CONCEPT Cited by 1 source

Assume-compromise posture

Assume-compromise posture is the security-team discipline of, on any critical vulnerability disclosure, starting from the assumption that compromise has already occurred and working systematically to either confirm or rule out exploitation — before, during, and after public disclosure of the bug. Canonical wiki articulation from the 2026-05-07 Copy Fail response post: "Our security team operates on a simple principle for critical vulnerabilities: assume compromise until you can prove otherwise. The investigation started from the assumption that exploitation could have occurred before the vulnerability was public, and we worked systematically to either confirm or rule it out."

Mechanism

Five parallel investigative pillars, executed on every critical vulnerability (not reserved for exceptional cases):

1. Retroactive kernel / application log search for the exploit's distinctive signature. Cloudflare's window for Copy Fail: 48 hours back across fleet-wide centralised logging. The signature doesn't need to be CVE-specific — behavioural detection (concepts/behavioral-detection-vulnerability-agnostic) provides vulnerability-agnostic coverage.
2. Access log reconstruction for potentially-affected systems — who connected, when, what commands they ran. Gives a complete forensic picture of interactive activity (distinct from automated exploit traffic).
3. Binary integrity validation. Cryptographic hashes of system binaries compared against known-good package manifests. For page-cache-poisoning exploits (Copy Fail) the on-disk hashes remain clean because the exploit taints only the in-memory page cache — so this check is complementary, not a substitute, for behavioural detection.
4. Persistence-mechanism audit. Look for common post-exploitation persistence (cron jobs, systemd units, shell profile modifications, loaded kernel modules, etc.).
5. Network-connection audit. Unusual egress, lateral- movement indicators, unexpected inbound connections.

All five pillars must come back clean before "no compromise" is asserted. Any single pillar raising a signal triggers a full incident-response escalation.

Load-bearing framings

• The framing is precautionary, not accusatory. The team operates as if exploitation has already occurred regardless of the specific CVE's public status; the goal is to generate evidence strong enough to rule it out.
• Pre-disclosure exploitation is the concern. Copy Fail's 48-hour retroactive window explicitly covers the period before public disclosure — the assumption being that well-resourced adversaries may have known about the vulnerability before Xint Code's 2026-04-29 publication.
• Standard procedure, not exceptional. "This is our standard procedure for any critical vulnerability." (verbatim) The posture is a baseline, not a high-stakes escalation.
• Clean result is signal, not fatigue. Cloudflare's 2026-05-07 conclusion — "Everything was clean" — is a concrete attestation based on five independent investigative pillars, not a default assertion.

Preconditions

For this posture to actually work:

• Fleet-wide centralised logging that retains kernel-level events for at least the retroactive- search window (48 hours minimum, weeks preferable).
• Behavioural detection already deployed, so vulnerability-agnostic coverage exists before disclosure.
• Known-good binary manifests — package checksums available for comparison against running systems.
• Documented normal access patterns — baseline against which access-log anomalies can be scored.
• Operational headcount — five-pillar investigation across a large fleet within hours requires dedicated security engineers on call.

When it breaks down

• Silent exploits. Exploits that leave no kernel-log signature and produce no behavioural-chain anomaly are invisible to this posture; the pillars assume the attacker produces some forensic trace.
• Short log retention. If logs have rotated out before investigation, the retroactive search has no substrate.
• Missing baselines. Without a "normal looks like this" reference, anomalies don't surface.
• Stealth persistence. Post-exploitation persistence that avoids known mechanisms (cron, systemd, shell profiles) evades pillar 4; specific adversaries deliberately evade common-persistence checks.

Contrast with adjacent postures

Posture	Default assumption	Investigation cost
Patch-and-forget	Compromise didn't occur because we patched	Low
Incident-response-if-alerted	Compromise didn't occur unless alert fires	Low-medium
Assume-compromise	Compromise occurred; must prove otherwise	High but bounded per CVE
Full continuous adversary simulation	Compromise is ongoing	Very high

Seen in

• 2026-05-07 — Cloudflare Copy Fail response. Canonical wiki first-class page for the posture. Five-pillar investigation executed within hours of 2026-04-29 disclosure: 48-hour kernel-log search, access-log reconstruction, binary-integrity hash validation, persistence-mechanism audit, network-connection audit. Result: "Everything was clean." (Source: sources/2026-05-07-cloudflare-copy-fail-linux-vulnerability-response)

Related

• patterns/fleet-wide-retroactive-threat-hunt
• concepts/behavioral-detection-vulnerability-agnostic
• concepts/copy-fail-cve-2026-31431
• companies/cloudflare