ctipilot.ch
Sun · 12 Jul 2026
All daily briefs ↗
Daily brief · UTC day

Sunday, 12 July 2026

0 verified findings from 4 runs · the settled record for this UTC day, in the classic brief order.

Criticality
Verification & coverage notes4 runs

2026-07-12T2009Z-intel · Claude Opus 4.8 · window 24 h · 0 entries published

Run 2026-07-12T2009Z-intel

Prompt version: v3.22. Intraday fire; gap 7.01 h since the previous run (2026-07-12T1308Z-audit, 13:08Z), window held to the 24 h floor. The last research fire was 2026-07-12T1210Z-intel (12:10Z), which itself returned zero, so this run targeted only the genuinely-new delta since ~2026-07-12T12:30Z and leaned on the 14-day dedup index (158 records / 541 store-wide CVEs already published).

Outcome — zero entries (healthy quiet Sunday-evening window)

All four research sub-agents ran to completion and each returned 0 items. This is a genuinely quiet ~7 h intraday delta on a Sunday evening, not a coverage miss: every essential CERT/PSIRT/KEV source's freshest content clusters at or before 2026-07-10, before the window, and every candidate any sub-agent surfaced either matched a prior-coverage record or failed the recency/relevance gate. A zero-entry intraday run is the expected outcome for a short, quiet window — publishing nothing is correct when nothing new clears the gate, and dedup guarantees more-frequent fires cut latency, never inflate volume.

What each domain covered

  • S1 — active threats & trending vulns: full essential sweep (CISA KEV API, NCSC-NL RSS, ANSSI/CERT-FR, BSI WID-SEC, CERT-EU, CERT-PL, CISA advisories/directives, ENISA EUVD, NCSC-CH Security Hub, NCSC-UK) plus rotation standard sources (chrome-releases, oracle-cpu, watchTowr, GreyNoise, Project Zero, Claroty Team82, Horizon3.ai, MSRC, VulnCheck). Every essential source's freshest content clustered at ~2026-07-12T08:16Z (a batch of VulnCheck/GHSA disclosures with no confirmed in-the-wild exploitation — CVE-2026-61876 LuCI XSS, CVE-2026-56271 Flowise, CVE-2026-59260 OpenWrt luci-app-samba4 RCE, and Capgo/Crawl4AI issues) or on Fri 2026-07-10 — all before the ~12:30Z window start, and none clearing the beyond-the-patch-cycle bar. Two promising first-pass leads (CVE-2026-45659 SharePoint / Storm-2603 and CVE-2026-43499 "GhostLock" Linux rtmutex UAF) were confirmed already-published in the 14-day index. Oracle's next CPU is scheduled 21 July 2026 (nothing new). Targeted EN/DE WebSearch surfaced nothing additional in-window.
  • S2 — home region & sector: exhaustive Swiss/EU sweep (NCSC-CH Im Fokus / Aktuelle Vorfälle / Security Hub, CERT-FR, BSI, CERT.at, CERT-EU, CERT-PL, ENISA, NCSC-NL, NCSC-UK, NCSC-IE) plus DACH research houses and Swiss press, plus 26 targeted DE/FR/IT/NL/EN searches across Swiss cantons, German municipalities, French collectivités/hôpitaux, Italian PA/ospedali, and EU energy/finance/telco. Every source's freshest item predated the window (across-the-board latest 2026-07-09/07-10). Five ongoing Swiss/EU stories already in the registry (Groupe 3R, CERT-LV/LVM, Odido, MedusaLocker Zurich Baudirektion, PDAG) were checked for in-window deltas — none beyond the 07-09/07-10 coverage already in-store.
  • S3 — research & investigative reporting: full rotation slice (Qianxin X-Lab, Fox-IT, Seqrite, Sophos X-Ops, Sygnia, Volexity, Calif/Codex, SentinelLabs, DFIR Report, Horizon3.ai, Recorded Future Insikt, AhnLab ASEC, Citizen Lab, Cloudforce One) plus the research majors (Microsoft, GTIG/Mandiant, Talos, Unit 42, Check Point, ESET, Kaspersky Securelist, Proofpoint, Trend Micro) and OT/ICS labs (Dragos, Claroty Team82, Nozomi). Every candidate's true publication date clustered 2026-06-24 → 2026-07-10; several (ESET Threat Report H1 2026, CitrixBleed2→DragonForce STAC3725) are already in-store. Nothing cleared the recency gate.
  • S4 — incidents & disclosures: full slice (SEC EDGAR 8-K Item 1.05 full-text search, ransomware.live recent-victims filtered against CH/DE/AT/FR/IT/NL/BE/LU/LI × public-sector/healthcare/energy/finance/telco/water/transport, BleepingComputer, CNIL, DataBreaches.net, ICO-UK, Have I Been Pwned/Troy Hunt, CyberInsider) plus DE/FR native-language pivots. No item cleared the strict incidents/disclosures inclusion gate for the window.

