Cybersecurity analysts work in one of the most cognitively demanding fields in tech. You're constantly context-switching between threat hunting, incident response, vulnerability management, and stakeholder reporting — often simultaneously, often at 2 AM. The one thing you consistently don't have enough of is time.
ChatGPT won't replace your threat intelligence expertise or your hard-won instincts. But it can eliminate the hours you spend writing up incidents, drafting policy documents, explaining attack chains to non-technical stakeholders, and formatting reports that ultimately say the same things in different fonts.
These 35 prompts are organized by workflow — from threat analysis and log triage to executive reporting and team training. Every prompt is meant to be a starting point: replace the brackets with your actual context, and iterate from there.
Security note: Never paste real IP addresses, actual CVE exploitation details tied to live systems, client names, internal hostnames, or sensitive IOCs into ChatGPT. Use sanitized, anonymized, or placeholder data in all prompts. Treat ChatGPT as an external, non-confidential channel.
1. Threat Analysis and Intelligence
Prompt 1 — Attack Technique Explanation
Explain the [MITRE ATT&CK technique: T1059.001 / T1566 / T1078] in plain English. Include: what it looks like in a real attack scenario, what artifacts or logs would show evidence of it, and what detection or mitigation controls apply. Format as a brief threat brief for a SOC team.
Prompt 2 — IOC Enrichment Context
I have an IOC: [file hash / domain pattern / IP range type — use placeholder, not real data]. Describe what contextual questions I should ask to enrich this indicator, what threat intel sources are most relevant, and what false positive scenarios could explain this IOC appearing in logs.
Prompt 3 — Attack Chain Narrative
I'm building a threat narrative for an incident involving these stages: [initial access method] → [lateral movement technique] → [data staging behavior]. Write a clear, structured attack chain description that connects these stages logically. Use MITRE ATT&CK terminology where appropriate.
Prompt 4 — Threat Actor Profile Summary
Summarize what is publicly known about the threat actor group [APT28 / Lazarus Group / generic state-sponsored actor profile]. Include: known TTPs, target sectors, typical initial access vectors, and notable campaigns. Format as a 1-page briefing for a security steering committee.
Prompt 5 — Hypothesis-Driven Hunt Query Design
I'm threat hunting for [living-off-the-land binaries / credential dumping / abnormal service account activity]. Help me write 3 detection hypotheses with corresponding log sources, field names (generic SIEM format), and the behavioral logic behind each query. I'll adapt these to my actual SIEM syntax.
2. Incident Response Documentation
The most time-consuming part of IR is often writing the timeline and post-incident reports. These prompts speed up the paperwork.
Prompt 6 — Incident Timeline Draft
I'm documenting a security incident. Here are my raw notes in chronological order: [paste anonymized notes]. Convert these into a structured incident timeline with: timestamp, event description, evidence source, and analyst action taken. Use a table format.
Prompt 7 — Executive Incident Summary
Write a 1-page executive summary for a security incident involving [type: ransomware / phishing campaign / unauthorized access]. Audience: C-suite with no technical background. Include: what happened (plain English), business impact, what was done to contain it, and next steps. Avoid jargon.
Prompt 8 — Post-Incident Report Template
Create a post-incident report template for a [medium severity / high severity] security incident. Include sections for: executive summary, timeline, root cause analysis, impact assessment, containment and remediation actions taken, lessons learned, and follow-up recommendations.
Prompt 9 — Lessons Learned Facilitation Guide
Write a facilitation guide for a post-incident lessons learned meeting following [a ransomware attack / a phishing-triggered account compromise / an insider threat incident]. Include: discussion questions, how to avoid blame assignment, action item capture format, and a 60-minute agenda.
Prompt 10 — Containment Decision Checklist
Create a decision checklist for a SOC analyst determining whether to isolate a potentially compromised endpoint. Include questions covering: severity indicators, business impact of isolation, evidence preservation, stakeholder notification triggers, and rollback criteria.
3. Vulnerability Management
Prompt 11 — CVE Risk Explanation (Non-Technical)
Explain [CVE-YEAR-XXXXX placeholder] to a non-technical business stakeholder. Include: what the vulnerability allows an attacker to do, what systems are affected (generic terms), the CVSS score context, and why patching within [X days] is important. Avoid technical jargon.
Prompt 12 — Vulnerability Prioritization Framework
Write a vulnerability prioritization framework for a mid-size enterprise security team with limited patching bandwidth. Include criteria for: CVSS score weighting, asset criticality, exploitability in the wild, compensating controls, and a scoring matrix to rank findings.
Prompt 13 — Patch Communication Email
Write an email from the security team to IT operations requesting emergency patching for a critical vulnerability affecting [web servers / VPN appliances / generic network device class]. Include: urgency rationale, patch window suggestion, rollback option mention, and escalation path if patching is delayed.
Prompt 14 — Scan Results Triage Summary
I ran a vulnerability scan and have [N] findings. Here are the top 10 by CVSS score: [paste anonymized finding titles and scores]. Write a triage summary that: groups findings by exploitability, identifies quick wins, flags findings requiring architecture review, and recommends a 30-day remediation sequence.
Prompt 15 — Risk Acceptance Documentation
Write a risk acceptance memo template for a vulnerability that cannot be patched within the standard SLA due to [legacy system constraints / vendor timeline / operational risk of patching]. Include: risk description, business justification, compensating controls, review date, and approver signature block.
4. Security Policies and Procedures
Prompt 16 — Policy First Draft
Draft a [password policy / acceptable use policy / incident response policy / data classification policy] for a [SMB / enterprise / healthcare organization / financial services firm]. Include: purpose, scope, requirements, enforcement, and review cycle. Format in standard policy document structure.
Prompt 17 — Procedure Walkthrough
Write a step-by-step procedure for [phishing email triage / endpoint isolation / evidence collection for forensic investigation]. Target audience: Tier 1 SOC analyst. Include decision points, tool references (use generic names), escalation triggers, and documentation requirements.
Prompt 18 — Security Awareness Training Module
Write the content for a 10-minute security awareness training module on [phishing recognition / social engineering / password hygiene / public Wi-Fi risks]. Include: 3 real-world scenario examples (generic/anonymized), a quiz with 5 questions and answer keys, and a key takeaway summary.
Prompt 19 — Tabletop Exercise Scenario
Write a tabletop exercise scenario for a [ransomware attack / supply chain compromise / insider threat / DDoS event]. Include: scenario setup, inject timeline (5 injects over 2 hours), discussion questions for each inject, and debrief questions. Audience: cross-functional team including IT, legal, and leadership.
Prompt 20 — BYOD Policy Draft
Draft a Bring Your Own Device (BYOD) policy for a [SMB / enterprise] organization. Cover: acceptable use, device enrollment requirements, data separation, remote wipe authorization, prohibited activities, and employee acknowledgment section.
5. Stakeholder Reporting and Communication
One of the most underrated analyst skills is translating technical findings into business language. These prompts close that gap.
Prompt 21 — Security Metrics Dashboard Narrative
Write a monthly security metrics narrative for a CISO report. Metrics: [mean time to detect: X days / mean time to respond: Y hours / phishing click rate: Z% / vulnerabilities closed vs. opened ratio]. Explain what each metric means, whether the trend is positive or concerning, and what action is recommended.
Prompt 22 — Board Security Briefing (Slide Notes)
Write speaker notes for a 10-minute board-level cybersecurity briefing. Cover: current threat landscape (industry-specific), top 3 risks to the organization, investment priorities, and 1 success story from the past quarter. Tone: strategic, not operational. No acronyms without explanation.
Prompt 23 — Risk Register Entry
Write a risk register entry for the following scenario: [description of a security risk in plain English]. Include: risk ID, risk description, likelihood (1–5), impact (1–5), inherent risk score, current controls, residual risk, and recommended treatment.
Prompt 24 — Security Questionnaire Response
I'm completing a vendor security questionnaire. The question asks: "[paste question]". Draft a response that is accurate, professional, and appropriately detailed without over-disclosing internal control specifics. I'll review and adjust based on our actual controls.
Prompt 25 — Audit Finding Response
Write a management response to an audit finding that states: "[paste finding]". The response should: acknowledge the finding, explain root cause (if known), describe remediation actions already taken or planned, and provide a target completion date. Tone: accountable, not defensive.
6. Penetration Testing and Red Team Support
Prompt 26 — Pentest Scope Document Template
Create a penetration test scope document template for an [internal network / web application / social engineering] engagement. Include sections for: test objectives, in-scope systems, out-of-scope systems, rules of engagement, emergency contacts, and success criteria.
Prompt 27 — Finding Write-Up Template
Write a penetration test finding write-up for a [SQL injection / broken access control / misconfigured S3 bucket / default credentials] vulnerability. Use the standard format: title, severity, description, proof of concept (generic steps — no live payloads), business impact, and remediation recommendation.
Prompt 28 — Remediation Verification Checklist
Create a post-remediation verification checklist for a [SQL injection / XSS / SSRF] finding. Include: steps to confirm the fix was implemented, edge cases to re-test, regression risk considerations, and sign-off criteria for closing the finding.
Prompt 29 — Attack Surface Summary
I've completed external reconnaissance on a target (authorized engagement). My raw notes include: [paste anonymized/generic findings]. Write a structured attack surface summary covering: exposed services, technology stack inferences, potential entry points, and priority areas for deeper testing.
7. Career Development and Team Building
Prompt 30 — Interview Question Bank
Generate 15 technical interview questions for a [Tier 1 SOC analyst / threat intelligence analyst / penetration tester / security engineer] role. Include a mix of: behavioral questions, scenario-based questions, and technical knowledge questions. Add ideal answer indicators for each.
Prompt 31 — Certification Study Plan
Create a 90-day study plan for passing the [CISSP / CEH / CompTIA Security+ / OSCP / GCIH] exam. Include: week-by-week topic breakdown, recommended free and paid resources, lab practice suggestions, and a mock exam schedule for the final 2 weeks.
Prompt 32 — Mentorship Meeting Agenda
Write a structured agenda for a 45-minute monthly mentorship meeting between a senior security analyst and a junior analyst. Include: career progress check-in, skill gap discussion, project debrief, industry trend review, and action items for the next month.
Prompt 33 — Analyst On-Call Runbook
Create an on-call runbook template for a security analyst covering [after-hours alert triage / on-call escalation procedures]. Include: alert severity classification guide, escalation decision tree, stakeholder contact list format, documentation requirements, and end-of-shift handoff procedure.
8. Automation and Tool Development
Prompt 34 — SIEM Query Logic Draft
I need to detect [PowerShell encoded command execution / failed login spike / lateral movement via SMB]. Describe the detection logic in pseudocode: what fields to query, what threshold or behavioral pattern to look for, and what false positive conditions to exclude. I'll translate this to [Splunk SPL / KQL / Sigma rule format].
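To show what the "detection logic in pseudocode" requested here looks like once it is made concrete, the following is an added Python example (not code from the original post) for the failed-login-spike case: a sliding window of failures per source, a threshold, and an allow-list of authorized scanners as the false-positive exclusion. The record layout, the 10-in-5-minutes threshold, the scanner address and the log lines are all constructed assumptions to be adapted to your own SIEM fields.

```python
"""Failed-login spike detection (Prompt 34) as runnable Python. Added example,
not from the original post; record layout, threshold and allow-list are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                  # failures from one source ...
WINDOW = timedelta(minutes=5)   # ... within this sliding window
# False-positive exclusion: an authorized credential-auditing scanner
# (constructed address) produces the same burst shape on purpose.
KNOWN_SCANNERS = {"10.0.0.250"}

def parse(line):
    """Parse a constructed 'ts|event|user|src_ip' record into a dict."""
    ts, event, user, src_ip = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "event": event, "user": user, "src_ip": src_ip}

def detect_failed_login_spike(records):
    """Alert once per source when failures inside WINDOW reach THRESHOLD; a later
    success from an alerted source is flagged separately (burst-then-success)."""
    recent = defaultdict(deque)   # src_ip -> timestamps of recent failures
    alerted, alerts = set(), []
    for r in sorted(records, key=lambda r: r["ts"]):
        src = r["src_ip"]
        if src in KNOWN_SCANNERS:
            continue
        if r["event"] == "auth_failure":
            q = recent[src]
            q.append(r["ts"])
            while r["ts"] - q[0] > WINDOW:      # drop failures outside the window
                q.popleft()
            if len(q) >= THRESHOLD and src not in alerted:
                alerted.add(src)
                alerts.append(("failed_login_spike", src, len(q)))
        elif r["event"] == "auth_success" and src in alerted:
            alerts.append(("spike_then_success", src, r["user"]))
    return alerts

def make_sample():
    """Constructed log lines: one real burst, one scanner burst, one benign trickle."""
    t0 = datetime(2024, 1, 1, 2, 0, 0)
    at = lambda s: (t0 + timedelta(seconds=s)).isoformat()
    lines = [f"{at(10 * i)}|auth_failure|jdoe|198.51.100.7" for i in range(12)]
    lines.append(f"{at(130)}|auth_success|jdoe|198.51.100.7")
    lines += [f"{at(10 * i)}|auth_failure|svc_scan|10.0.0.250" for i in range(12)]
    lines += [f"{at(600 * i)}|auth_failure|asmith|203.0.113.5" for i in range(3)]
    return lines

if __name__ == "__main__":
    for alert in detect_failed_login_spike(parse(l) for l in make_sample()):
        print(alert)
```

The scanner burst and the three spread-out failures produce nothing; only the real burst alerts, once, and its later success is flagged for escalation.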
Prompt 35 — Python Script Specification
Write a specification (not the code — I'll write that) for a Python script that [parses a CSV of vulnerability findings and generates a prioritized remediation report / enriches a list of IP addresses with WHOIS data / converts SIEM alert exports to a structured JSON format]. Include: inputs, outputs, key functions, error handling requirements, and libraries to use.
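As an added example (not code from the original post), here is the first of the three script ideas above carried out, using the prioritization criteria from Prompt 12 and the triage grouping from Prompt 14: it parses a findings CSV, scores each row from CVSS, asset criticality, in-the-wild exploitation and compensating controls, ranks the findings and groups them into remediation tiers. The CSV column names, the weights, the tier cut-offs and SAMPLE_CSV are constructed assumptions.

```python
"""Prioritized remediation report from a findings CSV (Prompts 12, 14 and 35). Added
example, not from the original post; layout, weights, tiers and SAMPLE_CSV are constructed."""
import csv
import io

# Assumed scoring matrix: CVSS is the base score, asset criticality and known
# in-the-wild exploitation scale it up, a compensating control scales it down.
CRITICALITY_WEIGHT = {"low": 0.6, "medium": 1.0, "high": 1.5}
EXPLOITED_MULTIPLIER = 1.5
COMPENSATING_CONTROL_FACTOR = 0.6
TIERS = [(12.0, "immediate"), (7.0, "30-day"), (0.0, "scheduled")]  # (floor, name)

def score_finding(row):
    """Risk score for one CSV row; raises KeyError/ValueError on malformed input."""
    score = float(row["cvss"]) * CRITICALITY_WEIGHT[row["asset_criticality"]]
    if row["exploited_in_wild"] == "yes":
        score *= EXPLOITED_MULTIPLIER
    if row["compensating_control"] == "yes":
        score *= COMPENSATING_CONTROL_FACTOR
    return round(score, 2)

def tier_for(score):
    return next(name for floor, name in TIERS if score >= floor)

def prioritize(csv_text):
    """Return (ranked rows, errors); malformed rows are reported, not silently dropped."""
    ranked, errors = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            score = score_finding(row)
        except (KeyError, ValueError) as exc:
            errors.append((row.get("finding_id", "?"), f"{type(exc).__name__}: {exc}"))
            continue
        ranked.append({**row, "risk_score": score, "tier": tier_for(score)})
    ranked.sort(key=lambda r: r["risk_score"], reverse=True)
    return ranked, errors

def remediation_sequence(ranked):
    """Group ranked findings into the tier order a 30-day plan would follow."""
    return {name: [r["finding_id"] for r in ranked if r["tier"] == name] for _, name in TIERS}

SAMPLE_CSV = """\
finding_id,title,cvss,asset_criticality,exploited_in_wild,compensating_control
VULN-001,Default credentials on network appliance,9.8,high,yes,no
VULN-002,Outdated TLS configuration,5.3,medium,no,yes
VULN-003,SQL injection in internal portal,8.6,medium,no,yes
VULN-004,Unauthenticated RCE in VPN gateway,9.8,high,yes,yes
VULN-005,Missing patch on file server,7.5,medium,no,no
VULN-006,Malformed scanner export row,n/a,high,no,no
"""
```

Note that the compensating control on VULN-004 lowers its score but does not move it out of the immediate tier, while the malformed VULN-006 row ends up in the error list for the analyst to fix rather than vanishing from the report.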
Getting the Most From These Prompts
Sanitize everything first. Before pasting any operational data, strip real IPs, hostnames, customer names, CVE details tied to live systems, and internal tool names. Use placeholders. Treat every ChatGPT session as a public channel.
Specify your audience. "Write for a CISO" versus "write for a Tier 1 SOC analyst" will produce dramatically different outputs. Always name the audience.
Give context about your environment. SIEM platform, company size, compliance framework (SOC 2, ISO 27001, NIST), industry vertical — all of this shapes better output.
Use it for the second draft, not the first. For incident narratives and policy docs, it's often faster to jot rough notes yourself, then paste them into a "clean this up" prompt. The output will be far more accurate than starting from scratch.
Iterate ruthlessly. "Make it more concise," "add a table," "rewrite the risk section with lower severity tone" — all valid follow-up prompts.
Your Complete Cybersecurity Prompt Toolkit
Want all 35 prompts in a portable format — organized, searchable, and ready to use mid-incident?
The ChatGPT Prompt Toolkit for Cybersecurity Analysts includes:
- All 35 prompts in a PDF reference guide and Notion dashboard
- Fill-in-the-blank templates for incident reports, executive summaries, and policy docs
- Bonus: 10 prompts for cloud security and DevSecOps workflows
- Prompt chaining guide: building an end-to-end incident post-mortem from rough notes
Get the Cybersecurity Analyst Prompt Toolkit — $14.99
Grab it before your next on-call shift.