@blamejs/exceptd-skills 0.12.24 → 0.12.26

package/skills/ai-c2-detection/skill.md

@@ -48,13 +48,15 @@ d3fend_refs:
   - D3-NI
   - D3-NTA
   - D3-NTPM
-last_threat_review: "2026-05-13"
+last_threat_review: "2026-05-15"
 ---
 
 # AI C2 Detection
 
 ## Threat Context (mid-2026)
 
+The AI-as-adversary reality that motivates this skill is now operationally documented: 41% of 2025 zero-days were AI-discovered (GTIG 2025), the first AI-built in-the-wild zero-day was confirmed 2026-05-11 (GTIG AI 2FA-bypass case), and Fragnesia (CVE-2026-46300, 2026-05-13) is the canonical AI-driven autonomous-discovery anchor — Zellic's agentic auditor surfaced an 18-year-old Linux kernel primitive. C2 channels riding the same agentic AI infrastructure are the next logical step; CTID Secure AI v2 (2026-05-06, replaces v1) treats AI-API C2 detection as an in-scope control class.
+
 ### SesameOp — AI APIs as Covert C2 (ATLAS AML.T0096)
 
 The SesameOp campaign documented a technique that has since been replicated and expanded: adversaries repurposing legitimate AI agent APIs as covert command-and-control channels.

package/skills/ai-risk-management/skill.md

@@ -42,7 +42,7 @@ cwe_refs:
   - CWE-1039
 d3fend_refs:
   - D3-IOPR
-last_threat_review: "2026-05-11"
+last_threat_review: "2026-05-15"
 ---
 
 # AI Risk Management (Governance Layer)
@@ -79,6 +79,8 @@ AI red-team activity has likewise shifted from voluntary research practice to go
 
 The 2024–2026 disclosure record is unforgiving: vendor advisories from OpenAI, Anthropic, Google DeepMind, and Microsoft have published AI vulnerability disclosures spanning prompt-injection-driven RCE (CVE-2025-53773, CVSS 7.8 / AV:L), local-vector MCP supply-chain RCE (CVE-2026-30615, CVSS 8.0 / AV:L), agentic-pipeline compromise patterns, and indirect-injection via retrieved content. An organisation with no governance artefact mapping these classes to internal use cases is not in a position to act on any of them.
 
+AI as adversary is now operational reality, not forecast: 41% of 2025 zero-days were AI-discovered (GTIG 2025 annual), the first documented AI-built in-the-wild zero-day surfaced 2026-05-11 (GTIG AI 2FA-bypass case), and Fragnesia (CVE-2026-46300, 2026-05-13) is the anchor case for autonomous agentic-AI discovery in load-bearing OSS — Zellic's agentic auditor surfaced an 18-year-old Linux kernel page-cache primitive. Risk registers, vendor questionnaires, and incident playbooks that omit AI-as-discovery-actor are out of currency. Align the AIMS to **CTID Secure AI v2 (2026-05-06)** — Secure AI v1 is superseded; Annex SL clause-by-clause mapping in `data/framework-control-gaps.json`.
+
 ---
 
 ## Framework Lag Declaration

package/skills/api-security/skill.md

@@ -63,6 +63,10 @@ d3fend_refs:
   - D3-CSPP
   - D3-MFA
   - D3-CBAN
+forward_watch:
+  - NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; track for active-exploitation confirmation and patch advisory affecting API gateway / reverse-proxy deployments
+  - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LiteLLM 3-bug SSRF + Code Injection chain by k3vg3n; LLM-proxy API surface; track upstream patch and CVE assignments
+  - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LiteLLM full SSRF + Code Injection by Out Of Bounds (Byung Young Yi); duplicate-class with the k3vg3n entry; track unified patch advisory
 last_threat_review: "2026-05-11"
 ---
 

package/skills/attack-surface-pentest/skill.md

@@ -55,6 +55,7 @@ forward_watch:
   - TIBER-EU scenario library refresh under DORA Year-2 supervisory cycle
   - OWASP WSTG v5.x AI/MCP test cases (currently in working-group draft)
   - PTES revision incorporating AI-surface enumeration
+  - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — Microsoft Edge 4-bug sandbox escape by Orange Tsai (DEVCORE); forward-watch only (browser sandbox, out of current playbook scope); track Microsoft Edge security advisory and KEV add
 d3fend_refs:
   - D3-CSPP
   - D3-EAL

package/skills/container-runtime-security/skill.md

@@ -57,7 +57,9 @@ d3fend_refs:
   - D3-NI
   - D3-NTPM
   - D3-IOPR
-last_threat_review: "2026-05-11"
+forward_watch:
+  - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Container Toolkit container escape ($50K award) by chompie / IBM X-Force XOR; high-severity container/hypervisor boundary break; track patch and KEV add post-embargo
+last_threat_review: "2026-05-15"
 ---
 
 # Container + Kubernetes Runtime Security (mid-2026)

package/skills/dlp-gap-analysis/skill.md

@@ -62,7 +62,7 @@ d3fend_refs:
   - D3-IOPR
   - D3-NTA
   - D3-NTPM
-last_threat_review: "2026-05-11"
+last_threat_review: "2026-05-15"
 ---
 
 # DLP Gap Analysis

package/skills/exploit-scoring/skill.md

@@ -19,7 +19,7 @@ attack_refs: []
 framework_gaps:
   - CWE-Top-25-2024-meta
   - CIS-Controls-v8-Control7
-last_threat_review: "2026-05-14"
+last_threat_review: "2026-05-15"
 ---
 
 # Real-World Exploit Priority (RWEP) Scoring
@@ -40,7 +40,7 @@ The `atlas_refs` and `attack_refs` arrays are intentionally empty. This skill is
 
 RWEP exists because the exploit development cycle has compressed. The factors that CVSS does not model are now the dominant signal in real-world prioritization.
 
