npm - rtexit-method - Versions diffs - 0.1.0 → 0.1.2 - Mend

rtexit-method 0.1.0 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (224) hide show

package/packaged-assets/.agents/skills/rt-remediation-roadmap/SKILL.md ADDED Viewed

@@ -0,0 +1,665 @@
+---
+name: rt-remediation-roadmap
+description: "Build prioritized remediation roadmap from all findings. Groups by timeline: Critical (0-24h), High (1-7 days), Medium (1-30 days), Low (1-3 months). Includes effort estimates (hours), responsible team (Dev/Ops/Security/Management), verification steps, and business risk reduction percentage per group. Creates executive-friendly Gantt-style timeline."
+---
+# rt-remediation-roadmap — Skill Guide
+## 1. Overview and Purpose
+The `rt-remediation-roadmap` skill transforms a completed red team engagement's raw findings into a structured, actionable remediation plan that both technical teams and executive leadership can act on immediately.
+### Where It Fits in the Engagement Lifecycle
+```
+Reconnaissance → Exploitation → Lateral Movement → Exfiltration
+      ↓                ↓               ↓                ↓
+  finding_tracker.py collects all findings throughout engagement
+                         ↓
+              [Engagement Close-Out]
+                         ↓
+         rt-remediation-roadmap  ←── YOU ARE HERE
+                         ↓
+         autodoc_engine.py renders final deliverable
+                         ↓
+              Executive Briefing / Client Handoff
+```
+This skill is the final technical step before report delivery. It answers the client's most pressing question: "We have 47 findings — where do we start, who does what, and how long will it take?"
+### What This Skill Produces
+- A timeline-bucketed remediation plan (Critical / High / Medium / Low)
+- Per-finding effort estimates in engineer-hours
+- Responsible team assignment (Dev / Ops / Security / Management)
+- Verification steps for each remediation item
+- Business risk reduction percentage per timeline bucket
+- An executive Gantt-style timeline visual (ASCII or Markdown table)
+- Integration-ready JSON/YAML output for finding_tracker.py status tracking
+---
+## 2. Step-by-Step Workflow
+### Step 1 — Pull Findings from finding_tracker.py
+Before building the roadmap, export all open findings from the tracker:
+```bash
+python finding_tracker.py export --status open --format json --out findings_export.json
+```
+Review the export to confirm:
+- Every finding has a CVSS score or manual severity rating
+- Each finding has an affected asset tag (e.g., `web-app`, `internal-network`, `ad-domain`)
+- No duplicate finding IDs exist
+If findings are missing severity scores, assign them now using the tracker's update command:
+```bash
+python finding_tracker.py update --id RT-2025-0041 --severity critical --cvss 9.8
+```
+### Step 2 — Triage and Bucket Findings
+Apply the following bucketing criteria. Use business context to override pure CVSS scores when warranted (e.g., a CVSS 7.5 finding on a PCI-scoped system may warrant Critical treatment).
+| Bucket   | Default Trigger                          | Timeline   |
+|----------|------------------------------------------|------------|
+| Critical | CVSS >= 9.0 OR active exploitation path  | 0–24 hours |
+| High     | CVSS 7.0–8.9 OR significant data access  | 1–7 days   |
+| Medium   | CVSS 4.0–6.9 OR hardening gap            | 1–30 days  |
+| Low      | CVSS < 4.0 OR informational / best practice | 1–3 months |
+Document any overrides with a brief justification in the `override_reason` field.
+### Step 3 — Estimate Remediation Effort
+For each finding, assign an effort estimate in engineer-hours using this reference table:
+| Finding Type                          | Low Estimate | High Estimate |
+|---------------------------------------|-------------|---------------|
+| Patch/version update (single system)  | 1h          | 4h            |
+| Patch/version update (fleet rollout)  | 4h          | 16h           |
+| Configuration change (single system)  | 0.5h        | 2h            |
+| Configuration change (policy/GPO)     | 2h          | 8h            |
+| Code fix (input validation)           | 2h          | 8h            |
+| Code fix (auth/session logic)         | 4h          | 24h           |
+| Architecture change (network segment) | 16h         | 80h           |
+| Process/policy creation               | 4h          | 16h           |
+| Security tooling deployment           | 8h          | 40h           |
+Always provide a range and note dependencies (e.g., "requires change freeze window").
