Sunday, 12 July 2026
0 verified findings from 4 runs · the settled record for this UTC day, in the classic brief order.
Verification & coverage notes4 runs
2026-07-12T2009Z-intel · Claude Opus 4.8 · window 24 h · 0 entries published
Run 2026-07-12T2009Z-intel
Prompt version: v3.22. Intraday fire; gap 7.01 h since the previous run (2026-07-12T1308Z-audit, 13:08Z), window held to the 24 h floor. The last research fire was 2026-07-12T1210Z-intel (12:10Z), which itself returned zero, so this run targeted only the genuinely-new delta since ~2026-07-12T12:30Z and leaned on the 14-day dedup index (158 records / 541 store-wide CVEs already published).
Outcome — zero entries (healthy quiet Sunday-evening window)
All four research sub-agents ran to completion and each returned 0 items. This is a genuinely quiet ~7 h intraday delta on a Sunday evening, not a coverage miss: every essential CERT/PSIRT/KEV source's freshest content clusters at or before 2026-07-10, before the window, and every candidate any sub-agent surfaced either matched a prior-coverage record or failed the recency/relevance gate. A zero-entry intraday run is the expected outcome for a short, quiet window — publishing nothing is correct when nothing new clears the gate, and dedup guarantees more-frequent fires cut latency, never inflate volume.
What each domain covered
- S1 — active threats & trending vulns: full essential sweep (CISA KEV API, NCSC-NL RSS, ANSSI/CERT-FR, BSI WID-SEC, CERT-EU, CERT-PL, CISA advisories/directives, ENISA EUVD, NCSC-CH Security Hub, NCSC-UK) plus rotation standard sources (chrome-releases, oracle-cpu, watchTowr, GreyNoise, Project Zero, Claroty Team82, Horizon3.ai, MSRC, VulnCheck). Every essential source's freshest content clustered at ~2026-07-12T08:16Z (a batch of VulnCheck/GHSA disclosures with no confirmed in-the-wild exploitation — CVE-2026-61876 LuCI XSS, CVE-2026-56271 Flowise, CVE-2026-59260 OpenWrt luci-app-samba4 RCE, and Capgo/Crawl4AI issues) or on Fri 2026-07-10 — all before the ~12:30Z window start, and none clearing the beyond-the-patch-cycle bar. Two promising first-pass leads (CVE-2026-45659 SharePoint / Storm-2603 and CVE-2026-43499 "GhostLock" Linux rtmutex UAF) were confirmed already-published in the 14-day index. Oracle's next CPU is scheduled 21 July 2026 (nothing new). Targeted EN/DE WebSearch surfaced nothing additional in-window.
- S2 — home region & sector: exhaustive Swiss/EU sweep (NCSC-CH Im Fokus / Aktuelle Vorfälle / Security Hub, CERT-FR, BSI, CERT.at, CERT-EU, CERT-PL, ENISA, NCSC-NL, NCSC-UK, NCSC-IE) plus DACH research houses and Swiss press, plus 26 targeted DE/FR/IT/NL/EN searches across Swiss cantons, German municipalities, French collectivités/hôpitaux, Italian PA/ospedali, and EU energy/finance/telco. Every source's freshest item predated the window (across-the-board latest 2026-07-09/07-10). Five ongoing Swiss/EU stories already in the registry (Groupe 3R, CERT-LV/LVM, Odido, MedusaLocker Zurich Baudirektion, PDAG) were checked for in-window deltas — none beyond the 07-09/07-10 coverage already in-store.
