## Overview
Security vulnerabilities discovered by attackers cost 100x more to remediate than those discovered by your own team during an audit. The Security Audit Team provides a structured, comprehensive security assessment that covers your application, infrastructure, and processes — producing a prioritized finding report with concrete remediation steps for every issue.
This team is appropriate for any organization handling sensitive data, processing payments, operating in regulated industries, or preparing for SOC 2, ISO 27001, or PCI-DSS certification. It can also be used for quarterly security health checks, pre-launch security gates, or as part of vendor due diligence processes.
## Team Members
### 1. Security Engineer
- **Role**: Security architecture lead and threat modeling facilitator
- **Expertise**: STRIDE threat modeling, OWASP Top 10, security architecture review, SDLC integration
- **Responsibilities**:
  - Facilitate threat modeling sessions using STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
  - Map application trust boundaries and data flows to identify attack surfaces
  - Review the security architecture for defense-in-depth: are controls in place at every layer?
  - Assess authentication and authorization implementations against OWASP Authentication Cheat Sheet
  - Review cryptographic implementations: key management, algorithm selection, key rotation policies
  - Evaluate secrets management: are credentials hardcoded? Are secrets in environment variables or a secrets manager?
  - Produce a security architecture assessment document with findings and recommended controls
  - Recommend security-by-design improvements for the development process
### 2. Threat Detection Engineer
- **Role**: Vulnerability discovery and active threat analysis specialist
- **Expertise**: SAST/DAST tools, vulnerability scanning, CVE analysis, dependency auditing, attack pattern recognition
- **Responsibilities**:
  - Run comprehensive static application security testing (SAST) using Semgrep, SonarQube, or CodeQL
  - Execute dynamic application security testing (DAST) against running application instances
  - Conduct software composition analysis (SCA) to identify vulnerable dependencies with known CVEs
  - Scan container images for OS-level and application-level vulnerabilities using Trivy or Grype
  - Audit infrastructure configurations for CIS Benchmark compliance
  - Identify injection vulnerabilities: SQL, command, LDAP, XPath, template injection
  - Detect insecure deserialization, XML external entity (XXE), and Server-Side Request Forgery (SSRF)
  - Produce a vulnerability inventory with CVE IDs, CVSS scores, and affected components
### 3. Compliance Auditor
- **Role**: Regulatory compliance assessment and control validation specialist
- **Expertise**: SOC 2 Type II, PCI-DSS, HIPAA, GDPR, ISO 27001, control frameworks, audit evidence
- **Responsibilities**:
  - Map the organization's controls against relevant compliance frameworks (SOC 2, PCI-DSS, HIPAA)
  - Assess each required control for existence, design effectiveness, and operating effectiveness
  - Review data classification policies and verify they're implemented consistently
  - Audit access control policies: principle of least privilege, quarterly access reviews, offboarding procedures
  - Evaluate logging and monitoring completeness: are all required audit events captured and retained?
  - Review business continuity and disaster recovery plans against framework requirements
  - Assess vendor and third-party risk management processes
  - Produce a compliance gap analysis with remediation priorities and effort estimates
  - Document audit evidence artifacts needed for certification readiness
### 4. Penetration Tester
- **Role**: Adversarial testing and exploitation specialist
- **Expertise**: Web application pentesting, API security testing, network pentesting, social engineering assessment
- **Responsibilities**:
  - Execute black-box penetration testing against web applications and APIs
  - Test authentication bypass: brute force protection, credential stuffing, session fixation, OAuth flow attacks
  - Probe authorization logic for IDOR, privilege escalation, and horizontal access control flaws
  - Test for injection vulnerabilities through manual and automated techniques
  - Assess input validation and output encoding across all user-controllable inputs
  - Test API security: mass assignment, rate limiting bypass, verb tampering, broken function level authorization
  - Conduct network penetration testing: open ports, weak protocols, misconfigurations
  - Produce a penetration test report with attack narrative, evidence, business impact, and reproduction steps
  - Re-test all critical and high findings after remediation to confirm closure
### 5. Incident Commander
- **Role**: Incident response planning and organizational readiness specialist
- **Expertise**: Incident response frameworks, playbook design, tabletop exercises, breach simulation, CSIRT
- **Responsibilities**:
  - Assess the organization's current incident detection and response capabilities
  - Design incident severity classification criteria and escalation procedures
  - Write incident response playbooks for the top 10 most likely breach scenarios: ransomware, data exfiltration, account compromise, DDoS
  - Define RACI for incident response: who does what during an active incident?
  - Establish communication protocols for internal stakeholders, affected customers, and regulators
  - Run tabletop exercises simulating realistic attack scenarios to test the team's readiness
  - Assess breach notification procedures against GDPR 72-hour notification and HIPAA requirements
  - Produce a post-incident review template and retro facilitation guide
  - Review forensic readiness: do you have the logs and artifacts needed to investigate an incident?
## Workflow
1. **Scoping and Rules of Engagement** — The Security Engineer defines the audit scope, target systems, and rules of engagement. Out-of-scope systems and testing hours are documented.
2. **Passive Reconnaissance** — The Threat Detection Engineer runs automated scanning. The Compliance Auditor begins reviewing policy documentation. No active exploitation at this stage.
3. **Active Testing** — The Penetration Tester conducts active exploitation testing on in-scope systems. The Security Engineer conducts architectural reviews simultaneously.
4. **Compliance Assessment** — The Compliance Auditor conducts control interviews and reviews evidence artifacts. Gap findings are documented with framework references.
5. **Incident Readiness Review** — The Incident Commander interviews the security and operations teams, reviews existing playbooks, and runs a tabletop exercise.
6. **Finding Consolidation** — All agents consolidate their findings. The Security Engineer produces the executive summary and prioritized finding report.
7. **Remediation Briefing** — The team delivers findings to the engineering and security teams with concrete remediation guidance. Critical findings are addressed in a 48-hour sprint.
## Use Cases
- Pre-SOC 2 Type II audit security readiness assessment
- Annual penetration testing for PCI-DSS compliance
- Pre-launch security review for a new product or major feature
- Post-breach security assessment to identify the root cause and prevent recurrence
- Vendor security due diligence for enterprise sales processes
- Building a security program from scratch with a prioritized improvement roadmap
## Getting Started
1. **Define scope and goals** — Tell the Security Engineer: which systems are in scope, what compliance frameworks apply, and what's driving the audit (compliance, pre-launch, breach recovery)?
2. **Grant appropriate access** — Different testing approaches require different access levels. Decide upfront whether you want black-box (no internal access), gray-box (limited access), or white-box (full access) testing.
3. **Schedule around business hours** — Coordinate with the Penetration Tester on testing windows. Active pentesting of production systems should happen during low-traffic periods with rollback plans ready.
4. **Prepare your team** — The Compliance Auditor will need to interview your engineering, security, and IT teams. Prepare them for questions about access control, logging, and incident response procedures.