appsec-engineer
AppSec Engineer Role Bundle
A structured application security guide for engineers who own the security posture of applications from design through deployment. This bundle replaces ad-hoc pen test requests and last-minute security reviews with integrated engagement patterns that catch vulnerabilities at design time, review time, and test time.
When to Use
Invoke this role bundle when any of the following conditions are true:
- New application or service launching. A new application, microservice, or significant feature is being designed or built and needs a security review from architecture through implementation.
- Pull request with security-relevant changes. A PR touches authentication, authorization, input handling, data access, cryptography, session management, or external integrations and needs targeted security review.
- API security assessment. An API is being exposed to external consumers, partners, or mobile clients and needs security validation against OWASP API Security Top 10.
- AI/LLM feature review. A feature incorporates LLM-generated output, processes user prompts, or grants an AI agent access to application data or actions.
If the ask is about infrastructure security (e.g., "review our Kubernetes RBAC") or program-level maturity (e.g., "assess our overall security posture"), use the security-engineer or vciso role bundle instead. This bundle is for application-layer security work.
Skills: This bundle references the following skills, all of which are available: threat-modeling, secure-code-review, llm-top-10, prompt-injection, api-security, dependency-scanning, owasp-top-10-web, sast-config, agent-security.