- S3 — research & investigative reporting: full rotation slice (Qianxin X-Lab, Fox-IT, Seqrite, Sophos X-Ops, Sygnia, Volexity, Calif/Codex, SentinelLabs, DFIR Report, Horizon3.ai, Recorded Future Insikt, AhnLab ASEC, Citizen Lab, Cloudforce One) plus the research majors (Microsoft, GTIG/Mandiant, Talos, Unit 42, Check Point, ESET, Kaspersky Securelist, Proofpoint, Trend Micro) and OT/ICS labs (Dragos, Claroty Team82, Nozomi). Every candidate's true publication date clustered 2026-06-24 → 2026-07-10; several (ESET Threat Report H1 2026, CitrixBleed2→DragonForce STAC3725) are already in-store. Nothing cleared the recency gate.
- S4 — incidents & disclosures: full slice (SEC EDGAR 8-K Item 1.05 full-text search, ransomware.live recent-victims filtered against CH/DE/AT/FR/IT/NL/BE/LU/LI × public-sector/healthcare/energy/finance/telco/water/transport, BleepingComputer, CNIL, DataBreaches.net, ICO-UK, Have I Been Pwned/Troy Hunt, CyberInsider) plus DE/FR native-language pivots. No item cleared the strict incidents/disclosures inclusion gate for the window.
Borderline / recycled drops (recorded for recoverability)
- borderline-drop: AMEOS (DACH hospital group) breach story — surfaced in S4's search as "July 2026" framing, but WebFetch resolved the underlying article to a 2026-07-23 → 2025-07-23 publication date (a full year old). Recycled, not in-window; dropped.
- out-of-window: 2026-07-12T08:16Z GHSA/VulnCheck batch (CVE-2026-61876 LuCI XSS, CVE-2026-56271 Flowise, CVE-2026-59260 OpenWrt luci-app-samba4 RCE, Capgo/Crawl4AI) — S1; published before the ~12:30Z window start and none with confirmed in-the-wild exploitation or exposure-driven urgency, so none clears the beyond-the-patch-cycle bar even setting recency aside.
- already-covered (dedup): CVE-2026-45659 SharePoint / Storm-2603; CVE-2026-43499 "GhostLock" Linux rtmutex UAF — S1; both confirmed present in the 14-day prior-coverage index, no material in-window delta.
- stale (out-of-window, no in-window delta): Unit 42 "The Gentlemen" affiliate model; Recorded Future TAG-182/MarkiRAT; Nozomi Apex2/c2c Golang IoT botnet; Comparitech healthcare-ransomware H1 2026 — S3; all dated 2026-06-17 → 2026-07-10, before the window; The Gentlemen is already tracked in-store.
- out-of-nexus / uncorroborated (S4): River Financial 8-K/A, Retelit, IFC-Eur / Breda Energia / Zidlochovice leak-site listings, Nayax / Accenture follow-ups — either already in the index, out-of-nexus with no clearing carve-out, or unconfirmed leak-site claims failing the fake-news guard.
State & self-check
- Entities: none added.
- CVEs: none added or changed.
- Sources: one metadata edit —
industrialcyber-cofailure counter reset (1 → 0) and a recovery note appended: its transport block lifted this run (the/feed/recipe returned HTTP 200 via the direct method after several runs of 403).source_health.pyprobed 157/157 sources in 114 s — 95ok/ 62bridge-ok, zero actions flagged (noneeds-bridge, noneeds-demote). - Watchlists: the org profile configures no product/supplier watchlist, so the S1 product sweep and S4 supplier sweep are no-ops; no
Watchlist:line is emitted.
Coverage window: intraday, gap 7.01 h (previous run 2026-07-12T1308Z-audit; previous research run 2026-07-12T1210Z-intel). Coverage gaps: inside-it-ch (403 on direct + jina — transport block, no demote; nothing missed, freshest Swiss/EU content 07-10); govcert-at CERT-Warnungen page (JS-gated, empty body via reader — recipe gap); msrc-blog (JS-hydrated landing, no dated post bodies — recipe candidate: jina pass or a structured MSRC releases subcommand); ncsc-uk reports-advisories listing (date-extraction gap on the listing page); dragos / claroty-team82 / nozominetworks / sophos-xops / recordedfuture-insikt (JS-rendered listings the reader did not hydrate into dated article lists — no structured feed/API subcommand exists for any in tools/fetch_source.py; recipe gaps, not transport failures). industrialcyber-co RESOLVED this run (feed recipe working again, transport block lifted).