-- **AI-accelerated exploit development is current operational reality, not emerging.** 41% of 2025 zero-days were discovered or weaponized with AI-assisted tooling (AGENTS.md DR-5). Copy Fail (CVE-2026-31431) was discovered by an AI system in approximately one hour. CVSS scoring assumes a human-speed gap between disclosure and reliable exploitation — that gap is gone for AI-capable threat actors.
+- **AI-accelerated exploit development is current operational reality, not emerging.** 41% of 2025 zero-days were discovered or weaponized with AI-assisted tooling (AGENTS.md DR-5 / GTIG 2025). Copy Fail (CVE-2026-31431) was discovered by an AI system in approximately one hour; Fragnesia (CVE-2026-46300, 2026-05-13) is the 2026 anchor case for autonomous agentic-AI discovery — Zellic's agentic auditor surfaced an 18-year-old Linux kernel primitive. The first documented AI-built in-the-wild zero-day landed 2026-05-11 (GTIG AI 2FA-bypass). CVSS scoring assumes a human-speed gap between disclosure and reliable exploitation — that gap is gone for AI-capable threat actors. RWEP's `ai_factor` weight is calibrated to this reality; align downstream scoring narratives to CTID Secure AI v2 (2026-05-06, replaces v1).
 - **CVSS undercounts AI-discovered + KEV-listed bugs.** CVE-2026-31431 scores CVSS 7.8 (High). Treated as a CVSS-band-7 item, it lands in a 30-day remediation queue. Treated honestly — CISA KEV listed, 732-byte deterministic public PoC, all Linux ≥ 4.14, AI-discovered — it is a 4-hour incident. CVSS misses every one of those amplifiers.
 - **CVSS local-vector blindness vs. RWEP exploitation reality.** CVE-2026-30615 (Windsurf MCP) scores CVSS 8.0 with AV:L (the NVD-authoritative corrected score; the initial CVSS 9.8 was withdrawn after attack-vector analysis confirmed the local-vector reality — the attacker must control HTML content that the Windsurf MCP client processes). RWEP rates it 35, lower than Copy Fail at 90: the supply-chain prerequisite (a victim first installs a malicious MCP server) plus the local attack vector throttle real exploitation rate. This pair is the canonical example of CVSS-vector-only scoring losing to RWEP's exploitation-evidence weighting.
 - **Compliance frameworks anchor SLAs on CVSS bands.** NIST 800-53 SI-2, PCI DSS 6.3.3, ISO 27001:2022 A.8.8, and most internal vuln-management policies translate CVSS High/Critical into 30-day/7-day windows. For AI-discovered KEV-listed LPEs with public PoCs, these windows are exploitation windows. RWEP is the layer that lets an org prioritize honestly without re-writing every framework control.

package/skills/incident-response-playbook/skill.md

@@ -59,7 +59,7 @@ forward_watch:
   - AU SOCI Act expanded sector coverage (data-storage and processing entities added 2024; further mandatory-reporting tiers under review)
   - IL INCD Incident Response Process v4 (slated for 2026-2027) consolidating AI-incident sub-class
   - NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization
-last_threat_review: "2026-05-11"
+last_threat_review: "2026-05-15"
 ---
 
 # Incident Response Playbook

package/skills/kernel-lpe-triage/skill.md

@@ -47,7 +47,12 @@ d3fend_refs:
   - D3-PHRA
   - D3-PSEP
   - D3-SCP
-last_threat_review: "2026-05-14"
+forward_watch:
+  - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12 or sooner via Patch Tuesday) — Windows 11 LPE improper access control by DEVCORE (Angelboy + TwinkleStar03); track MSRC advisory and KEV add
+  - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12 or sooner via Patch Tuesday) — Windows 11 LPE heap buffer overflow by Marcin Wiązowski; track MSRC advisory and KEV add
+  - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12 or sooner via Patch Tuesday) — Windows 11 LPE 2x use-after-free by Kentaro Kawane (GMO); track MSRC advisory and KEV add
+  - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — RHEL race-condition LPE by chompie / IBM X-Force XOR; track Red Hat advisory and KEV add
+last_threat_review: "2026-05-15"
 ---
 
 # Kernel LPE Triage

package/skills/mcp-agent-trust/skill.md

@@ -60,14 +60,19 @@ d3fend_refs:
   - D3-EAL
   - D3-EHB
   - D3-MFA
-last_threat_review: "2026-05-13"
+forward_watch:
+  - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LiteLLM 3-bug SSRF + Code Injection chain by k3vg3n; MCP-adjacent LLM proxy surface; track upstream patch and MCP trust advisory
+  - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LiteLLM full SSRF + Code Injection by Out Of Bounds (Byung Young Yi); duplicate-class with the k3vg3n entry; track unified patch advisory
+  - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LM Studio 5-bug exploit chain by STARLabs SG; impacts local MCP/agent runtime trust; track patch and integration advisories
+  - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — Claude Code MCP collision-scored entry by Viettel Cyber Security; CVE in flight; track MCP trust and tool-collision advisory
+last_threat_review: "2026-05-15"
 ---
 
