We formalize multi-hop cyber-incident attribution as a chain of evidential channels (IP-to-address, address-to-AP, AP-to-device, device-to-actor), each with an empirical false-positive rate. A Bayesian aggregation rule produces a chain-end posterior; a min-threshold doctrine reduces wrong-target high-force action 49x relative to naive IP-only doctrine on N=1,000 simulated incidents. Multi-corruption sweeps (k=0..4 hops corrupted) reveal that corruption detection is the load-bearing capability: oracle defenders maintain perfect FP across all k while blind defenders degrade. Heterogeneous-hop adversary results show 92% of corruption budget concentrates at h1 (IP spoof), guiding defender investment. This paper is part of the AIACW (AI-Autonomous Cyber Weapons) Research Programme, Wave 2 (papers P10-P20). Wave 1 (P1-P9) was deposited at peer-review venues 2026-Q2 (NDSS, ACM CCS, IEEE S&P, USENIX Security, Oxford J. of Cybersecurity, ACM Computing Surveys). Wave 2 establishes the empirical interior. P19 (cross-paper integration test) and P20 (methodology meta-paper) provide programme-level validation and documentation.
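The sketch below is an added illustration, not code from the paper: it applies Bayes' rule per hop, multiplies the hop posteriors into a chain-end posterior, and compares an IP-only decision with a min-threshold decision on simulated incidents. The paper's aggregation rule and rates are not given on this page, so the per-hop priors and rates, the threshold `tau`, the independence of hops, and the reading of "min-threshold" as "the weakest hop posterior must clear `tau`" are all assumptions, and the counts it produces are not the paper's results.

```python
import random

HOPS = ["ip_to_address", "address_to_ap", "ap_to_device", "device_to_actor"]
# Constructed values (assumptions, not the paper's): per hop,
# (prior that the link is correct, true-positive rate, false-positive rate).
PARAMS = {
    "ip_to_address":   (0.70, 0.95, 0.20),
    "address_to_ap":   (0.85, 0.95, 0.05),
    "ap_to_device":    (0.85, 0.95, 0.05),
    "device_to_actor": (0.80, 0.90, 0.10),
}

def hop_posterior(prior, tpr, fpr, fired):
    """Bayes' rule for one channel: P(link correct | channel fired or not)."""
    like_true = tpr if fired else 1.0 - tpr
    like_false = fpr if fired else 1.0 - fpr
    return like_true * prior / (like_true * prior + like_false * (1.0 - prior))

def chain_posteriors(observed):
    """Per-hop posteriors and their product (hops assumed independent)."""
    posts = [hop_posterior(*PARAMS[h], observed[h]) for h in HOPS]
    end = 1.0
    for p in posts:
        end *= p
    return posts, end

def min_threshold_acts(observed, tau=0.9):
    """Authorize action only if the weakest hop posterior clears tau."""
    posts, _ = chain_posteriors(observed)
    return min(posts) >= tau

def ip_only_acts(observed, tau=0.9):
    """Naive doctrine: look at the first hop (IP evidence) alone."""
    return hop_posterior(*PARAMS[HOPS[0]], observed[HOPS[0]]) >= tau

def simulate(n=1000, seed=7):
    """Count wrong-target actions (acted while some link was false)."""
    rng = random.Random(seed)
    wrong = {"ip_only": 0, "min_threshold": 0}
    for _ in range(n):
        truth, observed = {}, {}
        for h in HOPS:
            prior, tpr, fpr = PARAMS[h]
            truth[h] = rng.random() < prior
            observed[h] = rng.random() < (tpr if truth[h] else fpr)
        wrong_target = not all(truth.values())
        wrong["ip_only"] += ip_only_acts(observed) and wrong_target
        wrong["min_threshold"] += min_threshold_acts(observed) and wrong_target
    return wrong
```

Under these assumptions the min-threshold doctrine can only act on a subset of the incidents the IP-only doctrine acts on, so its wrong-target count can never be higher.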
Hangyu Mei
Coherent (United States)
Hangyu Mei (Fri,) studied this question.
www.synapsesocial.com/papers/69f837f53ed186a73998233d — DOI: https://doi.org/10.5281/zenodo.19964115