ctipilot.ch

2026-07-09T0409Z-intel

One pipeline fire, in full · intel run of 2026-07-09 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-07-09/2026-07-09T0409Z-intel.md.

Run telemetry

2026-07-09T0409Z-intel intel prompt v3.11
1h 28m duration 10 published 0 updates
Claude Opus 4.8 (claude-opus-4-8) main agent
S1 Claude Opus 4.8 (claude-opus-4-8)
Items returned
4
Duration
13m 15s
Tool calls
20 WebFetch6 WebSearch17 bridge
Cited sources
4 of 25 in slice
S2 Claude Opus 4.8 (claude-opus-4-8)
Items returned
2
Duration
12m 15s
Tool calls
3 WebFetch9 WebSearch24 bridge
Cited sources
2 of 17 in slice
S3 Claude Opus 4.8 (claude-opus-4-8)
Items returned
5
Duration
9m 40s
Tool calls
12 WebFetch6 WebSearch24 bridge
Cited sources
4 of 25 in slice
S4 Claude Opus 4.8 (claude-opus-4-8)
Items returned
1
Duration
6m 38s
Tool calls
7 WebFetch6 WebSearch11 bridge
Cited sources
2 of 10 in slice

Verification

#? NEEDS_FIXES · Claude Opus 4.8 · t=2 e=1 a=1 #? NEEDS_FIXES · Claude Opus 4.8 · t=1 e=1 a=0 #? NEEDS_FIXES · Claude Opus 4.8 · t=3 e=0 a=1 #? CLEAN · Claude Opus 4.8 · t=0 e=0 a=0

Deep dive

2026-07-09/mandiant-adfs-machine-dpapi-golden-saml-key-recovery

Entries published (this run)

Sources changed (this run)

Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.

1 last_successful_fetch=2026-07-09 (fetched, quiet-but-authoritative) · 1 last_successful_fetch=2026-07-09 (used — GhostApproval) · 1 last_successful_fetch=2026-07-09 (used — Januscape) · 1 last_successful_fetch=2026-07-09 (used — Git malleability) · 1 last_successful_fetch=2026-07-09 (used — UNC1151) · 1 last_successful_fetch=2026-07-09 (used — Plesk) · 1 last_successful_fetch=2026-07-09 (used — ADFS deep dive) · 1 last_successful_fetch=2026-07-09 (used — Cavern Manticore) · 1 last_successful_fetch=2026-07-09 (used — ESET Threat Report H1 2026) · 1 last_successful_fetch=2026-07-09 (used — Nayax 6-K) · 1 last_successful_fetch=2026-07-09 (used — Nayax corroboration) · 1 notes appended — CERT-FR fetch_source feed returns oldest-first; recheck ordering when assessing freshness (self-evolution follow-up).

SourceChangeFrom → ToReason
cisa-kevlast_successful_fetch=2026-07-09 (fetched, quiet-but-authoritative)— → —
wiz-bloglast_successful_fetch=2026-07-09 (used — GhostApproval)— → —
bleepingcomputerlast_successful_fetch=2026-07-09 (used — Januscape)— → —
hackernewslast_successful_fetch=2026-07-09 (used — Git malleability)— → —
cert-pllast_successful_fetch=2026-07-09 (used — UNC1151)— → —
ccb-belgiumlast_successful_fetch=2026-07-09 (used — Plesk)— → —
mandiant-gtiglast_successful_fetch=2026-07-09 (used — ADFS deep dive)— → —
checkpoint-researchlast_successful_fetch=2026-07-09 (used — Cavern Manticore)— → —
esetlast_successful_fetch=2026-07-09 (used — ESET Threat Report H1 2026)— → —
sec-disclosures-edgarlast_successful_fetch=2026-07-09 (used — Nayax 6-K)— → —
databreaches-netlast_successful_fetch=2026-07-09 (used — Nayax corroboration)— → —
anssi-frnotes appended — CERT-FR fetch_source feed returns oldest-first; recheck ordering when assessing freshness (self-evolution follow-up)— → —

Coverage gaps (this run)

Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)