Borderline / recycled drops (recorded for recoverability)

  • borderline-drop: AMEOS (DACH hospital group) breach story — surfaced in S4's search as "July 2026" framing, but WebFetch resolved the underlying article to a 2026-07-23 → 2025-07-23 publication date (a full year old). Recycled, not in-window; dropped.
  • out-of-window: 2026-07-12T08:16Z GHSA/VulnCheck batch (CVE-2026-61876 LuCI XSS, CVE-2026-56271 Flowise, CVE-2026-59260 OpenWrt luci-app-samba4 RCE, Capgo/Crawl4AI) — S1; published before the ~12:30Z window start and none with confirmed in-the-wild exploitation or exposure-driven urgency, so none clears the beyond-the-patch-cycle bar even setting recency aside.
  • already-covered (dedup): CVE-2026-45659 SharePoint / Storm-2603; CVE-2026-43499 "GhostLock" Linux rtmutex UAF — S1; both confirmed present in the 14-day prior-coverage index, no material in-window delta.
  • stale (out-of-window, no in-window delta): Unit 42 "The Gentlemen" affiliate model; Recorded Future TAG-182/MarkiRAT; Nozomi Apex2/c2c Golang IoT botnet; Comparitech healthcare-ransomware H1 2026 — S3; all dated 2026-06-17 → 2026-07-10, before the window; The Gentlemen is already tracked in-store.
  • out-of-nexus / uncorroborated (S4): River Financial 8-K/A, Retelit, IFC-Eur / Breda Energia / Zidlochovice leak-site listings, Nayax / Accenture follow-ups — either already in the index, out-of-nexus with no clearing carve-out, or unconfirmed leak-site claims failing the fake-news guard.

State & self-check

  • Entities: none added.
  • CVEs: none added or changed.
  • Sources: one metadata edit — industrialcyber-co failure counter reset (1 → 0) and a recovery note appended: its transport block lifted this run (the /feed/ recipe returned HTTP 200 via the direct method after several runs of 403). source_health.py probed 157/157 sources in 114 s — 95 ok / 62 bridge-ok, zero actions flagged (no needs-bridge, no needs-demote).
  • Watchlists: the org profile configures no product/supplier watchlist, so the S1 product sweep and S4 supplier sweep are no-ops; no Watchlist: line is emitted.

Coverage window: intraday, gap 7.01 h (previous run 2026-07-12T1308Z-audit; previous research run 2026-07-12T1210Z-intel). Coverage gaps: inside-it-ch (403 on direct + jina — transport block, no demote; nothing missed, freshest Swiss/EU content 07-10); govcert-at CERT-Warnungen page (JS-gated, empty body via reader — recipe gap); msrc-blog (JS-hydrated landing, no dated post bodies — recipe candidate: jina pass or a structured MSRC releases subcommand); ncsc-uk reports-advisories listing (date-extraction gap on the listing page); dragos / claroty-team82 / nozominetworks / sophos-xops / recordedfuture-insikt (JS-rendered listings the reader did not hydrate into dated article lists — no structured feed/API subcommand exists for any in tools/fetch_source.py; recipe gaps, not transport failures). industrialcyber-co RESOLVED this run (feed recipe working again, transport block lifted).

