ctipilot.ch

2026-07-11T1210Z-intel

One pipeline fire, in full · intel run of 2026-07-11 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-07-11/2026-07-11T1210Z-intel.md.

Run telemetry

2026-07-11T1210Z-intel intel prompt v3.18 publish ok
44m 04s duration 2 published 0 updates
Claude Opus 4.8 (claude-opus-4-8) main agent
S1 Claude Sonnet 5 (claude-sonnet-5)
Items returned
2
Duration
12m 05s
Tool calls
12 WebFetch8 WebSearch28 bridge
Cited sources
2 of 18 in slice
S2 Claude Sonnet 5 (claude-sonnet-5)
Items returned
1
Duration
14m 40s
Tool calls
24 WebFetch15 WebSearch6 bridge
Cited sources
1 of 16 in slice
S3 Claude Sonnet 5 (claude-sonnet-5)
Items returned
0
Duration
9m 37s
Tool calls
14 WebFetch38 WebSearch9 bridge
Cited sources
0 of 12 in slice
S4 Claude Sonnet 5 (claude-sonnet-5)
Items returned
1
Duration
11m 46s
Tool calls
20 WebFetch22 WebSearch5 bridge
Cited sources
0 of 12 in slice

Verification

#1 CLEAN · Opus 4.8 · t=0 e=0 a=0

Deep dive

Sources changed (this run)

Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.

2 last_successful_fetch.

SourceChangeFrom → ToReason
anssi-frlast_successful_fetch2026-07-10 → 2026-07-11primary source for the three MOVEit Transfer CVEs (CERTFR-2026-AVI-0856)
mysites-gurulast_successful_fetch2026-07-10 → 2026-07-11primary source for Joomla RSFiles!/Phoca Download file-upload RCE; candidate, another contributing run recorded

Coverage gaps (this run)

Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)

No coverage gaps in this run · every source the brief needed returned usable content via its documented recipe.

Bridge invocations (this run)

9 bridge calls this run · these are successful bridge fetches (separate from "Coverage gaps" above).

6 ok3 other
  • jina ×8
  • url ×1

Verification & coverage notes

The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.

Verification & coverage notesrun record body

2026-07-11T1210Z-intel · Opus 4.8 · window 24 h · 2 entries published

Verification & coverage notes

Intraday fire, ~8 h after the previous run (2026-07-11T0409Z-intel). The 24 h window floor re-scanned a full day; the two published entries are the new, relevant delta the earlier fires today had not surfaced, both with primaries dated 2026-07-10. Quiet-window shape: four research streams surfaced five candidate items, two cleared the gate.