Source (uncovered)URL triedMethod chainStatus / classWhat the agent did instead
industrialcyber-cohttps://industrialcyber.co/webfetchbridge:urlbridge:jina403 transport-403
Standing Cloudflare-class block reproduced even via the jina reader proxy (S3). Known recurring transport block, not source death — no demotion (403 rule).
No OT/ICS-specific in-window item confirmed via alternate routes; flagged for a future run to find an alternate OT/ICS source or recipe. Standing recipe gap.
cisa-advisorieshttps://www.cisa.gov/news-events/cybersecurity-advisorieswebfetchbridge:urlbridge:jina200 unstructured-listing
JS-rendered filter/listing shell returned only the filter UI, no advisory list items, on direct fetch and jina reader (S1). No structured bridge listing endpoin
CISA KEV catalog (structured API) fetched successfully — no new KEV additions since catalogVersion 2026.07.07, so exploitation ground-truth is covered; a non-KE
cisa-directiveshttps://www.cisa.gov/news-events/directiveswebfetchbridge:urlbridge:jina200 unstructured-listing
Same JS-rendered filter/listing shell as cisa-advisories; no structured bridge endpoint (S1). No in-window directive signal found via cross-checks.
Cross-checked BleepingComputer/Hacker News for any CISA-directive story in-window — none. Recipe gap unchanged.

Bridge invocations (this run)

5 bridge calls this run · these are successful bridge fetches (separate from "Coverage gaps" above).

5 other
  • ×5

Verification findings · all iterations

Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.

Iteration #? NEEDS_FIXES · 4 findings (truth=2, editorial=1, advisory=1) · Claude Opus 4.8 · 10m 38s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F4
hallucinated-fact
evidence[0] quote ('Attackers who obtain the active private key can forge SAML assertions for any user in a federated environment') was not a verbatim substring of the Mandiant page; claim source-accuReplaced evidence[0] with the verbatim Mandiant string ('Successfully obtaining this active key allows an attacker to forge valid SAML assertions for any user,
F4
hallucinated-fact
The Bank-of-Lithuania / EEA / Switzerland nexus facts (the entry's inclusion basis) were absent from all three cited sources, and 'across the EEA, including Switzerland' is geographically wrong (SwitzMain agent re-fetched Nayax's own licensing announcement (nayax.com/news/payment-institute-license/, confirms Bank-of-Lithuania PI licence + '23 million enterpr
F17
?
classification.reliability: A exceeded the source's own tier (mandiant-gtig reliability=B in sources.json).Set classification.reliability: B to match the mandiant-gtig source tier.
F11
editorial-advisory
Workflow-internal policy shorthand leaked into reader-facing text: 'per PD-9 … not a re-summary target' (ESET body) and 'per PD-6' (Nayax sourcing_note).Reworded both without the PD references ('a single reference entry for ESET's semi-annual H1/H2 report cadence'; 'reported as an attributed claim, not as fact')

Iteration #? NEEDS_FIXES · 2 findings (truth=1, editorial=1, advisory=0) · Claude Opus 4.8 · 7m 18s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F12
single-source-flag-missing
verification: multi-source, but both cited references (WeLiveSecurity report + the GlobeNewswire item, which is ESET's own press release) are ESET's first-hand statement, not independent corroborationChanged verification to single-source and added a sourcing_note noting both references are ESET's own first-hand statement (expected shape for a named vendor's
F4
hallucinated-fact
evidence[2] spliced two source sentences across an inserted ellipsis not present in the original, so it was not a strict verbatim substring (facts accurate).Main agent re-fetched the Sygnia page and replaced evidence[2] with the exact contiguous verbatim text ('multiple attacker-created artifacts were framed as part

Iteration #? NEEDS_FIXES · 4 findings (truth=3, editorial=0, advisory=1) · Claude Opus 4.8 · 8m 20s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F4
hallucinated-fact
The stable backport version list (6.1.177/6.6.144/6.12.95/6.18.38/7.1.3) was in no cited source — BleepingComputer lacks it, V4bel gives only the commit range, kernel.org is the mainline commit with nMain agent re-fetched V4bel repo (gives vulnerable range 2032a93d66fa 2010-08-01 -> fix 81ccda30b4e8 2026-06-16 only). Removed the unsourced version list from f
F3
claim-not-supported
CVSS 9.9 + vector attributed to Plesk's advisory, which carries no CVSS — the score is on the co-cited CCB advisory.Main agent re-fetched both advisories: CCB carries 'CVE-2026-48614: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)'; Plesk carries the version table (affect
F4
hallucinated-fact
evidence[2] (SACL/Event-ID-4663 quote) was an ellipsis-splice, not a contiguous verbatim substring.Replaced with the exact contiguous Mandiant text ('Configure object access auditing via SACLs on C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\ and C:\\
F11
editorial-advisory
Plesk/CCB source-date ambiguity (CCB advisory 2026-07-08 vs Plesk 2026-07-03) — advisory only.No change needed; both dates are stated correctly on their respective sources and in the entry's sources[] (Plesk 2026-07-03, CCB 2026-07-08); event_date 2026-0

Verification & coverage notes

The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.

