ctipilot.ch

2026-07-15T0409Z-intel

One pipeline fire, in full · intel run of 2026-07-15 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-07-15/2026-07-15T0409Z-intel.md.

Run telemetry

2026-07-15T0409Z-intel intel prompt v3.24 publish ok
1h 33m duration 4 published 1 updates
Claude Opus 4.8 (claude-opus-4-8) main agent
S1 Claude Sonnet 5 (claude-sonnet-5)
Items returned
3
Duration
11m 49s
Tool calls
not reported
Cited sources
5 of 23 in slice
S2 Claude Sonnet 5 (claude-sonnet-5)
Items returned
1
Duration
13m 58s
Tool calls
not reported
Cited sources
1 of 24 in slice
S3 Claude Sonnet 5 (claude-sonnet-5)
Items returned
2
Duration
10m 17s
Tool calls
not reported
Cited sources
4 of 12 in slice
S4 Claude Sonnet 5 (claude-sonnet-5)
Items returned
6
Duration
16m 09s
Tool calls
not reported
Cited sources
4 of 9 in slice

Verification

unconfirmed CLEAN · waived: single CLEAN at iteration 5 (the 5-iteration cap); iteration 4 returned NEEDS_FI #1 NEEDS_FIXES · Claude Opus 4.8 · t=2 e=0 a=1 #2 NEEDS_FIXES · Sonnet 5 · t=1 e=1 a=0 #3 NEEDS_FIXES · Claude Opus 4.8 · t=1 e=0 a=0 #4 NEEDS_FIXES · Sonnet 5 · t=2 e=0 a=0 #5 CLEAN · Claude Opus 4.8 · t=0 e=0 a=0

Deep dive

Sources changed (this run)

Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.

No source-list edits recorded for this run.

Coverage gaps (this run)

Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)

No coverage gaps in this run · every source the brief needed returned usable content via its documented recipe.

Verification findings · all iterations

Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.

Iteration #1 NEEDS_FIXES · 3 findings (truth=2, editorial=0, advisory=1) · Claude Opus 4.8 · —

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F4
hallucinated-fact
ABB T-MAC Plus 'affected' listed as 4.0-24 and 4.0-25; the CSAF product_status names 4.0-24 as known_affected and 4.0-25 as the fixed release. The 4.0-25 = affected claim is unsupported.Corrected all four T-MAC CVE records to affected 4.0-24 / fixed 4.0-25, and the summary/body/action line accordingly, confirmed against the CSAF product_status
F3
claim-not-supported
The 'whole home directories / SSH keys / password-manager database' replication claim was cited to GBHackers, but only The Register (also cited) supports it.Re-pointed that claim's citation to The Register; added GBHackers as a corroborating inline cite on the core exfiltration finding it does support, preserving th
F11
editorial-advisory
sourcing_note asserted 'no v4.0 vector was published' for the Rockwell CVE, contradicted by the advisory page (which carries a v4.0 base 10.0). Low materiality — both scores are 10.0.Removed the v4.0 claim; sourcing_note now states the base score 10.0 without asserting which CVSS versions the advisory publishes.

Iteration #2 NEEDS_FIXES · 2 findings (truth=1, editorial=1, advisory=0) · Claude Sonnet 5 · —

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F4
hallucinated-fact
The 'no fixed firmware' claim for the headline Rockwell CVE-2026-10577 (title, headline, summary, body, cves[0].status/fixed, action item) is false — the CSAF remediations array and Rockwell PSIRT SD1Corrected to fixed 3.011 throughout — title, headline, summary, body, cves[0].status=[patch-available]/fixed=3.011, tags (no-patch→patch-available), Defender ta
F5
missing-citation
The 'all cloud apps Conditional Access still applies to ROPC regardless of client_id' claim (summary + action item) is not stated by any of the three cited sources — Proofpoint supports only that per-Removed the uncited 'all cloud apps still applies' clause from the summary and the action item; kept the source-supported point that application-scoped Conditio

Iteration #3 NEEDS_FIXES · 1 finding (truth=1, editorial=0, advisory=0) · Claude Opus 4.8 · —

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F4
hallucinated-fact
The entry claimed a public PoC for CVE-2026-55040 (title, summary, cves[0].status: [poc-public], tags), but the cited Rapid7 primary withholds it — Microsoft requested a 30-day stay on technical-detaiRemoved poc-public from status and tags; reframed the title/summary as a Pwn2Own-demonstrated chain whose PoC and technical details are under a 30-day disclosur

Iteration #4 NEEDS_FIXES · 2 findings (truth=2, editorial=0, advisory=0) · Claude Sonnet 5 · —

