security-audit
Security Audit
This skill enables the agent to conduct a thorough security audit across web applications, APIs, cloud infrastructure, and backend services. The agent systematically examines authentication mechanisms, authorization controls, input validation, encryption practices, logging configurations, and deployment settings. Findings are mapped to industry frameworks such as the OWASP Top 10, CWE identifiers, and compliance standards including SOC 2 and PCI-DSS.
Workflow
-
Gather System Information — Collect details about the target environment including the technology stack, architecture diagrams, network topology, deployment model, and third-party integrations. Review configuration files, environment variables, and infrastructure-as-code templates to build a complete picture of the attack surface.
-
Define Audit Scope and Compliance Targets — Establish the boundaries of the audit by identifying which components, environments, and data flows are in scope. Map audit objectives to relevant compliance frameworks such as SOC 2 Type II, PCI-DSS, HIPAA, or internal security policies. Create a checklist derived from the OWASP Top 10 and CWE/SANS Top 25 to ensure systematic coverage.
-
Perform Automated Vulnerability Scanning — Run automated scanners against the target to identify known vulnerabilities. Use tools like OWASP ZAP for web applications, Trivy or Grype for container images, and ScoutSuite or Prowler for cloud infrastructure. Aggregate raw findings for manual review.
-
Conduct Manual Security Review — Manually inspect authentication flows, session management, role-based access controls, input sanitization routines, cryptographic implementations, error handling, and logging practices. Examine source code for hardcoded secrets, insecure deserialization, and business logic flaws that automated tools frequently miss.
-
Analyze and Classify Findings — Assess each finding for severity (Critical, High, Medium, Low, Informational) using CVSS scoring. Assign CWE identifiers and map findings to the relevant OWASP Top 10 category. Evaluate exploitability, blast radius, and business impact to produce a prioritized risk ranking.
-
Generate Audit Report with Remediation Plan — Produce a structured report containing an executive summary, detailed findings with evidence and reproduction steps, risk ratings, and specific remediation recommendations with estimated effort. Include a compliance gap analysis showing pass/fail status against the targeted framework controls.
Supported Technologies
More from seb1n/awesome-ai-agent-skills
summarization
Summarize text using extractive, abstractive, hierarchical, and multi-document techniques, producing concise outputs at configurable detail levels.
24proofreading
Proofread and correct text for grammar, spelling, punctuation, style, clarity, and consistency, with support for multiple style guides and readability analysis.
21note-taking
Capture, organize, and retrieve notes efficiently using structured formats, tagging, and file management for meetings, ideas, research, and daily logs.
20knowledge-graph-creation
Build structured knowledge graphs from unstructured text by extracting entities, mapping relationships, generating graph triples, and visualizing the result.
18data-visualization
Create clear, effective charts and dashboards from structured data using matplotlib, seaborn, and plotly.
16data-analysis
Analyze datasets to extract insights through statistical methods, trend identification, hypothesis testing, and correlation analysis.
15