ctipilot.ch

2026-W24-bd5a7519

One pipeline fire, in full · weekly run of 2026-06-14 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-06-14/2026-W24-bd5a7519.md.

Run telemetry

2026-W24-bd5a7519 weekly prompt v2.60
22m 52s duration 28 published 0 updates
Claude Opus 4.8 (claude-opus-4-8) main agent
W1 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
3
Duration
8m 13s
Tool calls
8 WebFetch18 WebSearch5 bridge
Cited sources
8 of 15 in slice
W2 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
4
Duration
9m 42s
Tool calls
12 WebFetch15 WebSearch9 bridge
Cited sources
2 of 15 in slice

Verification

#1 NEEDS_FIXES · Claude Opus 4.8 · t=4 e=0 a=1 #2 NEEDS_FIXES · Claude Sonnet 4.6 · t=2 e=0 a=0

Deep dive

Entries published (this run)

Sources changed (this run)

Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.

No source-list edits recorded for this run.

Coverage gaps (this run)

Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)

Source (uncovered)URL triedMethod chainStatus / classWhat the agent did instead
databreaches-nethttps://databreaches.net/bridge:url403 transport-403
persistent Cloudflare 403; no specific in-window article identified
none — rotation-priority gap
sophos-xopshttps://news.sophos.com/en-us/feed/bridge:feedwebsearch503 transport-5xx
recurring 503; no in-window Sophos content found
none — no in-window content
inside-it-chhttps://www.inside-it.ch/webfetchbridge:urlwebsearch403 transport-403
Cloudflare managed challenge; bridge returned no body
none — NCSC-CH bridge covered Swiss items

Bridge invocations (this run)

2 bridge calls this run · these are successful bridge fetches (separate from "Coverage gaps" above).

2 ok
  • bridge:ncsc-csh.recent ×1
  • bridge:url ×1

Verification findings · all iterations

Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.

Iteration #2 cap-breach

Cap-breach iteration recorded no per-finding detail. The dashboard cannot show WHAT the verifier flagged. See .claude/agents/cti-verification.md § Findings summary for the contract.

Verification & coverage notes

The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.

Verification & coverage notesrun record body

2026-W24-bd5a7519 · weekly · Claude Opus 4.8 · 28 entries published

  • Items flagged [SINGLE-SOURCE] this week: CrowdStrike 2026 Technology Threat Landscape Report (§ 6; vendor telemetry, directionally valid, no independent corroboration); APT28 tradecraft evolution (§ 7; Sekoia TDR sole source — reported as the actor's TTPs, attributed to the reporting, not asserted as new incidents); Check Point IKEv1 CVE-2026-50751 (§ 1; vendor PSIRT advisory is the canonical primary for the vendor's own product); Splunk CVE-2026-20253 (§ 3; Splunk advisory); SAP NetWeaver CVE-2026-44748 (§ 3; Onapsis analysis of SAP's HotNews note); WinRAR CVE-2025-8088 (§ 3; Trend Micro research). The § 8 Germany CRA bill (Bundestag), ENISA SBOM report, and EDPB Article 33 template are single-source from the disclosing government/EU body itself (carve-out applies). The § 2 Chaotic Eclipse Patch-Tuesday round-up is sourced to news aggregators (BleepingComputer, SecurityWeek) because patch-day reporting is inherently aggregator-led — reduced confidence on exact CVE-to-codename mapping, though the patched/unpatched split is corroborated across both. National-CERT / national-authority single sources covered by the verification carve-out: Germany CRA implementation bill (§ 8; Deutscher Bundestag primary), ENISA SBOM Adoption State of Play (§ 8; ENISA primary), NCSC-CH G7 Évian advisory (§ 8/§ 9; NCSC-CH primary), MariaDB CVE-2026-49261 (§ 3; NCSC-CH Security Hub primary, corroborated by MariaDB documentation). VerdantBamboo (§ 7) is now multi-source (Volexity primary + The Hacker News corroboration) and Velvet Ant (§ 7) leads with a verified-live The Hacker News relay because the Sygnia "Operation Highland" page returns automated-UA blocks (Imunify360/Cloudflare) — the page is likely reachable from a human browser.
  • Items dropped from this week's roll-up: 2026-06-07 overlap-day items belonging to the W23 window (Chrome 149 / CVE-2026-10881, FFmpeg AI-found zero-days / CVE-2026-39210, polyfill[.]io reactivation, Stripe-API Magecart, WeTransfer steganographic loader) — covered in the W23 cycle, no new in-window development; FIFA World Cup 2026 / Ghost Stadium PhaaS (tournament kicked off 11 June, no new primary research and no confirmed infrastructure attack in-window); TA4922 and Gamaredon (no new in-window development beyond W23 coverage — W1); OceanLotus/APT32 FireAnt supply-chain, JDY botnet, The Gentlemen ransomware (fully resolved in dailies, no weekly-qualifying delta); single-day research items not meeting W-PD-1 (Teams external-chat phishing, AI-brand-impersonation malware delivery, cloud-logging defense-evasion, Entra Agent ID OBO abuse, Imperva/Varonis OpenClaw prompt-injection, Agentjacking, Google v. "Outsider" PhaaS) — these were operationally useful in the dailies but are not cross-day patterns or horizon shifts.
  • Contradictions: none unresolved this run.
  • Reduced-confidence items: Atomic Arch AUR compromised-package count (§ 2) — reporting ranges from 900 (PrivacyGuides) to ~1,500 (end-of-day 12 June); W1 assessed this MEDIUM confidence. The delivery-mechanism change (bun install js-digest) is the verified detail; the exact count is approximate.
  • Sub-agents: both W1 (long-horizon) and W2 (policy) returned within budget. W1 reported its findings.W1.yaml ended-timestamp consistent with its return; W2's findings.W2.yaml carries an internal ended-timestamp that disagrees with its return-line timestamp — the authoritative **Timestamps:** return line (started 23:10:31Z, ended 23:20:13Z) was used for the run log.
  • Verification: 2 iterations (iter 1 Claude Opus 4.8 → NEEDS_FIXES, truth=4 all remediated: Splunk RCE-overstatement, stale NIS2 corroborating link, Novo Nordisk data-category over-itemisation, Atomic Arch count/Shai-Hulud attribution; iter 2 Claude Sonnet 4.6 → NEEDS_FIXES, truth=2 both remediated: ENISA SBOM consumption-gap reframed as the brief's inference rather than the report's stated finding, Coupang root cause corrected to key theft by a former employee). Residuals: 2 — published via the low-defect early-exit path (iteration-2 truth+editorial ≤ 2 with no broken-URL/hallucination findings; both residual findings were nonetheless remediated before publish rather than carried).
  • Coverage gaps: databreaches-net (persistent HTTP 403, rotation-priority); sophos-xops (HTTP 503, persistent); inside-it-ch (Cloudflare 403, persistent); finma (no in-window guidance — quiet); ofcom-bakom (no in-window cyber publication — quiet); us-treasury-ofac (no in-window cyber sanctions action — quiet); cnil-fr (no in-window enforcement — quiet); ico-uk (no new in-window action — quiet).

Source: run state · Tags: verification-notes · Region: global

Migrated from briefs/weekly/2026-W24.md (v2).

← Operations dashboard · day page 2026-06-14 · run-record contract: docs/pipeline.md