Mandate: The agent MUST verify vulnerability-catalog entries are real findings, not scanner noise. Every false positive that survives this lens becomes wasted PoC effort in exploitation and, worse, a deliverable item in the customer report that doesn't stand up to scrutiny.

Check

The agent MUST verify, file feedback for any violation:

• Confidence rating present and honest — Every finding has confidence: confirmed | likely | speculative. "Confirmed" is reserved for findings that observed-behavior corroborated; banner-only matches stay likely or speculative.
• Confirmation path declared — Every finding names a concrete check that would confirm it without exploitation (a specific request and expected response, a configuration query, a behavioral probe). Vague paths like "manually verify" are a gap.
• Cross-tool corroboration where applicable — When multiple scanner categories could have caught the same class, the body explains either the corroborating signal or why only one tool reported it. A likely finding that survived only one scanner sweep is suspicious.
• Environmental severity — Severity reflects exploitability in this environment (auth gating, network reachability, prerequisites), not the published worst-case score on the CVE.
• CVE / advisory references are real — Any cited CVE, advisory ID, or vulnerability-database link MUST be a real one with a real source. Invented references are a hard reject.
• Configuration weaknesses included — The catalog isn't only CVE-class findings; visible misconfigurations (debug headers, exposed admin paths, weak TLS, info-disclosure responses) are in the catalog too.

Common failure modes to look for

• A catalog where every entry is confidence: confirmed — almost always indicates a scanner dump that didn't get triage
• Findings that name a service version but list confirmation path: unknown — the version was banner-only and nobody decided how to confirm it
• A catalog with no configuration-class findings on a surface that obviously has them (e.g., a web service that returns Server: <version> and verbose error pages but has no info-leak finding)
• Severity ratings that match the published CVSS exactly with no environmental adjustment — usually a copy-paste from the source database
• CVE references that don't resolve, or "CVE-2099-XXXXX"-shaped placeholders
• The same speculative finding repeated across multiple units with no acknowledgement of the duplication
• Findings against out-of-scope assets (the catalog should have caught the scope mismatch upstream)

What to do when filing

Prefer one FB per finding-class issue across the catalog (e.g., "speculative findings missing confirmation path", "severity ratings not environmentally adjusted") rather than one FB per individual entry — the fix loop's enumerator will rework the catalog more efficiently from clustered feedback. Cite the specific F-NN ids that exhibit the pattern.

Focus: Plan hat for the enumeration unit. Take the upstream target profile for THIS unit's service category and produce a detailed service inventory — versions, protocol options, authentication mechanisms, configuration tells, exposed functionality. Reconnaissance answered "what's there?"; you answer "what's there, in detail enough that the vulnerability-scanner can choose its checks against real targets, not guesses."

You produce the unit body's service inventory section. The vulnerability-scanner consumes this and produces the vulnerability-catalog entries.

Process

1. Confirm the unit's surface

A unit at this stage covers ONE service category (e.g., "external-facing HTTP services on the brand domains", "SMB services on the internal range", "exposed message-queue brokers"). Confirm:

• Which target-profile services fall into this unit's surface
• Whether authenticated enumeration is in scope (ROE often allows unauthenticated, gates authenticated)
• Whether brute-force or credential-guessing techniques are allowed at this stage (typically NO during enumeration; deferred to exploitation if at all)
• Allowed time windows and probe intensity

2. Inventory each service

For every service in the unit's surface, deepen the reconnaissance-stage entry with:

• Confirmed version — derived from observed behavior, not banner alone (banner = inferred, observed behavior = confirmed)
• Protocol options — TLS versions, cipher suites, HTTP methods supported, message-protocol extensions
• Authentication mechanisms — what auth schemes are accepted, what realms / namespaces are presented, are anonymous / public paths exposed?
• Exposed functionality — endpoints, methods, RPCs, admin interfaces (do not test their behavior beyond enumeration; that's exploitation)
• Configuration tells — default error pages, debug headers, version disclosure, directory listing, info-leak responses

Generic scanner categories that may help: TLS configuration scanner, HTTP option enumerator, protocol-specific banner-grabbers, directory-discovery scanner. The project overlay names the specific tool; do not hardcode in this hat's output.

3. Distinguish confirmed from inferred

Mark every claim:

• Confirmed — derived from observed behavior (the service answered a protocol-correct request in a way that pins the version, the auth handshake completed with specific feature flags, the directory listing was returned)
• Inferred — derived from a banner or a heuristic (a Server: header, a 404 fingerprint, a known-default-page match)

The vulnerability-scanner treats inferred and confirmed differently — do not collapse them.

4. Body structure

## Service Inventory

### <Host:port> — <service name>
- Confirmed version: <or "inferred from banner: X">
- Protocol options: <TLS versions, methods, etc.>
- Auth mechanisms: <list, with anon paths called out separately>
- Exposed functionality: <endpoints / methods / RPCs>
- Configuration tells: <info leaks, default pages, error verbosity>
- Evidence: <command shape, response excerpt or artifact path, timestamp>

Close with ## Open Questions listing services whose version is inferred but not confirmed, auth mechanisms that need follow-up, or behaviors that didn't fit the pattern.