  • Published (2): Joomla RSFiles!/Phoca Download file-upload RCE (CVE-2026-57827 unauth CVSS 10.0 / CVE-2026-57828 auth CVSS 9.0; high) — new members of the tracked Joomla-extension file-upload wave, cleared the gate on the wave's demonstrated rapid disclosure-to-KEV pattern and the pre-auth CVSS 10.0 exposure on widely-deployed municipal Joomla; and Progress MOVEit Transfer three CVEs (CVE-2026-10699 pre-auth SFTP DoS / CVE-2026-10698 admin table-scope bypass / CVE-2026-11903 stored XSS; notable) — a clearly-relevant, national-CERT-surfaced (CERT-FR) patch-prioritisation item for a notorious internet-facing MFT product in the profiled public-sector/finance sectors; severity doubt on a clearly-relevant item resolved toward include at the priority the cited facts support.
  • borderline-drop: Keycloak 26.7.0 (CVE-2026-9796/9689/9798/11986) — the EU public-sector reference IdP is squarely relevant, but these four are a routine monthly release with no exploitation, no public PoC and no vendor-published CVSS, single-sourced to the vendor release notes (the four CVEs' GitHub issue links 403'd on direct fetch and the reader), and dated 2026-07-09 (~60 h, outside the 24 h floor). Below the bar the vulnerability gate sets (action beyond the regular patch cycle) on sourcing and recency both; recoverable via an update if exploitation emerges.
  • out-of-window: CISA's forensic postmortem "Lessons from CISA's Cyber Incident" (the May GovCloud contractor credential leak) — surfaced as a candidate update on the store's existing May incident, but the primary was published 2026-06-09 (per Infosecurity Magazine, 2026-07-10), ~32 days stale. The 2026-07-08/10 trade-coverage wave (Infosecurity, SC Media, CyberScoop, Cybernews) is delayed pickup of a month-old CISA post, not a fresh CISA development, so there is no in-window delta to hang an update on — publishing it now would be the "month-old news as new" trap. The deep-read pinned this: jina metadata showed 2026-06-23 and the S4 stream reported 2026-07-09, but the authoritative date is 2026-06-09. Dropped on recency.
  • Dedup: both published items are genuinely new CVEs absent from the 14-day in-context window and the store-wide CVE index; the Joomla item cites the existing trend:joomla-extension-file-upload-rce-wave entity, whose summary was extended this run to record iCagenda, RSFiles! and Phoca as additional members (an entity-summary update, not a new entity — nothing added to the registry namespace). The research streams correctly excluded, without republishing, a long list of already-covered items today/this week (Zimbra, Gitea CVE-2026-20896, Cisco SD-WAN/ISE, BeyondTrust, Citrix NetScaler, Januscape, Langflow, Siemens SICAM 8, Sygnia AI-AWS, SentinelLabs e-gov watering hole, Talos wolfSSL batch, GigaWiper, GodDamn/PoisonX, ESET H1 report).
  • Verification / sourcing: Joomla item is multi-source (mySites.guru discoverer + RSJoomla! vendor advisory for RSFiles!; discoverer + vendor 6.1.3 fix + CVE-record assignment for Phoca). Resolved a Phoca CVSS discrepancy at deep-read: the mySites.guru post said the CVE was "pending" and rated it 7.7, but the authoritative CVE record (Joomla CNA) shows CVE-2026-57828 assigned at CVSS 4.0 9.0 — assigned after the blog; frontmatter uses the authoritative 9.0. MOVEit item's primary is the CERT-FR advisory; per-CVE CVSS/CWE/version detail corroborated against the Progress-assigned CVE records (verified on CVE.org, cited via the THREATINT mirror). Progress's own MOVEit community bulletin is a JS-only page that 401'd the reader this run, so it is not cited; a MOVEit version discrepancy (CERT-FR 2026.0.2 vs CVE metadata 2026.0.1 for the 2026.x branch) is flagged in the entry — defenders verify against their build.
  • Fake-news / recency guards that fired in research (correctly excluded): a ~40-victim "Deadlock" EU ransomware leak-site mass-listing (incl. a Czech municipality and a Swiss manufacturer), a MedusaLocker claim against a Zurich cantonal Baudirektion (bd.zh.ch) domain, and French/Mayotte commune leak-site claims — all unverified leak-site relays with no victim confirmation or high-reliability journalism; two recycled-news traps (a January-2025 RTS Swiss federal-administration story and a June-2025 Fondation Radix story still indexed as if current); and out-of-window items (Accenture breach 3 days stale, EU NIS2/CJEU referral — flagged for the weekly). The bd.zh.ch cantonal item is flagged for a targeted internal check in a future run given the deployment's own Zurich nexus.
  • Priority: no critical and no high-for-notification beyond the Joomla item's high (pre-auth CVSS 10.0 RCE within an actively-exploited wave, on infrastructure widely deployed across the constituency's municipal web estate — genuinely TL;DR-worthy patch-now signal). No deep dive: no candidate cleared the bar (deep_dives_today was 0; no active in-the-wild exploitation with constituency exposure to justify long-form treatment, and no depth manufactured to fill the slot).
  • ATT&CK: mapped against the pinned dataset (v19.1) — Joomla T1190/T1505.003; MOVEit T1190/T1499.004/T1059.007; all validated active, each naming a behavior the body describes.
  • Coverage gaps: cert-eu (feed stale, freshest advisory 2026-06-10); ncsc-uk (freshest ~2026-04-07, index returned only a JS shell); cert-pl (freshest 2026-06-12, quiet); jpcert (in-window items low-severity single-vendor, below the bar); vulncheck, watchtowr, exodus-intelligence, calif-codex, xlab-qianxin, seqrite-labs, sophos-xops, sansec-research, volexity, fox-it-blog, sygnia (all reachable, no in-window content); industrialcyber-co (persistent anti-bot block on article pages via WebFetch AND the reader, feed-only reachable — flagged 7+ runs, classed handled by source_health via its recipe, a 403 never demotes). None are unrecovered transport failures that cost published coverage.
  • Essential-coverage: missed=cisa-advisories, cisa-directives (the active-threats stream swept CISA KEV via the bridge fetcher but did not confirm a fetch of the CISA advisories/directives feeds this run; both were quiet on the previous fire ~8 h ago and cisa-advisories last returned 200 with no in-window addition — no evidence of an emergency advisory missed, but recorded as an essential miss for the next run's rotation).
  • Watchlist: no products/suppliers configured — sweep is a no-op (S1 products 0/0, S4 suppliers 0/0); parseable line omitted per policy.
  • source_health.py: 157/157 probed in 50 s (95 ok, 62 bridge-ok), zero UNSOLVED — no repair orders this run.

← Operations dashboard · day page 2026-07-11 · run-record contract: docs/pipeline.md