@blamejs/exceptd-skills 0.12.6 → 0.12.8

package/data/d3fend-catalog.json

@@ -1,7 +1,7 @@
 {
   "_meta": {
     "schema_version": "1.0.0",
-    "last_updated": "2026-05-11",
+    "last_updated": "2026-05-13",
     "d3fend_version": "1.0.0",
     "d3fend_release_date": "2024-06-01",
     "source": "https://d3fend.mitre.org",
@@ -734,5 +734,167 @@
     "ai_pipeline_applicability": "Applies to persistent hosts running MCP servers, AI coding assistants, or AI build agents. For serverless invocations, equivalent is per-invocation runtime telemetry (Lambda extension hooks, Cloud Run service workload identity logs) correlated with the AI-API call graph.",
     "lag_notes": "SI-4 / AU-2 require monitoring but do not require parent-child process-tree analytics. Most enterprise audits accept 'we have EDR' as evidence regardless of whether behavioral rules are tuned. Lag is in operationalization — control existence vs. detection quality.",
     "last_verified": "2026-05-11"
+  },
+  "D3-ANCI": {
+    "id": "D3-ANCI",
+    "name": "Authentication Cache Invalidation",
+    "tactic": "Evict",
+    "subtactic": "Credential Eviction",
+    "description": "Forcibly invalidating cached or active authentication artifacts (tokens, session IDs, cached Kerberos tickets, browser SSO cookies) so that a compromised credential cannot be reused after detection. Distinct from credential rotation in that it acts on the live session state, not just the stored material.",
+    "counters_attack_techniques": ["T1078", "T1550", "T1539", "AML.T0055"],
+    "digital_artifacts_addressed": ["Authentication Session", "Access Token", "Browser Session", "Kerberos Ticket"],
+    "skills_referencing": ["cred-stores", "identity-assurance", "incident-response-playbook"],
+    "implementation_examples": [
+      "OAuth refresh-token revocation on detected credential compromise",
+      "klist purge + ticket-granting-service revocation on suspicious Kerberos use",
+      "Browser-side single-sign-on cookie invalidation pushed via IDP signal",
+      "Service-account JWT issuer kid-rotation followed by global verifier refresh"
+    ],
+    "framework_controls_partially_mapped": ["NIST-800-53-IA-5(1)", "NIST-800-53-AC-12", "ISO-27001-2022-A.5.18"],
+    "ai_pipeline_applicability": "Applies to AI assistant identities (MCP server tokens, model-provider API keys). For ephemeral AI agents the cache invalidation is per-invocation; for long-lived AI sessions (assistant subscriptions), provider must expose a revoke API the operator can call.",
+    "lag_notes": "AC-12 (session termination) speaks to user sessions; service-to-service token invalidation under credential compromise is rarely audited. Operationalization gap: most orgs lack the integration to actively invalidate on detection.",
+    "last_verified": "2026-05-13"
+  },
+  "D3-CAA": {
+    "id": "D3-CAA",
+    "name": "Credential Access Auditing",
+    "tactic": "Detect",
+    "subtactic": "Credential Activity Analysis",
+    "description": "Recording and analyzing every access to credential stores (cloud secret managers, password vaults, KMS, environment-variable reads on privileged processes) to detect anomalous read patterns indicating credential theft or misuse.",
+    "counters_attack_techniques": ["T1555", "T1552", "T1078", "AML.T0055"],
+    "digital_artifacts_addressed": ["Credential Store Access Log", "Process Environment Variable Access"],
+    "skills_referencing": ["cred-stores", "secrets", "dlp-gap-analysis"],
+    "implementation_examples": [
+      "AWS Secrets Manager + CloudTrail GetSecretValue audit with anomaly baseline per principal",
+      "HashiCorp Vault audit log forwarded to SIEM with per-policy read-rate alerting",
+      "Linux audit on /proc/<pid>/environ reads outside the owning process",
+      "GitHub Actions secret-access audit + repository-event correlation"
+    ],
+    "framework_controls_partially_mapped": ["NIST-800-53-AU-2", "NIST-800-53-AU-12", "ISO-27001-2022-A.8.15"],
+    "ai_pipeline_applicability": "Applies wherever AI agents fetch credentials at runtime (MCP server bootstrap, fine-tuning job startup). Serverless equivalent: cloud-provider native secret-fetch audit (Secrets Manager VPC endpoint logs, GCP Secret Manager IAM audit logs).",
+    "lag_notes": "AU-2 prescribes audit event categories; framework controls do not require per-secret access baselining. Compliance audits accept 'logging is enabled' without requiring detection rules on read anomalies.",
+    "last_verified": "2026-05-13"
+  },
+  "D3-CH": {
+    "id": "D3-CH",
+    "name": "Credential Hardening",
+    "tactic": "Harden",
+    "subtactic": "Credential Hardening",
+    "description": "Increasing the cryptographic and operational strength of credentials at rest and in transit — memory-hard password hashing, hardware-backed key storage, short credential lifetime, mandatory MFA on high-impact identities.",
+    "counters_attack_techniques": ["T1110", "T1555", "T1552"],
+    "digital_artifacts_addressed": ["Password Hash", "Private Key", "API Token", "Session Token"],