 # MCP Agent Trust Assessment
 
 ## Threat Context (mid-2026)
 
-The Model Context Protocol (MCP) is an open protocol for connecting AI assistants to external tools and data sources. It is now the standard integration layer for AI coding assistants: Cursor, VS Code + GitHub Copilot, Windsurf, Claude Code, and Gemini CLI all support MCP servers.
+The Model Context Protocol (MCP) is an open protocol for connecting AI assistants to external tools and data sources. It is now the standard integration layer for AI coding assistants: Cursor, VS Code + GitHub Copilot, Windsurf, Claude Code, and Gemini CLI all support MCP servers. Background reality: 41% of 2025 zero-days were AI-discovered (GTIG 2025); Fragnesia (CVE-2026-46300, 2026-05-13) is the canonical AI-driven autonomous-discovery anchor — Zellic's agentic auditor surfaced an 18-year-old kernel primitive that load-bearing MCP-server hosts depend on. The first documented AI-built in-the-wild zero-day landed 2026-05-11 (GTIG AI 2FA-bypass). MCP trust posture should align to CTID Secure AI v2 (2026-05-06, replaces v1).
 
 MCP creates an architectural trust problem that no existing security framework addresses.
 

package/skills/mlops-security/skill.md

@@ -62,7 +62,7 @@ forward_watch:
   - SLSA v1.1 ML profile (draft) — model-provenance extension for training-run attestation chains; track ID and section changes
   - EU AI Act high-risk technical-file implementing acts (2026-2027) — operational requirements for Article 10 / 13 / 15 documentation may pin ML-BOM or model-signing
   - MITRE ATLAS v5.2 — track AML.T0010 sub-technique expansion and any new MLOps-pipeline-specific TTPs
-last_threat_review: "2026-05-11"
+last_threat_review: "2026-05-15"
 ---
 
 # MLOps Pipeline Security Assessment

package/skills/rag-pipeline-security/skill.md

@@ -37,14 +37,16 @@ d3fend_refs:
   - D3-FAPA
   - D3-IOPR
   - D3-NTA
-last_threat_review: "2026-05-13"
+forward_watch:
+  - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — Chroma vector DB CWE-190 + CWE-362 chain by haehae; impacts RAG vector store integrity (integer overflow + race condition); track patch and downstream RAG pipeline advisory
+last_threat_review: "2026-05-15"
 ---
 
 # RAG Pipeline Security Assessment
 
 ## Threat Context (mid-2026)
 
-Retrieval-Augmented Generation (RAG) pipelines introduce a unique attack surface that exists at the intersection of traditional data security and AI-specific vulnerabilities. No current compliance framework has adequate controls for this attack surface. The threats in this skill are not theoretical — they have been demonstrated in research and observed in production incidents.
+Retrieval-Augmented Generation (RAG) pipelines introduce a unique attack surface that exists at the intersection of traditional data security and AI-specific vulnerabilities. No current compliance framework has adequate controls for this attack surface. The threats in this skill are not theoretical — they have been demonstrated in research and observed in production incidents. Operational context: 41% of 2025 zero-days were AI-discovered (GTIG 2025); the first AI-built in-the-wild zero-day surfaced 2026-05-11 (GTIG AI 2FA-bypass), and Fragnesia (CVE-2026-46300, 2026-05-13) is the canonical AI-driven autonomous-discovery anchor (Zellic agentic auditor, 18-year-old Linux kernel primitive). RAG corpus trust posture should align to CTID Secure AI v2 (2026-05-06, replaces v1) — embedding-store integrity is in-scope.
 
 A RAG pipeline has five attack surfaces:
 

package/skills/sector-financial/skill.md

@@ -73,7 +73,7 @@ forward_watch:
   - BCB Resolução BCB 85 (cyber policy for FIs) and Brazil PIX fraud-typology updates
   - OSFI B-13 (Technology and Cyber Risk Management) post-2024 examination findings
   - TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST
-last_threat_review: "2026-05-11"
+last_threat_review: "2026-05-15"
 ---
 
