Prompt Design for Security Work
A practical framework for writing prompts that produce decision-ready security output.
Most low-quality outputs come from low-precision prompts. Use this framework to request answers that are scoped, verifiable, and actionable.
Prompt Framework
1) Scope Definition
State exactly what environment, assets, and timeframe are in scope.
- Asset boundary (
internet-facing,production,finance systems). - Time window (
last 7 days,since patch release). - Threat object (
CVE, actor, malware family, IOC cluster).
2) Evidence Requirements
Tell Canoma what quality bar you need before a claim is accepted.
- Request source-backed claims only.
- Ask to separate observed facts from assumptions.
- Require confidence level for key conclusions.
3) Decision Output Format
Define the output shape for the audience that will act on it.
- Executive summary for leadership.
- Technical details for SOC/VM.
- Prioritized next actions with owner suggestions.
Reusable Prompt Template
bash
Analyze [CVE/actor/issue] for [asset scope] over [time window]. Return:
- confirmed facts with source references,
- assumptions/uncertainties,
- priority-ranked actions for the next 24-72 hours.
Common Prompt Failures
| Weak input | Better input | Why it matters |
|---|---|---|
| "Are we at risk?" | "Are internet-facing Linux hosts at risk from CVE-2025-XXXX in the last 30 days?" | Adds asset and time boundaries |
| "Give me details" | "Provide exploit evidence, affected versions, and remediation complexity" | Forces actionable dimensions |
| "Summarize this threat" | "Summarize + include confidence + top 3 actions by urgency" | Converts summary to decisions |
Review Before Sharing
- At least one authoritative source backs each critical claim.
- Output includes explicit uncertainty where evidence is weak.
- Action items are prioritized and operationally feasible.