+### Step 4 — Assign Responsible Teams
+Use these standard team labels. Assign primary and, where needed, secondary teams:
+- **Dev** — Application development team; owns code-level fixes
+- **Ops** — Infrastructure / SRE / DevOps; owns system configuration and patching
+- **Security** — Internal security team; owns tooling, policy, and verification
+- **Management** — Executive sponsor; owns resource allocation and policy sign-off
+A finding may have multiple teams listed (e.g., `Dev + Security` for a vulnerability requiring both a code fix and WAF rule).
+### Step 5 — Write Verification Steps
+Each remediation item must include specific, testable verification steps. Generic statements like "verify the fix was applied" are not acceptable. Write steps an analyst can run on Day 1 after remediation:
+Good example:
+```
+Verification for RT-2025-0038 (SQLi on /api/orders endpoint):
+1. Run sqlmap against https://orders.acme.com/api/orders?id=1 with tamper=space2comment
+2. Confirm all payloads return HTTP 400 with no database error strings in response body
+3. Review application WAF logs to confirm rule RT-SQL-001 is triggering on test payloads
+4. Run DAST scan profile "OWASP-SQLi" and confirm zero findings on endpoint
+```
+### Step 6 — Calculate Business Risk Reduction
+Assign a business risk reduction percentage to each timeline bucket. This represents the estimated reduction in overall organizational risk exposure if all items in that bucket are remediated.
+Use this formula as a starting point:
+```
+Risk Reduction % = (Sum of CVSS scores in bucket / Sum of all CVSS scores) * exploitability_weight
+```
+Where `exploitability_weight` is:
+- 1.3x if the engagement demonstrated active exploitation of findings in this bucket
+- 1.0x for theoretical/undemonstrated findings
+- 0.7x for informational/hardening items
+Round to the nearest 5% for executive readability. These numbers will be challenged — document your methodology.
+### Step 7 — Build the Gantt Timeline
+Create the executive-facing Gantt table using the template in Section 3. The timeline must be calendar-anchored to the report delivery date, not relative ("Week 1" is ambiguous — use "June 2–6, 2025").
+### Step 8 — Write to autodoc_engine.py
+Pass the completed roadmap data to the autodoc engine for rendering into the final report:
+```bash
+python autodoc_engine.py render \
+  --template remediation_roadmap \
+  --data roadmap_data.json \
+  --out reports/acme-corp-remediation-roadmap.md \
+  --client "Acme Corporation" \
+  --engagement-id RT-2025-Q2-ACME
+```
+Then update finding_tracker.py with roadmap assignments:
+```bash
+python finding_tracker.py bulk-update \
+  --from-roadmap roadmap_data.json \
+  --set-status "remediation_assigned"
+```
+---
+## 3. Templates with Example Content
+### 3.1 Roadmap Data JSON (input to autodoc_engine.py)
+```json
+{
+  "engagement_id": "RT-2025-Q2-ACME",
+  "client": "Acme Corporation",
+  "report_delivery_date": "2025-06-01",
+  "analyst": "M. Hegazy",
+  "total_findings": 18,
+  "business_risk_reduction_if_all_remediated": "94%",
+  "buckets": [
+    {
+      "label": "Critical",
+      "timeline": "0–24 hours",
+      "deadline": "2025-06-02",
+      "risk_reduction_pct": 42,
+      "findings": [
+        {
+          "id": "RT-2025-0001",
+          "title": "Domain Admin via AS-REP Roasting — svc_backup account",
+          "cvss": 9.8,
+          "asset": "ad.acme.internal",
+          "affected_systems": ["DC01.acme.internal", "DC02.acme.internal"],
+          "effort_hours": "2–4",
+          "primary_team": "Ops",
+          "secondary_team": "Security",
+          "override_reason": null,
+          "remediation_steps": [
+            "Enable Kerberos pre-authentication on svc_backup account in Active Directory Users and Computers",
+            "Audit all service accounts for DONT_REQUIRE_PREAUTH flag: Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true}",
+            "Reset svc_backup password to 25+ character random string and store in PAM vault",
+            "Review svc_backup permissions — principle of least privilege audit required"
+          ],
+          "verification_steps": [
