2026-07-15T0409Z-intel
One pipeline fire, in full · intel run of 2026-07-15 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-07-15/2026-07-15T0409Z-intel.md.
Run telemetry
- Items returned
- 3
- Duration
- 11m 49s
- Tool calls
- not reported
- Cited sources
- 5 of 23 in slice
- Items returned
- 1
- Duration
- 13m 58s
- Tool calls
- not reported
- Cited sources
- 1 of 24 in slice
- Items returned
- 2
- Duration
- 10m 17s
- Tool calls
- not reported
- Cited sources
- 4 of 12 in slice
- Items returned
- 6
- Duration
- 16m 09s
- Tool calls
- not reported
- Cited sources
- 4 of 9 in slice
Verification
Deep dive
—
Entries published (this run)
- CISA ICS batch (14 Jul): Rockwell 1715-AENTR unauthenticated debug-port takeover (CVE-2026-10577, CVSS 10.0, fixed in firmware 3.011) and a Swiss-vendor ABB T-MAC Plus auth chain (CVSS 9.9) vulnerability notable
- July Patch Tuesday follow-through: a SharePoint pre-auth JWT bypass from a Pwn2Own chain (CVE-2026-55040) and a pre-auth Dynamics 365 RCE Microsoft expects to be exploited (CVE-2026-55944) vulnerability high update
- Proofpoint: OAuth client ID spoofing validates stolen Entra ID credentials at scale without writing a successful sign-in log research notable
Sources changed (this run)
Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.
No source-list edits recorded for this run.
Coverage gaps (this run)
Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)
No coverage gaps in this run · every source the brief needed returned usable content via its documented recipe.
Verification findings · all iterations
Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.
Iteration #1 NEEDS_FIXES · 3 findings (truth=2, editorial=0, advisory=1) · Claude Opus 4.8 · —
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F4 hallucinated-fact | — | ABB T-MAC Plus 'affected' listed as 4.0-24 and 4.0-25; the CSAF product_status names 4.0-24 as known_affected and 4.0-25 as the fixed release. The 4.0-25 = affected claim is unsupported. | Corrected all four T-MAC CVE records to affected 4.0-24 / fixed 4.0-25, and the summary/body/action line accordingly, confirmed against the CSAF product_status | |
| F3 claim-not-supported | — | The 'whole home directories / SSH keys / password-manager database' replication claim was cited to GBHackers, but only The Register (also cited) supports it. | Re-pointed that claim's citation to The Register; added GBHackers as a corroborating inline cite on the core exfiltration finding it does support, preserving th | |
| F11 editorial-advisory | — | sourcing_note asserted 'no v4.0 vector was published' for the Rockwell CVE, contradicted by the advisory page (which carries a v4.0 base 10.0). Low materiality — both scores are 10.0. | Removed the v4.0 claim; sourcing_note now states the base score 10.0 without asserting which CVSS versions the advisory publishes. |
Iteration #2 NEEDS_FIXES · 2 findings (truth=1, editorial=1, advisory=0) · Claude Sonnet 5 · —
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F4 hallucinated-fact | — | The 'no fixed firmware' claim for the headline Rockwell CVE-2026-10577 (title, headline, summary, body, cves[0].status/fixed, action item) is false — the CSAF remediations array and Rockwell PSIRT SD1 | Corrected to fixed 3.011 throughout — title, headline, summary, body, cves[0].status=[patch-available]/fixed=3.011, tags (no-patch→patch-available), Defender ta | |
| F5 missing-citation | — | The 'all cloud apps Conditional Access still applies to ROPC regardless of client_id' claim (summary + action item) is not stated by any of the three cited sources — Proofpoint supports only that per- | Removed the uncited 'all cloud apps still applies' clause from the summary and the action item; kept the source-supported point that application-scoped Conditio |
Iteration #3 NEEDS_FIXES · 1 finding (truth=1, editorial=0, advisory=0) · Claude Opus 4.8 · —
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F4 hallucinated-fact | — | The entry claimed a public PoC for CVE-2026-55040 (title, summary, cves[0].status: [poc-public], tags), but the cited Rapid7 primary withholds it — Microsoft requested a 30-day stay on technical-detai | Removed poc-public from status and tags; reframed the title/summary as a Pwn2Own-demonstrated chain whose PoC and technical details are under a 30-day disclosur |
Iteration #4 NEEDS_FIXES · 2 findings (truth=2, editorial=0, advisory=0) · Claude Sonnet 5 · —
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F4 hallucinated-fact | — | CVE-2026-58644 fixed field said 'July 2026 cumulative update', but MSRC's revision history states the patch shipped with the June 2026 cumulative update and the CVE was inadvertently omitted from June | Corrected the 58644 fixed field to the June 2026 cumulative update with the provenance note; split the body sentence so 50522 (July) and 58644 (June patch, July | |
| F4 hallucinated-fact | — | techniques[] carried T1078 (Valid Accounts), which does not match the CVE-2026-55040 mechanism (a JWT-forgery authentication bypass where no valid credential is ever used); T1606 (Forge Web Credential | Replaced T1078 with T1606 in techniques[]; T1190 retained for the deserialization-RCE exploitation vector. Both confirmed active in attack/enterprise-attack.jso |
Verification & coverage notes
The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.