+    "skills_referencing": ["crypto-codebase", "identity-assurance", "cred-stores"],
+    "implementation_examples": [
+      "Argon2id password hashing with tuned m/t/p",
+      "TPM/HSM-backed private keys (Windows Hello for Business, Apple Secure Enclave, AWS CloudHSM)",
+      "Short-lived OIDC tokens with mandatory refresh-token rotation",
+      "WebAuthn/passkey adoption replacing password authentication"
+    ],
+    "framework_controls_partially_mapped": ["NIST-800-53-IA-5", "NIST-800-53-SC-12", "NIST-SP-800-63B"],
+    "ai_pipeline_applicability": "Applies to credentials issued to AI agents — model-provider keys should be short-lived and rotated; MCP server tokens should use mTLS or signed JWTs rather than long-lived bearer secrets.",
+    "lag_notes": "IA-5 covers authenticator strength categorically; framework audit rarely samples the actual KDF in use. SP 800-63B's 2022 iteration-count update (PBKDF2 ≥ 600,000) lags in many compliance attestations citing the 2017 numbers.",
+    "last_verified": "2026-05-13"
+  },
+  "D3-EI": {
+    "id": "D3-EI",
+    "name": "Execution Isolation",
+    "tactic": "Isolate",
+    "subtactic": "Execution Isolation",
+    "description": "Constraining a process so that even successful exploitation cannot reach resources outside the isolation boundary — containers with read-only rootfs, sandboxed renderers, seccomp-restricted syscall sets, namespace-isolated workers, gVisor / Firecracker microVMs.",
+    "counters_attack_techniques": ["T1611", "T1068", "T1055", "T1106"],
+    "digital_artifacts_addressed": ["Process", "Container", "Sandbox", "Namespace"],
+    "skills_referencing": ["container-runtime-security", "hardening"],
+    "implementation_examples": [
+      "Read-only container rootfs + tmpfs for ephemeral state",
+      "seccomp-bpf default-deny syscall profiles per workload",
+      "gVisor (runsc) for untrusted-tenant workloads",
+      "Firecracker microVMs for multi-tenant SaaS execution",
+      "Linux user namespaces dropping CAP_SYS_ADMIN at process start"
+    ],
+    "framework_controls_partially_mapped": ["NIST-800-53-SC-39", "NIST-800-53-AC-4", "ISO-27001-2022-A.8.22"],
+    "ai_pipeline_applicability": "Critical for AI agent execution: untrusted-code-execution tools (interpreter, code-runner MCP servers) must run in a microVM or gVisor sandbox, not in the host AI's process. Serverless platforms provide this implicitly (Lambda firecracker, Cloud Run gVisor).",
+    "lag_notes": "SC-39 covers process isolation conceptually; framework controls do not specify required isolation primitives. 'Containers' alone do not satisfy isolation without read-only rootfs + seccomp + capability dropping — controls rarely audit which container hardening is actually enforced.",
+    "last_verified": "2026-05-13"
+  },
+  "D3-FCR": {
+    "id": "D3-FCR",
+    "name": "File Content Rules",
+    "tactic": "Detect",
+    "subtactic": "File Analysis",
+    "description": "Inspecting file contents against rule sets (YARA, Sigma, custom regex, ML classifier) to detect malicious patterns, embedded secrets, or unauthorized content classes at rest or at egress.",
+    "counters_attack_techniques": ["T1552.001", "T1552.004", "T1567", "AML.T0055"],
+    "digital_artifacts_addressed": ["File Content", "Source Code", "Configuration File"],
+    "skills_referencing": ["secrets", "dlp-gap-analysis", "cred-stores"],
+    "implementation_examples": [
+      "gitleaks / trufflehog pre-commit and CI-time secret scanning",
+      "YARA rules on uploaded files at SaaS file-upload boundaries",
+      "DLP content-classification on outbound email + cloud-storage uploads",
+      "AI prompt-content classification before egress to public LLM endpoints"
+    ],
+    "framework_controls_partially_mapped": ["NIST-800-53-SI-3", "NIST-800-53-SI-4", "ISO-27001-2022-A.8.12"],
+    "ai_pipeline_applicability": "Critical for AI exfil prevention: prompt content rules block sending sensitive data to public AI endpoints; retrieval-corpus content rules block injection of attacker-controlled documents. For RAG: per-document content classification at ingest.",
+    "lag_notes": "SI-3 / SI-4 cover monitoring categorically; rule-set freshness and tuning are operational concerns rarely audited. DLP frameworks lag in covering AI prompts as an egress channel.",
+    "last_verified": "2026-05-13"
+  },
+  "D3-KBPI": {
+    "id": "D3-KBPI",
+    "name": "Kernel-Based Process Isolation",
+    "tactic": "Isolate",
+    "subtactic": "Execution Isolation",
+    "description": "Using kernel primitives (namespaces, cgroups, seccomp, capabilities, LSMs, eBPF) to enforce isolation boundaries between processes that share the same kernel. Distinct from D3-EI in that the isolation is enforced inside a shared kernel rather than across a hypervisor or microVM boundary.",
+    "counters_attack_techniques": ["T1055", "T1068", "T1611"],
+    "digital_artifacts_addressed": ["Process", "Namespace", "cgroup", "LSM Profile"],
