Security Assessment Documentation
Document security assessments with threat modeling, vulnerability findings, risk ratings, and remediation recommendations.
Your last pentest report is 6 months old and lists 47 findings — but nobody knows which ones are fixed, which ones matter, and what the actual risk posture looks like. Security assessments without structured documentation, risk ratings, and tracked remediation plans create a dangerous illusion of security.
**Who it's for:** security engineers documenting penetration test results and vulnerability assessments, CISOs preparing security posture reports for the board, compliance teams documenting security controls for SOC 2 or ISO 27001 audits, IT managers conducting internal security reviews, and risk managers assessing cybersecurity exposure.
## Example
"Document our annual security assessment findings" → Complete security report: threat model with attack surface diagram, 35 vulnerability findings with CVSS risk ratings, remediation recommendations prioritized by risk and effort, executive summary with risk posture scorecard, and a 90-day remediation tracking plan with owners
New here? Start with the 3-minute setup guide. Already set up? Copy the template below.
```markdown
# Security Assessment Documentation
## Your Role
You are an expert security analyst. Your job is to document security assessments with consistent threat modeling, objective risk scoring, and actionable remediation plans for both technical and executive audiences.
## Core Principles
- CVSS scoring for objective, consistent vulnerability rating
- Business context determines actual risk (test vs. production)
- Remediation timelines: Critical 24h, High 7d, Medium 30d, Low 90d
- Separate executive summary from technical findings
- Include retest plan for verification
## Instructions
Produce: scope and methodology, STRIDE-based threat model, vulnerability findings with CVSS scores, risk matrix, prioritized remediation plan with effort estimates and owners, executive summary, and retest schedule.
## Output Format
- **Findings**: ID, title, severity (CVSS), description, evidence, remediation, owner, deadline
- **Threat Model**: Threat category (STRIDE), asset, threat description, existing controls, risk level
- **Risk Matrix**: Finding, likelihood, impact, risk rating, remediation priority
## Commands
- "Security assessment" - Full assessment documentation
- "Threat model" - STRIDE-based threat analysis
- "Remediation plan" - Prioritized fix schedule
- "Executive summary" - Non-technical overview
```
## What This Does
Structures security assessment findings into professional documentation — threat models, vulnerability reports, risk ratings, and prioritized remediation plans — suitable for technical teams and executive stakeholders.
## Quick Start
### Step 1: Download the Template
Click Download above to get the CLAUDE.md file.
### Step 2: Provide Assessment Findings
Compile scan results, penetration test findings, architecture diagrams, and existing security controls.
### Step 3: Start Using It
Launch `claude`, then say: "Document our security assessment for the customer portal. Include threat model, vulnerability findings, risk ratings, and remediation priorities."
## Assessment Sections
| Section | Content |
|---|---|
| Scope & Methodology | What was assessed and how |
| Threat Model | STRIDE-based threat identification |
| Vulnerability Findings | Issues found with CVSS scoring |
| Risk Matrix | Likelihood × impact assessment |
| Remediation Plan | Prioritized fixes with effort estimates |
| Executive Summary | Non-technical overview for leadership |
## Tips
- CVSS scoring for consistency: Use the Common Vulnerability Scoring System (CVSS) for objective risk rating
- Business context matters: A critical vulnerability in a test environment is different from production
- Remediation timeline: Critical = 24 hours, High = 7 days, Medium = 30 days, Low = 90 days
- Retest plan: Document how and when fixes will be verified
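The Core Principles in the template and the tips above describe a rating and scheduling procedure without showing it applied. The following Python tracker is an added example, not part of the template or the page: it maps CVSS v3.x base scores to their qualitative bands, applies the template's remediation SLAs (Critical 24h, High 7d, Medium 30d, Low 90d), and orders open findings by risk and then effort. The one-band downgrade for non-production findings and the per-finding effort estimate are assumptions for illustration, not rules the page states.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Remediation SLAs from the template: Critical 24h, High 7d, Medium 30d, Low 90d.
SLA_DAYS = {"Critical": 1, "High": 7, "Medium": 30, "Low": 90}
RANK = ["None", "Low", "Medium", "High", "Critical"]  # ascending severity

def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity band."""
    assert 0.0 <= score <= 10.0, f"CVSS score out of range: {score}"
    for limit, band in ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High")):
        if score <= limit:
            return band
    return "Critical"

@dataclass
class Finding:
    fid: str
    cvss: float
    environment: str   # "production" or "test"
    effort_days: int   # assumed effort estimate from the remediation plan
    reported: date
    fixed: bool = False

def contextual_severity(f: Finding) -> str:
    """Business context: a non-production finding drops one band (assumed rule)."""
    base = cvss_severity(f.cvss)
    if f.environment != "production" and base != "None":
        return RANK[RANK.index(base) - 1]
    return base

def remediation_tracker(findings, today: date):
    """Open findings ordered by severity (desc) then effort (asc), with SLA status."""
    rows = []
    for f in (x for x in findings if not x.fixed):
        sev = contextual_severity(f)
        due = f.reported + timedelta(days=SLA_DAYS[sev]) if sev != "None" else None
        status = "n/a" if due is None else ("overdue" if today > due else "open")
        rows.append({"id": f.fid, "severity": sev, "effort_days": f.effort_days,
                     "deadline": due, "status": status})
    rows.sort(key=lambda r: (-RANK.index(r["severity"]), r["effort_days"]))
    return rows

# Constructed sample findings (not from any real assessment), all reported 2024-05-01.
SAMPLE = [
    Finding("F-01", 9.8, "production", 3, date(2024, 5, 1)),
    Finding("F-02", 7.4, "test", 1, date(2024, 5, 1)),
    Finding("F-03", 5.3, "production", 1, date(2024, 5, 1), fixed=True),
    Finding("F-04", 7.5, "production", 5, date(2024, 5, 1)),
    Finding("F-05", 5.0, "production", 2, date(2024, 5, 1)),
]
```

Calling `remediation_tracker(SAMPLE, today)` with a report date nine days after intake lists the Critical and production High findings as overdue and drops the fixed item, which is the "what is fixed and what matters" view the opening paragraph says most reports lack.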
## Commands
- "Document security assessment findings for [system]"
- "Create a threat model using STRIDE for [application]"
- "Prioritize vulnerabilities by risk and effort to fix"
- "Write an executive summary of security posture"
## Troubleshooting
- **Too many low-severity findings.** Say: "Group low-severity items into categories. Focus the report on critical and high findings."
- **Non-technical stakeholders confused.** Ask: "Create a separate executive summary with business impact language, no technical jargon."
- **Remediation ownership unclear.** Specify: "Assign each finding to a team with a deadline. Track in a separate remediation tracker."