@blamejs/exceptd-skills 0.12.13 → 0.12.15
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +150 -0
- package/bin/exceptd.js +147 -9
- package/data/_indexes/_meta.json +45 -45
- package/data/_indexes/activity-feed.json +4 -4
- package/data/_indexes/catalog-summaries.json +29 -29
- package/data/_indexes/chains.json +3238 -3210
- package/data/_indexes/frequency.json +3 -0
- package/data/_indexes/jurisdiction-map.json +5 -3
- package/data/_indexes/section-offsets.json +712 -685
- package/data/_indexes/theater-fingerprints.json +1 -1
- package/data/_indexes/token-budget.json +355 -340
- package/data/atlas-ttps.json +144 -129
- package/data/attack-techniques.json +319 -76
- package/data/cve-catalog.json +515 -475
- package/data/cwe-catalog.json +1081 -759
- package/data/exploit-availability.json +63 -15
- package/data/framework-control-gaps.json +867 -843
- package/data/rfc-references.json +276 -276
- package/keys/EXPECTED_FINGERPRINT +1 -0
- package/lib/auto-discovery.js +21 -4
- package/lib/cross-ref-api.js +39 -6
- package/lib/cve-curation.js +18 -5
- package/lib/lint-skills.js +6 -1
- package/lib/playbook-runner.js +742 -78
- package/lib/refresh-external.js +40 -22
- package/lib/refresh-network.js +193 -17
- package/lib/scoring.js +20 -7
- package/lib/source-ghsa.js +219 -37
- package/lib/source-osv.js +381 -122
- package/lib/validate-catalog-meta.js +64 -9
- package/lib/validate-cve-catalog.js +56 -18
- package/lib/validate-indexes.js +88 -37
- package/lib/verify.js +72 -0
- package/manifest-snapshot.json +1 -1
- package/manifest-snapshot.sha256 +1 -0
- package/manifest.json +73 -73
- package/orchestrator/dispatcher.js +21 -1
- package/orchestrator/event-bus.js +52 -8
- package/orchestrator/index.js +279 -20
- package/orchestrator/pipeline.js +63 -2
- package/orchestrator/scanner.js +32 -10
- package/orchestrator/scheduler.js +150 -17
- package/package.json +3 -1
- package/sbom.cdx.json +7 -7
- package/scripts/check-manifest-snapshot.js +32 -0
- package/scripts/check-sbom-currency.js +65 -3
- package/scripts/check-test-coverage.js +142 -19
- package/scripts/predeploy.js +83 -39
- package/scripts/refresh-manifest-snapshot.js +55 -4
- package/scripts/validate-vendor-online.js +169 -0
- package/scripts/verify-shipped-tarball.js +106 -3
- package/skills/ai-attack-surface/skill.md +18 -10
- package/skills/ai-c2-detection/skill.md +7 -2
- package/skills/ai-risk-management/skill.md +5 -4
- package/skills/api-security/skill.md +3 -3
- package/skills/attack-surface-pentest/skill.md +5 -5
- package/skills/cloud-security/skill.md +1 -1
- package/skills/compliance-theater/skill.md +8 -8
- package/skills/container-runtime-security/skill.md +1 -1
- package/skills/dlp-gap-analysis/skill.md +5 -1
- package/skills/email-security-anti-phishing/skill.md +1 -1
- package/skills/exploit-scoring/skill.md +18 -18
- package/skills/framework-gap-analysis/skill.md +6 -6
- package/skills/global-grc/skill.md +3 -2
- package/skills/identity-assurance/skill.md +2 -2
- package/skills/incident-response-playbook/skill.md +4 -4
- package/skills/kernel-lpe-triage/skill.md +21 -2
- package/skills/mcp-agent-trust/skill.md +17 -10
- package/skills/mlops-security/skill.md +2 -1
- package/skills/ot-ics-security/skill.md +1 -1
- package/skills/policy-exception-gen/skill.md +3 -3
- package/skills/pqc-first/skill.md +1 -1
- package/skills/rag-pipeline-security/skill.md +7 -3
- package/skills/researcher/skill.md +20 -3
- package/skills/sector-energy/skill.md +1 -1
- package/skills/sector-federal-government/skill.md +1 -1
- package/skills/sector-financial/skill.md +3 -3
- package/skills/sector-healthcare/skill.md +2 -2
- package/skills/security-maturity-tiers/skill.md +7 -7
- package/skills/skill-update-loop/skill.md +19 -3
- package/skills/supply-chain-integrity/skill.md +1 -1
- package/skills/threat-model-currency/skill.md +11 -11
- package/skills/threat-modeling-methodology/skill.md +3 -3
- package/skills/webapp-security/skill.md +1 -1
- package/skills/zeroday-gap-learn/skill.md +51 -7
- package/vendor/blamejs/_PROVENANCE.json +4 -1
- package/vendor/blamejs/worker-pool.js +38 -0
|
@@ -324,7 +324,8 @@ level: medium
|
|
|
324
324
|
| ID | Source | Technique | C2 Relevance | Gap Flag — Which Detection Control Fails |
|
|
325
325
|
|---|---|---|---|---|
|
|
326
326
|
| AML.T0096 | ATLAS v5.1.0 | LLM API as covert C2 / LLM Integration Abuse | Direct: SesameOp encodes commands and exfiltrated data in prompt and completion fields against api.openai.com, api.anthropic.com, generativelanguage.googleapis.com. AI provider domain is the relay, not the attacker C2 endpoint. | NIST-800-53-SC-7 (Boundary Protection) — AI provider domains are allowlisted in most enterprise egress for legitimate developer and product use, so boundary inspection cannot distinguish benign developer prompts from C2-encoded prompts. See SC-7 entry in `data/framework-control-gaps.json` — real requirement is SDK-level prompt logging with identity binding, anomaly detection on prompt-shape and token-volume, and an allowlist that enumerates the sanctioned business reason per identity. Boundary-only SC-7 evidence is incomplete for any org with AI API access in production. |
|
|
327
|
-
| AML.T0017 | ATLAS v5.1.0 |
|
|
327
|
+
| AML.T0017 | ATLAS v5.1.0 | Discover ML Model Ontology — adversary maps the deployed LLM's family, system-prompt structure, guardrail surface via inference-API probing | PROMPTFLUX queries public LLMs to generate per-execution evasion code; PROMPTSTEAL uses LLMs to prioritise exfiltration targets — both depend on first discovering what the target model will answer. The inference API is the discovery surface. | NIST-800-53-SI-3 fails — there is no static signature for code generated per-event by a public LLM. NIST-800-53-SI-4 fails as commonly deployed — no AI-API behavioural baseline per process/identity. |
|
|
328
|
+
| AML.T0016 | ATLAS v5.1.0 | Obtain Capabilities: Develop Capabilities — adversary use of inference APIs to generate / refine malware, evasion, phishing payloads | PROMPTFLUX and PROMPTSTEAL both consume public LLMs as a real-time capability-development service. The inference API is doing weaponization work for the adversary. | NIST-800-53-SI-3 fails for the same reason. SC-7 boundary control treats the AI provider as allowlisted SaaS. |
|
|
328
329
|
| T1071 | ATT&CK | Application Layer Protocol (C2) | AI C2 traffic is standard HTTPS REST to api.openai.com or equivalent. Application-protocol C2 detection that looks for DGA, unusual TLS, or beaconing does not fire. | SC-7 boundary control sees only the destination domain (allowlisted) — no protocol anomaly to alert on. Detection requires identity-bound prompt content inspection, which SC-7 as written does not require. |
|
|
329
330
|
| T1102 | ATT&CK | Web Service (C2 via legitimate web service) | AI API endpoints are exactly the "legitimate web service used as C2" pattern that T1102 describes — but at scale and pre-allowlisted in nearly every enterprise. | SOC 2 CC7 anomaly-detection control: AI API traffic shares the SaaS blind spot — typically not baselined per process or identity. ISO 27001 A.8.16 monitoring activities: no guidance for AI-API-shaped traffic. |
|
|
330
331
|
| T1568 | ATT&CK | Dynamic Resolution | AI provider responses can carry encoded instructions that dynamically determine the next-hop behaviour for the malware (effectively model-mediated dynamic resolution of the next attacker instruction). | No standard DNS-tunnelling or DGA detection applies — the "resolution" happens inside an HTTPS payload to a trusted endpoint. SC-7 cannot see it without SDK-level prompt + response logging. |
|
|
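Review bot: the new AML.T0017 row labels that ID "Discover ML Model Ontology", but this same release still cites AML.T0017 for AI-assisted exploit development in the ai-risk-management hunk ("AML.T0016 + AML.T0017"), and the AML.T0016 row fuses two technique names into one cell, "Obtain Capabilities: Develop Capabilities". In the ATLAS releases I can check, Obtain Capabilities and Develop Capabilities are separate Resource Development techniques and Discover ML Model Ontology carries its own ID under Discovery; please resolve the IDs against the pinned v5.1.0 in `data/atlas-ttps.json` (touched in this release) and use one name per row. Separately, the Gap Flag cell of the T0017 row justifies the SI-3/SI-4 failure with PROMPTFLUX generating evasion code, which is the capability-development story of the next row; the discovery row's gap should be about unlogged, unbaselined inference-API probing, which is what its Technique column already describes.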
@@ -342,7 +343,11 @@ The threats in this skill are adversary TTPs and malware families rather than ve
|
|
|
342
343
|
| PROMPTSTEAL | No — adversary malware family | Yes — public reporting on LLM-assisted exfiltration prioritisation and lateral-movement guidance | No | Yes — LLM is acting as the adversary's live intelligence analyst | Minimal — requires correlation of AI API calls with credential-access and file-access events. Possible to build in a SIEM; not a default rule pack. | None enterprise-subscribable. |
|
|
343
344
|
| AI C2 — generic (T1071 / T1102 / T1568 over AI APIs) | No | Yes — research and red-team demonstrations across all major AI providers | No | Yes | Minimal — boundary controls treat AI provider domains as allowlisted SaaS; content-layer inspection requires TLS interception plus SDK-level prompt logging, which most orgs do not run. | Partial / inconsistent across providers. |
|
|
344
345
|
|
|
345
|
-
**Interpretation:** there is no patch to apply because there is no vendor CVE. Mitigation is detection-architectural: SDK-level prompt logging with identity binding, AI-API behavioural baselining per process, correlation with credential/file/scan events, and an explicit allowlist that enumerates the sanctioned business reason per identity (per the SC-7 real_requirement in `data/framework-control-gaps.json`).
|
|
346
|
+
**Interpretation:** there is no patch to apply because there is no vendor CVE for the SesameOp / PROMPTFLUX / PROMPTSTEAL class. Mitigation is detection-architectural: SDK-level prompt logging with identity binding, AI-API behavioural baselining per process, correlation with credential/file/scan events, and an explicit allowlist that enumerates the sanctioned business reason per identity (per the SC-7 real_requirement in `data/framework-control-gaps.json`).
|
|
347
|
+
|
|
348
|
+
### LLM-Gateway Credential Theft as an AI-C2 Adjacent Class
|
|
349
|
+
|
|
350
|
+
**CVE-2026-42208** — BerriAI LiteLLM Proxy Authorization-header SQL injection (CVSS 9.8 / CVSS v4 9.3 / CISA KEV-listed 2026-05-08, federal due 2026-05-29; in-wild exploitation evidence). LiteLLM is the open-source LLM-API gateway used in front of agent stacks, MCP-server fronts, and multi-model proxy deployments — exactly the egress hinge this skill's detection architecture treats as the credential boundary for hosted-model use. The proxy concatenated an attacker-controlled `Authorization` header value into a SQL query in the error-logging path, so a curl-able POST against `/chat/completions` with a SQL-injection payload returns the managed-credentials DB content without prior auth. Patched in 1.83.7+; temporary workaround `general_settings: disable_error_logs: true`. Detection-relevance for this skill: an AI-API egress baseline that records only outbound destinations misses the *inbound* SQL injection on the proxy itself; pair `D3-IOPR` (SDK-level prompt logging) with `D3-CSPP` payload profiling on the gateway's inbound request stream. Any organisation whose AI-API egress visibility treats the LLM gateway as "just a reverse proxy" will discover post-breach that the gateway held every downstream model-provider credential and was the actual covert exfiltration channel.
|
|
346
351
|
|
|
347
352
|
### RFC Transport Reality
|
|
348
353
|
|
|
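Review bot: the D3FEND mapping in the new LiteLLM paragraph looks wrong: `D3-IOPR` resolves to IO Port Restriction, a platform-hardening technique, in the D3FEND releases I have, not to SDK-level prompt logging; `D3-CSPP` (Client-server Payload Profiling) is the right family for inbound request profiling, and the logging side needs a logging or analysis technique ID or none at all. The paragraph also states the pre-auth credential-DB read, the KEV dates, the fixed version (1.83.7+) and the config workaround (`general_settings: disable_error_logs: true`) inline, while every other CVE reference in this skill defers such facts to `data/cve-catalog.json` and `data/exploit-availability.json`; point the text at the catalog entry so the dates and fixed version have a single source of truth. Finally, the sentence just above says "there is no patch to apply because there is no vendor CVE" for the class; since this subsection introduces a patchable CVE, state explicitly that the "no patch" interpretation does not extend to the gateway class.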
@@ -65,7 +65,7 @@ AI governance moved from voluntary to mandatory between 2024 and 2026. The trans
|
|
|
65
65
|
|
|
66
66
|
The gap on the ground is severe and the same in every jurisdiction the maintainers have spot-checked through Q2 2026: most organisations deploying LLMs, agents, RAG pipelines, and AI-augmented developer tooling have **zero governance artefact specific to AI**. They assume general security policies, the existing risk register, the existing vendor management programme, and the existing incident response playbook cover AI by inheritance. They do not. Concretely:
|
|
67
67
|
|
|
68
|
-
- The risk register has no entry for prompt injection (AML.T0051), AI-as-C2 (AML.T0096), or AI-assisted exploit development against the organisation (AML.T0017).
|
|
68
|
+
- The risk register has no entry for prompt injection (AML.T0051), AI-as-C2 (AML.T0096), or AI-assisted exploit development against the organisation (AML.T0016 + AML.T0017).
|
|
69
69
|
- The vendor management programme treats AI providers as ordinary SaaS suppliers and accepts a SOC 2 Type II as evidence of AI-specific control adequacy — even though SOC 2 has no AI-specific criteria.
|
|
70
70
|
- The incident response playbook does not enumerate AI-specific incident classes (model exfiltration, training-data poisoning, agent compromise via MCP server, RAG corpus contamination, AI vendor breach affecting derived embeddings).
|
|
71
71
|
- The data inventory does not include vector embedding stores, model weights, or LLM prompt/response logs as classified data assets.
|
|
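Review bot: "AML.T0016 + AML.T0017" keeps AML.T0017 attached to AI-assisted exploit development, whereas the ai-c2-detection, api-security and cloud-security hunks in this same release relabel AML.T0017 as Discover ML Model Ontology. One of the two mappings is wrong; if Develop Capabilities is AML.T0017 (as the pre-change line implied), the other hunks need a different ID for their discovery rows. Suggest one technique ID per threat in the register entry, with the ID taken from `data/atlas-ttps.json` rather than typed by hand.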
@@ -77,7 +77,7 @@ AI red-team activity has likewise shifted from voluntary research practice to go
|
|
|
77
77
|
- NIST AI RMF MEASURE 2.5 expects organisations to assess AI risks during operation (`data/framework-control-gaps.json` → `NIST-AI-RMF-MEASURE-2.5`).
|
|
78
78
|
- OWASP LLM Top 10 2025 (LLM01: Prompt Injection — `data/framework-control-gaps.json` → `OWASP-LLM-Top-10-2025-LLM01`) is treated by auditors as the working operational checklist where ISO/IEC 42001 is silent on technical specifics.
|
|
79
79
|
|
|
80
|
-
The 2024–2026 disclosure record is unforgiving: vendor advisories from OpenAI, Anthropic, Google DeepMind, and Microsoft have published AI vulnerability disclosures spanning prompt-injection
|
|
80
|
+
The 2024–2026 disclosure record is unforgiving: vendor advisories from OpenAI, Anthropic, Google DeepMind, and Microsoft have published AI vulnerability disclosures spanning prompt-injection-driven RCE (CVE-2025-53773, CVSS 7.8 / AV:L), local-vector MCP supply-chain RCE (CVE-2026-30615, CVSS 8.0 / AV:L), agentic-pipeline compromise patterns, and indirect-injection via retrieved content. An organisation with no governance artefact mapping these classes to internal use cases is not in a position to act on any of them.
|
|
81
81
|
|
|
82
82
|
---
|
|
83
83
|
|
|
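Review bot: the rewritten sentence attributes both CVEs to "vendor advisories from OpenAI, Anthropic, Google DeepMind, and Microsoft", but the two examples are GitHub Copilot (a Microsoft/GitHub advisory) and Windsurf MCP, neither of which came from OpenAI, Anthropic or DeepMind; either cite advisories from those vendors or drop them from the attribution. Grammar: advisories do not publish disclosures, vendors do ("vendors ... have published advisories spanning ..."). Also "remote code execution" next to "AV:L" will read as a contradiction to a governance audience; add a clause saying why the vector is local (attacker content reaches the IDE, code runs as the developer).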
@@ -113,7 +113,8 @@ Governance failure surfaces as exploitable threat. The TTPs below are the diagno
|
|
|
113
113
|
|---|---|---|---|
|
|
114
114
|
| AML.T0051 | LLM Prompt Injection | No prompt/response logging, no semantic monitoring, no AI use-case-level risk treatment decision | ISO/IEC 23894 clause 7 risk treatment register has no entry; OWASP LLM01 control unowned. CWE-1426 (improper validation of generative AI output) is the root-cause class. |
|
|
115
115
|
| AML.T0096 | LLM Integration Abuse (covert C2) | No baseline of normal AI API traffic per principal; AI API egress treated as trusted internal traffic | NIST AI RMF MEASURE 2.5 not operationalised; SesameOp-class detection absent from SOC playbooks. |
|
|
116
|
-
| AML.T0017 |
|
|
116
|
+
| AML.T0017 | Discover ML Model Ontology — adversary reconnaissance of deployed model family / guardrails | No inference-API rate / shape baseline; model-registry RBAC absent; system-prompt extraction queries undetected | NIST AI RMF MEASURE 2.5 not requiring per-identity inference monitoring; AIMS lacks a probing-detection control. |
|
|
117
|
+
| AML.T0016 | Obtain Capabilities: Develop Capabilities (adversary AI-assisted exploit / payload development) | No threat-intelligence ingestion path for AI-discovered vulnerabilities; patch SLAs sized for human-speed exploit development | EU AI Act Art. 9 RMS not iterating on the input that 41% of 2025 zero-days are AI-discovered (per `ai-attack-surface` and `zeroday-lessons.json`). |
|
|
117
118
|
|
|
118
119
|
Supporting weakness classes consumed from `data/cwe-catalog.json`:
|
|
119
120
|
- **CWE-1426** — improper validation of generative AI output. The governance correlate: every AI use case must declare what output validation is performed and who owns it.
|
|
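Review bot: the new AML.T0016 row's "41% of 2025 zero-days are AI-discovered" is a load-bearing statistic cited only cross-skill ("per `ai-attack-surface` and `zeroday-lessons.json`"); `zeroday-lessons.json` is not among the data files in this release's file list, so point at the actual catalog file or state the source. The gap-flag phrase "EU AI Act Art. 9 RMS not iterating on the input that ..." does not parse; suggest "the Art. 9 risk-management system is not iterated against AI-accelerated exploit development as an input". Same naming issue as the other hunks: "Obtain Capabilities: Develop Capabilities" names two distinct techniques in one cell, and the T0017 row's "Discover ML Model Ontology" conflicts with the register entry above that still ties T0017 to exploit development.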
@@ -134,7 +135,7 @@ Adversary capability versus organisational governance maturity is the relevant a
|
|
|
134
135
|
|---|---|---|---|
|
|
135
136
|
| Low (off-the-shelf prompt injection per AML.T0051) | Exploitable today. Bypass rates >85% against SOTA defences (per `ai-attack-surface`). No detection. | Exploitable. Risk register names the threat; no detection or response capability deployed. | Detection latency: minutes-to-hours. Response playbook bound to incident class. |
|
|
136
137
|
| Medium (AI-as-C2 per AML.T0096, SesameOp pattern) | Exploited last quarter by definition — no AI API logging, no baseline. | Detection-blind: AI traffic logged but no behavioural baseline. | Behavioural baseline + correlation with host activity per `ai-attack-surface` Step 4. |
|
|
137
|
-
| High (AI-assisted exploit development per AML.
|
|
138
|
+
| High (AI-assisted exploit development per AML.T0016, Copy Fail-class) | Patch SLA structurally inadequate; live-patch capability absent. | Patch SLA sized for human-speed exploit development. | RWEP-driven prioritisation (`lib/scoring.js`), live-patch SLA <4h for KEV+PoC+AI-discovered class. |
|
|
138
139
|
| Frontier (training pipeline poisoning, supply-chain compromise of model weights — AML.T0020 catalogue) | No AI supplier risk register; vendor SOC 2 accepted as adequate. | AI vendor register exists; no 4th-party (AI-of-AI) coverage. | EU AI Act Art. 10 data governance + Art. 72 adversarial testing operationalised; vendor adversarial-test attestations required contractually. |
|
|
139
140
|
|
|
140
141
|
Reference incident inputs to the matrix: vendor advisories from Anthropic, OpenAI, Google DeepMind, Microsoft across 2024–2026; the emergent agentic-attack patterns observed through 2025–2026 disclosed in coordinated-vulnerability programmes per `coordinated-vuln-disclosure`; the AI-as-C2 evidence base referenced in `ai-c2-detection`; the prompt-injection-RCE and MCP-RCE CVE evidence referenced in `ai-attack-surface`.
|
|
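Review bot: the High row now cites AML.T0016 alone for AI-assisted exploit development, whereas the risk-register hunk earlier in this file cites "AML.T0016 + AML.T0017" for the same threat; align the two. "Live-patch SLA <4h for KEV+PoC+AI-discovered class" should state the RWEP threshold that defines the class, since `lib/scoring.js` is named as the source of the score; without the number the Tier cell is not testable.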
@@ -78,7 +78,7 @@ APIs are now the integration substrate of every non-trivial system. The mid-2026
|
|
|
78
78
|
|
|
79
79
|
1. **AI-API rate-limit abuse / denial-of-wallet** — a stolen API key or compromised internal service burns the organisation's spend cap on a model endpoint. GPT-class and Claude-class token costs at production volume run to five-to-six figures per day per workload — a key exfiltrated on Friday and abused over a weekend is a real budget event.
|
|
80
80
|
2. **Prompt-injection-as-C2** — user-controlled content reaches an LLM-fronted internal API and exfiltrates data through the model's response channel (the model becomes the covert C2 channel). Hand-off to `ai-c2-detection` for SesameOp-class detection patterns.
|
|
81
|
-
3. **Model extraction via inference rate (AML.T0017)** — high-volume queries against a hosted model are used to reconstruct the model's behaviour or training
|
|
81
|
+
3. **Model extraction via inference rate (AML.T0017 — Discover ML Model Ontology)** — high-volume queries against a hosted model are used to reconstruct the model's behaviour, system prompt, guardrail surface, or training-data signal. Detected at egress only by per-identity rate-and-shape monitoring, not by request count alone.
|
|
82
82
|
|
|
83
83
|
**MCP transport runs over HTTP/SSE.** Anthropic's **Model Context Protocol** (MCP) — the de-facto agent-to-tool protocol adopted across the industry through 2025 — uses HTTP and Server-Sent Events as its transport. That means MCP traffic is API traffic and inherits every API attack surface: auth, rate limiting, schema validation, BOLA on tool calls, SSRF if a tool fetches URLs. Hand-off to `mcp-agent-trust` for MCP-specific semantics; the API-security posture is foundational.
|
|
84
84
|
|
|
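Review bot: item 3 is titled "Model extraction" but is now mapped to Discover ML Model Ontology, a reconnaissance technique; reconstructing model behaviour or training-data signal from high-volume queries, which is what the sentence describes, is the exfiltration-via-inference-API technique in ATLAS (AML.T0024 and its Extract ML Model sub-technique in the releases I have), and system-prompt leakage is a separate LLM technique. Either retitle the item as probing/discovery or map it to the extraction technique. Also "Detected at egress" is the wrong direction for a model the organisation hosts: the probing traffic is inbound to the organisation's inference API, so this is ingress or gateway monitoring; egress applies only when the organisation is the party querying a third-party model.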
@@ -125,7 +125,7 @@ APIs are now the integration substrate of every non-trivial system. The mid-2026
|
|
|
125
125
|
| T1078 | Valid Accounts | Stolen API token / OAuth refresh token / leaked service-account key reused against the API; key-exfil-then-abuse pattern dominant for AI-API rate-limit abuse | CWE-287, CWE-200 | Partial — NIST-800-53-AC-2 manages account lifecycle but not per-object authz, not key rotation cadence for AI-API keys |
|
|
126
126
|
| T1567 | Exfiltration Over Web Service | Sensitive data egressed via a legitimate API channel — AI-API response stream as covert C2; OAuth-token-scoped exfil over the org's own API | CWE-200, CWE-918 | Missing — no framework mandates per-identity egress baselining; D3-NTA is the operational control (see Defensive Countermeasure Mapping) |
|
|
127
127
|
| AML.T0096 | AI Service Exploitation (AI-API as covert C2) | LLM API used as a covert command-and-control / exfil channel — prompt content carries instructions; response carries staged data | CWE-77, CWE-200 | Missing in NIST/ISO; hand-off to `ai-c2-detection` |
|
|
128
|
-
| AML.T0017 |
|
|
128
|
+
| AML.T0017 | Discover ML Model Ontology (inference-API probing for system-prompt, guardrail, model-family signal) | High-volume queries against a hosted model used to reconstruct behaviour, guardrail surface, or training-data signal | CWE-200 | Missing — detected only by per-identity rate-and-shape monitoring at egress |
|
|
129
129
|
|
|
130
130
|
CWE root-causes referenced as a set (per `cwe_refs` in frontmatter): CWE-287 (Improper Authentication), CWE-862 (Missing Authorization — BFLA root cause), CWE-863 (Incorrect Authorization — BOLA root cause), CWE-918 (SSRF — API7), CWE-200 (Information Exposure — BOPLA contributor), CWE-352 (CSRF — cookie-auth APIs + WebSocket CSWSH), CWE-22 (Path Traversal — API parameter sinks), CWE-77 (Command Injection — API parameter to shell), CWE-1188 (Insecure Default Initialization — default-open API state).
|
|
131
131
|
|
|
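Review bot: same two issues as item 3 above: the row text describes model-extraction behaviour but maps it to a discovery technique, and "rate-and-shape monitoring at egress" should read ingress (or "at the inference-API gateway") for a model the organisation hosts. The CWE column gives CWE-200 only; that fits system-prompt leakage, but extraction of model behaviour is a missing rate/abuse-control weakness rather than information exposure, so either add the second weakness or mark the mapping as approximate in the row.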
@@ -147,7 +147,7 @@ CWE root-causes referenced as a set (per `cwe_refs` in frontmatter): CWE-287 (Im
|
|
|
147
147
|
| API10 Unsafe Consumption of Third-Party APIs | Burp, custom integration fuzz | Egress allowlist; per-third-party threat model | Yes — agentic frameworks chain via third-party trust | Variable; transitive RCE chains via consumed AI-API or SaaS API are high | Emergent class through 2025–2026; AI-API consumption dominant subtype |
|
|
148
148
|
| AI-API rate-limit abuse / denial-of-wallet | Stolen-key abuse scripts; trivial automation | Per-identity + per-cost-unit egress quotas; budget alarms | Yes — fully automated | Direct USD loss — measurable per incident | High when keys leak; common via committed secrets, third-party breach, browser-extension exfil |
|
|
149
149
|
| AML.T0096 prompt-injection-as-C2 | Custom payload corpora; Promptfoo, Garak | Output guardrails, egress baselining (D3-NTA) | Yes — adaptive injection succeeds >85% against SOTA guardrails per 2026 meta-analysis | Emergent category | Active operational reality; hand-off to `ai-c2-detection` |
|
|
150
|
-
| AML.T0017
|
|
150
|
+
| AML.T0017 Discover ML Model Ontology (inference-API probing) | High-volume inference scripts; query-shape diversity tooling | Per-identity rate-and-shape monitoring at egress | Yes — agentic query diversification | Emergent | Active in adversarial-ML research; bleeding into production where hosted models expose probability vectors |
|
|
151
151
|
|
|
152
152
|
---
|
|
153
153
|
|
|
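Review bot: "Per-identity rate-and-shape monitoring at egress" repeats the direction error from the earlier rows in this file; the probing hits the organisation's own inference endpoint, so it is ingress. The "hosted models expose probability vectors" clause is the one concrete, testable detail in the row; move it into the Detection column as a configuration check (does the endpoint return logprobs or top-k distributions to this identity) rather than leaving it as colour in the last cell.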
@@ -78,11 +78,11 @@ Every enterprise now has outbound HTTPS to one or more LLM providers (OpenAI, An
|
|
|
78
78
|
|
|
79
79
|
### 3. MCP servers as RCE surface
|
|
80
80
|
|
|
81
|
-
CVE-2026-30615 (Windsurf MCP, CVSS
|
|
81
|
+
CVE-2026-30615 (Windsurf MCP, CVSS 8.0 / AV:L / RWEP 35) is the canonical example: a malicious MCP server drives code execution in the AI assistant's context via attacker-controlled HTML processed by the MCP client. 150M+ combined downloads across MCP-capable assistants share the architectural surface. Every developer workstation with an MCP-aware client (Cursor, VS Code + Copilot, Windsurf, Claude Code, Gemini CLI) is potentially a network of unsigned-package RCE vectors that no traditional asset inventory enumerates. ATLAS AML.T0010 (ML Supply Chain Compromise).
|
|
82
82
|
|
|
83
83
|
### 4. Prompt-injection footprint
|
|
84
84
|
|
|
85
|
-
Any system that feeds external content (PR descriptions, support tickets, web-retrieved docs, calendar events, email bodies, RAG-retrieved chunks) into an LLM prompt is in scope (ATLAS AML.T0051). CVE-2025-53773 (GitHub Copilot, CVSS
|
|
85
|
+
Any system that feeds external content (PR descriptions, support tickets, web-retrieved docs, calendar events, email bodies, RAG-retrieved chunks) into an LLM prompt is in scope (ATLAS AML.T0051 / AML.T0054). CVE-2025-53773 (GitHub Copilot YOLO-mode RCE, CVSS 7.8 / AV:L / RWEP 30) showed prompt-injection coercion flipping `chat.tools.autoApprove: true` and converting subsequent tool calls into shell execution via developer-side IDE interaction. 2026 meta-analysis: adaptive prompt injection succeeds against SOTA defenses at >85%. Pen testers must enumerate the prompt-injection footprint as a first-class asset class.
|
|
86
86
|
|
|
87
87
|
### 5. RAG corpora and embedding stores
|
|
88
88
|
|
|
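Review bot: the Windsurf paragraph says a malicious MCP server "drives code execution ... via attacker-controlled HTML processed by the MCP client" while tagging the CVE AV:L; if the server is something the developer installs locally (the AML.T0010 framing used here) say so, because "attacker-controlled HTML" reads as a remote vector and the reader will question the local rating. The "150M+ combined downloads" figure appears here and again in the compliance-theater hunk with no source in either place; pin it to a catalog field or drop it. In section 4, AML.T0054 (LLM Jailbreak) is added beside AML.T0051 without explanation: the Copilot case as described (injected content flips `chat.tools.autoApprove: true`) is prompt injection, not a guardrail jailbreak, so either justify T0054 or leave T0051 alone.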
@@ -126,7 +126,7 @@ Pen testers must emulate both classical and AI-class chains. The table below map
|
|
|
126
126
|
|
|
127
127
|
| Phase | Classical TTP (ATT&CK v17) | AI-Class TTP (ATLAS v5.1.0) | Framework Gap Flag |
|
|
128
128
|
|---|---|---|---|
|
|
129
|
-
| Reconnaissance | T1595 (Active Scanning) — implied by T1190 setup | AML.
|
|
129
|
+
| Reconnaissance | T1595 (Active Scanning) — implied by T1190 setup | AML.TA0002 (Reconnaissance tactic) — model card / dataset / API endpoint discovery, system-prompt probing | NIST 800-115 §3.x recon guidance is network-only |
|
|
130
130
|
| Initial Access | T1190 (Exploit Public-Facing Application) | AML.T0051 (LLM Prompt Injection) — entered via PR description, support ticket, retrieved doc | OWASP WSTG covers webapp; not prompt-injection as entry vector |
|
|
131
131
|
| Initial Access | T1133 (External Remote Services) | AML.T0010 (ML Supply Chain Compromise) — malicious MCP server installed by developer | PTES scoping templates do not require MCP server enumeration |
|
|
132
132
|
| Execution | T1059 (Command and Scripting Interpreter) | AML.T0051 → tool-use call invoking shell/code execution in agent context | NIS2 Art.21 patch-mgmt language assumes binary exploit; semantic-input exploit lives outside |
|
|
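Review bot: the Reconnaissance row now cites a tactic ID (AML.TA0002) where every other row in the column cites technique IDs; the row's own text already enumerates techniques (model-card, dataset and endpoint discovery, system-prompt probing), so take the technique IDs from `data/atlas-ttps.json` (touched in this release) instead of the tactic. "NIST 800-115 §3.x" is a placeholder reference; cite the actual section or write "NIST SP 800-115 Section 3".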
@@ -146,8 +146,8 @@ Pen testers select tooling based on real exploit availability. The matrix below
|
|
|
146
146
|
| Vulnerability | CVSS | RWEP | CISA KEV | Public PoC | AI-Discovered/Accelerated | Live-Patchable | Pen Tester Use |
|
|
147
147
|
|---|---|---|---|---|---|---|---|
|
|
148
148
|
| CVE-2026-31431 (Copy Fail Linux kernel LPE) | 7.8 | 90 | Yes | Yes — 732-byte deterministic exploit | Yes (AI-discovered in ~1 hour) | Yes (kpatch / livepatch) | Post-exploit privilege escalation in unpatched Linux hosts; reliable, no race condition |
|
|
149
|
-
| CVE-2025-53773 (GitHub Copilot
|
|
150
|
-
| CVE-2026-30615 (Windsurf MCP RCE) |
|
|
149
|
+
| CVE-2025-53773 (GitHub Copilot YOLO-mode RCE) | 7.8 | 30 | No (not enterprise infra in KEV sense) | Yes — demonstrated PoC | Yes (AI tooling generates injection payloads) | Yes (SaaS push / IDE update) | Initial access via PR descriptions, support tickets, retrieved docs; emulate AML.T0051 / AML.T0054 |
|
|
150
|
+
| CVE-2026-30615 (Windsurf MCP local-vector RCE) | 8.0 | 35 | No | Partial — concept demonstrated | No | Yes (IDE update) | Lateral movement to developer workstations via malicious MCP server; emulate AML.T0010 |
|
|
151
151
|
| CVE-2026-43284 (covered in fuzz/memory-safety skill) | see `data/cve-catalog.json` | see `data/cve-catalog.json` | see `data/exploit-availability.json` | see `data/exploit-availability.json` | see `data/cve-catalog.json` | see `data/cve-catalog.json` | Memory-corruption chain context — refer to that skill for exploitation detail |
|
|
152
152
|
| CVE-2026-43500 (covered in supply-chain skill) | see `data/cve-catalog.json` | see `data/cve-catalog.json` | see `data/exploit-availability.json` | see `data/exploit-availability.json` | see `data/cve-catalog.json` | see `data/cve-catalog.json` | Supply chain compromise context — refer to that skill for exploitation detail |
|
|
153
153
|
| SesameOp (AI-as-C2 technique, no CVE — adversary tradecraft) | N/A (technique, not vulnerability) | N/A | N/A | Yes — ATLAS-documented adversary pattern (AML.T0096) | Yes | N/A | Emulate covert AI-API C2 during adversary emulation; verifies whether egress monitoring catches AML.T0096 |
|
|
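Review bot: the KEV cell for CVE-2025-53773, "No (not enterprise infra in KEV sense)", misstates the KEV criteria: BOD 22-01 lists a CVE on an assigned ID plus reliable evidence of active exploitation plus a clear remediation, not on whether the product is enterprise infrastructure. Write "No (no KEV entry)" or cite the reason from `data/exploit-availability.json`. The "AI-Discovered/Accelerated" cell for the same row says "Yes (AI tooling generates injection payloads)", which is acceleration of exploitation, while the Copy Fail row uses the column for AI discovery of the bug; give the column one meaning or split it into two.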
@@ -136,7 +136,7 @@ Cloud is where AI runs. Every consequential AI service — OpenAI, Anthropic, Go
|
|
|
136
136
|
| Cloud-facing application | T1190 — Exploit Public-Facing Application | ATT&CK Enterprise | API Gateway / Load Balancer / managed-WAF-bypass; managed-database exposure (RDS / SQL DB / Cloud SQL public IP); container-registry public image abuse; Lambda / Cloud Functions / Azure Functions endpoint exploit | NIST 800-53 SC-7 perimeter assumption inadequate; CSA CCM AIS-04 and IVS-08 partial; CWE-1188 (Insecure Default Initialization) |
|
|
137
137
|
| Cloud-credential exposure | T1552 — Unsecured Credentials (incl. T1552.001 Files, T1552.005 Cloud Instance Metadata API, T1552.007 Container API) | ATT&CK Enterprise | IMDSv1 SSRF on EC2 / GCE; static cloud credentials in git / images / env vars; container API and kubeconfig theft; workload-identity-federation trust-policy abuse | CWE-798 (hardcoded credentials), CWE-200; NIST 800-53 IA-5 method-neutral |
|
|
138
138
|
| AI model registry / cloud-hosted model | AML.T0010 — ML Supply Chain Compromise | ATLAS v5.1.0 | Bedrock / SageMaker custom model from poisoned upstream; Azure ML model registry tampering; Vertex Model Garden mirror tampering; HF model pulled into Bedrock / SageMaker / Vertex with weights backdoor | CSA CCM CCC-09 (vendor / supply chain) silent on model-supply-chain specifics; SLSA / in-toto / Sigstore for models still maturing |
|
|
139
|
-
| Cloud inference API abuse / model extraction | AML.T0017 —
|
|
139
|
+
| Cloud inference API abuse / model extraction | AML.T0017 — Discover ML Model Ontology (inference-API probing for system-prompt, guardrail, model-family signal against cloud-hosted endpoints); AML.T0016 — Obtain Capabilities: Develop Capabilities (downstream weaponization) | ATLAS v5.1.0 | Programmatic query of Bedrock / Azure OpenAI / Vertex endpoint to extract model behaviour, training-data inference, system-prompt leakage | No cloud-specific ATLAS control mapping for inference-API rate-limit / anomaly detection; chain to `ai-attack-surface` |
|
|
140
140
|
|
|
141
141
|
**Note on ATT&CK Enterprise cloud-platform sub-techniques.** ATT&CK Enterprise has cloud-platform-specific matrices (IaaS, SaaS, Office 365, Azure AD / Entra ID, Google Workspace). T1078.004 (Cloud Accounts), T1552.005 (Cloud Instance Metadata API), T1552.007 (Container API), T1190 with cloud-service variants, T1530 with managed-storage variants are the most operationally relevant. The frontmatter pins the parent IDs; analysis should descend to the sub-technique appropriate to the cloud(s) in scope.
|
|
142
142
|
|
|
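Review bot: the row is titled "inference API abuse / model extraction" but maps to Discover ML Model Ontology plus a fused "Obtain Capabilities: Develop Capabilities" entry; the things the cell lists (behaviour reconstruction, training-data inference) are the exfiltration-via-inference-API technique in ATLAS rather than discovery, and Obtain Capabilities and Develop Capabilities are distinct techniques. The Develop Capabilities addition also has no cloud-specific content in the row; if it stays, say what the cloud-hosted endpoint contributes to weaponization, otherwise leave it to the `ai-attack-surface` chain the last cell already points to.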
@@ -43,8 +43,8 @@ The `atlas_refs` and `attack_refs` arrays are intentionally empty. This skill is
|
|
|
43
43
|
The defining mid-2026 reality is that an organization can pass a clean ISO 27001:2022, SOC 2 Type II, or PCI DSS 4.0 audit while remaining exposed to KEV-listed deterministic LPEs and zero-interaction RCEs. The contrast cases drive every theater pattern below:
|
|
44
44
|
|
|
45
45
|
- **CVE-2026-31431 (Copy Fail)** — Linux kernel LPE, CISA KEV, AI-discovered in approximately one hour, deterministic 732-byte public PoC, no race condition. An organization with an A.8.8 / SI-2 / PCI 6.3.3 program that meets the framework's "appropriate timescale" language (commonly 30 days for High) is *passing the audit* during the active-exploitation window. This is the canonical Patch Management Theater case. Catalog entry: `data/cve-catalog.json`.
|
|
46
|
-
- **CVE-2026-30615 (Windsurf MCP
|
|
47
|
-
- **CVE-2025-53773 (GitHub Copilot
|
|
46
|
+
- **CVE-2026-30615 (Windsurf MCP local-vector RCE)** — CVSS 8.0 / AV:L / RWEP 35. 150M+ combined downloads across MCP-capable assistants share the architectural surface. An organization's CC9 / SA-12 / A.5.19 vendor management program rated as "operating effectively" by an auditor typically has zero coverage of MCP servers running in developer environments. The vendor-management control passes the audit and provides no control surface for the attack class. Catalog entry: `data/cve-catalog.json`.
|
|
47
|
+
- **CVE-2025-53773 (GitHub Copilot YOLO-mode RCE)** — CVSS 7.8 / AV:L / RWEP 30. An organization's SOC 2 CC6 access control program is rated "passed" while prompt injection coerces the AI assistant into flipping `chat.tools.autoApprove: true` and converting subsequent tool calls into shell execution under the AI service account's authorized identity. The audit evidence (IAM reviews, access logs with no unauthorized events) is correct and complete; it provides zero signal about the intrusion.
|
|
48
48
|
|
|
49
49
|
In each case, a real-world public exploit produced by current adversary TTPs renders a passing audit non-informative about actual security posture. The seven theater patterns below codify the most common recurrences of this pattern.
|
|
50
50
|
|
|
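Review bot: the CVE-2025-53773 bullet is the only one of the three contrast cases without a `Catalog entry: \`data/cve-catalog.json\`` pointer, while the rules later in the document require every CVE claim to trace to a catalog row; add it. The `150M+ combined downloads` figure in the CVE-2026-30615 bullet has no source in the text either; cite where it comes from or mark it as an estimate.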
@@ -57,7 +57,7 @@ Compliance theater is the operational shadow of framework lag. Per-framework lag
|
|
|
57
57
|
| Framework | Control | Lag (what the control language does not cover) |
|
|
58
58
|
|---|---|---|
|
|
59
59
|
| SOC 2 | CC6 (Logical and Physical Access) | Logical-access language was drafted for human-controlled accounts and machine identities in traditional IAM. It does not cover prompt injection as an access control bypass: the AI service account is authorized, monitored, and within least-privilege scope; the attacker's intent travels through the model's context window and never appears in access logs. See CVE-2025-53773. |
|
|
60
|
-
| ISO 27001:2022 | A.8.8 (Management of Technical Vulnerabilities) | "Appropriate timescales" is undefined; auditor practice typically reads as 30 days for High / 90 days for Medium. The language does not operationalize the CISA KEV class. For CVE-2026-31431 these timescales mean active exploitation during the "compliant" remediation window. |
|
|
60
|
+
| ISO 27001:2022 | A.8.8 (Management of Technical Vulnerabilities) | "Appropriate timescales" is undefined; auditor practice typically reads as 30 days for High / 90 days for Medium. The language does not operationalize the CISA KEV class. For CVE-2026-31431 (KEV-listed 2026-05-01, federal due 2026-05-15) these timescales mean active exploitation during the "compliant" remediation window. |
|
|
61
61
|
| PCI DSS 4.0 | 6.3.3 (Patches) | The one-month critical-patch window predates AI-assisted exploit development. For any CVE with CISA KEV listing and a public PoC, the one-month window is an exploitation-acceptance window, not a security window. |
|
|
62
62
|
| SOC 2 | CC7 (System Operations) | Anomaly detection guidance has no baseline for AI API traffic, AI-as-C2 (SesameOp), or PROMPTFLUX behavioral patterns. The control passes the audit with no AI-relevant detection surface. |
|
|
63
63
|
| ISO 27001:2022 | A.5.19 / A.5.20 (Supplier relationships) | Drafted for SaaS and outsourced-service vendors. Does not cover MCP servers as third-party code executing inside the developer environment, nor LLM API providers as data processors for sensitive prompt content. |
|
|
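Review bot: the dates added to the A.8.8 row (`KEV-listed 2026-05-01, federal due 2026-05-15`) are now hardcoded in at least four places in this changeset (this row, the Pattern 1 reality paragraph, the container cross-walk row and the detection-test quote). The catalog is described as the source of truth for the KEV flag, so either reference the catalog field or add a note that these literals must be updated together when the entry changes.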
@@ -78,11 +78,11 @@ Each theater pattern below maps to one or more attacker TTPs in `data/atlas-ttps
|
|
|
78
78
|
|---|---|---|
|
|
79
79
|
| Patch Management Theater (Pattern 1) | T1068 (Exploitation for Privilege Escalation), T1203 (Exploitation for Client Execution) | Public PoC + KEV + AI-accelerated weaponization compresses the exploitation window inside the SLA |
|
|
80
80
|
| Network Segmentation Theater — IPsec (Pattern 2) | T1190 (Exploit Public-Facing Application) targeting the IPsec kernel subsystem | The control's cryptographic mechanism is the attack surface |
|
|
81
|
-
| Access Control Theater — AI Agents (Pattern 3) | AML.T0051 (LLM Prompt Injection), AML.T0054 (
|
|
81
|
+
| Access Control Theater — AI Agents (Pattern 3) | AML.T0051 (LLM Prompt Injection), AML.T0054 (LLM Jailbreak), T1059 (Command and Scripting Interpreter) | Authorized service account executes attacker-chosen actions; no identity boundary is crossed |
|
|
82
82
|
| Incident Response Theater — AI Pipeline (Pattern 4) | AML.T0020 (Poison Training Data), AML.T0096 (LLM Integration Abuse as C2), AML.T0010 (ML Supply Chain Compromise) | Detection triggers do not exist, so documented IR procedures have no input |
|
|
83
83
|
| Change Management Theater — AI Models (Pattern 5) | AML.T0018 (Backdoor ML Model), AML.T0020 | Externally-managed model updates bypass operator change control entirely |
|
|
84
84
|
| Vendor/Third-Party Risk Theater — AI APIs (Pattern 6) | AML.T0010 (ML Supply Chain Compromise) | MCP servers and LLM APIs sit outside the vendor-management scope |
|
|
85
|
-
| Security Awareness Theater — AI Phishing (Pattern 7) | T1566 (Phishing), AML.T0016 (
|
|
85
|
+
| Security Awareness Theater — AI Phishing (Pattern 7) | T1566 (Phishing), AML.T0016 (Obtain Capabilities: Develop Capabilities — misuse of public AI APIs for payload crafting) | AI-generated content evades grammar/style heuristics and template-matching detectors |
|
|
86
86
|
|
|
87
87
|
Source-of-truth TTP catalog: `data/atlas-ttps.json` (pinned to MITRE ATLAS v5.1.0, November 2025). Any theater claim in an assessment must cite at least one TTP ID from that catalog or an ATT&CK Enterprise ID — claims without a mapped TTP fail Hard Rule #4 (no orphaned controls).
|
|
88
88
|
|
|
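Review bot: the Pattern 5 row lists `AML.T0020` bare while every other row gives the technique name with its ID; add `(Poison Training Data)` to match the Pattern 4 row. The Pattern 7 row's `AML.T0016 (Obtain Capabilities: Develop Capabilities ...)` runs two ATLAS technique names together; keep whichever one the catalog entry actually maps.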
@@ -95,8 +95,8 @@ The theater patterns most acutely under attack today are those backed by high-RW
|
|
|
95
95
|
| Theater pattern | Evidence CVE | CVSS | RWEP tier | KEV | Public PoC | AI-accelerated | Live-patchable | Active exploitation |
|
|
96
96
|
|---|---|---|---|---|---|---|---|---|
|
|
97
97
|
| Patch Management Theater | CVE-2026-31431 (Copy Fail) | High | Critical | Yes | Yes (732 bytes, deterministic) | Yes (AI-discovered) | Yes (kpatch/livepatch) | Confirmed |
|
|
98
|
-
| Vendor Management Theater (AI APIs / MCP) | CVE-2026-30615 (Windsurf MCP) |
|
|
99
|
-
| Access Control Theater (AI agents) | CVE-2025-53773 (Copilot
|
|
98
|
+
| Vendor Management Theater (AI APIs / MCP) | CVE-2026-30615 (Windsurf MCP local-vector RCE) | 8.0 | 35 | No | Partial | No | Yes (IDE update) | Suspected |
|
|
99
|
+
| Access Control Theater (AI agents) | CVE-2025-53773 (Copilot YOLO-mode RCE) | 7.8 | 30 | No | Yes (demonstrated) | Yes (AI tooling enables) | Yes (SaaS push / IDE update) | Suspected |
|
|
100
100
|
| Network Segmentation Theater (IPsec) | CVE-2026-43284 (Dirty Frag) | High | High | Pending | Partial | No | Limited (subsystem-dependent) | Suspected |
|
|
101
101
|
| Incident Response Theater (AI pipeline) | SesameOp campaign + AML.T0096 | N/A | High | N/A | ATLAS-documented | Yes | N/A | Confirmed campaign |
|
|
102
102
|
| Change Management Theater (AI models) | Continuous provider updates | N/A | Medium | N/A | N/A | N/A | N/A | Ongoing (uncontrolled) |
|
|
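Review bot: the `CVSS` and `RWEP tier` columns now mix representations: the Copy Fail and Dirty Frag rows carry bands (`High`, `Critical`, `High`) while the two edited rows carry raw numbers (`8.0` / `35`, `7.8` / `30`). A reader comparing rows cannot see that 7.8 and High are the same band, or where RWEP 35 falls relative to the Critical and High tiers. Pick one representation per column (band or tier, with the number in parentheses if wanted) and apply it to every row.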
@@ -114,7 +114,7 @@ The first three rows (Critical / Critical / High RWEP with public PoC or active
|
|
|
114
114
|
|
|
115
115
|
**The audit evidence:** Patch management policy document, ticketing system showing CVEs opened and closed within SLA, vulnerability scanner reports showing declining open vulnerabilities.
|
|
116
116
|
|
|
117
|
-
**The reality:** CVE-2026-31431 (Copy Fail) was CISA KEV listed on 2026-
|
|
117
|
+
**The reality:** CVE-2026-31431 (Copy Fail) was CISA KEV listed on 2026-05-01 with a public 732-byte exploit script (CISA due date 2026-05-15). A 30-day SLA means an organization can be "compliant" while having a public deterministic root exploit unpatched for weeks past the federal due date. During that window: active exploitation confirmed.
|
|
118
118
|
|
|
119
119
|
**Why it's theater:** The 30-day SLA was designed for environments where weaponization takes weeks. Copy Fail's weaponization time was ~1 hour (AI-discovered and PoC-ready). The control measures compliance with a time window that no longer reflects exploit development reality.
|
|
120
120
|
|
|
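Review bot: the `Why it's theater` paragraph says `Copy Fail's weaponization time was ~1 hour (AI-discovered and PoC-ready)`, but the contrast-case bullet and the RWEP rationale elsewhere in this changeset describe the one-hour figure as discovery time, not time to a working PoC. State which interval the hour measures, because the SLA argument rests on weaponization time specifically.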
@@ -144,7 +144,7 @@ CWE cross-walk (see `data/cwe-catalog.json`):
|
|
|
144
144
|
|
|
145
145
|
| Class / CVE | CVSS | RWEP | CISA KEV | PoC Public | AI-Discovered | Active Exploitation | Patch / Mitigation | Admission-Detectable | Runtime-Detectable (Falco/Tetragon) |
|
|
146
146
|
|---|---|---|---|---|---|---|---|---|---|
|
|
147
|
-
| Host-kernel LPE as container escape — Copy Fail (CVE-2026-31431) | 7.8 | 90 (see `cve-catalog.json`) | Yes (2026-
|
|
147
|
+
| Host-kernel LPE as container escape — Copy Fail (CVE-2026-31431) | 7.8 | 90 (see `cve-catalog.json`) | Yes (2026-05-01, due 2026-05-15) | Yes — 732-byte script | Yes | Confirmed | Kernel patch + live-patch (kpatch/livepatch/kGraft) on supported distros; reboot rolling fleet on others | No (admission doesn't see kernel ops) | Yes — Falco/Tetragon catches the post-escape host operations; the in-kernel write itself is invisible to eBPF |
|
|
148
148
|
| Container-runtime CVE class — runc CVE-2024-21626 ("LeakyVessels") family | 8.6 | varies (historical reference) | Yes (at time of disclosure) | Yes | No (manual disclosure) | Patched in modern fleets; brownfield self-managed clusters lag | runc / containerd / CRI-O upgrade | Partial — admission can require minimum runtime versions via node-feature labels | Yes — Tetragon can enforce SIGKILL on the abuse syscall sequence |
|
|
149
149
|
| Misconfigured PSS — `pod-security.kubernetes.io/enforce: privileged` on a workload namespace | n/a (class) | n/a | n/a | Trivial — `kubectl run --privileged` | Operator misconfig + AI-coding-assistant template drift | Routinely observed in incident response 2024–2026 | Set namespace label to `restricted`; remediate the workload | Yes — Kyverno PolicyReport + Kubescape surface this; PSA itself enforces on admit if label set |
|
|
150
150
|
| Misconfigured RBAC — ServiceAccount with `create/patch` on `pods` or `secrets` cluster-wide | n/a (class) | n/a | n/a | Trivial — `can-i --list --as=system:serviceaccount:...` | Operator misconfig | Routinely observed | Replace wildcard ClusterRoles with scoped Roles; deny `automountServiceAccountToken: true` by default | Yes — Kyverno + OPA policies; kube-bench check | Yes — Falco detects token use from unexpected ServiceAccount |
|
|
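Review bot: the misconfigured-PSS row has nine cells against a ten-column header; the `Runtime-Detectable (Falco/Tetragon)` column is missing, so that cell is undefined when the table renders. Add a value (for example whether a privileged-container start is caught at runtime) so the row lines up with the RBAC row beneath it. The Copy Fail row also gives CVSS as `7.8` while the theater evidence matrix earlier gives `High`; use one representation across the tables.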
@@ -152,7 +152,11 @@ DLP gaps in this skill are misuse patterns and architectural blind spots, not si
|
|
|
152
152
|
| Embedding-store membership inference (`DLP-SURFACE-EMBEDDING-STORE`) | No | Academic and red-team work 2023-2025 demonstrating membership inference against Pinecone / Weaviate / Qdrant indexes built from sensitive corpora | N/A | Yes — AI-assisted query optimisation accelerates inference attacks | None — no commercial DLP product addresses this. Mitigations are architectural (DP-SGD fine-tuning, query rate limits, k-anonymity at retrieval). | None |
|
|
153
153
|
| IDE / dev-tool telemetry leak (`DLP-CHAN-IDE-TELEMETRY`) | No | JetBrains / VS Code / Visual Studio crash-dump and error-report leakage cases 2022-2025 | N/A | Partial — AI-extension telemetry includes prompt previews | GPO/MDM telemetry suppression; SWG egress block on telemetry domains | None |
|
|
154
154
|
|
|
155
|
-
**Interpretation:** no patch applies because there is no vendor CVE. Mitigation is architectural — defense-in-depth across SDK, gateway, browser-isolation, endpoint, and egress NTA. Vendor-side contractual controls (zero retention enterprise tiers, BAAs for HIPAA, EU data residency for GDPR Art 44) are necessary but technically un-verifiable; treat as compensating controls, not primary.
|
|
155
|
+
**Interpretation:** no patch applies because there is no vendor CVE for the *architectural* DLP gaps above. Mitigation is architectural — defense-in-depth across SDK, gateway, browser-isolation, endpoint, and egress NTA. Vendor-side contractual controls (zero retention enterprise tiers, BAAs for HIPAA, EU data residency for GDPR Art 44) are necessary but technically un-verifiable; treat as compensating controls, not primary.
|
|
156
|
+
|
|
157
|
+
### Adjacent CVE — LLM-Gateway Credential Exfiltration
|
|
158
|
+
|
|
159
|
+
**CVE-2026-42208** — BerriAI LiteLLM Proxy authorization-header SQL injection (CVSS 9.8 / CVSS v4 9.3 / CISA KEV-listed 2026-05-08, federal due 2026-05-29; in-wild exploitation confirmed). LiteLLM is the open-source LLM-API gateway used in front of agent stacks, MCP-server fronts, and multi-model proxy deployments — exactly the egress path this skill treats as the credential boundary for hosted-model use. The proxy concatenated an attacker-controlled `Authorization` header value into a SQL query in the error-logging path, so a curl-able POST against `/chat/completions` with a SQL-injection payload returns the managed-credentials DB content without prior auth. Patched in 1.83.7+; temporary workaround `general_settings: disable_error_logs: true`. DLP relevance: a compromised LiteLLM gateway hands the adversary every downstream model-provider credential plus the per-tenant routing config — every subsequent prompt/response pair routes through attacker-known credentials and the *exfiltration* channel becomes the legitimate AI-API egress that the DLP architectures above are designed to monitor. Any organisation whose DLP scope treats the LLM gateway as "just a reverse proxy" misses that the gateway is the credential-and-routing boundary that determines whether outbound LLM traffic is trustworthy at all.
|
|
156
160
|
|
|
157
161
|
---
|
|
158
162
|
|
|
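Review bot: the new CVE-2026-42208 section states patched version, KEV dates and exploitation status in prose but, unlike the other CVE entries in this diff, gives no `data/cve-catalog.json` pointer and maps no ATT&CK or ATLAS TTP ID, which the rules elsewhere in the document treat as a hard failure for any theater claim. The workaround `general_settings: disable_error_logs: true` is also written on one line; the LiteLLM proxy config is YAML with `disable_error_logs` nested under `general_settings`, so show it as a two-line block rather than a form that fails to parse if copied into a config file.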
@@ -71,7 +71,7 @@ Phishing remained the #1 initial-access vector through 2025 (Verizon DBIR 2025)
|
|
|
71
71
|
|
|
72
72
|
**Business Email Compromise losses continued growing through 2025.** FBI IC3 2024 and 2025 reports place BEC at multi-billion-USD annual loss globally, with the wire-redirection and vendor-invoice-fraud subclasses dominant. The 2026 reality is that BEC is no longer "compromised mailbox sends a wire request" — it is increasingly "spoofed-or-look-alike domain plus deepfake voice/video confirmation channel" so that out-of-band verification by phone *fails open* unless the callback number is a pre-registered known-good.
|
|
73
73
|
|
|
74
|
-
**Defense ecosystem snapshot.** SPF (RFC 7208), DKIM (RFC 6376), and DMARC (RFC 7489) adoption is effectively universal among Fortune 500 sender domains, but **enforcement** (`p=reject` vs `p=none`) lags — only roughly 60% of large enterprise domains are at `p=reject` by mid-2026, with the rest stuck in monitoring mode for fear of breaking legitimate forwarders. BIMI (
|
|
74
|
+
**Defense ecosystem snapshot.** SPF (RFC 7208), DKIM (RFC 6376), and DMARC (RFC 7489) adoption is effectively universal among Fortune 500 sender domains, but **enforcement** (`p=reject` vs `p=none`) lags — only roughly 60% of large enterprise domains are at `p=reject` by mid-2026, with the rest stuck in monitoring mode for fear of breaking legitimate forwarders. BIMI (AuthIndicators Working Group draft, with IETF mailing-list discussion ongoing as of mid-2026) for visual brand verification is deployed at Gmail, Yahoo Mail, and Apple Mail, but requires DMARC `p=quarantine` or `p=reject` to take effect — so it doubles as enforcement-status signaling. ARC (RFC 8617) is the forwarder-authentication answer to the DMARC-vs-mailing-list problem and is maturing across major providers. MTA-STS (RFC 8461) and TLSRPT (RFC 8460) close the in-transit TLS-downgrade gap that opportunistic STARTTLS leaves open. The cloud email duopoly — Microsoft 365 Exchange Online and Google Workspace Gmail — is the canonical ephemeral inbox environment per the project's ephemeral-realities rule; on-prem Exchange remains in regulated and air-gapped enclaves and gets an explicit exception path below.
|
|
75
75
|
|
|
76
76
|
**Phishing-resistant authentication.** FIDO2 / WebAuthn synced passkeys are the only widely deployed authenticator class that survives AiTM proxy phishing (evilginx-class), Tycoon-2FA-style session-token relay, and push-notification fatigue attacks. TOTP, SMS, and push-MFA are all bypassable by 2026 phishing-kit ecosystems. Caffeine and Tycoon 2FA continue to evolve; observed 2025 telemetry shows passkey-relay attempts emerging against poorly configured WebAuthn relying-party verification.
|
|
77
77
|
|
|
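Review bot: `only roughly 60% of large enterprise domains are at p=reject by mid-2026` is the one quantitative claim in a paragraph that otherwise cites RFC numbers; give it a source or mark it as an estimate. Minor: BIMI evaluation at the listed providers also depends on the DMARC policy applying at `pct=100`, which is worth stating beside the `p=quarantine` / `p=reject` requirement, since a partial-percentage policy does not satisfy the check.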
@@ -42,7 +42,7 @@ RWEP exists because the exploit development cycle has compressed. The factors th
|
|
|
42
42
|
|
|
43
43
|
- **AI-accelerated exploit development is current operational reality, not emerging.** 41% of 2025 zero-days were discovered or weaponized with AI-assisted tooling (AGENTS.md DR-5). Copy Fail (CVE-2026-31431) was discovered by an AI system in approximately one hour. CVSS scoring assumes a human-speed gap between disclosure and reliable exploitation — that gap is gone for AI-capable threat actors.
|
|
44
44
|
- **CVSS undercounts AI-discovered + KEV-listed bugs.** CVE-2026-31431 scores CVSS 7.8 (High). Treated as a CVSS-band-7 item, it lands in a 30-day remediation queue. Treated honestly — CISA KEV listed, 732-byte deterministic public PoC, all Linux ≥ 4.14, AI-discovered — it is a 4-hour incident. CVSS misses every one of those amplifiers.
|
|
45
|
-
- **CVSS
|
|
45
|
+
- **CVSS local-vector blindness vs. RWEP exploitation reality.** CVE-2026-30615 (Windsurf MCP) scores CVSS 8.0 with AV:L (the NVD-authoritative corrected score; the initial CVSS 9.8 was withdrawn after attack-vector analysis confirmed the local-vector reality — the attacker must control HTML content that the Windsurf MCP client processes). RWEP rates it 35, lower than Copy Fail at 90: the supply-chain prerequisite (a victim first installs a malicious MCP server) plus the local attack vector throttle real exploitation rate. This pair is the canonical example of CVSS-vector-only scoring losing to RWEP's exploitation-evidence weighting.
|
|
46
46
|
- **Compliance frameworks anchor SLAs on CVSS bands.** NIST 800-53 SI-2, PCI DSS 6.3.3, ISO 27001:2022 A.8.8, and most internal vuln-management policies translate CVSS High/Critical into 30-day/7-day windows. For AI-discovered KEV-listed LPEs with public PoCs, these windows are exploitation windows. RWEP is the layer that lets an org prioritize honestly without re-writing every framework control.
|
|
47
47
|
|
|
48
48
|
---
|
|
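Review bot: the new local-vector bullet gives two different preconditions for CVE-2026-30615 in one sentence: `the attacker must control HTML content that the Windsurf MCP client processes` and `a victim first installs a malicious MCP server`. If both are required, say so; if either suffices, the supply-chain framing (and the AML.T0010 mapping used elsewhere in this diff) applies only to the second. The theater-signal row later in the diff uses only the HTML precondition, so the two passages should agree.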
@@ -71,7 +71,7 @@ This skill is meta — it does not pin to a single TTP class. RWEP is the cross-
|
|
|
71
71
|
| Catalog | Role for RWEP |
|
|
72
72
|
|---|---|
|
|
73
73
|
| `data/cve-catalog.json` | Source of factor values: CISA KEV flag, PoC availability, AI-discovery flag, active-exploitation status, patch and live-patch availability per CVE |
|
|
74
|
-
| `data/atlas-ttps.json` (MITRE ATLAS v5.1.0) | Provides the AI/ML TTP context where AI-discovery and AI-acceleration factors apply (e.g., AML.
|
|
74
|
+
| `data/atlas-ttps.json` (MITRE ATLAS v5.1.0) | Provides the AI/ML TTP context where AI-discovery and AI-acceleration factors apply (e.g., AML.T0016 Obtain Capabilities: Develop Capabilities, AML.T0017 Discover ML Model Ontology) |
|
|
75
75
|
| `data/exploit-availability.json` | Authoritative PoC + KEV + last-verified date snapshot — drives factor freshness |
|
|
76
76
|
| `data/zeroday-lessons.json` | Closes the loop: zero-day's lesson entry feeds back the framework gap that RWEP's score implied |
|
|
77
77
|
|
|
@@ -88,10 +88,10 @@ How each RWEP factor maps to a real CVE in `data/cve-catalog.json`:
|
|
|
88
88
|
| CVE-2026-31431 (Copy Fail) | Yes | Yes (732-byte) | Yes | Confirmed | All Linux ≥ 4.14 (30) | Yes | Yes (kpatch/livepatch/kGraft) | 90 | 7.8 |
|
|
89
89
|
| CVE-2026-43284 (Dirty Frag ESP/IPsec) | No | Yes (chain) | No | Suspected | IPsec-using systems (18) | Yes | RHEL-only kpatch | 38 | 7.8 |
|
|
90
90
|
| CVE-2026-43500 (Dirty Frag RxRPC) | No | Yes (chain) | No | Suspected | RxRPC-loaded systems | Yes | Partial | 32 | 7.6 |
|
|
91
|
-
| CVE-2025-53773 (Copilot
|
|
92
|
-
| CVE-2026-30615 (Windsurf MCP RCE) | No | Partial | No | Suspected (supply-chain) | 150M+ downloads
|
|
91
|
+
| CVE-2025-53773 (Copilot YOLO-mode RCE) | No | Yes (demonstrated) | Yes (AI tooling enables) | Suspected | GitHub Copilot users (15) | Yes (SaaS) | Yes (SaaS push) | 30 | 7.8 |
|
|
92
|
+
| CVE-2026-30615 (Windsurf MCP local-vector RCE) | No | Partial | No | Suspected (supply-chain) | 150M+ downloads, local-vector + supply-chain prereq | Yes | Yes (IDE update) | 35 | 8.0 |
|
|
93
93
|
|
|
94
|
-
Key reads: Copy Fail (RWEP 90, CVSS 7.8) and Windsurf MCP (RWEP 35, CVSS
|
|
94
|
+
Key reads: Copy Fail (RWEP 90, CVSS 7.8) and Windsurf MCP (RWEP 35, CVSS 8.0) sit at opposite ends of the exploitation-evidence axis — Copy Fail is the canonical case of CVSS under-prioritization (KEV + deterministic public PoC + AI-discovered + broad blast-radius dominate); Windsurf MCP is the canonical case of CVSS-vector blindness (the AV:L local-attack vector plus the supply-chain prerequisite throttle real exploitation rate even after CVSS was corrected from 9.8 to 8.0).
|
|
95
95
|
|
|
96
96
|
---
|
|
97
97
|
|
|
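Review bot: the Blast Radius column carries the factor's point value in parentheses for three rows (`(30)`, `(18)`, `(15)`) but not for the RxRPC or Windsurf rows, even though the Windsurf factor table below awards +20. Add `(20)` to the Windsurf row and the corresponding value to the RxRPC row so the column is comparable, or drop the parenthesised points from all rows.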
@@ -190,7 +190,7 @@ RWEP = min(100, max(0,
|
|
|
190
190
|
|
|
191
191
|
---
|
|
192
192
|
|
|
193
|
-
### CVE-2025-53773 — GitHub Copilot
|
|
193
|
+
### CVE-2025-53773 — GitHub Copilot YOLO-Mode RCE
|
|
194
194
|
|
|
195
195
|
| Factor | Value | Points |
|
|
196
196
|
|---|---|---|
|
|
@@ -198,17 +198,17 @@ RWEP = min(100, max(0,
|
|
|
198
198
|
| PoC Public | Yes (demonstrated) | +20 |
|
|
199
199
|
| AI-Assisted | Yes (AI tooling enables) | +15 |
|
|
200
200
|
| Active Exploitation | Suspected | +10 |
|
|
201
|
-
| Blast Radius | GitHub Copilot users — large developer population | +
|
|
201
|
+
| Blast Radius | GitHub Copilot users — large developer population, but local-vector via IDE interaction | +10 |
|
|
202
202
|
| Patch Available | Yes (GitHub patched) | -15 |
|
|
203
203
|
| Live Patch Available | Yes (SaaS patch) | -10 |
|
|
204
204
|
| Reboot Required | No (SaaS update) | 0 |
|
|
205
|
-
| **RWEP** | | **
|
|
205
|
+
| **RWEP** | | **30** |
|
|
206
206
|
|
|
207
|
-
**Interpretation:** CVSS
|
|
207
|
+
**Interpretation:** CVSS 7.8 (AV:L) vs. RWEP 30 — the local-vector reality is baked into both scores; RWEP additionally throttles for "suspected, not confirmed" exploitation and for the SaaS live-patch path. The lack of framework coverage for prompt injection as an attack class (no control in any major framework) makes this a critical monitoring gap regardless of the RWEP score.
|
|
208
208
|
|
|
209
209
|
---
|
|
210
210
|
|
|
211
|
-
### CVE-2026-30615 — Windsurf MCP
|
|
211
|
+
### CVE-2026-30615 — Windsurf MCP Local-Vector RCE
|
|
212
212
|
|
|
213
213
|
| Factor | Value | Points |
|
|
214
214
|
|---|---|---|
|
|
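Review bot: the Copilot Blast Radius row scores +10 for `large developer population, but local-vector via IDE interaction`, while the Windsurf table applies +20 under the same `local-vector + supply-chain prerequisite` qualifier for 150M+ downloads. If the local-vector discount is meant to be identical, document the population thresholds that yield 10 versus 20; otherwise a reader cannot reproduce either score from the formula.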
@@ -216,13 +216,13 @@ RWEP = min(100, max(0,
|
|
|
216
216
|
| PoC Public | Partial | +10 |
|
|
217
217
|
| AI-Assisted | No | 0 |
|
|
218
218
|
| Active Exploitation | Suspected (supply chain targeting) | +10 |
|
|
219
|
-
| Blast Radius | 150M+
|
|
219
|
+
| Blast Radius | 150M+ MCP-capable assistant downloads, local-vector + supply-chain prerequisite | +20 |
|
|
220
220
|
| Patch Available | Yes | -15 |
|
|
221
221
|
| Live Patch Available | Yes (IDE update) | -10 |
|
|
222
222
|
| Reboot Required | No | 0 |
|
|
223
223
|
| **RWEP** | | **35** |
|
|
224
224
|
|
|
225
|
-
**vs. CVSS:** CVSS 9.8 vs. RWEP 35 —
|
|
225
|
+
**vs. CVSS:** CVSS 8.0 (AV:L, NVD-corrected from initial 9.8) vs. RWEP 35 — this pair demonstrates CVSS local-vector blindness against RWEP exploitation-reality weighting. CVSS 8.0 is still high because the worst-case is RCE in user context, but the AV:L correction already reflects that the attacker must control HTML content the MCP client processes. RWEP additionally throttles for no CISA KEV, suspected-only exploitation, and the supply-chain prerequisite (a malicious MCP server must first be installed). Key insight: RWEP correctly signals elevated priority, not emergency — unlike Copy Fail (RWEP 90) where signal dominates regardless of CVSS band.
|
|
226
226
|
|
|
227
227
|
---
|
|
228
228
|
|
|
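Review bot: the visible factor rows of this table do not add up to the stated total: +10 (PoC) + 0 (AI-Assisted) + 10 (Active Exploitation) + 20 (Blast Radius) - 15 (Patch) - 10 (Live Patch) + 0 (Reboot) = 15, not 35. The only row outside this hunk is CISA KEV, and the `vs. CVSS` paragraph says `no CISA KEV`, so it should contribute 0. Either a +20 row is missing or the total (also quoted as 35 in every other table in this diff) is wrong; recompute from the `RWEP = min(100, max(0, ...` formula in the hunk header and correct whichever side is off.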
@@ -242,11 +242,11 @@ When CVSS and RWEP diverge significantly, it surfaces important context:
|
|
|
242
242
|
- Example: Copy Fail — CVSS doesn't capture AI-discovered + deterministic + CISA KEV + all Linux
|
|
243
243
|
- Framework compliance that uses CVSS thresholds for SLA will deprioritize Copy Fail relative to a CVSS 9.8 with no public exploit
|
|
244
244
|
|
|
245
|
-
**
|
|
246
|
-
- Copilot RCE (CVSS
|
|
247
|
-
- Windsurf MCP (CVSS
|
|
248
|
-
- RWEP correctly prioritizes Copy Fail (RWEP 90) over Windsurf MCP (RWEP 35) despite
|
|
249
|
-
- Framework compliance that uses CVSS alone
|
|
245
|
+
**Moderate CVSS, low RWEP** — CVSS-vector still overstates urgency once exploitation evidence is weighted:
|
|
246
|
+
- Copilot YOLO-mode RCE (CVSS 7.8 / RWEP 30): local-vector, no KEV, suspected exploitation — important monitoring gap but not emergency
|
|
247
|
+
- Windsurf MCP (CVSS 8.0 / RWEP 35): local-vector, no KEV, supply-chain prerequisite limits actual exploitation rate
|
|
248
|
+
- RWEP correctly prioritizes Copy Fail (RWEP 90, CVSS 7.8) over Windsurf MCP (RWEP 35, CVSS 8.0) despite the two CVEs sitting in adjacent CVSS bands
|
|
249
|
+
- Framework compliance that uses CVSS alone may treat Windsurf MCP and Copy Fail as similar-urgency — incorrect
|
|
250
250
|
|
|
251
251
|
---
|
|
252
252
|
|
|
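Review bot: `despite the two CVEs sitting in adjacent CVSS bands` is wrong on the numbers given: 7.8 and 8.0 are both in the CVSS v3 High band (7.0 to 8.9), so the CVEs sit in the same band, which makes the argument stronger, not weaker. Reword to `the same CVSS band`, and reconsider the heading `Moderate CVSS, low RWEP`, since 7.8 and 8.0 are High, not moderate, in CVSS terms.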
@@ -334,4 +334,4 @@ Run this check against any organization claiming vulnerability-management compli
|
|
|
334
334
|
|
|
335
335
|
> "Open your last quarterly vuln-management metrics report. Does it report `mean time to remediate by CVSS band`? If that is the headline metric, the program optimizes for CVSS-band SLAs, not for actual exploit-priority response. The KPI itself is theater. The honest metric is: for CVEs that crossed RWEP ≥ 75 during the quarter, what was the mean time from RWEP-75 threshold crossing to deployed mitigation? If the org doesn't track RWEP at all, the program has no instrumentation to detect when CVSS-banded SLAs fail — which they do for every CISA KEV + AI-discovered class in `data/cve-catalog.json`."
|
|
336
336
|
|
|
337
|
-
> "Ask: when CVE-2026-31431 was published, what was the actual time from publication to deployed mitigation across the estate? Compare it to the policy's 30-day High SLA. The org likely met SLA. RWEP 90 required action in 4 hours.
|
|
337
|
+
> "Ask: when CVE-2026-31431 was published, what was the actual time from publication to deployed mitigation across the estate? Compare it to the policy's 30-day High SLA. The org likely met SLA. RWEP 90 required action in 4 hours. CISA KEV listed the CVE on 2026-05-01 with federal due date 2026-05-15. Today (~13 days after listing) any unpatched estate is past the federal due date and demonstrably exposed to a 732-byte deterministic public PoC on CISA KEV. The gap between 'met internal SLA' and 'past federal due date with active exploitation in scope' is the size of the theater."
|
|
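Review bot: the added sentence `Today (~13 days after listing)` hardcodes a relative date into a reusable check question; it is true on one day only and reads as stale or wrong afterwards. Express it against the catalog dates instead (for example, any estate still unpatched after 2026-05-15 is past the federal due date) and let the analyst supply the elapsed time when the check is run.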
@@ -32,8 +32,8 @@ This skill analyzes the gap between what a compliance framework control was desi
|
|
|
32
32
|
Compliance frameworks lag the threat environment by years. Most active controls in NIST 800-53, ISO 27001:2022, SOC 2, PCI DSS 4.0, NIS2, and DORA were drafted against assumptions (human-speed exploit development, persistent inventoriable assets, human-controlled accounts) that current attacker TTPs no longer respect. Three concrete mid-2026 instances anchor the lag:
|
|
33
33
|
|
|
34
34
|
- **CVE-2026-31431 (Copy Fail)** — CISA KEV-listed Linux kernel LPE, AI-discovered in roughly one hour, 732-byte deterministic public PoC, no race condition. NIST 800-53 SI-2 and ISO 27001:2022 A.8.8 patch-window language permits 30-day remediation, during which active exploitation is the documented condition. See `data/cve-catalog.json` for the full entry.
|
|
35
|
-
- **CVE-2025-53773** — GitHub Copilot
|
|
36
|
-
- **CVE-2026-30615** — Windsurf MCP
|
|
35
|
+
- **CVE-2025-53773** — GitHub Copilot YOLO-mode RCE, CVSS 7.8 (AV:L — local-vector through developer-side IDE interaction; the NVD-authoritative score was corrected from an initial 9.6 / AV:N). Bypasses SOC 2 CC6 and NIST 800-53 AC-2 because the action executes under the AI service account's authorized identity; the access control audit shows "passed."
|
|
36
|
+
- **CVE-2026-30615** — Windsurf MCP local-vector RCE, CVSS 8.0 / AV:L (NVD-authoritative; corrected from initial 9.8 / AV:N once the attack-vector reality — attacker controls HTML the MCP client processes — was confirmed). 150M+ combined downloads across MCP-capable assistants share the architectural surface. ISO 27001:2022 A.5.19 / A.5.20 vendor-management language treats MCP servers as SaaS tools, not third-party code executing in production developer environments.
|
|
37
37
|
|
|
38
38
|
This skill exists because every gap-analysis engagement encounters at least one control where a "compliant" auditor finding masks current-TTP exposure. The built-in gap catalog below is the codified evidence base.
|
|
39
39
|
|
|
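Review bot: the Copilot bullet now asserts the score `was corrected from an initial 9.6 / AV:N`, but the dedicated CVE-2025-53773 factor table and its interpretation in this same diff give only `CVSS 7.8 (AV:L)` with no mention of a correction, and the catalog is the stated source of truth for scores. Mirror the correction note there or cite the NVD record here so the two places cannot drift.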
@@ -76,7 +76,7 @@ This skill maps framework controls to attacker TTPs on demand rather than static
|
|
|
76
76
|
| NIST 800-53 SI-2 vs. deterministic LPE | T1068 (Exploitation for Privilege Escalation), T1548.001 | Patch SLA permits active exploitation window |
|
|
77
77
|
| NIST 800-53 SC-8/SC-28 vs. Dirty Frag | T1190 (Exploit Public-Facing Application) via IPsec subsystem | Cryptographic control is the attack surface |
|
|
78
78
|
| NIST 800-53 AC-2 vs. prompt injection | AML.T0051 (LLM Prompt Injection), AML.T0054 | Authorized identity executes attacker intent |
|
|
79
|
-
| NIST 800-53 SI-3 vs. AI-generated malware | AML.
|
|
79
|
+
| NIST 800-53 SI-3 vs. AI-generated malware | AML.T0016 (adversary Develop Capabilities — payload generation), AML.T0018 | Signature-based detection has zero coverage |
|
|
80
80
|
| ISO 27001 A.8.8 vs. CISA KEV class | T1068, T1203 | "Appropriate timescales" undefined for AI-accelerated weaponization |
|
|
81
81
|
| SOC 2 CC6 vs. prompt injection | AML.T0051 | Authorization model has no prompt-level granularity |
|
|
82
82
|
| PCI DSS 6.3.3 vs. AI-accelerated weaponization | T1068, T1190 | One-month window predates AI-assisted exploit development |
|
|
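Review bot: the SI-3 row maps `AI-generated malware` to `AML.T0018`, which this diff elsewhere uses as Backdoor ML Model (the Change Management Theater row). A backdoored model is a supply-chain artifact, not malware produced with AI assistance, so the T0018 mapping needs a justification or should be dropped, leaving the AML.T0016 capability-development mapping (subject to the ID/name check raised on the first hunk).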
@@ -93,8 +93,8 @@ This skill consumes the matrix produced upstream by the exploit-scoring skill. T
|
|
|
93
93
|
|---|---|---|---|---|---|---|---|
|
|
94
94
|
| CVE-2026-31431 (Copy Fail) | High | Critical | Yes | Yes (732 bytes, deterministic) | Yes (AI-discovered) | Yes (kpatch/livepatch) | Confirmed |
|
|
95
95
|
| CVE-2026-43284 (Dirty Frag) | High | High | Pending | Partial | No | Limited (subsystem-dependent) | Suspected |
|
|
96
|
-
| CVE-2025-53773 (Copilot
|
|
97
|
-
| CVE-2026-30615 (Windsurf MCP RCE) |
|
|
96
|
+
| CVE-2025-53773 (Copilot YOLO-mode RCE) | 7.8 | 30 | No | Yes (demonstrated) | Yes (AI tooling enables) | Yes (SaaS push / IDE update) | Suspected |
|
|
97
|
+
| CVE-2026-30615 (Windsurf MCP local-vector RCE) | 8.0 | 35 | No | Partial | No | Yes (IDE update) | Suspected |
|
|
98
98
|
|
|
99
99
|
When a gap analysis cites a CVE not in this matrix, the analyst must populate the row from `data/cve-catalog.json` before producing the declaration. A declaration without an evidence row is incomplete.
|
|
100
100
|
|
|
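Review bot: same column mixing as the theater evidence matrix: the Copy Fail and Dirty Frag rows give `High` / `Critical` / `High` in the CVSS and RWEP columns while the two edited rows give `7.8` / `30` and `8.0` / `35`. Since this matrix is described as consumed from the exploit-scoring skill, every row should use that skill's output representation.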
@@ -368,7 +368,7 @@ Specific high-confidence theater signals (each triggers a mandatory Framework La
|
|
|
368
368
|
|---|---|
|
|
369
369
|
| Org claims SI-2 / A.8.8 / PCI 6.3.3 30-day patching as adequate for CISA KEV entries | CVE-2026-31431 KEV-listed; deterministic public PoC means active exploitation during the window |
|
|
370
370
|
| Org claims AC-2 / CC6 as adequate for AI-agent access control | CVE-2025-53773 demonstrates AML.T0051 routing around the identity model entirely |
-
| Org claims A.5.19 / SA-12 vendor management as adequate for MCP servers | CVE-2026-30615 demonstrates AML.T0010 supply-chain RCE
+
| Org claims A.5.19 / SA-12 vendor management as adequate for MCP servers | CVE-2026-30615 demonstrates AML.T0010 supply-chain RCE via attacker-controlled HTML processed by the MCP client (local-vector, not network) |
| Org claims IPsec-based SC-8 segmentation as adequate without a kernel-patch status check | CVE-2026-43284 makes the IPsec implementation the attack surface |
When this check fires, hand off to the compliance-theater skill for the theater-pattern detection test and to policy-exception-gen if the org needs to grant a defensible exception with concrete compensating controls.
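Review bot: the rewritten row at line 371 keeps the AML.T0010 (supply-chain) mapping but now describes the vector as attacker-controlled HTML processed by the MCP client, which is a content-injection path rather than a compromised component; either state in the rationale cell why that counts as supply chain (for example, that the HTML arrives through a vendor-distributed MCP server), or map the signal to AML.T0051 alongside the CVE-2025-53773 row two lines above, so the two agent/MCP rows do not disagree about what the same class of vector demonstrates. The "(local-vector, not network)" qualifier is useful; consider carrying it into the SC-8 row at line 372 too, which otherwise reads as if a network segmentation control were the relevant surface.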
@@ -453,8 +453,9 @@ A summary of the multi-jurisdiction control surface vs. the high-priority TTPs f
| ML supply chain (MCP, models) | AML.T0010 | EU CRA Annex I (post 2026-09-11 reporting) | All others — supply-chain controls do not name AI plugins |
| LLM C2 abuse (SesameOp) | AML.T0096 | None | All — no jurisdiction has a control for AI-API as C2 |
| Poison Training Data | AML.T0020 | EU AI Act Art. 10 (data and data governance for high-risk AI) | All others |
-
-
+
| LLM Jailbreak | AML.T0054 | None — same gap as AML.T0051 | All |
+
| Discover ML Model Ontology | AML.T0017 | None — adversary reconnaissance against deployed models, no mapped control | All |
+
| Obtain Capabilities: Develop Capabilities (AI-assisted weaponization) | AML.T0016 | None — adversary capability, not directly controllable | All |
| Privilege escalation (T1068) | ATT&CK T1068 | AU ISM-1623 / Essential 8 ML3 (48h patch with exploit) | EU (no specific SLA), UK (14d generic), SG (30d), JP, IN, CA |
| Exploit public-facing app (T1190) | ATT&CK T1190 | AU Essential 8 (patching applications) | All — none address AI-mediated T1190 like CVE-2025-53773 |
| Phishing (T1566) | ATT&CK T1566 | None updated for AI-generated content | All — phishing guidance generally pre-AI-baseline |
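Review bot: the two removed rows at old lines 456-457 show no text in this view, so a reviewer cannot confirm what the three added rows replace; the changelog entry for this release should name the rows that were dropped. Separately, the ID-to-name pairs are inconsistent across the package: the added row at new line 458 calls AML.T0016 `Obtain Capabilities: Develop Capabilities`, the NIST 800-53 SI-3 row earlier in this diff calls the same ID `Develop Capabilities`, and the IR skill in this same release renames AML.T0017 to `Discover ML Model Ontology`; verify each pair against the pinned ATLAS v5.1.0 release and use exactly one technique name per ID everywhere, since these adjacent IDs are easy to transpose and the `_indexes` files key on them.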
@@ -67,7 +67,7 @@ last_threat_review: "2026-05-11"
Identity is the new perimeter, and the perimeter expanded. The 2026 principal population is no longer "humans + service accounts" — it now includes AI agents acting on behalf of users, MCP servers exchanging short-lived tokens, and ephemeral workload identities minted per function invocation. Each of these is a principal that authenticates, holds scopes, and shows up in audit logs — and each was outside the design envelope of every identity standard in production use before NIST 800-63 rev 4 (Q4 2025).
-
**Agent-as-principal is operational reality.** When an AI coding assistant calls an MCP tool, it does so under the IDE user's OAuth session by default. The agent inherits the user's scopes wholesale — not because anyone designed it that way, but because no current identity standard defines an agent-as-principal model. CVE-2026-30615 (Windsurf MCP
+
**Agent-as-principal is operational reality.** When an AI coding assistant calls an MCP tool, it does so under the IDE user's OAuth session by default. The agent inherits the user's scopes wholesale — not because anyone designed it that way, but because no current identity standard defines an agent-as-principal model. CVE-2026-30615 (Windsurf MCP local-vector RCE, CVSS 8.0 / AV:L) hinged in part on this implicit inheritance: tool calls executed under the IDE user's privileges with no separate authentication challenge for the agent's actions. The principal who authenticated (the human) is not the principal who took the action (the agent), and the audit trail does not distinguish them.
**Phishing-resistant authentication is now table-stakes.** FIDO2 / WebAuthn synced passkeys are the only widely deployed authenticator class that survives credential phishing, AiTM proxy phishing (evilginx-class), and push-notification fatigue attacks. Orgs still standing on TOTP / SMS / push-MFA in 2026 are shipping password-equivalent risk forward, and the framework gap analysis must say so. AI-assisted phishing kit development means the time-to-weaponize a new bypass technique is hours, not weeks (per DR-5: AI acceleration is current operational reality, not a future consideration).
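Review bot: the completed paragraph at line 70 says CVE-2026-30615 "hinged in part on this implicit inheritance", but the threat table in this same release describes the vector as attacker-controlled HTML processed by the MCP client and records the inherited session only as what the tool calls ran under, not as the flaw; either cite the evidence for the inheritance claim (the evidence-matrix row or the vendor advisory) or soften it to "its impact was amplified by", since this paragraph is the premise the rest of the skill argues from. The same paragraph also asserts "no current identity standard defines an agent-as-principal model" two sentences after line 68 presents NIST 800-63 rev 4 (Q4 2025) as the first standard whose design envelope includes these principals; reconcile the two, for instance by saying rev 4 recognizes the principals but does not yet define an agent-as-principal authentication model, if that is what is meant.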
@@ -125,7 +125,7 @@ Sourced from `data/cve-catalog.json` and `data/exploit-availability.json` as of
| Threat | CVSS | RWEP | PoC Public? | CISA KEV? | AI-Accelerated Weaponization? | Patch / Mitigation? |
|---|---|---|---|---|---|---|
-
| CVE-2026-30615 (Windsurf MCP
+
| CVE-2026-30615 (Windsurf MCP local-vector RCE — implicit identity inheritance) | 8.0 | 35 | Partial — conceptual exploit demonstrated | No (architectural class) | No direct AI-assisted weaponization recorded; the attack rides on agent tool-call autonomy under the user's inherited session, AV:L through attacker-controlled HTML the MCP client processes | Vendor IDE update; identity-layer mitigation is scoped agent token + tool allowlist (see mcp-agent-trust). |
| AiTM passkey-relay / FIDO2-bypass phishing kits | N/A (kit class, not vendor CVE) | N/A | Public research and limited in-the-wild observations; nothing fully bypasses **synced** passkeys without endpoint compromise (the device-bound private key remains in the secure enclave). Bypasses against TOTP / push-MFA / SMS are commodity. | Technique class | Yes — AI-assisted kit configuration and target-tailored lure generation are documented capabilities. | Mitigation: enforce phishing-resistant authenticators (passkey or hardware-token AAL3) for privileged roles; endpoint-binding (D3-CBAN) for highly-privileged roles. |
| OAuth refresh-token theft + replay (RFC 9700 BCP §2.2.2) | N/A (technique) | N/A | Yes — public research; commodity in adversary toolkits. | No (technique) | Yes — credential-theft → automated replay is well-AI-assisted. | Mitigation: short-lived access tokens, sender-constrained tokens (DPoP / mTLS per RFC 9700), rotated refresh tokens, refresh-token-reuse detection. |
| JWT validation-bypass class (RFC 8725 BCP failures: `alg=none`, key confusion, audience confusion, `kid` traversal) | Class-level — multiple vendor CVEs over time, current high-RWEP entries vary | N/A (class) | Yes — generic class with library-specific PoCs. | No (class) | Yes — AI-assisted scanning for vulnerable verifier configurations. | Mitigation: pin allowed algorithms server-side, validate `iss` / `aud` / `exp` / `nbf`, treat `kid` as untrusted input, follow RFC 8725 BCP. |
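Review bot: in the rewritten CVE-2026-30615 row at line 128 the `AI-Accelerated Weaponization?` cell carries the attack-vector description ("AV:L through attacker-controlled HTML the MCP client processes"), which belongs in the `Threat` cell next to the CVE name; keep that column to the yes/no answer plus its one-clause justification, as the three rows below it do, and move the vector text into the first column so the row scans like the rest of the table. The `CISA KEV?` cell reads "No (architectural class)", but a CVE with a vendor fix is not a class; the parenthetical seems meant for the kit-class rows below and should be dropped here or reworded to say why KEV listing is not expected (e.g. AV:L, no in-the-wild exploitation recorded).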
@@ -66,7 +66,7 @@ last_threat_review: "2026-05-11"
Incident response (IR) is the operational closure of every other skill in this catalog. A vulnerability becomes a CVE through `coordinated-vuln-disclosure`; a CVE becomes a lesson through `zeroday-gap-learn`; a lesson becomes a control through `framework-gap-analysis`; an attack on that control becomes an incident — and the incident handler runs the playbook this skill defines. If the playbook is wrong, every preceding investment leaks at the last yard.
-
This skill operationalizes NIST SP 800-61r3 (Computer Security Incident Handling Guide, 2025 update integrating ATT&CK and Cyber Kill Chain), ISO/IEC 27035-1:2023 (principles and process) + ISO/IEC 27035-2:2023 (guidelines for incident response planning), and the SANS PICERL phases (Preparation, Identification, Containment, Eradication, Recovery, Lessons learned). It threads the Diamond Model and the MITRE Unified Kill Chain for adversary-narrative reconstruction, anchors detection engineering to MITRE ATT&CK
+
This skill operationalizes NIST SP 800-61r3 (Computer Security Incident Handling Guide, 2025 update integrating ATT&CK and Cyber Kill Chain), ISO/IEC 27035-1:2023 (principles and process) + ISO/IEC 27035-2:2023 (guidelines for incident response planning), and the SANS PICERL phases (Preparation, Identification, Containment, Eradication, Recovery, Lessons learned). It threads the Diamond Model and the MITRE Unified Kill Chain for adversary-narrative reconstruction, anchors detection engineering to MITRE ATT&CK v17 (2025-06-25), and treats three incident classes that the legacy IR literature predates: AI-class incidents (prompt-injection breach, model exfiltration, AI-API as C2 channel, AI-agent-initiated unauthorized action), AI-generated supply-chain compromise, and regulator-mandated notification under cross-jurisdiction clocks running in parallel.
---
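Review bot: the completed sentence at line 69 lists "regulator-mandated notification under cross-jurisdiction clocks running in parallel" as the third of "three incident classes", but it is a response obligation that attaches to any class, not an incident class; name it separately (two incident classes and one obligation the legacy literature predates) so the taxonomy matches the playbook tables later in the file, which key on incident class. The ATT&CK v17 (2025-06-25) pin here agrees with the pin statement at line 135 of this file; when the pin changes, both sentences need updating, so consider quoting the version from one place (a front-matter field, say) rather than hard-coding it twice.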
@@ -129,10 +129,10 @@ This skill is response-shaped — the TTPs below name the incident classes the p
| **T1567** | Exfiltration Over Web Service | Exfiltration via legitimate web/SaaS services including AI-API | Identification: web-egress to anomalous services or anomalous-volume to legitimate services; for AI-API channel pair with `ai-c2-detection`. Containment: egress block of identified channel, AI-API key revocation, MCP-server scope reduction. Eradication: identify exfiltrated dataset, follow data-incident sub-playbook. Recovery: re-key + re-issue access. | AI-API exfiltration (sub-technique T1567.<sub-technique-id> pattern; ATLAS overlap with AML.T0017) typically blends with legitimate traffic — see `ai-c2-detection` for content-layer detection. |
| **T1078** | Valid Accounts | Identity compromise as initial access | Identification: anomalous-sign-in UEBA, impossible-travel, MFA-fatigue patterns. Containment: account disable + session revocation + re-authentication for affected blast radius. Eradication: credential rotation, token revocation, OAuth-grant audit, AI-agent service-account rotation. Recovery: re-issue under zero-trust posture. Lessons: identity-control gap analysis. | Dominant initial-access vector mid-2026; coverage strong for human accounts, weak for AI-agent / service-account / OAuth-app identities. |
| **AML.T0096** | LLM API as C2 | AI-API as command-and-control channel (SesameOp pattern) | Identification: see `ai-c2-detection` skill — content-layer detection at the AI API egress boundary, prompt-and-response correlation, anomalous AI-API usage shape. Containment: AI-API egress block or proxy-mediated allowlist. Eradication: identify the agent or workload abusing the channel. Recovery: re-issue AI-API keys under scoped least-privilege. | Detection coverage near-absent in legacy SOC stacks; the AI traffic shape is novel and signatures do not exist for most enterprise SIEMs. |
-
| **AML.T0017** | ML Model
+
| **AML.T0017** | Discover ML Model Ontology | Adversary mapping of deployed model family, system-prompt structure, guardrails, and training-data signal — precursor to extraction and adversarial-input crafting | Identification: anomalous inference-API usage patterns (high-volume queries, structured probing, membership-inference signatures, repeated training-data extraction prompts). Containment: rate-limit + API-key revocation + IP block. Eradication: identify attacker access surface; assess what model-ontology data was exposed. Recovery: re-key, consider model-rotation if proprietary weights are at risk; for training-data exfiltration consider differential-privacy retraining. | No standardized detection signatures; org must build custom telemetry over AI inference APIs. |
| **AML.T0051** | LLM Prompt Injection | Prompt-injection breach as incident trigger | Identification: AI-assistant or agentic-system anomalous action (unauthorized data access, anomalous tool invocation, identity-context confusion). Containment: revoke AI-system tool scopes, disable agent autonomy, isolate affected RAG corpus. Eradication: identify injection vector (web content, email signature, document metadata, RAG corpus poisoning) and remove. Recovery: re-deploy with hardened system prompt + tool-scoping per `mcp-agent-trust`. | Detection lags; most orgs discover the incident from downstream effect (unauthorized action) rather than detection at the prompt boundary. |
-
ATLAS pinned to v5.1.0 (November 2025) per AGENTS.md rule #
+
ATLAS pinned to v5.1.0 (November 2025) per AGENTS.md rule #8. ATT&CK pinned to v17 (2025-06-25) per the same rule; the v15-to-v17 ID migration does not introduce breaking changes for the T-IDs cited above.
---
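Review bot: the unchanged T1567 row at line 129 still says "ATLAS overlap with AML.T0017" for AI-API exfiltration, but line 132 now defines AML.T0017 as Discover ML Model Ontology (reconnaissance), so the cross-reference no longer describes an exfiltration overlap; point it at the ATLAS exfiltration technique that was intended, or drop it. The same row ships the placeholder `T1567.<sub-technique-id>` in reader-facing text; fill it or remove the parenthetical. In the completed pin note at line 135, "the v15-to-v17 ID migration does not introduce breaking changes for the T-IDs cited above" should say how that was established (which IDs were checked against the v17 release and when), because the skill validators in this package are the place that assertion should be enforced rather than stated.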
@@ -215,7 +215,7 @@ Apply containment matching the class. Common patterns:
- **Data exfiltration (T1041 / T1567)**: egress block at the identified channel; certificate-pinned proxy enforcement; identify what was exfiltrated (scope determination drives notification scope).
- **Identity compromise (T1078)**: account disable, session revocation, MFA re-enrollment, OAuth-grant audit; for service / AI-agent accounts, scope-reduce + rotate.
- **AI-API C2 (AML.T0096)**: AI-API egress block or proxy-mediated allowlist; identify the workload abusing the channel; AI-API key revocation.
-
- **Model
+
- **Model ontology discovery (AML.T0017)**: rate-limit the inference API; revoke the abusing API key; IP-block as supplemental; assess what model-ontology data (system prompt, guardrail surface, model family signal) was exposed and tighten the inference-API rate + shape baseline before re-issue.
- **Prompt-injection breach (AML.T0051)**: disable the affected agent autonomy or revoke its tool scopes; isolate the RAG corpus suspected as injection vector; capture the injected content for forensics.
- **Supply-chain (T1195)**: identify affected component versions via SBOM; coordinate with vendor (hand off to `coordinated-vuln-disclosure` reverse-direction — receiving vendor advisory); VEX-driven inventory of affected workloads.
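Review bot: the rewritten AML.T0017 bullet at line 218 ends with "tighten the inference-API rate + shape baseline before re-issue", which is a recovery action, while this list is the containment step ("Apply containment matching the class"); the AML.T0017 table row at line 132 already places re-keying under Recovery, so move the baseline-tightening sentence there and keep this bullet to rate-limit, key revocation and IP block, matching the shape of the T1078 and AML.T0096 bullets above it. "IP-block as supplemental" should also say what it supplements, i.e. that key revocation is the primary control and the IP block is not relied on alone, since inference-API abuse from shared egress addresses would otherwise suggest the block does more than it can.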