+    "skills_referencing": ["kernel-lpe-triage", "hardening", "container-runtime-security"],
+    "implementation_examples": [
+      "SELinux / AppArmor confinement profiles per workload",
+      "Linux user namespaces + capability dropping (CAP_SYS_ADMIN removed)",
+      "Landlock for application-level filesystem restriction",
+      "eBPF LSM hooks for fine-grained policy enforcement",
+      "systemd hardening directives (ProtectSystem=strict, RestrictSUIDSGID, NoNewPrivileges)"
+    ],
+    "framework_controls_partially_mapped": ["NIST-800-53-SC-39", "NIST-800-53-AC-6"],
+    "ai_pipeline_applicability": "Less applicable on managed serverless (no kernel-tuning surface). Critical on self-managed hosts running MCP servers, AI build agents, training pipelines. Containerized AI runtimes still rely on kernel isolation primitives — a kernel LPE escapes the container.",
+    "lag_notes": "SC-39 process isolation is named but not parameterized; framework controls accept 'containers are used' as evidence without auditing the kernel-level confinement layer. KASLR + SMEP + SMAP + KPTI presence is implicit not explicit in any framework control.",
+    "last_verified": "2026-05-13"
+  },
+  "D3-SCA": {
+    "id": "D3-SCA",
+    "name": "System Call Analysis",
+    "tactic": "Detect",
+    "subtactic": "Process Analysis",
+    "description": "Recording and analyzing system calls made by processes to detect malicious behavior — unusual syscall patterns, attempts to disable security mechanisms, kernel exploitation primitives (e.g. unshare(2), ptrace(2) on unrelated PIDs, bpf(2) on unprivileged contexts).",
+    "counters_attack_techniques": ["T1055", "T1068", "T1562", "T1106"],
+    "digital_artifacts_addressed": ["System Call", "Process Behavior"],
+    "skills_referencing": ["runtime", "kernel-lpe-triage"],
+    "implementation_examples": [
+      "Linux auditd with syscall rules (ausearch -k privesc)",
+      "Falco runtime rules on suspicious syscall sequences",
+      "eBPF-based tools (tetragon, tracee) for kernel-level visibility",
+      "Sysdig / inspector for container-syscall-anomaly detection"
+    ],
+    "framework_controls_partially_mapped": ["NIST-800-53-SI-4", "NIST-800-53-AU-2", "ISO-27001-2022-A.8.16"],
+    "ai_pipeline_applicability": "Self-managed AI hosts: standard syscall monitoring applies. Serverless: equivalent is provider-side runtime telemetry (Lambda runtime API, GVisor sentry events). MCP server hosts especially: malicious MCP plugins often hit suspicious syscalls (ptrace, bpf, unshare).",
+    "lag_notes": "SI-4 prescribes monitoring at the system level abstractly; specific syscall analytics (which calls, which thresholds, which response) are deployment-team choices that framework audits do not sample.",
+    "last_verified": "2026-05-13"
+  },
+  "D3-SFA": {
+    "id": "D3-SFA",
+    "name": "System File Analysis",
+    "tactic": "Detect",
+    "subtactic": "File Analysis",
+    "description": "Monitoring critical system files (auth databases, audit configurations, init scripts, boot loaders, sudoers, SSH authorized_keys) for unauthorized modification — file integrity monitoring with cryptographic baselines and immutable-write enforcement.",
+    "counters_attack_techniques": ["T1543", "T1547", "T1098", "T1562.001"],
+    "digital_artifacts_addressed": ["System File", "Configuration File", "File Hash"],
+    "skills_referencing": ["runtime", "hardening", "incident-response-playbook"],
+    "implementation_examples": [
+      "AIDE / Tripwire / OSSEC file-integrity baselines on /etc, /usr/bin, /sbin",
+      "Auditd watch rules on /etc/passwd, /etc/shadow, /etc/sudoers, ~/.ssh/authorized_keys",
+      "Linux IMA-EVM measured boot extending into runtime FIM",
+      "AWS Config rules monitoring IAM policy file analogs (managed-policy versions)"
+    ],
+    "framework_controls_partially_mapped": ["NIST-800-53-SI-7", "NIST-800-53-AU-2", "ISO-27001-2022-A.8.13"],
+    "ai_pipeline_applicability": "Self-managed AI hosts: standard FIM applies to MCP server configs, ~/.claude, ~/.cursor settings. Serverless: equivalent is image-immutability + read-only rootfs (modifications outside writable tmpfs are structurally impossible).",
+    "lag_notes": "SI-7 covers software/firmware integrity; user-space configuration FIM is implicit not explicit. Framework audits accept 'FIM is deployed' without sampling whether the rule set covers AI-assistant config paths that have become high-value targets.",
+    "last_verified": "2026-05-13"
   }
 }

package/data/framework-control-gaps.json

@@ -1251,5 +1251,248 @@
     "attack_refs": [
       "T1059"
     ]
+  },
+  "NIS2-Art21-incident-handling": {
+    "framework": "EU NIS2 Directive (2022/2555)",
+    "control_id": "Art. 21(2)(b)",
+    "control_name": "Incident handling",
+    "designed_for": "Essential and important entities operating in critical sectors across the EU; sets minimum cybersecurity risk-management measures including incident handling, business continuity, and supply chain security",
+    "misses": [
