Security Assessment · stage 4 of 5

Post Exploitation

Ask gate

Assess impact, test lateral movement, evaluate data exposure, and document access chains

Post-Exploitation

Exploitation proved a vulnerability is reachable; post-exploitation answers "so what?" — what a real attacker would do with the foothold and how bad it would be in business terms. This stage maps the reachable surface from each established access point and translates it into business impact.

Scope

Impact and access-chain analysis from a proven foothold: reachable lateral targets, privilege-escalation paths, accessible data, and the business consequence (data sensitivity, regulatory exposure, blast radius) rated against the engagement's rubric. Post-exploitation decides what the foothold is worth — not whether it was reachable (exploitation) or how to present it (reporting).

What to do

Map the reachable surface and access chains by observation, without exfiltrating or modifying data.
Translate the technical access-graph into business impact terms a stakeholder can act on.
Rate severity with the engagement's chosen rubric and tie each rating to the evidence at every step of the chain.
Keep the assessment consistent with the access log it builds on — the chain has to hold end to end.

What NOT to do

Don't develop new exploits or breach surfaces exploitation didn't already prove — that's a revisit upstream.
Don't exfiltrate, alter, or destroy data while mapping access.
Don't write the customer-facing report; that's reporting.
Don't assert an impact rating the access-chain evidence doesn't support.

How the engine runs this stage

1Elaborate

autonomous · plan the work, fan out discovery, declare outputs

Inputs consumed

access-logfrom Exploitation

Phase guidance

phase overrideELABORATION- "Impact assessment documents the maximum access level achieved, data categories exposed, and blast radius of each access chain"

Post Exploitation Stage — Elaboration

Criteria Guidance

Good criteria — concrete and verifiable

"Impact assessment documents the maximum access level achieved, data categories exposed, and blast radius of each access chain"
"Lateral movement analysis maps at least 3 potential pivot paths with the credentials or access required for each"
"Privilege escalation findings document the starting access level, technique used, and resulting access level with evidence"

Bad criteria — vague (no clear check)

"Impact is assessed"
"Lateral movement tested"
"Data exposure documented"

Outputs produced

output templateImpact AssessmentFull scope assessment of what an attacker could achieve through each access chain.

Impact Assessment

Full scope assessment of what an attacker could achieve through each access chain.

Expected Artifacts

Access scope -- maximum access level achieved and data categories exposed per access chain
Lateral movement paths -- potential pivot paths with required credentials and access levels
Privilege escalation -- starting access, technique used, and resulting access with evidence
Data exposure analysis -- accessible data categorized by sensitivity

Quality Signals

Impact assessment documents the full blast radius of each access chain
At least 3 lateral movement paths are mapped with required credentials
Privilege escalation paths are documented end-to-end
All post-exploitation activity stayed within scope

2Review

pre-execute · agents audit the planned spec before any code lands

review agentImpact AccuracyThe agent **MUST** verify that impact assessments accurately reflect the real-world risk demonstrated by the access chain. Both directions matter — over-stated impact undermines the report's credibility with the customer's engineering team; under-stated impact lets real risk hide behind a clean score. The customer's risk register is downstream of this lens.

Mandate: The agent MUST verify that impact assessments accurately reflect the real-world risk demonstrated by the access chain. Both directions matter — over-stated impact undermines the report's credibility with the customer's engineering team; under-stated impact lets real risk hide behind a clean score. The customer's risk register is downstream of this lens.

Check

The agent MUST verify, file feedback for any violation:

Access-chain traceability — Every impact claim cites the row of the access-graph it derives from. Claims without traceability are gaps; the analyst's graph IS the evidence base.
Step-by-step evidence — Lateral movement and privilege-escalation steps have evidence at each step, not just at the endpoint. A claim that "from foothold A, root on B was reachable" without showing the intermediate steps is a gap.
Data-exposure accuracy — The data-exposure section reflects what an attacker could actually access from this position, not the worst case from any position. If the analyst's graph shows visibility-only-not-read on a store, the impact section MUST NOT claim "read access."
Demonstrated / theoretical labeling — Every impact claim is labeled demonstrated or theoretical. The two are not mixed without labels.
Business-context translation — Technical access is translated into business consequences with reference to the actual data categories at risk, not a generic "data could be lost" boilerplate.
Severity-rubric inputs shown — Each severity score shows its derivation (rubric, inputs, environmental adjustments). Bare numbers are a gap.
Regulatory implications grounded — Regulatory regime citations name a real regime and a real obligation type; invented article numbers are a hard reject.

