Eviction · scope & guarantees

What Fulcrum and Bulwark do about Salt Typhoon — and what they don’t.

An honest scope page. The proposed Fulcrum and Bulwark agents pre-empt the next variant before it gets weaponized. They do not strip a resident attacker off a tier-1 carrier’s edge router. This page walks the five-layer eviction stack from the Salt Typhoon thesis, marks for each layer what Fulcrum/Bulwark cover and what they don’t, and separates what the design structurally guarantees from what it can only make more likely.

The honest answer in three lines

Eviction of a resident Salt Typhoon attacker is not reliably guaranteed by Fulcrum, by Bulwark, by Cisco, by the FBI, or by the targeted carriers themselves.

Fulcrum and Bulwark are upstream tools. They reduce the inflow of new initial-access vectors and persistence variants by running the offensive-research workflow defensively, continuously, and at machine speed. That is layer L1, and partially L2, of the five-layer stack below.

Layers L3 (credentials), L4 (visibility), and L5 (reinfection) require work outside Fulcrum and Bulwark’s scope — credential rotation at carrier scale, EDR/telemetry depth at the firmware layer, and post-eviction monitoring that only the carrier and the federal government can broker together. Milestone (3) of the open-letter contract exists precisely because no single technical vendor can supply that piece.

The five-layer eviction stack, revisited

Same decomposition as the home-page thesis: Salt Typhoon’s residency is not one bug; it is five interlocking layers. For each, what Fulcrum/Bulwark cover — and what they don’t.

L1 · The entry vector: N-days on edge devices

Publicly disclosed CVEs on Cisco IOS XE / IOS / NX-OS, Ivanti, Palo Alto, Fortinet, Citrix NetScaler — every CVE in the joint advisory’s inventory was patched before being weaponized at scale.[1]

What Fulcrum / Bulwark do

Run the seven-step variant-research pipeline (acquire → diff → search → fuzz → triage → PoC → coordinated disclosure) continuously against the vendor surface. Find the next variant of CVE-2018-0171 / CVE-2023-20198 before Salt Typhoon does, disclose it through PSIRT / HackerOne / CERT/CC. By design, the disclosure terminal is the only way a Bulwark run terminates — broker channels are structurally invalid in the rulebook schema.

What they do NOT do

Force a vendor to ship a patch on a specific timeline. Force a carrier to deploy the patch on a specific timeline. Discover novel zero-days outside the variant-class of an already-disclosed bug. The pipeline still depends on vendor PSIRT throughput and carrier patch cadence, both of which sit outside the agent loop.

L2 · Post-access persistence that survives patching: GRE, alternate-port sshd, Guest Shell, ROMMON

Once Salt Typhoon is on a device it stays on the device via the Talos-documented playbook: GRE tunnels mirroring traffic out at the packet layer, sshd_operns on port 57722, Guest Shell container abuse, AAA / TACACS+ IP swaps, SNMP community rotation, log clearing. The ROMMONkit class (MITRE T1542.004) takes this further — firmware-level persistence at the boot loader that “may be difficult to detect” and cannot be validated clean by defenders without vendor support.[2][3]

What Fulcrum / Bulwark do

Partial coverage at the research end of the layer: variant-hunt across IOS XE Guest Shell entry points, fuzz the Web Services Management Agent surface that gets abused for the persistence chain, surface ROMMON-update flows that would shorten the next persistence class’s shelf life. The output is published advisories, not in-place remediation.

What they do NOT do

Run on a victim device. Detect a Guest Shell container hiding tooling on a router in production. Strip a GRE tunnel from running-config. Verify a ROMMON image is unmodified — per MITRE’s own writeup and Cisco’s factory-reset documentation, defenders cannot independently validate ROMMON cleanliness without vendor support. Removal is a per-device operation owned by the carrier’s ops org.

L3 · The credential layer: ~100,000 stolen admin credentials

Anne Neuberger’s White House briefing put the credential-surface compromise at roughly 100,000 router admin accounts across the affected carriers.[4] Cisco Talos’s IR account is explicit that legitimate-credential reuse was the primary initial-access vector, not exploits.[2] Patching a CVE does not rotate a stolen credential.

What Fulcrum / Bulwark do

Nothing in this layer. Fulcrum and Bulwark are not identity / IAM tools. They do not see TACACS+ servers, AAA logs, or credential rotation schedules.

What they do NOT do

Rotate admin credentials. Audit TACACS+ for unauthorized accounts. Detect the AAA-server-IP swap Talos enumerated as part of the persistence kit. Credential rotation at carrier scale across acquired legacy networks is a multi-year program of its own and lives entirely outside the agent loop — this is carrier ops, federal authority, and (where the legacy systems can’t be modernized) physical replacement.

L4 · The visibility layer: logs erased, EDR absent at the firmware layer

Salt Typhoon erased logs on its way out per the December 2024 CISA/FBI/NSA joint advisory; telecoms weren’t keeping adequate logs in the first place; network devices rarely run EDR; firmware implants live below the layer most security tooling can see.[1] You cannot evict what you cannot detect, and you cannot detect what your tools can’t reach.

What Fulcrum / Bulwark do

Append-only Firestore audit log of every agent run. That is a structural property of the design (specified in the rulebook + EVRP contracts in source). It guarantees the research workflow is fully auditable end-to-end; it does not guarantee anything about the carrier’s telemetry stack.

What they do NOT do

Provide telemetry on a deployed device. Recover logs Salt Typhoon already cleared (.bash_history, auth.log, lastlog, wtmp, btmp). Run EDR on a router. Audit a GRE tunnel that’s already mirroring traffic. The visibility gap is a carrier-side architecture problem, not a research-tool problem; CISA’s December 2024 hardening guidance is the operational document for this layer, not Fulcrum or Bulwark.

L5 · The reinfection layer: compromised backups, lateral re-pivot, config drift

Patched devices restored from compromised backups. One surviving foothold re-pivoting to freshly cleaned neighbors. Config drift returning vulnerable images during maintenance windows. The attacker only needs to win once per cycle; the defender needs to win on every device, every cycle, forever. Censys reports over 200,000 public exposures of common edge-device families[5] — the surface is wider than the carrier fleet alone.

What Fulcrum / Bulwark do

By running continuously and unattended, Bulwark shrinks the inflow side: each variant disclosed and patched is one less re-pivot path for a surviving foothold. Coordinated-disclosure terminal pinned in code means findings exit through PSIRT/H1/CERT, not brokers.

What they do NOT do

Validate that a backup is uncompromised. Detect lateral re-pivot from a surviving foothold to a freshly cleaned neighbor. Touch the SS7/Diameter legacy layers cited by recent telecom reporting as “years and billions to replace.”[5] Post-eviction monitoring is a carrier-and-CISA operation, not an agent-loop output.

What is reliably guaranteed — and what isn’t

Three buckets. The first is deterministic, baked into the rulebook schema. The second is probabilistic, dependent on how well a given fuzz campaign covers a given binary. The third is out of scope entirely.

Claim / Kind / Why

Claim: Every finding exits through PSIRT / HackerOne / CERT/CC or a 90-day public advisory — never through a broker.
Kind: deterministic
Why: The DisclosureTerminal enum in src/contracts/evrp.schema.json structurally enumerates the allowed terminals. Broker channels are schema-invalid, caught at load time by the hardening tests — not a policy a runtime can ignore.

Claim: Every agent run is append-only audit-logged in Firestore.
Kind: deterministic
Why: Audit-log write is a precondition of run execution per the rulebook contract. A run with no audit row is structurally a no-run.

Claim: Allowlist gating — only authorized accounts launch Fulcrum/Bulwark profiles.
Kind: deterministic
Why: Profile gating is enforced in code and verified by hardening tests. The default coding profile does not load Fulcrum or Bulwark tools even if a configured MCP server tries to surface them.

Claim: The pipeline finds the next variant of an already-disclosed bug class before it is weaponized.
Kind: probabilistic
Why: Depends on fuzz coverage of the affected sinks, patch-diff completeness against the vendor image set, and the lead time between vendor disclosure and adversary weaponization. Improves with corpus size; never reaches 100%.

Claim: Vendor PSIRT ships a fix on a useful timeline for findings disclosed by the agent.
Kind: probabilistic
Why: Outside the agent loop. Bulwark can drive the disclosure terminal; it cannot drive vendor engineering velocity. Track record varies by vendor.

Claim: Carriers deploy the patch before the next adversary weaponizes the same class.
Kind: probabilistic
Why: Salt Typhoon weaponized CVE-2023-20198 fourteen months post-patch — the patching-lag layer is at the carrier, not at the research tool.[6]

Claim: A resident Salt Typhoon attacker is removed from a given carrier’s production network.
Kind: out of scope
Why: Requires per-device touch by the carrier’s ops org: clean-image reflash, factory reset (with the caveat that ROMMON cleanliness can’t be defender-validated without vendor support), full credential rotation, lateral-movement audit, post-eviction monitoring. None of these are agent-loop outputs.

Claim: Stolen credentials are rotated at carrier scale.
Kind: out of scope
Why: Identity / AAA / TACACS+ operational work. Carrier and federal authority. The ~100,000 admin-credential surface Neuberger described is a multi-year program in its own right.[4]

Claim: ROMMON / firmware implants are confirmed removed end-to-end.
Kind: out of scope
Why: Per MITRE T1542.004 and Cisco’s own factory-reset documentation, defenders cannot independently validate ROMMON cleanliness without vendor support; factory-reset all secure on IOS XE 17.18.1a+ clears SPI NOR FLASH and ROMMON variables, but the validation gap remains.[3]

Claim: SS7 / Diameter / legacy protocol-layer footholds are removed.
Kind: out of scope
Why: Protocol-architecture problem, not an N-day problem. Public reporting puts replacement at “years and billions of dollars.”[5]

The pattern across the table: everything the design structurally guarantees lives in the rulebook — disclosure terminal, audit log, allowlist gating. Everything that depends on the world outside the agent loop — vendor velocity, carrier patch cadence, ops-team eviction — is probabilistic or out of scope. That distinction is what the milestone-based contract in the open letter exists to formalize.
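As an added example (not Trenchwork’s code; the schema fragment, allowlist and audit sink are constructed stand-ins, not src/contracts/evrp.schema.json or the Firestore writer), this Python sketch shows what the three deterministic properties look like when enforced at load time rather than by policy: an out-of-enum terminal never parses into a run, an unlisted account never launches a gated profile, and a run whose audit row cannot be written does not start.

```python
import json

# Constructed schema fragment standing in for the DisclosureTerminal enum:
# the only terminals a run record may carry.  Anything else is not a policy
# violation to be handled later; it is schema-invalid and never becomes a run.
EVRP_SCHEMA = {
    "required": ["run_id", "profile", "account", "disclosure_terminal"],
    "disclosure_terminal": ["PSIRT", "HackerOne", "CERT/CC", "PUBLIC_ADVISORY_90D"],
}

# Constructed allowlist: which accounts may launch each gated profile.
PROFILE_ALLOWLIST = {"fulcrum": {"alice"}, "bulwark": {"alice", "bob"}}


class RulebookViolation(Exception):
    """Raised at load time; a violating record never reaches execution."""


def load_run_record(raw: str) -> dict:
    """Parse a run record and validate it against the schema before anything
    else happens.  A broker terminal fails here, not at some later check."""
    record = json.loads(raw)
    for key in EVRP_SCHEMA["required"]:
        if key not in record:
            raise RulebookViolation(f"missing required field: {key}")
    terminal = record["disclosure_terminal"]
    if terminal not in EVRP_SCHEMA["disclosure_terminal"]:
        raise RulebookViolation(f"schema-invalid disclosure terminal: {terminal!r}")
    return record


def execute_run(raw: str, audit_sink) -> str:
    """Allowlist-gate the profile, then append the audit row BEFORE any
    research step runs.  audit_sink stands in for the append-only store; if
    its append raises, the error propagates and no work happens, which is
    the 'no audit row means no run' property."""
    record = load_run_record(raw)
    if record["account"] not in PROFILE_ALLOWLIST.get(record["profile"], set()):
        raise RulebookViolation(
            f"account {record['account']!r} may not launch {record['profile']!r}")
    audit_sink.append({"run_id": record["run_id"], "event": "run_started"})
    # Only now does the (stubbed) research work begin.
    return f"{record['profile']} run {record['run_id']} -> {record['disclosure_terminal']}"


if __name__ == "__main__":
    ok = '{"run_id": "r1", "profile": "bulwark", "account": "bob", "disclosure_terminal": "PSIRT"}'
    log = []
    print(execute_run(ok, log), log)
    try:
        execute_run(ok.replace("PSIRT", "broker-xyz"), log)
    except RulebookViolation as err:
        print("rejected at load time:", err)
```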

What the public record says about whether anyone can evict

The honest baseline: no public source has confirmed eviction of Salt Typhoon from a tier-1 U.S. carrier at time of writing, and several officials have explicitly said the timeline is unknowable.

The CISA / FBI position (December 2024)

“I think it would be impossible for us to predict a time frame on when we’ll have full eviction.” — Jeff Greene, Executive Assistant Director for Cybersecurity, CISA, December 3, 2024 press briefing.[7]

At the same briefing, CISA and an unnamed FBI official confirmed Salt Typhoon was still active in U.S. telecom networks. Greene’s framing: “Each victim is unique. These are not cookie-cutter compromises in terms of how deeply compromised the victim might be.”[7]

The carrier position vs. the government position

AT&T, Verizon, and Lumen publicly stated they had “purged” or “contained” the breach.[5] Per CyberScoop reporting, U.S. officials “continue to insist that Salt Typhoon remains active in U.S. networks,” and the carrier statements “contain legalese, measuring one point in time.”[5] When Senate Commerce demanded documentation of remediation from the AT&T and Verizon CEOs, neither company provided it.[8]

The regulatory position (November 2025 rollback)

The FCC’s post-incident Communications-Service-Provider Cybersecurity Reporting Requirements — the only enforceable federal rule put in place after Salt Typhoon — were partially rolled back in November 2025 under FCC Chair Brendan Carr.[8] The FCC’s own draft ruling conceded the underlying vulnerabilities “are still being exploited.”[5]

The reading: when CISA, the FBI, the affected carriers, and the FCC cannot collectively close on a timeline or a verification standard for eviction, no single research vendor — Trenchwork included — can responsibly claim to do so unilaterally. That is the honest baseline this page exists to establish.

How this connects to the milestone-based reward

The three-milestone restructure in the open letter is calibrated against exactly this scope reality:

Milestone (1) — continuous patch-diff coverage of the Salt Typhoon vendor surface. Bulwark delivers this if built: continuous Ghidra-headless patch-diff across Cisco IOS XE 16.x / 17.x, IOS Classic 12.x, NX-OS 9.x / 10.x, Smart Install. Auditable from append-only Firestore logs. Deterministic that the work happens; probabilistic that any one cycle catches the variant Salt Typhoon would have weaponized next.

Milestone (2) — coordinated disclosure of N variants in the Salt Typhoon TTP class. Bulwark delivers this: every finding exits through PSIRT / HackerOne / CERT/CC by structural property of the EVRP enum. Broker channels are schema-invalid. N set by the program officer; the proposal floor is twelve over a contract year.

Milestone (3) — confirmed eviction from at least one participating tier-1 U.S. carrier. Fulcrum and Bulwark cannot deliver this alone. Carrier participation is required, and the only entity that can credibly broker carrier participation is the federal government — CISA, FBI, the State Department Rewards for Justice program officer, the carrier’s own PSIRT. The milestone is structured to be paid on documentation: carrier PSIRT sign-off corroborated by CISA’s hardening-guidance lead, not on a self-declaration.

That is why the $10M reward is structured as $0 on missed milestones and the full reward only on documented completion of all three. Milestone (3) is not something a research vendor can promise unilaterally — the reward exists to fund the work that gets it there and to align Trenchwork with the federal authority required to verify it. Anything else would be overclaiming, and CLAUDE.md’s no-slop rule applies to this page too.

What the carrier-and-federal operation under Milestone (3) actually does, step by step — the per-device eviction sequence, the cases where physical access (truck roll to a POP, console-server reflash, or full hardware replacement) is the only option, the signaling-layer and lawful-intercept rebuilds, and the forward-looking prevention controls that stop the next Salt Typhoon — lives on the dedicated eviction runbook. The runbook is the work product the reward exists to fund.

How to read the claims on this page

Same taxonomy as the rest of the site. Inline numbered citations resolve to the References section.

Documented
Joint government advisories, MITRE ATT&CK technique writeups, vendor documentation (Cisco factory-reset, ROMMON), regulatory filings (FCC docket). Treat as facts.
Reported
Anne Neuberger’s 100,000-credential figure, Jeff Greene’s briefing quotes, Senate Commerce hearings, the carrier “purged”/“contained” statements. Treat as facts conditional on the briefer’s reliability.
Argued
Trenchwork’s own scope assertions: “Fulcrum and Bulwark cannot deliver Milestone (3) alone,” “deterministic vs. probabilistic vs. out-of-scope is the right taxonomy.” These are positions, not facts. Disagreement is invited.
Reference gaps
No public source confirms successful eviction at any tier-1 U.S. carrier; the table reflects that absence. If a verified eviction is documented after this page is written, the table needs updating — corrections invited via the errata channel on the home page.

References

  1. CISA, FBI, NSA, and international partners. Joint Cybersecurity Advisory: Enhanced Visibility and Hardening Guidance for Communications Infrastructure (December 2024) and AA25-239A (August 27, 2025). cisa.gov — AA25-239A.
  2. Cisco Talos. Weathering the storm: In the midst of a Typhoon. February 2025. blog.talosintelligence.com/salt-typhoon-analysis/. Primary source for the credential-first finding, the JumbledPath description, GRE tunnel persistence, Guest Shell abuse, alternate-port sshd, and the running-config / log-clearing inventory.
  3. MITRE ATT&CK. Pre-OS Boot: ROMMONkit, Sub-technique T1542.004. attack.mitre.org/techniques/T1542/004/. Source for the “may be difficult to detect” characterization and the defender-side validation gap.
  4. Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology. White House press briefing on Salt Typhoon scope — nine confirmed U.S. telecommunications-carrier compromises and the ~100,000-router admin credential figure. December 2024. Verify against the official briefing transcript at whitehouse.gov.
  5. CyberScoop. A house full of open windows: Why telecoms may never purge their networks of Salt Typhoon. cyberscoop.com/salt-typhoon-chinese-hackers-us-telecom-breach. Source for the Verizon/AT&T/Lumen “purged” statements and the official counter-assessment, plus the Censys 200,000-exposure figure and the SS7/Diameter legacy-replacement framing.
  6. BankInfoSecurity / Information Security Media Group. Patching Lags for Vulnerabilities Targeted by Salt Typhoon. 2025. bankinfosecurity.com/patching-lags-for-vulnerabilities-targeted-by-salt-typhoon-a-27371.
  7. CyberScoop. U.S. government says Salt Typhoon is still in telecom networks. December 3, 2024. cyberscoop.com/u-s-government-says-salt-typhoon-is-still-in-telecom-networks. Source for the Jeff Greene quotes including “impossible for us to predict a time frame on when we’ll have full eviction” and “each victim is unique … not cookie-cutter compromises.”
  8. U.S. Senate Committee on Commerce, Science, and Transportation. Cantwell statement on the FCC’s rollback of post-Salt-Typhoon network-protection rules (November 2025) and prior testimony record on AT&T / Verizon documentation gaps. commerce.senate.gov — Cantwell statement on FCC rollback.