security-assessment-orchestrator_skill

This skill produces a unified, NIST CSF 2.0 aligned security posture across app, cloud, and infrastructure to prioritize remediation.
  • Python

5

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill williamzujkowski/cognitive-toolworks --skill security-assessment-orchestrator

  • SKILL.md23.1 KB

Overview

This skill orchestrates comprehensive security assessments across application, cloud, container, IAM, network, OS, supply chain, and zero trust domains, aligned to NIST CSF 2.0. It produces prioritized, actionable remediation roadmaps, correlated attack paths, and a NIST CSF coverage and maturity report. Designed for pre-production reviews, compliance prep, post-incident analysis, and executive reporting.

How this skill works

The orchestrator maps the requested scope to domain-specific validator skills and invokes them at a chosen depth (quick, standard, comprehensive). It aggregates and deduplicates findings, correlates cross-domain issues into attack paths, scores risk using CVSS 4.0 plus business context modifiers, and generates a JSON report with executive summary, findings, attack paths, NIST CSF coverage, maturity assessment, and a prioritized remediation roadmap. Tiers scale from a fast critical-only scan to enterprise governance and continuous monitoring recommendations.

When to use it

  • Before production releases or major deployments for a full-stack security review
  • Preparing for compliance audits (NIST CSF 2.0, ISO 27001, SOC 2, FedRAMP)
  • After a security incident to identify root causes and chained attack paths
  • Quarterly or periodic posture reviews to measure maturity and track remediation progress
  • M&A or third-party due diligence requiring unified security metrics and coverage

Best practices

  • Provide read access and API/CLI credentials for target environments; confirm permissions before running
  • Choose depth appropriate to risk: quick-scan for triage, comprehensive for compliance or production assets
  • Supply accurate business context (internet-facing, business criticality, data sensitivity) so risk scoring uses correct multipliers
  • Use the orchestrator for cross-domain correlation; for single-domain checks, call the dedicated validator skill directly
  • Review assigned ownership and effort estimates and convert the roadmap phases into ticketed remediation work

Example use cases

  • Rapid critical-only scan before a production launch to identify top 3 urgent fixes
  • Full-stack comprehensive assessment for SOC 2 or ISO 27001 readiness with NIST CSF 2.0 mapping
  • Post-breach analysis that correlates IAM, cloud, and app findings into an attack path and remediation plan
  • Quarterly enterprise review producing board-level metrics, Cyber Risk Quantification, and continuous monitoring blueprint
  • M&A due diligence delivering a prioritized security remediation list and maturity benchmark

FAQ

Assessment scope, target environment, compliance requirement, depth level, and minimal business context (internet-facing, criticality). Read access and provider credentials are required for in-scope assets.

When will the orchestrator abort the assessment?

It will abort if required access is missing, fewer than three relevant domain skills apply, or compliance requirements are contradictory; in each case it emits an access or conflict checklist.

How are findings prioritized?

Severity-first (CVSS ≥9.0 top), then ROI within the same severity, with compliance-mapped findings and internet-facing production assets elevated per decision rules.

What outputs are produced?

A JSON report containing executive_summary, findings_by_domain, nist_csf_coverage, security_maturity_assessment, attack_paths, and a prioritized_roadmap.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
security-assessment-orchestrator skill by williamzujkowski/cognitive-toolworks | VeilStrat