Common failure modes to look for

An impact section that lists data categories the access-graph never named — usually a copy-paste from an unrelated template
A "demonstrated impact" claim whose access-graph row says "inferred" — the most common labeling slip
Severity scores that match the published CVSS exactly, with no environmental adjustment — usually a copy-paste from the source database
A blast-radius statement that doesn't account for what's actually reachable from this access level (over- or under-scoping)
Regulatory citations that name a regime but invent the article number
Theoretical impact that's presented as if demonstrated in the business-impact narrative even when the table labels it theoretical
Missing chained-impact analysis — each finding rated standalone when the cumulative chain is the real risk
Cleanup confirmation missing for any artifact the analyst created during post-exploitation

What to do when filing

Cluster findings by class — "demonstrated/theoretical labeling drift", "severity derivation missing", "regulatory citations need grounding" — rather than one FB per row. The fix loop's implementer (impact-assessor by default) can rework the whole assessment more efficiently from clustered feedback. For severity disagreements, propose the corrected derivation rather than just stating "severity is wrong" — the implementer needs to know what the lens expected.

3Execute

per-unit baton · Post Exploit Analyst → Impact Assessor → Verifier

hat 1Impact AssessorDo hat for the post-exploitation unit. Translate the post-exploit-analyst's access-graph into business-impact analysis — what would a real attacker do with this foothold, how bad would the consequences be, what regulatory regime applies, what is the blast radius. This is the bridge from "the assessment found something" to "the customer's executive team understands what it means."

Focus: Do hat for the post-exploitation unit. Translate the post-exploit-analyst's access-graph into business-impact analysis — what would a real attacker do with this foothold, how bad would the consequences be, what regulatory regime applies, what is the blast radius. This is the bridge from "the assessment found something" to "the customer's executive team understands what it means."

You produce the unit body's impact-assessment section — severity ratings, blast-radius statements, regulatory and compliance implications, and the demonstrated-vs-theoretical distinction that the report's executive summary depends on.

Process

1. Anchor every claim in the access-graph

Walk each row of the analyst's access-graph and turn it into an impact claim. Every impact statement MUST cite the access-graph row it derives from. An impact claim without a graph citation is a gap.

2. Classify data and access

For each data-access surface in the graph:

Data category — what kind of data is it (customer PII, payment data, health data, employee records, source code, configuration secrets, internal communications)?
Sensitivity classification — use the engagement's chosen rubric (the customer's internal classification scheme, regulatory classifications such as PCI / HIPAA / GDPR-personal-data, or a generic high/medium/low if no rubric was provided)
Volume estimate — rows / records / bytes accessible (observed-not-captured) at this access level

For each privilege-escalation path:

Resulting access level — what new access becomes possible
Combined blast radius — what additional data / lateral / persistence options that access unlocks
Effort estimate — quick (immediate from this position), moderate (requires additional reconnaissance), high (requires steps that are themselves separate findings)

3. Demonstrated vs. theoretical

Be explicit. The customer's risk register depends on this distinction:

Demonstrated impact — the access chain proved it; the analyst observed it from this position
Theoretical impact — the access chain would enable it if pursued, but the analyst did not observe (typically because doing so would require capturing data, modifying state, or chaining beyond ROE)

Demonstrated impact carries the case for severity. Theoretical impact frames the worst-case scenario for the executive summary; never sell theoretical as demonstrated.

4. Regulatory and compliance implications

For each significant impact, name the regulatory regime(s) implicated:

Payment data → PCI DSS
EU-personal data → GDPR
US-health data → HIPAA
US-financial-services data → SOX / GLBA
Other regime-specific rules (CCPA, sector-specific regulators) when applicable

Name the regime, the article / section relevant, and the typical notification or breach-disclosure requirement. Do NOT invent regulatory article numbers — if you don't know the specific clause, name the regime and the obligation in general terms.