2026-07-12T1308Z-audit · Opus 4.8 · 0 entries published

Verification & coverage notes

Duplicate-audit guard tripped — this fire stood down at Phase 0 (no audit passes run).

The most recent audit record on origin/main is runs/2026-07-11/2026-07-11T1435Z-audit.md (the operator-directed full-store intelligence-quality audit), started 2026-07-11T14:35:00Z. The gap from that anchor to this fire's start (2026-07-12T13:08:13Z) is 22.55 h — under the Phase 0 step-2 threshold of 72 h. This fire is a scheduled routine, not an explicit interactive operator directive, so the guard applies and the audit does not run: re-auditing now would re-sweep ground the full-store audit covered ~23 h ago against a window (2026-07-11T14:35Z → now) too thin to hold a week's worth of new signal, and the guard exists precisely to prevent that near-duplicate. This is the guard working as designed: an operator-directed full-store audit on Saturday, the scheduled weekly slot firing Sunday before a full week has elapsed.

No sub-agents were spawned; no truth passes, coverage re-sweeps, systemic review, or calibration ran. No entries recovered. The audit report is intentionally not written — there is no audit to report, and a report documenting a non-audit would manufacture content (A-INV-2). This run record is the mandatory artifact of the fire (A-INV-3, run-record-per-fire): it records that the fire happened, why it stood down, and what the next audit must pick up.

Pipeline-health snapshot (situational, not an audit finding). The scheduled intel cadence is running normally: two intel fires already published today — 2026-07-12T0409Z-intel and 2026-07-12T1210Z-intel, the latter publish_status: ok on origin/main. Nothing about the current pipeline state is operationally alarming; the stand-down is a cadence artifact, not a failure.

Carried forward to the next audit (nothing lost by standing down). The 2026-07-11 full-store audit's open items remain the next audit's duty:

  • Fix-effectiveness checks for the v3.21 fixes that audit shipped (main-run wall-clock watchdog + overtaken-run re-dedup; check_run.py runaway-duration and stale-publish_status WARNs; dead-ATT&CK-id WARN→FAIL; CVE-id per-CVE-authority provenance rule; the ncsc-uk dark-but-green recipe recovery). Each needs its behavior confirmed to have actually changed in the trailing window.
  • Watch item — bd.zh.ch (Kanton Zürich Baudirektion) MedusaLocker leak-site listing: single-source, no victim statement or Swiss press pickup as of 07-11; squarely in-constituency; re-check for corroboration.
  • Watch item — Roundcube 1.6.17/1.7.2 security release (2026-07-05): no exploitation evidence at 07-11; a future Roundcube delta should reference this patch level given active Roundcube targeting (UNK_MassTraction) in-store.
  • Operator recommendations (not shipped, carried until adopted or retired): (1) populate the org-profile product/supplier watchlists; (2) scheduler-side watchdog for container stalls / missing run records; (3) monthly priority-calibration review (the 37 % high share).

Monthly priority-calibration status. The 2026-07-11 report carries no ## Priority calibration heading, so the July calibration duty is still unmet — but it is not this fire's to discharge, because this fire ran no audit. The next audit that clears the duplicate guard (≥2026-07-14T14:35Z, and for a true weekly cadence the following Sunday) owns Phase 3b for July.

Verifier scope. Iteration 1 verifies this run record only (there are no entries): a cold reader confirms the duplicate-audit claim holds on disk — that runs/2026-07-11/2026-07-11T1435Z-audit.md is the latest -audit record on origin/main and the 22.55 h gap is under 72 h.

