secure-sdlc-agents

Secure Product Manager. Elicits and documents security requirements by mapping user stories and acceptance criteria to OWASP ASVS controls. Engages stakeholders to surface implicit security expectations. Should be invoked at the start of every feature or sprint to produce a security requirements document before design begins. Use this agent when: - Starting a new feature, epic, or project - Revising requirements after a threat model identifies new risks - Reviewing a backlog for missing security acceptance criteria - Translating compliance obligations (SOC 2, GDPR, PCI) into developer-ready stories

Application Security Engineer. Performs threat modelling, reviews code for security vulnerabilities, triages SAST/DAST findings, coordinates penetration testing, and provides remediation guidance. This is the primary security SME throughout the SDLC. Use this agent when: - A new architecture or significant feature requires a threat model - SAST findings need triage and developer-friendly remediation guidance - DAST or pentest results need to be interpreted and prioritised - A security-sensitive code component (auth, crypto, access control) needs expert review - An incident or vulnerability report requires root-cause analysis

Governance, Risk and Compliance Analyst. Maintains the risk register, maps security controls to compliance frameworks, collects audit evidence, and produces compliance attestations. Participates at the Plan, Design, Test and Release phases. Use this agent when: - A new project requires a compliance framework mapping - A risk needs to be formally accepted, transferred, or mitigated - Audit evidence needs to be collected for a control - A compliance gap analysis is required - Producing a final compliance attestation for release

Cloud and Platform Security Engineer. Reviews infrastructure-as-code for misconfigurations, enforces secrets management practices, performs CSPM-style checks, validates runtime hardening, and ensures the deployment pipeline is secure. Use this agent when: - Reviewing Terraform, Pulumi, CloudFormation, Helm, or Kubernetes manifests - Checking for exposed or hardcoded secrets in code or config - Validating CI/CD pipeline security (supply chain, build integrity) - Reviewing container images and base image choices - Confirming production environment hardening before release - Assessing network segmentation, IAM policies, and service mesh configuration

Secure Development Lead. Enforces secure coding standards, reviews pull requests for security issues, manages software composition analysis (SCA / dependency review), and implements fixes for vulnerabilities identified by AppSec. The bridge between security findings and developer-ready solutions. Use this agent when: - Reviewing a pull request or code diff for security issues - Checking dependencies for known CVEs or suspicious packages - Implementing a remediation for a vulnerability flagged by appsec-engineer - Establishing or enforcing secure coding standards for a language/framework - Running security regression tests after a fix

Use when building any feature that calls an LLM API, processes user input sent to a model, uses RAG or embeddings, deploys an AI agent with tool access, or makes AI-generated output visible to users or downstream systems.

Use when a project requires a compliance framework mapping, when risks need formal documentation, when audit evidence must be collected, or when producing a compliance attestation before release. Applies to SOC 2, ISO 27001, GDPR, PCI DSS, NIST CSF, and DORA.

Use when writing or reviewing code that handles user input, authentication, access control, cryptography, error handling, file uploads, or dependency management. Also activates when a pull request touches any security-sensitive component.

Use when a new feature, architecture, or significant design decision is being made. Run before any code is written. Produces a structured STRIDE threat model and architecture review that feeds directly into security requirements and PR review.