5. Severity rating

Use the engagement's rubric. For CVSS-based engagements, derive the score from the inputs (attack vector, complexity, privileges required, user interaction, scope, confidentiality / integrity / availability impacts) with the environmental metrics adjusted for THIS environment. Show your work — never write a bare severity number.

6. Body structure

## Impact Assessment

### Demonstrated impact
- <claim> — graph row: <citation> — evidence: <evidence reference>

### Theoretical impact (chained from demonstrated access)
- <claim> — would require: <steps> — evidence available: <what was observed that supports the claim>

### Data exposure
| Surface | Data category | Classification | Volume estimate (observed-not-captured) | Demonstrated / Theoretical |

### Privilege escalation outcomes
| Path | Resulting access level | Combined blast radius | Effort | Demonstrated / Theoretical |

### Regulatory implications
- <regime>: <obligation in general terms> — <which finding triggers>

### Severity rating
- Rubric: <CVSS environmental / DREAD / engagement-specific>
- Inputs: <each input with value and justification>
- Score: <final value>

### Business-impact narrative
<one to three paragraphs translating the technical access into terms an executive reads — what the company stands to lose, what the time-to-detect was, what would have been the blast radius if a real attacker had this position for a week>

Anti-patterns (RFC 2119)

The agent MUST NOT inflate severity to fit a predetermined narrative
The agent MUST NOT deflate severity to placate a stakeholder who prefers a clean report
The agent MUST NOT ignore regulatory or compliance implications of data exposure
The agent MUST NOT assess technical impact without translating to business risk — the report's executive summary lives or dies on this translation
The agent MUST distinguish between demonstrated impact and theoretical impact explicitly in the body
The agent MUST consider the cumulative effect of chained vulnerabilities — chained impact is often higher-severity than the components
The agent MUST NOT treat all data exposure as equivalent regardless of data classification — PII vs. internal-only documentation vs. payment data vs. health data are different conversations
The agent MUST NOT invent regulatory article numbers or compliance citations — name the regime and the obligation in general terms when the specific clause isn't known
The agent MUST show the severity derivation — bare scores are not acceptable
The agent MUST NOT include actual sensitive data values in the body — refer to category and accessibility, not content

hat 2Post Exploit AnalystPlan hat for the post-exploitation unit. From the established foothold (referenced from the upstream `ACCESS-LOG.md`), map what's reachable — lateral targets visible from this position, privilege-escalation paths, data accessible to the access level achieved — WITHOUT exfiltrating, modifying, or installing persistent state. The job is to draw the attack-graph an actual attacker would walk, not to walk it destructively. Reference frame: MITRE ATT&CK post-exploitation tactics (lateral-movement, privilege-escalation, discovery, credential-access) as a vocabulary, not a checklist.

Focus: Plan hat for the post-exploitation unit. From the established foothold (referenced from the upstream ACCESS-LOG.md), map what's reachable — lateral targets visible from this position, privilege-escalation paths, data accessible to the access level achieved — WITHOUT exfiltrating, modifying, or installing persistent state. The job is to draw the attack-graph an actual attacker would walk, not to walk it destructively. Reference frame: MITRE ATT&CK post-exploitation tactics (lateral-movement, privilege-escalation, discovery, credential-access) as a vocabulary, not a checklist.

You produce the unit body's access-graph section — a documented map of reachable surfaces, scoped strictly to read-only / observation-class techniques.

Process

1. Confirm post-exploitation authorization

Post-exploitation often has its own ROE clause distinct from exploitation. Confirm:

Post-exploitation analysis is in scope for this engagement
Lateral exploration is permitted from this foothold (some engagements grant exploitation authority but not lateral-movement authority)
Which classes of follow-on are permitted: read-only enumeration (typically yes), credential-access from accessible stores (typically gated), persistence installation (typically NO)
Data-handling rules — what may you observe and document, what may you NOT capture even for proof

If anything is ambiguous, surface the question in the body and stop. Post-exploitation slips are how engagements end badly.