 # Sector — Financial Services Cybersecurity (mid-2026)

package/skills/sector-telecom/skill.md

@@ -0,0 +1,259 @@
+---
+name: sector-telecom
+version: "1.0.0"
+description: Telecom and 5G security for mid-2026 — Salt Typhoon, Volt Typhoon, CALEA / IPA-LI gateway compromise, signaling-protocol abuse (SS7 / Diameter / GTP), 5G N6 / N9 isolation, gNB / DU / CU integrity, OEM-equipment supply-chain compromise, AI-RAN / O-RAN security; FCC CPNI + 4-business-day notification, NIS2 Annex I telecom essential entities, UK TSA 2021 + Ofcom, AU SOCI / TSSR, GSMA NESAS, 3GPP TR 33.926 + TS 33.501, ITU-T X.805.
+triggers:
+  - telecom security
+  - 5g core
+  - salt typhoon
+  - volt typhoon
+  - gnb integrity
+  - lawful intercept
+  - calea
+  - fcc cpni
+  - 4-business-day notification
+  - gsma nesas
+  - ss7
+  - diameter
+  - gtp
+  - 3gpp ts 33.501
+  - 3gpp tr 33.926
+  - o-ran
+  - n6 n9 isolation
+  - nis2 annex i
+  - uk tsa 2021
+  - au soci
+  - tssr
+  - itu-t x.805
+data_deps:
+  - cve-catalog.json
+  - atlas-ttps.json
+  - framework-control-gaps.json
+  - global-frameworks.json
+  - cwe-catalog.json
+  - d3fend-catalog.json
+atlas_refs:
+  - AML.T0040
+attack_refs:
+  - T1071
+  - T1078
+  - T1098
+  - T1190
+  - T1199
+  - T1556
+framework_gaps:
+  - FCC-CPNI-4.1
+  - FCC-Cyber-Incident-Notification-2024
+  - NIS2-Annex-I-Telecom
+  - DORA-Art-21-Telecom-ICT
+  - UK-CAF-B5
+  - AU-ISM-1556
+  - GSMA-NESAS-Deployment
+  - 3GPP-TR-33.926
+  - ITU-T-X.805
+rfc_refs:
+  - RFC-9622
+cwe_refs:
+  - CWE-287
+  - CWE-306
+  - CWE-918
+d3fend_refs:
+  - D3-NTA
+  - D3-NTPM
+  - D3-IOPR
+  - D3-NI
+forward_watch:
+  - "FCC CPNI rule updates (47 CFR 64.2009 / 64.2011 amendments)"
+  - "5G AI-RAN security guidance from CISA, ENISA, NCSC, ASD ACSC"
+  - "GSMA FS.32 / FS.36 / FS.43 revisions"
+  - "Volt Typhoon / Salt Typhoon successor-actor disclosures"
+  - "Five Eyes joint advisories on telecom-equipment intrusion"
+  - "3GPP TS 33.501 updates (5G security architecture rebaseline)"
+  - "O-RAN SFG / WG11 security specifications"
+last_threat_review: 2026-05-15
+---
+
+## Threat Context (mid-2026)
+
+**Salt Typhoon (China nation-state; PRC Ministry of State Security nexus).** The 2024–2026 campaign — disclosed in successive Five Eyes joint advisories from October 2024 onward (CISA / NSA / FBI joint product reissued through 2025–2026) — compromised at least nine US carriers (publicly named: AT&T, Verizon, T-Mobile US, Lumen, Charter, Cox, Windstream, Consolidated, plus undisclosed others) and extended to AU / CA / NZ / UK Tier-1 carriers. Threat actor TTPs map to T1199 (Trusted Relationship) via OEM vendor supply chain, T1098 (Account Manipulation) for persistent admin access on NMS, and T1078 (Valid Accounts) with stolen LI-gateway operator credentials. The campaign's defining feature: targeted access to CALEA-mandated lawful-intercept systems, allowing PRC actors to read US-authorized intercept feeds — including those covering PRC counter-intelligence targets and presidential-campaign communications (2024 election cycle). The intercept-system vector is structurally novel: every carrier serving US-jurisdiction subscribers is legally required to maintain a CALEA-compliant intercept capability, which means every carrier has a high-value, low-monitored attack surface by mandate.
+
+**Volt Typhoon (China; OT-adjacent telecom + ISP critical infrastructure).** CISA AA24-038A (Feb 2024) and follow-ons document prepositioning across US critical infrastructure operators, including telecom-adjacent ISPs and edge equipment. Living-off-the-land TTPs (T1190 + T1556) defeat conventional EDR. Distinct from Salt Typhoon in mission (prepositioning vs intelligence collection) but the equipment-supply-chain access pattern overlaps.
+
+**Lawful-intercept abuse vectors.** LI gateway compromise can defeat CALEA / IPA-LI / EU EECC Art. 40 mandated intercept capability protections. LIDB poisoning, J-STD-025 / ATIS-1000013 reference-data tampering, and operator-credential theft against the LI-management subsystems are the primary access patterns. The same vectors apply to UK IPA 2016 + TSA 2021, AU TSSR / SOCI Act 2018, Singapore IMDA TCCSCoP, India CERT-In 6-hour rule, Japan Telecommunications Business Act amended 2023.
+
+**Signaling-protocol attacks.** SS7 (2G/3G legacy), Diameter (4G LTE/IMS), GTP (3G/4G data plane), and 5G core interfaces N1 / N2 / N4 / N6 / N9 — each carries authentication and authorization fragility legacies. SS7-class abuse remains operationally relevant in mid-2026 against carriers maintaining legacy interconnect. 5G core slice-isolation under TS 33.501 is the modern equivalent control surface.
+
+**OEM equipment supply-chain compromise.** Cisco / Juniper / Nokia / Ericsson / Huawei / ZTE equipment vendors are the high-value target. Vendor remote-support inbound tunnels (Cisco TAC, Ericsson ENS, Nokia 1350 OMS) are a recurring intrusion vector. GSMA NESAS (FS.13 / FS.14 / FS.15) is product-time certification — operator-attested deployment posture is the operational gap.
+
+**AI-RAN / O-RAN security.** ETSI O-RAN SFG / WG11, 3GPP TR 33.926, NIST IR 8505 (5G Cybersecurity Practice Guide). AI-RAN deployments add model-tampering and slice-mismapping risks that 3GPP TR 33.926 does not yet model.
