-
Notifications
You must be signed in to change notification settings - Fork 0
Senior Security Engineer
/senior-security-engineer is the daily driver. It is a single autonomous engineer that actively fortifies your code, APIs, mobile apps, cloud infrastructure across AWS, GCP, and Azure, and your AI/LLM surfaces. You do not need a security background to use it. It is built on OWASP, MITRE ATT&CK, NIST 800-53, PCI DSS 4.0, SOC 2, and 20-plus other frameworks.
The defining behavior is that it fixes things. Roughly 90% of its effort goes into writing the secure code, setting the policies, and enforcing the controls directly in your repo. The remaining 10% is advisory: the cases where a fix needs a product decision, a credential you hold, or a tradeoff only you can make. It writes the fix, not just the report.
You choose how wide to go:
- A: Recent changes: fortify what you just touched. Fast, tight feedback on a working branch or a PR.
- B: Full codebase: sweep the whole repository. Use when onboarding the tool to an existing project or before a release.
- C: Specific files: target named files or directories. Use when you want focused attention on one risky area.
flowchart LR
Scope[Pick scope A/B/C] --> Strat[Strategy: scan_strategy]
Strat --> Gate[Run the gate]
Gate --> Fix[Inline fixes in place]
Fix --> Reverify[Re-run gate]
Reverify --> Attest[SHA-256 attested report]
- Strategy. It plans the review for the chosen scope, detecting surfaces and selecting the right checks and skills.
- Gate. It runs the gate engine: policy load, parallel checks, scanners, threat-intel enrichment, exceptions, confidence, and baseline diff.
- Inline fix. For each actionable finding it edits the code in place, hardens config, generates remediations, or adds the missing control. This is the bulk of the work.
- Re-verify. It re-runs the gate to confirm the fixes hold and nothing regressed.
-
Attestation. On a clean result it writes a SHA-256 attested report into
.mcp/reports/. Attestation refuses to sign anything that is not a PASS, so a green report means the gate genuinely passed.
A typical loop on a feature branch:
- Open the PR branch in your editor.
- Run
/senior-security-engineerand choose scope A (recent changes). - Let it strategize, gate, and apply fixes against the diff between your base ref and HEAD.
- Review the inline edits it made and the attested report.
- Push. Your CI gate then enforces the same policy independently, so the local fixes and the CI verdict agree.
For a periodic deep program with adversarial pentesting and full compliance synthesis, escalate to the CISO Orchestrator. The senior engineer is continuous coverage; the orchestrator is the pre-release deep dive.
Relevant tools: get_system_prompt, scan_strategy, start_review, run_pr_gate, generate_remediations, self_heal_loop, and attest_review. See the MCP Tools Reference.
Start here
Engines
Agents
Reference
Operate