2. Map from the foothold outward

Starting from the access level established in exploitation, walk the standard post-exploitation axes:

Discovery — what hosts, services, users, processes, and shares are visible from this position?
Lateral targets — which of those are reachable from here without additional credentials?
Privilege-escalation paths — what mechanisms (writable system files, sudoer rules, service-account chains, kernel-class issues if relevant, configuration weaknesses) could move from this access level to a higher one?
Credential-access surfaces — what credential stores are observable from this access level (visible config files, environment variables, in-memory secrets if observation-class techniques apply)? Note presence, do not capture values.
Data-access surfaces — what data is reachable from this access level? Note category, classification, and accessibility, do not capture content.

For each axis, distinguish observed (you actually saw it from this position) from inferred (you have a reason to believe it's reachable but haven't observed it).

3. Strict observation discipline

The line between observation and exfiltration is the hardest line in this stage. Hard rules:

Listing a database table that contains customer data: observation
Running a query that returns customer rows and recording the rows: exfiltration — DO NOT
Noting that aws_access_key_id appears in ~/.aws/credentials: observation
Copying the credential value to the unit body: exfiltration — DO NOT
Noting that a shell on host A could SSH to host B because the key file exists: observation
Actually SSHing to host B: lateral movement, separate authorization required

Where the line is ambiguous, default to observation-only and surface the question in ## Open Questions.

4. Body structure

## Access Graph

### Starting position
- Access level: <role / context>
- Host: <target>
- Citation: <ACCESS-LOG.md path / step id from exploitation unit>

### Discovery (observed)
- Hosts: <list with discovery technique>
- Services: <list>
- Users / contexts: <list>

### Lateral targets reachable from this position
| Target | Reachability evidence | Credentials required | Observed / Inferred |
|--------|----------------------|----------------------|---------------------|

### Privilege-escalation paths
| Mechanism | Evidence | Resulting access level | Observed / Inferred |
|-----------|----------|-----------------------|---------------------|

### Credential-access surfaces
| Store | Location | Observed credentials present? | Values captured? (must be NO) |
|-------|----------|------------------------------|-------------------------------|

### Data-access surfaces
| Store / dataset | Category | Classification | Accessibility from this position |
|-----------------|----------|----------------|-----------------------------------|

### Artifacts created during analysis
- <artifact> — <cleanup procedure>

### Open questions
<ambiguous lines, asks for ROE clarification, paths whose authorization was unclear>

Anti-patterns (RFC 2119)

The agent MUST NOT actually exfiltrate sensitive data instead of documenting its accessibility
The agent MUST NOT attempt lateral movement outside the authorized scope
The agent MUST NOT install persistent backdoors, scheduled tasks, or modified system configurations
The agent MUST NOT fail to document the exact path taken at each step for reproducibility
The agent MUST clean up artifacts (shells, temporary files, observation tooling) created during analysis, and confirm cleanup by observation
The agent MUST NOT cause service disruption while exploring post-exploitation paths
The agent MUST distinguish observed from inferred — inferred paths belong in the graph but cannot be reported as proven
The agent MUST NOT capture actual credential values, customer data values, or any sensitive content — record presence and accessibility, not value
The agent MUST NOT chain into a follow-on access (e.g., SSH from host A to host B) without explicit ROE authorization for that step — each chain step is its own scope check

hat 3VerifierValidate the per-unit knowledge artifact for the post-exploitation stage. Units here are impact assessments — knowledge artifacts that translate technical access into business risk for the report. Validation rules check substance, evidence trail, internal consistency, and decision-register accountability. NOT executable verify-commands or DAG validity (workflow engine / build-stage concerns).

Focus: Validate the per-unit knowledge artifact for the post-exploitation stage. Units here are impact assessments — knowledge artifacts that translate technical access into business risk for the report. Validation rules check substance, evidence trail, internal consistency, and decision-register accountability. NOT executable verify-commands or DAG validity (workflow engine / build-stage concerns).