2026-07-12T1308Z-audit · Opus 4.8 · 0 entries published
Verification & coverage notes
Duplicate-audit guard tripped — this fire stood down at Phase 0 (no audit passes run).
The most recent audit record on origin/main is runs/2026-07-11/2026-07-11T1435Z-audit.md (the operator-directed full-store intelligence-quality audit), started 2026-07-11T14:35:00Z. The gap from that anchor to this fire's start (2026-07-12T13:08:13Z) is 22.55 h — under the Phase 0 step-2 threshold of 72 h. This fire is a scheduled routine, not an explicit interactive operator directive, so the guard applies and the audit does not run: re-auditing now would re-sweep ground the full-store audit covered ~23 h ago against a window (2026-07-11T14:35Z → now) too thin to hold a week's worth of new signal, and the guard exists precisely to prevent that near-duplicate. This is the guard working as designed: an operator-directed full-store audit on Saturday, the scheduled weekly slot firing Sunday before a full week has elapsed.
No sub-agents were spawned; no truth passes, coverage re-sweeps, systemic review, or calibration ran. No entries recovered. The audit report is intentionally not written — there is no audit to report, and a report documenting a non-audit would manufacture content (A-INV-2). This run record is the mandatory artifact of the fire (A-INV-3, run-record-per-fire): it records that the fire happened, why it stood down, and what the next audit must pick up.
Pipeline-health snapshot (situational, not an audit finding). The scheduled intel cadence is running normally: two intel fires already published today — 2026-07-12T0409Z-intel and 2026-07-12T1210Z-intel, the latter publish_status: ok on origin/main. Nothing about the current pipeline state is operationally alarming; the stand-down is a cadence artifact, not a failure.
Carried forward to the next audit (nothing lost by standing down). The 2026-07-11 full-store audit's open items remain the next audit's duty:
- Fix-effectiveness checks for the v3.21 fixes that audit shipped (main-run wall-clock watchdog + overtaken-run re-dedup;
check_run.pyrunaway-duration and stale-publish_statusWARNs; dead-ATT&CK-id WARN→FAIL; CVE-id per-CVE-authority provenance rule; thencsc-ukdark-but-green recipe recovery). Each needs its behavior confirmed to have actually changed in the trailing window. - Watch item —
bd.zh.ch(Kanton Zürich Baudirektion) MedusaLocker leak-site listing: single-source, no victim statement or Swiss press pickup as of 07-11; squarely in-constituency; re-check for corroboration. - Watch item — Roundcube 1.6.17/1.7.2 security release (2026-07-05): no exploitation evidence at 07-11; a future Roundcube delta should reference this patch level given active Roundcube targeting (UNK_MassTraction) in-store.
- Operator recommendations (not shipped, carried until adopted or retired): (1) populate the org-profile product/supplier watchlists; (2) scheduler-side watchdog for container stalls / missing run records; (3) monthly priority-calibration review (the 37 %
highshare).
Monthly priority-calibration status. The 2026-07-11 report carries no ## Priority calibration heading, so the July calibration duty is still unmet — but it is not this fire's to discharge, because this fire ran no audit. The next audit that clears the duplicate guard (≥2026-07-14T14:35Z, and for a true weekly cadence the following Sunday) owns Phase 3b for July.
Verifier scope. Iteration 1 verifies this run record only (there are no entries): a cold reader confirms the duplicate-audit claim holds on disk — that runs/2026-07-11/2026-07-11T1435Z-audit.md is the latest -audit record on origin/main and the 22.55 h gap is under 72 h.