+
+## Framework Lag Declaration
+
+Telecom security mandates lag the current threat reality because the regulatory frame was constructed before the Salt Typhoon-class adversary access pattern surfaced. **NIS2 Annex I** (EU) designates telecom providers as essential entities and requires 24-hour incident notification + supply-chain due diligence (Art. 21(2)(d)), but does not name OEM-equipment firmware integrity attestation, AI-RAN model-tampering controls, or LI-gateway-specific access auditing. **FCC CPNI rules** (47 CFR 64.2009(e) annual certification, 47 CFR 64.2011 4-business-day cyber incident notification effective 2024-03-13) predate the Salt Typhoon LI-system vector and do not require notification on LI-system compromise that does not exfiltrate PII directly. **UK CAF Principle B5** (resilient networks) is outcome-tested but the outcome catalog does not include signaling-anomaly detection, gNB firmware attestation, or slice-isolation tests; lawful-intercept access is covered separately by IPA 2016 + TSA 2021. **AU ISM-1556** (privileged user MFA) covers human privileged users but does not reach telecom NMS service accounts (the actual privilege-holders) or OEM remote-support tunnels. **DORA Art. 21** (EU) binds the financial entity consuming telecom services but does not align cadences with NIS2 telecom-essential-entity reporting and does not bridge to 5G slice-isolation obligations for finance-dedicated slices. **GSMA NESAS** is product-time, vendor-attested certification with no operator-attested-runtime check, no firmware-update-cadence-tied recertification, and no EMS / OSS / NMS coverage. **3GPP TR 33.926** assumes deterministic equipment behavior — adversary-modified firmware that passes the SCAS suite at submission remains undetected after deployment. **ITU-T X.805** (2003) is reference architecture, not a deployment-validation framework, and predates 5G, O-RAN, AI-RAN, and the modern threat model. **CTID Secure AI v2** (2026-05-06) extends MITRE ATLAS coverage of agentic-AI and AI-RAN attacks but is layered guidance, not a mandate.
+
+## TTP Mapping
+
+| Tactic | ATT&CK | ATLAS | Description |
+|---|---|---|---|
+| Initial Access | T1199 Trusted Relationship | AML.T0040 (Tool/Plugin Compromise) | OEM vendor remote-support tunnel or AI-RAN plugin compromise opens a path into the operator network |
+| Initial Access | T1190 Exploit Public-Facing Application | — | Internet-facing OSS / EMS / NMS exposed services (Salt Typhoon access pattern) |
+| Persistence | T1098 Account Manipulation | — | Persistent admin role grants on NMS / EMS / OSS after initial compromise |
+| Defense Evasion | T1556 Modify Authentication Process | — | LI-gateway credential pivot — operator account credentials forged or replayed against LI provisioning subsystem |
+| Credential Access | T1078 Valid Accounts | — | Stolen LI-gateway operator credentials used directly, no separate exploitation path |
+| Command and Control | T1071 Application Layer Protocol | — | Living-off-the-land C2 over telecom internal management protocols (SNMP, NETCONF, Telco-IP-fabric) |
+| Collection | T1199 (downstream) | AML.T0040 (downstream) | Pulling subscriber call-detail records, location data, and LI feed contents via compromised access |
+
+ATLAS AML.T0040 (Tool / Plugin Compromise) anchors the AI-RAN attack class: plugin-layer compromise of an O-RAN xApp or rApp can route traffic through an adversary-controlled inference path while the NMS believes the legitimate xApp is still in use.
+
+## Exploit Availability Matrix
+
+| Vector | PoC status | Weaponization | AI-assist factor | Notes |
+|---|---|---|---|---|
+| LI-gateway operator credential theft | Public (per CISA AA24 advisories) | Confirmed in-the-wild | Low | Salt Typhoon TTP; credentials harvested through OEM-vendor supply chain |
+| OEM vendor remote-support tunnel | Public (TTP class, no single PoC) | Confirmed in-the-wild | Low | Vendor TAC / ENS tunnels documented as Salt Typhoon vector |
+| SS7 / Diameter signaling abuse | Public (signaling-research community) | Commodity | Low | Pre-dates AI-augmented attack landscape |
+| GTP-U tunneling attacks | Public | Demonstrated | Low | Operator-side defense via signaling firewalls |
+| 5G core N4 abuse (PFCP) | Researcher PoCs | Demonstrated | Low | Defense via N4 isolation per TS 33.501 |
+| AI-RAN xApp tampering | No public PoC | Speculative | High (ATLAS AML.T0040 class) | CTID Secure AI v2 forward-watch |
+| gNB firmware tampering | Researcher PoCs (vendor-specific) | Demonstrated against vendor pre-prod | Low | GSMA NESAS scope gap |
+| Slice mismapping (cross-slice leak) | Researcher PoCs against test cores | Demonstrated | Low | TS 33.501 control surface |
+
+## Analysis Procedure
+
+### Phase 1 — govern (jurisdictional clock + obligations)
+
+Surface the operator's jurisdictional notification clocks immediately on detection:
+
+- **US**: FCC 47 CFR 64.2011 — 4 business days from discovery of PII/CPNI breach; CALEA / Title III LI-system compromise reporting through DOJ / FBI per separate channel
+- **EU**: NIS2 Art. 23 — 24 hours initial notification, 72 hours intermediate, 1 month final (telecom essential entity)