Verification & coverage notesrun record body

2026-07-09T0409Z-intel · Claude Opus 4.8 · window 24 h · 10 entries published

Verification & coverage notes

Window. Intraday fire, gap 8 h from the previous run (2026-07-08T2009Z-intel). Window held at the 24 h floor (developing window 72 h). Dedup ran against the full 14-day prior_coverage.json (140 records, incl. the 2026-07-08 run and the W27 weekly) plus the store-wide CVE index. No in-window intel/ drops — no S5 spawned. No watchlists configured — no Watchlist: line, product/supplier sweeps are no-ops (S1 products checked=0, S4 suppliers checked=0).

Volume note. 10 entries on an 8 h intraday fire is larger than a typical intraday window, and it reflects genuinely-new, never-before-published signal — not cadence inflation (dedup confirmed every entry is new). Three items are developing-window first-coverage the prior 64 h-window run did not surface: Januscape (source 2026-07-07, ~30 h), the Mandiant ADFS Golden SAML write-up (2026-07-07, ~38 h), and Cavern Manticore (2026-07-06, ~40 h). All three are outside the strict 24 h window but inside the 72 h developing window and were never covered by any prior run; they are published as first-coverage of significant developing stories with event_date set to the true source date, per PD-7. The remaining seven are fresh 2026-07-08 items.

GhostApproval de-duplication. Both S1 and S3 independently surfaced Wiz's GhostApproval. Merged into one entry using S1's richer multi-source corroboration (Wiz + AWS GHSA-6v3r-4p5c-mrp5 + Cursor GHSA-3v8f-48vw-3mjx). Reported faithfully incl. Anthropic Claude Code's "outside our threat model" response and its v2.1.32 symlink warning — no sanitisation of a finding that names the producing vendor's own product.

Deep dive. mandiant-adfs-machine-dpapi-golden-saml-key-recovery (identity-infra) — selection criterion 3 (substantive new technical analysis with actionable public detail). Category rotation-fresh: the last identity-infra deep dive was Keycloak (2026-06-28, >7 days). window24h.deep_dives_today was 0 at run start. One deep dive this fire. Background paragraph (PD-10) cites the 2017 CyberArk Golden SAML disclosure and Mandiant's earlier UNC2452 ADFS work.

Single-source / carve-outs.

  • UNC1151/Ghostwriter Gmail 2FA phishing — single-source-national-cert (CERT Polska / NASK, Admiralty A, for its own jurisdiction).
  • Sygnia AI-orchestrated AWS intrusion — single-source (Sygnia, Admiralty B); the AI-orchestration read is Sygnia's assessment from tempo/artefacts, framed as assessed not proven (credibility: 3).
  • Cavern Manticore — single-source (Check Point Research, Admiralty B); Israel-targeted, included on transferable technique class (PD-11 d) + same-actor-class relevance (Iran MOIS also targets EU public sector) (credibility: 3).
  • Nayax — victim's own SEC Form 6-K is the fact base (victim-disclosure carve-out) + DataBreaches.net/Calcalistech corroboration → multi-source; "The Syndicate"'s 1B-record/100TB/~1yr figures reported as an unverified attributed leak-site claim per PD-6, with the internal contradiction against the "immediately contained" filing surfaced explicitly (credibility: 3).

borderline-drop: CVE-2026-11405 (Tenda router httpd hidden backdoor) — CVSS 9.8, CERT/CC VU#213560, but Tenda is a consumer/SMB router brand with no Swiss/EU public-sector or critical-infrastructure nexus; generic hardcoded-backdoor lesson, not a product the constituency runs, no novel transferable TTP. Out of scope per the PD-11 scope gate (doubt about relevance-to-constituency resolves to drop). Recoverable if it turns up in a constituency estate.