+      "Incident-handling 24-hour early-warning + 72-hour notification clock starts from awareness, not from detection — gap covers AI-mediated incidents detected only after material harm",
+      "No explicit AI/ML incident category — prompt injection RCE, MCP supply-chain compromise, AI-API C2 not enumerated as in-scope incident classes",
+      "'State of the art' wording leaves the framework lag-permissive — operators can claim compliance without AI-specific incident playbooks",
+      "Cross-border supply-chain incidents (Shai-Hulud-class) span multiple competent authorities; coordination requirements are weakly specified"
+    ],
+    "real_requirement": "Incident-handling playbook enumerates AI-specific classes (LLM prompt injection RCE, MCP plugin compromise, AI-API C2 beaconing) with detection sources, evidence requirements, and the cross-jurisdiction notification matrix (NIS2 24h early-warning + 72h full report alongside DORA 4h + GDPR 72h). Continuity plans assume AI-assistant denial-of-service alongside classical IT outages.",
+    "status": "open",
+    "opened_date": "2026-05-13",
+    "evidence_cves": [
+      "CVE-2025-53773",
+      "CVE-2026-30615",
+      "CVE-2026-45321"
+    ],
+    "atlas_refs": [
+      "AML.T0051",
+      "AML.T0096"
+    ],
+    "attack_refs": [
+      "T1059",
+      "T1567"
+    ]
+  },
+  "EU-AI-Act-Art-15": {
+    "framework": "EU Artificial Intelligence Act (2024/1689)",
+    "control_id": "Art. 15",
+    "control_name": "Accuracy, robustness and cybersecurity",
+    "designed_for": "Providers of high-risk AI systems; requires AI systems to achieve appropriate accuracy, robustness, and cybersecurity throughout their lifecycle",
+    "misses": [
+      "'Appropriate level of cybersecurity' is undefined operationally — no benchmark for prompt-injection resistance, RAG-poisoning robustness, or supply-chain attack resilience",
+      "No required testing methodology — adversarial robustness assessment is recommended but not mandated with specific test classes",
+      "Scope binds providers of high-risk AI systems; downstream operators integrating non-high-risk-classified AI (e.g. coding assistants) inherit no Art. 15 obligations even when they reach equivalent threat exposure",
+      "Cybersecurity reporting integrates with NIS2 but does not specify AI-specific incident classes (prompt injection, model theft, RAG poisoning)"
+    ],
+    "real_requirement": "AI-systems-in-scope undergo prompt-injection red-team (per OWASP LLM Top 10), RAG corpus integrity testing, MCP plugin trust verification, model-extraction-resistance assessment, and continuous adversarial regression. Cybersecurity reporting bridges to NIS2 + DORA notification clocks. Downstream operators apply equivalent diligence to AI tools used in their pipeline even when the AI itself isn't classified high-risk.",
+    "status": "open",
+    "opened_date": "2026-05-13",
+    "evidence_cves": [
+      "CVE-2025-53773",
+      "CVE-2026-30615"
+    ],
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0051",
+      "AML.T0054",
+      "AML.T0057"
+    ],
+    "attack_refs": []
+  },
+  "UK-CAF-A1": {
+    "framework": "UK NCSC Cyber Assessment Framework v3.2",
+    "control_id": "Objective A — Principle A1",
+    "control_name": "Governance",
+    "designed_for": "Operators of essential services and critical national infrastructure; sets a board-level governance expectation for cyber risk management",
+    "misses": [
+      "Governance principle is intentionally outcome-focused; without published Indicators of Good Practice (IGPs) for AI-specific governance, boards have no specific test for AI risk awareness",
+      "No requirement to enumerate AI/ML supply-chain trust dependencies as a governance artefact",
+      "AI-procurement governance overlap with NCSC AI Cyber Code of Practice is recommended but not enforced through CAF assessment criteria"
+    ],
+    "real_requirement": "Board-level governance includes an AI-systems-in-use inventory, an MCP/plugin trust register with provenance attestation, and a documented assignment of accountability for AI security outcomes that maps to the NIS2/CCRA scope.",
+    "status": "open",
+    "opened_date": "2026-05-13",
+    "evidence_cves": [
+      "CVE-2026-30615"
+    ],
+    "atlas_refs": [
+      "AML.T0010"
+    ],
+    "attack_refs": []
+  },
+  "UK-CAF-B2": {
+    "framework": "UK NCSC Cyber Assessment Framework v3.2",
+    "control_id": "Objective B — Principle B2",
+    "control_name": "Identity and access control",
+    "designed_for": "Restricting access to systems and data to authorised users, devices, and systems",
+    "misses": [
+      "AI agent identity is not addressed — AI assistants operate under user identity but execute attacker-controlled actions when prompt-injected (the access decision is correct at IAM layer; the action is not)",
+      "MCP server / plugin trust is access-control-adjacent but framework treats plugins as part of the user's process, not as separate identities requiring authorization",
