ctipilot.ch

2026-W25-0aacfe65

One pipeline fire, in full · weekly run of 2026-06-22 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-06-22/2026-W25-0aacfe65.md.

Run telemetry

2026-W25-0aacfe65 weekly prompt v2.64
56m 49s duration 42 published 0 updates
Claude Opus 4.8 (claude-opus-4-8) main agent
W1 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
11
Duration
10m 53s
Tool calls
13 WebFetch12 WebSearch5 bridge
Cited sources
11 of 19 in slice
W2 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
8
Duration
10m 48s
Tool calls
9 WebFetch14 WebSearch10 bridge
Cited sources
6 of 11 in slice

Verification

#1 NEEDS_FIXES · Claude Opus 4.8 (1M context) · t=5 e=1 a=1 #2 NEEDS_FIXES · Claude Sonnet 4.6 · t=5 e=1 a=2 #3 NEEDS_FIXES · Anthropic Claude Opus 4.8 (1M context) · t=3 e=1 a=1 #4 CLEAN · Claude Sonnet 4.6 · t=0 e=0 a=0

Deep dive

Entries published (this run)

Sources changed (this run)

Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.

1 added.

SourceChangeFrom → ToReason
cyberattaque-orgadded— → candidatein-window primary for NoName057(16) G7/Haute-Savoie DDoS; France-nexus EU public-sector hacktivist tracker

Coverage gaps (this run)

Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)

Source (uncovered)URL triedMethod chainStatus / classWhat the agent did instead
databreaches-nethttps://databreaches.net/bridge:url403 transport-403
persistent Cloudflare 403; no in-window article retrieved
none — rotation-priority gap

Bridge invocations (this run)

2 bridge calls this run · these are successful bridge fetches (separate from "Coverage gaps" above).

2 ok
  • bridge:ncsc-csh ×1
  • bridge:cisa-kev ×1

Verification findings · all iterations

Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.

Iteration #1 NEEDS_FIXES · 7 findings (truth=5, editorial=1, advisory=1) · Claude Opus 4.8 · 6m 57s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F3
claim-not-supported
annual-periodic-reportsDORA Year 1 ICT-incident report (§7)
one-third figure
one-third is cross-border impact, not third-party-drivenreworded to cross-border impact; dropped §5 third-party echo fixed-clean
F4
hallucinated-fact
annual-periodic-reportsCheck Point Q1 2026 (§7)
EU ~20.7% of global victims
20.7% is healthcare-sector Genesis targeting, not EU-wideremoved the 20.7% EU figure fixed-clean
F5
missing-citation
research-threat-actorINC ransomware Germany #2 (§6)
Germany #2 globally
true per Emsisoft but Emsisoft not cited on §6 itemdropped the Germany #2 figure from §6 (retained in §7 where Emsisoft is cited) fixed-clean
F4
hallucinated-fact
research-threat-actorINC NHS victims (§6)
NHS Dumfries & Galloway / Alder Hey
named victims not in cited fetchable sourcesdropped specific victim names; reworded to sourced non-US/sector framing fixed-clean
F4
hallucinated-fact
long-running-campaignsSocGholish 1.4M sites (§8)
1.4M compromised WordPress sites
cited Proofpoint has over 100 servers / 14,971 sites, not 1.4Mreworded to over 100 servers and 14,971 sites remediated fixed-clean
F14
quantifier-without-source
multi-day-campaignsCouncil of Europe 'first' (§0,§2)
first European-institution victim
'first' not in cited sourcessoftened to 'only named to date per W1 assessment' / 'a European institution' fixed-clean
F11
editorial-advisory
multi-day-campaignsGTIG citation date (§2)
2026-06-17 vs fetched 11 June
date discrepancy; substance verifiesdropped explicit date from inline mention and footer fixed-clean

