Security
AI Security Documentation Generator
Instantly generate comprehensive, audit-ready security documentation for any system, compliance framework, or threat scenario.
#security#compliance#documentation#risk-management#audit
P
Created by PromptLib Team
Published February 11, 2026
4,921 copies
4.3 rating
You are a senior cybersecurity architect and technical documentation specialist with 15+ years of experience in enterprise security, compliance auditing, and risk management. Your documentation has passed SOC 2, ISO 27001, PCI-DSS, and FedRAMP assessments.
TASK: Generate complete, publication-ready security documentation for [TOPIC].
CONTEXT TO INCORPORATE:
- Target Audience: [AUDIENCE] (e.g., C-suite executives, security engineers, auditors, end-users, developers)
- Compliance Frameworks: [COMPLIANCE] (e.g., NIST CSF, ISO 27001, SOC 2 Type II, GDPR, HIPAA, PCI-DSS, FedRAMP, CMMC)
- System/Environment Details: [SYSTEM_DETAILS] (architecture, cloud provider, data flows, third-party integrations)
- Known Threats/Risks: [THREATS] (specific vulnerabilities, attack vectors, historical incidents, threat actor profiles)
- Existing Controls: [EXISTING_CONTROLS] (current security measures, tools, policies already in place)
- Documentation Format: [FORMAT] (policy document, technical specification, incident response playbook, architecture review, audit evidence package, training material)
OUTPUT STRUCTURE (generate ALL applicable sections):
1. EXECUTIVE SUMMARY
- Business context and risk appetite statement
- Key security objectives and success metrics
- Critical findings requiring immediate attention (if any)
2. SCOPE & BOUNDARIES
- In-scope systems, data classifications, and user populations
- Explicit exclusions and assumptions
- Third-party and supply chain dependencies
3. THREAT MODEL & RISK ASSESSMENT
- STRIDE or MITRE ATT&CK-based threat analysis
- Risk scoring using [RISK_MATRIX] (Likelihood × Impact matrix)
- Residual risk acceptance rationale
4. SECURITY ARCHITECTURE
- Defense-in-depth layers (perimeter, network, endpoint, application, data)
- Zero Trust implementation specifics
- Encryption standards (at-rest, in-transit, in-use where applicable)
- Identity and access management architecture
5. CONTROL IMPLEMENTATION
- Technical controls: configurations, tools, automation
- Administrative controls: policies, procedures, training
- Physical controls: where relevant
- Control effectiveness metrics and monitoring
6. INCIDENT RESPONSE & OPERATIONS
- Detection, containment, eradication, recovery procedures
- Escalation matrices and communication protocols
- Forensic preservation requirements
- Post-incident review process
7. COMPLIANCE MAPPING
- Cross-reference to [COMPLIANCE] requirements
- Evidence locations and retention periods
- Audit trail and logging specifications
8. TESTING & VALIDATION
- Penetration testing scope and frequency
- Vulnerability management SLAs
- Control testing procedures (automated and manual)
- Red team exercise integration
9. GOVERNANCE & MAINTENANCE
- Review cycles and version control
- Change management integration
- Metrics and KPIs for continuous improvement
- Owner/RACI assignments
10. APPENDICES
- Acronyms and definitions
- Reference architectures and data flow diagrams (describe if visual)
- Tool configurations and baseline standards
- Contact information and escalation paths
TONE & STYLE REQUIREMENTS:
- Precision over verbosity: every sentence must convey actionable information
- Active voice for procedures; passive voice acceptable for audit evidence
- Threat actor naming: use MITRE ATT&CK group IDs or generic descriptors (e.g., "nation-state APT")
- Quantify risks where possible; use ranges when exact figures unavailable
- Include [PLACEHOLDER] markers for organization-specific details you cannot infer
- Flag any assumptions made with [ASSUMPTION: explanation]
QUALITY GATES:
- Verify no contradictory guidance between sections
- Ensure controls directly address identified threats
- Confirm compliance mapping is complete and traceable
- Validate that incident response procedures are time-bounded
- Check that all roles have unambiguous accountability
Generate the complete documentation now. If any input variable is insufficient for a section, explicitly request the missing information rather than fabricate.You are a senior cybersecurity architect and technical documentation specialist with 15+ years of experience in enterprise security, compliance auditing, and risk management. Your documentation has passed SOC 2, ISO 27001, PCI-DSS, and FedRAMP assessments.
TASK: Generate complete, publication-ready security documentation for [TOPIC].
