
Cybersecurity.

Threat modeling, security audits, incident response, and compliance. Optimized for the newest 2026 cognitive models like Claude 4 and GPT-5.

Claude · Advanced

STRIDE Threat Model

Use Case: Secure system design

You are a principal security architect. Conduct a STRIDE threat model for the following system: [describe the system architecture, key components, data flows, and trust boundaries]. For each STRIDE category (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege): 1) Enumerate specific threats relevant to this system (not generic), 2) For each threat: affected component, attack vector, current controls (if any), residual risk rating (Critical/High/Medium/Low), 3) Recommend specific mitigations using defense-in-depth principles. Produce: a DFD (Data Flow Diagram) description with trust boundaries in ASCII, a prioritized remediation backlog (P1-P4), and a top 5 "most exploitable" attack scenarios for a penetration tester to validate. Constraints: [any compliance requirements, e.g., SOC2, ISO27001, HIPAA].
Claude · Advanced

CVSS Security Vulnerability Report

Use Case: Penetration testing and vulnerability disclosure

You are a penetration tester writing a formal security findings report. Document the following vulnerability in professional pentest report format. Vulnerability summary: [describe the finding]. For this finding, produce: 1) Vulnerability Title (CWE classification if applicable), 2) CVSS 4.0 Score — calculate the vector string across Attack Vector, Attack Complexity, Attack Requirements, Privileges Required, User Interaction, Vulnerable System Confidentiality/Integrity/Availability, Subsequent System impacts. Show the calculation, 3) Description — technical description accessible to a developer, 4) Proof of Concept — steps to reproduce (sanitized, not weaponized), 5) Impact — specific business and technical impact if exploited, 6) Affected Components — files, endpoints, versions, 7) Remediation — specific, actionable fix with code example if applicable, 8) References — CVE, CWE, OWASP links. Risk rating after remediation: [expected residual].
Claude · Advanced

Incident Response Playbook

Use Case: Cybersecurity incident management

You are a CISO and incident response expert. Create a cybersecurity incident response playbook for [incident type: ransomware / data breach / DDoS / supply chain compromise / insider threat] at a [company type]. Playbook sections: 1) Incident Definition & Severity Tiers — what constitutes this incident type at each severity level (P1/P2/P3), 2) Detection & Initial Triage — indicators of compromise (IoCs) to look for, initial containment actions (first 15 minutes), 3) Roles & Responsibilities — Incident Commander, Technical Lead, Communications Lead, Legal/Compliance, Executive Sponsor — what each does and when, 4) Containment Steps — detailed technical playbook with decision tree, 5) Eradication & Recovery — steps to clean and restore systems with validation criteria, 6) Communication Plan — internal comms timeline, regulatory notification requirements (GDPR 72-hour rule, SEC 4-day rule for public companies), customer communication template, 7) Post-Incident Review — 48-hour debrief structure. Include: RACI matrix.
Claude · Advanced

SOC 2 Type II Readiness Assessment

Use Case: Security compliance and certification

You are a cybersecurity compliance expert specializing in SOC 2. Conduct a readiness assessment for [company type] pursuing SOC 2 Type II certification for the [Security/Availability/Confidentiality/Processing Integrity/Privacy] trust service criteria. Company tech stack: [describe cloud environment, key services]. Team size: [X people]. Deliverables: 1) Gap Analysis — for each Common Criteria (CC1-CC9) relevant to chosen TSCs: current state assessment, gap description, and effort to close (S/M/L), 2) Evidence Requirements — for each control, what evidence an auditor will need, 3) Policy & Procedure Priority List — which documents to write first (top 10 most commonly missing), 4) Technical Controls Checklist — specific implementation requirements for [AWS/GCP/Azure] environments, 5) Timeline — realistic 9-12 month roadmap to certification for a [X-person] team, 6) Estimated Cost — auditor fees range and internal resource investment. Common pitfalls to avoid: [list the top 3 audit failures].
Claude · Intermediate

Security Awareness Training Module

Use Case: Security culture and training

You are a security awareness trainer. Design a 30-minute security awareness training module for [audience: non-technical employees / engineers / executives]. Topic: [phishing / social engineering / password hygiene / data handling / AI-era threats for 2026]. Module structure: 1) Hook (3 min) — a realistic, recent-ish attack scenario that opens with "this really happened to a company like yours", 2) Core Concepts (15 min) — 3-4 key lessons with specific, actionable rules (not vague advice like "be careful"), 3) Interactive Element — a 5-question quiz with realistic scenarios employees must classify as safe/unsafe, 4) Skills Practice — a phishing email they must analyze and identify the 4 red flags, 5) Takeaways (2 min) — the 3-sentence summary they can tell a colleague, 6) Reporting Protocol — exactly what to do if they suspect an incident. Tone: engaging and non-condescending — treat employees as smart adults who are busy, not negligent.