2026-07-12T1210Z-intel · Claude Opus 4.8 · window 24 h · 0 entries published

Run 2026-07-12T1210Z-intel

Prompt version: v3.22. Intraday fire; gap 8.02 h since the previous run (2026-07-12T0409Z-intel), window held to the 24 h floor. Most of the 24 h had already been swept by the 04:09Z run (which itself returned zero), so this fire targeted only the genuinely-new delta since ~04:00Z 2026-07-12 and leaned on the dedup index (last 14 days, 158 records / 541 store-wide CVEs already published).

Outcome — zero entries (healthy quiet weekend window)

All four research sub-agents ran to completion. S1, S3 and S4 returned 0 items; S2 returned 2 items, both borderline and both dropped on triage (reasoning below). This is a genuinely quiet Sunday-midday 8-hour delta, not a coverage miss: every essential CERT/PSIRT/KEV source's freshest content clusters on Fri 2026-07-10, before the window, and every candidate either matched a prior-coverage record or failed the relevance/actionability gate. A zero-entry intraday run is the expected outcome for a short, quiet window — publishing nothing is correct when nothing new clears the gate, and dedup guarantees more-frequent fires reduce latency, never inflate volume.

What each domain covered

  • S1 — active threats & trending vulns: full essential-tier sweep — CISA KEV API, ENISA EUVD (recent/criticals/exploited/lastvulnerabilities), NCSC-NL RSS, BSI/WID-SEC RSS, CERT-FR/ANSSI, NCSC-CH Security Hub API, CERT-EU, CERT-PL, CISA advisories/directives, NCSC-UK — plus watchTowr Labs and VulnCheck. A genuinely quiet Sat/Sun window; every essential source's newest item clusters on Fri 2026-07-10. One investigated-and-dropped false lead: VulnCheck/NVD showed Flowise (CVE-2026-56271) and Crawl4AI (CVE-2026-56259/56260/56265) records timestamped "published 2026-07-12", but the owning GitHub Security Advisories give true vendor-disclosure dates of 2026-04-16 / 2026-06-02 / 2026-06-04 — month-late NVD catalogue entries, correctly excluded as recycled rather than in-window.
  • S2 — home region & sector: exhaustive Swiss/EU sweep (NCSC-CH im-Fokus/aktuelle-Vorfälle/Security Hub, CERT-FR avis + actualité, BSI WID-SEC, CERT.at, CERT-EU, CERT-PL, ENISA, NCSC-UK, NCSC-IE, GovCERT.at) plus DACH research houses and Swiss press (swisscybersecurity.net, inside-it.ch) and targeted DE/FR/EN WebSearches. All curated sources returned stable content but nothing published after ~2026-07-10. Two genuinely-new but out-of-window policy/regulatory items surfaced via WebSearch and were carried as borderline for the main agent's call — both dropped (see below).
  • S3 — research & investigative reporting: full rotation slice (Fox-IT, Seqrite, Qianxin X-Lab, Sophos X-Ops, Sygnia, Volexity, SentinelLabs, DFIR Report, Recorded Future Insikt, AhnLab ASEC) plus the nine research majors (Talos, Unit 42, GTIG/Mandiant, ESET, Kaspersky Securelist, Microsoft Security, Check Point, Proofpoint, Trend Micro) and OT/ICS labs (Dragos, Claroty). Nothing published since ~04:00Z 2026-07-12. The freshest candidates — Unit 42's "The Gentlemen" affiliate-model deep dive (07-10 22:00 UTC) and Recorded Future's June 2026 CVE-landscape roundup (07-10) — fall just outside the window and add no materially-new defensive fact beyond prior coverage (The Gentlemen is already tracked via ESET's "Killing me gently" report and the Swiss-targeting weekly entry). Expected quiet-weekend outcome.
  • S4 — incidents & disclosures: full slice (ransomware.live, SEC EDGAR Item 1.05 full-text search, BleepingComputer, CNIL, CyberInsider, databreaches.net, ICO-UK, SecurityAffairs) plus native-language (DE/FR) and English pivots for Swiss/EU public-sector, healthcare, telco and finance breach signal. No item cleared the incident/disclosure inclusion gate for the window; three items investigated and dropped (below). Everything else surfaced (Council of Europe/ShinyHunters, RUAG/Akira, Deutsche Bank/Unsafe, Groupe 3R update, CNIL Free Mobile fine) was already in the 14-day index or well out of window with no in-window delta.