+- **EU finance-touching**: DORA Art. 19 — 4 hours major-ICT-incident initial notification for financial-entity-impacting telecom incidents
+- **UK**: TSA 2021 + Electronic Communications (Security Measures) Regulations 2022 — Ofcom notification immediately on a security compromise of significance; NCSC notification when applicable
+- **AU**: SOCI Act 2018 (as amended 2022) + TSSR 2017 — Critical Infrastructure Centre notification + ACMA where applicable; ASD ACSC reporting per Essential 8 obligations
+- **CA**: Bill C-26 (Critical Cyber Systems Protection Act) notification once in force
+- **JP**: MIC Telecommunications Business Act amended 2023; immediate notification
+- **IN**: Telecommunications (Security) Rules 2024 + CERT-In 6-hour rule
+- **SG**: IMDA TCCSCoP (2022 v2 + 2024 update) — immediate
+- **NZ**: TICSA 2013
+
+Wait for operator acknowledgment of the highest-priority clock before proceeding.
+
+### Phase 2 — direct (threat context)
+
+Brief the operator on Salt Typhoon-class TTPs + RWEP-threshold bands. For telecom CVEs with active exploitation: live-patch threshold 90, urgent-patch 70, scheduled 30.
+
+### Phase 3 — look (artifacts to capture)
+
+Capture the following telecom-specific evidence (use `air_gap_alternative` paths if operator is in disconnected mode):
+
+- **LI provisioning audit log** — full activation/deactivation history for the assessment window (typically last 90 days). Air-gap alternative: operator-supplied CSV export.
+- **gNB / DU / CU firmware hashes** — operator-attested hash for every running base station, compared against vendor-published expected hashes. Air-gap alternative: out-of-band hash list verified against PGP-signed vendor bulletin.
+- **NMS / EMS / OSS access logs** — last 90 days of admin actions on the network management plane.
+- **Signaling-flow statistics** — SS7 SCCP / TCAP / MAP message rates per peer; Diameter ABMF / CCR / CCA rates per Diameter peer; GTP-C / GTP-U bytes per APN.
+- **Cross-PLMN signaling exchange patterns** — anomalous PLMN-pair flows that did not previously exchange traffic.
+- **eUICC SIM-swap event log** — recent IMSI swaps, MSISDN reassignments.
+- **5GC slice-isolation verification output** — last AMF / SMF / UPF reachability test per slice.
+- **OEM vendor remote-support tunnel inventory** — open Cisco TAC / Ericsson ENS / Nokia OMS tunnels with last-active timestamp.
+- **NESAS deployment posture report** — most recent operator-attested deployment match against the vendor-certified build.
+
+### Phase 4 — detect (indicators)
+
+Walk every indicator's `false_positive_checks_required` list before submitting a hit:
+
+- **Anomalous LI activation requests** — provisioning events outside the operator's standard workflow (e.g. activation without paired law-enforcement-agency ticket reference, activation from a service-account that never previously performed LI provisioning).
+- **gNB firmware hash drift** — running firmware does not match the vendor-published or operator-attested expected hash. FP check: rule out staged update window.
+- **NMS access from anomalous source** — admin login from an ASN, region, or device class not previously used for the role. FP check: rule out OEM TAC support session (correlate against open tunnel inventory).
+- **Cross-PLMN signaling spikes** — sudden order-of-magnitude increase in signaling exchange with a previously-quiet PLMN-pair. FP check: rule out legitimate roaming-agreement reactivation, peering reconfiguration.
+- **Unauthorized LI gateway tunnel** — outbound connection from the LI gateway to an IP outside the LE / DOJ / regulator allowlist. FP check: rule out documented maintenance bastion.
+- **OEM firmware downgrade events** — vendor-equipment firmware version regressed below the operator-published minimum. FP check: rule out documented incident-response rollback.
+
+### Phase 5 — analyze (correlation)
+
+Match captured artifacts against `data/cve-catalog.json` entries with `attack_class: telecom` or matching `attack_refs`. Cross-reference against `data/framework-control-gaps.json` for FCC-CPNI-4.1, FCC-Cyber-Incident-Notification-2024, NIS2-Annex-I-Telecom, DORA-Art-21-Telecom-ICT, UK-CAF-B5, AU-ISM-1556, GSMA-NESAS-Deployment, 3GPP-TR-33.926, ITU-T-X.805. Score blast-radius based on subscriber count + LI-feed-exposure dimension + AI-RAN slice-mismapping potential.
+
+### Phase 6 — validate (priority-sorted remediation)
+
+Priority 1 (immediate): isolate compromised NMS account; revoke and re-issue LI-gateway operator credentials; pull running-gNB firmware hash off every base station and compare against operator-attested expected.
+Priority 2 (24h): rotate all OEM vendor remote-support credentials; close TAC tunnels not actively in use; signaling-firewall block on cross-PLMN spike sources.
+Priority 3 (72h): operator-attested NESAS recertification of every gNB / EMS / OSS; slice-isolation verification across every active 5GC slice; comprehensive review of the last 90 days of NMS admin actions.
+
+### Phase 7 — close (regulator notifications + evidence preservation)
+
+Draft jurisdictional notification messages with regulator-specific evidence templates. Preserve LI-system audit trail for downstream law-enforcement / intelligence-community handoff. Schedule a follow-up `reattest` window at the highest applicable regulator deadline minus 48 hours.
