A comprehensive prompt template for conducting white-box security assessments and generating production-ready security audit reports.
This prompt is designed to guide AI systems (like GPT-4, Claude, etc.) in performing thorough security audits of software projects. It transforms generic security scanning into a structured, evidence-based assessment that produces actionable security reports.
The prompt instructs an AI to:
- Perform comprehensive security analysis of codebases, infrastructure, and configurations
- Identify realistic, exploitable vulnerabilities with clear evidence and code references
- Generate production-ready `security.md` reports suitable for engineering teams, security leadership, and compliance officers
- Map findings to compliance frameworks (SOC 2, ISO 27001, PCI-DSS, GDPR, NIST CSF)
- Provide actionable remediation guidance with code examples and prioritization
- Zero false positives: Every finding must be verifiable and exploitable
- Business context: Risks mapped to actual business impact (financial, regulatory, reputation)
- Evidence-based: All findings include exact file paths, line numbers, and code snippets
- Compliance-ready: Findings mapped to control frameworks
- Prioritized: Risks ranked by CVSS 3.1 + business impact
- Provide this prompt to an AI assistant along with your project's source code
- The AI will analyze your codebase following the methodology outlined in the prompt
- Review the generated `security.md` report with detailed findings and remediation steps
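The zero-false-positive and evidence-based requirements only hold if the reviewer checks the AI's citations against the real code, so here is an added example (not part of this prompt template or its repository) of a small checker that parses findings out of a generated `security.md` and verifies each cited `path:line` and evidence snippet against the codebase. The finding layout (`### [SEVERITY] Title`, `**Location:**`, `**Evidence:**`), the `parse_findings`/`verify_finding`/`verify_report` helpers, and the sample codebase and report are all assumptions constructed for this example; the prompt itself prescribes no fixed layout.

```python
import re
# Assumed finding layout (constructed; the prompt itself does not fix one):
# "### [SEVERITY] Title", "- **Location:** `path:LINE`", "- **Evidence:** `code`"
HEAD_RE = re.compile(r"### \[[A-Z]+\] (?P<title>.+)")
LOC_RE = re.compile(r"\*\*Location:\*\* `(?P<path>[^:`]+):(?P<line>\d+)`")
EVIDENCE_RE = re.compile(r"\*\*Evidence:\*\* `(?P<code>[^`]+)`")

def parse_findings(report_md: str) -> list:
    findings = []
    for chunk in re.split(r"(?m)^(?=### )", report_md):
        head = HEAD_RE.match(chunk)
        if not head:
            continue  # preamble or a non-finding section
        loc, ev = LOC_RE.search(chunk), EVIDENCE_RE.search(chunk)
        findings.append({"title": head["title"].strip(),
                         "path": loc["path"] if loc else None,
                         "line": int(loc["line"]) if loc else None,
                         "evidence": ev["code"] if ev else None})
    return findings

def verify_finding(f: dict, codebase: dict) -> str:
    # Check the citation against the real source; anything but "verified" needs a human look.
    if f["path"] is None or f["evidence"] is None:
        return "missing-evidence"   # violates the evidence-based requirement
    if f["path"] not in codebase:
        return "file-not-found"     # cited file does not exist
    lines = codebase[f["path"]].splitlines()
    if not 1 <= f["line"] <= len(lines):
        return "line-out-of-range"  # line number beyond end of file
    if f["evidence"].strip() not in lines[f["line"] - 1]:
        return "snippet-mismatch"   # quoted code is not on that line
    return "verified"

def verify_report(report_md: str, codebase: dict) -> dict:
    return {f["title"]: verify_finding(f, codebase) for f in parse_findings(report_md)}

# Constructed mini-codebase (db.py really uses a parameterised query) and constructed report
# with one genuine finding, one hallucinated snippet and one phantom file.
SAMPLE_CODEBASE = {
    "app/config.py": 'DEBUG = True\nSECRET_KEY = "dev-secret"\n',
    "app/db.py": 'def get_user(cur, uid):\n    cur.execute("SELECT * FROM users WHERE id = %s", (uid,))\n',
}
SAMPLE_REPORT = """### [HIGH] Hardcoded application secret
- **Location:** `app/config.py:2`
- **Evidence:** `SECRET_KEY = "dev-secret"`
### [CRITICAL] SQL injection in user lookup
- **Location:** `app/db.py:2`
- **Evidence:** `cur.execute("SELECT * FROM users WHERE id = " + uid)`
### [MEDIUM] Weak TLS configuration
- **Location:** `app/tls.py:10`
- **Evidence:** `ssl_version=ssl.PROTOCOL_TLSv1`
"""
```

Running `verify_report(SAMPLE_REPORT, SAMPLE_CODEBASE)` flags the SQL injection finding as a snippet mismatch and the TLS finding as citing a file that does not exist, which is exactly the kind of hallucinated evidence a reviewer must strike before the report goes to auditors.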
The generated reports are designed for:
- Engineering Teams: Actionable remediation with code examples
- Security Leadership: Risk prioritization and strategic recommendations
- Compliance Officers: Control mapping to regulatory frameworks
- External Auditors: Evidence-based findings with clear traceability
- Product Management: Security vs. feature trade-offs
- OWASP Top 10 (2021) and API Security Top 10 (2023)
- Business logic vulnerabilities
- Authorization boundary violations
- Architectural weaknesses
- Supply chain risks
- Configuration drift
- Cloud-native security
- Container security
- CI/CD pipeline security
The prompt enforces:
- Precision over verbosity: Every sentence must add value
- Contextual relevance: No generic recommendations without evidence
- Architectural insight: Root cause analysis, not just symptoms
- Evidence-based findings: Concrete code references required
- Business context: Technical findings mapped to business impact
This prompt is provided as-is for use in security assessments and audit processes.