Borderline drops (recorded for recoverability)

  • borderline-drop: EU Commission expands the NIS2 CJEU referral to Ireland and the Netherlands (adds to France/Spain) — European Commission action dated 8 July 2026 (~4 days stale, outside the 24 h window; freshest reporting Tech Times 10 July, ~48 h). This is a genuine, uncovered delta on a policy thread the pipeline already tracks (entity policy:eu-nis2-cjeu-referral-france-spain-2026), but it is strategic-horizon regulatory content — every NIS2/policy entry in the store is a weekly (strategic) entry, and intel runs produce operational-horizon signal only. It carries no 1–7-day patch/hunt/block/detect decision for a Tier 2/3 responder. Routed to the weekly run rather than published here. Caution flag for the weekly: a secondary source (Tech Times) framed the 8 July action as "the first time the Commission has escalated a failure to implement NIS2 to the court," which contradicts the pipeline's own June France/Spain coverage and must not be repeated as fact.
  • borderline-drop: Dutch DPA (Autoriteit Persoonsgegevens) Rapportage datalekken 2025 — national-DPA statistical retrospective published ~8 July 2026 (~4 days stale, outside window). Its headline findings (58% YoY rise in cyberattack-driven breaches, near-tripling of account-takeovers, AI-generated phishing, AiTM kits defeating SMS/push MFA) are real, but its actionable guidance — migrate to phishing-resistant FIDO2/WebAuthn, deploy behavioural account-takeover detection, reassess GDPR Art. 32, audit data-processor exposure — is generic best-practice already saturated in the store from primary tradecraft within the same 14-day window (helix-data-extortion, forg365-m365-phaas, railway/lshiy M365 ATO, Huntress Conditional-Access analysis, unc1151-ghostwriter 2FA-relay, Bluekit BitM). It is a YoY-statistics/awareness piece with no new operational decision for this constituency. Not published; the proposed report entity was not registered (no published entry references it).
  • borderline-drop: River Financial Corp (RVRF) 8-K/A (S4) — procedural amendment to a June ransomware incident at a small Alabama community bank; out-of-nexus, no transferable TTP.
  • borderline-drop: Retelit SpA (Italian telecom) Qilin leak-site listing (S4) — no victim confirmation or independent journalism; fails the fake-news guard.
  • borderline-drop: Dyhrberg AG (Switzerland) Deadlock leak-site listing (S4) — part of a suspicious bulk same-session posting of ~80 victims; no Swiss press or victim confirmation found; fails the fake-news guard and falls outside the window.

State & self-check

  • Entities: none added.
  • CVEs: none added or changed.
  • Sources: no metadata edits this run. source_health.py probed 157/157 sources in 104 s — all ok/bridge-ok, zero actions flagged (no needs-bridge, no needs-demote).
  • Watchlists: the org profile configures no product/supplier watchlist, so the S1 product sweep and S4 supplier sweep are no-ops; no Watchlist: line is emitted.

Coverage window: intraday, gap 8.02 h (previous run 2026-07-12T0409Z-intel). Coverage gaps: industrialcyber-co direct-URL + jina 403 (third consecutive run; documented working path = WordPress /feed/, transport block, no demote); govcert-at RSS empty (recipe candidate: stp.portal.bka.gv.at CERT.at warnings page); ncsc-uk / cert-eu / enisa / cert-at / ncsc-ch-focus / ncsc-ch-incidents all reached successfully but carried no in-window content (low weekend cadence).