+            "Run: impacket-GetNPUsers acme.internal/ -usersfile service_accounts.txt -no-pass",
+            "Confirm svc_backup no longer returns AS-REP hash",
+            "Verify EventID 4768 logs show pre-auth required for all service accounts"
+          ]
+        },
+        {
+          "id": "RT-2025-0002",
+          "title": "Unauthenticated RCE — Apache Struts 2.5.28 (CVE-2023-50164)",
+          "cvss": 9.8,
+          "asset": "erp.acme.com",
+          "affected_systems": ["erp.acme.com (10.20.1.45)"],
+          "effort_hours": "1–2",
+          "primary_team": "Ops",
+          "secondary_team": "Dev",
+          "override_reason": null,
+          "remediation_steps": [
+            "Upgrade Apache Struts to 2.5.33 or 6.3.0.2 immediately",
+            "Deploy WAF rule to block multipart content-type path traversal patterns as interim control",
+            "Isolate erp.acme.com from internal network segments until patch is confirmed"
+          ],
+          "verification_steps": [
+            "Confirm Struts version: curl -s https://erp.acme.com/struts2-showcase/ | grep 'Struts'",
+            "Run PoC script RT-CVE-2023-50164-check.py against patched host — must return 'NOT VULNERABLE'",
+            "Verify WAF logs show blocked multipart traversal attempts"
+          ]
+        }
+      ]
+    },
+    {
+      "label": "High",
+      "timeline": "1–7 days",
+      "deadline": "2025-06-08",
+      "risk_reduction_pct": 31,
+      "findings": [
+        {
+          "id": "RT-2025-0005",
+          "title": "Kerberoastable Service Account with Weak Password — svc_sql",
+          "cvss": 8.1,
+          "asset": "ad.acme.internal",
+          "affected_systems": ["SQL01.acme.internal"],
+          "effort_hours": "1–3",
+          "primary_team": "Ops",
+          "secondary_team": "Security",
+          "override_reason": null,
+          "remediation_steps": [
+            "Rotate svc_sql password to 30+ character random string",
+            "Convert svc_sql to Managed Service Account (gMSA) to eliminate manual password management",
+            "Audit all SPN-registered accounts: Get-ADUser -Filter {ServicePrincipalName -ne '$null'}"
+          ],
+          "verification_steps": [
+            "Run: impacket-GetUserSPNs acme.internal/analyst:password -dc-ip 10.10.1.10",
+            "Attempt offline crack of new svc_sql hash with rockyou.txt — should not crack within 24h",
+            "Confirm gMSA conversion in AD: Get-ADServiceAccount -Identity svc_sql"
+          ]
+        },
+        {
+          "id": "RT-2025-0006",
+          "title": "SSRF in Document Preview Service — Internal AWS Metadata Accessible",
+          "cvss": 7.7,
+          "asset": "app.acme.com",
+          "affected_systems": ["app.acme.com /api/v2/preview"],
+          "effort_hours": "4–8",
+          "primary_team": "Dev",
+          "secondary_team": "Security",
+          "override_reason": null,
+          "remediation_steps": [
+            "Implement allowlist-based URL validation for preview endpoint — deny all private RFC1918 ranges and 169.254.0.0/16",
+            "Deploy IMDSv2 on all EC2 instances to require session tokens for metadata access",
+            "Add egress filtering on preview service container to block metadata IP 169.254.169.254"
+          ],
+          "verification_steps": [
+            "Submit request: POST /api/v2/preview with url=http://169.254.169.254/latest/meta-data/",
+            "Confirm response is HTTP 400 with error 'URL not permitted'",
+            "Verify IMDSv2 enforcement: aws ec2 describe-instances --query 'HttpTokens' must return 'required'"
+          ]
+        }
+      ]
+    },
+    {
+      "label": "Medium",
+      "timeline": "1–30 days",
+      "deadline": "2025-07-01",
+      "risk_reduction_pct": 16,
+      "findings": [
+        {
+          "id": "RT-2025-0009",
+          "title": "Missing HTTP Security Headers — X-Frame-Options, CSP Absent",
+          "cvss": 5.4,
+          "asset": "portal.acme.com",
+          "affected_systems": ["portal.acme.com"],
+          "effort_hours": "2–4",
+          "primary_team": "Dev",
+          "secondary_team": null,
