-
-
Notifications
You must be signed in to change notification settings - Fork 0
First Assessment
Hermes Agent edited this page Jul 11, 2026
·
1 revision
This page is explanatory. The canonical install and profile contract live in
INSTALL.mdanddocs/profile-setup.md.
Before your first assessment, confirm:
- MiniCISO bootstrap completed successfully;
- offline validation passes;
- the relevant provider/model is configured if you want an online smoke test;
- you have the minimum evidence for the engagement you want to run.
Start by deciding whether you need:
- threat modeling;
- architecture review;
- code review;
- AppSec assessment;
- compliance/control mapping;
- recon-assisted surface prioritization;
- authorized offensive validation;
- external finding validation or follow-up.
High-quality inputs usually include:
- objective and success criteria;
- scope boundaries;
- repo path, diff, docs, screenshots, or logs;
- known restrictions;
- whether QA is required before final delivery.
A strong first request is specific about objective, scope, artifacts, and desired output.
Example pattern:
Review this repository for authorization weaknesses. Here is the path, the target surface, the known constraints, and the output I want.
Depending on the task, MiniCISO may:
- ask for missing evidence;
- delegate to a specialized SME;
- separate findings from observations and hypotheses;
- block overconfident conclusions pending QA or validation.
MiniCISO outputs should help you distinguish:
- finding: supported claim with enough evidence;
- observation: useful issue or condition without full security impact closure;
- hypothesis: candidate path that still needs validation;
- missing evidence: the exact gap blocking a stronger conclusion.
Run:
./scripts/validate-repo.sh
./scripts/smoke-test.shOptional online validation:
./scripts/smoke-test.sh --online