+      "Service-account credentials for AI providers (OpenAI/Anthropic/HuggingFace) are not enumerated as a regulated credential class with rotation policy"
+    ],
+    "real_requirement": "Identity controls treat AI agents as distinct principals where they execute tools; MCP plugin invocations log model decision + tool name + arguments + user identity; AI-provider service credentials are short-lived, rotated, and excluded from cleartext storage policy exceptions; passkeys/WebAuthn for human-operator-to-AI authentication where supported.",
+    "status": "open",
+    "opened_date": "2026-05-13",
+    "evidence_cves": [
+      "CVE-2025-53773",
+      "CVE-2026-30615"
+    ],
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0051"
+    ],
+    "attack_refs": [
+      "T1078"
+    ]
+  },
+  "UK-CAF-C1": {
+    "framework": "UK NCSC Cyber Assessment Framework v3.2",
+    "control_id": "Objective C — Principle C1",
+    "control_name": "Security monitoring",
+    "designed_for": "Detecting and analysing events that may indicate a cybersecurity incident on the operator's essential function",
+    "misses": [
+      "AI-API traffic monitoring is not a recognised security-monitoring discipline — egress logs typically allowlist AI providers, leaving AI-API C2 (SesameOp / PROMPTFLUX class) invisible",
+      "Prompt/response content classification is absent from typical SOC tooling — DLP on AI prompts is structurally outside C1's monitored event set",
+      "MCP server invocations are not enumerated as a monitored event source"
+    ],
+    "real_requirement": "Security monitoring includes prompt/response content classification on egress to AI providers, MCP tool-call audit trail (model decision + tool name + arguments + result), AI-API traffic baselines per service identity with anomaly alerts, and unified retention covering AI events alongside classical telemetry.",
+    "status": "open",
+    "opened_date": "2026-05-13",
+    "evidence_cves": [
+      "CVE-2025-53773",
+      "CVE-2026-30615"
+    ],
+    "atlas_refs": [
+      "AML.T0096",
+      "AML.T0024",
+      "AML.T0057"
+    ],
+    "attack_refs": [
+      "T1567"
+    ]
+  },
+  "UK-CAF-D1": {
+    "framework": "UK NCSC Cyber Assessment Framework v3.2",
+    "control_id": "Objective D — Principle D1",
+    "control_name": "Response and recovery planning",
+    "designed_for": "Maintaining the ability to respond and recover from cybersecurity incidents affecting the operator's essential function",
+    "misses": [
+      "Response planning treats patch deployment as a routine activity; CISA KEV class kernel-LPE timelines (hours-not-days) demand a live-patch workflow that response plans rarely include",
+      "AI-incident response (model rollback, prompt blocklist updates, MCP allowlist tightening) is not a standard response-plan category",
+      "Backup-and-recovery validation does not include AI-system artefacts (fine-tuned model weights, RAG corpora, MCP server inventories)"
+    ],
+    "real_requirement": "Response plans include live kernel patching as a documented capability with operator drill cadence; AI-incident playbooks cover model rollback, prompt classifier updates, MCP allowlist tightening; backups validate AI-system artefacts; recovery clocks align to NIS2 24h + DORA 4h + GDPR 72h notification matrix.",
+    "status": "open",
+    "opened_date": "2026-05-13",
+    "evidence_cves": [
+      "CVE-2026-31431",
+      "CVE-2026-43284",
+      "CVE-2026-43500"
+    ],
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1068"
+    ]
+  },
+  "AU-Essential-8-MFA": {
+    "framework": "ASD Essential Eight (AU)",
+    "control_id": "Multi-factor authentication",
+    "control_name": "Multi-factor authentication",
+    "designed_for": "Reducing the impact of compromised credentials on Australian Government and broader essential-service identities; Maturity Levels 1-3",
+    "misses": [
+      "MFA on AI-provider service accounts (OpenAI, Anthropic, HuggingFace API tokens) is not addressed — these are bearer tokens, not user identities, but carry equivalent or greater blast radius",
+      "Phishing-resistance criterion (ML2+) does not specify resistance to AI-generated social engineering — deepfake-grade phishing breaks SMS/voice MFA categorically",
+      "MCP server / plugin authentication is silent; bearer tokens with no rotation policy commonly stored alongside developer credentials"
+    ],
+    "real_requirement": "MFA covers human identities at ML2+ with phishing-resistant factors (WebAuthn/passkeys, FIDO2). AI-provider credentials use short-lived OIDC tokens with mandatory rotation, never long-lived bearer keys. MCP server authentication uses signed JWTs / mTLS in production. Deepfake-grade phishing assumed; MFA decisions treat SMS/voice as insufficient.",
+    "status": "open",
+    "opened_date": "2026-05-13",
+    "evidence_cves": [],
+    "atlas_refs": [
+      "AML.T0055"
+    ],
+    "attack_refs": [
+      "T1078",
+      "T1556"
+    ]
+  },
+  "AU-Essential-8-App-Hardening": {
+    "framework": "ASD Essential Eight (AU)",
