Skip to content

Senior Security Engineer

AbrahamOO edited this page Jun 18, 2026 · 1 revision

Senior Security Engineer

/senior-security-engineer is the daily driver. It is a single autonomous engineer that actively fortifies your code, APIs, mobile apps, cloud infrastructure across AWS, GCP, and Azure, and your AI/LLM surfaces. You do not need a security background to use it. It is built on OWASP, MITRE ATT&CK, NIST 800-53, PCI DSS 4.0, SOC 2, and 20-plus other frameworks.

The mandate: 90% fix, 10% advisory

The defining behavior is that it fixes things. Roughly 90% of its effort goes into writing the secure code, setting the policies, and enforcing the controls directly in your repo. The remaining 10% is advisory: the cases where a fix needs a product decision, a credential you hold, or a tradeoff only you can make. It writes the fix, not just the report.

Scope options

You choose how wide to go:

  • A: Recent changes: fortify what you just touched. Fast, tight feedback on a working branch or a PR.
  • B: Full codebase: sweep the whole repository. Use when onboarding the tool to an existing project or before a release.
  • C: Specific files: target named files or directories. Use when you want focused attention on one risky area.

The flow

flowchart LR
  Scope[Pick scope A/B/C] --> Strat[Strategy: scan_strategy]
  Strat --> Gate[Run the gate]
  Gate --> Fix[Inline fixes in place]
  Fix --> Reverify[Re-run gate]
  Reverify --> Attest[SHA-256 attested report]
Loading
  1. Strategy. It plans the review for the chosen scope, detecting surfaces and selecting the right checks and skills.
  2. Gate. It runs the gate engine: policy load, parallel checks, scanners, threat-intel enrichment, exceptions, confidence, and baseline diff.
  3. Inline fix. For each actionable finding it edits the code in place, hardens config, generates remediations, or adds the missing control. This is the bulk of the work.
  4. Re-verify. It re-runs the gate to confirm the fixes hold and nothing regressed.
  5. Attestation. On a clean result it writes a SHA-256 attested report into .mcp/reports/. Attestation refuses to sign anything that is not a PASS, so a green report means the gate genuinely passed.

Using it on a PR

A typical loop on a feature branch:

  1. Open the PR branch in your editor.
  2. Run /senior-security-engineer and choose scope A (recent changes).
  3. Let it strategize, gate, and apply fixes against the diff between your base ref and HEAD.
  4. Review the inline edits it made and the attested report.
  5. Push. Your CI gate then enforces the same policy independently, so the local fixes and the CI verdict agree.

For a periodic deep program with adversarial pentesting and full compliance synthesis, escalate to the CISO Orchestrator. The senior engineer is continuous coverage; the orchestrator is the pre-release deep dive.

Relevant tools: get_system_prompt, scan_strategy, start_review, run_pr_gate, generate_remediations, self_heal_loop, and attest_review. See the MCP Tools Reference.

Clone this wiki locally