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F4
hallucinated-fact
CVE-2026-58644 fixed field said 'July 2026 cumulative update', but MSRC's revision history states the patch shipped with the June 2026 cumulative update and the CVE was inadvertently omitted from JuneCorrected the 58644 fixed field to the June 2026 cumulative update with the provenance note; split the body sentence so 50522 (July) and 58644 (June patch, July
F4
hallucinated-fact
techniques[] carried T1078 (Valid Accounts), which does not match the CVE-2026-55040 mechanism (a JWT-forgery authentication bypass where no valid credential is ever used); T1606 (Forge Web CredentialReplaced T1078 with T1606 in techniques[]; T1190 retained for the deserialization-RCE exploitation vector. Both confirmed active in attack/enterprise-attack.jso

Verification & coverage notes

The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.

Verification & coverage notesrun record body

2026-07-15T0409Z-intel · Claude Opus 4.8 · window 24 h · 4 entries published

Verification & coverage notes

Intraday fire; previous run 2026-07-14T2009Z-intel (~8 h gap, publish_status: ok). Window held at the 24 h floor. Four entries cleared the gate: three new (one OT/ICS vulnerability batch, one identity-tradecraft research item, one AI-dev-tool data-exposure incident) and one update to the 14 July Microsoft Patch Tuesday entry. None rated critical, no deep dive.