borderline-drop: PDAG (Psychiatrische Dienste Aargau) cantonal-healthcare mailbox-takeover / phishing-relay — a real Swiss home-region public-sector/healthcare incident (S2 lead; main-agent spot-check confirmed the inside-it.ch RSS lead but the article URL 403'd on direct, jina and bridge transports, and no PDAG statement URL or second source surfaced). Dropped on two grounds: single-source (inside-it.ch, Admiralty C news) with no independently-fetchable victim/CERT primary to satisfy two-source or a carve-out, and modest technical depth — generic BEC mailbox-takeover → spam/phishing relay with no root cause, TTP, or new action beyond the already-covered M365 mailbox-takeover pattern. Recoverable if a fuller disclosure (PDAG statement / NCSC-CH pickup) lands.

out-of-window drops (S-agent level). S3: CrowdStrike prompt-injection post and Seqrite Operation DragonReturn — listing-page dates misaligned with true Published-Time metadata (2026-05-20 and 2026-06-26 respectively); excluded once confirmed out of window. S2: a "Swiss federal administration DDoS" WebSearch lead was recycled Jan-2025 news (radiolac.ch) — discarded as a recency trap. S1: Exodus msi.dll LPE write-up covers CVE-2025-27727 (patched April 2025) — retrospective, low current urgency, dropped.

Coverage gaps: cisa-advisories, cisa-directives, cisa-news (JS-shell listing pages; no structured bridge endpoint — KEV API covered exploitation ground-truth, a non-KEV in-window advisory may have been missed); cert-eu (feed stale to 2026-06-10, 200 OK not a transport failure); industrialcyber-co (standing 403/Cloudflare block, jina reader also blocked — no demotion); zimperium-zlabs, aikido-security (SPA nav-chrome only via jina — need a structured listing/sitemap recipe); jpcert (not fetched — time budget, no evidence of a missed in-window item); calif-codex, vulncheck, socket-dev-blog RSS empty via jina (HTML fallback showed nothing newer in-window / cross-domain items left to S3/S4).

Essential-coverage: missed=cisa-advisories, cisa-directives (JS-shell listing pages unreadable via current bridge recipes; KEV API — the exploitation ground-truth for both — fetched successfully, so no new exploited-flaw signal was missed).

Verification loop: 4 iterations (1 Opus, 2 alt-slot, 3 Opus, 4 alt-slot) → CLEAN on iteration 4. Iteration 1 found 4 (2 truth incl. 2 F4, 1 editorial F17, 1 advisory); iteration 2 found 2 (1 F12 editorial, 1 F4 truth); iteration 3 found 4 (3 truth: F4 Januscape version list, F3 Plesk CVSS attribution, F4 Mandiant quote-splice; 1 advisory); iteration 4 CLEAN. All remediations traced to sources re-fetched during the fix cycle. No entries dropped by verification.

AI-content transparency — verifier model rotation did NOT take effect this run. The prompt rotates verifiers Opus (odd) / Sonnet (even, cti-verification-alt). All four verifier spawns — including iterations 2 and 4, the alt-slot Sonnet-pin — reported **Model:** Claude Opus 4.8 (claude-opus-4-8) from the authoritative CLAUDE_FRIENDLY_NAME/CLAUDE_MODEL_ID env vars. The iteration 4 verifier explicitly flagged the discrepancy. In this cloud container the env vars appear to pin every spawn to Opus 4.8 regardless of the agent definition's model: frontmatter, so model diversity across iterations was not achieved (iteration 2 was recorded verbatim as Opus 4.8, corrected from an initial mis-assumption of Sonnet). Operator follow-up: confirm whether the routine container is meant to honour per-agent model frontmatter or whether the Opus pin is intentional; the rotation's blind-spot-catching benefit is currently a no-op.

Self-evolution follow-up (noted, not actioned this run): CERT-FR (anssi-fr) fetch_source.py feed returns items oldest-first; a default N=20 surfaces stale entries instead of the latest bulletin. Note appended to the source record; a bridge-tooling fix (reverse/most-recent-first ordering for CERT-FR feeds) is a candidate for a future run.

← Operations dashboard · day page 2026-07-09 · run-record contract: docs/pipeline.md