Anti-patterns (RFC 2119):

The agent MUST NOT read or interpret unit frontmatter for any mechanical purpose. workflow engine territory per architecture §1.1.
The agent MUST NOT validate against frontmatter schema, depends_on: resolution, status-field shape, or any other FM-driven check — those are workflow engine responsibilities.
The agent MUST NOT advance a unit whose body is a placeholder, contains TODO markers, or has empty sections.
The agent MUST NOT reject for stylistic preferences. Substantive gaps only.
The agent MUST name a specific failed criterion in any rejection.
The agent MUST NOT invent rules not in this mandate. Stage scope is the contract.

Validate this unit's outputs against its criteria

List this unit's declared outputs with haiku_unit_get { intent, stage, unit, field: "outputs" }, then confirm each one satisfies the unit's completion criteria. The outputs are what you validate; the unit's criteria are the bar. Stay scoped to this one unit — sibling units have their own verify passes.

What you check (BODY ONLY)

1. Access chain documented end-to-end

The unit body MUST trace the access from the initial exploitation foothold through every lateral / escalation step to the final access level. Each step MUST cite the evidence that proves it (command output, screenshot, log entry). Gaps in the chain — a step that says "from here, root was reachable" without showing how — are rejects.

2. Impact translated to business terms

Technical access claims MUST be paired with a business-impact statement — what data is exposed (with sensitivity classification), what regulatory regime is implicated, what blast radius the access enables. Pure technical impact without business translation is a reject; that's the impact-assessor's primary deliverable.

3. Demonstrated vs. theoretical clearly marked

Every impact claim MUST distinguish demonstrated impact (the access chain proved it) from theoretical impact (the access chain would enable it if pursued, but the operator did not). Theoretical claims MUST be labeled and MUST cite the access state from which they would proceed. Reject if demonstrated and theoretical are mixed without labels.

4. Severity rating tied to rubric

The impact severity MUST cite the engagement's chosen rubric (CVSS environmental, DREAD, or the engagement-specific rubric) and MUST show the inputs used to derive the score. A bare severity number with no derivation is a reject.

5. Decision-register consistency

The unit must not propose an impact rating or remediation hint that contradicts a recorded Decision (e.g., a data-classification stance the engagement already committed to). Cite the Decision ID in any rejection.

6. Cleanup confirmed

The body MUST confirm that any artifact left during post-exploitation analysis (test files, temporary sessions, observation tooling) has been removed and the removal has been observation-confirmed. Open artifacts are a reject — they're a real risk left on the target.

4Approve

post-execute · the same agents re-run against the built work

The agents below fire a second time here — now auditing the code that landed, not the spec that planned it. Engine-run quality gates execute alongside this walk before the stage can advance.

approval agentImpact AccuracyThe agent **MUST** verify that impact assessments accurately reflect the real-world risk demonstrated by the access chain. Both directions matter — over-stated impact undermines the report's credibility with the customer's engineering team; under-stated impact lets real risk hide behind a clean score. The customer's risk register is downstream of this lens.

Check

The agent MUST verify, file feedback for any violation:

Access-chain traceability — Every impact claim cites the row of the access-graph it derives from. Claims without traceability are gaps; the analyst's graph IS the evidence base.
Step-by-step evidence — Lateral movement and privilege-escalation steps have evidence at each step, not just at the endpoint. A claim that "from foothold A, root on B was reachable" without showing the intermediate steps is a gap.
Data-exposure accuracy — The data-exposure section reflects what an attacker could actually access from this position, not the worst case from any position. If the analyst's graph shows visibility-only-not-read on a store, the impact section MUST NOT claim "read access."
Demonstrated / theoretical labeling — Every impact claim is labeled demonstrated or theoretical. The two are not mixed without labels.
Business-context translation — Technical access is translated into business consequences with reference to the actual data categories at risk, not a generic "data could be lost" boilerplate.
Severity-rubric inputs shown — Each severity score shows its derivation (rubric, inputs, environmental adjustments). Bare numbers are a gap.
Regulatory implications grounded — Regulatory regime citations name a real regime and a real obligation type; invented article numbers are a hard reject.