  • Verification loop — 5 iterations, ending on a single CLEAN at the cap (fail-open). This was a data-heavy run (two multi-CVE vulnerability entries built from CISA CSAF and MSRC OData), and the cold-reader loop earned its keep: iterations 1–4 each surfaced genuine, converging truth defects, all remediated, and iteration 5 (Opus) returned CLEAN on a full cold read. Because iteration 4 was NEEDS_FIXES, the confirming double-CLEAN would have needed a sixth iteration beyond the 5-cap, so the run publishes on the single CLEAN as a documented fail-open (verification.confirmation_waived). The defect pattern is instructive for future runs: three of the seven findings were CSAF/MSRC-transcription misses on the two vulnerability entries — the ABB T-MAC affected-vs-fixed version status (iter1), the Rockwell CVE-2026-10577 fixed firmware 3.011 that I had wrongly called "no fix" (iter2), and CVE-2026-58644's fix having shipped in the June (not July) cumulative update (iter4) — each caught because the verifier read the CSAF product_status/remediations arrays and the MSRC revision history rather than only the product names and summary notes. Lesson recorded to memory: when composing an ICS/CSAF or MSRC vulnerability entry, extract affected/fixed status from the structured product_status/remediations/revision fields, not from the human-readable summary.
  • No critical, no deep dive. The strongest severity candidate — Rockwell CVE-2026-10577 (CVSS 10.0, unauthenticated) — has no known in-the-wild exploitation, no public PoC, and targets an OT device that should already sit behind network segmentation, so it ships at notable, not critical. No candidate offered published exploitation mechanics to justify the long-form deep-dive treatment; depth was not manufactured.
  • CISA ICS batch consolidation. S1 and S2 independently surfaced the same 14 July CISA ICS advisory batch (four advisories); published as a single consolidated vulnerability entry. Facts (CVE ids, CVSS v3.1 scores, CWE classes, affected-version ranges) were transcribed from the machine-readable CSAF JSON for each advisory, not from the web pages. verification: single-source-national-cert — each item traces to one CISA advisory (a government-authority disclosure republishing the vendor PSIRT); no independent second source. The Edgenius "Copy Fail" CVE (CVE-2026-31431) in that batch was already covered in May 2026 as the generic kernel flaw, so it was kept out of the entry's cves[] and framed in the body as a previously-disclosed flaw now named against a specific Swiss-vendor product; the genuinely-new content is CVE-2026-10577 (Rockwell) and the ABB T-MAC Plus chain (CVE-2025-14771–14774).
  • Microsoft Patch Tuesday follow-through (update). The 14 July Patch Tuesday entry covered the two KEV-listed exploited zero-days; S1 surfaced four further high-severity July CVEs with pre-auth risk. Published as one update_of delta: the SharePoint Pwn2Own JWT auth-bypass CVE-2026-55040 (public Rapid7 PoC, chained RCE half unpatched until August), the pre-auth Dynamics 365 deserialization RCE CVE-2026-55944 (Microsoft "Exploitation More Likely"), and two Site-Owner SharePoint deserialization RCEs (CVE-2026-50522/58644). CVSS/exploitability transcribed per-CVE from the MSRC OData API. Noted discrepancy: CVE-2026-50522/58644 carry a base CVSS vector of PR:N but Microsoft's FAQ describes Site-Owner-authenticated exploitation — recorded as post-auth on the FAQ basis, flagged in the entry's sourcing note.
  • Recency exception (documented): Proofpoint OAuth client ID spoofing. The Proofpoint disclosure is dated 2026-07-13 — just outside this run's 24 h window but inside the 72 h developing window. It was not covered by any prior run (checked against the 14-day prior-coverage index) and is a significant, actionable Entra ID detection-evasion technique (credential-validity oracle via ROPC + spoofed client_id; blank application-name log evasion; the load-bearing fix is blocking the ROPC grant type). Carried as first coverage of developing signal rather than dropped, on the completeness principle that a relevant, previously-unpublished item is a reader blind spot; event_date records the 2026-07-13 disclosure date.
  • borderline-drop: ESET UEFI shim bypass (CVE-2026-8863/10797) — S3 surfaced ESET's WeLiveSecurity write-up, but these exact CVEs and the same ESET research are already covered by entries/2026-07-14/eset-forgotten-uefi-shims-secure-boot-bypass.md with no material new delta. Dropped as a duplicate (a non-update entry sharing those CVE ids would fail the dedup gate).
  • borderline-drop: four law-enforcement / legal-milestone items (S4). The Vastaamo hacker's finalised sentence + wanted notice (Finland), the DOJ Media Land / ML.Cloud bulletproof-hosting indictment (already OFAC-sanctioned Nov 2025), the Spanish Policía Nacional €140M BEC/fraud-network takedown, and the UK NCA charges over the Russian Coms caller-ID-spoofing platform (already taken down 2024). All are genuine news with EU nexus, but none changes what a Tier 2/3 responder patches, hunts, blocks or detects in the next 7 days — they carry only generic, non-finding-derived lessons (money-mule onboarding signals, BPH-ASN blocking, STIR/SHAKEN vishing awareness). Consistent with the 2026-07-14T2009Z run, which dropped the same Russian Coms story. Better suited to the weekly strategic lens than an operational intel entry.
  • borderline-drop: D1R Synopsys/Bosch/ARM breach claim — an unconfirmed ransomware leak-site claim now actively debunked (Synopsys's own investigation found no evidence; the posted "proof" was traced to a public-domain document). Fails the fake-news guard, which requires victim disclosure or high-reliability corroboration for leak-site claims. Already dropped by the prior 2026-07-14T2009Z run on the same grounds; publishing a debunked non-incident adds no operational value.
  • Single-source / carve-out items: the CISA ICS batch (single-source-national-cert, A2) and the Proofpoint research item (multi-source by outlet count but credibility 2 — single-origin research re-reported by Help Net Security and The Hacker News). The xAI Grok item is multi-source (The Register + GBHackers, with xAI's own silent fix and Musk's deletion pledge corroborating the behavior), credibility 2.
  • Operational issue — jina reader proxy down all run (operator action needed). All three configured r.jina.ai reader API keys returned HTTP 402 (balance exhausted) throughout the run, reported independently by S2, S3 and S4. Every jina / url bridge call fell back to direct-fetch (mostly successful) or the anonymous tier (sometimes 401). Impact this run was limited — the CISA CSAF mirror and MSRC OData API are jina-independent, and direct fetches covered the rest — but any source whose only working transport is the jina reader (WAF/JS-only hosts such as group-ib and intel471, both coverage gaps this run) is currently unreachable until the reader credit is topped up. This is an operator-side billing issue, not a per-source failure: no source was demoted on this basis.
  • source_health.py deferred this cycle. With all jina-reader keys returning HTTP 402, a full source-health probe would misclassify every jina-only transport (WAF/JS-only hosts) as dead and churn false needs-bridge/needs-demote flags into state/source_health.json. Skipped deliberately to avoid polluting the health snapshot with artifacts of a transient operator-side outage; the previous snapshot carries forward. Re-run once the reader credit is restored. No source was demoted this run.
  • Watchlist: no product or supplier watchlist is configured for this deployment — the product and supplier sweeps are no-ops; the sector/region lens was applied throughout (it is what carried the CISA ICS batch on its energy/water nexus and the ABB Swiss-vendor angle).
  • Coverage gaps: group-ib, intel471 (WAF/JS-only listings reachable only via the jina reader, which was down — no in-window items recoverable); ncsc-uk, cisa-advisories general listing (JS-rendered search widgets — the ICS-advisories sub-path server-renders and was used instead); cert-pl, cert-fr avis feed (quiet / stale-cached through ~10–12 July); govcert-at (empty feed); sans-ics (listing without article bodies); cnil-fr, ico-uk, sec-disclosures-edgar, us-treasury-ofac, troyhunt, cyberinsider — fetched, no in-window nexus content.

← Operations dashboard · run-record contract: docs/pipeline.md