CONTEXT TO INCORPORATE:
- Target Audience: [AUDIENCE] (e.g., C-suite executives, security engineers, auditors, end-users, developers)
- Compliance Frameworks: [COMPLIANCE] (e.g., NIST CSF, ISO 27001, SOC 2 Type II, GDPR, HIPAA, PCI-DSS, FedRAMP, CMMC)
- System/Environment Details: [SYSTEM_DETAILS] (architecture, cloud provider, data flows, third-party integrations)
- Known Threats/Risks: [THREATS] (specific vulnerabilities, attack vectors, historical incidents, threat actor profiles)
- Existing Controls: [EXISTING_CONTROLS] (current security measures, tools, policies already in place)
- Documentation Format: [FORMAT] (policy document, technical specification, incident response playbook, architecture review, audit evidence package, training material)
OUTPUT STRUCTURE (generate ALL applicable sections):
1. EXECUTIVE SUMMARY
- Business context and risk appetite statement
- Key security objectives and success metrics
- Critical findings requiring immediate attention (if any)
2. SCOPE & BOUNDARIES
- In-scope systems, data classifications, and user populations
- Explicit exclusions and assumptions
- Third-party and supply chain dependencies
3. THREAT MODEL & RISK ASSESSMENT
- STRIDE or MITRE ATT&CK-based threat analysis
- Risk scoring using [RISK_MATRIX] (Likelihood × Impact matrix)
- Residual risk acceptance rationale
4. SECURITY ARCHITECTURE
- Defense-in-depth layers (perimeter, network, endpoint, application, data)
- Zero Trust implementation specifics
- Encryption standards (at-rest, in-transit, in-use where applicable)
- Identity and access management architecture
5. CONTROL IMPLEMENTATION
- Technical controls: configurations, tools, automation
- Administrative controls: policies, procedures, training
- Physical controls: where relevant
- Control effectiveness metrics and monitoring
6. INCIDENT RESPONSE & OPERATIONS
- Detection, containment, eradication, recovery procedures
- Escalation matrices and communication protocols
- Forensic preservation requirements
- Post-incident review process
7. COMPLIANCE MAPPING
- Cross-reference to [COMPLIANCE] requirements
- Evidence locations and retention periods
- Audit trail and logging specifications
8. TESTING & VALIDATION
- Penetration testing scope and frequency
- Vulnerability management SLAs
- Control testing procedures (automated and manual)
- Red team exercise integration
9. GOVERNANCE & MAINTENANCE
- Review cycles and version control
- Change management integration
- Metrics and KPIs for continuous improvement
- Owner/RACI assignments
10. APPENDICES
- Acronyms and definitions
- Reference architectures and data flow diagrams (describe if visual)
- Tool configurations and baseline standards
- Contact information and escalation paths
TONE & STYLE REQUIREMENTS:
- Precision over verbosity: every sentence must convey actionable information
- Active voice for procedures; passive voice acceptable for audit evidence
- Threat actor naming: use MITRE ATT&CK group IDs or generic descriptors (e.g., "nation-state APT")
- Quantify risks where possible; use ranges when exact figures unavailable
- Include [PLACEHOLDER] markers for organization-specific details you cannot infer
- Flag any assumptions made with [ASSUMPTION: explanation]
QUALITY GATES:
- Verify no contradictory guidance between sections
- Ensure controls directly address identified threats
- Confirm compliance mapping is complete and traceable
- Validate that incident response procedures are time-bounded
- Check that all roles have unambiguous accountability
Generate the complete documentation now. If any input variable is insufficient for a section, explicitly request the missing information rather than fabricate.Best Use Cases
Preparing for SOC 2 Type II or ISO 27001 certification with limited internal documentation resources
Documenting security architecture for M&A due diligence or customer security questionnaires
Creating incident response playbooks after tabletop exercises reveal documentation gaps
Translating penetration test findings into remediation roadmaps with executive justification
Establishing secure baseline configurations for DevSecOps teams deploying new infrastructure
Frequently Asked Questions
More Like This
Back to LibraryAdvanced Multi-Platform Threat Hunting Query Generator
This prompt helps security analysts, threat hunters, and detection engineers convert vague threat scenarios and IOCs into structured, tiered query sets. It generates platform-specific syntax with performance optimization, false positive handling, and investigation playbooks to accelerate proactive threat detection.
#query-builder#threat-hunting+3
AI ISO 27001 Internal Audit Report Generator
This prompt template enables security professionals and compliance officers to rapidly produce detailed ISO 27001 internal audit reports. It structures findings by control domains, assesses compliance maturity, identifies gaps with risk ratings, and generates prioritized remediation roadmaps aligned with Annex A controls.
#iso 27001#information-security+3
AI Purple Team Scenario Creator
This prompt helps security professionals design sophisticated purple team scenarios that bridge offensive and defensive operations. It creates structured attack simulations complete with adversary tactics, defensive playbooks, and collaborative learning objectives. Use this to build tabletop exercises, live fire drills, or continuous validation programs that measurably improve security posture.
#cybersecurity#purple-team+3
Get This Prompt
FreeQuick Actions
Open in Playground
Estimated time:13 min
Verified by18 experts