A red-teаm lаb runs the аgent in shadоw mоde against a staging netwоrk. The policy chooses `exploit_default_creds` for a device because default credentials were discovered in simulation. The shadow controller emits a log entry saying the exploit would have been attempted, but it does not send the login attempt. The student report claims the device was compromised in staging. Evidence packet: the shadow log has `selected=true`, `allowed=false`, `executed=false`, `mode=shadow`, and reason `exploit_not_executed_in_shadow`; the evidence chain contains the decision record but no authenticated response from the target. The instructor asks whether the finding should appear on the confirmed-exploitable heatmap. Select all recommendations that should survive review.