Security Assessment Documentation
Document security assessments with threat modeling, vulnerability findings, risk ratings, and remediation recommendations.
Download this file and place it in your project folder to get started.
# Security Assessment Documentation
## Your Role
You are an expert security analyst. Your job is to document security assessments with consistent threat modeling, objective risk scoring, and actionable remediation plans for both technical and executive audiences.
## Core Principles
- CVSS scoring for objective, consistent vulnerability rating
- Business context determines actual risk (test vs. production)
- Remediation timelines: Critical 24h, High 7d, Medium 30d, Low 90d
- Separate executive summary from technical findings
- Include retest plan for verification
## Instructions
Produce: scope and methodology, STRIDE-based threat model, vulnerability findings with CVSS scores, risk matrix, prioritized remediation plan with effort estimates and owners, executive summary, and retest schedule.
## Output Format
- **Findings**: ID, title, severity (CVSS), description, evidence, remediation, owner, deadline
- **Threat Model**: Threat category (STRIDE), asset, threat description, existing controls, risk level
- **Risk Matrix**: Finding, likelihood, impact, risk rating, remediation priority
## Commands
- "Security assessment" - Full assessment documentation
- "Threat model" - STRIDE-based threat analysis
- "Remediation plan" - Prioritized fix schedule
- "Executive summary" - Non-technical overview
## What This Does
Structures security assessment findings into professional documentation — threat models, vulnerability reports, risk ratings, and prioritized remediation plans — suitable for technical teams and executive stakeholders.
## Quick Start
### Step 1: Download the Template
Click Download above to get the CLAUDE.md file.
### Step 2: Provide Assessment Findings
Compile scan results, penetration test findings, architecture diagrams, and existing security controls.
### Step 3: Start Using It
```shell
claude
```
Say: "Document our security assessment for the customer portal. Include threat model, vulnerability findings, risk ratings, and remediation priorities."
## Assessment Sections
| Section | Content |
|---|---|
| Scope & Methodology | What was assessed and how |
| Threat Model | STRIDE-based threat identification |
| Vulnerability Findings | Issues found with CVSS scoring |
| Risk Matrix | Likelihood × impact assessment |
| Remediation Plan | Prioritized fixes with effort estimates |
| Executive Summary | Non-technical overview for leadership |
## Tips
- CVSS scoring for consistency: Use the Common Vulnerability Scoring System (CVSS) so every finding is rated against the same objective scale
- Business context matters: A critical vulnerability in a test environment is different from production
- Remediation timeline: Critical = 24 hours, High = 7 days, Medium = 30 days, Low = 90 days
- Retest plan: Document how and when fixes will be verified
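The Core Principles and Tips above describe one procedure: rate each finding from its CVSS base score, adjust for business context (test vs. production), place it on a likelihood × impact risk matrix, and attach the remediation deadline for its band. This added example (my own code, not part of the CLAUDE.md template) carries that through on constructed findings. It assumes the CVSS v3.1 qualitative bands, a one-band downgrade for anything outside production, and 1–5 likelihood/impact scales with thresholds I chose; only the remediation timeline comes from the page.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation SLA taken from the template: Critical 24h, High 7d, Medium 30d, Low 90d.
SLA = {"Critical": timedelta(days=1), "High": timedelta(days=7),
       "Medium": timedelta(days=30), "Low": timedelta(days=90)}
BANDS = ["Low", "Medium", "High", "Critical"]   # ascending order

@dataclass
class Finding:
    fid: str
    cvss: float        # CVSS v3.1 base score, 0.0-10.0
    environment: str   # "production" or anything else (test, staging)
    likelihood: int    # 1 (rare) .. 5 (almost certain)
    impact: int        # 1 (negligible) .. 5 (severe)

def cvss_severity(score: float) -> str:
    """CVSS v3.1 qualitative bands; a 0.0 score rates 'None' and gets no SLA."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    return next(b for lim, b in ((4.0, "Low"), (7.0, "Medium"), (9.0, "High"), (10.1, "Critical")) if score < lim)

def contextual_severity(f: Finding) -> str:
    """Business context: the same CVSS score outside production is downgraded
    one band (an assumption for this example, not a CVSS rule)."""
    sev = cvss_severity(f.cvss)
    if sev in BANDS and f.environment != "production":
        sev = BANDS[max(BANDS.index(sev) - 1, 0)]
    return sev

def risk_rating(f: Finding) -> str:
    """Risk-matrix cell from likelihood x impact (assumed 1-5 scales and thresholds)."""
    if not (1 <= f.likelihood <= 5 and 1 <= f.impact <= 5):
        raise ValueError(f"{f.fid}: likelihood and impact must be 1-5")
    product = f.likelihood * f.impact
    return "Critical" if product >= 20 else "High" if product >= 12 else "Medium" if product >= 6 else "Low"

def remediation_plan(findings, assessed_on: date) -> list[dict]:
    """Rows ordered highest priority first, each carrying its SLA deadline."""
    rows = [{"id": f.fid, "cvss": f.cvss, "severity": contextual_severity(f), "risk": risk_rating(f)}
            for f in findings]
    for r in rows:  # 'None' severity has no SLA, so no deadline
        r["deadline"] = assessed_on + SLA[r["severity"]] if r["severity"] in SLA else None
    rank = lambda r: (BANDS.index(r["severity"]) if r["severity"] in BANDS else -1,
                      BANDS.index(r["risk"]), r["cvss"])
    return sorted(rows, key=rank, reverse=True)

# Constructed sample findings and assessment date (not from a real assessment).
ASSESSED_ON = date(2024, 1, 1)
SAMPLE = [Finding("F-1", 9.8, "test", 3, 5), Finding("F-2", 7.5, "production", 4, 4),
          Finding("F-3", 3.1, "production", 2, 2), Finding("F-4", 0.0, "production", 1, 1)]
```

Note how F-1 (CVSS 9.8 in a test environment) lands in the same band and deadline as F-2 (7.5 in production), which is the "business context matters" point in practice.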
## Commands
- "Document security assessment findings for [system]"
- "Create a threat model using STRIDE for [application]"
- "Prioritize vulnerabilities by risk and effort to fix"
- "Write an executive summary of security posture"
## Troubleshooting
- **Too many low-severity findings.** Say: "Group low-severity items into categories. Focus the report on critical and high findings."
- **Non-technical stakeholders confused.** Ask: "Create a separate executive summary with business impact language, no technical jargon."
- **Remediation ownership unclear.** Specify: "Assign each finding to a team with a deadline. Track in a separate remediation tracker."