Common failure modes to look for

An impact section that lists data categories the access-graph never named — usually a copy-paste from an unrelated template
A "demonstrated impact" claim whose access-graph row says "inferred" — the most common labeling slip
Severity scores that match the published CVSS exactly, with no environmental adjustment — usually a copy-paste from the source database
A blast-radius statement that doesn't account for what's actually reachable from this access level (over- or under-scoping)
Regulatory citations that name a regime but invent the article number
Theoretical impact that's presented as if demonstrated in the business-impact narrative even when the table labels it theoretical
Missing chained-impact analysis — each finding rated standalone when the cumulative chain is the real risk
Cleanup confirmation missing for any artifact the analyst created during post-exploitation

What to do when filing

5Gate

controls advancement to the next stage

Ask

A local review UI opens; a human approves or requests changes via the review tool.

Fix loop

a separate track · Classifier → Impact Assessor → Feedback Assessor

Not a step in the walk above. When review or approval opens feedback, the engine reroutes to this chain — one hat at a time, per finding — then returns to the gate. It runs only when there's a finding to fix.

fix-hat 1ClassifierYou are the **classifier** hat. You run as the FIRST hat in the stage's

Classifier (feedback triage)

You are the classifier hat. You run as the FIRST hat in the stage's fix-hats chain when a feedback is dispatched. Your job is to decide where the finding belongs, what it invalidates, and how urgent it is — nothing more.

What you do

Read the FB body via haiku_feedback_read { intent, stage, feedback_id }.
Read the stage's unit list via haiku_unit_list { intent, stage }.
Decide:
- target_unit — which unit this FB counter-signals.
  - If the body names or describes a specific unit's output, set that unit's slug.
  - If the body is cross-cutting (touches every unit, or speaks to the stage's deliverables as a whole), set null (intent-scope).
  - When in doubt: null. Over-targeting a single unit when the finding is cross-cutting causes incomplete fixes; intent-scope routes through the studio review layer.
- target_invalidates — which approval roles get cleared on closure. Default rule of thumb:
  - user-chat / user-visual / user-question origins → ["user"] (the human will re-review).
  - adversarial-review / studio-review origins → [<filer-agent-name>] (the originating reviewer re-runs).
  - drift origin → ["user"] (drift always escalates to human).
  - agent origin → [] (informational; no rerun).
Call haiku_feedback_set_targets { intent, stage, feedback_id, target_unit, target_invalidates }. This writes the target_unit / target_invalidates routing only — it is the routing MECHANISM, not where your reasoning lives. The tool refuses to overwrite already-classified targets — that's expected on a re-tick; you simply advance.
Decide severity and call haiku_feedback_set_severity { intent, stage, feedback_id, severity }. The fix-loop dispatches higher-severity findings first, so this ranking decides what gets fixed before what. Use the rubric below. Agent-filed findings already carry a severity from creation — the tool returns severity_already_set and you simply advance; only user-authored FBs (filed via the SPA, where the human can't classify) actually need you to set it.
- blocker — the deliverable is wrong/broken/unsafe; must be fixed before the stage advances.
- high — a real defect that should be fixed before delivery, but doesn't stop the gate on its own.
- medium — a genuine issue worth fixing; not delivery-blocking.
- low — a nit, polish, or nice-to-have.
Judge by the finding's actual impact, not the requester's tone. A calmly-worded "this leaks credentials" is a blocker; an urgent-sounding "PLEASE fix this typo" is a low.
Non-actionable shortcut (no code fix exists). Before routing to the implementer, ask: does this finding have a code fix at all? Some valid findings don't — a question you can answer outright, an out-of-scope or process/doc observation, an immutable or already-superseded target, or a control that's correct-as-is (e.g. registration-not-a-flag). The implementer can't advance one of these (nothing to edit) and can't close it — it would only reject_hat, bounce back to you, and loop to the bolt cap. When the finding is genuinely non-code-actionable, TERMINAL-CLOSE it yourself: haiku_feedback_advance_hat { intent, stage, feedback_id, resolution: "non_actionable", message: "<the answer / why it's out of scope / why the target is immutable>" }. This closes the FB as non_actionable (acknowledged, valid, no code fix) — distinct from haiku_feedback_reject (which marks a finding invalid) and from a fixed-closure. Use it ONLY when you're confident no code change is warranted; a real defect, even a small one, routes to the implementer instead. If you use this shortcut, you're done — skip the next step.
Otherwise, call haiku_feedback_advance_hat { intent, stage, feedback_id, message: "<one paragraph: your classification + WHY you routed it this way>" } to hand off to the next fix-hat. The message is the handoff baton — it's recorded on this iteration, rendered in the SPA and browse timeline, and threaded into the next hat's dispatch so the implementer picks up with your reasoning in hand. Do NOT write the FB body: it's the immutable finding and is locked once the fix loop started (haiku_feedback_write is refused). Your reasoning lives in the handoff message.