+    "control_id": "User application hardening",
+    "control_name": "User application hardening",
+    "designed_for": "Reducing the attack surface of common user applications (browsers, office, PDF readers) on Australian Government and essential-service endpoints",
+    "misses": [
+      "AI coding assistants (Copilot, Cursor, Windsurf, Claude) are not enumerated in the standard hardened-application list, yet they are the highest-value attack surface on developer endpoints (CVE-2025-53773, CVE-2026-30615 class)",
+      "MCP server runtime is not addressed — these are user-mode processes with capabilities that exceed typical productivity applications",
+      "Hardening focuses on browser/Java/Flash legacy classes; the equivalent for AI tools (default-deny MCP servers, plugin signing, capability-grant prompts) has no Essential-Eight analogue"
+    ],
+    "real_requirement": "User-application hardening enumerates AI assistants and MCP servers in scope; sets default-deny on tool grants with explicit per-tool acknowledgement; pins MCP server versions with signature verification; treats AI-tool config files (.claude/settings.json, .cursor/mcp.json, .vscode/settings.json's chat.tools.autoApprove) as integrity-monitored configuration with the same protection profile as security-sensitive files.",
+    "status": "open",
+    "opened_date": "2026-05-13",
+    "evidence_cves": [
+      "CVE-2025-53773",
+      "CVE-2026-30615"
+    ],
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0051"
+    ],
+    "attack_refs": [
+      "T1059",
+      "T1204"
+    ]
+  },
+  "AU-Essential-8-Patch": {
+    "framework": "ASD Essential Eight (AU)",
+    "control_id": "Patch operating systems",
+    "control_name": "Patch operating systems",
+    "designed_for": "Maintaining current security patches on operating systems on Australian Government and essential-service endpoints; ML3 target is 48 hours for critical exploits",
+    "misses": [
+      "ML3 '48 hours for public exploit' is the closest framework target to KEV reality, but still assumes a reboot is acceptable within that window — live-patching deployment is not a required capability",
+      "Linux kernel patching cadence differs from OS-vendor patch cadence; third-party kernel modules (OOT drivers, runtime hardening modules) are silent in scope",
+      "Patch-management metrics rarely measure 'time from CISA KEV listing to patched on fleet' as the operational SLA"
+    ],
+    "real_requirement": "Patch operating systems with KEV-anchored SLA (≤48h for critical with public PoC, live-patching mandatory on hosts that can't accept a reboot within window); kernel patching pipeline distinct from userspace patch pipeline; third-party kernel module patches tracked alongside vendor patches; SLA metric is 'time from KEV listing to deployed', not 'time from advisory publication'.",
+    "status": "open",
+    "opened_date": "2026-05-13",
+    "evidence_cves": [
+      "CVE-2026-31431",
+      "CVE-2026-43284",
+      "CVE-2026-43500"
+    ],
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1068"
+    ]
+  },
+  "AU-Essential-8-Backup": {
+    "framework": "ASD Essential Eight (AU)",
+    "control_id": "Regular backups",
+    "control_name": "Regular backups",
+    "designed_for": "Ensuring critical data and configuration can be restored after a cybersecurity incident; coverage spans daily backups with off-network retention",
+    "misses": [
+      "AI-system artefacts (fine-tuned model weights, RAG corpora, MCP server inventories, .claude/settings.json local-override files) are not enumerated as backup scope",
+      "Backup-integrity verification typically targets data restoration; AI-corpus poisoning detection requires per-document hash comparison against backup state, which is not standard practice",
+      "Incident-driven 'restore to last-known-good' for AI systems implies a known-good baseline that the backup process must maintain — workflow rarely documented"
+    ],
+    "real_requirement": "Backups cover AI-system artefacts (model weights, RAG corpora, plugin registries, AI-tool configuration files) with off-network retention; backup-integrity verification includes per-document hash comparison for RAG corpora to detect corpus poisoning; documented 'AI-system restore to last-known-good' workflow that maps to detected AI-incident classes.",
+    "status": "open",
+    "opened_date": "2026-05-13",
+    "evidence_cves": [
+      "CVE-2026-45321"
+    ],
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0020",
+      "AML.T0048"
+    ],
+    "attack_refs": []
   }
 }

package/data/playbooks/containers.json

@@ -395,7 +395,7 @@
         {
           "id": "dockerfile-from-latest",
           "type": "file_path",
-          "value": "Dockerfile FROM directive with :latest tag OR no tag at all (defaults to :latest)",
+          "value": "For each file in the dockerfile-inventory artifact, scan dockerfile-content lines: FROM directive with :latest tag OR no tag at all (defaults to :latest)",
