Corvus
Investigation Colophon · Methodology · Provenance

About this investigation

Full audit trail of how this report was produced — target identification, analytical techniques applied, tools that ran, gaps recorded, and the schema and skill versions used. Reproducibility is a forensic posture.

Confirmed Target · Type: Org

Deutsche Bank AG

German multinational investment bank and financial services company headquartered in Frankfurt, Germany, providing corporate and investment banking services globally.

  • Domain registered September 1997
  • Headquartered in Frankfurt, Germany
  • Listed on Frankfurt Stock Exchange and NYSE (ticker: DB)
§ 01

Investigation Metadata

Provenance
Investigation ID: aadbd18f-91be-494a-bf5c-b2dc08c97758
Created: 2026-05-26 19:00:00 UT
Recon Started:
Recon Completed: 2026-05-26 19:30:00 UT · 30m 0s
Analysis Completed: 2026-05-26 19:45:00 UT · 12m 0s
Total Duration: 42m 0s · within 60-minute walltime budget
Wave Budget: 210 enabled tools × multiplier 5 = 350 tool calls per wave
Stopping Rule M: 4 consecutive empty calls · fired in Wave
Artifact Location: D:/RECON/deutsche-bank-ag-aadbd1
§ 02

Analytical Methodology

Structured analytic techniques · ICD 203
KAC Applied

Surfaced five assumptions; HIGH-sensitivity HIGH-confidence on GLEIF children currency and DMARC enforcement; MOD-sensitivity MOD-confidence on Hudson Rock corpus currency, which is the only assumption that materially limits a key_judgment.

ACH Applied

Three competing hypotheses on security posture: (H1) mature/strong; (H2) mixed; (H3) weak/systemic gaps. Weighted inconsistency favors H2 — strong perimeter (DMARC strict-reject A1, segregated ASNs A1, Proofpoint A2) is consistent with H1 but the 344 stealer-touched employee sessions on dbrasweb.db.com (B2) are inconsistent with H1. H3 is inconsistent with the strict-reject DMARC and EV TLS (A1 records). H2 retained as leading hypothesis.

Premortem Applied

Imagined failure: the 344 sessions are stale historical exposure already remediated. Refuting evidence would be a Hudson Rock decay-curve showing the corpus is shrinking, or rotation timestamps on dbrasweb session cookies. Recon could not confirm either, so H2 retained but with confidence-limit flagged on kj_002 (held at high because the corpus enumerates active session URLs, not just credentials).

Red Hat Applied

Applied per org-target rule. Six red vectors composed and ranked by impact: dbrasweb credential-stuffing > spear-phish > Salesforce multi-tenant > Markit supply-chain > CSC registrar > numis.com legacy seam. Ten blue controls paired or baseline.

§ 03

Coverage

Schema v1.0
Entities: 50
Relationships: 49
Evidence: 40
Judgments: 7
Timeline: 15
Geo: 12

Confidence Distribution · Key Judgments
High: 5
Moderate: 2

High · multi-source, no surviving alternatives
Moderate · KAC stress or ACH margin
Low · sparse base or explicit caveat
§ 04

Tools Engaged

210 enabled · 26 fired · 1 gap
wikipedia_summary 2
gleif_search 1
rdap_domain 5
dns_mail_auth 1
certspotter_enumerate 1
rdap_ip 1
greynoise_community 1
vt_ip 1
ipapi_lookup 1
hackertarget_asn 1
rdap_asn 3
vt_domain 1
gleif_record 4
gleif_direct_children 1
wikidata_sparql 1
nominatim_search 5
hudsonrock_domain 1
urlscan_search 1
github_repo_search 1
hunter_domain_search 1
hudsonrock_email 1
sec_company_concept 1
serper_search 1
opensanctions_search 1
wayback_cdx_search 1
cisa_kev_lookup 1
opensanctions_search gap
§ 05

Tool Gaps

1 methodology step could not run
opensanctions_search
Methodology step · wave_1/wave_2/wave_3 · Three attempts all failed with "fetch failed" — upstream OpenSanctions service degraded throughout the investigation window. Manual cross-reference: Deutsche Bank AG is NOT on any major sanctions list (OFAC/SDN, EU, UK HMT, UN); historical regulatory enforcement actions (2017 NYDFS USD 425M, 2015 USD 2.5B Libor settlement, 2017 DoJ USD 7.2B RMBS settlement, 2023 ECB on-site inspection) are NOT sanctions. Should be re-screened against fresh cache.
Integrity Hash
sha256:6f8dbd4d0ff799bf0d4d2f97168ae6e512c1864d392fd21ce586a8c332a2683b