Reporting

External review

Formal findings report with severity ratings, reproduction steps, remediation guidance, and executive summary

Hats: 2
Review Agents: 1
Review: External
Unit Types: Finding, Executive Summary, Remediation Plan
Inputs: Post Exploitation

Dependencies: Post Exploitation / impact-assessment

Hat Sequence

1. Remediation Advisor

Focus: Develop actionable remediation guidance for each finding. Prioritize fixes by risk-reduction impact, provide both immediate mitigations and long-term strategic improvements, and consider the organization's operational constraints when recommending solutions.

Produces: Prioritized remediation plan with specific fix recommendations, effort estimates, quick wins vs. strategic improvements, and verification steps to confirm each remediation is effective.

Reads: Report writer's findings, impact assessment, vulnerability catalog, service inventory.

Anti-patterns (RFC 2119):

  • The agent MUST NOT recommend "patch everything" without prioritization or specificity
  • The agent MUST NOT ignore operational constraints that make certain remediations impractical
  • The agent MUST NOT provide only strategic recommendations without actionable immediate steps
  • The agent MUST include verification steps to confirm remediation effectiveness
  • The agent MUST NOT recommend solutions that introduce new security risks
  • The agent MUST NOT fail to consider the dependencies between findings when prioritizing fixes
2. Report Writer

Focus: Compile all findings into a structured, professional security assessment report. Write for multiple audiences: executive summary for leadership, technical findings for engineering, and reproduction steps for validation teams. Ensure every claim is backed by evidence from earlier stages.

Produces: Complete security assessment report with executive summary, methodology section, detailed findings (severity-rated with evidence and reproduction steps), and appendices with raw data.

Reads: Impact assessment, access log, vulnerability catalog, target profile, rules of engagement.

Anti-patterns (RFC 2119):

  • The agent MUST NOT include reproduction steps detailed enough for malicious use without proper classification
  • The agent MUST NOT omit findings because they seem minor — all findings belong in the report
  • The agent MUST NOT write technical jargon in the executive summary
  • The agent MUST include evidence artifacts (screenshots, logs, hashes) for each finding
  • The agent MUST NOT fail to document the methodology and tools used throughout the assessment
  • The agent MUST NOT report unverified scanner output as confirmed findings

Review Agents

Remediation Quality

Mandate: The agent MUST verify findings are actionable and remediation guidance is specific.

Check:

  • The agent MUST verify that each finding has clear reproduction steps
  • The agent MUST verify that remediation recommendations are specific to the technology in use, not generic
  • The agent MUST verify that severity ratings follow an established framework (CVSS, DREAD, or engagement-specific)
  • The agent MUST verify that executive summary accurately conveys business risk without minimizing or sensationalizing

Reporting

Criteria Guidance

Good criteria examples:

  • "Each finding includes severity rating (CVSS), affected asset, reproduction steps, evidence artifacts, and specific remediation guidance"
  • "Executive summary communicates overall risk posture in business terms understandable by non-technical stakeholders"
  • "Remediation plan prioritizes fixes by risk-reduction impact and includes both quick wins and strategic improvements"

Bad criteria examples:

  • "Report is written"
  • "Findings are documented"
  • "Remediation is suggested"

Completion Signal (RFC 2119)

The final report MUST exist with an executive summary, detailed technical findings, and a remediation plan. Each finding MUST have a severity rating, reproduction steps, evidence, and specific remediation guidance. The executive summary communicates risk posture in business terms. The remediation plan is prioritized by impact with clear ownership suggestions. The report MUST have been reviewed for accuracy, completeness, and appropriate classification of sensitive details.