+          "override_reason": null,
+          "remediation_steps": [
+            "Add to nginx.conf: add_header X-Frame-Options 'SAMEORIGIN';",
+            "Implement Content-Security-Policy header — start with report-only mode for 1 week before enforcing",
+            "Add Permissions-Policy header to restrict camera/microphone/geolocation"
+          ],
+          "verification_steps": [
+            "Run: curl -I https://portal.acme.com | grep -E 'X-Frame|Content-Security|Permissions-Policy'",
+            "Verify all three headers present with correct values",
+            "Run Mozilla Observatory scan — target score B+ or above"
+          ]
+        },
+        {
+          "id": "RT-2025-0010",
+          "title": "Default Credentials on Grafana Instance — admin:admin",
+          "cvss": 6.8,
+          "asset": "monitoring.acme.internal",
+          "affected_systems": ["monitoring.acme.internal:3000"],
+          "effort_hours": "0.5–1",
+          "primary_team": "Ops",
+          "secondary_team": null,
+          "override_reason": null,
+          "remediation_steps": [
+            "Change admin password immediately to 20+ character random string",
+            "Disable local admin login and enforce SSO via SAML/OIDC with corporate IdP",
+            "Restrict Grafana access to VPN/internal network only — remove public exposure"
+          ],
+          "verification_steps": [
+            "Attempt login with admin:admin — must return 401",
+            "Confirm Grafana is not accessible from external IPs via nmap scan from external vantage point",
+            "Verify SSO login flow works for standard users"
+          ]
+        }
+      ]
+    },
+    {
+      "label": "Low",
+      "timeline": "1–3 months",
+      "deadline": "2025-09-01",
+      "risk_reduction_pct": 5,
+      "findings": [
+        {
+          "id": "RT-2025-0015",
+          "title": "TLS 1.0/1.1 Enabled on Legacy API Gateway",
+          "cvss": 3.7,
+          "asset": "api-legacy.acme.com",
+          "affected_systems": ["api-legacy.acme.com:443"],
+          "effort_hours": "1–2",
+          "primary_team": "Ops",
+          "secondary_team": null,
+          "override_reason": null,
+          "remediation_steps": [
+            "Disable TLS 1.0 and 1.1 in nginx SSL configuration",
+            "Enforce TLS 1.2 minimum with TLS 1.3 preferred",
+            "Update cipher suite to modern AEAD-only list"
+          ],
+          "verification_steps": [
+            "Run: nmap --script ssl-enum-ciphers -p 443 api-legacy.acme.com",
+            "Confirm TLS 1.0 and 1.1 are absent from supported protocols",
+            "Run testssl.sh and confirm grade A-"
+          ]
+        }
+      ]
+    }
+  ]
+}
+```
+### 3.2 Executive Gantt Timeline (Markdown output)
+```markdown
+## Remediation Roadmap — Acme Corporation
+**Engagement:** RT-2025-Q2-ACME | **Delivered:** June 1, 2025 | **Analyst:** M. Hegazy
+| Phase    | Timeline        | Calendar Window    | Findings | Effort   | Owner(s)         | Risk Reduction |
+|----------|-----------------|--------------------|----------|----------|------------------|----------------|
+| Critical | 0–24 hours      | Jun 2, 2025        | 2        | 3–6h     | Ops + Security   | -42%           |
+| High     | 1–7 days        | Jun 2–8, 2025      | 4        | 12–28h   | Dev + Ops        | -31%           |
+| Medium   | 1–30 days       | Jun 2 – Jul 1      | 8        | 18–44h   | Dev + Ops        | -16%           |
+| Low      | 1–3 months      | Jun 2 – Sep 1      | 4        | 8–20h    | Ops + Security   | -5%            |
+| **TOTAL**|                 |                    | **18**   | **41–98h** |                | **-94%**       |
+### Visual Timeline
+```
+Jun 2025       Jul 2025       Aug 2025       Sep 2025
+|              |              |              |
+█ CRITICAL (Jun 2)
+████████ HIGH (Jun 2–8)
+████████████████████████████ MEDIUM (Jun 2 – Jul 1)
+████████████████████████████████████████████████████████████ LOW (Jun 2 – Sep 1)
+```
+> Risk reduction percentages represent estimated reduction in overall organizational
+> risk exposure based on CVSS scoring and exploitability demonstrated during engagement.
