Cybersecurity engineers face a relentless pace: new vulnerabilities emerge daily, threat landscapes shift overnight, and compliance requirements seem to multiply with each passing quarter. ChatGPT can serve as an always-available thinking partner that helps you draft threat models, accelerate incident response playbooks, structure security policies, and sharpen your career trajectory. Whether you are defending cloud infrastructure, running red team exercises, or preparing for an audit, these 35 prompts give you a structured starting point to work smarter and move faster. Two ground rules apply throughout: treat every output as a first draft to be checked against primary sources (vendor advisories, NIST and PCI publications, your own telemetry), and never paste production secrets, unredacted incident data, or confidential architecture details into a third-party AI service that your data-handling policy has not approved.
Threat Modeling & Architecture
Prompt 1: STRIDE Threat Model for a New System
You are a senior security architect. I am building a [describe system — e.g., REST API that handles payment data, backed by PostgreSQL and hosted on AWS ECS]. Using the STRIDE framework, generate a comprehensive threat model. For each threat category (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege), list at least three specific threats relevant to my architecture, the likely attack vectors, and a recommended mitigation for each. Format the output as a structured table.
This prompt produces a first-draft artifact for a design review. Validate each listed threat against the real data flows and trust boundaries before sharing it, since the model only knows what you described, and it will happily list plausible threats for components you do not have.
Prompt 2: Attack Surface Analysis
Act as a red team consultant. Given the following system description: [paste architecture diagram description or component list], enumerate every possible attack surface. Group findings by external-facing surfaces, internal trust boundaries, and data stores. For each surface, rate the inherent risk as High / Medium / Low and suggest one immediate hardening action.
Attack surface analysis done manually can take days; this prompt compresses the initial enumeration into minutes, giving your team a prioritized list to validate.
Prompt 3: Zero Trust Architecture Review
I want to evaluate our current network architecture against Zero Trust principles. Here is our current setup: [describe network segments, identity providers, access controls]. Identify gaps between our current state and a mature Zero Trust model based on NIST SP 800-207. Provide a phased roadmap — Quick Wins (0-3 months), Medium-Term (3-12 months), and Strategic (12+ months) — with justification for each phase.
This prompt bridges the gap between high-level Zero Trust strategy and actionable engineering work your team can actually schedule.
Prompt 4: Secure Design Checklist for Microservices
Generate a security design checklist for a microservices architecture deployed on Kubernetes. Cover authentication and authorization between services, secrets management, container image security, network policies, logging and observability, and supply chain security. For each item, note whether it is a preventive or detective control and reference the relevant CIS Benchmark or OWASP guideline where applicable.
Having a reference checklist tied directly to recognized standards makes it much easier to justify security requirements during sprint planning with development teams.
Prompt 5: Threat Intelligence Integration Plan
I want to integrate external threat intelligence feeds into our SIEM. Our SIEM is [product name, e.g., Splunk / Elastic / Microsoft Sentinel]. Describe a practical integration architecture, including which open-source and commercial threat intel sources are most valuable for a [industry, e.g., financial services] company, how to normalize and enrich incoming IOCs, and how to build detection rules that reduce false positives while maintaining high sensitivity.
This prompt gives you a concrete integration blueprint that you can adapt directly into a project proposal or engineering spec.
Incident Response
Prompt 6: Incident Response Playbook for Ransomware
Write a detailed incident response playbook for a ransomware attack affecting on-premises Windows servers and cloud-hosted file shares. The playbook should follow the NIST SP 800-61 incident handling lifecycle (Preparation; Detection & Analysis; Containment, Eradication & Recovery; Post-Incident Activity). Include specific technical steps, decision trees for escalation, roles and responsibilities (CISO, IR lead, IT ops, legal, communications), and a timeline checklist. Make it suitable for a team of five security engineers.
A well-structured playbook drafted with ChatGPT can then be reviewed and refined by the team, dramatically cutting the time to produce a production-ready document.
Prompt 7: Post-Incident Report Template
Create a professional post-incident report template for a [type of incident, e.g., data breach involving 10,000 customer records exfiltrated via a compromised API key]. The report should include: executive summary, timeline of events, root cause analysis using the five-whys method, impact assessment (technical, business, regulatory), lessons learned, and corrective action items with owners and due dates. Write it in a tone appropriate for both a technical audience and the executive leadership team.
A polished post-incident report template reduces the cognitive load after a stressful incident and ensures nothing important is omitted when it matters most.
Prompt 8: Tabletop Exercise Scenario
Design a cybersecurity tabletop exercise scenario for a [industry] company with [number] employees. The scenario should simulate a sophisticated supply chain attack where a trusted vendor's software update contains a backdoor. Include: an inject timeline with five escalating injects, discussion questions for each inject, expected decisions the team must make, and facilitator notes. The exercise should last approximately two hours.
Tabletop exercises are critical for building organizational muscle memory, and a well-crafted scenario from this prompt can be adapted for annual drills.
Prompt 9: Forensic Investigation Checklist
I am responding to a suspected insider threat incident on a Windows 10 endpoint. Generate a forensic investigation checklist covering: initial triage steps (volatile data collection, memory acquisition), disk imaging procedures, key artifacts to collect (event logs, registry hives, browser history, file access logs), analysis priorities, chain of custody documentation requirements, and tools recommended for each step (open-source and commercial).
Having a step-by-step forensic checklist at your fingertips during an incident prevents evidence contamination and ensures the investigation holds up to legal scrutiny.
Prompt 10: SIEM Detection Rule Development
Write a set of five Sigma rules to detect common lateral movement and credential access techniques associated with [threat actor group or technique, e.g., pass-the-hash, Kerberoasting, LSASS memory dumping]. For each rule, include: the detection logic with the correct logsource (e.g., Sysmon process_access, Windows Security), relevant MITRE ATT&CK technique IDs, a tuning note to reduce false positives in a corporate Windows environment, and a response action recommendation.
Sigma is a vendor-neutral rule format: rules are converted into a target SIEM's query language with a tool such as sigma-cli and its pySigma backends rather than imported directly. Check the logsource and field names against what your own collectors actually emit, and test each rule against known-good activity before deploying it, because a generated rule with a plausible but wrong field name silently matches nothing.
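As an added example (not part of the original article and not a real Sigma rule set), the following Python mirrors the shape of two such rules (logsource, selection, filters, condition "selection and not filter", ATT&CK tags) and runs them over constructed Windows events, so you can see how the tuning filters behave before converting a rule for a real SIEM. The events, the Defender allowlist path, and the response text are assumptions made for this example.

```python
"""Sigma-style detection logic run over constructed Windows events.

Each rule mirrors a Sigma rule's structure as a Python dict so the logic runs
here without pySigma or a SIEM. The sample events are constructed for this
example and are not real telemetry.
"""
from __future__ import annotations

from typing import Any

SAMPLE_EVENTS: list[dict[str, Any]] = [
    # Sysmon EventID 10 (ProcessAccess): a user-launched dumper opening lsass
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    # Same access mask, but from the Defender engine path (expected, benign)
    {"EventID": 10,
     "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    # Unrelated process access
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1010"},
    # Security EventID 4769 (TGS request): RC4 ticket for a user-account SPN
    {"EventID": 4769, "ServiceName": "MSSQLSvc/db01.corp.example:1433",
     "TicketEncryptionType": "0x17", "TargetUserName": "alice@CORP.EXAMPLE", "Status": "0x0"},
    # AES ticket for krbtgt (normal logon traffic)
    {"EventID": 4769, "ServiceName": "krbtgt", "TicketEncryptionType": "0x12",
     "TargetUserName": "bob@CORP.EXAMPLE", "Status": "0x0"},
    # RC4 ticket for a machine account (random 120-char password, not worth cracking)
    {"EventID": 4769, "ServiceName": "WS01$", "TicketEncryptionType": "0x17",
     "TargetUserName": "svc_backup@CORP.EXAMPLE", "Status": "0x0"},
]

RULES: list[dict[str, Any]] = [
    {
        "title": "LSASS memory access from unexpected process",
        "tags": ["attack.credential_access", "attack.t1003.001"],
        "logsource": {"product": "windows", "category": "process_access"},
        "detection": {
            "selection": {
                "EventID": 10,
                "TargetImage|endswith": "\\lsass.exe",
                "GrantedAccess": ["0x1010", "0x1FFFFF", "0x1438", "0x143A"],
            },
            # Tuning: AV/EDR engines legitimately open lsass. Allowlist by full
            # path prefix, never by bare image name, since a dumper can be renamed.
            "filters": [
                {"SourceImage|startswith": "C:\\ProgramData\\Microsoft\\Windows Defender\\"},
            ],
        },
        "response": "Isolate host, acquire memory, reset credentials of logged-on users.",
    },
    {
        "title": "Kerberoasting: RC4 TGS request for a user-account SPN",
        "tags": ["attack.credential_access", "attack.t1558.003"],
        "logsource": {"product": "windows", "service": "security"},
        "detection": {
            "selection": {"EventID": 4769, "TicketEncryptionType": "0x17", "Status": "0x0"},
            # Tuning: machine accounts and krbtgt produce RC4 tickets in mixed
            # environments and are not the target of a roast.
            "filters": [{"ServiceName|endswith": "$"}, {"ServiceName": "krbtgt"}],
        },
        "response": "Review TGS volume per requesting account; rotate the service account and enforce AES.",
    },
]


def field_matches(event: dict[str, Any], key: str, expected: Any) -> bool:
    """Evaluate one Sigma field expression such as 'TargetImage|endswith'."""
    name, _, modifier = key.partition("|")
    if name not in event:
        return False
    value = str(event[name]).lower()
    candidates = expected if isinstance(expected, list) else [expected]  # list = OR
    for cand in candidates:
        cand = str(cand).lower()
        if modifier == "" and value == cand:
            return True
        if modifier == "endswith" and value.endswith(cand):
            return True
        if modifier == "startswith" and value.startswith(cand):
            return True
        if modifier == "contains" and cand in value:
            return True
    return False


def block_matches(event: dict[str, Any], block: dict[str, Any]) -> bool:
    """A Sigma map is an AND of all its field expressions."""
    return all(field_matches(event, k, v) for k, v in block.items())


def evaluate(rule: dict[str, Any], events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Condition: selection and not (filter_1 or filter_2 ...)."""
    det = rule["detection"]
    return [
        ev for ev in events
        if block_matches(ev, det["selection"])
        and not any(block_matches(ev, f) for f in det.get("filters", []))
    ]


def run_rules(rules: list[dict[str, Any]] = RULES,
              events: list[dict[str, Any]] = SAMPLE_EVENTS) -> dict[str, list[dict[str, Any]]]:
    """Map each rule title to the events it fires on."""
    return {rule["title"]: evaluate(rule, events) for rule in rules}


if __name__ == "__main__":
    for title, hits in run_rules().items():
        print(f"{title}: {len(hits)} hit(s)")
        for ev in hits:
            print("   ", ev.get("SourceImage") or ev.get("ServiceName"))
```

Of the six events only two fire: the procdump access to lsass and the RC4 ticket for the MSSQLSvc SPN. The Defender engine and the machine-account ticket are suppressed by the filters, which is exactly the behaviour the prompt's "tuning note" should document for each rule.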
Security Policies & Documentation
Prompt 11: Acceptable Use Policy Draft
Draft a comprehensive Acceptable Use Policy (AUP) for a company with [number] employees that uses cloud-based SaaS tools, corporate laptops, and BYOD mobile devices. The policy should cover: acceptable and prohibited uses of company IT resources, internet and email usage, software installation rules, data handling expectations, social media guidelines, and consequences for violations. Write it in plain language that non-technical employees will understand, and flag sections that legal counsel should review.
A clear AUP is a foundational compliance document, and generating a solid first draft with ChatGPT gives legal and HR a concrete starting point rather than a blank page.
Prompt 12: Data Classification Policy
Create a data classification policy for a [industry] organization. Define four classification tiers (Public, Internal, Confidential, Restricted), with clear criteria for each tier, examples of data types that fall into each category, handling requirements (storage, transmission, sharing, disposal), and labeling guidelines. Include a quick-reference decision matrix that employees can use to classify data they create or receive.
A well-structured data classification policy is the backbone of DLP programs and helps engineers make consistent decisions about encryption and access control.
Prompt 13: Vendor Security Assessment Questionnaire
Generate a vendor security assessment questionnaire for evaluating a SaaS vendor that will process [type of data, e.g., employee HR records]. Include sections on: organizational security posture, data handling and encryption, access control and identity management, incident response capabilities, subprocessor management, compliance certifications, and business continuity. For each section, provide five targeted questions and note which questions are deal-breakers if answered unsatisfactorily.
This questionnaire can be sent directly to vendors and ensures your third-party risk management program covers all critical domains.
Prompt 14: Security Awareness Training Script
Write a 10-minute security awareness training module script on the topic of phishing and social engineering for non-technical employees. Include: a hook that opens with a realistic scenario, explanation of how phishing attacks work today (including spear phishing and vishing), three real-world examples adapted for a [industry] audience, interactive quiz questions, and five concrete actions employees should take immediately after spotting a suspicious message. Use a conversational, engaging tone — not corporate jargon.
Training content created with this prompt can be adapted into slide decks, video scripts, or e-learning modules, saving the security team significant content development time.
Prompt 15: Security Architecture Decision Record
Write an Architecture Decision Record (ADR) for the following security decision: [describe decision, e.g., choosing between hardware security keys and authenticator apps for MFA across 500 employees]. The ADR should include: context and problem statement, decision drivers, options considered with pros and cons, the recommended decision, consequences (positive and negative), and a review date. Format it in standard ADR markdown.
ADRs create an institutional memory of security decisions, which is invaluable during audits and when onboarding new team members.
Vulnerability Management
Prompt 16: Vulnerability Prioritization Framework
I have a vulnerability scan report with 200+ findings. Help me build a prioritization framework that goes beyond CVSS scores. Factor in: asset criticality, exploitability in the wild (EPSS scores), network exposure, existing compensating controls, and business context. Create a scoring matrix I can apply to each finding, and define SLA targets for Critical, High, Medium, and Low priorities. Also suggest how to communicate prioritization decisions to development teams.
Using a multi-factor prioritization framework helps security teams focus remediation effort where it matters most rather than chasing every high CVSS score.
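As an added example (not part of the original article), here is one way to turn the factors the prompt lists into a scoring matrix with SLA bands and a one-line rationale per finding. The weights, thresholds, SLA days and the four sample findings are assumptions chosen for illustration, not an industry standard; the point is that a CVSS 9.8 on an isolated, low-value asset can legitimately rank below a CVSS 7.5 that is internet-facing and known to be exploited.

```python
"""Multi-factor vulnerability prioritization: a scoring matrix beyond CVSS.

Weights, thresholds and SLA days are assumptions for this example; tune them to
your own risk appetite. The findings are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.5, "isolated": 0.0}
KEV_BONUS = 20.0            # listed in a known-exploited catalogue (e.g. CISA KEV)
COMPENSATING_CREDIT = 15.0  # e.g. WAF rule, network ACL, vulnerable feature disabled
# (score threshold, label, remediation SLA in days), highest threshold first
PRIORITY_BANDS = [(75, "Critical", 7), (50, "High", 30), (25, "Medium", 90), (0, "Low", 180)]


@dataclass(frozen=True)
class Finding:
    id: str
    cvss: float               # CVSS base score, 0-10
    epss: float               # EPSS probability, 0-1
    asset_criticality: int    # 1 = low, 2 = medium, 3 = crown jewel
    exposure: str             # key of EXPOSURE_WEIGHT
    compensating_control: bool = False
    known_exploited: bool = False


def score(f: Finding) -> float:
    """0-100 score: 40% CVSS, 30% EPSS, 20% exposure, 10% asset criticality,
    plus a bonus for known exploitation and a credit for compensating controls."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"{f.id}: CVSS out of range")
    if not 0.0 <= f.epss <= 1.0:
        raise ValueError(f"{f.id}: EPSS out of range")
    if f.asset_criticality not in (1, 2, 3):
        raise ValueError(f"{f.id}: criticality must be 1, 2 or 3")
    s = ((f.cvss / 10) * 40 + f.epss * 30
         + EXPOSURE_WEIGHT[f.exposure] * 20 + (f.asset_criticality / 3) * 10)
    if f.known_exploited:
        s += KEV_BONUS
    if f.compensating_control:
        s -= COMPENSATING_CREDIT
    return max(0.0, min(100.0, s))


def classify(s: float) -> tuple[str, int]:
    """Map a score to (priority label, SLA in days)."""
    for threshold, label, sla_days in PRIORITY_BANDS:
        if s >= threshold:
            return label, sla_days
    raise AssertionError("unreachable: bands cover 0-100")


def explain(f: Finding) -> str:
    """One-line rationale suitable for the ticket handed to a development team."""
    parts = [f"CVSS {f.cvss}", f"EPSS {f.epss:.0%}", f"{f.exposure} exposure",
             f"criticality {f.asset_criticality}/3"]
    if f.known_exploited:
        parts.append("known exploited")
    if f.compensating_control:
        parts.append("compensating control in place")
    return ", ".join(parts)


def prioritize(findings: list[Finding]) -> list[dict]:
    """Score every finding and return rows sorted from most to least urgent."""
    rows = []
    for f in findings:
        s = score(f)
        label, sla = classify(s)
        rows.append({"id": f.id, "score": round(s, 1), "priority": label,
                     "sla_days": sla, "cvss": f.cvss, "rationale": explain(f)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed findings (IDs are placeholders, not CVE identifiers)
SAMPLE_FINDINGS = [
    Finding("F-001", cvss=9.8, epss=0.02, asset_criticality=1, exposure="isolated"),
    Finding("F-002", cvss=7.5, epss=0.92, asset_criticality=3, exposure="internet",
            known_exploited=True),
    Finding("F-003", cvss=8.8, epss=0.40, asset_criticality=2, exposure="internal",
            compensating_control=True),
    Finding("F-004", cvss=5.3, epss=0.01, asset_criticality=1, exposure="isolated"),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS):
        print(f"{row['id']}  {row['priority']:<8} score={row['score']:>5}  "
              f"SLA={row['sla_days']}d  ({row['rationale']})")
```

With these weights F-002 lands at Critical with a 7-day SLA, F-003 is pulled down to Medium by its compensating control, and the CVSS 9.8 finding F-001 ranks third. The rationale string is what you put in the ticket so developers can see why a "critical" scanner result got a 90-day SLA.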
Prompt 17: Patch Management Policy
Draft a patch management policy for an enterprise environment with Windows servers, Linux systems, network devices, and cloud workloads. Include: patch classification tiers, testing requirements before production deployment, emergency patching procedures for zero-days, maintenance window guidelines, exception handling process, and metrics to track program health (e.g., mean time to patch, patch compliance rate). Make it practical for a team of three security engineers managing 500 assets.
A clear patch management policy ensures consistent remediation timelines and provides documentation that satisfies auditors and regulators.
Prompt 18: CVE Analysis and Remediation Guidance
Analyze the following CVE: [paste CVE ID and description]. Provide: a plain-language explanation of the vulnerability and how it is exploited, affected software versions, detection methods (log indicators, network signatures, EDR queries), step-by-step remediation instructions for [specific OS or platform], temporary mitigations if patching is not immediately possible, and links to vendor advisories and proof-of-concept references I should monitor.
This prompt turns a raw CVE entry into an actionable remediation brief that can be assigned to system owners. Verify the affected version ranges and every link against the vendor advisory and NVD before assigning it, because model-generated references can be outdated or simply wrong, and the model may not know about a CVE published after its training cutoff.
Prompt 19: Container Security Scanning Strategy
Design a container security strategy for a DevSecOps pipeline using [CI/CD tool, e.g., GitHub Actions / GitLab CI]. Include: where in the pipeline to integrate image scanning (build, registry, runtime), recommended open-source and commercial scanning tools for each stage, policies for blocking builds on critical findings, base image hardening guidelines, and a runtime security monitoring approach using tools like Falco or Sysdig. Provide example configuration snippets where possible.
Embedding security scanning into the pipeline rather than treating it as a gate after development reduces remediation cost and developer friction.
Prompt 20: Bug Bounty Program Design
Help me design a bug bounty program for a [company size and type] company launching for the first time. Cover: in-scope and out-of-scope assets, vulnerability classification and reward tiers, disclosure policy and response SLAs, rules of engagement for researchers, internal triage workflow when a report arrives, legal safe harbor language, and a recommended platform (HackerOne, Bugcrowd, Intigriti, or self-hosted). Include a sample program brief I can post publicly.
A well-designed bug bounty program turns the external research community into an extension of your security team. It complements rather than replaces scoped penetration tests, and the budget needs to cover triage staff time and payouts, not only the platform fee.
Security Awareness Training
Prompt 21: Phishing Simulation Campaign Plan
Design a three-month phishing simulation campaign for a company of [size] employees. Include: a monthly theme progression (basic credential phishing, spear phishing with personalization, business email compromise), email templates for each simulation, metrics to track (click rate, report rate, credential submission rate), follow-up training for employees who fall for simulations, and a reporting format for leadership. Ensure the campaign builds resilience rather than shaming employees.
A phased simulation campaign that pairs failures with immediate training drives measurable improvement in employee security behavior over time.
Prompt 22: Security Champion Program Blueprint
Create a blueprint for a Security Champion program targeting software developers at a [size] company. Include: how to recruit and select champions, a curriculum for their initial training (covering OWASP Top 10, secure code review, threat modeling basics), their ongoing responsibilities, how to recognize and reward their contributions, metrics to measure program impact, and a quarterly meeting agenda template.
Security Champion programs multiply the security team's reach inside engineering organizations and shift security left without adding headcount.
Prompt 23: Executive Security Briefing
Write a 5-minute executive briefing on the current threat landscape for a [industry] company. Translate technical risks into business impact language. Cover: the top three threat actors targeting our industry this quarter, recent high-profile incidents in our sector and their financial impact, our current security posture gaps, and two to three strategic investments we recommend to the board. Avoid jargon — speak in terms of revenue risk, regulatory exposure, and customer trust.
The ability to communicate security risk in business language is one of the most valuable skills a security engineer can develop, and this prompt helps you practice and refine it.
Prompt 24: Onboarding Security Training Module
Create a security onboarding checklist and training outline for new employees joining a [industry] company. Cover: account setup best practices, password manager adoption, MFA enrollment, recognizing phishing, data handling do's and don'ts, physical security (clean desk, tailgating), incident reporting procedures, and acceptable use policy highlights. Format it as a structured 30-minute self-guided module with knowledge check questions at the end.
A strong security onboarding experience sets the right tone from day one and reduces the window of vulnerability that comes with new employees joining the organization.
Prompt 25: Gamified Security Challenge Design
Design a Capture the Flag (CTF) challenge for internal security awareness targeting non-technical employees. Include five challenges covering: spotting a phishing email, identifying oversharing in a social media post, recognizing a pretexting phone call script, finding sensitive data left exposed in a shared drive, and creating a strong passphrase. For each challenge, provide the scenario, the correct answer, and a learning explanation. Keep difficulty appropriate for employees with no security background.
Gamified learning dramatically increases engagement compared to traditional compliance training and produces more lasting behavioral change.
Compliance & Audits
Prompt 26: SOC 2 Readiness Gap Analysis
I am preparing our company for a SOC 2 Type II audit covering the Security and Availability trust service criteria. Here is a summary of our current controls: [paste control inventory or describe current state]. Conduct a gap analysis against the SOC 2 criteria. For each gap identified, describe the control objective, our current state, what we need to implement, effort estimate (Low / Medium / High), and recommended owner. Prioritize gaps that auditors commonly flag as deficiencies.
A structured gap analysis like this one can shave months off audit preparation by giving your team a clear, prioritized remediation roadmap from the start.
Prompt 27: GDPR Data Protection Impact Assessment
Help me complete a Data Protection Impact Assessment (DPIA) for the following processing activity: [describe processing activity, e.g., implementing a new employee monitoring tool that tracks application usage]. Follow the structure required under GDPR Article 35. Include: description of the processing, necessity and proportionality assessment, identification of risks to data subjects, proposed mitigation measures, and a recommendation on whether residual risk is acceptable or requires consultation with a supervisory authority.
A well-executed DPIA not only satisfies GDPR requirements but also surfaces privacy risks that would otherwise become costly incidents.
Prompt 28: PCI DSS Compliance Checklist
Generate a practical compliance checklist for PCI DSS v4.0 for a company that processes [volume] credit card transactions per year and is classified as a [SAQ type, e.g., SAQ D merchant]. For each requirement, provide: a plain-language description of what is required, common implementation approaches, evidence artifacts auditors will request, and a self-assessment question our team can use to evaluate current state. Flag the requirements that have changed significantly in v4.0 compared to v3.2.1.
This checklist gives small security teams a structured way to self-assess PCI compliance without immediately engaging expensive QSA consultants.
Prompt 29: NIST CSF Maturity Assessment
Walk me through a self-assessment of our cybersecurity program using the NIST Cybersecurity Framework 2.0. For each of the six functions (Govern, Identify, Protect, Detect, Respond, Recover), provide five diagnostic questions I can use to assess our current maturity tier (1-4). For each question, describe what Tier 1 (Partial) through Tier 4 (Adaptive) looks like in practice. Output the assessment as a structured worksheet I can complete with my team.
A NIST CSF self-assessment creates a shared language for discussing security maturity with both technical teams and executive leadership.
Prompt 30: Audit Evidence Collection Tracker
Create an audit evidence collection tracker for an upcoming [ISO 27001 / SOC 2 / PCI DSS] audit. The tracker should include: control ID, control description, evidence artifact required, evidence owner, due date, collection status, auditor-facing notes field, and a dashboard summary row. Provide it in a format I can easily adapt to a spreadsheet, and include 20 sample rows covering common controls across access management, change management, logging, and incident response.
A well-organized evidence tracker prevents the last-minute scramble that plagues audit preparation and ensures nothing falls through the cracks.
Career Development
Prompt 31: Cybersecurity Career Roadmap
I am a [current role and years of experience] cybersecurity professional. My goal is to become a [target role, e.g., Principal Security Architect / CISO / Red Team Lead] within [timeframe]. Analyze my current skill set: [list skills and certifications]. Identify skill gaps between where I am and where I want to be, recommend specific certifications and learning resources to close those gaps, suggest projects or experiences that would strengthen my profile, and create a 12-month development plan with quarterly milestones.
A personalized, structured career roadmap keeps you focused on high-leverage development activities rather than collecting certifications that do not move you toward your goals.
Prompt 32: Security Interview Preparation
Prepare me for a technical interview for a [target role, e.g., Senior Security Engineer at a fintech company]. Generate 15 technical interview questions covering: network security, cloud security (AWS/Azure/GCP), application security, incident response, and security architecture. For each question, provide a model answer that demonstrates both depth of knowledge and clear communication. Also give me three questions I should ask the interviewer to evaluate whether the role and team are a good fit for me.
Preparing with realistic, role-specific questions — and knowing what to ask in return — significantly increases both interview performance and job satisfaction after you accept an offer.
Prompt 33: Personal Brand Building for Security Professionals
Help me build a professional brand as a cybersecurity expert. My areas of expertise are [list specializations, e.g., cloud security, threat intelligence, AppSec]. Suggest: a LinkedIn profile optimization strategy, topics I should write about to demonstrate expertise (blog post ideas, LinkedIn articles, conference talk abstracts), communities and conferences I should engage with, an open-source contribution strategy, and a 90-day content plan to establish visibility in my niche.
Building a visible professional brand in cybersecurity opens doors to speaking opportunities, job offers, consulting work, and community influence that accelerate a career beyond what credentials alone can achieve.
Prompt 34: Salary Negotiation Preparation
I am negotiating a compensation package for a [job title] role at a [company size and type] company in [location]. My current total compensation is [amount]. The offer is [describe offer]. Help me: research how to benchmark this offer against market data, identify every negotiable element beyond base salary (signing bonus, equity, remote work, professional development budget, extra PTO, hardware allowance), draft a professional counter-offer email, and prepare responses to the three most common pushbacks a recruiter will give.
Security engineers who negotiate confidently and professionally typically earn significantly more over their careers, and preparation with this prompt removes the anxiety from the conversation.
Prompt 35: Mentorship and Team Development Plan
I am a senior security engineer who has just been asked to mentor two junior engineers on my team. Engineer A has six months of experience and wants to specialize in cloud security. Engineer B has one year of experience and is interested in threat intelligence. Create a six-month mentorship plan for each, including: monthly learning objectives, recommended hands-on projects and labs, books and courses to assign, skills to assess at the 90-day mark, and guidance on how to balance structured mentorship with letting them grow independently. Also give me five principles for being an effective technical mentor.
Investing intentionally in junior team members multiplies the team's overall capability and is one of the highest-leverage activities a senior engineer can do for their organization.