From grimoire
Assesses network security posture to identify misconfigurations and compliance gaps before production launch or after incidents.
How this skill is triggered — by the user, by Claude, or both
Slash command
/grimoire:audit-network-security
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Systematically assess network security controls to identify misconfigurations, unauthorized access paths, and compliance gaps before attackers do.
Adopted by: PCI DSS requires quarterly external scans and annual penetration tests; SOC 2 requires periodic network security review; FedRAMP mandates continuous monitoring
Impact: Proactive audits find 3x more vulnerabilities than reactive incident investigation (Verizon DBIR 2023); average dwell time before detection is 204 days — audits compress this to zero
Why best: Network misconfigurations are the #2 cause of breaches (DBIR 2023); automated scanning cannot replace structured audit methodology that tests intent vs. implementation
Sources: NIST SP 800-115 (2008); CIS Controls v8 Control 12-13 (2021); PCI DSS v4.0 Requirement 11
1. Define audit scope — Specify IP ranges, cloud accounts, VPCs, and services in scope. Document what is explicitly out of scope and why. Obtain written authorization before scanning; unauthorized scans violate cloud provider ToS and may trigger security alerts.
2. Enumerate network topology — Collect: network diagrams, routing tables, firewall rule sets, security group configurations, NACL policies. Compare documented architecture to actual configuration — discrepancies are immediate findings.
3. Scan for open ports and services — Run nmap against in-scope hosts: nmap -sV -sC -p- --open <target>. Identify services running on non-standard ports. Flag any management services (SSH port 22, RDP 3389, database ports) exposed to the internet.
4. Review firewall and security group rules — Audit every allow rule: source, destination, port, protocol. Flag rules with source 0.0.0.0/0 (any internet) on non-80/443 ports as critical findings. Check for redundant, overly broad, and stale rules (no traffic in 90 days).
5. Test network segmentation — From each segment, attempt to reach hosts in other segments that should be unreachable. Use tools like hping3 or netcat to test specific port connectivity. Verify database subnets are unreachable from internet-facing segments.
6. Assess DNS configuration — Check for DNS zone transfer (AXFR) enabled on authoritative servers. Review DNS records for dangling CNAME entries pointing to deprovisioned cloud resources (subdomain takeover risk). Verify DNSSEC where required.
7. Review TLS/certificate posture — Use testssl.sh or sslyze to assess all HTTPS endpoints: cipher suites (flag RC4, DES, 3DES, export ciphers), TLS version (require TLS 1.2+, flag SSLv3/TLS 1.0/1.1), certificate expiry, and HSTS header presence.
8. Analyze flow logs for anomalies — Review VPC Flow Logs / NSG Flow Logs for: unexpected cross-segment traffic, connections to known-malicious IPs (threat intel feed), port scanning patterns, and data exfiltration volumes (unusually high egress). Query a 30-day window at minimum.
9. Check network device and instance configurations — Verify: logging enabled on all network devices, NTP synchronized, management plane access restricted, default credentials changed, firmware/AMI patched within 30 days of CVE release for critical findings.
10. Produce findings report — Document each finding with: severity (Critical/High/Medium/Low), affected asset, description, evidence, remediation recommendation, and remediation timeline. Prioritize by risk: internet-exposed management services are Critical regardless of other controls.
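The firewall/security-group review and the findings report steps above can be partly automated. The following added example (not code from the grimoire skill itself) triages a constructed rule set for the three findings the review step names, 0.0.0.0/0 on non-80/443 ports, internet-exposed management services, and rules with no traffic in 90 days, and emits findings with the severity, asset, description and remediation fields the report step requires; the Rule schema, port list and sample data are assumptions for illustration.

```python
# Triage firewall / security-group allow rules for the findings named in the review step:
# 0.0.0.0/0 sources on non-80/443 ports, internet-exposed management services, stale rules.
from collections import namedtuple
from datetime import date, timedelta
import ipaddress

# Constructed schema: name = "<security-group>/<rule-id>" (the affected asset); source = CIDR;
# last_hit = last day any packet matched the rule, None if never observed
Rule = namedtuple("Rule", "name source from_port to_port protocol last_hit")
Finding = namedtuple("Finding", "severity asset description remediation")

# Management and database ports the page treats as Critical when internet-exposed (list assumed)
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL"}
WEB_PORTS = {80, 443}
STALE_DAYS = 90
RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

def is_any_source(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. reachable from the whole internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def audit_rules(rules, today):
    findings = []
    for r in rules:
        ports = set(range(r.from_port, r.to_port + 1))
        mgmt = sorted(ports.intersection(MANAGEMENT_PORTS))
        if is_any_source(r.source) and mgmt:
            names = ", ".join(f"{MANAGEMENT_PORTS[p]}/{p}" for p in mgmt)
            findings.append(Finding("Critical", r.name, f"management service {names} reachable from {r.source}",
                                    "restrict the source to the bastion/VPN CIDR or remove the rule"))
        elif is_any_source(r.source) and not ports <= WEB_PORTS:
            findings.append(Finding("Critical", r.name, f"ports {r.from_port}-{r.to_port}/{r.protocol} open to {r.source}",
                                    "narrow the source CIDR or front the service with a load balancer on 80/443"))
        if r.last_hit is None or (today - r.last_hit).days > STALE_DAYS:
            # "Low" for stale rules is an assumption; the page asks to flag them but assigns no severity
            findings.append(Finding("Low", r.name, f"no matching traffic in {STALE_DAYS} days (stale rule)",
                                    "confirm with the rule owner, then delete"))
    return sorted(findings, key=lambda f: RANK[f.severity])  # Critical first; stable within a tier

TODAY = date(2024, 6, 1)  # fixed reference date so the sample run is reproducible
SAMPLE_RULES = [  # constructed sample rule set, not from any real environment
    Rule("web-sg/allow-https", "0.0.0.0/0", 443, 443, "tcp", TODAY - timedelta(days=1)),
    Rule("web-sg/allow-ssh-any", "0.0.0.0/0", 22, 22, "tcp", TODAY - timedelta(days=3)),
    Rule("app-sg/allow-all-tcp", "0.0.0.0/0", 0, 65535, "tcp", TODAY - timedelta(days=10)),
    Rule("db-sg/postgres-from-app", "10.0.1.0/24", 5432, 5432, "tcp", TODAY - timedelta(days=200)),
    Rule("old-sg/legacy-8080", "0.0.0.0/0", 8080, 8080, "tcp", None),
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES, TODAY):
        print(f"[{f.severity}] {f.asset}: {f.description} -> {f.remediation}")
```

Feed it your exported security-group rules plus last-hit dates from flow logs; rules that pass silently (such as the 443-only rule) are the expected baseline.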
npx claudepluginhub jeffreytse/grimoire --plugin grimoire
Guides use of security scanning tools (Nmap, NSE) for network discovery, vulnerability assessment, and compliance validation. Useful for penetration testing and security auditing workflows.
Conducts network penetration tests on authorized targets using Nmap, Metasploit, and PTES methodology for host discovery, port scanning, vulnerability identification, and exploitation assessment.
Performs advanced network reconnaissance with Nmap including host discovery, port scanning, service enumeration, OS fingerprinting, and NSE scripting for authorized assessments.