+
+## Output Format
+
+The investigation evidence bundle returned by phase 5 + 6 has this shape:
+
+```json
+{
+  "session_id": "telecom-<iso>",
+  "playbook_id": "sector-telecom",
+  "classification": "detected | clean | not_detected | inconclusive",
+  "evidence_hash": "sha256:...",
+  "telecom_specific_findings": {
+    "li_gateway_audit": {
+      "anomalous_activations": 0,
+      "activations_outside_ticket": 0,
+      "outbound_tunnel_to_non_allowlist_ip": 0
+    },
+    "gnb_attestation_state": {
+      "expected_hashes_compared": 0,
+      "drifted_basestations": [],
+      "downgrade_events": 0
+    },
+    "signaling_anomaly_count": {
+      "ss7_per_peer_z_score_outliers": 0,
+      "diameter_per_peer_z_score_outliers": 0,
+      "gtp_apn_byte_z_score_outliers": 0,
+      "cross_plmn_unexpected_pairs": []
+    },
+    "nms_admin_access": {
+      "logins_from_anomalous_asn": 0,
+      "service_account_role_grants_outside_workflow": 0,
+      "open_oem_tac_tunnels": []
+    },
+    "oem_firmware_drift": {
+      "vendor_published_min_version_violations": [],
+      "operator_attested_mismatch": []
+    },
+    "slice_isolation": {
+      "amf_smf_upf_reachability_misses": [],
+      "cross_slice_packet_leakage_detected": false
+    }
+  },
+  "jurisdiction_notifications": [
+    { "jurisdiction": "US-FCC", "regulation": "47-CFR-64.2011", "deadline_iso": "...", "clock_anchor": "detect_confirmed" },
+    { "jurisdiction": "EU", "regulation": "NIS2-Art-23", "deadline_iso": "...", "clock_anchor": "detect_confirmed" }
+  ]
+}
+```
+
+## Compliance Theater Check
+
+Theater patterns specific to telecom posture:
+
+- **"We have CPNI annual certification."** Annual certification is a process artifact, not a compromise-detection control. The certification covers operational procedures; it does not test LI-gateway compromise detection. Theater test: ask whether the last CPNI certification audit reviewed LI provisioning logs for anomalous activations.
+- **"We are GSMA NESAS certified."** NESAS is product-time, vendor-attested certification of the equipment itself — not the deployed posture. Theater test: ask for the most recent operator-attested-runtime gNB firmware hash report compared against the NESAS-certified build hash. Mismatch or absence is theater.
+- **"OEM firmware is verified at receipt."** Vendor-supplied hash is the input to the receipt verification; the operator does not independently re-derive the hash from upstream OEM-vendor source. Theater test: ask whether the operator separately verifies OEM firmware against an out-of-band PGP-signed vendor bulletin OR an operator-side reproducible build.
+- **"3GPP TR 33.926 tests passed at deployment."** TR 33.926 SCAS is product-class testing; it does not detect adversary-modified firmware that passes the test suite at submission. Theater test: ask for the post-deployment hash-attestation report on the running gNB.
+- **"ITU-T X.805 framework adopted."** X.805 is reference architecture, not validation. Theater test: ask for a deployment validation checklist mapping X.805's 8 dimensions to specific operational telemetry. Most operators cite the framework but do not validate against it.
+- **"We have signaling firewall (SS7 / Diameter / GTP)."** Signaling firewalls are policy-engine dependent on a current threat-actor PLMN catalog. Theater test: ask when the threat-actor PLMN list was last refreshed against GSMA Fraud and Security Group bulletins.
+- **"LI-gateway operator credentials use MFA."** Human-MFA on the LI gateway is necessary but not sufficient — service accounts and OEM remote-support tunnels frequently bypass. Theater test: count the LI-gateway admin actions executed in the last 30 days by service-account principals vs human-MFA principals.
+
+## Defensive Countermeasure Mapping
+
+| Threat | D3FEND technique | Operational mapping |
+|---|---|---|
+| Signaling anomaly | D3-NTA (Network Traffic Analysis) | SS7 / Diameter / GTP per-peer baseline + alert on z-score outliers |
+| 5G slice cross-leak | D3-NTPM (Network Traffic Policy Mapping) | Per-slice ACL + AMF/SMF/UPF reachability testing |
+| LI-gateway audit-trail integrity | D3-IOPR (I/O Read) | Immutable / append-only LI provisioning log + cross-system reconciliation |
+| 5GC slice / N6 / N9 isolation | D3-NI (Network Isolation) | Slice ID + DNN + S-NSSAI policy enforcement; N6 transit egress monitoring |
+| OEM firmware tampering | D3-EFA (Executable File Analysis) | Out-of-band hash verification + operator-attested-runtime checks |
+
+## Hand-Off / Related Skills
+
+- **incident-response-playbook** — parent IR flow; sector-telecom extends the IR contract with telecom-specific evidence and jurisdictional clocks.
+- **framework-gap-analysis** — invoke for downstream Hard-Rule-5 gap mapping against catalog framework_gaps.
+- **cred-stores** — LI-gateway operator credential storage falls under the cred-stores skill for secret-management depth.
+- **sector-federal-government** — national-security adjacency on LI-system compromise touches federal investigation scope.
+- **mcp-agent-trust** — AI-RAN xApp / rApp compromise (ATLAS AML.T0040 class) crosses into MCP-class agent-tool trust boundaries.