2026-07-12T0409Z-intel · Claude Opus 4.8 · window 24 h · 0 entries published

Run 2026-07-12T0409Z-intel

Prompt version: v3.21. Intraday fire; gap 8.0 h since the previous run (2026-07-11T2009Z-intel), window held to the 24 h floor. Most of the 24 h had already been swept by the 20:09Z run, so this fire targeted only the genuinely-new delta since ~20:00Z 2026-07-11 and leaned on the dedup index (last 14 days, 93 CVEs / 81 entity keys already published).

Outcome — zero entries (healthy quiet window)

All four research sub-agents (S1–S4) returned 0 items. This is a genuinely quiet Sunday-night 8-hour delta, not a coverage miss: every source's freshest item either exactly matched a prior-coverage record or predated the ~20:00Z 2026-07-11 window start by two or more days. A zero-entry intraday run is the expected outcome for a short, quiet window — publishing nothing is correct when nothing new clears the relevance/actionability gate. Per the dedup discipline, more frequent fires reduce latency, never inflate volume: the day's home-region, vulnerability, incident, and research signal was already carried by the 2026-07-11 runs.

What each domain covered

  • S1 — active threats & trending vulns: every essential source reached — CISA KEV (catalog itself last updated 2026-07-10T17:00Z, ~35 h before this run; its 10 most-recent additions all already published, dated 2026-07-08…07-10), ENISA EUVD (exploited/criticals/latest), NCSC-NL, NCSC-CH Security Hub, CERT-FR, BSI CERT-Bund, CERT-EU, CERT-PL, CISA advisories/directives, NCSC-UK — plus Cisco PSIRT, Keycloak, VulnCheck, watchTowr, Exodus, 0patch, Censys, JPCERT/JVN, Apple, Synacktiv, Sansec, Flatt, Microsoft Security Blog/MSRC. Nothing new in window; WebSearch cross-checks for "actively exploited"/"exploited in the wild" surfaced only already-covered or out-of-window items.
  • S2 — home region & sector: exhaustive Swiss/EU sweep (NCSC-CH CSH/im-fokus/aktuelle-vorfälle, CERT-FR, BSI WID, NCSC-NL, CERT-EU, CERT-PL, NCSC-UK, CERT.at, NCSC-IE, CNIL, plus DACH-region research houses) and 8 native-language (DE/FR) + English WebSearch queries. All CERT feeds top out 2026-07-09/07-10 (pre-window). The CERT-PL UNC1151/Ghostwriter Gmail-2FA-relay item matched the already-published 2026-07-09/unc1151-ghostwriter-gmail-realtime-2fa-phishing entry exactly. Two French-language leads (a Pays du Mont-Blanc ISP-outage incident dated 07-09; a NIS2/BSI-deadline vendor-promo piece dated 07-08) were fetched and dropped as too old / thin single-source vendor marketing.
  • S3 — research & investigative reporting: swept all nine named research majors (Microsoft TI, Google GTIG/Mandiant, Cisco Talos, Unit 42, Check Point, ESET, Kaspersky Securelist, Proofpoint, Trend Micro) plus the full S3 slice and OT/ICS supplements (Dragos, Claroty Team82, Nozomi, watchTowr). Talos' newest post is 07-09; Unit 42/ESET/Check Point/Kaspersky/Proofpoint all 07-06…07-10 and already covered; Mandiant's "Ghost in the Database" ADFS Machine-DPAPI Golden-SAML research is dated 07-07 (5 days stale, out of window). Two WebSearch leads (a PamStealer re-report and JADEPUFFER) traced to items already covered on 2026-07-04.
  • S4 — incidents & disclosures: full slice worked (ICO-UK, CNIL, EDPB, OFAC recent-actions, CISA news, Dark Reading, CyberScoop, Industrial Cyber, Le Monde Informatique, Troy Hunt, ransomware.live, Security Affairs, Help Net Security, CyberInsider, Malwarebytes, databreaches.net) plus SEC EDGAR — both the structured 8-K item-1.05 subcommand (2026-07-08…07-12: one hit, River Financial Corp 8-K/A, out of window + no CH/EU nexus, dropped) and a full-text search for "cybersecurity incident" across all 8-K forms 2026-07-10…07-12 (zero hits). Every curated source's newest item topped out at 2026-07-11T19:31Z, before the window start.