2026-07-12T1210Z-intel · Claude Opus 4.8 · window 24 h · 0 entries published
Run 2026-07-12T1210Z-intel
Prompt version: v3.22. Intraday fire; gap 8.02 h since the previous run (2026-07-12T0409Z-intel), window held to the 24 h floor. Most of the 24 h had already been swept by the 04:09Z run (which itself returned zero), so this fire targeted only the genuinely-new delta since ~04:00Z 2026-07-12 and leaned on the dedup index (last 14 days, 158 records / 541 store-wide CVEs already published).
Outcome — zero entries (healthy quiet weekend window)
All four research sub-agents ran to completion. S1, S3 and S4 returned 0 items; S2 returned 2 items, both borderline and both dropped on triage (reasoning below). This is a genuinely quiet Sunday-midday 8-hour delta, not a coverage miss: every essential CERT/PSIRT/KEV source's freshest content clusters on Fri 2026-07-10, before the window, and every candidate either matched a prior-coverage record or failed the relevance/actionability gate. A zero-entry intraday run is the expected outcome for a short, quiet window — publishing nothing is correct when nothing new clears the gate, and dedup guarantees more-frequent fires reduce latency, never inflate volume.
What each domain covered
- S1 — active threats & trending vulns: full essential-tier sweep — CISA KEV API, ENISA EUVD (recent/criticals/exploited/lastvulnerabilities), NCSC-NL RSS, BSI/WID-SEC RSS, CERT-FR/ANSSI, NCSC-CH Security Hub API, CERT-EU, CERT-PL, CISA advisories/directives, NCSC-UK — plus watchTowr Labs and VulnCheck. A genuinely quiet Sat/Sun window; every essential source's newest item clusters on Fri 2026-07-10. One investigated-and-dropped false lead: VulnCheck/NVD showed Flowise (CVE-2026-56271) and Crawl4AI (CVE-2026-56259/56260/56265) records timestamped "published 2026-07-12", but the owning GitHub Security Advisories give true vendor-disclosure dates of 2026-04-16 / 2026-06-02 / 2026-06-04 — month-late NVD catalogue entries, correctly excluded as recycled rather than in-window.
- S2 — home region & sector: exhaustive Swiss/EU sweep (NCSC-CH im-Fokus/aktuelle-Vorfälle/Security Hub, CERT-FR avis + actualité, BSI WID-SEC, CERT.at, CERT-EU, CERT-PL, ENISA, NCSC-UK, NCSC-IE, GovCERT.at) plus DACH research houses and Swiss press (swisscybersecurity.net, inside-it.ch) and targeted DE/FR/EN WebSearches. All curated sources returned stable content but nothing published after ~2026-07-10. Two genuinely-new but out-of-window policy/regulatory items surfaced via WebSearch and were carried as borderline for the main agent's call — both dropped (see below).
- S3 — research & investigative reporting: full rotation slice (Fox-IT, Seqrite, Qianxin X-Lab, Sophos X-Ops, Sygnia, Volexity, SentinelLabs, DFIR Report, Recorded Future Insikt, AhnLab ASEC) plus the nine research majors (Talos, Unit 42, GTIG/Mandiant, ESET, Kaspersky Securelist, Microsoft Security, Check Point, Proofpoint, Trend Micro) and OT/ICS labs (Dragos, Claroty). Nothing published since ~04:00Z 2026-07-12. The freshest candidates — Unit 42's "The Gentlemen" affiliate-model deep dive (07-10 22:00 UTC) and Recorded Future's June 2026 CVE-landscape roundup (07-10) — fall just outside the window and add no materially-new defensive fact beyond prior coverage (The Gentlemen is already tracked via ESET's "Killing me gently" report and the Swiss-targeting weekly entry). Expected quiet-weekend outcome.