package/skills/skill-update-loop/skill.md

@@ -32,7 +32,7 @@ forward_watch:
   - AI/MCP platform CVEs (GitHub Security Advisories, OSV database)
   - Framework publication updates (NIST SP updates, ISO amendments, NIS2 implementing acts)
   - IETF RFC publications and draft status changes (datatracker.ietf.org, rfc-editor.org); run `npm run validate-rfcs` quarterly
-last_threat_review: "2026-05-11"
+last_threat_review: "2026-05-15"
 ---
 
 # Skill Update Loop

package/skills/supply-chain-integrity/skill.md

@@ -54,6 +54,8 @@ forward_watch:
   - SPDX 3.1 — AI profile maturation, dataset provenance schema stabilization
   - EU CRA (Regulation 2024/2847) — implementing acts for technical documentation and SBOM submission expected through 2027
   - OpenSSF model-signing — emerging Sigstore-based signing standard for ML model weights; track for production adoption
+  - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Megatron Bridge overly permissive allowed list by Satoki Tsuji; AI training-stack supply-chain exposure; track patch and SBOM-attestation impact
+  - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Megatron Bridge path traversal by haehae; AI training-stack file-system trust boundary; track patch and SBOM-attestation impact
 cwe_refs:
   - CWE-1357
   - CWE-1395
@@ -64,7 +66,7 @@ d3fend_refs:
   - D3-CBAN
   - D3-EAL
   - D3-EHB
-last_threat_review: "2026-05-13"
+last_threat_review: "2026-05-15"
 ---
 
 # Supply-Chain Integrity Assessment

package/skills/threat-model-currency/skill.md

@@ -22,7 +22,7 @@ forward_watch:
   - New CISA KEV entries in kernel/AI/supply chain categories
   - New MCP or agent protocol security disclosures
   - Emerging malware families using AI for evasion
-last_threat_review: "2026-05-14"
+last_threat_review: "2026-05-15"
 ---
 
 # Threat Model Currency Assessment

package/skills/webapp-security/skill.md

@@ -68,6 +68,8 @@ d3fend_refs:
   - D3-CSPP
   - D3-EAL
   - D3-MFA
+forward_watch:
+  - NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; AI-assisted discovery angle; track for active-exploitation confirmation and patch advisory affecting front-door web app deployments
 last_threat_review: "2026-05-11"
 ---
 

package/skills/zeroday-gap-learn/skill.md

@@ -23,7 +23,7 @@ forward_watch:
   - New ATLAS TTP additions in each ATLAS release
   - Framework updates that close previously open gaps
   - Vendor advisories for MCP/AI tool supply chain CVEs
-last_threat_review: "2026-05-14"
+last_threat_review: "2026-05-15"
 ---
 
 # Zero-Day Learning Loop
@@ -44,7 +44,7 @@ The `atlas_refs`, `attack_refs`, and `framework_gaps` arrays are intentionally e
 
 The zero-day learning cycle has compressed. The frameworks have not.
 
-- **41% of 2025 zero-days were discovered by attackers using AI-assisted reverse engineering** (AGENTS.md DR-5). Copy Fail (CVE-2026-31431) was AI-found in approximately one hour. The historical learning rhythm — researcher disclosure → industry analysis → framework update cycle measured in quarters or years — is incompatible with AI-discovery cadence measured in weeks.
+- **41% of 2025 zero-days were discovered by attackers using AI-assisted reverse engineering** (AGENTS.md DR-5 / GTIG 2025). Copy Fail (CVE-2026-31431) was AI-found in approximately one hour; Fragnesia (CVE-2026-46300, 2026-05-13) is the canonical 2026 anchor case — Zellic's agentic code-auditing tool surfaced an 18-year-old Linux kernel page-cache primitive in load-bearing OSS. The first documented AI-built in-the-wild zero-day surfaced 2026-05-11 (GTIG AI 2FA-bypass case). The exceptd catalog's 2026 AI-discovery rate now stands at 40% (4/10), tracking the GTIG reference. The historical learning rhythm — researcher disclosure → industry analysis → framework update cycle measured in quarters or years — is incompatible with AI-discovery cadence measured in weeks. CTID Secure AI v2 (2026-05-06) replaces v1 as the alignment target for the learning-loop outputs.
 - **The compounding consequence**: when a zero-day is announced, the relevant question is no longer "when will the patch ship?" but "what control, if it had existed, would have stopped this, and how do we add that control to the next thousand systems before the AI-generated variant lands?" Without a running learning loop, every novel TTP becomes a one-off incident response rather than a control-system improvement.
 - **AI-acceleration also compresses variant generation.** A single disclosed primitive (Copy Fail's deterministic page-cache CoW; SesameOp's AI-API C2 channel) can be re-applied by AI tooling to adjacent code paths within days. Frameworks that only respond to specific CVE-IDs miss the class-level lesson entirely.
 - **Compliance frameworks do not include zero-day learning as a required control category.** The "learn from incidents" language in NIST CSF 2.0 IMPROVE and ISO 27001:2022 A.5.7 is process-only, no required artifact. An org can be fully compliant while patching every CVE and learning nothing.