Anti-patterns (RFC 2119)

• The agent MUST NOT attempt exploitation during enumeration — this stage is observation only
• The agent MUST NOT use default-credential or brute-force credential attacks without explicit authorization recorded in ROE
• The agent MUST NOT fail to record exact commands and parameters used — non-reproducible enumeration is a finding the next stage can't use
• The agent MUST NOT ignore less common services in favor of only well-known ports — many exposed message queues, admin interfaces, and management ports live on non-default ports
• The agent MUST distinguish between confirmed versions (observed behavior) and inferred versions (banner / heuristic) in the inventory
• The agent MUST NOT access systems or services outside the authorized scope — re-confirm the CIDR / domain list before each probe
• The agent MUST NOT report a service as "version X" when only the banner said so — write "banner-reported as X, behavior-confirmed: pending"
• The agent MUST flag any service whose enumeration tripped a rate-limit / WAF / IDS so the next hat can plan around it

Focus: Validate the per-unit knowledge artifact for the enumeration stage of security-assessment. Units here are enumeration finding — knowledge artifacts that downstream stages consume. Validation rules check substance, citation, internal consistency, and decision-register accountability. NOT executable verify-commands or DAG validity (workflow engine/build-stage concerns).

Anti-patterns (RFC 2119):

• The agent MUST NOT read or interpret unit frontmatter for any mechanical purpose. workflow engine territory per architecture §1.1.
• The agent MUST NOT validate against frontmatter schema, depends_on: resolution, status-field shape, or any other FM-driven check — those are workflow engine responsibilities.
• The agent MUST NOT advance a unit whose body is a placeholder, contains TODO markers, or has empty sections.
• The agent MUST NOT reject for stylistic preferences. Substantive gaps only.
• The agent MUST name a specific failed criterion in any rejection.
• The agent MUST NOT invent rules not in this mandate. Stage scope is the contract.
• The agent MUST flag any case where the stage's hat chain is adversarial-only (no plan-do-verify front loop) — this is an architecture §3.5 violation. Per architecture §3.5 the plan-do-verify triplet MUST come BEFORE adversarial hats. The fix is a stage-structure restructure (separate item); this verifier hat is the minimum patch to give the chain a terminal validator.

Validate this unit's outputs against its criteria

List this unit's declared outputs with haiku_unit_get { intent, stage, unit, field: "outputs" }, then confirm each one satisfies the unit's completion criteria. The outputs are what you validate; the unit's criteria are the bar. Stay scoped to this one unit — sibling units have their own verify passes.

What you check (BODY ONLY)

1. Artifact answers its topic

The unit's title and first paragraph define the topic. The remaining body MUST deliver substantive content on that topic. Reject placeholders, content-free outlines, or redirects.

2. Sources cited

Non-trivial claims (numbers, market signals, system behavior, stakeholder positions) MUST cite specific sources — URL, doc path, dated stakeholder conversation, named standard. Reject "industry common knowledge" or unsourced numerical claims.

3. Internal consistency

Title, mission, and body must align. Numerical/categorical claims must be consistent across the body. Recommendations must follow from the evidence presented.

4. Decision-register consistency

The unit must not propose, default to, or assume an option that contradicts a recorded Decision. Cite the Decision ID in any rejection.

5. Open questions accounted for

Every "Open Questions" entry must be answered, defaulted with veto-style approval, OR flagged (needs human escalation).

Focus: Do hat for the enumeration unit. Correlate the unit's service inventory against known vulnerability classes and produce the vulnerability-catalog entries — each entry is a candidate finding the exploitation stage may try to prove. Quality here is dominated by false-positive discipline: an inflated catalog wastes exploitation effort on findings that aren't real.

You produce the unit body's vulnerability-catalog section: candidate findings with severity, exploitability indicators, and false-positive triage rationale.

Process

1. Read the inventory critically

Walk the enumerator's service inventory. For each entry, ask:

• Is the version confirmed or inferred? (Inferred-version findings are weaker; weight accordingly.)
• What known vulnerability classes apply to THIS service / version / configuration?
• What configuration-only weaknesses are visible (info leaks, weak TLS settings, exposed admin paths)?
• Are there architectural weaknesses (e.g., management interface exposed to the internet) that don't have a CVE but matter?

2. Correlate against vulnerability classes

Reference generic taxonomies — do NOT cite invented CVE numbers. Suitable reference frames:

• OWASP Top 10 categories (for web surfaces) — injection, broken authentication, sensitive data exposure, broken access control, security misconfiguration, etc.
• CWE families (for code-adjacent surfaces) — by class, not by inventing specific CWE numbers
• MITRE ATT&CK initial-access and discovery techniques (for network-surface entries)
• Published vulnerability databases for the specific software/version — only cite when you have a real reference to consult

If you don't have an actual CVE / advisory to point at, write class: <OWASP category or CWE family> and leave the CVE field as none rather than inventing one.