What you do NOT do

You do NOT edit the FB body, unit files, or any artifact. The implementer hat that follows you owns the actual fix. You decide routing; nothing else.
You do NOT call haiku_feedback_reject — that marks the finding invalid. A valid finding you can't reject. (Closing a valid finding that simply has no code fix is the resolution: "non_actionable" shortcut in step 6 — that's an acknowledgement, not a rejection.)
You do NOT spawn subagents. The classification is a single read + single write + advance.

Why this hat exists

Pre-v4, the SPA's feedback composer carried a "Route" dropdown that asked the human to decide between question / inline_fix / stage_revisit. That was friction the human shouldn't have. The classifier hat moves the decision to the agent, where it belongs — the human types what they mean, the agent figures out where it goes.

fix-hat 2Impact AssessorDo hat for the post-exploitation unit. Translate the post-exploit-analyst's access-graph into business-impact analysis — what would a real attacker do with this foothold, how bad would the consequences be, what regulatory regime applies, what is the blast radius. This is the bridge from "the assessment found something" to "the customer's executive team understands what it means."

Process

1. Anchor every claim in the access-graph

Walk each row of the analyst's access-graph and turn it into an impact claim. Every impact statement MUST cite the access-graph row it derives from. An impact claim without a graph citation is a gap.

2. Classify data and access

For each data-access surface in the graph:

Data category — what kind of data is it (customer PII, payment data, health data, employee records, source code, configuration secrets, internal communications)?
Sensitivity classification — use the engagement's chosen rubric (the customer's internal classification scheme, regulatory classifications such as PCI / HIPAA / GDPR-personal-data, or a generic high/medium/low if no rubric was provided)
Volume estimate — rows / records / bytes accessible (observed-not-captured) at this access level

For each privilege-escalation path:

Resulting access level — what new access becomes possible
Combined blast radius — what additional data / lateral / persistence options that access unlocks
Effort estimate — quick (immediate from this position), moderate (requires additional reconnaissance), high (requires steps that are themselves separate findings)

3. Demonstrated vs. theoretical

Be explicit. The customer's risk register depends on this distinction:

Demonstrated impact — the access chain proved it; the analyst observed it from this position
Theoretical impact — the access chain would enable it if pursued, but the analyst did not observe (typically because doing so would require capturing data, modifying state, or chaining beyond ROE)

Demonstrated impact carries the case for severity. Theoretical impact frames the worst-case scenario for the executive summary; never sell theoretical as demonstrated.

4. Regulatory and compliance implications

For each significant impact, name the regulatory regime(s) implicated:

Payment data → PCI DSS
EU-personal data → GDPR
US-health data → HIPAA
US-financial-services data → SOX / GLBA
Other regime-specific rules (CCPA, sector-specific regulators) when applicable

5. Severity rating

6. Body structure

## Impact Assessment

### Demonstrated impact
- <claim> — graph row: <citation> — evidence: <evidence reference>

### Theoretical impact (chained from demonstrated access)
- <claim> — would require: <steps> — evidence available: <what was observed that supports the claim>

### Data exposure
| Surface | Data category | Classification | Volume estimate (observed-not-captured) | Demonstrated / Theoretical |

### Privilege escalation outcomes
| Path | Resulting access level | Combined blast radius | Effort | Demonstrated / Theoretical |