           "description": "Image base resolves differently between scan and deploy. Image scanning attestation does not apply to the deployed image.",
           "confidence": "deterministic",
           "deterministic": true,
@@ -404,7 +404,7 @@
         {
           "id": "dockerfile-no-digest-pin",
           "type": "log_pattern",
-          "value": "Dockerfile FROM directive without @sha256:* digest",
+          "value": "For each file in the dockerfile-inventory artifact, scan dockerfile-content lines: FROM directive without @sha256:* digest",
           "description": "Tag-only base reference. Tag mutability means provenance cannot be verified.",
           "confidence": "high",
           "deterministic": false,
@@ -431,7 +431,7 @@
         {
           "id": "compose-privileged",
           "type": "log_pattern",
-          "value": "docker-compose service block containing `privileged: true`",
+          "value": "Within any compose-files artifact: docker-compose service block containing `privileged: true`",
           "description": "Container has full host kernel access. Container escape is built in by configuration.",
           "confidence": "deterministic",
           "deterministic": true,
@@ -467,7 +467,7 @@
         {
           "id": "k8s-privileged",
           "type": "log_pattern",
-          "value": "k8s manifest containers[].securityContext.privileged: true",
+          "value": "Within any k8s-manifests artifact (including templates rendered from helm-charts or kustomize-overlays): containers[].securityContext.privileged: true",
           "description": "K8s container with privileged: true. Same risk class as compose-privileged.",
           "confidence": "deterministic",
           "deterministic": true,
@@ -521,11 +521,29 @@
         {
           "id": "k8s-cluster-admin-binding",
           "type": "log_pattern",
-          "value": "k8s manifest kind: ClusterRoleBinding referencing cluster-admin role AND subjects include a ServiceAccount in a workload namespace",
+          "value": "Within service-account-manifests artifact entries (or any k8s-manifests artifact containing RBAC kinds): kind: ClusterRoleBinding referencing cluster-admin role AND subjects include a ServiceAccount in a workload namespace",
           "description": "Workload SA bound to cluster-admin. Pod compromise = cluster compromise.",
           "confidence": "deterministic",
           "deterministic": true,
           "attack_ref": "T1078.004"
+        },
+        {
+          "id": "psa-policy-permissive-or-absent",
+          "type": "log_pattern",
+          "value": "pod-security-admission-config artifact missing OR enforces only `pod-security.kubernetes.io/enforce: privileged` (the most permissive level) on a workload namespace; OR no PodSecurity admission configuration exists for namespaces hosting deployable manifests",
+          "description": "Without PodSecurity admission enforcement at baseline or restricted level on workload namespaces, the cluster will accept manifests that the other detect indicators (k8s-privileged, k8s-host-namespaces, k8s-run-as-root, k8s-hostpath-sensitive) flag — admission control is the gate that turns those manifest findings into rejections at apply time.",
+          "confidence": "high",
+          "deterministic": false,
+          "attack_ref": "T1611"
+        },
+        {
+          "id": "network-policies-absent-from-workload-namespace",
+          "type": "log_pattern",
+          "value": "For each workload namespace observed in k8s-manifests: zero entries in the network-policies artifact target that namespace (no NetworkPolicy / CiliumNetworkPolicy / CalicoNetworkPolicy with metadata.namespace == workload_ns). Kubernetes default is allow-all pod-to-pod traffic.",
+          "description": "Absent NetworkPolicy on a workload namespace leaves East-West traffic unrestricted: a compromised pod can reach every other pod, including the API server, etcd, and management planes. Closes the lateral-movement primitive that container escape playbooks rely on.",
+          "confidence": "high",
+          "deterministic": false,
+          "attack_ref": "T1610"
         }
       ],
       "false_positive_profile": [

package/data/playbooks/cred-stores.json

@@ -414,7 +414,7 @@
         {
           "id": "aws-static-key-present",
           "type": "log_pattern",
-          "value": "~/.aws/credentials contains a [profile] block with aws_access_key_id = AKIA* AND no sso_session / credential_process",
+          "value": "Within the aws-credentials artifact (~/.aws/credentials): a [profile] block with aws_access_key_id = AKIA* AND no sso_session / credential_process; cross-reference the aws-sso-cache artifact — if aws-sso-cache is empty AND aws-credentials carries an AKIA* key, the workstation has zero federated session coverage for that profile",
           "description": "Long-lived AWS IAM user key. AAL1-equivalent. Static credential.",
           "confidence": "deterministic",
           "deterministic": true,
@@ -423,7 +423,7 @@