+> Percentages are additive across sequential phases.
+```
+---
+## 4. Integration with finding_tracker.py and autodoc_engine.py
+### finding_tracker.py Integration
+The roadmap skill reads from and writes back to finding_tracker.py at multiple points:
+**Read: Export findings before bucketing**
+```bash
+# Export all open findings sorted by CVSS descending
+python finding_tracker.py export \
+  --status open \
+  --sort cvss-desc \
+  --format json \
+  --out findings_export.json
+# Export with asset filter for scoped roadmaps
+python finding_tracker.py export \
+  --status open \
+  --asset-tag web-app \
+  --format json \
+  --out findings_webapp_only.json
+```
+**Write: Update findings with roadmap assignments**
+```bash
+# Bulk update all findings with bucket, team, and deadline
+python finding_tracker.py bulk-update \
+  --from-roadmap roadmap_data.json \
+  --set-status "remediation_assigned"
+# Update individual finding status after client confirms fix
+python finding_tracker.py update \
+  --id RT-2025-0001 \
+  --status "remediation_in_progress" \
+  --assigned-team "Ops" \
+  --deadline "2025-06-02"
+```
+**Query: Track remediation progress post-delivery**
+```bash
+# Show remediation completion dashboard
+python finding_tracker.py status-report \
+  --engagement RT-2025-Q2-ACME \
+  --format table
+# Show overdue critical/high items
+python finding_tracker.py overdue \
+  --severity critical,high \
+  --engagement RT-2025-Q2-ACME
+```
+**Expected finding_tracker.py finding schema fields used by this skill:**
+| Field              | Type     | Required | Description                              |
+|--------------------|----------|----------|------------------------------------------|
+| `id`               | string   | Yes      | Unique finding ID (e.g., RT-2025-0001)   |
+| `title`            | string   | Yes      | Short descriptive title                  |
+| `cvss`             | float    | Yes      | CVSS 3.x base score                      |
+| `severity`         | string   | Yes      | critical/high/medium/low                 |
+| `asset`            | string   | Yes      | Asset hostname or tag                    |
+| `status`           | string   | Yes      | Lifecycle status                         |
+| `assigned_team`    | string   | No       | Set by roadmap skill                     |
+| `deadline`         | date     | No       | Set by roadmap skill                     |
+| `roadmap_bucket`   | string   | No       | Set by roadmap skill                     |
+| `effort_hours`     | string   | No       | Range string, e.g., "4–8"               |
+### autodoc_engine.py Integration
+The autodoc engine consumes `roadmap_data.json` and renders it against the `remediation_roadmap` template:
+```bash
+# Standard render
+python autodoc_engine.py render \
+  --template remediation_roadmap \
+  --data roadmap_data.json \
+  --out reports/acme-corp-remediation-roadmap.md \
+  --client "Acme Corporation" \
+  --engagement-id RT-2025-Q2-ACME
+# With custom branding/logo path
+python autodoc_engine.py render \
+  --template remediation_roadmap \
+  --data roadmap_data.json \
+  --out reports/acme-corp-remediation-roadmap.md \
+  --client "Acme Corporation" \
+  --engagement-id RT-2025-Q2-ACME \
+  --logo assets/acme-logo.png \
+  --theme corporate-blue
+# Render executive summary only (no technical details)
+python autodoc_engine.py render \
+  --template remediation_roadmap_exec \
+  --data roadmap_data.json \
+  --out reports/acme-corp-exec-summary.md \
+  --client "Acme Corporation" \
+  --engagement-id RT-2025-Q2-ACME
+```
+**Template variants available:**
+| Template Name                  | Audience         | Includes Technical Detail |
+|-------------------------------|------------------|--------------------------|
+| `remediation_roadmap`          | Security team    | Yes — full steps         |
+| `remediation_roadmap_exec`     | C-suite / board  | No — risk % and timeline only |
+| `remediation_roadmap_ticketed` | Dev / Ops teams  | Yes — formatted as tickets |
+**autodoc_engine.py variable mapping:**
+The engine expects these top-level keys in `roadmap_data.json`:
+```
+engagement_id          → report header
+client                 → report header and footer
+report_delivery_date   → timeline anchor for Gantt
+analyst                → sign-off block
+total_findings         → executive summary stat
+business_risk_reduction_if_all_remediated → executive summary stat
+buckets[]              → each bucket becomes a report section
+  buckets[].label      → section heading
+  buckets[].deadline   → Gantt calendar date
+  buckets[].risk_reduction_pct → risk bar chart value
+  buckets[].findings[] → finding detail rows
+```
+---
+## 5. Quality Checklist
+Run through this checklist before finalizing the roadmap. Every item must be checked before the document is delivered to the client.