Iteration #2 NEEDS_FIXES · 8 findings (truth=5, editorial=1, advisory=2) · Claude Sonnet 4.6 · 5m 59s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F3
claim-not-supported
long-running-campaignsSocGholish clusters (§8)
five clusters
Proofpoint names seven clusters (adds GeoTDS, tdsshop)updated to seven clusters with full list fixed-clean
F3
claim-not-supported
policyEDPB template structure (§9)
120-field / 7 sections / 27 forms
structural specifics not in cited EDPB releaseremoved field/section/27-form specifics; kept sourced general framing fixed-clean
F3
claim-not-supported
policyNCSC-CH e-vignette (§9)
e-vignette email campaign
not in cited Wochenrückblick (QR letterbox only)removed e-vignette claim; paragraph reworded fixed-clean
F4
hallucinated-fact
research-threat-actorMastra 88 minutes (§6)
88 minutes
Microsoft states ~20-minute windowchanged to ~20-minute window fixed-clean
F4
hallucinated-fact
multi-day-campaignsKlue Sprout Social (§2)
Sprout Social
not in Klue/Huntress primariesremoved Sprout Social from victim list fixed-clean
F10
missed-angle
vuln-rollupRockwell ENISA companion (§3)
ENISA ICS guidance
did not check for ENISA companion EU-operator guidancenot pursued — minor missed angle, CISA+NCSC-CH coverage sufficient deferred
F11
editorial-advisory
multi-day-campaignsESET date (§2)
2026-06-19 vs 18 Jun
ESET article dated 18 Junecorrected to 2026-06-18 fixed-clean
F11
editorial-advisory
policyNCSC-CH paragraph coherence (§9)
post e-vignette removal
ensure paragraph reads coherentlyreworded paragraph to QR-only fixed-clean

Iteration #3 NEEDS_FIXES · 5 findings (truth=3, editorial=1, advisory=1) · Claude Opus 4.8 · 4m 24s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F3
claim-not-supported
research-threat-actorINC non-US/education (§6)
non-US targets; education
THN says 65%+ US victims, no education listedreframed around globally-relevant BYOVD tradecraft; stated majority-US victims; dropped education fixed-clean
F4
hallucinated-fact
policyNIS2/CER referral (§9)
29 April CER referral, seven states, 1 July agenda
cited sources don't support the CER-referral/seven-state/1-July specifics; Viktoria contradicts the agenda linestripped to defensible claims (transposition incomplete; France/Spain laggards; France not yet enacted; obligations not enforceable) fixed-degraded
F14
quantifier-without-source
research-threat-actorMastra 'around 13 June' (§6)
around 13 June
Microsoft dates publication 16-17 June; conflicts with first-covered 06-18changed to 'in the days before the 17 June disclosure' fixed-clean
F9
internal-inconsistency
long-running-campaignsSocGholish cluster count (§8/§6)
five vs seven
heading said five, body said sevenset heading to seven; dropped the number in §6 fixed-clean
F11
editorial-advisory
multi-day-campaignsStorm-2697 alias (§2)
Storm-2697
alias not in cited ESET/Record sourcesdropped the parenthetical alias from the §2 heading fixed-clean

Verification & coverage notes

The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.

