Corvus
Insights

Analytical Assessment

Key judgments, estimative language, competing hypotheses, collection gaps, and forward indicators for Deutsche Bank AG. All confidence assignments follow ODNI ICD 203; ICD estimative language is italicised throughout.

Total Judgments: 7
High Confidence: 5
Moderate Confidence: 2
Low Confidence: 0
Techniques Applied: KAC · ACH · Premortem · Red Hat
§ 01

Estimative Language Spectrum

ODNI ICD 203 · probability of being true
almost certainly >95%
very likely >80%
likely 55–80%
probably ~55%
possibly 20–55%
unlikely <20%
remote <5%
[Spectrum chart: markers KJ-01 through KJ-07 are positioned by ICD estimative language, not by raw confidence tier; legend: High / Moderate / Low]
§ 02

Key Judgments — Analytical Register

7 judgments · full reasoning + alternatives
KJ-01 · High Confidence · very likely (>80%)

Deliberately segregated enterprise network footprint

Statement · including alternatives considered

Deutsche Bank AG very likely operates a mature, deliberately segregated enterprise network footprint, evidenced by three distinct DB-owned ASNs (AS8373 EU, AS15769 London, AS2824 NA), Proofpoint-fronted DMARC strict-reject, and EV-certificated apex TLS; the alternative explanation — incidental network sprawl — is inconsistent with the consistent dns.admin@db.com POC and Reiner Schaefer admin attribution across all three RIRs.

Analytical reasoning

Three DB-owned ASNs (AS8373 EU/RIPE, AS15769 London/RIPE, AS2824 NA/ARIN) all share a single technical-contact pattern (dns.admin@db.com + Reiner Schaefer, ent_037) which is very likely intentional geographic separation rather than accidental sprawl. DMARC enforces p=reject; sp=reject; adkim=s via Proofpoint (ent_050), and the apex TLS cert is DigiCert EV with full O=DEUTSCHE BANK AG subject — collectively a posture inconsistent with the "incidental sprawl" hypothesis.

KJ-02 · High Confidence · very likely (>80%)

344 employee sessions infostealer-compromised; Citrix VPN is the hottest endpoint

Statement · including alternatives considered

Employee credential exposure via infostealer is very likely an active, current attack surface for Deutsche Bank: the Hudson Rock Cavalier corpus enumerates 344 distinct DB-employee sessions — with the heaviest concentration on the dbrasweb.db.com Citrix RAS / Pulse Secure SSL VPN portal — even though individual MD-level checks (robert.pettinato@db.com) returned negative. Confidence is high because the load-bearing source (Hudson Rock B2) directly enumerates session counts per endpoint URL.

Analytical reasoning

Hudson Rock Cavalier enumerates 344 distinct DB-employee infostealer sessions among 4,771 total db.com-touching sessions (ent_034). The top-five exposed URLs are all DanaInfo-Citrix-RASweb endpoints behind dbrasweb.db.com (ent_021), with 81 sessions on ua.intranet.db.com/Citrix/RASweb alone. Even though individual MD-level lookups returned clean (ev_035, ent_042), the corpus-level signal is very likely a current operational risk — not a one-off historical artifact — because the captured paths are first-hop authentication URLs that only resolve from active stealer telemetry.

KJ-03 · High Confidence · very likely (>80%)

Email security strong; DNSSEC absent

Statement · including alternatives considered

Deutsche Bank's email-security posture is very likely strong by industry baseline (DMARC strict-reject + DKIM s-alignment + Proofpoint-fronted reporting), but the absence of DNSSEC on db.com and the SPF reliance on a single /16 ip4 mechanism without TLS-RPT leave residual hardening gaps; the alternative ("DMARC is misconfigured and unenforced") is inconsistent with the verbatim DNS-mail-auth excerpt.

Analytical reasoning

DMARC for db.com is very likely a hardened deployment: p=reject; sp=reject; adkim=s; fo=1; ri=3600 with Proofpoint-fronted rua/ruf reporting. SPF authorizes only ip4:160.83.0.0/16 ~all. The defensive gap is structural rather than operational: db.com RDAP reports delegationSigned=false — DNSSEC is not enabled, and no TLS-RPT or BIMI records were surfaced.
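The posture described above can be checked mechanically. The following Python grader is an added example (not Corvus code) that parses DMARC, SPF and TLS-RPT TXT records supplied by the caller and reports the same hardening gaps KJ-03 lists: soft SPF terminator, a broad /16 sending range, missing TLS-RPT and an unsigned zone. The sample records are constructed inline from the values quoted in this judgment; the rua address and the `dnssec_signed` flag are assumptions passed in by the caller, and nothing is queried from live DNS.

```python
"""Grade a domain's mail-auth posture from its DNS TXT records (added example).

Records are passed in by the caller; the samples below are constructed from the
DMARC and SPF values quoted in KJ-03. No live DNS lookups are performed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Posture:
    findings: list = field(default_factory=list)    # residual hardening gaps
    strengths: list = field(default_factory=list)   # controls found enforced


def parse_tags(record: str) -> dict:
    """Parse a 'k=v; k=v' record (DMARC, TLS-RPT) into a dict with lowercased tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(records: dict, dnssec_signed: bool) -> Posture:
    """records maps owner name ('@', '_dmarc', '_smtp._tls') to its TXT record."""
    posture = Posture()

    # DMARC: policy, subdomain policy, DKIM alignment, aggregate reporting
    dmarc = parse_tags(records.get("_dmarc", ""))
    if dmarc.get("v") != "DMARC1":
        posture.findings.append("DMARC: no record")
    else:
        if dmarc.get("p") == "reject":
            posture.strengths.append("DMARC: p=reject")
        else:
            posture.findings.append(f"DMARC: policy is {dmarc.get('p', 'none')} (not reject)")
        if dmarc.get("sp", dmarc.get("p")) != "reject":   # sp defaults to p
            posture.findings.append("DMARC: subdomain policy weaker than reject")
        if dmarc.get("adkim", "r") != "s":                 # alignment defaults to relaxed
            posture.findings.append("DMARC: relaxed DKIM alignment")
        if "rua" not in dmarc:
            posture.findings.append("DMARC: no aggregate reporting address")

    # SPF: terminator strength and breadth of authorized networks
    spf = records.get("@", "")
    if not spf.startswith("v=spf1"):
        posture.findings.append("SPF: no record")
    else:
        terms = spf.split()[1:]
        all_term = next((t for t in terms if t.endswith("all")), "?all")
        if all_term != "-all":
            posture.findings.append(f"SPF: soft/neutral terminator {all_term}")
        for term in terms:
            if term.startswith(("ip4:", "ip6:")):
                net = ipaddress.ip_network(term.split(":", 1)[1], strict=False)
                if net.prefixlen <= 16:
                    posture.findings.append(f"SPF: broad network {net} authorized to send")

    # TLS-RPT: reporting for SMTP TLS failures
    if parse_tags(records.get("_smtp._tls", "")).get("v") != "TLSRPTv1":
        posture.findings.append("TLS-RPT: no record")

    # DNSSEC: delegation signing status is supplied by the caller (e.g. from RDAP)
    if not dnssec_signed:
        posture.findings.append("DNSSEC: zone not signed")
    return posture


# Constructed sample, modeled on the records quoted in KJ-03; rua address is a placeholder.
SAMPLE_RECORDS = {
    "_dmarc": "v=DMARC1; p=reject; sp=reject; adkim=s; fo=1; ri=3600; rua=mailto:dmarc@example.test",
    "@": "v=spf1 ip4:160.83.0.0/16 ~all",
    # no "_smtp._tls" entry: TLS-RPT absent
}

if __name__ == "__main__":
    result = assess(SAMPLE_RECORDS, dnssec_signed=False)
    print("strengths:", *result.strengths, sep="\n  ")
    print("findings:", *result.findings, sep="\n  ")
```

Run against the sample the grader reports one strength (p=reject) and four findings; swapping in a `-all` terminator, a /24 sending range, a TLS-RPT record and a signed zone clears all of them.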

KJ-04 · High Confidence · almost certainly (>95%)

326 direct LEI children; corporate structure A1-corroborated

Statement · including alternatives considered

The 326 direct LEI children GLEIF lists under 7LTWFZYICNSX8D621K86 almost certainly reflect the current consolidated corporate structure: DWS Group, norisbank, Deutsche Bank Europe GmbH, Deutsche Bank Trust Company Americas, and Deutsche Cayman Ltd. (LEI lapsed 2024-01-15) are all corroborated by independent registry sources (HRB filings, Wikidata, SEC EDGAR mailing addresses).

Analytical reasoning

GLEIF's 326-child enumeration (US 91, DE 66, GB 27, LU 25, KY 17) is almost certainly the current authoritative structure: every spot-checked subsidiary (DWS Group ent_007, norisbank ent_008, Deutsche Bank Europe ent_009, Trust Company Americas ent_010, Deutsche Cayman Ltd. ent_014) has a separate primary-registry corroboration (HRB filing, Wikidata, SEC EDGAR mailing address, or Cayman company register). The competing hypothesis — that the LEI children list is stale — fails the spot-check at every node.

KJ-05 · High Confidence · very likely (>80%)

dbrasweb.db.com Citrix portal is the highest-value attack surface

Statement · including alternatives considered

The dbrasweb.db.com Citrix RAS / Pulse Secure SSL VPN portal is very likely the highest-impact attack surface in the report: it concentrates remote-access authentication for regional offices (KCH, DSJ site codes), it is publicly reachable, and it is the modal endpoint in the Hudson Rock employee-session corpus; the alternative — that login.isso.db.com (Autobahn SSO) is hotter — is inconsistent with the absence of login.isso.db.com from the top-five infostealer-touched URLs.

Analytical reasoning

Of the recon-surfaced authentication endpoints (login.isso.db.com Autobahn SSO, identity.db.com Keycloak, dbrasweb.db.com Citrix RAS, scfportal.db.com Salesforce), only dbrasweb.db.com shows direct infostealer overlap. It is very likely the highest-impact remote-access target an adversary would prioritize, both because of pre-existing credential capture and because successful authentication lands inside ua.intranet.db.com with internal Citrix session access.

KJ-06 · Moderate Confidence · likely (55–80%)

Dense SaaS dependency cluster — Salesforce, Atlassian, Markit, Frontify

Statement · including alternatives considered

Deutsche Bank's SaaS surface is likely a meaningful supply-chain dependency cluster: 16+ Salesforce org IDs, plus Atlassian, Adobe IdP, Pexip, Docker, Frontify (brand.db.com), and Markit On Demand (research.db.com hosted off-net) collectively shift partial attack surface to vendors; confidence is moderate because vendor security posture is not directly observable from passive recon.

Analytical reasoning

TXT-record enumeration surfaces a likely dense SaaS footprint: 16+ Salesforce org IDs, Atlassian, Adobe IdP, Pexip, Docker. URLScan corroborates that research.db.com is hosted on Markit On Demand (AS7334) and brand.db.com on Frontify (AWS eu-central-1). Confidence is held to moderate because the count of Salesforce org IDs implies multiple business units have provisioned independent tenants — each with its own trust posture that recon cannot observe.

KJ-07 · Moderate Confidence · likely (55–80%)

Deutsche Cayman Ltd. LEI lapsed — compliance/reputation pressure point

Statement · including alternatives considered

The Deutsche Cayman Ltd. LEI lapse on 2024-01-15 is likely an indicator of compliance/transparency drift on a wind-down vehicle rather than active obfuscation; confidence is moderate because GLEIF lapse status alone does not distinguish between deliberate non-renewal, vendor failure, or wind-down progression.

Analytical reasoning

Deutsche Cayman Ltd. (ent_014, Cayman company 64883, registered at Intertrust Corporate Services since 1996) is likely in active wind-down: legal status is ACTIVE but LEI 529900PLMCWKG4WW7813 lapsed 2024-01-15 and was not renewed. This generates a small but real reputational/compliance pressure point given regulator focus on offshore-vehicle transparency — even though the entity remains legally valid.

§ 03

ACH — Competing Hypotheses

Analysis of Competing Hypotheses · leading hypothesis retained
ACH Analysis Note

Three competing hypotheses on security posture: (H1) mature/strong; (H2) mixed; (H3) weak/systemic gaps. Weighted inconsistency favors H2 — strong perimeter (DMARC strict-reject A1, segregated ASNs A1, Proofpoint A2) is consistent with H1 but the 344 stealer-touched employee sessions on dbrasweb.db.com (B2) are inconsistent with H1. H3 is inconsistent with the strict-reject DMARC and EV TLS (A1 records). H2 retained as leading hypothesis.

Full hypothesis register and diagnostic evidence matrix will be surfaced here in schema v1.1 when analysis.hypotheses[] is promoted to a first-class structured field. Currently embedded in key judgment statements above.
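The weighted-inconsistency scoring the ACH note summarizes can be made explicit. The Python below is an added example, not the analyze skill's scoring logic: it reconstructs the evidence matrix from the note above (H1 mature, H2 mixed, H3 weak), weights each item by its Admiralty source grade, and sums the weights of the evidence inconsistent with each hypothesis, so the hypothesis with the lowest score leads. The grade-to-weight mapping, the consistency ratings, and the extra LEI-structure row (included to show non-diagnostic evidence) are this example's assumptions.

```python
"""Weighted Analysis of Competing Hypotheses (ACH) scoring (added example).

Hypotheses: H1 mature/strong posture, H2 mixed, H3 weak/systemic gaps.
Weighting by Admiralty grade and the C/I/N ratings are assumptions of this example.
"""

# Admiralty code: reliability letter A-E, credibility digit 1-5 (assumed weights).
RELIABILITY = {"A": 1.0, "B": 0.8, "C": 0.6, "D": 0.4, "E": 0.2}
CREDIBILITY = {"1": 1.0, "2": 0.8, "3": 0.6, "4": 0.4, "5": 0.2}

HYPOTHESES = ("H1", "H2", "H3")

# (evidence label, source grade, rating per hypothesis): C consistent, I inconsistent, N neutral.
# Ratings follow the ACH note; the last row is an added non-diagnostic item.
EVIDENCE = [
    ("DMARC strict-reject", "A1", {"H1": "C", "H2": "C", "H3": "I"}),
    ("Segregated DB-owned ASNs", "A1", {"H1": "C", "H2": "C", "H3": "I"}),
    ("Proofpoint-fronted reporting", "A2", {"H1": "C", "H2": "C", "H3": "I"}),
    ("EV TLS on apex", "A1", {"H1": "C", "H2": "C", "H3": "I"}),
    ("344 stealer-touched employee sessions", "B2", {"H1": "I", "H2": "C", "H3": "C"}),
    ("326 LEI children corroborated", "A1", {"H1": "C", "H2": "C", "H3": "C"}),
]


def weight(grade: str) -> float:
    """Map an Admiralty grade such as 'B2' to a weight in (0, 1]."""
    return RELIABILITY[grade[0].upper()] * CREDIBILITY[grade[1]]


def inconsistency_scores(evidence=EVIDENCE, hypotheses=HYPOTHESES) -> dict:
    """Sum the weights of evidence rated inconsistent with each hypothesis."""
    scores = {h: 0.0 for h in hypotheses}
    for _, grade, ratings in evidence:
        w = weight(grade)
        for h in hypotheses:
            if ratings.get(h) == "I":
                scores[h] += w
    return scores


def leading_hypothesis(scores: dict) -> str:
    """ACH retains the hypothesis with the LEAST inconsistent evidence, not the most support."""
    return min(scores, key=scores.get)


def diagnostic_evidence(evidence=EVIDENCE, hypotheses=HYPOTHESES) -> list:
    """Evidence rated the same under every hypothesis cannot discriminate between them."""
    return [label for label, _, r in evidence if len({r.get(h, "N") for h in hypotheses}) > 1]


if __name__ == "__main__":
    scores = inconsistency_scores()
    for h, s in scores.items():
        print(f"{h}: weighted inconsistency {s:.2f}")
    print("leading:", leading_hypothesis(scores))
    print("diagnostic items:", len(diagnostic_evidence()), "of", len(EVIDENCE))
```

With these ratings H2 carries no inconsistent evidence, H1 carries only the B2 stealer corpus, and H3 is contradicted by every A-grade perimeter record, which reproduces the note's retention of H2; the LEI row drops out as non-diagnostic.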

§ 04

Key Assumptions Check

Assumptions whose failure would invalidate judgments
KAC Analysis Note

Five assumptions were surfaced. GLEIF child-list currency and DMARC enforcement are high-sensitivity, high-confidence; Hudson Rock corpus currency is moderate-sensitivity, moderate-confidence and is the only assumption that materially limits a key judgment.

§ 05

Premortem — Failure Modes

Scenarios in which the leading assessment is wrong
Premortem Analysis Note

Imagined failure: the 344 sessions are stale historical exposure that has already been remediated. Refuting evidence would be a Hudson Rock decay curve showing the corpus is shrinking, or rotation timestamps on dbrasweb session cookies. Recon could not confirm either, so H2 is retained but with a confidence limit flagged on KJ-02 (held at high because the corpus enumerates active session URLs, not just credentials).

§ 06

Collection Gaps & Priorities

1 tool gap · confidence ceilings affected
Gap: opensanctions_search

Collection gaps are structural limitations that create confidence ceilings on specific key judgments. See key judgment bodies above for gap callouts. Structural gaps — those requiring active engagement, legal process, or privileged access rather than additional tooling — will persist regardless of tool expansion.

Future schema versions (analysis.collection_priorities[]) will surface a ranked collection priority list directly from the analyze skill, enabling operators to queue follow-on tasking from this view.

§ 07

Indicators to Watch

Forward-looking · hypothesis confirmation / falsification

Forward indicators pending schema promotion

Indicators to watch — the specific observable events or data points that would confirm or falsify each key judgment's leading hypothesis — are currently embedded as prose within judgment statements and premortem failure modes above. In schema v1.1, the analyze skill will emit a structured analysis.indicators_to_watch[] array that this section will render as a proper watchlist, linkable to specific judgments and refreshable per-investigation.

Operators should review key judgment statements (§ 02) and the premortem note (§ 05) directly for current forward indicators.