Proposed product 3 of 3 · Eviction bridge · ECCN 4D004 if built

Closure — the AI orchestrator for synchronized eviction

The AI orchestrator for synchronized eviction. The planning-and-validation bridge between Fulcrum’s and Bulwark’s research output and the carrier-and-CISA operation that actually evicts a resident Salt-Typhoon-class attacker. Proposed design, not yet operational. If built, a dual-use coordination CLI that falls under EAR ECCN 4D004.

Status: Proposed design, not operational. Closure’s plan-schema and validator contracts are scaffolded in source; integrated runs against a real carrier estate are not yet possible. If built per the design, the resulting software would fall under EAR ECCN 4D004 (intrusion-software command and control by association with the Fulcrum + Bulwark rulebook), with controls allowlist-gated, append-only audit-logged, and the eviction-plan artifact pinned to coordinated-handoff terminals for federal use.

Closure exists because of a single load-bearing line in the August 2025 CISA / NSA / FBI joint advisory AA25-239A: “Where possible, gaining a full understanding of the APT actors’ extent of access into networks followed by simultaneous measures to remove them may be necessary to achieve a complete and lasting eviction. Partial response actions may alert the actors to an ongoing investigation and jeopardize the ability to conduct full eviction.”1 Synchronized eviction is a planning problem. For a tier-1 carrier with thousands of POPs and a five-layer trust graph (BGP, OSPF/ISIS, MPLS LDP, TACACS+, SNMPv3), no public tool currently produces the simultaneous-cut plan at the scale and tempo a real eviction window requires. Closure is the proposed agent loop to fill that gap.

Phase 1 · Pre-eviction

Planner

  1. Inventory — enumerate the affected device estate from the carrier’s IPAM and PSIRT scan data.
  2. Map — build the trust graph: BGP / OSPF / ISIS adjacencies, MPLS LDP sessions, TACACS+ clients, SNMPv3 EngineID trust, console-server access paths.
  3. Plan — produce the simultaneous-cut schedule: maximum-parallelism set within ops-team capacity and dependency constraints (don’t clean device A before its upstream B).
  4. Coordinate — allocate personnel (field engineers, console-server techs, vendor TAC), pin the out-of-band comms plan (since on-band admin is potentially compromised), emit the cut-window briefing packet.
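One way to implement the Plan step's dependency ordering and capacity packing, as an added example in Python that is not Closure's own code. The device names, the trust-graph dependencies and the capacity figure are constructed for the illustration; the planner places a device only once every upstream it depends on (its TACACS+ server, its PE) sits in an earlier wave, caps each wave at the ops-team capacity, and refuses a trust graph with a cycle because no simultaneous-cut order exists for it.

```python
"""Dependency-constrained wave planner for a synchronized cut (added example).

Not Closure's own code. Device names, the trust-graph dependencies and the
capacity figure below are constructed for the illustration.
"""

# Constructed trust graph: device -> upstream devices that must be cleaned in
# an earlier wave (clean TACACS+ servers ahead of the devices that authenticate
# against them; clean PE routers before the CE routers behind them).
TRUST_DEPS = {
    "tacacs-east": [],
    "tacacs-west": [],
    "pe-east-1": ["tacacs-east"],
    "pe-east-2": ["tacacs-east"],
    "pe-west-1": ["tacacs-west"],
    "ce-r1-a": ["pe-east-1"],
    "ce-r1-b": ["pe-east-1", "pe-east-2"],
    "ce-r1-c": ["pe-west-1"],
}


def plan_waves(deps, capacity):
    """Return the cut schedule as a list of waves (lists of device names).

    Each device is scheduled only after all of its upstreams sit in an
    earlier wave, and no wave exceeds `capacity` devices (the ops-team
    limit, e.g. concurrent console-server sessions). A dependency cycle
    means no valid simultaneous-cut order exists, so it is an error.
    """
    if capacity < 1:
        raise ValueError("capacity must be at least 1")
    remaining = {dev: set(ups) for dev, ups in deps.items()}
    for ups in remaining.values():
        unknown = ups - set(remaining)
        if unknown:
            raise ValueError(f"upstream not in inventory: {sorted(unknown)}")
    cleaned = set()
    waves = []
    while remaining:
        # Ready = every upstream already cleaned in a previous wave.
        ready = sorted(dev for dev, ups in remaining.items() if ups <= cleaned)
        if not ready:
            raise ValueError(f"dependency cycle among: {sorted(remaining)}")
        # Split the ready set into capacity-sized waves. Later chunks still
        # respect ordering because their upstreams are already in `cleaned`.
        for start in range(0, len(ready), capacity):
            chunk = ready[start:start + capacity]
            waves.append(chunk)
            for dev in chunk:
                del remaining[dev]
        cleaned.update(ready)
    return waves


def schedule_is_valid(waves, deps, capacity):
    """Independent check: every upstream precedes its dependent by wave index,
    every device is scheduled exactly once, and no wave exceeds capacity."""
    wave_of = {dev: i for i, wave in enumerate(waves) for dev in wave}
    if set(wave_of) != set(deps) or any(len(w) > capacity for w in waves):
        return False
    return all(wave_of[u] < wave_of[dev] for dev, ups in deps.items() for u in ups)


if __name__ == "__main__":
    for i, wave in enumerate(plan_waves(TRUST_DEPS, capacity=60), start=1):
        print(f"wave {i}: {', '.join(wave)}")
```

`schedule_is_valid` is deliberately separate from the planner so a plan can be re-audited after a human edits the waves in the briefing packet; a wave order that puts a CE ahead of its PE, or a device ahead of its TACACS+ server, fails the check regardless of how it was produced.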

Phase 2 · Post-eviction

Validator

  1. Re-inventory — pull the carrier’s post-eviction running images, ROMMON hashes, golden-config fingerprints.
  2. Variant-hunt — re-run the Bulwark pipeline against the declared post-eviction image set; produce the unresolved-variant report.
  3. Drift audit — diff post-eviction configs against the carrier’s golden template; flag any persistence-kit indicators (GRE tunnels, sshd_operns/57722, AAA-server-IP changes, created users, Guest Shell enable).
  4. Document — emit the Milestone-3 sign-off packet against the six closure criteria below.

Closure does not touch the carrier’s production gear, hold carrier AAA credentials, sign Cisco TAC tickets, or dispatch field engineers. Both phases are research-flavored artifacts: the planner produces a coordination document, the validator produces a verification report. The carrier owns execution; Closure owns the bookends that make execution auditable. By design, the eviction-plan artifact and the validator report exit only through coordinated handoff to the carrier’s PSIRT, the CISA hardening-guidance lead, or (for federally-supervised LI rebuilds) the FBI / FCC liaison — broker channels structurally invalid in the EVRP enum, the same constraint that pins disclosure terminals for Fulcrum and Bulwark.

Sample workflow · design illustration

salt-typhoon-cut-plan.yaml: Illustrative Closure plan for the synchronized-eviction operation against a notional carrier’s IOS XE estate. Not output from a real engagement; shown to communicate the design and the data Closure would consume and produce.

# salt-typhoon-cut-plan.yaml — sample Closure synchronized-eviction plan.
# Phase 1 (planner) output: consumed by carrier ops + CISA IR lead.

operation:
  name:            carrier-x-salt-typhoon-eviction
  intent:          synchronized-eviction
  cut_window:      2026-08-15T03:00Z — 2026-08-15T07:00Z
  audit:           firestore://closure_ops/{op_id}

estate:
  # Discovered from carrier IPAM + Bulwark persistence-indicator scan.
  # 412 devices on Cisco IOS XE / IOS Classic / NX-OS; 17 EOL platforms.
  total_devices:   412
  platforms:
    - family: ios-xe
      version_floor: 17.18.1a   # for factory-reset all secure
      count:         361
    - family: ios-classic
      version:       12.x        # EOL; physical replacement
      count:         17
    - family: nx-os
      count:         34

trust_graph:
  ibgp_peers:      derived://carrier_x_bgp_topology
  igp:             ospf-area-0, isis-l2
  aaa_dependency:  tacacs-east, tacacs-west
  snmpv3_engines:  4 distinct EngineID trust groups
  # Dependency ordering: clean PE before CE within the same trust group;
  # clean TACACS+ servers ahead of any device that authenticates against them.

cut_schedule:
  # Maximum-parallelism within ops-team capacity (60 simultaneous
  # console-server sessions, 24 field-engineer truck rolls in window).
  - wave: 1
    scope:          tacacs-server-rebuild   # clean AAA first
    parallelism:    2 servers
    duration:       45 minutes
  - wave: 2
    scope:          pe-routers-east
    parallelism:    60 console sessions
    duration:       80 minutes
  - wave: 3
    scope:          pe-routers-west + ce-routers-region-1
    parallelism:    60 console sessions
    duration:       80 minutes
  - wave: 4
    scope:          eol-platforms-physical-swap
    parallelism:    24 field engineers
    duration:       180 minutes

personnel:
  carrier_ops:     60 console-server techs
  field:           24 field engineers (national-guard signal units possible)
  vendor_tac:      6 Cisco TAC engineers on-shift (ROMMON validation)
  federal_ir:      CISA Cyber Hunt and Incident Response Team liaison
  comms_lead:      out-of-band; PKI-backed bridge call

comms_plan:
  # On-band admin email + chat assumed compromised per CISA AA25-239A.
  primary:         pki-bridge://ops.carrier-x.local
  fallback:        paper-sop-distributed-at-each-pop
  forbidden:       [admin-email, slack, teams, on-band-jabber]

handoff:
  # Plan artifact pinned to coordinated handoff — same EVRP constraint
  # that pins Fulcrum / Bulwark disclosure terminals.
  allowed:         [carrier-psirt, cisa-hardening-lead, fbi-ci-liaison]
  forbidden:       [broker, public-release-pre-cut]

constraints:
  ear:              ECCN 4D004
  allowlist_gated:  true
  rulebook:         src/contracts/agent-rules.schema.json

# Illustrative output — design mock-up, not a real run.
$ trenchwork closure plan salt-typhoon-cut-plan.yaml --carrier carrier-x
[closure 11:02:11] inventory loaded — 412 devices, 17 EOL platforms
[closure 11:02:12] trust graph resolved — 4 SNMPv3 engine groups, 2 TACACS+ servers
[closure 11:02:13] cut schedule generated — 4 waves, 6h 5m total
[closure 11:02:13] personnel allocation feasible within stated capacity
[closure 11:02:13] OOB comms plan: pki-bridge primary, paper-SOP fallback
[closure 11:02:14] handoff terminals: carrier-psirt, cisa-hardening-lead
[closure 11:02:14] audit log: firestore://closure_ops/2026-08-10T11:02:11Z

# … carrier and CISA execute the cut against this plan …

$ trenchwork closure validate --op-id 2026-08-10T11:02:11Z --post-eviction-images ./carrier-x-post/
[closure 18:44:02] post-eviction image set: 412 devices reported
[closure 18:44:08] variant-hunt across declared image set: 0 unresolved (C3)
[closure 18:44:11] golden-config drift audit: 412/412 clean against template (C1)
[closure 18:44:14] persistence-kit indicators: 0 GRE tunnels / 0 sshd_operns / 0 guestshell (C1)
[closure 18:44:15] image SHA-512 estate scan: 412/412 vendor-matched (C2)
[closure 18:44:16] credential rotation log: signed by carrier-x identity lead (C4)
[closure 18:44:16] burn-in window: 90 days — tracking
[closure 18:44:16] milestone-3 packet drafted: carrier-psirt + cisa-hardening-lead signers required

If built, sale and use would be scoped under EAR ECCN 4D004 as a coordinated extension of the Fulcrum + Bulwark rulebook, with controls allowlist-gated, append-only audit-logged, and the planner artifact and validator report pinned to the same coordinated-handoff terminals.

Fulcrum (Details →)
  Driver: Operator
  Cadence: Per-engagement
  Scope: Chosen target
  Intent: CNE / CNA-shaped, disclosure-pinned
  Surface: Variant research, exploit dev

Bulwark (Details →)
  Driver: Schedule
  Cadence: Continuous, unattended
  Scope: Vendor surface deployed at scale
  Intent: CND, coordinated-disclosure-pinned
  Surface: Pre-empting the next variant

Closure (this page)
  Driver: Planner + validator
  Cadence: Per-eviction-operation
  Scope: Affected device estate
  Intent: Eviction bridge, coordinated-handoff-pinned
  Surface: Synchronized-cut planning + post-eviction validation

What “evicted” actually means — the definition Closure validates against

Closure, the product, produces evidence; this section defines what that evidence is evidence for. In December 2024, Verizon, AT&T, and Lumen publicly stated they had “purged” or “contained” the Salt Typhoon intrusion. In December 2024, CISA and the FBI publicly said Salt Typhoon was still active in U.S. telecom networks.2 The carrier and the government cannot both be right at the same time, and the structural reason they cannot agree is the absence of a shared definition of closure. The criteria below are the definition Closure’s validator phase produces evidence against.

What the carriers said (December 2024)

Per CyberScoop reporting: AT&T, Verizon, and Lumen “publicly stated they had ‘purged’ or ‘contained’ the breach.” — Carrier public statements, December 2024, summarized by CyberScoop.3

When the Senate Commerce Committee demanded documentation supporting these claims, AT&T and Verizon failed to provide any.4 The carrier statements were public assertions, not auditable evidence.

What CISA and the FBI said (same week)

“I think it would be impossible for us to predict a time frame on when we’ll have full eviction.” — Jeff Greene, Executive Assistant Director for Cybersecurity, CISA, December 3, 2024 press briefing.2

Greene’s framing — “Each victim is unique. These are not cookie-cutter compromises in terms of how deeply compromised the victim might be”2 — implies a yes/no claim doesn’t survive a per-victim assessment. The carriers and the government were both speaking truthfully because “purged” / “contained” / “evicted” were undefined terms.

The six closure criteria

Closure is a conjunction of conditions. All of the following must hold simultaneously for a given affected estate. Any one failing means the estate is not closed, regardless of public posture.

  1. No persistence-kit indicators on any device in the estate.

    Zero GRE tunnels not in the golden configuration, zero non-canonical SSH listeners (including sshd_operns on TCP 57722), zero unexpected local user accounts, zero AAA / TACACS+ server IP changes against the golden, zero ACL drift admitting non-baseline source IPs, zero SNMP community-string changes, zero Guest Shell enable events not in the operational baseline.5 The validator’s post-eviction config diff must produce empty output on the persistence-indicator section.

  2. Image SHA-512 hashes match Cisco’s published values across the entire estate.

    Every device’s running image is hashed against Cisco’s published SHA-512 at software.cisco.com. Mismatches escalate to Cisco TAC for ROMMON validation per MITRE T1542.004.6 Closure requires 0/N mismatches against the estate inventory.

  3. All Salt-Typhoon-class CVE variants have been disclosed and patched.

    The post-eviction variant-hunt against the carrier’s declared post-eviction image set returns zero unresolved variants for the CVE classes Salt Typhoon weaponized (CVE-2018-0171, CVE-2023-20198, CVE-2023-20273, plus the IOS XE web-UI sink class generally). Re-running the Bulwark pipeline against the post-eviction image set is the test.

  4. Every credential that ever touched the affected estate has been rotated.

    Local secrets (enable secret, local users, line passwords), shared secrets (TACACS+ / RADIUS), cryptographic material (SSH host keys, device certs), routing-protocol authentication keys (BGP / OSPF / EIGRP HMAC keys), and SNMPv3 user credentials. Server-side: AAA-server passwords, service-account credentials used by mgmt tooling.7 Closure requires a documented rotation log timestamped after the cut-window, signed by the carrier’s identity-management lead.

  5. A 90-day post-eviction telemetry burn-in shows no re-pivot indicators.

    NetFlow / IPFIX exported from every edge interface to behavioral analytics; centralized syslog with hash-chain integrity; per-minute running-config diff against golden. Closure requires the full 90-day window to elapse with no alerts on: GRE tunnel creation anywhere in the estate, guestshell enable, new high-port SSH listeners, new username entries, AAA-server-IP changes. Closure is not granted on the day of the cut; it is granted at the end of the burn-in if the burn-in is clean.

  6. Signaling and lawful-intercept layers rebuilt where in scope.

    If SS7 / Diameter signaling-plane abuse is in scope, the SS7 firewall / DEA screening is in place per GSMA FS.11 / FS.19, and partner-validation policies have been applied at the IPX boundary. If lawful-intercept infrastructure is in scope, the LI mediation rebuild is complete with new HSM-backed LEA-delivery keys under FBI / FCC supervision. Closure requires the relevant federal-program lead to sign off on the scoped layers.
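The Phase 2 drift-audit step and criterion C1 both come down to the same test: diff the post-eviction running config (plus the listener and event inventory) against the golden template and require the persistence-indicator section of that diff to be empty. The following is an added example in Python, not Closure's own code; the golden template, the post-eviction config, the listener table and the event line are constructed IOS XE-style samples, and the indicator classes are the ones C1 lists.

```python
"""Golden-config drift audit for criterion C1 (added example).

Not Closure's own code. The golden template, the post-eviction running
config, the listener inventory and the event line below are constructed
IOS XE-style samples, not output from any real device.
"""
import re

GOLDEN_CONFIG = """\
hostname pe-east-1
username netops privilege 15 secret 9 <redacted>
tacacs server tacacs-east
 address ipv4 10.10.0.11
snmp-server community constructed-ro RO
ip access-list extended MGMT-IN
 permit tcp host 10.10.0.50 any eq 22
 deny ip any any
"""

# Constructed post-eviction config that still carries persistence indicators.
POST_CONFIG = """\
hostname pe-east-1
username netops privilege 15 secret 9 <redacted>
username svc_backup privilege 15 secret 9 <redacted>
interface Tunnel0
 tunnel mode gre ip
 tunnel destination 198.51.100.7
tacacs server tacacs-east
 address ipv4 198.51.100.11
snmp-server community constructed-ro RO
ip access-list extended MGMT-IN
 permit tcp host 10.10.0.50 any eq 22
 permit tcp host 198.51.100.7 any eq 22
 deny ip any any
"""

# Constructed listener inventory (port, process) and event-log line.
LISTENERS = [(22, "sshd"), (57722, "sshd_operns")]
EVENTS = ["constructed event: guestshell enable issued by svc_backup"]
CANONICAL_SSH_PORTS = {22}


def parse_config(text):
    """Extract the config facts the C1 indicators are compared on."""
    facts = {"tunnels": set(), "users": set(), "tacacs": {}, "snmp": set(), "acl_hosts": set()}
    block = None  # name of the enclosing 'tacacs server' block, if any
    for line in text.splitlines():
        line = line.rstrip()
        if not line.startswith(" "):
            block = None  # any top-level line closes the current block
        if m := re.match(r"interface (Tunnel\d+)$", line):
            facts["tunnels"].add(m.group(1))
        elif m := re.match(r"username (\S+)", line):
            facts["users"].add(m.group(1))
        elif m := re.match(r"tacacs server (\S+)$", line):
            block = m.group(1)
        elif (m := re.match(r" address ipv4 (\S+)$", line)) and block:
            facts["tacacs"][block] = m.group(1)
        elif line.startswith("snmp-server community "):
            facts["snmp"].add(line)
        elif m := re.match(r" permit \S+ host (\S+)", line):
            facts["acl_hosts"].add(m.group(1))
    return facts


def drift_audit(golden_text, post_text, listeners, events):
    """Return the persistence-indicator section of the C1 diff: one list of
    findings per indicator class. Every list must be empty for C1 to hold."""
    g, p = parse_config(golden_text), parse_config(post_text)
    return {
        "gre_tunnels": sorted(p["tunnels"] - g["tunnels"]),
        "ssh_listeners": sorted(f"{proc}:{port}" for port, proc in listeners
                                if proc.startswith("sshd") and port not in CANONICAL_SSH_PORTS),
        "local_users": sorted(p["users"] - g["users"]),
        "aaa_server_ip": sorted(f"{name}: {g['tacacs'].get(name)} -> {ip}"
                                for name, ip in p["tacacs"].items() if g["tacacs"].get(name) != ip),
        "acl_sources": sorted(p["acl_hosts"] - g["acl_hosts"]),
        "snmp_community": sorted(p["snmp"] ^ g["snmp"]),
        "guestshell_enable": [e for e in events if "guestshell enable" in e.lower()],
    }


def is_clean(findings):
    """C1 holds only when the persistence-indicator section is empty."""
    return not any(findings.values())


if __name__ == "__main__":
    for indicator, hits in drift_audit(GOLDEN_CONFIG, POST_CONFIG, LISTENERS, EVENTS).items():
        print(f"{indicator:18} {hits or 'clean'}")
```

The audit is a set difference against the golden, not a signature match: a tunnel, user or ACL source is flagged because it is absent from the baseline, which is what lets the same code catch the indicators that travel together in the kit rather than only the one that was already caught (failure mode 1 below).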

Who has to sign the closure artifact

Carrier self-declaration doesn’t produce closure: the carrier is one of the disputed parties. The closure artifact has to be signed by mutually disinterested parties whose institutional positions don’t depend on the public-relations outcome.

Required · Carrier PSIRT lead

The carrier’s own incident-response leadership signs that the technical work was performed against the affected estate — cut-window, reflash, credential rotation, golden-config rebuild, lateral audit, telemetry burn-in.

Required · CISA hardening-guidance lead

CISA’s hardening-guidance authority corroborates that the carrier’s declared work product matches the operation CISA AA25-239A required — including the simultaneous-eviction discipline.1

Required · Federal IR liaison

CISA’s Cyber Hunt and Incident Response Teams (or NSA Cybersecurity Collaboration Center, scope-dependent) signs the burn-in telemetry review — 90-day window with no re-pivot indicators.

Conditional · Vendor TAC engineer of record

For estates where ROMMON validation was required, the Cisco TAC engineer who ran the ROMMON-level inspection signs that the affected devices were either reflashed to a verified-clean image or physically replaced.

Conditional · FBI / FCC LI supervisor

For estates where lawful-intercept infrastructure was in scope, the FBI and FCC liaisons sign the LI rebuild and recertification under their statutory authority.

Conditional · State fusion-center lead

For Army National Guard or state-government estates where fusion-center integration was a downstream-exposure risk per the June 2025 DHS memo,8 the fusion-center cybersecurity lead signs the data-exposure assessment.

None of these signers is Trenchwork. Closure isn’t something a research vendor declares; it is something the operating institutions document under their own institutional authority, against criteria the validator artifact gives them auditable evidence for.
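The closure assertion described in the six criteria and the signer table above is a single conjunction with two temporal conditions (the rotation log is dated after the cut window; the 90-day burn-in has elapsed clean) and a scope-dependent signer set. The following is an added example in Python of that decision over a validator report; it is not Closure's own code, and the report field names, signer identifiers, scope flags and sample dates are assumptions constructed for the example.

```python
"""Closure decision over a validator report (added example).

Not Closure's own code. The report field names, signer identifiers and
scope flags are assumptions for the example; the sample report and its
dates are constructed.
"""
from datetime import datetime, timedelta, timezone

REQUIRED_SIGNERS = {"carrier-psirt", "cisa-hardening-lead", "federal-ir-liaison"}
# Conditional signers, keyed by the scope flag that makes each one required.
CONDITIONAL_SIGNERS = {
    "rommon_validation": "vendor-tac",
    "lawful_intercept": "fbi-fcc-li",
    "fusion_center": "state-fusion-center",
}
# Every scope flag must be declared in or out; omission is not exclusion.
SCOPE_FLAGS = ("ss7_diameter", "lawful_intercept", "rommon_validation", "fusion_center")
BURN_IN = timedelta(days=90)

CUT_END = datetime(2026, 8, 15, 7, 0, tzinfo=timezone.utc)
SAMPLE_REPORT = {  # constructed
    "c1_persistence_findings": [],
    "c2_image_mismatches": 0,
    "c3_unresolved_variants": 0,
    "cut_window_end": CUT_END,
    "rotation_log_signed_at": CUT_END + timedelta(hours=2),
    "rotation_log_signer": "carrier-x-identity-lead",
    "burn_in_alerts": [],
    "scope": {"ss7_diameter": False, "lawful_intercept": False,
              "rommon_validation": True, "fusion_center": False},
    "c6_signaling_rebuilt": False,
    "c6_li_rebuilt": False,
    "signers": ["carrier-psirt", "cisa-hardening-lead", "federal-ir-liaison", "vendor-tac"],
}


def evaluate_closure(report, now):
    """Return (closed, reasons). Closed only when C1..C6 all hold and the
    required plus scope-triggered conditional signers are all present."""
    reasons = []
    if report["c1_persistence_findings"]:
        reasons.append("C1: persistence-kit indicators present")
    if report["c2_image_mismatches"]:
        reasons.append("C2: image hashes do not match vendor-published values")
    if report["c3_unresolved_variants"]:
        reasons.append("C3: unresolved variants in the post-eviction image set")
    cut_end = report["cut_window_end"]
    signed_at = report.get("rotation_log_signed_at")
    if signed_at is None or signed_at <= cut_end or not report.get("rotation_log_signer"):
        reasons.append("C4: rotation log missing, unsigned, or not dated after the cut window")
    if report["burn_in_alerts"]:
        reasons.append("C5: re-pivot indicators during burn-in")
    elif now < cut_end + BURN_IN:
        reasons.append("C5: 90-day burn-in not yet elapsed")
    scope = report["scope"]
    for flag in SCOPE_FLAGS:
        if flag not in scope:
            reasons.append(f"C6: {flag} neither declared in scope nor declared out")
    if scope.get("ss7_diameter") and not report.get("c6_signaling_rebuilt"):
        reasons.append("C6: SS7/Diameter screening not in place")
    if scope.get("lawful_intercept") and not report.get("c6_li_rebuilt"):
        reasons.append("C6: LI mediation rebuild incomplete")
    signers = set(report["signers"])
    for flag, signer in CONDITIONAL_SIGNERS.items():
        if scope.get(flag) and signer not in signers:
            reasons.append(f"signer: {signer} required because {flag} is in scope")
    missing = REQUIRED_SIGNERS - signers
    if missing:
        reasons.append(f"signer: required signers missing {sorted(missing)}")
    return (not reasons, reasons)


def sample_decision(days_after_cut, **overrides):
    """Evaluate the sample report as of N days after the cut window."""
    report = dict(SAMPLE_REPORT, **overrides)
    return evaluate_closure(report, CUT_END + timedelta(days=days_after_cut))


if __name__ == "__main__":
    print("day 1:", sample_decision(1))
    print("day 91:", sample_decision(91))
```

Two properties of the decision are worth noting: the same report that is not closed on day 1 after the cut becomes closed on day 90 with no other change, which is the "closure is granted at the end of the burn-in" rule in C5; and a scope flag that is simply missing from the artifact blocks closure, which is what rules out scope-by-omission.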

Failure modes the definition rules out

A definition of closure that lets the December-2024 dispute happen again is not a useful definition. These are the patterns the criteria above are calibrated to refuse.

Failure mode 1 · “We found and removed the GRE tunnel.”

Single-indicator remediation. Criterion C1 requires zero indicators across the full Talos persistence-kit inventory, not just the one that was caught. Finding one GRE tunnel doesn’t demonstrate absence of sshd_operns, Guest Shell, AAA-server-IP swaps, or any of the other indicators that travel together in the documented kit.

Failure mode 2 · “We reflashed the device.”

Per-device cleaning without simultaneous-cut discipline. CISA AA25-239A states explicitly that partial response actions may alert the actors to an ongoing investigation and jeopardize the ability to conduct full eviction.1 Closure requires the cut-window evidence, not the per-device evidence in isolation.

Failure mode 3 · “The vulnerability that got them in is patched.”

Vector-patching without credential rotation. Per Talos, the primary initial-access vector across investigated incidents was stolen credentials, not CVEs.5 Patching the CVE doesn’t rotate the credential. Criterion C4 requires the full credential-rotation log, signed.

Failure mode 4 · “We don’t see them anymore.”

Visibility-as-evidence. Salt Typhoon’s persistence kit explicitly includes log clearing and Guest Shell-hidden processes that don’t surface in standard auditing commands.5 “We don’t see them” is consistent with both successful eviction and successful evasion. Criterion C5 requires the positive-evidence 90-day burn-in with full NetFlow / append-only syslog / config-drift diffing, not the absence of an alert.

Failure mode 5 · “Containment” vs “eviction” vs “purged.”

Vocabulary substitution. The carriers’ December-2024 statements use these three terms in ways that do not map onto each other. Closure is a single binary — the conjunction of C1 through C6 holds, signed by the required signers, evidenced by the validator artifact — or it doesn’t hold. The public-statement vocabulary is allowed to keep its variety; the closure assertion has one form.

Failure mode 6 · “The signaling layer is somebody else’s problem.”

Scope-by-omission. Closure can be partial-scope — e.g., excluding SS7/Diameter if the operation is IP-layer only — but the omission must be declared in the artifact. Criterion C6 is conditional; if SS7 / Diameter is excluded, the artifact says so and the carrier signs that the LI / signaling planes are explicitly out of scope for this closure claim.

How Closure composes with the other two products

Fulcrum produces the variant inventory for a chosen target. Bulwark produces the continuous variant feed across the whole vendor surface. Both leave their output at the coordinated-disclosure terminal — PSIRT, HackerOne, CERT/CC — where it becomes patches that ship to the carrier. Closure takes the carrier’s estate after those patches and after a Salt-Typhoon-class compromise, plans the synchronized cut that CISA AA25-239A requires, and validates the post-eviction state with a Bulwark-flavored variant-hunt against the new images. The three together are the full upstream-to-handoff chain that Milestone (3) of the open-letter contract is structured to pay on.

References

  1. CISA, NSA, FBI, and international partners. Joint Cybersecurity Advisory AA25-239A. August 27, 2025. cisa.gov/news-events/cybersecurity-advisories/aa25-239a. Source for the simultaneous-eviction discipline and the “partial response alerts the actor” constraint.
  2. CyberScoop. U.S. government says Salt Typhoon is still in telecom networks. December 3, 2024. cyberscoop.com/u-s-government-says-salt-typhoon-is-still-in-telecom-networks. Source for the Jeff Greene quotes.
  3. CyberScoop. A house full of open windows: Why telecoms may never purge their networks of Salt Typhoon. cyberscoop.com/salt-typhoon-chinese-hackers-us-telecom-breach. Source for the carriers’ “purged/contained” statements and the official counter-assessment.
  4. U.S. Senate Committee on Commerce, Science, and Transportation. Statements on AT&T / Verizon failure to provide remediation documentation; Cantwell statement on the November 2025 FCC rollback. commerce.senate.gov — Cantwell on FCC rollback.
  5. Cisco Talos. Weathering the storm: In the midst of a Typhoon. February 2025. blog.talosintelligence.com/salt-typhoon-analysis/. Primary source for the persistence-kit inventory and the credentials-as-primary-vector finding.
  6. MITRE ATT&CK. Pre-OS Boot: ROMMONkit, Sub-technique T1542.004. attack.mitre.org/techniques/T1542/004/.
  7. Cisco. IOS XE Software Hardening Guide. sec.cloudapps.cisco.com/security/center/resources/IOS_XE_hardening.
  8. Department of Homeland Security · Office of Intelligence and Analysis. Salt Typhoon: Data Theft Likely Signals Expanded Targeting. Memo dated June 11, 2025. Source for the fusion-center / state-cybersecurity-partner downstream-exposure risk. See Salt Typhoon Research for the National Guard case study.