- S4 — incidents & disclosures: full slice (ransomware.live, SEC EDGAR Item 1.05 full-text search, BleepingComputer, CNIL, CyberInsider, databreaches.net, ICO-UK, SecurityAffairs) plus native-language (DE/FR) and English pivots for Swiss/EU public-sector, healthcare, telco and finance breach signal. No item cleared the incident/disclosure inclusion gate for the window; three items investigated and dropped (below). Everything else surfaced (Council of Europe/ShinyHunters, RUAG/Akira, Deutsche Bank/Unsafe, Groupe 3R update, CNIL Free Mobile fine) was already in the 14-day index or well out of window with no in-window delta.
Borderline drops (recorded for recoverability)
- borderline-drop: EU Commission expands the NIS2 CJEU referral to Ireland and the Netherlands (adds to France/Spain) — European Commission action dated 8 July 2026 (~4 days stale, outside the 24 h window; freshest reporting Tech Times 10 July, ~48 h). This is a genuine, uncovered delta on a policy thread the pipeline already tracks (entity
policy:eu-nis2-cjeu-referral-france-spain-2026), but it is strategic-horizon regulatory content — every NIS2/policy entry in the store is a weekly (strategic) entry, and intel runs produce operational-horizon signal only. It carries no 1–7-day patch/hunt/block/detect decision for a Tier 2/3 responder. Routed to the weekly run rather than published here. Caution flag for the weekly: a secondary source (Tech Times) framed the 8 July action as "the first time the Commission has escalated a failure to implement NIS2 to the court," which contradicts the pipeline's own June France/Spain coverage and must not be repeated as fact. - borderline-drop: Dutch DPA (Autoriteit Persoonsgegevens) Rapportage datalekken 2025 — national-DPA statistical retrospective published ~8 July 2026 (~4 days stale, outside window). Its headline findings (58% YoY rise in cyberattack-driven breaches, near-tripling of account-takeovers, AI-generated phishing, AiTM kits defeating SMS/push MFA) are real, but its actionable guidance — migrate to phishing-resistant FIDO2/WebAuthn, deploy behavioural account-takeover detection, reassess GDPR Art. 32, audit data-processor exposure — is generic best-practice already saturated in the store from primary tradecraft within the same 14-day window (
helix-data-extortion,forg365-m365-phaas,railway/lshiyM365 ATO, Huntress Conditional-Access analysis,unc1151-ghostwriter2FA-relay, Bluekit BitM). It is a YoY-statistics/awareness piece with no new operational decision for this constituency. Not published; the proposed report entity was not registered (no published entry references it). - borderline-drop: River Financial Corp (RVRF) 8-K/A (S4) — procedural amendment to a June ransomware incident at a small Alabama community bank; out-of-nexus, no transferable TTP.
- borderline-drop: Retelit SpA (Italian telecom) Qilin leak-site listing (S4) — no victim confirmation or independent journalism; fails the fake-news guard.
- borderline-drop: Dyhrberg AG (Switzerland) Deadlock leak-site listing (S4) — part of a suspicious bulk same-session posting of ~80 victims; no Swiss press or victim confirmation found; fails the fake-news guard and falls outside the window.
State & self-check
- Entities: none added.
- CVEs: none added or changed.
- Sources: no metadata edits this run.
source_health.pyprobed 157/157 sources in 104 s — allok/bridge-ok, zero actions flagged (noneeds-bridge, noneeds-demote). - Watchlists: the org profile configures no product/supplier watchlist, so the S1 product sweep and S4 supplier sweep are no-ops; no
Watchlist:line is emitted.
Coverage window: intraday, gap 8.02 h (previous run 2026-07-12T0409Z-intel). Coverage gaps: industrialcyber-co direct-URL + jina 403 (third consecutive run; documented working path = WordPress /feed/, transport block, no demote); govcert-at RSS empty (recipe candidate: stp.portal.bka.gv.at CERT.at warnings page); ncsc-uk / cert-eu / enisa / cert-at / ncsc-ch-focus / ncsc-ch-incidents all reached successfully but carried no in-window content (low weekend cadence).