Verification & coverage notesrun record body

2026-W25-0aacfe65 · weekly · Claude Opus 4.8 · 42 entries published

  • Items flagged [SINGLE-SOURCE] this week: HCRG Care Group breach (§ 4; single HIPAA-focused outlet, no independent corroboration in-window); Amazon One Medical ShinyHunters 8.8 TB claim (§ 2; victim confirmed a legacy-storage breach but the data-volume figure is attacker-asserted and unverified). National-authority single sources covered by the verification carve-out: EDPB Article 33 template (§ 9; EDPB primary), CRA SRP reporting (EC Digital Strategy / ENISA primaries), NCSC-CH Week 24 Wochenrückblick (NCSC-CH primary), G7 CWG declaration (ANSSI host primary). Check Point State of Ransomware Q1 2026 (§ 7) is vendor telemetry, corroborated by Emsisoft. Tolerated single/aggregator-source items (check_brief.py WARNs, accepted): the § 8 SocGholish status-update rests on a single Proofpoint research-lab primary (acceptable — Proofpoint is the disclosing analyst); the § 3 FortiSandbox status-update is corroborated only by two aggregators (Security Affairs, Help Net Security) reflecting the still-unconfirmed-by-Fortinet exploitation report (reduced confidence on the exploitation claim accordingly).
  • Contradiction (resolved in favour of the primary): the 06-17 daily framed PAN-OS CVE-2026-0257 as an "exploitation wave with Impacket post-compromise," but the cited Unit 42 primary states "No post-access behavior or lateral movement has been identified as of this time." The weekly uses Unit 42's wording in § 3 — active exploitation confirmed, downstream lateral movement not yet observed by the primary. The Impacket detail may originate from a secondary (Rapid7/Arctic Wolf) report not re-verified this run.
  • Items dropped from this week's roll-up: VerdantBamboo / UNC5221 BRICKSTORM (Volexity 2026-06-04, out of the 8-day window and already consolidated in the W24 weekly — no fresh in-window delta); Velvet Ant "Operation Highland" (Sygnia 2026-06-11; already consolidated in the W24 weekly § long-running, no fresh delta this week beyond what W24 carried); Prinz Eugen ransomware (06-19 daily deep-dive; new Go family with a French public-sector victim but a single-day item with no cross-day weekly delta — may resurface if it acquires more EU victims); single-day daily items not meeting W-PD-1 (Rokarolla Android banker, the crypto clipboard-hijacker VirusTotal-reputation abuse, the Microsoft USB-LNK Tor worm, UpdraftPlus/phpBB/Zammad patch-only items beyond the § 3 roundup line).
  • Reduced-confidence items: the NoName057(16) G7/Haute-Savoie DDoS attribution (§ 9) rests on the group's Telegram self-claim with no independent technical corroboration in-window (W2 assessed MEDIUM); the Kodak and One Medical breach-volume figures are attacker-asserted.
  • Sub-agents: both W1 (threat-actor/research/report horizon) and W2 (policy horizon) returned within budget; both ran on Claude Sonnet 4.6. Timestamp anomaly: W1's return-line and findings.W1.yaml report ended_at=2026-06-21T23:52:00Z / duration_seconds=2694, which disagrees with W1's on-disk .ended_at checkpoint (23:17:59Z) and the wall-clock observed by the main agent (both W-checkpoints present by ~23:18Z). The checkpoint/observed time was used for the run log; the self-reported 45-minute duration is implausible against the observed ~11-minute run.
  • Verification: 4 iterations, model-rotated (iter 1 Claude Opus 4.8 → NEEDS_FIXES truth=5; iter 2 Claude Sonnet 4.6 → NEEDS_FIXES truth=5, all 7 iter-1 remediations confirmed; iter 3 Claude Opus 4.8 → NEEDS_FIXES truth=3; iter 4 Claude Sonnet 4.6 → CLEAN). All findings were truth-class accuracy corrections — sub-agent-asserted specifics that did not trace to the cited primaries on independent re-fetch — and every one was remediated before publish: DORA "one-third" reframed from third-party to cross-border impact; Check Point EU-% figure removed (it was healthcare-sector, not EU-wide); INC ransomware victim geography corrected (majority-US, not non-US) and unverifiable NHS victim names dropped; SocGholish figures aligned to Proofpoint (over 100 servers / 14,971 sites / seven residual clusters); EDPB template structural specifics and the NCSC-CH e-vignette claim removed as unsourced; Mastra publish-window and Klue victim-list corrected; the NIS2/CER item stripped to source-supportable claims. Residual count: 0 (clean publish at iteration 4).
  • Coverage gaps: databreaches-net (persistent HTTP 403, rotation-priority); inside-it-ch (Cloudflare 403, persistent); finma-ch (no in-window guidance — quiet); ofcom-bakom (no in-window publication — quiet); ncsc-ch-week-25 (Week 25 Wochenrückblick not yet published, HTTP 404 as of run end); acronis-tru (HTTP 403, content recovered via The Hacker News); bleepingcomputer (HTTP 403 on two articles, recovered via secondary sourcing).

Source: run state · Tags: verification-notes · Region: global

Migrated from briefs/weekly/2026-W25.md (v2).

← Operations dashboard · day page 2026-06-22 · run-record contract: docs/pipeline.md