+### Completeness
+- [ ] Every open finding from finding_tracker.py appears in exactly one bucket
+- [ ] No finding is bucketed in two places
+- [ ] All findings have a non-null `effort_hours` value
+- [ ] All findings have a `primary_team` assigned
+- [ ] Every finding has at least two `verification_steps`
+- [ ] The `business_risk_reduction_if_all_remediated` percentage sums correctly across buckets
+### Accuracy
+- [ ] CVSS scores match the finding_tracker.py records (no manual edits without override justification)
+- [ ] All override decisions are documented with `override_reason` text
+- [ ] Deadline dates are calendar dates, not relative ("7 days from now")
+- [ ] Effort estimates account for testing/staging environments, not just production application
+### Clarity (Executive-Facing Content)
+- [ ] No jargon in executive Gantt section (no "AS-REP Roasting", "Kerberoasting" — use plain English)
+- [ ] Risk reduction percentages are rounded to nearest 5%
+- [ ] Visual timeline renders correctly in both light and dark mode Markdown viewers
+- [ ] Client name spelled correctly throughout (run: grep -i "acme" report.md | head -20)
+### Verification Steps Quality
+- [ ] Every verification step uses specific commands, not vague instructions
+- [ ] Commands include actual tool names (nmap, sqlmap, curl, impacket-*)
+- [ ] Expected output or pass/fail condition is stated
+- [ ] Steps are runnable by the client's internal security team without red team access
+### Finding Descriptions
+- [ ] Title is specific enough that two separate findings are not confused
+- [ ] Affected systems list is accurate and current (re-verify against scope doc)
+- [ ] Remediation steps are ordered logically (interim controls before permanent fixes)
+---
+## 6. Example Output — Finished Product Excerpt
+Below is a complete rendered section as it would appear in the final client deliverable.
+---
+### CRITICAL — Remediate Within 24 Hours
+**Deadline: June 2, 2025 | Risk Reduction: 42% | Owner: Ops + Security**
+Immediate action is required on the following two findings. Both were actively exploited during the engagement and represent a direct path to full domain compromise and data exfiltration. These items should be treated as an active incident response scenario, not a scheduled remediation task.
+---
+**RT-2025-0001 | Domain Admin via AS-REP Roasting — svc_backup**
+- **Asset:** ad.acme.internal (DC01, DC02)
+- **CVSS:** 9.8 (Critical)
+- **Effort:** 2–4 hours
+- **Primary Team:** Ops | **Secondary:** Security
+During the engagement, the `svc_backup` service account was found to have Kerberos pre-authentication disabled. An unauthenticated attacker on the internal network requested an AS-REP response for this account and cracked the resulting hash offline within 8 minutes using Hashcat on a modest GPU, yielding the cleartext password `Backup2022!`. This account held Domain Admin privileges.
+**Remediation Steps:**
+1. Enable Kerberos pre-authentication on `svc_backup` in Active Directory Users and Computers immediately.
+2. Audit all service accounts for the `DONT_REQUIRE_PREAUTH` flag:
+   `Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties DoesNotRequirePreAuth`
+3. Reset `svc_backup` password to a 25+ character random string and store in the PAM vault.
+4. Initiate a least-privilege audit on `svc_backup` — Domain Admin rights are not justified for a backup service account.
+**Verification Steps:**
+1. Run `impacket-GetNPUsers acme.internal/ -usersfile service_accounts.txt -no-pass` from an internal network host.
+2. Confirm `svc_backup` does not return an AS-REP hash in the output.
+3. Verify EventID 4768 logs in the Windows Security event log show `Pre-Authentication Type: 2` for `svc_backup`.