Verification & coverage notesrun record body
2026-07-15T0409Z-intel · Claude Opus 4.8 · window 24 h · 4 entries published
Verification & coverage notes
Intraday fire; previous run 2026-07-14T2009Z-intel (~8 h gap, publish_status: ok). Window held at the 24 h floor. Four entries cleared the gate: three new (one OT/ICS vulnerability batch, one identity-tradecraft research item, one AI-dev-tool data-exposure incident) and one update to the 14 July Microsoft Patch Tuesday entry. None rated critical, no deep dive.
- Verification loop — 5 iterations, ending on a single CLEAN at the cap (fail-open). This was a data-heavy run (two multi-CVE vulnerability entries built from CISA CSAF and MSRC OData), and the cold-reader loop earned its keep: iterations 1–4 each surfaced genuine, converging truth defects, all remediated, and iteration 5 (Opus) returned CLEAN on a full cold read. Because iteration 4 was NEEDS_FIXES, the confirming double-CLEAN would have needed a sixth iteration beyond the 5-cap, so the run publishes on the single CLEAN as a documented fail-open (
verification.confirmation_waived). The defect pattern is instructive for future runs: three of the seven findings were CSAF/MSRC-transcription misses on the two vulnerability entries — the ABB T-MAC affected-vs-fixed version status (iter1), the Rockwell CVE-2026-10577 fixed firmware 3.011 that I had wrongly called "no fix" (iter2), and CVE-2026-58644's fix having shipped in the June (not July) cumulative update (iter4) — each caught because the verifier read the CSAFproduct_status/remediationsarrays and the MSRC revision history rather than only the product names and summary notes. Lesson recorded to memory: when composing an ICS/CSAF or MSRC vulnerability entry, extract affected/fixed status from the structuredproduct_status/remediations/revision fields, not from the human-readable summary.
- No critical, no deep dive. The strongest severity candidate — Rockwell CVE-2026-10577 (CVSS 10.0, unauthenticated) — has no known in-the-wild exploitation, no public PoC, and targets an OT device that should already sit behind network segmentation, so it ships at
notable, notcritical. No candidate offered published exploitation mechanics to justify the long-form deep-dive treatment; depth was not manufactured.
- CISA ICS batch consolidation. S1 and S2 independently surfaced the same 14 July CISA ICS advisory batch (four advisories); published as a single consolidated
vulnerabilityentry. Facts (CVE ids, CVSS v3.1 scores, CWE classes, affected-version ranges) were transcribed from the machine-readable CSAF JSON for each advisory, not from the web pages.verification: single-source-national-cert— each item traces to one CISA advisory (a government-authority disclosure republishing the vendor PSIRT); no independent second source. The Edgenius "Copy Fail" CVE (CVE-2026-31431) in that batch was already covered in May 2026 as the generic kernel flaw, so it was kept out of the entry'scves[]and framed in the body as a previously-disclosed flaw now named against a specific Swiss-vendor product; the genuinely-new content is CVE-2026-10577 (Rockwell) and the ABB T-MAC Plus chain (CVE-2025-14771–14774).
- Microsoft Patch Tuesday follow-through (update). The 14 July Patch Tuesday entry covered the two KEV-listed exploited zero-days; S1 surfaced four further high-severity July CVEs with pre-auth risk. Published as one
update_ofdelta: the SharePoint Pwn2Own JWT auth-bypass CVE-2026-55040 (public Rapid7 PoC, chained RCE half unpatched until August), the pre-auth Dynamics 365 deserialization RCE CVE-2026-55944 (Microsoft "Exploitation More Likely"), and two Site-Owner SharePoint deserialization RCEs (CVE-2026-50522/58644). CVSS/exploitability transcribed per-CVE from the MSRC OData API. Noted discrepancy: CVE-2026-50522/58644 carry a base CVSS vector of PR:N but Microsoft's FAQ describes Site-Owner-authenticated exploitation — recorded as post-auth on the FAQ basis, flagged in the entry's sourcing note.