2026-07-12T0409Z-intel · Claude Opus 4.8 · window 24 h · 0 entries published
Run 2026-07-12T0409Z-intel
Prompt version: v3.21. Intraday fire; gap 8.0 h since the previous run (2026-07-11T2009Z-intel), window held to the 24 h floor. Most of the 24 h had already been swept by the 20:09Z run, so this fire targeted only the genuinely-new delta since ~20:00Z 2026-07-11 and leaned on the dedup index (last 14 days, 93 CVEs / 81 entity keys already published).
Outcome — zero entries (healthy quiet window)
All four research sub-agents (S1–S4) returned 0 items. This is a genuinely quiet Sunday-night 8-hour delta, not a coverage miss: every source's freshest item either exactly matched a prior-coverage record or predated the ~20:00Z 2026-07-11 window start by two or more days. A zero-entry intraday run is the expected outcome for a short, quiet window — publishing nothing is correct when nothing new clears the relevance/actionability gate. Per the dedup discipline, more frequent fires reduce latency, never inflate volume: the day's home-region, vulnerability, incident, and research signal was already carried by the 2026-07-11 runs.
What each domain covered
- S1 — active threats & trending vulns: every essential source reached — CISA KEV (catalog itself last updated 2026-07-10T17:00Z, ~35 h before this run; its 10 most-recent additions all already published, dated 2026-07-08…07-10), ENISA EUVD (exploited/criticals/latest), NCSC-NL, NCSC-CH Security Hub, CERT-FR, BSI CERT-Bund, CERT-EU, CERT-PL, CISA advisories/directives, NCSC-UK — plus Cisco PSIRT, Keycloak, VulnCheck, watchTowr, Exodus, 0patch, Censys, JPCERT/JVN, Apple, Synacktiv, Sansec, Flatt, Microsoft Security Blog/MSRC. Nothing new in window; WebSearch cross-checks for "actively exploited"/"exploited in the wild" surfaced only already-covered or out-of-window items.
- S2 — home region & sector: exhaustive Swiss/EU sweep (NCSC-CH CSH/im-fokus/aktuelle-vorfälle, CERT-FR, BSI WID, NCSC-NL, CERT-EU, CERT-PL, NCSC-UK, CERT.at, NCSC-IE, CNIL, plus DACH-region research houses) and 8 native-language (DE/FR) + English WebSearch queries. All CERT feeds top out 2026-07-09/07-10 (pre-window). The CERT-PL UNC1151/Ghostwriter Gmail-2FA-relay item matched the already-published
2026-07-09/unc1151-ghostwriter-gmail-realtime-2fa-phishingentry exactly. Two French-language leads (a Pays du Mont-Blanc ISP-outage incident dated 07-09; a NIS2/BSI-deadline vendor-promo piece dated 07-08) were fetched and dropped as too old / thin single-source vendor marketing. - S3 — research & investigative reporting: swept all nine named research majors (Microsoft TI, Google GTIG/Mandiant, Cisco Talos, Unit 42, Check Point, ESET, Kaspersky Securelist, Proofpoint, Trend Micro) plus the full S3 slice and OT/ICS supplements (Dragos, Claroty Team82, Nozomi, watchTowr). Talos' newest post is 07-09; Unit 42/ESET/Check Point/Kaspersky/Proofpoint all 07-06…07-10 and already covered; Mandiant's "Ghost in the Database" ADFS Machine-DPAPI Golden-SAML research is dated 07-07 (5 days stale, out of window). Two WebSearch leads (a PamStealer re-report and JADEPUFFER) traced to items already covered on 2026-07-04.