         {
           "id": "kube-static-token",
           "type": "log_pattern",
-          "value": "~/.kube/config users[].user.token: field present AND no exec: federated flow alongside",
+          "value": "Within the kube-config artifact (~/.kube/config): users[].user.token: field present AND no exec: federated flow alongside",
           "description": "Static Kubernetes service-account or admin token. Long-lived bearer. Indistinguishable from a federated kube context that uses cached token unless exec: is also present.",
           "confidence": "deterministic",
           "deterministic": true,
@@ -432,7 +432,7 @@
         {
           "id": "gcp-service-account-json-adc",
           "type": "log_pattern",
-          "value": "~/.config/gcloud/application_default_credentials.json contains \"type\": \"service_account\"",
+          "value": "Within the gcloud-credentials artifact: ~/.config/gcloud/application_default_credentials.json contains \"type\": \"service_account\" — OR the credentials.db SQLite query returns rows where type='service_account' for any active configuration",
           "description": "ADC pointing at a service-account JSON private key. Long-lived. The recommended posture is type=external_account (workforce identity) or type=authorized_user (federated user creds).",
           "confidence": "deterministic",
           "deterministic": true,
@@ -441,7 +441,7 @@
         {
           "id": "docker-cleartext-auth",
           "type": "log_pattern",
-          "value": "~/.docker/config.json contains auths[].auth: field with base64(user:password) AND no credHelpers / credsStore for that registry",
+          "value": "Within the docker-config artifact (~/.docker/config.json): auths[].auth field with base64(user:password) AND no credHelpers / credsStore for that registry",
           "description": "Docker registry credentials in cleartext (base64 is not encryption). credHelpers/credsStore would route to OS keychain or cloud-IAM-federated path.",
           "confidence": "deterministic",
           "deterministic": true,
@@ -468,7 +468,7 @@
         {
           "id": "ssh-key-rsa-short-bits",
           "type": "log_pattern",
-          "value": "ssh-keygen reports RSA key with bit-length < 3072 OR DSA key of any size",
+          "value": "Within the ssh-keys-inventory artifact: ssh-keygen reports any RSA key with bit-length < 3072 OR DSA key of any size",
           "description": "Weak SSH key. RSA-2048 is acceptable but trending out; RSA-1024 / DSA are deprecated. Cryptographic posture issue.",
           "confidence": "high",
           "deterministic": false
@@ -476,7 +476,7 @@
         {
           "id": "ssh-key-old",
           "type": "behavioral_signal",
-          "value": "Any ~/.ssh/id_* file with mtime > 365 days ago",
+          "value": "Within the ssh-keys-inventory artifact: any ~/.ssh/id_* file with mtime > 365 days ago; cross-reference the ssh-config artifact — if ssh-config carries no CertificateFile / ProxyJump bastion-mediated entry covering the same host, the stale raw key is the sole auth path",
           "description": "Stale SSH key. Predates likely org rotation cadence; predates likely AAL/FIDO2 enrollment.",
           "confidence": "high",
           "deterministic": false
@@ -484,7 +484,7 @@
         {
           "id": "gpg-key-old-or-weak",
           "type": "log_pattern",
-          "value": "gpg --list-secret-keys reports a secret key with algorithm DSA OR RSA<3072 OR creation date > 5 years AND no expiration set",
+          "value": "Within the gpg-keys artifact: any secret key reported with algorithm DSA OR RSA<3072 OR creation date > 5 years AND no expiration set",
           "description": "Weak or never-expiring GPG private key. Long-lived signing credential outside any rotation cadence.",
           "confidence": "high",
           "deterministic": false
@@ -501,8 +501,8 @@
         {
           "id": "all-stores-empty-or-federated",
           "type": "behavioral_signal",
-          "value": "Inventory shows zero static credentials AND every present store uses exec: / sso_session / credsStore / type=external_account (federated paths) OR is empty",
-          "description": "Clean federated posture. AAL3-equivalent. Not a finding; emit as positive evidence.",
+          "value": "Across the union of aws-credentials, aws-sso-cache, kube-config, gcloud-credentials, docker-config, npmrc, pypirc, gpg-keys, ssh-keys-inventory, ssh-config, and keychain-inventory artifacts: inventory shows zero static credentials AND every present store uses exec: / sso_session / credsStore / type=external_account (federated paths) OR is empty",
+          "description": "Clean federated posture. AAL3-equivalent. Not a finding; emit as positive evidence. The keychain-inventory artifact serves as the compensating-store check — when OS-keychain-resident items account for the credential surface, the on-disk stores can legitimately be empty.",
           "confidence": "high",
           "deterministic": false
         }