ctipilot.ch

2026-05-08-migrated

One pipeline fire, in full · intel run of 2026-05-08 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-05-08/2026-05-08-migrated.md.

Run telemetry

2026-05-08-migrated intel prompt v2.25
duration 17 published 0 updates
unknown (unknown) main agent
S1 absent

No record for this sub-agent.

S2 absent

No record for this sub-agent.

S3 absent

No record for this sub-agent.

S4 absent

No record for this sub-agent.

Verification

0 iterations · 0 residuals (legacy scalar · per-iteration breakdown not recorded)

Deep dive

2026-05-08/ivanti-epmm-cve-2026-5787-cve-2026-6973-pre-auth-certificate

Entries published (this run)

Sources changed (this run)

Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.

No source-list edits recorded for this run.

Coverage gaps (this run)

Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)

No coverage gaps in this run · every source the brief needed returned usable content via its documented recipe.

Verification & coverage notes

The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.

Verification & coverage notesrun record body

2026-05-08-migrated · unknown · 17 entries published

Included — two or more independent sources verified:

  • CVE-2026-5787 / CVE-2026-6973 (Ivanti EPMM): Ivanti blog + NVD + The Hacker News
  • CVE-2026-32202 (Windows Shell): Microsoft MSRC + NVD (CISA KEV calendar confirmed)
  • Die Linke / Qilin: Heise Online (primary German tech publication) + party victim statement
  • Eurail breach: NOS Nieuws (Dutch public broadcaster) + Dutch DPA statement

Included — national CERT / authority single-source carve-out (Prime Directive 5):

  • Polish ABW water OT advisory (ABW = national security agency advisory)
  • CERT-FR CERTFR-2026-ACT-016 agentic AI advisory (France national CERT)
  • GLPI CERTFR-2026-AVI-0551 (CERT-FR)

Included — single-source threat intelligence (elevated on source quality and operational relevance):

  • MuddyWater Chaos ransomware false-flag campaign (Deep Instinct threat intelligence report; included given confirmed Iran-nexus TTP and European targeting; treat with standard single-source caution)
  • Amazon SES BEC technique (Kaspersky Securelist, 2026-05-04; outside 72 h developing window, included as first coverage with age noted; treat with standard single-source caution)

Updates from prior coverage:

  • CVE-2026-0300 (deep-dived 2026-05-07): update only; no re-brief of underlying vulnerability
  • Canvas/Instructure (first covered 2026-05-06): update with confirmed scope expansion

Deferred — verification insufficient:

  • IBM X-Force Annual Report 2026: publication date could not be independently verified; deferred to next issue
  • CVE-2026-21509 / CVE-2026-21514 / CVE-2026-21513 (Office Protected View chain): CVE-2026-21509 confirmed as January 2026 KEV entry with deadline already passed (2026-02-16); not new content; excluded
  • CallPhantom Android apps: India/APAC primary focus; insufficient Swiss/EU nexus
  • ETTP Belgium / SafePay: single ransomware leak-site claim; no victim confirmation
  • TCLBANKER: explicitly dropped in 2026-05-07 brief; no new development in window

Unmatched action items (migrated)

  • MuddyWater / Teams BEC: Audit Microsoft Teams external-access settings; review recent external-user remote-session grants; hunt for Teams-initiated remote sessions followed by cloud service sign-ins from new IPs
  • Amazon SES phishing: Review email gateway logs for high volumes of messages from Amazon SES IP ranges (205.251.x.x, 199.255.x.x); verify no SES API keys are exposed in S3 buckets or public repositories
  • Canvas / Instructure: Institutions using Canvas should document and assess GDPR Article 33/34 notification obligations; May 12 extortion deadline creates a secondary breach-reporting trigger
  • OT operators (water / energy): Review IT/OT network segmentation posture against Dragos findings (81% flat); confirm manual override procedures are documented and tested for all HMI-controlled processes

Migrated from briefs/2026-05-08.md (v2).

← Operations dashboard · day page 2026-05-08 · run-record contract: docs/pipeline.md