Open any incident report from a real intrusion and you will not find a single exploit. You will find a path: an exposed management surface that gave initial access, a secret read off the first host, a lateral hop into the network using that secret, and an objective at the end, data theft or encryption. Each step might be individually unremarkable. The damage is in how they connect. Yet most security testing is organized around individual findings, because findings are easy to enumerate and chains are hard to model. The result is a structural blind spot: programs that are excellent at listing exposures and poor at seeing the sequences those exposures enable.
We attack that blind spot with cadence. Every day, the threat landscape publishes new material: vendor advisories, government catalogs of actively exploited vulnerabilities, threat-research writeups that describe, step by step, what a campaign actually did. That material is a stream of real technique sequences. Our job is to turn the stream into detection. Verifiable security.
The daily cycle, end to end
The process runs as a tight loop with three stages, and it is deliberately structured so that nothing fictional or speculative survives to the end.
- Intel review. Ingest the day's published sources: newly catalogued actively-exploited vulnerabilities, vendor advisories with assigned identifiers, and threat research describing observed campaigns. Pull out the concrete technique sequences, the ordered steps an actor took, expressed in a standard vocabulary so they can be compared and composed.
- Novelty synthesis. Take those sequences and ask whether any composition of them is genuinely new relative to what we already model. A chain is only worth building if it represents a path we do not already test. We cross-check every candidate against our existing chain catalog so we are not re-deriving something we already cover. Net-new compositions move forward; duplicates are dropped.
- Zero-false-positive validation. Before a synthesized chain becomes a real detection, every link has to be grounded in a real, named primitive, an actual CVE or an actual observable technique, and the whole chain has to survive the same evidence discipline we apply to every finding. A chain that cannot be tied to real, citable building blocks does not ship. This is the gate that keeps the cadence honest: speed never buys us the right to invent.
Three stages, run daily. The last stage is the one that matters: a chain ships only when every link is a real, citable primitive. Speed does not earn the right to invent.
The worked example: a double-CVE controller takeover
This week's cycle produced a chain we had not modeled before, composed from two separate, publicly assigned vulnerabilities in the same product, Cisco Catalyst SD-WAN Manager, the management plane formerly branded vManage. Individually, each is serious. Composed, they are a complete path from the outside to administrative control of the controller that manages an entire software-defined network fabric. Both were added to the U.S. CISA Known Exploited Vulnerabilities catalog in mid-June 2026, with active exploitation observed in the wild.
The composition is what is new. We already had detection for management-surface discovery, for authentication-bypass primitives, and for path-traversal file reads as separate capabilities. What this week added was the specific sequence in which an attacker would walk them against the SD-WAN Manager, anchored on two real identifiers: CVE-2026-20182, an authentication-bypass weakness rated CVSS 10.0 that lets an unauthenticated remote attacker obtain administrative privileges through the peering authentication mechanism, and CVE-2026-20262, a path-traversal arbitrary-file-write weakness in the web UI. No prior chain in our catalog composed two CVEs on the same controller into a single takeover path, which is exactly why it cleared the novelty stage.
The chain is new; the links are not. Every step ties to a real, named primitive, which is the condition for a synthesized chain to ship.
The defensive value of modeling this as a chain rather than two findings is concrete. A team patching by severity might address the file-write and defer the auth-bypass, or vice versa, treating them as two items on a backlog. Seeing them as a composed path reframes the priority: together they are a controller takeover, and the controller holds the keys to the network fabric. The chain tells you these two are not independent line items. They are one emergency. The public reporting bears this out: each was independently assigned, independently catalogued as exploited, and each carries its own remediation deadline, but an attacker reads them as one path.
A foothold you would have shrugged at becomes total takeover the moment it is the first link in a chain. The attacker thinks in paths. A defender who thinks in findings is always one composition behind.
Why we ground every link in a real primitive
It would be easy, and dishonest, to generate impressive-looking attack chains by stringing together plausible-sounding steps. The temptation in any threat-intelligence program is to let the narrative get ahead of the evidence, to describe a chain that "an attacker could" run without confirming that each step corresponds to a real, observable thing. We refuse that, and the refusal is the whole point of the validation stage.
Concretely, this means two disciplines. First, every link must map to a named primitive: a specific CVE with an assigned identifier, or a specific technique that is observable in the real world, not a hypothetical capability. Second, we keep a hard line between two categories of chain. There are chains in which every link is grounded and citable; those are what we ship as detection. And there are raw candidate sequences pulled straight from the intel stream that we have not yet grounded into testable primitives. Those candidates are genuinely useful, they tell us where to look next, but they are not detections, and we do not present them as if they were. Calling a candidate a detection would be a false positive at the level of the whole capability, and the same doctrine that governs a single finding governs a chain.
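The novelty and grounding gates from the daily cycle, written out as an added example (this is not Celvex's own tooling). The primitive identifiers are the two CVEs from this post plus ATT&CK technique ids; the catalog contents, and the choice of T1595 (Active Scanning) to stand for the management-surface discovery step, are assumptions.

```python
import re

# Identifier shapes accepted as named primitives: an assigned CVE id or an
# ATT&CK technique id. Anything else is narrative and cannot be cited.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
ATTACK_RE = re.compile(r"^T\d{4}(\.\d{3})?$")


def is_grounded(primitive: str) -> bool:
    """True only if the link names a real, citable building block."""
    return bool(CVE_RE.match(primitive) or ATTACK_RE.match(primitive))


def is_novel(chain: tuple, catalog: set) -> bool:
    """Novelty is judged on the ordered sequence, so the same links in a
    different order still count as a path we do not yet test."""
    return chain not in catalog


def classify(chain: tuple, catalog: set) -> str:
    """Run the novelty gate, then the grounding gate, and say what ships."""
    if not is_novel(chain, catalog):
        return "duplicate"   # already modeled; dropped
    if all(is_grounded(p) for p in chain):
        return "detection"   # every link citable; ships
    return "candidate"       # a lead, never presented as a detection


def ungrounded_links(chain: tuple) -> list:
    """The links that still need grounding before a candidate can ship."""
    return [p for p in chain if not is_grounded(p)]


# Constructed catalog: the three capabilities the text says were already
# modeled separately, each as a one-link chain.
CATALOG = {("T1595",), ("CVE-2026-20182",), ("CVE-2026-20262",)}

# The double-CVE controller takeover from the text. Mapping the
# management-surface discovery step to ATT&CK T1595 is an assumption.
TAKEOVER = ("T1595", "CVE-2026-20182", "CVE-2026-20262")

# A plausible-sounding sequence whose middle step is not a citable primitive.
STORY = ("T1595", "some auth weakness", "CVE-2026-20262")

if __name__ == "__main__":
    print(classify(TAKEOVER, CATALOG))   # detection
    print(classify(STORY, CATALOG))      # candidate
    print(ungrounded_links(STORY))       # ['some auth weakness']
```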
What the cadence buys a defender
The advantage of running this daily, rather than quarterly, is that the gap between "an actor starts using a technique sequence" and "your defensive program tests for it" shrinks from months to about a day. Active exploitation moves fast; the catalog of vulnerabilities under active attack updates constantly. The SD-WAN Manager pair is a clean illustration: both CVEs moved from advisory to actively-exploited to catalogued inside a single week. A chain library that is refreshed every day tracks that reality far more closely than one rebuilt on a release cycle.
Bring chain-thinking into your own program this quarter
- Stop scoring findings purely in isolation. For every exposure, ask what it becomes when it is step one, or step three, of a sequence. The severity of a foothold depends on what it reaches.
- Read the actively-exploited catalog as sequences, not a list. When two entries land for the same product in the same week, ask whether an attacker composes them, and prioritize accordingly.
- Model the path to your crown-jewel systems explicitly. Controllers, identity providers, and management planes are the high-value ends of most chains. Map what reaches them and treat any two-step path to them as a single priority.
- Refresh your chain models on the cadence of the threat, not the cadence of releases. If active-exploitation intel updates daily, a quarterly chain review is structurally behind.
- Demand that every chain step be grounded in a real primitive. A chain you cannot tie to named, observable building blocks is a story, not a control. Keep candidates and detections clearly separate.
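Reading the actively-exploited catalog as sequences, as an added example rather than anything from the post or from Celvex: records in the shape of the KEV catalog's core fields are grouped by vendor and product, pairs added within a week are flagged as composition candidates, and each pair inherits the earlier of the two remediation deadlines. The two Cisco CVE ids are the ones named in this post; the dates and the third record are constructed.

```python
from datetime import date, timedelta
from itertools import combinations

# Constructed records using the KEV catalog's field names (cveID,
# vendorProject, product, dateAdded, dueDate). The Cisco ids are the ones
# from the text; the dates are illustrative and the third id is a placeholder.
KEV_SAMPLE = [
    {"cveID": "CVE-2026-20182", "vendorProject": "Cisco",
     "product": "Catalyst SD-WAN Manager",
     "dateAdded": "2026-06-15", "dueDate": "2026-07-06"},
    {"cveID": "CVE-2026-20262", "vendorProject": "Cisco",
     "product": "Catalyst SD-WAN Manager",
     "dateAdded": "2026-06-17", "dueDate": "2026-07-01"},
    {"cveID": "CVE-PLACEHOLDER-1", "vendorProject": "ExampleVendor",
     "product": "Example Router",
     "dateAdded": "2026-06-16", "dueDate": "2026-07-07"},
]


def composition_candidates(entries, window_days=7):
    """Pairs of KEV entries for the same vendor/product whose dateAdded values
    fall within window_days of each other, each collapsed into one item that
    carries the earliest of the two deadlines (one emergency, not two)."""
    by_product = {}
    for e in entries:
        by_product.setdefault((e["vendorProject"], e["product"]), []).append(e)
    found = []
    for (vendor, product), group in by_product.items():
        group.sort(key=lambda e: e["dateAdded"])
        for a, b in combinations(group, 2):
            gap = date.fromisoformat(b["dateAdded"]) - date.fromisoformat(a["dateAdded"])
            if gap <= timedelta(days=window_days):
                found.append({
                    "product": f"{vendor} {product}",
                    "cves": (a["cveID"], b["cveID"]),
                    "days_apart": gap.days,
                    # ISO dates compare correctly as strings
                    "due": min(a["dueDate"], b["dueDate"]),
                })
    return found


if __name__ == "__main__":
    for candidate in composition_candidates(KEV_SAMPLE):
        print(candidate)
```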
How Celvex runs it
Find. Prove. Fix. Verify.
- Find: The daily cycle ingests published advisories, actively-exploited catalogs, and threat research, extracts ordered technique sequences, and composes net-new chains after cross-checking against the existing chain catalog.
- Prove: Each link is grounded in a named CVE or observable technique, and the chain is validated against the same evidence discipline as any finding before it becomes a detection rather than a candidate.
- Fix: A confirmed chain reframes remediation priority. The two links that compose a controller takeover are surfaced as one emergency, with the break-the-chain step that gives the most leverage called out.
- Verify: After the chain is broken, the cycle re-checks the composed path on the next pass and records that the sequence no longer completes against the scoped environment.
The honest framing is the one we hold ourselves to: we ship the chains whose every link is real and citable, and we keep raw candidate sequences from the intel stream clearly labeled as the leads they are. The cadence is what keeps us close to the threat. The grounding is what keeps us honest. Both are required.
Verifiable security. Find it. Prove it. Fix it. Verify the fix held. Composed the way the attacker actually works.
Sources
- NVD: CVE-2026-20182, Cisco Catalyst SD-WAN Controller authentication bypass (CVSS 10.0, CWE-287)
- NVD: CVE-2026-20262, Cisco Catalyst SD-WAN Manager path-traversal arbitrary file write (CWE-22)
- CISA: Known Exploited Vulnerabilities Catalog
- MITRE ATT&CK: technique and tactic vocabulary for technique sequences
- CELVEX Group: Check Point VPN auth-bypass, a real chain entry point
- CELVEX Group: Proof Capsule format
Find out what an attacker composes against your edge.
Free Exposure Check, no signup required. We map the exposures on the assets you scope in and show where two of them compose into a single path, then ship a signed Proof Capsule for the highest-confidence link.