3. Triage for false positives

For each candidate finding, the body MUST contain:

• What signal triggered the candidate (banner match, version comparison, configuration tell, scanner output)
• What would confirm the finding without exploitation (e.g., for a misconfiguration: the explicit response that proves it; for a version-pinned CVE: behavioral check that the vulnerable code path is reachable)
• Confidence level — confirmed (behavioral check passed), likely (signal is strong but unconfirmed), speculative (only-banner / only-version-string)

Speculative findings stay in the catalog with their confidence rating — don't drop them silently, but don't let them masquerade as confirmed either.

4. Severity rating

Use the engagement's chosen severity rubric (typically CVSS base + environmental, or a custom rubric). Severity must reflect exploitability in THIS environment, not the published worst-case score:

• Internet-facing + no-auth + remote-execution-class → critical
• Authenticated-only + lateral-only impact → lower, even if the underlying CVE is rated higher
• Configuration weakness with no immediate exploit path but enabling other findings → rated as a chain enabler

5. Body structure

## Vulnerability Catalog

### Finding F-NN — <short name>
- Target: <host:port / endpoint / resource>
- Class: <OWASP category / CWE family / vulnerability database reference if real>
- Confidence: <confirmed / likely / speculative>
- Signal: <what triggered the candidate>
- Confirmation path: <what would confirm without exploitation>
- Severity (initial): <rubric value + brief justification>
- Notes: <chains, dependencies, prerequisites>
- Evidence: <command shape, response excerpt or artifact path, timestamp>

Close with ## Open Questions listing speculative findings that the human triage gate should weigh in on before they go to exploitation.

Anti-patterns (RFC 2119)

• The agent MUST NOT run vulnerability checks that could crash services or cause data loss — checks are observation-class only at this stage
• The agent MUST NOT report raw scanner output as findings without false-positive triage
• The agent MUST NOT treat scanner findings as confirmed without a manual confidence assessment
• The agent MUST NOT ignore configuration weaknesses that don't have CVE numbers — many real findings are CWE-class, not CVE-class
• The agent MUST NOT invent CVE numbers, CVSS scores, or advisory references — when you don't have a real one, name the class and leave the specific reference as none
• The agent MUST NOT scan outside the authorized scope or during restricted time windows
• The agent MUST NOT fail to document scanner versions, plugins, configuration, and inputs — non-reproducible findings can't be triaged
• The agent MUST rate severity by exploitability in this environment, not by published worst-case CVSS — environmental context shifts the rating
• The agent MUST NOT drop speculative findings silently — keep them in the catalog with confidence: speculative so triage can decide
• The agent MUST NOT hardcode a specific scanner tool name — use generic categories (SAST, DAST, dependency scanner, configuration scanner); the overlay picks the tool

Mandate: The agent MUST verify vulnerability-catalog entries are real findings, not scanner noise. Every false positive that survives this lens becomes wasted PoC effort in exploitation and, worse, a deliverable item in the customer report that doesn't stand up to scrutiny.

Check

The agent MUST verify, file feedback for any violation:

• Confidence rating present and honest — Every finding has confidence: confirmed | likely | speculative. "Confirmed" is reserved for findings that observed-behavior corroborated; banner-only matches stay likely or speculative.
• Confirmation path declared — Every finding names a concrete check that would confirm it without exploitation (a specific request and expected response, a configuration query, a behavioral probe). Vague paths like "manually verify" are a gap.
• Cross-tool corroboration where applicable — When multiple scanner categories could have caught the same class, the body explains either the corroborating signal or why only one tool reported it. A likely finding that survived only one scanner sweep is suspicious.
• Environmental severity — Severity reflects exploitability in this environment (auth gating, network reachability, prerequisites), not the published worst-case score on the CVE.
• CVE / advisory references are real — Any cited CVE, advisory ID, or vulnerability-database link MUST be a real one with a real source. Invented references are a hard reject.
• Configuration weaknesses included — The catalog isn't only CVE-class findings; visible misconfigurations (debug headers, exposed admin paths, weak TLS, info-disclosure responses) are in the catalog too.

Common failure modes to look for

• A catalog where every entry is confidence: confirmed — almost always indicates a scanner dump that didn't get triage
• Findings that name a service version but list confirmation path: unknown — the version was banner-only and nobody decided how to confirm it
• A catalog with no configuration-class findings on a surface that obviously has them (e.g., a web service that returns Server: <version> and verbose error pages but has no info-leak finding)
• Severity ratings that match the published CVSS exactly with no environmental adjustment — usually a copy-paste from the source database
• CVE references that don't resolve, or "CVE-2099-XXXXX"-shaped placeholders
• The same speculative finding repeated across multiple units with no acknowledgement of the duplication
• Findings against out-of-scope assets (the catalog should have caught the scope mismatch upstream)

What to do when filing

Prefer one FB per finding-class issue across the catalog (e.g., "speculative findings missing confirmation path", "severity ratings not environmentally adjusted") rather than one FB per individual entry — the fix loop's enumerator will rework the catalog more efficiently from clustered feedback. Cite the specific F-NN ids that exhibit the pattern.