- S4 — incidents & disclosures: full slice worked (ICO-UK, CNIL, EDPB, OFAC recent-actions, CISA news, Dark Reading, CyberScoop, Industrial Cyber, Le Monde Informatique, Troy Hunt, ransomware.live, Security Affairs, Help Net Security, CyberInsider, Malwarebytes, databreaches.net) plus SEC EDGAR — both the structured 8-K item-1.05 subcommand (2026-07-08…07-12: one hit, River Financial Corp 8-K/A, out of window + no CH/EU nexus, dropped) and a full-text search for "cybersecurity incident" across all 8-K forms 2026-07-10…07-12 (zero hits). Every curated source's newest item topped out at 2026-07-11T19:31Z, before the window start.
Borderline drops (S4 near-misses — recorded for recoverability)
- borderline-drop: Qilin ransomware leak-site claim vs. Retelit SpA (Italian telco) — leak-site attack-date 2026-07-11T13:34Z with the site's own
discoveredtimestamps topping out at 15:25Z 07-11 (before the ~20:00Z window start), and no victim statement or Admiralty A/B journalism corroboration found via targeted Italian-language search. Dropped on both recency and the fake-news gate (bare leak-site claim). - borderline-drop: "Dutch police trace Odido telco cyberattack to suspected local accomplice" (databreaches.net / The Record, 07-11) — later syndication of the same 8–9 July Dutch police disclosure already fully captured in
2026-07-10/odido-shinyhunters-vishing-dutch-police-attribution; no material new fact beyond a minor "servers seized" detail, so not a genuineupdate_ofdelta. - borderline-drop: Italian ACN / CSI Piemonte Qilin-campaign advisories — both trace to a CSIRT Italia bulletin (BL01/260528) published 29 May 2026; stale despite a misleading
Sun, 12 Jul 2026fetch-time artifact on one page's metadata (confirmed via in-body "Pubblicato il" dates).
Coverage gaps (informational — no hard fetch failures)
- ncsc-uk: the HTML reports-advisories listing served a stale/cached render (top item dated 2026-04-07) to both WebFetch and the jina reader. The source record already documents the working recovery path — the combined
all-rss-feed.xmlfeed (fresh, verified 2026-07-11) — which S1 did not use this run. No record change needed; the recipe is current. - horizon3-ai: JS-hydrated (Bricks builder) listing with posts loaded via AJAX, not present server-side. Sparse CVE-driven cadence (weeks between posts) is documented as normal; a
/feed/or/wp-json/wp/v2/postsprobe is a future recipe improvement, not a failure. - sophos-xops / watchtowr: RSS feeds returned empty via jina; sites reachable (200). Drilled HTML listings where possible. Informational.
- industrialcyber-co: S3 hit 403 on the direct URL; the documented path is the WordPress
/feed/RSS endpoint, andsource_health.pyconfirmed the source bridge-ok this run. 403 is a transport block and never demotes; failure counter was already reset 2026-07-11.
State & self-check
- Entities: none added.
- CVEs: none added or changed.
- Sources: one metadata-drift fix —
calif-codexgained an explicitrss_url(seesources_changed).source_health.pyprobed 157/157 sources in 51 s, allok/bridge-ok, zero actions flagged (noneeds-bridge, noneeds-demote). - Watchlists: the org profile configures no product/supplier watchlist, so the S1 product sweep and S4 supplier sweep are no-ops; no
Watchlist:line is emitted.
Coverage window: intraday, gap 8.0 h (previous run 2026-07-11T2009Z-intel). Essential-coverage: missed=enisa — S2 did not attempt the ENISA news source (https://www.enisa.europa.eu/news) this run; ENISA's EU Vulnerability Database (enisa-euvd) WAS fetched by S1 (200). ENISA news publishes at a low cadence and no in-window ENISA item was surfaced by adjacent EU-CERT coverage; re-attempt next run. Coverage gaps: ncsc-uk HTML listing stale-cached (recovery path = all-rss-feed.xml, documented); horizon3-ai JS-hydrated listing (recipe improvement candidate); sophos-xops/watchtowr empty RSS (sites reachable); industrialcyber-co direct-URL 403 (use /feed/, transport block, no demote).