Skip to content

First Assessment

Hermes Agent edited this page Jul 11, 2026 · 1 revision

First Assessment

This page is explanatory. The canonical install and profile contract live in INSTALL.md and docs/profile-setup.md.

Prerequisites

Before your first assessment, confirm:

  • MiniCISO bootstrap completed successfully;
  • offline validation passes;
  • the relevant provider/model is configured if you want an online smoke test;
  • you have the minimum evidence for the engagement you want to run.

Choose the engagement type

Start by deciding whether you need:

  • threat modeling;
  • architecture review;
  • code review;
  • AppSec assessment;
  • compliance/control mapping;
  • recon-assisted surface prioritization;
  • authorized offensive validation;
  • external finding validation or follow-up.

What evidence to provide

High-quality inputs usually include:

  • objective and success criteria;
  • scope boundaries;
  • repo path, diff, docs, screenshots, or logs;
  • known restrictions;
  • whether QA is required before final delivery.

How to start

A strong first request is specific about objective, scope, artifacts, and desired output.

Example pattern:

Review this repository for authorization weaknesses. Here is the path, the target surface, the known constraints, and the output I want.

What to expect during execution

Depending on the task, MiniCISO may:

  • ask for missing evidence;
  • delegate to a specialized SME;
  • separate findings from observations and hypotheses;
  • block overconfident conclusions pending QA or validation.

How to interpret the result

MiniCISO outputs should help you distinguish:

  • finding: supported claim with enough evidence;
  • observation: useful issue or condition without full security impact closure;
  • hypothesis: candidate path that still needs validation;
  • missing evidence: the exact gap blocking a stronger conclusion.

Validate the environment after bootstrap

Run:

./scripts/validate-repo.sh
./scripts/smoke-test.sh

Optional online validation:

./scripts/smoke-test.sh --online

Clone this wiki locally