Borderline drops (S4 near-misses — recorded for recoverability)

  • borderline-drop: Qilin ransomware leak-site claim vs. Retelit SpA (Italian telco) — leak-site attack-date 2026-07-11T13:34Z with the site's own discovered timestamps topping out at 15:25Z 07-11 (before the ~20:00Z window start), and no victim statement or Admiralty A/B journalism corroboration found via targeted Italian-language search. Dropped on both recency and the fake-news gate (bare leak-site claim).
  • borderline-drop: "Dutch police trace Odido telco cyberattack to suspected local accomplice" (databreaches.net / The Record, 07-11) — later syndication of the same 8–9 July Dutch police disclosure already fully captured in 2026-07-10/odido-shinyhunters-vishing-dutch-police-attribution; no material new fact beyond a minor "servers seized" detail, so not a genuine update_of delta.
  • borderline-drop: Italian ACN / CSI Piemonte Qilin-campaign advisories — both trace to a CSIRT Italia bulletin (BL01/260528) published 29 May 2026; stale despite a misleading Sun, 12 Jul 2026 fetch-time artifact on one page's metadata (confirmed via in-body "Pubblicato il" dates).

Coverage gaps (informational — no hard fetch failures)

  • ncsc-uk: the HTML reports-advisories listing served a stale/cached render (top item dated 2026-04-07) to both WebFetch and the jina reader. The source record already documents the working recovery path — the combined all-rss-feed.xml feed (fresh, verified 2026-07-11) — which S1 did not use this run. No record change needed; the recipe is current.
  • horizon3-ai: JS-hydrated (Bricks builder) listing with posts loaded via AJAX, not present server-side. Sparse CVE-driven cadence (weeks between posts) is documented as normal; a /feed/ or /wp-json/wp/v2/posts probe is a future recipe improvement, not a failure.
  • sophos-xops / watchtowr: RSS feeds returned empty via jina; sites reachable (200). Drilled HTML listings where possible. Informational.
  • industrialcyber-co: S3 hit 403 on the direct URL; the documented path is the WordPress /feed/ RSS endpoint, and source_health.py confirmed the source bridge-ok this run. 403 is a transport block and never demotes; failure counter was already reset 2026-07-11.

State & self-check

  • Entities: none added.
  • CVEs: none added or changed.
  • Sources: one metadata-drift fix — calif-codex gained an explicit rss_url (see sources_changed). source_health.py probed 157/157 sources in 51 s, all ok/bridge-ok, zero actions flagged (no needs-bridge, no needs-demote).
  • Watchlists: the org profile configures no product/supplier watchlist, so the S1 product sweep and S4 supplier sweep are no-ops; no Watchlist: line is emitted.

Coverage window: intraday, gap 8.0 h (previous run 2026-07-11T2009Z-intel). Essential-coverage: missed=enisa — S2 did not attempt the ENISA news source (https://www.enisa.europa.eu/news) this run; ENISA's EU Vulnerability Database (enisa-euvd) WAS fetched by S1 (200). ENISA news publishes at a low cadence and no in-window ENISA item was surfaced by adjacent EU-CERT coverage; re-attempt next run. Coverage gaps: ncsc-uk HTML listing stale-cached (recovery path = all-rss-feed.xml, documented); horizon3-ai JS-hydrated listing (recipe improvement candidate); sophos-xops/watchtowr empty RSS (sites reachable); industrialcyber-co direct-URL 403 (use /feed/, transport block, no demote).