- Recency exception (documented): Proofpoint OAuth client ID spoofing. The Proofpoint disclosure is dated 2026-07-13 — just outside this run's 24 h window but inside the 72 h developing window. It was not covered by any prior run (checked against the 14-day prior-coverage index) and is a significant, actionable Entra ID detection-evasion technique (credential-validity oracle via ROPC + spoofed client_id; blank application-name log evasion; the load-bearing fix is blocking the ROPC grant type). Carried as first coverage of developing signal rather than dropped, on the completeness principle that a relevant, previously-unpublished item is a reader blind spot;
event_daterecords the 2026-07-13 disclosure date.
- borderline-drop: ESET UEFI shim bypass (CVE-2026-8863/10797) — S3 surfaced ESET's WeLiveSecurity write-up, but these exact CVEs and the same ESET research are already covered by entries/2026-07-14/eset-forgotten-uefi-shims-secure-boot-bypass.md with no material new delta. Dropped as a duplicate (a non-update entry sharing those CVE ids would fail the dedup gate).
- borderline-drop: four law-enforcement / legal-milestone items (S4). The Vastaamo hacker's finalised sentence + wanted notice (Finland), the DOJ Media Land / ML.Cloud bulletproof-hosting indictment (already OFAC-sanctioned Nov 2025), the Spanish Policía Nacional €140M BEC/fraud-network takedown, and the UK NCA charges over the Russian Coms caller-ID-spoofing platform (already taken down 2024). All are genuine news with EU nexus, but none changes what a Tier 2/3 responder patches, hunts, blocks or detects in the next 7 days — they carry only generic, non-finding-derived lessons (money-mule onboarding signals, BPH-ASN blocking, STIR/SHAKEN vishing awareness). Consistent with the 2026-07-14T2009Z run, which dropped the same Russian Coms story. Better suited to the weekly strategic lens than an operational intel entry.
- borderline-drop: D1R Synopsys/Bosch/ARM breach claim — an unconfirmed ransomware leak-site claim now actively debunked (Synopsys's own investigation found no evidence; the posted "proof" was traced to a public-domain document). Fails the fake-news guard, which requires victim disclosure or high-reliability corroboration for leak-site claims. Already dropped by the prior 2026-07-14T2009Z run on the same grounds; publishing a debunked non-incident adds no operational value.
- Single-source / carve-out items: the CISA ICS batch (
single-source-national-cert, A2) and the Proofpoint research item (multi-sourceby outlet count but credibility 2 — single-origin research re-reported by Help Net Security and The Hacker News). The xAI Grok item ismulti-source(The Register + GBHackers, with xAI's own silent fix and Musk's deletion pledge corroborating the behavior), credibility 2.
- Operational issue — jina reader proxy down all run (operator action needed). All three configured r.jina.ai reader API keys returned HTTP 402 (balance exhausted) throughout the run, reported independently by S2, S3 and S4. Every
jina/urlbridge call fell back to direct-fetch (mostly successful) or the anonymous tier (sometimes 401). Impact this run was limited — the CISA CSAF mirror and MSRC OData API are jina-independent, and direct fetches covered the rest — but any source whose only working transport is the jina reader (WAF/JS-only hosts such as group-ib and intel471, both coverage gaps this run) is currently unreachable until the reader credit is topped up. This is an operator-side billing issue, not a per-source failure: no source was demoted on this basis.
- source_health.py deferred this cycle. With all jina-reader keys returning HTTP 402, a full source-health probe would misclassify every jina-only transport (WAF/JS-only hosts) as dead and churn false
needs-bridge/needs-demoteflags intostate/source_health.json. Skipped deliberately to avoid polluting the health snapshot with artifacts of a transient operator-side outage; the previous snapshot carries forward. Re-run once the reader credit is restored. No source was demoted this run.
- Watchlist: no product or supplier watchlist is configured for this deployment — the product and supplier sweeps are no-ops; the sector/region lens was applied throughout (it is what carried the CISA ICS batch on its energy/water nexus and the ABB Swiss-vendor angle).
- Coverage gaps: group-ib, intel471 (WAF/JS-only listings reachable only via the jina reader, which was down — no in-window items recoverable); ncsc-uk, cisa-advisories general listing (JS-rendered search widgets — the ICS-advisories sub-path server-renders and was used instead); cert-pl, cert-fr avis feed (quiet / stale-cached through ~10–12 July); govcert-at (empty feed); sans-ics (listing without article bodies); cnil-fr, ico-uk, sec-disclosures-edgar, us-treasury-ofac, troyhunt, cyberinsider — fetched, no in-window nexus content.
← Operations dashboard · run-record contract: docs/pipeline.md