
ClawGear


35 ChatGPT Prompts for Cybersecurity Analysts: Faster Threat Detection, Response, and Reporting

AI is transforming cybersecurity work — from accelerating threat analysis to drafting incident reports that would otherwise take hours. Whether you're triaging alerts, writing detection rules, or briefing leadership, these prompts help you move faster without cutting corners.

Here are 35 copy-paste-ready ChatGPT prompts built for cybersecurity analysts.


Incident Response

Prompt 1 — Initial Incident Triage

I'm triaging a potential [incident type, e.g., ransomware infection] at [company name]. The initial indicators are: [list IOCs or observations]. Help me build a structured triage checklist covering: (1) immediate containment steps, (2) key questions to answer in the first 30 minutes, (3) evidence to preserve, and (4) stakeholders to notify. Format as a numbered checklist.

Prompt 2 — Incident Timeline Construction

I'm reconstructing the timeline for a [incident type] incident at [company name]. Here are the raw log entries and events I have so far: [paste log snippets or event list]. Organize these into a chronological timeline, flag any gaps I should investigate, and identify the likely initial access vector based on the available data.

Prompt 3 — Executive Incident Summary

Write a non-technical executive summary of the following security incident for [company name] leadership: [describe the incident in technical terms]. The summary should cover: what happened, business impact, what we did to respond, current status, and recommended next steps. Keep it under 300 words and avoid jargon.

Prompt 4 — Post-Incident Lessons Learned

I'm facilitating a post-incident review for a [incident type] that occurred on [date] at [company name]. The key facts are: [summarize what happened]. Help me draft a structured lessons-learned document covering: root cause, detection gaps, response gaps, what went well, and 3-5 specific remediation actions with owners and timelines.

Prompt 5 — Containment Decision Framework

During a live [incident type] incident, I need to decide whether to isolate [affected system/network segment] immediately or continue monitoring to gather more intelligence. The business context is [describe criticality, e.g., production database, payment system]. Help me think through the tradeoffs and recommend a decision framework for this containment decision.

Threat Intelligence

Prompt 6 — IOC Enrichment Summary

I have the following indicators of compromise (IOCs) from a recent alert: [list IPs, domains, hashes, or URLs]. Summarize what is known about these IOCs based on common threat intelligence knowledge, suggest likely threat actor groups or malware families they may be associated with, and recommend what additional context I should look up in threat intel platforms.

Prompt 7 — Threat Actor Profile

Create a concise threat actor profile for [threat actor name, e.g., APT29, Lazarus Group]. Include: primary motivation, target industries and geographies, known TTPs mapped to MITRE ATT&CK, commonly used malware and tools, and 3 detection/hunting recommendations specific to this actor.

Prompt 8 — Threat Briefing for Leadership

Write a 1-page threat briefing for [company name] leadership on the current threat landscape for [industry, e.g., financial services]. Cover: top 3 active threat groups targeting this sector, most common initial access vectors this quarter, and 3 prioritized defensive actions we should take based on this intelligence. Use plain language, no acronyms without explanation.

Prompt 9 — Malware Behavior Analysis

I'm analyzing a malware sample with the following observed behaviors: [list behaviors, e.g., creates scheduled task, beacons to IP every 60 seconds, encrypts files in AppData]. Map these behaviors to MITRE ATT&CK techniques, suggest what malware family this might belong to, and recommend specific detection rules I should write to catch similar behavior in the future.

Prompt 10 — Threat Hunt Hypothesis

Help me develop 5 threat hunting hypotheses for [company name], a [industry] company with a [describe environment, e.g., hybrid cloud, Windows-heavy, 2,000 endpoints]. Each hypothesis should: state the assumed adversary behavior, reference the MITRE ATT&CK technique, specify what data source to hunt in, and describe the query logic or hunting approach.

Detection Engineering

Prompt 11 — SIEM Detection Rule Draft

Write a [Splunk/Elastic/Sentinel] detection rule for the following adversary behavior: [describe behavior, e.g., a process spawning cmd.exe with encoded PowerShell, then making an outbound connection within 30 seconds]. Include the query logic, suggested threshold, fields to extract, and 2-3 tuning suggestions to reduce false positives in a corporate Windows environment.
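Whatever the model drafts for Prompt 11 still has to be tested against data before it ships. The following is an added Python example, not from this post or any vendor: it implements the behaviour the prompt describes (cmd.exe launching encoded PowerShell, then an outbound connection from that process within 30 seconds) over constructed sample events, with one allowlist as the kind of tuning Prompt 12 asks for. Field names, the regex, the service account and the sample telemetry are all assumptions.

```python
"""Correlation check for the Prompt 11 behaviour over constructed sample events (not real telemetry)."""
import re
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)  # the 30-second window from the prompt
# Switches that hand PowerShell a base64 script; the regex is an assumption, tune it to your SIEM's field.
ENCODED_FLAG = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)
# Tuning knob (Prompt 12 style): hypothetical accounts known to run encoded PowerShell legitimately.
ALLOWED_USERS = {r"corp\svc-deploy"}

def suspicious_launch(ev):
    """True for a cmd.exe -> powershell.exe launch carrying an encoded command."""
    return (ev["type"] == "process"
            and ev["parent_image"].lower().endswith(r"\cmd.exe")
            and ev["image"].lower().endswith(r"\powershell.exe")
            and ENCODED_FLAG.search(f" {ev['cmdline']} ") is not None
            and ev["user"].lower() not in ALLOWED_USERS)

def correlate(events):
    """Return (host, pid, seconds) for each suspicious launch followed within WINDOW by a connection from the same host/pid."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort correctly as text
    hits = []
    for i, launch in enumerate(events):
        if not suspicious_launch(launch):
            continue
        t0 = datetime.fromisoformat(launch["ts"])
        for later in events[i + 1:]:
            delta = datetime.fromisoformat(later["ts"]) - t0
            if delta > WINDOW:
                break  # events are sorted, so nothing later can fall inside the window
            if (later["type"] == "network" and later["host"] == launch["host"]
                    and later["pid"] == launch["pid"]):
                hits.append((launch["host"], launch["pid"], int(delta.total_seconds())))
                break
    return hits

def proc(ts, host, pid, user, cmdline):  # constructed process-creation event
    return {"type": "process", "ts": ts, "host": host, "pid": pid, "user": user, "cmdline": cmdline,
            "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"}
def net(ts, host, pid):  # constructed outbound-connection event (destination omitted for brevity)
    return {"type": "network", "ts": ts, "host": host, "pid": pid}
SAMPLE_EVENTS = [  # constructed telemetry: one true positive and two cases the rule should not fire on
    proc("2024-05-01T10:00:00", "WS01", 4100, r"CORP\jdoe", "powershell -nop -w hidden -enc <base64>"),
    net("2024-05-01T10:00:12", "WS01", 4100),  # 12 s later: hit
    proc("2024-05-01T10:05:00", "WS02", 5200, r"CORP\svc-deploy", "powershell -EncodedCommand <base64>"),
    net("2024-05-01T10:05:03", "WS02", 5200),  # allowlisted account: no hit
    proc("2024-05-01T10:10:00", "WS03", 6300, r"CORP\asmith", "powershell -enc <base64>"),
    net("2024-05-01T10:10:45", "WS03", 6300),  # 45 s later: outside the window, no hit
]
```

Calling `correlate(SAMPLE_EVENTS)` returns only the WS01 case; the other two are the false-positive and window-edge cases you should keep in a rule's test set so later tuning does not silently widen or break it.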

Prompt 12 — Alert Tuning Recommendations

This SIEM alert is generating too many false positives: [paste alert name and logic]. The false positive pattern seems to be [describe FP pattern, e.g., IT admins running legitimate remote tools]. Suggest 3-5 specific tuning approaches to reduce noise while preserving true positive fidelity, and explain the tradeoff of each approach.

Prompt 13 — Detection Coverage Gap Analysis

Here is a list of MITRE ATT&CK techniques our team has detection coverage for: [list techniques]. Our environment is [describe: Windows endpoints, Azure AD, Okta SSO, etc.]. Identify the top 5 coverage gaps that pose the highest risk based on current threat trends, and suggest specific data sources and detection logic for each gap.

Prompt 14 — Sigma Rule Conversion

Convert the following detection logic into a valid Sigma rule: [describe detection logic or paste an existing vendor-specific query]. Ensure the rule includes the title, description, status, logsource, detection, and falsepositives sections. Add inline comments explaining each detection condition.

Prompt 15 — Purple Team Exercise Design

Design a purple team exercise for [company name] focused on detecting [attack technique, e.g., credential dumping via LSASS]. Include: the specific attack steps the red team should execute, the telemetry the blue team should observe at each step, success criteria for detection, and a table mapping each attack step to its MITRE ATT&CK sub-technique.

Vulnerability Management

Prompt 16 — Vulnerability Prioritization Rationale

I have [number] open vulnerabilities from our latest scan and need to prioritize remediation. The top findings are: [list CVEs with CVSS scores]. Our environment has [describe key assets, e.g., internet-facing web servers, Active Directory, AWS workloads]. Help me build a prioritization rationale that considers CVSS score, exploitability in the wild, asset criticality, and compensating controls.

Prompt 17 — Patch Communication to IT Teams

Write an internal communication to the IT operations team at [company name] requesting urgent patching of [CVE number] affecting [affected systems]. Include: a plain-language description of the vulnerability, why it's urgent (exploit status, CVSS), the specific systems affected in our environment, the patch or mitigation steps, and the requested completion deadline of [date].

Prompt 18 — Risk Acceptance Justification

Help me draft a risk acceptance memo for [company name] for the following vulnerability: [CVE number, description]. The system owner wants to delay patching until [date] because [business reason]. Include the risk justification, compensating controls in place, likelihood and impact assessment, and the approval chain this memo should follow.

Prompt 19 — Third-Party Vendor Security Assessment

Create a security questionnaire for assessing a new [vendor type, e.g., SaaS HR platform] vendor for [company name]. We need to evaluate their controls in these areas: data encryption, access control, incident response, vulnerability management, and compliance certifications. Generate 5 specific questions per area with the rationale for each question.

Prompt 20 — Vulnerability Scan Results Summary

I have the following vulnerability scan results from [scanner name] for our [environment description]: [paste summary or key findings]. Summarize the key risk themes, identify any critical or exploitable findings that need immediate action, and draft a 1-page executive summary I can share with the CISO.

Security Awareness and Policy

Prompt 21 — Phishing Simulation Debrief

Write a debrief message to send to [company name] employees who clicked a link in our simulated phishing email. The simulated email pretended to be [describe lure, e.g., an IT password reset request]. The message should: explain what they missed, describe the real-world risk, give 3 specific tips for spotting similar emails, and point them to our security awareness training without being condescending.

Prompt 22 — Security Policy Draft

Draft a [policy name, e.g., Acceptable Use Policy / Incident Response Policy / Remote Access Policy] for [company name], a [industry] company with [approximate headcount] employees. The policy should include: purpose, scope, policy statements, employee responsibilities, enforcement, and a review schedule. Write it in plain language appropriate for a non-technical audience.

Prompt 23 — Security Awareness Training Script

Write a 5-minute security awareness training script on [topic, e.g., social engineering, password hygiene, safe remote work] for [company name] employees. The script should: open with a realistic scenario, explain the threat in plain terms, give 3 actionable takeaways, and end with a memorable summary. Tone should be engaging and practical, not fear-based.

Prompt 24 — Security Champion Talking Points

I'm presenting security updates to [company name] department heads who are not technical. This month's key topics are: [list 2-3 security topics or recent events]. Write concise talking points for each topic that connect security risks to business outcomes, avoid technical jargon, and include one action item per topic that department heads can take back to their teams.

Prompt 25 — Tabletop Exercise Scenario

Design a cybersecurity tabletop exercise scenario for [company name] leadership, simulating a [scenario type, e.g., ransomware attack, data breach, business email compromise]. The exercise should unfold in 3 phases with inject events at each phase. Include facilitator notes, key discussion questions for each phase, and evaluation criteria for assessing the team's response decisions.

Compliance and Audit

Prompt 26 — Control Gap Assessment Narrative

We are preparing for a [framework] audit (e.g., SOC 2 Type II, ISO 27001, PCI DSS) at [company name]. Our current gaps are: [list known control gaps]. Write a structured gap assessment narrative for each gap that includes: current state, required state, risk if not remediated, proposed remediation, and target completion date. Use formal audit documentation language.

Prompt 27 — Audit Evidence Request Response

Our auditor has requested the following evidence: [list evidence items, e.g., access control logs, vulnerability scan reports, training completion records]. Help me draft an organized evidence package cover letter and index that describes each piece of evidence, references the specific control it satisfies, and notes any gaps or explanations needed.

Prompt 28 — Regulatory Change Impact Analysis

Analyze the security and compliance implications of [regulation or framework update, e.g., NIS2 Directive, new SEC cybersecurity disclosure rules] for [company name], a [industry] company operating in [geography]. Identify the top 5 changes that impact our current security program, what new requirements we need to meet, and a 90-day action plan to close the most critical gaps.

Prompt 29 — Third-Party Risk Report

Create a third-party risk summary report for [company name]'s top [number] critical vendors. For each vendor, the report should cover: what data or access they have, their compliance certifications, last assessment date, open findings, and an overall risk rating (High/Medium/Low) with justification. Format as a table followed by narrative recommendations.

Prompt 30 — Security Metrics Dashboard Narrative

I need to present the following security metrics to the board of [company name] this quarter: [list metrics, e.g., mean time to detect, mean time to respond, open critical vulns, phishing click rate, patch compliance %]. Write a narrative that contextualizes each metric, compares it to last quarter, and translates the numbers into business risk language that non-technical board members will understand.

Career and Communication

Prompt 31 — Technical Finding Explanation

Explain the following technical security finding in plain language for a non-technical business stakeholder: [describe finding, e.g., SQL injection vulnerability in customer portal, unencrypted S3 bucket containing PII]. Include: what it is, how it could be exploited, what data or systems are at risk, and what we're doing to fix it. Keep it under 150 words.

Prompt 32 — Security Roadmap Presentation

Help me structure a 12-month security roadmap presentation for [company name] leadership. Our top priorities are: [list 4-5 initiatives, e.g., EDR deployment, zero trust network access, SOC 2 certification]. For each initiative, help me articulate: the business risk it addresses, the expected outcome, key milestones, resource requirements, and how success will be measured.

Prompt 33 — Analyst Job Interview Prep

I have an interview for a [Level, e.g., Senior] Cybersecurity Analyst role at a [industry] company. The job description emphasizes [key skills from JD, e.g., threat hunting, SIEM engineering, cloud security]. Give me 10 likely behavioral and technical interview questions, a suggested answer framework for each, and 3 questions I should ask the interviewer to assess the team's maturity.

Prompt 34 — Stakeholder Security Update Email

Write a monthly security update email from the security team at [company name] to all employees. This month's highlights are: [list 2-3 security events or topics, e.g., phishing campaign targeting our industry, new MFA rollout, results of last month's phishing simulation]. Tone should be professional but approachable, and each item should end with one clear action the reader should take.

Prompt 35 — Security Tool Evaluation Framework

I'm evaluating [number] vendors for [tool category, e.g., EDR, CASB, SIEM] at [company name]. Our key requirements are: [list 4-5 requirements]. Help me build an evaluation scorecard with weighted criteria, suggested demo questions for each vendor, a proof-of-concept test plan, and a recommendation memo template I can use to present the final selection to leadership.

Get the Complete Cybersecurity Analyst AI Toolkit

Get the complete AI Prompt Toolkit for Cybersecurity Analysts →

Works with Claude, ChatGPT, and DeepSeek. Copy-paste ready.
