes `osascript` on macOS / `powershell.exe -enc` on Windows to harvest browser cookie jars from each browser's per-profile cookie store on disk and exfiltrates them via DNS-over-HTTPS to an attacker-operated edge-serverless resolver — TLS-encrypted, blends with normal browser DNS-over-HTTPS traffic, evades classic egress proxies that don't terminate DoH (Vendor primary, YYYY-MM-DD). Mapped to `T1195.002` Supply Chain Compromise: Compromise Software Supply Chain and `T1071.004` Application Layer Protocol: DNS. Detection concepts: alert on unsigned `osascript` / `powershell.exe -enc` invocations from `node`/`npm`/`npx` parent-process trees (Sysmon EID 1 + parent-image filter); inventory installed `@org/*` package versions across developer endpoints; block egress DoH resolvers other than the corporate ones at the firewall / SWG. Hardening: pin npm dependencies via lockfile + `--ignore-scripts`; require signed npm packages for the affected scope. Affected versions: 4.2.7 through 4.3.1; fixed in 4.3.2.
The example is purely illustrative — the actual item depth is whatever the linked primary source supports. Do not invent technical detail the source did not state. Better to write less than to fabricate plausible-sounding specifics (PD-1 in the daily prompt).
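For readers of this file, the two detection concepts in the fragment above (parent-process filtering of `osascript` / `powershell.exe -enc` launches, and inventorying `@org/x-cli` versions against the affected range) as runnable logic. This is an added illustration, not template content and not something the brief itself should carry (the brief's own "no rule code" rule is unchanged). The Sysmon EID 1 field names (`Image`, `ParentImage`, `CommandLine`, `ProcessGuid`, `ParentProcessGuid`) are real; every event record, hostname and version below is constructed sample input, and `@org/x-cli` is the same fictitious package the fragment uses.

```python
"""Parent-process filter and version-range inventory check for the
fictitious @org/x-cli post-install compromise (added example; all
events and inventory data are constructed)."""
import re
from typing import Dict, List, Tuple

# --- Part 1: inventory check against the stated affected range ---------
AFFECTED_LOW, AFFECTED_HIGH, FIXED = "4.2.7", "4.3.1", "4.3.2"

# Constructed sample: hostname -> installed @org/x-cli version.
SAMPLE_INVENTORY = {"dev-01": "4.2.6", "dev-02": "4.2.7",
                    "dev-03": "4.3.1", "dev-04": "4.3.2"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric tuple so that 4.10.0 sorts after 4.9.9 (string compare would not)."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version: str) -> bool:
    """Inclusive range 4.2.7 .. 4.3.1, as stated in the fragment."""
    return parse_version(AFFECTED_LOW) <= parse_version(version) <= parse_version(AFFECTED_HIGH)


def affected_hosts(inventory: Dict[str, str]) -> List[str]:
    return sorted(h for h, v in inventory.items() if is_affected(v))


# --- Part 2: Sysmon EID 1 parent-image filter ---------------------------
NPM_PARENTS = {"node", "node.exe", "npm", "npm.cmd", "npx", "npx.cmd"}
# -e / -ec / -enc / -EncodedCommand are the accepted PowerShell spellings;
# the lookahead keeps -ExecutionPolicy and -Command from matching.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)(?=\s|$)")

# Constructed EID 1 subset. g3 (powershell -enc under cmd under node) and
# g5 (osascript under npm) should fire; g4 (osascript from an interactive
# shell) and g10 (powershell without -enc) should not.
SAMPLE_EVENTS = [
    {"ProcessGuid": "g1", "ParentProcessGuid": "g0", "Image": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": "node install.js"},
    {"ProcessGuid": "g2", "ParentProcessGuid": "g1", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c postinstall.cmd"},
    {"ProcessGuid": "g3", "ParentProcessGuid": "g2",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"ProcessGuid": "g7", "ParentProcessGuid": "g0", "Image": "/bin/zsh", "CommandLine": "-zsh"},
    {"ProcessGuid": "g4", "ParentProcessGuid": "g7", "Image": "/usr/bin/osascript",
     "CommandLine": "osascript -e 'display notification \"build done\"'"},
    {"ProcessGuid": "g6", "ParentProcessGuid": "g7", "Image": "/usr/local/bin/npm",
     "CommandLine": "npm install"},
    {"ProcessGuid": "g5", "ParentProcessGuid": "g6", "Image": "/usr/bin/osascript",
     "CommandLine": "osascript /tmp/.x.scpt"},
    {"ProcessGuid": "g10", "ParentProcessGuid": "g1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Date"},
]


def basename(path: str) -> str:
    """Last path component, tolerant of both separators, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_scripting_host(event: dict) -> bool:
    """osascript on macOS, or powershell.exe carrying an encoded-command flag.
    Signing status is not in EID 1; join it from a separate source if needed."""
    name = basename(event["Image"])
    if name == "osascript":
        return True
    return name == "powershell.exe" and bool(ENC_FLAG.search(event["CommandLine"]))


def has_npm_ancestor(event: dict, by_guid: Dict[str, dict], max_depth: int = 5) -> bool:
    """Walk ParentProcessGuid links (bounded) looking for node/npm/npx."""
    parent = by_guid.get(event["ParentProcessGuid"])
    depth = 0
    while parent is not None and depth < max_depth:
        if basename(parent["Image"]) in NPM_PARENTS:
            return True
        parent = by_guid.get(parent["ParentProcessGuid"])
        depth += 1
    return False


def suspicious_launches(events: List[dict]) -> List[str]:
    """ProcessGuids of scripting-host launches whose ancestry includes npm tooling."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    return [e["ProcessGuid"] for e in events
            if is_scripting_host(e) and has_npm_ancestor(e, by_guid)]


if __name__ == "__main__":
    print("hosts in affected range:", affected_hosts(SAMPLE_INVENTORY))  # dev-02, dev-03
    print("suspicious launches:", suspicious_launches(SAMPLE_EVENTS))    # g3, g5
```

The ancestor walk is what makes the filter a "parent-process tree" check rather than a direct-parent check: the Windows case in the sample fires even though `cmd.exe` sits between `node.exe` and `powershell.exe`. The depth bound keeps the walk cheap on long chains and prevents loops on malformed data.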
## Daily brief reference template
# CTI Daily Brief — YYYY-MM-DD
> **AI-generated content — no human review.** This brief was produced autonomously by an LLM ({your friendly model name}, model ID `{your canonical model-id}`) with parallel research and verification by sub-agents ({comma-separated friendly names of the distinct sub-agent models that returned this run — verbatim from each return's `**Model:**` line; collapse duplicates so the list shows each distinct model exactly once; append `; one sub-agent did not report its model` if any sub-agent's `**Model:**` line was absent}) executing the prompt at `prompts/daily-cti-brief.md` as a Claude Code routine on Anthropic-managed cloud infrastructure. **Nothing here is reviewed or edited by a human before publication.** All facts are linked inline to public sources the agent fetched in this run. Verify any operationally critical claim against the linked primary source before acting.
**Generated by:** {your friendly model name} (`{your canonical model-id}`) · **Sub-agents:** S1: {S1's friendly name} · S2: {S2's friendly name} · S3: {S3's friendly name} · S4: {S4's friendly name} · verify: {verifier's friendly name}[, {next iteration's verifier} …] · **Classification:** TLP:CLEAR · **Language:** English · **Prompt:** v{N.M}
## 0. TL;DR
- {bullet with inline source link} (up to 5 bullets; six on a catch-up day)
> **Immediate Action — {short imperative title}.** {2–4 sentences: what is happening, why it is critical *right now*, what specific defender action is time-critical (emergency patch, isolation, credential rotation, emergency detection rule). Inline-link the primary source.}
>
> — *Source: [Primary source title](URL) · Tags: actively-exploited, zero-click, rce · Region: global · CVE: CVE-YYYY-NNNNN · Vector: zero-click · Auth: pre-auth · Status: exploited*
(Most days: omit the Immediate Action callout entirely. The TL;DR ends with its bullet list. The callout is for "stop reading and act now" items only — see prompt for the bar.)
## 1. Active Threats, Trending Actors, Notable Incidents & Disclosures
### {Active threat or incident headline}
{3–6 sentence summary with inline source link(s) at point of claim.}
**Why it matters to us:** {one-line defender takeaway, or "Defender takeaway:" for incidents}
— *Source: [Primary report](URL) · Additional source: [Corroborating publication](URL) · Tags: nation-state, espionage, supply-chain, <nexus-tag-from-taxonomy-if-applicable> · Region: europe, switzerland · Sector: public-sector, finance*
## 2. Trending Vulnerabilities
### CVE-YYYY-NNNNN — {Vendor} {Product}: {one-line description}
{2–4 sentence summary: what it is, prerequisites, exploitation status, who it affects, what to do.}
— *Source: [Primary advisory](URL) · Tags: rce, zero-click, actively-exploited, cisa-kev · Region: global · CVE: CVE-YYYY-NNNNN · CVSS: 9.8 · Vector: zero-click · Auth: pre-auth · Status: exploited, cisa-kev, no-patch*
#### CVE Summary Table
| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-YYYY-NNNNN | … | … | … | … | … | … | [Link](url) |
## 3. Research & Investigative Reporting
### {Substantive primary report headline}
{One paragraph with inline link.}
— *Source: [Primary report](URL) · Tags: nation-state, espionage, identity, ai-abuse · Region: global*
## 4. Updates to Prior Coverage
### UPDATE: {short story title — what changed}
> **UPDATE (originally covered YYYY-MM-DD):** {first paragraph — the delta in one or two sentences, inline-link the primary source.}
>
> {Second paragraph if needed — additional new facts, named victims, deadlines, attribution.}
>
> — *Source: [The new publication](URL) · Tags: ransomware, data-breach · Region: europe · CVE: CVE-YYYY-NNNNN · Status: exploited, cisa-kev*
(or: *No updates this run.*)
## 5. Deep Dive — {topic}
**Background.** {3–5 sentences if PD-10 applies, with inline links.}
{Incident narrative, ATT&CK mapping with links to MITRE pages, detection concepts in plain language, hardening / mitigation steps as cited. Inline-linked throughout. No IOCs. No rule code.}
— *Source: [Primary report](URL) · Additional source: [Corroborating advisory](URL) · Tags: rce, actively-exploited, nation-state, <nexus-tag-from-taxonomy-if-applicable> · Region: global · CVE: CVE-YYYY-NNNNN · CVSS: 9.3 · Vector: user-interaction · Auth: pre-auth · Status: exploited, cisa-kev*
## 6. Action Items
(Derived from this brief's content only. Generic advice does not belong here.)
- **Patch {product} immediately** if exposed — see CVE-YYYY-NNNNN above. Mitigation: {steps}. References: [{link}](#item-slug).
- **Hunt for {behaviour}** in EDR / SIEM. Detection concept: …
— *Source: {primary advisory or research} · Tags: actively-exploited, rce · Region: global*
## 7. Verification Notes
- Items dropped: {list with reason — including CVEs that didn't clear § 2}.
- Single-source items: {list, with the source named}.
- Items included with reduced confidence (only aggregator source available): {list}.
- Contradictions: {list}.
- Sub-agents that didn't return on time: {names + coverage scope missed}.
- Coverage gaps: source-id (reason); source-id (reason); source-a, source-b — not fetched in this run.
## Weekly summary reference template
# CTI Weekly Summary — YYYY-Www ({Mon DD} – {Sun DD}, YYYY)
> **AI-generated content notice.** This weekly summary was produced autonomously by an LLM ({your friendly model name}, model ID `{your canonical model-id}`) with parallel research and verification by sub-agents ({comma-separated friendly names of the distinct sub-agent models that returned this run — verbatim from each return's `**Model:**` line; collapse duplicates so the list shows each distinct model exactly once}) executing the prompt at `prompts/weekly-summary.md` as a Claude Code routine on Anthropic-managed cloud infrastructure. All facts are linked inline to public sources or to the underlying daily briefs in this repository. Verify any operationally critical claim against the linked primary source before acting.
**Generated by:** {your friendly model name} (`{your canonical model-id}`) · **Sub-agents:** W1: {W1's friendly name} · W2: {W2's friendly name} · verify: {verifier's friendly name}[, ...] · **Audience:** SOC management, IR, Threat Hunting · **Classification:** TLP:CLEAR · **Language:** English · **Prompt:** v{N.M}
## 0. Week at a glance
- **{Inaction = incident headline}** — {one-line state} ([daily](briefs/YYYY-MM-DD.md), [primary](URL))
- **{Cross-day chain}** — {what changed this week}
- (5–8 bullets total)
## 1. Highest-impact events — what's on fire if no one acted
### {Item title}
**If you did nothing this week:** {one-line operational reality — what's currently breaking, who's currently being exploited, what deadline has passed}.
{2–4 paragraph technical recap with inline source links. Where relevant, link back to the specific daily brief that first covered it and to the primary technical write-up.}
— *Source: [Vendor PSIRT advisory](URL) · [Research blog with technical analysis](URL) · [Daily brief](briefs/YYYY-MM-DD.md) · Tags: actively-exploited, pre-auth, rce, cisa-kev · Region: global · CVE: CVE-YYYY-NNNNN · CVSS: 9.8 · Vector: zero-click · Auth: pre-auth · Status: exploited, cisa-kev, patch-available*
## 2. Multi-day campaigns and chains
### {Campaign name}
{Single consolidated section showing what was known at the start of the week, what changed each day, where it stands now.}
— *Source: [Vendor analysis](URL) · [Daily brief — first coverage](briefs/YYYY-MM-DD.md) · Tags: actively-exploited, supply-chain · Region: global*
## 3. Vulnerability roll-up
| CVE | Product | Status | Patched | KEV | First brief | Source |
|---|---|---|---|---|---|---|
| CVE-YYYY-NNNNN | … | Active ITW \| KEV-added \| PoC-public \| Patched \| Disclosure-only | … | … | [briefs/YYYY-MM-DD.md](briefs/YYYY-MM-DD.md) | [Vendor PSIRT](url) |
### CVE-YYYY-NNNNN — {Vendor} {Product}: {one-line description}
{Short paragraph. Status this week vs. status when first covered.}
— *Source: [Vendor PSIRT](URL) · [Research blog](URL) · Tags: rce, actively-exploited, cisa-kev · Region: global · CVE: CVE-YYYY-NNNNN · CVSS: 9.8 · Vector: zero-click · Auth: pre-auth · Status: exploited, cisa-kev, patch-available*
## 4. Sector & victim patterns
### {Sector}
{One paragraph with inline links. Where a Swiss / European public-sector area saw meaningful activity, call it out explicitly.}
— *Source: [Evidence link](URL) · Tags: ransomware, organized-crime · Region: europe · Sector: healthcare*
## 5. Incidents & disclosures recap
### {Notable incident}
{Roll-up of a notable publicly-disclosed security incident. Cross-cutting theme noted, regulatory follow-up if any.}
— *Source: [Victim disclosure](URL) · [Regulator notice](URL) · Tags: data-breach, ransomware · Region: europe · Sector: telco*
## 6. Annual / periodic threat reports
### {Report name}
{Cross-finding synthesis a Swiss / European public-sector SOC needs. Each finding gets a citation. Do not repeat findings the dailies already absorbed.}
— *Source: [Report PDF or vendor blog](URL) · Tags: nation-state, espionage · Region: global*
## 7. Long-running campaigns — status update
### {Campaign name}
{One short paragraph per campaign with current state and outstanding questions.}
— *Source: [Latest publicly-reported development](URL) · Tags: nation-state, <nexus-tag-from-taxonomy-if-applicable> · Region: global*
## 8. Policy & regulatory horizon
### {Policy item}
{What changed and what defenders need to do differently.}
— *Source: [Regulator publication](URL) · Tags: law-enforcement, eu-nexus · Region: europe*
## 9. Looking ahead — what to watch next week
A focused, justified list. **Not predictions** — items already in motion.
- **{Item}** — {one-line rationale citing what is in motion}. ([Source](URL); [Daily brief](briefs/YYYY-MM-DD.md))
## 10. Verification & coverage notes
- Items still flagged `[SINGLE-SOURCE]` from the week.
- Items dropped from this week's roll-up that may resurface (briefly explain why dropped).
- Contradictions across sources that remain unresolved.
- Items included with reduced confidence (only aggregator source available).
- Sub-agents that didn't return on time: {names + coverage scope missed}.
- Verification iterations: N · residuals: N (Phase 3.5 telemetry).
- Coverage gaps: source-id (reason); source-id (reason); source-a, source-b — not fetched in this run.