security-mcp 1.1.4 → 1.3.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +341 -1018
- package/defaults/checklists/ai.json +20 -1
- package/defaults/checklists/api.json +35 -1
- package/defaults/checklists/infra.json +34 -1
- package/defaults/checklists/mobile.json +23 -1
- package/defaults/checklists/payments.json +15 -1
- package/defaults/checklists/web.json +11 -1
- package/defaults/cloud-controls/aws.json +10712 -0
- package/defaults/cloud-controls/azure.json +7201 -0
- package/defaults/cloud-controls/gcp.json +4061 -0
- package/defaults/control-catalog.json +24 -0
- package/defaults/security-policy.json +2 -2
- package/dist/ci/pr-gate.js +22 -5
- package/dist/cli/index.js +73 -2
- package/dist/cli/install.js +4 -55
- package/dist/cli/onboarding.js +18 -10
- package/dist/gate/baseline.js +82 -7
- package/dist/gate/catalog.js +10 -2
- package/dist/gate/checks/agentic-instructions.js +515 -0
- package/dist/gate/checks/ai-governance.js +132 -0
- package/dist/gate/checks/ai.js +757 -39
- package/dist/gate/checks/auth-deep.js +920 -216
- package/dist/gate/checks/business-logic.js +751 -0
- package/dist/gate/checks/ci-pipeline.js +399 -4
- package/dist/gate/checks/cloud-controls.js +69 -0
- package/dist/gate/checks/crypto.js +423 -2
- package/dist/gate/checks/data-platform.js +954 -0
- package/dist/gate/checks/dependencies.js +582 -15
- package/dist/gate/checks/docker-deep.js +1236 -0
- package/dist/gate/checks/gitops.js +724 -0
- package/dist/gate/checks/graphql.js +201 -19
- package/dist/gate/checks/iac.js +1230 -0
- package/dist/gate/checks/infra.js +246 -1
- package/dist/gate/checks/injection-deep.js +827 -184
- package/dist/gate/checks/k8s.js +955 -2
- package/dist/gate/checks/mobile-android.js +917 -3
- package/dist/gate/checks/mobile-ios.js +797 -5
- package/dist/gate/checks/required-artifacts.js +194 -0
- package/dist/gate/checks/runtime.js +178 -0
- package/dist/gate/checks/secrets.js +256 -13
- package/dist/gate/checks/supply-chain-deep.js +787 -0
- package/dist/gate/checks/web-nextjs.js +572 -48
- package/dist/gate/cloud-controls/apply.js +115 -0
- package/dist/gate/cloud-controls/bicep.js +36 -0
- package/dist/gate/cloud-controls/cfn.js +125 -0
- package/dist/gate/cloud-controls/detect.js +104 -0
- package/dist/gate/cloud-controls/hcl.js +140 -0
- package/dist/gate/cloud-controls/types.js +87 -0
- package/dist/gate/diff.js +17 -5
- package/dist/gate/evidence.js +8 -1
- package/dist/gate/exceptions.js +202 -9
- package/dist/gate/findings.js +15 -2
- package/dist/gate/policy.js +316 -130
- package/dist/gate/threat-intel.js +6 -0
- package/dist/mcp/audit-chain.js +131 -28
- package/dist/mcp/auth.js +169 -0
- package/dist/mcp/learning.js +129 -4
- package/dist/mcp/model-router.js +161 -24
- package/dist/mcp/orchestration.js +377 -89
- package/dist/mcp/server.js +460 -69
- package/dist/mcp/tool-audit.js +193 -0
- package/dist/repo/fs.js +37 -1
- package/dist/repo/search.js +31 -6
- package/dist/review/store.js +56 -3
- package/dist/tests/run.js +124 -1
- package/package.json +9 -9
- package/skills/_TEMPLATE/SKILL.md +99 -0
- package/skills/advanced-dos-tester/SKILL.md +118 -0
- package/skills/agentic-instruction-auditor/SKILL.md +111 -0
- package/skills/agentic-loop-exploiter/SKILL.md +377 -0
- package/skills/ai-llm-redteam/SKILL.md +113 -0
- package/skills/ai-model-supply-chain-agent/SKILL.md +112 -0
- package/skills/algorithm-implementation-reviewer/SKILL.md +107 -0
- package/skills/android-penetration-tester/SKILL.md +464 -46
- package/skills/anti-replay-tester/SKILL.md +115 -0
- package/skills/appsec-code-auditor/SKILL.md +94 -0
- package/skills/artifact-integrity-analyst/SKILL.md +450 -0
- package/skills/attack-navigator/SKILL.md +476 -8
- package/skills/auth-session-hacker/SKILL.md +111 -0
- package/skills/aws-penetration-tester/SKILL.md +510 -0
- package/skills/azure-penetration-tester/SKILL.md +542 -3
- package/skills/binary-auth-validator/SKILL.md +120 -0
- package/skills/bot-detection-specialist/SKILL.md +118 -0
- package/skills/business-logic-attacker/SKILL.md +240 -0
- package/skills/capec-code-mapper/SKILL.md +93 -0
- package/skills/cert-pin-rotation-specialist/SKILL.md +121 -0
- package/skills/cicd-pipeline-hijacker/SKILL.md +414 -0
- package/skills/ciso-orchestrator/SKILL.md +465 -43
- package/skills/cloud-infra-specialist/SKILL.md +127 -0
- package/skills/compliance-gap-analyst/SKILL.md +431 -0
- package/skills/compliance-grc/SKILL.md +94 -0
- package/skills/compliance-lifecycle-tracker/SKILL.md +93 -0
- package/skills/container-hardening-auditor/SKILL.md +125 -0
- package/skills/credential-stuffing-specialist/SKILL.md +111 -0
- package/skills/crypto-pki-specialist/SKILL.md +96 -0
- package/skills/csa-ccm-mapper/SKILL.md +93 -0
- package/skills/csf2-governance-mapper/SKILL.md +93 -0
- package/skills/data-platform-auditor/SKILL.md +125 -0
- package/skills/deep-link-fuzzer/SKILL.md +118 -0
- package/skills/dependency-confusion-attacker/SKILL.md +424 -0
- package/skills/device-integrity-aggregator/SKILL.md +117 -0
- package/skills/dos-resilience-tester/SKILL.md +106 -0
- package/skills/dread-scorer/SKILL.md +93 -0
- package/skills/egress-policy-enforcer/SKILL.md +108 -0
- package/skills/evidence-collector/SKILL.md +107 -0
- package/skills/file-upload-attacker/SKILL.md +118 -0
- package/skills/gcp-penetration-tester/SKILL.md +510 -2
- package/skills/git-history-secret-scanner/SKILL.md +115 -0
- package/skills/gitops-delivery-auditor/SKILL.md +120 -0
- package/skills/iac-security-auditor/SKILL.md +125 -0
- package/skills/iam-privesc-graph-builder/SKILL.md +161 -0
- package/skills/incident-responder/SKILL.md +120 -0
- package/skills/injection-specialist/SKILL.md +111 -0
- package/skills/ios-security-auditor/SKILL.md +291 -0
- package/skills/json-ambiguity-tester/SKILL.md +145 -0
- package/skills/k8s-container-escaper/SKILL.md +406 -0
- package/skills/key-management-lifecycle-analyst/SKILL.md +107 -0
- package/skills/kill-switch-engineer/SKILL.md +111 -0
- package/skills/linddun-privacy-analyst/SKILL.md +111 -0
- package/skills/logic-race-fuzzer/SKILL.md +452 -0
- package/skills/mobile-api-network-attacker/SKILL.md +430 -0
- package/skills/mobile-binary-hardener/SKILL.md +111 -0
- package/skills/mobile-security-specialist/SKILL.md +94 -0
- package/skills/mobile-webview-auditor/SKILL.md +105 -0
- package/skills/model-extraction-attacker/SKILL.md +228 -0
- package/skills/multipart-abuse-tester/SKILL.md +93 -0
- package/skills/oauth-pkce-specialist/SKILL.md +113 -0
- package/skills/parser-exhaustion-tester/SKILL.md +151 -0
- package/skills/pentest-infra/SKILL.md +107 -0
- package/skills/pentest-social/SKILL.md +210 -0
- package/skills/pentest-team/SKILL.md +96 -0
- package/skills/pentest-web-api/SKILL.md +107 -0
- package/skills/privacy-flow-analyst/SKILL.md +243 -0
- package/skills/prompt-injection-specialist/SKILL.md +403 -0
- package/skills/quantum-migration-planner/SKILL.md +105 -0
- package/skills/rag-poisoning-specialist/SKILL.md +367 -0
- package/skills/registry-mirror-enforcer/SKILL.md +93 -0
- package/skills/rotation-validation-agent/SKILL.md +121 -0
- package/skills/samm-assessor/SKILL.md +94 -0
- package/skills/secrets-mask-bypass-tester/SKILL.md +109 -0
- package/skills/senior-security-engineer/SKILL.md +178 -0
- package/skills/serialization-memory-attacker/SKILL.md +341 -0
- package/skills/session-timeout-tester/SKILL.md +170 -0
- package/skills/slsa-level3-enforcer/SKILL.md +121 -0
- package/skills/slsa-provenance-enforcer/SKILL.md +111 -0
- package/skills/ssrf-detection-validator/SKILL.md +117 -0
- package/skills/step-up-auth-enforcer/SKILL.md +93 -0
- package/skills/stride-pasta-analyst/SKILL.md +429 -0
- package/skills/supply-chain-devsecops/SKILL.md +107 -0
- package/skills/threat-infrastructure-analyst/SKILL.md +93 -0
- package/skills/threat-modeler/SKILL.md +94 -0
- package/skills/tls-certificate-auditor/SKILL.md +582 -18
- package/skills/token-reuse-detector/SKILL.md +104 -0
- package/skills/trike-risk-modeler/SKILL.md +93 -0
- package/skills/unicode-homograph-tester/SKILL.md +93 -0
- package/skills/waf-rule-lifecycle-agent/SKILL.md +106 -0
- package/skills/webhook-security-tester/SKILL.md +111 -0
- package/skills/zero-trust-architect/SKILL.md +118 -0
|
@@ -35,6 +35,15 @@ On every finding resolved, emit:
|
|
|
35
35
|
}
|
|
36
36
|
```
|
|
37
37
|
|
|
38
|
+
## BEYOND THE CHECKS — AUTONOMOUS DETECT & FIX
|
|
39
|
+
|
|
40
|
+
The `infra`, `iac`, and `k8s` detection modules (`src/gate/checks/infra.ts`, `src/gate/checks/iac.ts`, `src/gate/checks/k8s.ts`) are your deterministic floor, not your ceiling. Treat their finding IDs as the minimum, then reason past single-line/single-file pattern matching — and APPLY the hardening fix (Edit), not just advise:
|
|
41
|
+
|
|
42
|
+
- **Cross-file / multi-step reasoning the regex can't do:** `infra.ts`/`iac.ts` can flag an open egress rule or a permissive security group in one Terraform file, but they cannot correlate that the same workload's IAM role (defined elsewhere) plus a reachable metadata endpoint plus a wide-open ASN range forms an exfiltration path an observed C2 cluster would use. Build the egress + IAM + network-segmentation graph across IaC, K8s manifests, and infra config.
|
|
43
|
+
- **Semantic / effective-state analysis:** map observed TTPs to the effective control state — does a `k8s.ts` NetworkPolicy gap actually permit the DoH-tunnelled C2 or HTTP/2 Rapid Reset pattern you attributed? Model bulletproof-ASN co-tenancy and CDN-fronted C2 against the real egress firewall, not the declared intent.
|
|
44
|
+
- **External corroboration:** WebSearch/WebFetch for current CVEs/advisories/threat-intel for the observed campaign (CISA KEV, MITRE ATT&CK technique pages, VirusTotal/AbuseIPDB/Shodan, RIPEstat BGP for ASN pivoting).
|
|
45
|
+
- **Apply & prove:** write the targeted defense inline (egress allowlist, NetworkPolicy, IMDSv2 enforcement, ASN-level block, stream-reset rate limit), re-run the `infra`/`iac`/`k8s` checks plus a `nmap`/`nuclei` reachability probe as a regression floor, then re-audit. Emit the LEARNING SIGNAL per fix; surface trade-offs against the secure default (deny-by-default egress vs. third-party integration reach).
|
|
46
|
+
|
|
38
47
|
## EXECUTION
|
|
39
48
|
|
|
40
49
|
### Phase 1 — Reconnaissance
|
|
@@ -165,3 +174,87 @@ If internet permitted:
|
|
|
165
174
|
- `requiredActions`: prioritized defensive actions
|
|
166
175
|
- `complianceImpact`: framework mappings
|
|
167
176
|
- `beyondSkillMd`: true — entirely beyond-policy
|
|
177
|
+
|
|
178
|
+
Every findings JSON MUST include `intelligenceForOtherAgents`:
|
|
179
|
+
```json
|
|
180
|
+
{
|
|
181
|
+
"intelligenceForOtherAgents": {
|
|
182
|
+
"forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "...", "exploitHint": "..." }],
|
|
183
|
+
"forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "...", "location": "..." }],
|
|
184
|
+
"forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "...", "escalationPath": "..." }],
|
|
185
|
+
"forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["..."], "releaseBlock": true }]
|
|
186
|
+
}
|
|
187
|
+
}
|
|
188
|
+
```
|
|
189
|
+
|
|
190
|
+
## BEYOND SKILL.MD
|
|
191
|
+
|
|
192
|
+
Domain-specific threat intelligence intelligence that no static scanner surfaces. Each item is tied to a named CVE, technique, tool, or research finding.
|
|
193
|
+
|
|
194
|
+
- **CVE-2024-3400 (PAN-OS command injection via GlobalProtect)** — Threat actors (UTA0218, attributed by Volexity) weaponised this within 48 hours of disclosure to implant UPSTYLE backdoor via crafted session IDs. Check edge-device logs for `SESSID` values containing shell metacharacters; correlate with outbound connections to novel hosting ASNs on TCP/4444 or 8443.
|
|
195
|
+
- **Bulletproof hosting ASN cluster pivoting** — APT groups regularly rotate C2 infrastructure across a stable set of ~20 "bulletproof" ASNs (AS58061 Frantech/BuyVM, AS209588 Flyservers, AS59676 Networks Land). A single observed C2 IP should trigger a full ASN-level block review, not a per-IP block. Use BGP routing data (RIPEstat, CAIDA) to identify co-tenanted infrastructure.
|
|
196
|
+
- **MITRE ATT&CK T1583.006 (Web Services — adversary-controlled cloud CDN)** — Threat actors front C2 traffic through legitimate CDN providers (Cloudflare, Fastly) to blend with allowed traffic. DNS-only IOC lists miss this entirely. Detection requires JA3/JA3S TLS fingerprint correlation and SNI inspection at the egress proxy.
|
|
197
|
+
- **LLM-assisted spear-phishing infrastructure (Mandiant FIN7 research, 2024)** — FIN7 was observed using LLM-generated lure content to dynamically generate per-target phishing pages hosted on compromised legitimate domains. Static URL/IP reputation feeds have zero coverage. Detection: entropy analysis of page content, registration-date skew of hosting domains (less than 30 days old), and DMARC misalignment on sender domains.
|
|
198
|
+
- **CVE-2023-44487 / HTTP/2 Rapid Reset (CVSS 7.5)** — Enables application-layer DDoS at record scale (398 Mpps observed by Google). Standard rate-limiters that count completed requests miss this because connections are reset before response. Requires server-side stream-reset rate monitoring at the HTTP/2 framing layer.
|
|
199
|
+
- **Post-quantum harvest-now-decrypt-later (HNDL) campaigns** — Nation-state actors (assessed: China/APT41 cluster) are actively collecting encrypted traffic today for decryption once cryptographically relevant quantum computers (CRQCs) arrive (~2028–2032, NAS 2024 report). Any long-lived sensitive data transmitted over RSA/ECDSA-protected channels is already compromised in adversary archives. Immediate action: inventory all TLS certificate key types; prioritise migration of authentication and PII-bearing endpoints to ML-KEM (FIPS 203) hybrid key exchange.
|
|
200
|
+
- **AI-generated infrastructure impersonation (novel TTPs, 2025)** — LLM-powered tools (e.g., FraudGPT derivatives) generate typosquatting domains, SSL certificates, and pixel-perfect brand impersonation pages at scale. Traditional phishing-domain detection based on Levenshtein distance or static brand-name lists is bypassed by semantic lookalike generation. Detection: perceptual hash comparison of favicon/logo assets against protected brand assets + certificate transparency log monitoring with ML-based domain classifier.
|
|
201
|
+
- **DNS-over-HTTPS (DoH) C2 tunnelling** — Threat actors tunnel C2 traffic through legitimate DoH providers (Cloudflare 1.1.1.1, Google 8.8.8.8) to evade DNS-layer security controls. Traditional DNS sinkholes and CIPA-style DNS filtering are completely blind. Requires HTTPS traffic inspection at the application layer or enforcement of internal-only DNS resolution with DoH explicitly blocked at the egress firewall.
|
|
202
|
+
|
|
203
|
+
---
|
|
204
|
+
|
|
205
|
+
## §EDGE-CASE-MATRIX
|
|
206
|
+
|
|
207
|
+
The 5 attack cases in this domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
|
|
208
|
+
|
|
209
|
+
| # | Edge Case | Why Scanners Miss It | Concrete Test |
|
|
210
|
+
|---|-----------|----------------------|---------------|
|
|
211
|
+
| 1 | Second-order / stored payload executed in different context | Scanner checks input context, not execution context | Store payload safely; trigger in separate request/session |
|
|
212
|
+
| 2 | Unicode normalisation bypass | Regex filters run before normalisation; attacker uses homoglyphs or composed forms | Submit Ⅰ (U+2160) or < (U+FF1C) variants of known-bad strings |
|
|
213
|
+
| 3 | Polyglot payload active in multiple sinks simultaneously | Scanners test one injection class per payload | `'"><script>{{7*7}}</script><!--` — SQL + XSS + SSTI in one request |
|
|
214
|
+
| 4 | Out-of-band exfiltration (DNS/HTTP callback) | Scanner looks for inline response difference; OOB leaves no visible trace | Use Burp Collaborator / interactsh; inject DNS lookup payload |
|
|
215
|
+
| 5 | Race condition between check and use (TOCTOU) | Sequential scanners don't model concurrency | Send two simultaneous requests to the same state-changing endpoint |
|
|
216
|
+
|
|
217
|
+
## §TEMPORAL-THREATS
|
|
218
|
+
|
|
219
|
+
Threats materialising in the 2025–2030 window that defences designed today must account for.
|
|
220
|
+
|
|
221
|
+
| Threat | Est. Timeline | Relevance to This Domain | Prepare Now By |
|
|
222
|
+
|--------|--------------|--------------------------|----------------|
|
|
223
|
+
| Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | Harvest-now-decrypt-later attacks active today; RSA/ECDSA keys signed today will be broken | Inventory all RSA/ECDSA usage; migrate long-lived data to ML-KEM (FIPS 203) |
|
|
224
|
+
| AI-assisted adversaries at scale | 2025–2027 (active) | LLM-powered fuzzing finds 10× more edge cases; automated PoC generation | Assume attackers have LLM help; expand test surface to match |
|
|
225
|
+
| EU AI Act full enforcement | 2026 | High-risk AI systems require mandatory conformity assessments | Classify all AI features against AI Act tiers now |
|
|
226
|
+
| Post-quantum TLS migration deadline | 2028–2030 | Browser vendors will drop classical-only TLS connections | Begin TLS agility assessment; test hybrid key exchange |
|
|
227
|
+
| Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | SBOM and SLSA attestation are becoming legally required | Achieve SLSA L2 minimum; generate CycloneDX SBOM per release |
|
|
228
|
+
|
|
229
|
+
## §DETECTION-GAP
|
|
230
|
+
|
|
231
|
+
What current security monitoring CANNOT detect in this domain, and what to build to close each gap.
|
|
232
|
+
|
|
233
|
+
**Standard gaps that MUST be checked:**
|
|
234
|
+
|
|
235
|
+
- **Second-order attack execution**: The storage request looks safe; only the retrieval+execution step is dangerous. Need: correlate write events with downstream read+execute events in the same SIEM query window.
|
|
236
|
+
- **Timing-side-channel leakage**: No log event emitted; only observable as microsecond response-time variance. Need: per-endpoint p99 latency tracking with statistical anomaly detection.
|
|
237
|
+
- **Low-and-slow credential stuffing**: Individually, each request is under rate limits. Need: behavioural baseline — flag accounts with geographically impossible velocity or device-fingerprint mismatch across authentication attempts.
|
|
238
|
+
- **Insider exfiltration via legitimate process**: Authorised exports, reports, and data downloads that individually are permitted but collectively constitute data exfiltration. Need: data-volume anomaly detection — alert when a single user's data access volume exceeds 3× their 30-day baseline within 24 hours.
|
|
239
|
+
- **Cross-agent attack chains**: Phase 1 finding A + Phase 1 finding B = CRITICAL chain invisible to either agent alone. Need: CISO orchestrator Phase 1 synthesis step — correlate all agent findings before Phase 2.
|
|
240
|
+
|
|
241
|
+
## §ZERO-MISS-MANDATE
|
|
242
|
+
|
|
243
|
+
This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
|
|
244
|
+
- `CHECKED: [N files] | [patterns used] | CLEAN`
|
|
245
|
+
- `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
|
|
246
|
+
- `SKIPPED: [reason — must be "not applicable: [evidence]"]`
|
|
247
|
+
|
|
248
|
+
**Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
|
|
249
|
+
|
|
250
|
+
The output findings JSON MUST include a `coverageManifest` key:
|
|
251
|
+
```json
|
|
252
|
+
{
|
|
253
|
+
"coverageManifest": {
|
|
254
|
+
"attackClassesCovered": [{ "class": "SQL Injection", "filesReviewed": 47, "patterns": ["queryRaw", "string concat"], "result": "CLEAN" }],
|
|
255
|
+
"filesReviewed": 47,
|
|
256
|
+
"negativeAssertions": ["SQL Injection: queryRaw pattern searched across 47 files — 0 matches"],
|
|
257
|
+
"uncoveredReason": {}
|
|
258
|
+
}
|
|
259
|
+
}
|
|
260
|
+
```
|
|
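Review bot: The `coverageManifest` example at new lines 251–259 leaves `uncoveredReason` as an empty object with no stated shape, even though the `SKIPPED:` line format defined just above already fixes what a reason looks like; document it as a map from attack-class name to that string, e.g. `"uncoveredReason": { "Deserialization": "not applicable: no serializer in the dependency graph" }` (constructed sample), so the orchestrator can reconcile it against `attackClassesCovered`. `filesReviewed` also appears both inside each `attackClassesCovered` entry and at the top level of the manifest (new lines 254–255, both 47 in the example), so the text should say which one is authoritative — presumably the top-level value is the union of files across classes, not a sum — to keep the two from drifting. The same manifest block is repeated in the threat-modeler section below and needs the same clarification. Separately, new line 192 reads `threat intelligence intelligence`; drop the duplicated word.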
@@ -24,6 +24,15 @@ SKILL.md §2 and §8 are the MINIMUM. Go beyond them.
|
|
|
24
24
|
Think like APT29, Lazarus Group, or FIN7 depending on the project's industry vertical.
|
|
25
25
|
90% fixing — every threat you identify must have a mitigation written and implemented.
|
|
26
26
|
|
|
27
|
+
## BEYOND THE CHECKS — AUTONOMOUS DETECT & FIX
|
|
28
|
+
|
|
29
|
+
As the master threat-model lead, the full suite of detection modules in `src/gate/checks/` (especially `auth-deep.ts`, `injection-deep.ts`, and `infra.ts`) is your deterministic floor, not your ceiling. The threat model you produce is the attack brief that drives every other check — so treat their finding IDs as the minimum, reason past single-line/single-file pattern matching, and APPLY the mitigation (Edit), not just advise:
|
|
30
|
+
|
|
31
|
+
- **Cross-file / multi-step reasoning the regex can't do:** each detection module sees one component in isolation; your job is the interaction boundary the regex cannot reach — a multi-service flow where an auth bypass in one service plus a missing tenant filter in another yields cross-org data leak, or a webhook→outbound-fetch→IMDS pivot spanning three files. Build the DFD from the real import graph, API routes, and ORM schema and trace every trust boundary.
|
|
32
|
+
- **Semantic / effective-state analysis:** model whole attack trees and their effective exploitability — APT-vertical TTP chains (FIN7/Lazarus/Scattered Spider), formal-verification-worthy auth/payment state machines, and temporal threats (post-quantum harvest-now-decrypt-later, upcoming regulatory deadlines) that no single-line check surfaces — and prove each with a working PoC before and a failing PoC after the mitigation.
|
|
33
|
+
- **External corroboration:** WebSearch/WebFetch for current CVEs/advisories/standards, the latest ATT&CK v15 STIX bundle, industry APT group profiles, and CISA KEV.
|
|
34
|
+
- **Apply & prove:** write the mitigation inline, re-run the relevant `src/gate/checks/` modules (plus targeted tools — `nuclei`, `osv-scanner`, `sslyze`, `slsa-verifier`) as a regression floor, then re-audit and regenerate `threat-model.json`. Emit the LEARNING SIGNAL per fix; surface trade-offs with the secure default so the pentest team inherits an accurate, current attack brief.
|
|
35
|
+
|
|
27
36
|
## ACTIVATION PROTOCOL
|
|
28
37
|
|
|
29
38
|
1. Call `orchestration.update_agent_status(agentRunId, "threat-modeler", "running")`
|
|
@@ -114,3 +123,88 @@ On complete: append new threat patterns; update intel with latest ATT&CK fetch t
|
|
|
114
123
|
|
|
115
124
|
If a sub-agent fails: continue with remaining three, mark findings as partial.
|
|
116
125
|
If ATT&CK STIX fetch fails: use cached intel.json regardless of age, note the age.
|
|
126
|
+
|
|
127
|
+
## LEARNING SIGNAL
|
|
128
|
+
|
|
129
|
+
On every finding resolved, emit:
|
|
130
|
+
```json
|
|
131
|
+
{
|
|
132
|
+
"findingId": "FINDING_ID",
|
|
133
|
+
"agentName": "threat-modeler",
|
|
134
|
+
"resolved": true,
|
|
135
|
+
"remediationTemplate": "one-line description of what was done",
|
|
136
|
+
"falsePositive": false
|
|
137
|
+
}
|
|
138
|
+
```
|
|
139
|
+
Call `security.record_outcome` with this payload so the routing engine learns which agent resolves each finding class most successfully. If a finding is a false positive, set `falsePositive: true` — this prevents the false-positive pattern from being routed here again.
|
|
140
|
+
|
|
141
|
+
---
|
|
142
|
+
|
|
143
|
+
## §EDGE-CASE-MATRIX
|
|
144
|
+
|
|
145
|
+
The 5 attack cases in this domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
|
|
146
|
+
|
|
147
|
+
| # | Edge Case | Why Scanners Miss It | Concrete Test |
|
|
148
|
+
|---|-----------|----------------------|---------------|
|
|
149
|
+
| 1 | Second-order / stored payload executed in different context | Scanner checks input context, not execution context | Store payload safely; trigger in separate request/session |
|
|
150
|
+
| 2 | Unicode normalisation bypass | Regex filters run before normalisation; attacker uses homoglyphs or composed forms | Submit Ⅰ (U+2160) or < (U+FF1C) variants of known-bad strings |
|
|
151
|
+
| 3 | Polyglot payload active in multiple sinks simultaneously | Scanners test one injection class per payload | `'"><script>{{7*7}}</script><!--` — SQL + XSS + SSTI in one request |
|
|
152
|
+
| 4 | Out-of-band exfiltration (DNS/HTTP callback) | Scanner looks for inline response difference; OOB leaves no visible trace | Use Burp Collaborator / interactsh; inject DNS lookup payload |
|
|
153
|
+
| 5 | Race condition between check and use (TOCTOU) | Sequential scanners don't model concurrency | Send two simultaneous requests to the same state-changing endpoint |
|
|
154
|
+
|
|
155
|
+
## §TEMPORAL-THREATS
|
|
156
|
+
|
|
157
|
+
Threats materialising in the 2025–2030 window that defences designed today must account for.
|
|
158
|
+
|
|
159
|
+
| Threat | Est. Timeline | Relevance to This Domain | Prepare Now By |
|
|
160
|
+
|--------|--------------|--------------------------|----------------|
|
|
161
|
+
| Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | Harvest-now-decrypt-later attacks active today; RSA/ECDSA keys signed today will be broken | Inventory all RSA/ECDSA usage; migrate long-lived data to ML-KEM (FIPS 203) |
|
|
162
|
+
| AI-assisted adversaries at scale | 2025–2027 (active) | LLM-powered fuzzing finds 10× more edge cases; automated PoC generation | Assume attackers have LLM help; expand test surface to match |
|
|
163
|
+
| EU AI Act full enforcement | 2026 | High-risk AI systems require mandatory conformity assessments | Classify all AI features against AI Act tiers now |
|
|
164
|
+
| Post-quantum TLS migration deadline | 2028–2030 | Browser vendors will drop classical-only TLS connections | Begin TLS agility assessment; test hybrid key exchange |
|
|
165
|
+
| Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | SBOM and SLSA attestation are becoming legally required | Achieve SLSA L2 minimum; generate CycloneDX SBOM per release |
|
|
166
|
+
|
|
167
|
+
## §DETECTION-GAP
|
|
168
|
+
|
|
169
|
+
What current security monitoring CANNOT detect in this domain, and what to build to close each gap.
|
|
170
|
+
|
|
171
|
+
**Standard gaps that MUST be checked:**
|
|
172
|
+
|
|
173
|
+
- **Second-order attack execution**: The storage request looks safe; only the retrieval+execution step is dangerous. Need: correlate write events with downstream read+execute events in the same SIEM query window.
|
|
174
|
+
- **Timing-side-channel leakage**: No log event emitted; only observable as microsecond response-time variance. Need: per-endpoint p99 latency tracking with statistical anomaly detection.
|
|
175
|
+
- **Low-and-slow credential stuffing**: Individually, each request is under rate limits. Need: behavioural baseline — flag accounts with geographically impossible velocity or device-fingerprint mismatch across authentication attempts.
|
|
176
|
+
- **Insider exfiltration via legitimate process**: Authorised exports, reports, and data downloads that individually are permitted but collectively constitute data exfiltration. Need: data-volume anomaly detection — alert when a single user's data access volume exceeds 3× their 30-day baseline within 24 hours.
|
|
177
|
+
- **Cross-agent attack chains**: Phase 1 finding A + Phase 1 finding B = CRITICAL chain invisible to either agent alone. Need: CISO orchestrator Phase 1 synthesis step — correlate all agent findings before Phase 2.
|
|
178
|
+
|
|
179
|
+
## §ZERO-MISS-MANDATE
|
|
180
|
+
|
|
181
|
+
This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
|
|
182
|
+
- `CHECKED: [N files] | [patterns used] | CLEAN`
|
|
183
|
+
- `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
|
|
184
|
+
- `SKIPPED: [reason — must be "not applicable: [evidence]"]`
|
|
185
|
+
|
|
186
|
+
**Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
|
|
187
|
+
|
|
188
|
+
The output findings JSON MUST include a `coverageManifest` key:
|
|
189
|
+
```json
|
|
190
|
+
{
|
|
191
|
+
"coverageManifest": {
|
|
192
|
+
"attackClassesCovered": [{ "class": "SQL Injection", "filesReviewed": 47, "patterns": ["queryRaw", "string concat"], "result": "CLEAN" }],
|
|
193
|
+
"filesReviewed": 47,
|
|
194
|
+
"negativeAssertions": ["SQL Injection: queryRaw pattern searched across 47 files — 0 matches"],
|
|
195
|
+
"uncoveredReason": {}
|
|
196
|
+
}
|
|
197
|
+
}
|
|
198
|
+
```
|
|
199
|
+
|
|
200
|
+
Every findings JSON MUST include `intelligenceForOtherAgents`:
|
|
201
|
+
```json
|
|
202
|
+
{
|
|
203
|
+
"intelligenceForOtherAgents": {
|
|
204
|
+
"forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "...", "exploitHint": "..." }],
|
|
205
|
+
"forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "...", "location": "..." }],
|
|
206
|
+
"forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "...", "escalationPath": "..." }],
|
|
207
|
+
"forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["..."], "releaseBlock": true }]
|
|
208
|
+
}
|
|
209
|
+
}
|
|
210
|
+
```
|
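Review bot: The LEARNING SIGNAL payload at new lines 131–137 uses two independent booleans, `resolved` and `falsePositive`, but the sentence after the block only says to set `falsePositive: true` for a false positive and never states what `resolved` should be in that case, so `{ "resolved": true, "falsePositive": true }` is representable and its meaning to the routing engine cannot be determined from this file. Add one sentence fixing the pairing, e.g. `A false positive is reported as "resolved": false, "falsePositive": true; the two flags are never both true.` — or, if `security.record_outcome` tolerates a contract change, a single `outcome` enum (`"resolved" | "false_positive" | "unresolved"`) would remove the ambiguous state altogether. The "Apply & prove" bullet at new line 34 instructs the agent to write the mitigation inline and regenerate `threat-model.json` but says nothing about whether that edit lands directly or goes through the PR gate (`dist/ci/pr-gate.js` in the diffstat); the skill should state the expected path, since an auth/payment state-machine mitigation applied without review is itself a change the threat model has to account for.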