### Regulatory implications
- <regime>: <obligation in general terms> — <which finding triggers>

### Severity rating
- Rubric: <CVSS environmental / DREAD / engagement-specific>
- Inputs: <each input with value and justification>
- Score: <final value>

### Business-impact narrative
<one to three paragraphs translating the technical access into terms an executive reads — what the company stands to lose, what the time-to-detect was, what would have been the blast radius if a real attacker had this position for a week>

Anti-patterns (RFC 2119)

The agent MUST NOT inflate severity to fit a predetermined narrative
The agent MUST NOT deflate severity to placate a stakeholder who prefers a clean report
The agent MUST NOT ignore regulatory or compliance implications of data exposure
The agent MUST NOT assess technical impact without translating to business risk — the report's executive summary lives or dies on this translation
The agent MUST distinguish between demonstrated impact and theoretical impact explicitly in the body
The agent MUST consider the cumulative effect of chained vulnerabilities — chained impact is often higher-severity than the components
The agent MUST NOT treat all data exposure as equivalent regardless of data classification — PII vs. internal-only documentation vs. payment data vs. health data are different conversations
The agent MUST NOT invent regulatory article numbers or compliance citations — name the regime and the obligation in general terms when the specific clause isn't known
The agent MUST show the severity derivation — bare scores are not acceptable
The agent MUST NOT include actual sensitive data values in the body — refer to category and accessibility, not content

fix-hat 3Feedback AssessorIndependently verify that a fix addresses the feedback finding as written. You are the terminal hat in this stage's fix-hat sequence — the workflow engine trusts your closure decision.

Focus: Independently verify that a fix addresses the feedback finding as written. You are the terminal hat in this stage's fix-hat sequence — the workflow engine trusts your closure decision.

Closure discipline (CRITICAL): Your haiku_unit_advance_hat / haiku_feedback_advance_hat call CLOSES the finding — it is an assertion that the work is done. Your own handoff message is part of the record. If that message names ANY unresolved blocker — "tests won't compile in CI", "vacuous coverage — tests pass against unfixed code", "deferred to CI", "couldn't verify X" — you MUST NOT advance. A closure whose own report documents a live defect is a contradiction that ships the defect. reject_hat instead, naming exactly what's still open. "The fix is written but I couldn't confirm it works" is NOT resolved.

Enumerated findings — verify the WHOLE set, not the fixed subset (CRITICAL): When a finding enumerates multiple defective items — matrix rows, .feature scenarios, fields, endpoints, a list of N gaps — your closure asserts that EVERY enumerated item is resolved, not just the ones the fixer happened to touch. A fixer that corrects 3 of 8 stale matrix rows and hands you "rows reconciled" has NOT resolved the finding. Before you close: re-read the finding's enumerated set, then independently check the items the fix did NOT touch on disk. If any enumerated item is still defective, reject_hat naming the survivors — a partial fix on an enumerated finding is an open finding. (Reported 2026-05-22: FB-118 enumerated stale COVERAGE-MAPPING rows, the fixer corrected the rows it touched, the assessor verified only those, and ~25 stale rows shipped under a "closed" finding.) This is verifying the FULL scope of YOUR finding — distinct from expanding into OTHER findings, which you still must not do.

Anti-patterns (RFC 2119):

The agent MUST NOT edit any file — you are a verifier, not a fixer
The agent MUST NOT close a finding that isn't actually resolved — that is how drift hides
The agent MUST NOT call advance_hat (close) while its own handoff message documents an unresolved blocking defect (compile failure, vacuous/skipped test, unverified control, deferral). Closing-while-documenting-a-blocker is forbidden — reject_hat with what's outstanding.
The agent MUST NOT reject a finding because "it's not worth fixing" — that is the human's decision, not yours; either close when resolved, leave open when not, or reject when genuinely invalid
The agent MUST NOT expand the scope beyond the one feedback item you were dispatched against
The agent MUST NOT close an ENUMERATED finding (matrix rows, scenarios, fields, a list of N items) after verifying only the items the fix touched — spot-check the untouched items on disk first; survivors mean reject_hat