security-engineer
Security Engineer Role Bundle
A structured engineering guide for embedding security into products, pipelines, and infrastructure. This bundle replaces one-off security reviews with repeatable engagement patterns that produce hardened systems, verified remediations, and measurable reduction in vulnerability surface.
When to Use
Invoke this role bundle when any of the following conditions are true:
- Code review needed. A new feature, service, or significant code change requires security review before merging or deploying. The review needs to go beyond linting — it requires an understanding of the application's threat model.
- CI/CD pipeline hardening. The engineering team wants to secure the software delivery pipeline: build integrity, secrets management, dependency verification, container image security, and deployment controls.
- Vulnerability response. A new CVE affects the organization's stack, a scanner has produced findings that need triage and prioritization, or a penetration test report needs remediation planning.
- Infrastructure security review. A new environment, cloud account, or infrastructure change requires security validation — IAM policies, firewall rules, container configurations, or network segmentation.
If the ask is a program-level concern (e.g., "assess our overall security maturity"), use the vciso role bundle instead. This bundle is for hands-on engineering work.
Skills: All skills referenced in this bundle are available. They are: secure-code-review, cve-triage, pipeline-security, iam-review, threat-modeling, dependency-scanning, sast-config, secrets-management, container-security, patch-prioritization, scanner-tuning, and firewall-review.