ctipilot.ch

2026-07-12T2309Z-weekly

One pipeline fire, in full · weekly run of 2026-07-12 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-07-12/2026-07-12T2309Z-weekly.md.

Run telemetry

2026-07-12T2309Z-weekly weekly prompt v3.22 publish ok
36m 51s duration 15 published 2 updates
Claude Opus 4.8 (claude-opus-4-8) main agent
W1 Claude Sonnet 5 (claude-sonnet-5)
Items returned
5
Duration
12m 31s
Tool calls
28 WebFetch15 WebSearch2 bridge
Cited sources
8 of 13 in slice
W2 Claude Sonnet 5 (claude-sonnet-5)
Items returned
2
Duration
6m 20s
Tool calls
9 WebFetch12 WebSearch3 bridge
Cited sources
5 of 8 in slice

Verification

#? NEEDS_FIXES · Claude Opus 4.8 · t=2 e=0 a=0 #? CLEAN · Sonnet 5 · t=0 e=0 a=0

Deep dive

Entries published (this run)

Sources changed (this run)

Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.

No source-list edits recorded for this run.

Coverage gaps (this run)

Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)

No coverage gaps in this run · every source the brief needed returned usable content via its documented recipe.

Bridge invocations (this run)

2 bridge calls this run · these are successful bridge fetches (separate from "Coverage gaps" above).

2 other
  • fetch_source.py ncsc-csh recent ×1
  • fetch_source.py url ×1

Verification findings · all iterations

Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.

Iteration #? NEEDS_FIXES · 2 findings (truth=2, editorial=0, advisory=0) · Claude Opus 4.8 · 8m 44s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F4
hallucinated-fact
The e-government watering-hole strand was called 'an EU-facing espionage watering-hole' and counted among 'three of the five strands [with] a direct nexus', but the cited SentinelLabs source and the oRecharacterised the e-gov strand as a transferable-technique item and corrected the direct-nexus count from three to two (Swiss cantonal authority + Latvian sta
F4
hallucinated-fact
The summary listed CVE-2026-57827 inside the 'Confirmed exploited / KEV this week' Joomla parenthetical, but the body and the Joomla top-story state 57827/57828 were patched without confirmed exploitaDropped CVE-2026-57827 from the exploited/KEV parenthetical in the summary; the body already stated it correctly.

Verification & coverage notes

The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.

Verification & coverage notesrun record body

2026-07-12T2309Z-weekly · weekly · Claude Opus 4.8 · 15 entries published

Weekly strategic run — 2026-W28 (2026-07-06 – 2026-07-12)

ATT&CK pin freshness

tools/attack_data.py --check: up to date — local v19.1 == upstream latest v19.1. No update required this run. Two operational-entry technique ids composed this week were mapped to their v19 survivors after the pin check (T1562.001 → T1685 "Disable or Modify Tools"; T1656 → T1684.001 "Impersonation").

Week in review (Phase 1)

57 operational entries across the ISO week (07-08: 11, 07-09: 21, 07-10: 16, 07-11: 9; 07-06/07-07/07-12 quiet), 13 high-priority, no critical. Working lists persisted to work/<run-id>/week-review.json. Duplicate-week guard: prior -weekly record (2026-07-05) covered W27; W28 not previously covered — cleared.

Strategic output (15 entries)

  • top-stories (2): Joomla third-party-extension file-upload RCE wave (on-fire, CH/EU public-sector, several exploited zero-days + KEV); confirmed ITW exploitation of exposed enterprise/edge software (ColdFusion KEV, CitrixBleed 2 → DragonForce IAB, Gitea escalated by NCSC-CH).
  • multi-day (1): M365 identity-attack convergence — device-code / AiTM PhaaS / ROPC spray / manager-impersonation vishing all sidestepping MFA + Conditional Access.
  • vuln-rollup (1): W28 CVE status trajectory (exploited/KEV set + public-exploit set + OT note); cves: [] by design — every CVE fully sourced in its referenced operational entry, so the roll-up avoids the cross-run CVE-dedup FAIL.
  • sector-patterns (2): government & public administration (CH/EU) targeting cluster (high); healthcare (CH nexus).
  • incidents-recap (1): third-party / cloud-account / vendor exposure drove the week's disclosures.
  • research (3): AI operationalised (from target to operator, deepening); identity & trust-primitive forgery (ADFS Machine DPAPI key recovery + Git signature malleability); threat-actor developments (Scattered Spider reclustering + China/Iran state-nexus edge/ORB/C2 tradecraft).
  • long-running (2): The Gentlemen (Storm-2697) status update (update_of W26); npm supply-chain wave status (jscrambler + injectivelabs).
  • policy (2): Netherlands NIS2 Senate passage → 15 Aug 2026 in force (update_of W27 slip story); FINMA post-quantum crypto guidance AM 05/2026.
  • looking-ahead (1): 2026-W28 outlook — items already in motion.