+---
+**RT-2025-0002 | Unauthenticated RCE — Apache Struts 2.5.28 (CVE-2023-50164)**
+- **Asset:** erp.acme.com (10.20.1.45)
+- **CVSS:** 9.8 (Critical)
+- **Effort:** 1–2 hours
+- **Primary Team:** Ops | **Secondary:** Dev
+The ERP application runs Apache Struts 2.5.28, which is vulnerable to CVE-2023-50164, a critical file upload path traversal vulnerability that enables unauthenticated remote code execution. The engagement demonstrated full RCE, achieving a shell running as `www-data` with subsequent privilege escalation to root via a local sudo misconfiguration.
+**Remediation Steps:**
+1. Upgrade Apache Struts to version 2.5.33 or 6.3.0.2 immediately. Test in staging first; estimated 1 hour if staging mirrors production.
+2. As an interim control, deploy a WAF rule blocking multipart content-type requests containing `../` or `%2e%2e%2f` patterns.
+3. Isolate `erp.acme.com` from all internal network segments (firewall rule: deny all inbound except port 443 from load balancer) until patch is confirmed in production.
+**Verification Steps:**
+1. Confirm Struts version post-patch: `curl -s https://erp.acme.com/struts2-showcase/ | grep -i struts`
+2. Run the engagement's PoC verification script: `python RT-CVE-2023-50164-check.py --target https://erp.acme.com` — output must be `[NOT VULNERABLE]`.
+3. Verify WAF logs show blocked multipart traversal attempts during the verification test.
+---
+## 7. Common Mistakes to Avoid
+### Mistake 1 — Vague Verification Steps
+**Bad:**
+> "Verify that the patch has been applied and the vulnerability is resolved."
+**Good:**
+> "Run `nmap --script http-struts2-multi-ite -p 443 erp.acme.com` and confirm the output shows 'VULNERABLE: false'. Then run the PoC script from the engagement toolkit."
+Clients cannot verify what they cannot measure. Vague steps lead to false confidence.
+---
+### Mistake 2 — Ignoring Business Context in Bucketing
+Applying CVSS scores mechanically without considering environment produces a misleading roadmap. A CVSS 6.5 finding on a system that processes all payment card data may be more urgent than a CVSS 8.0 finding on a dev box with no sensitive data. Always ask: "What is the worst realistic outcome if this is exploited tomorrow?"
+---
+### Mistake 3 — Missing Interim Controls
+Remediation of complex findings (architecture changes, major code refactors) can take weeks. Every Critical and High finding must have at least one interim control documented alongside the permanent fix. Examples: WAF rules, network segmentation, account disablement, feature flags to disable vulnerable functionality.
+---
+### Mistake 4 — Assigning Unrealistic Effort Estimates
+Effort estimates that are too low destroy trust when teams miss deadlines. Be conservative. Account for:
+- Change advisory board (CAB) approval cycles (often 1–2 weeks for production changes)
+- Testing in staging environments
+- Rollback planning
+- Communication and coordination time across teams
+---
+### Mistake 5 — Putting Technical Jargon in the Executive Section
+The Gantt timeline and risk summary table are read by CISOs, CTOs, and board members. "AS-REP Roasting" and "Kerberoasting" mean nothing to them. Use: "Weak password on privileged service account — cracked in 8 minutes."
+---
+### Mistake 6 — Not Anchoring Timelines to Calendar Dates
+"Week 1", "Day 7", "Month 2" are useless in a delivered report. The report may sit in legal review for three weeks before the client reads it. Always use actual calendar dates anchored to the report delivery date. Update dates if delivery is delayed.
+---
+### Mistake 7 — Forgetting to Update finding_tracker.py
+The roadmap is not a static document — it is a living artifact. After delivery, the tracker should reflect assignment status. Failure to update the tracker means progress checks, follow-up assessments, and closure verification all operate on stale data.
+Run after every client status meeting:
+```bash
+python finding_tracker.py update --id RT-2025-0001 --status "remediation_complete" --closed-date "2025-06-02"
+python finding_tracker.py status-report --engagement RT-2025-Q2-ACME
+```
+---
+### Mistake 8 — Risk Reduction Percentages That Don't Add Up
+If Critical = 42%, High = 31%, Medium = 16%, Low = 5%, the total should be 94% (not 100% — there is always residual risk). Percentages that sum to exactly 100% look fabricated. Percentages greater than 100% are a math error. Review the methodology documented in Step 6 before finalizing.