alirezarezvani/ciso-review
c-level-advisor/c-level-agents/skills/ciso-review/SKILL.md
/cs:ciso-review <plan> — Risk-paranoid interrogation of any plan that touches data, compliance, or production access.
$ install --global
skillsauthnpx skillsauth add alirezarezvani/claude-skills ciso-reviewInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 14, 2026, 3:31 AM152.0s1 file scanned
SKILL.md
- name:
- ciso-review
- description:
- /cs:ciso-review <plan> — Risk-paranoid interrogation of any plan that touches data, compliance, or production access.
/cs:ciso-review — CISO Forcing Questions
Command: /cs:ciso-review <plan>
The risk-paranoid threat-modeler. Six questions before any production change that touches customer data or compliance scope.
When to Run
- Before deploying any system that touches PII / PHI / cardholder data
- Before signing a new vendor with data access
- Before a compliance audit (SOC 2, ISO 27001, HIPAA, GDPR)
- Before any architecture decision crossing trust boundaries
- After any near-miss incident
The Six CISO Questions
1. Threat Model
What's the STRIDE threat model for this system, and which threat is most likely?
- Spoofing, Tampering, Repudiation, Info Disclosure, DoS, Elevation of Privilege.
- Pick the top 3 by likelihood × impact.
2. Blast Radius
If this is fully compromised, what data is exposed and how many users are affected?
- Worst case in plain English.
- Quantify in dollars via FAIR-based ALE.
3. Detection
What signals indicate compromise, and how long until they're triggered (MTTD)?
- Logs alone are not detection.
- Define the detection rule, the alert, and the on-call.
4. Response
Is there an IR runbook for this scenario, and has it been tabletop-tested?
- If no runbook: build one before ship.
- If untested: tabletop before ship.
5. Regulatory Window
What's the regulator notification window if this scenario occurs?
- GDPR: 72h. HIPAA: 60d. State breach laws vary.
- Pre-write the customer comms template.
6. Vendor & Supply Chain
Which third-party vendors are in scope, and what's their security posture?
- Subprocessor list current?
- DPAs in place?
- Last security review per vendor?
Workflow
python ../../../skills/ciso-advisor/scripts/risk_quantifier.py
python ../../../skills/ciso-advisor/scripts/compliance_tracker.py
Output Format
# CISO Review: <plan>
**Date:** YYYY-MM-DD
## Threat Model
- Top threat: <STRIDE category> — <description>
- Likelihood: H/M/L | Impact: H/M/L
- ALE: $X / year
## Blast Radius
- Data exposed (worst case): <description>
- Users affected: N
- Estimated cost: $X
## Detection
- MTTD target: X hours
- Current MTTD: X hours
- Detection rule: <name>
## Response
- IR runbook: ✅ / ❌
- Last tabletop: <date>
## Regulatory
- Frameworks in scope: SOC 2 / ISO 27001 / HIPAA / GDPR
- Notification window: X hours/days
## Vendors
- New vendors added: N
- DPAs signed: N / N
- Security reviews complete: N / N
## Verdict
🟢 SHIP | 🟡 MITIGATE THEN SHIP | 🔴 BLOCK
Routing
/cs:cto-review— architecture alignment/cs:gc-review— DPA, regulatory implications/cs:decide— log risk acceptance/cs:boardroom— for CRITICAL risks
Related
- Agent:
cs-ciso-advisor - Skill:
ciso-advisor - Compliance:
../../../../ra-qm-team/
Version: 1.0.0
Related Skills
alirezarezvani/code-reviewer
tools
VerifiedTrustedCommunity
Code review automation for TypeScript, JavaScript, Python, Go, Swift, Kotlin, C#, .NET, Java, C, C++, Rust, Ruby, PHP, and Dart/Flutter. Analyzes PRs for complexity and risk, checks code quality for SOLID violations and code smells, generates review reports. Use when reviewing pull requests, analyzing code quality, identifying issues, generating review checklists.
16,546SKILL.mdUpdated May 10, 2026
alirezarezvani/research-ops-skills
tools
VerifiedTrustedCommunity
Use when planning, funding, scoping, or synthesizing enterprise research across workstreams — clinical study design, R&D program finance, market sizing/surveys, or product/user research. Triggers on "design this clinical study", "what sample size", "R&D budget", "burn rate", "capitalize or expense", "TAM SAM SOM", "market sizing", "survey design", "segment the market", "plan user interviews", "usability test", "synthesize research insights". Forks context to route to one of four Research-Operations sub-skills (clinical-research, research-finance, market-research, product-research) and returns a digest. Distinct from ra-qm-team (regulatory submission), finance (corporate close/valuation), research/grants (funding discovery), product-team (persona/journey/live experiments), and marketing-skill (campaign analytics).
16,359SKILL.mdUpdated May 28, 2026
alirezarezvani/research-finance
development
VerifiedTrustedCommunity
Use when managing the money for an internal R&D program or portfolio — building a multi-period program budget with the F&A (indirect) split, tracking burn rate and runway against value-inflection milestones, or routing R&D cost items to a capitalize-vs-expense determination. Every budget output surfaces its assumptions block; capitalize-vs-expense is decision-support only and routes to a named finance owner — it never books an entry or decides accounting treatment. Distinct from finance/financial-analysis (corporate DCF, close, valuation) and research/grants (funding discovery — this manages money already won).
16,359SKILL.mdUpdated May 28, 2026
alirezarezvani/product-research
development
VerifiedTrustedCommunity
Use when planning and synthesizing product/user research as a method-and-repository discipline — selecting the right method for the goal (generative interviews vs usability test vs concept test vs validation), computing method-based saturation/sample size with an explicit confidence level, or synthesizing coded observations into insights while flagging single-source anecdotes. Never fabricates user insight; an insight requires recurrence across independent participants. Distinct from product-team/ux-researcher-designer (persona/journey artifacts), product-discovery (discovery-sprint planning), and experiment-designer (live A/B) — this is the research-ops method + insight-repository layer.
16,359SKILL.mdUpdated May 28, 2026