Priority calibration: high reserved for the four genuinely week-defining items (Joomla wave, exploited edge/enterprise, M365 identity convergence, CH/EU government targeting); no critical — no single stop-and-act weekly item this week, bar unchanged.

Verification & coverage notes

  • Weekly dedup (replaces PD-8). Dedup ran against W27 (2026-07-05) and W26 (2026-06-29) strategic entries. Items already consolidated returned only as fresh deltas: Netherlands NIS2 as update_of the W27 slip entry (Senate now passed, hard date fixed); The Gentlemen as update_of the W26 long-running entry (Unit 42 full profile). The AI-as-operator arc (W27 multi-day) returns only as new-this-week specific research (Sygnia, Friendly Fire, Armored Likho, PraisonAI, comment-stuffing), not a re-list. W1 found no qualifying new movement on ShinyHunters/UNC6240, FortiBleed, DragonForce/CitrixBleed (beyond dailies) or Operation Endgame — checked, not padded.
  • Already-operational, referenced not re-summarised. W1 surfaced the Mandiant ADFS and Sygnia AWS items as fresh, but both were already published operationally on 07-09; they are synthesised into the research entries by reference (with new lens), never re-summarised. The ESET Threat Report H1 2026 (07-09 annual-report) is referenced once, not re-summarised.
  • Single-source items. The Scattered Spider reclustering rests on a single primary (Group-IB) with no independent second source yet — carried as single-source, attributed to Group-IB as an analytical model, not settled fact. The Gentlemen status delta is single-source (Unit 42); the cited Expel EDR-disable zero-day is a third-party claim relayed by Unit 42, not independently confirmed (flagged in the entry and the outlook).
  • Coverage gaps. jina universal-reader (tools/fetch_source.py jina) returned HTTP 402 "JINA_API_KEY balance exhausted" on every call across BOTH sub-agents this run — a system-wide outage, not a per-source failure. Every source whose recipe leans on the jina fallback rung (e.g. coe.int, cisa-directives direct-403 hosts) was degraded to direct-fetch/WebSearch only. W2 covered the affected policy questions via WebSearch with no material item lost; Council of Europe Second Additional Protocol status unchanged (2 of 5 ratifications). W1 listed recordedfuture-insikt (JS-shell landing page, needs a bridge/RSS recipe) and sekoia (301 → sekoia.com/blog, url needs updating) as reachable-but-degraded — deferred to a daily run rather than edited this run to avoid sources.json churn during the jina outage. Operator action: the jina API key needs a top-up or rotation (https://jina.ai/api-dashboard/) — until then, every jina-fallback source is degraded across all routines.
  • Source health. tools/source_health.py probed 157/157 sources (95 ok, 56 bridge-ok, 3 bridge-blocked). Three UNSOLVED needs-demote flags — ccn-cert-es, reliaquest, mysites-guru — are all attributable to the same jina-402 outage above, not to dead recipes: mysites.guru and reliaquest both fetched successfully as primary sources in this week's daily entries (the Joomla wave and Helix entries cite them), so their content is demonstrably reachable and the failure is the jina fallback rung being balance-exhausted this run. Demoting healthy sources on a transient key-balance outage would violate the standing "a transport/anti-bot block never demotes" rule, so no demotion was applied; the operator-side jina key top-up clears all three. sources_changed: [].
  • check_run.py --pre-verify and the Phase 5.7 verifier loop results are recorded in the verification block above once run.

← Operations dashboard · day page 2026-07-12 · run-record contract: docs/pipeline.md