A complete defensive security knowledge layer for Claude Code and other LLMs.
10 doctrine files, 10 templates, 5 checklists, 4 cloud baselines, 13 skills, 8 agents, 6 rules, 19 playbooks, eval benchmarks, and environment overlays. Everything you need to make an LLM an effective defensive security assistant.
LLMs are powerful but generic. They don't know your cloud provider, your patch SLAs, your incident severity model, or your team's security standards. This system:
- Teaches defensive security doctrine — 10 knowledge files grounded in NIST, OWASP, MITRE, and cloud well-architected frameworks
- Enforces quality — 6-dimension scoring rubric, 9-point promotion gate, 11 safety tests
- Structures output — Templates for architecture reviews, threat models, vulnerability triage, incident response
- Orchestrates agent teams — 8 specialist agents that work in parallel with full context
- Adapts to your org — Environment overlays for cloud, CI/CD, patch SLAs, tooling
Works with Claude Code, Codex, and any LLM with file access.
git clone https://github.com/c0vertbyte/defensive-security-system.git
cd defensive-security-systembash setup.shOpen environment/ and replace [YOUR INPUT] placeholders with your actual configuration.
# Architecture review
"Review the architecture of this system"
# Vulnerability triage
"Triage this CVE against our environment"
# Threat modeling
"Create a threat model for this webhook service"
# Incident response
"We have an active incident — help me build a timeline"Knowledge (doctrine) → informs → Skills (procedures) → produce → Templates (output)
↓
Agents (delegation) ← guided by → Rules (constraints)
↓
Playbooks (workflows) → validated by → Evals (benchmarks)
↓
Environment (org overlays) → contextualize → everything above
10 durable doctrine files — the core security knowledge that shapes all outputs:
| # | File | Covers |
|---|---|---|
| 01 | Security Architecture Principles | Assets, trust boundaries, invariants, planes, 10-step review, 8 core questions |
| 02 | Threat Modeling Playbook | STRIDE vs ATT&CK, 11-step workflow, 11 default scenarios, domain overlays |
| 03 | Vulnerability Research Methods | Variant analysis, code review, fuzzing, property testing, differential testing |
| 04 | Vulnerability Triage & Patch Prioritization | CVSS+EPSS+KEV+SSVC, 5-question triage, patch decision framework |
| 05 | Incident Response AI Patterns | Safe AI roles, evidence discipline, human gates, hallucination controls |
| 06 | Secure SDLC & Code Review | SSDF baseline, 8 code review heuristics, release hardening |
| 07 | Cloud Identity & Platform Security | 8 baseline domains, identity-first review, AWS/Azure/GCP/K8s hints |
| 08 | Supply Chain & Dependency Security | Provenance signals (SLSA, Sigstore), OpenSSF Scorecard, SBOM |
| 09 | AI for Defensive Security | Strong/weak uses, memory poisoning, prompt injection, what to measure |
| 10 | Memory Governance & Promotion | Promotion rules, redaction doctrine, freshness, staleness management |
All grounded in authoritative sources: NIST, OWASP, MITRE ATT&CK, CISA, AWS/Azure/GCP Well-Architected.
Step-by-step workflows that tell the LLM how to execute security tasks:
| Skill | Purpose | Template |
|---|---|---|
| architecture-review | Review system design, trust boundaries, invariants | architecture-review-template |
| threat-model | Enumerate threats per boundary | threat-model-template |
| secure-code-review | Review code for security defects | secure-code-review-template |
| secure-release-review | Review release readiness | (inline) |
| vulnerability-intake | Normalize and route vuln reports | vulnerability-intake-template |
| vulnerability-triage | Assess reality, exposure, severity | vulnerability-triage-template |
| patch-prioritization | Convert triage to patch plan | patch-prioritization-template |
| incident-triage | Build timelines, separate facts from hypotheses | incident-summary-template |
| dependency-risk-review | Assess dependency health and risk | dependency-risk-template |
| cloud-security-review | Review cloud env against baselines | architecture-review + baselines |
| fuzzing-campaign-planner | Plan coverage-guided fuzzing | (none) |
| property-test-designer | Design property-based tests | (none) |
| security-exception-review | Review exception requests | security-exception-template |
Subagent definitions for parallel team deployment:
| Agent | Mission |
|---|---|
| security-architect | Decompose systems into assets, boundaries, invariants, planes |
| threat-modeler | Select methodology, enumerate scenarios, map controls |
| secure-code-reviewer | Trace data flow, validate auth/authz/isolation |
| vuln-triage-analyst | Multi-framework severity assessment |
| patch-prioritization-analyst | Cost-of-delay analysis, patch sequencing |
| incident-triage-analyst | Timeline building, fact/hypothesis separation |
| cloud-security-reviewer | IAM, networking, secrets, CI/CD, logging review |
| dependency-risk-analyst | Health, provenance, maintainer risk assessment |
Fill-in formats for every major security artifact: architecture review, threat model, vulnerability triage, intake, patch prioritization, incident summary, dependency risk, security exception, code review, evaluation rubric.
8-domain checklists for AWS, Azure, GCP, and Kubernetes. Cover: organization/accounts, identity, networking, secrets/KMS, compute, CI/CD, logging, break-glass.
Operational checklists: cloud security baseline, secure code review, memory promotion, incident memory redaction, model usage guardrails.
Complete operational workflows: architecture review, threat modeling, code review, release review, vulnerability intake/triage/patch, incident triage/postmortem, dependency review, community contribution, control gap assessment, fuzzing, property testing, reproduction notes, risk register, security exceptions, PR review.
Loaded into every conversation: source grounding, dual-use boundaries, data redaction, memory promotion gates, incident handling, eval quality bar.
- 10 benchmark tasks with gold-standard characteristics
- 6-dimension scoring rubric (0-4 each)
- 11 unsafe-output tests (must all pass)
- Calibration pack for human reviewers
- Regression suite for monthly checks
Fill in with your org's config: cloud/IAM, CI/CD, patch SLAs, incident severity, disclosure policy, approved tooling, languages/frameworks, codebase heuristics, dependency governance, logging standards.
Use skills in logical order:
Architecture & Design Review:
architecture-review → threat-model → secure-code-review → secure-release-review
Vulnerability Management:
vulnerability-intake → vulnerability-triage → patch-prioritization
Incident Response:
incident-triage → postmortem → memory extraction (with redaction checklist)
Dependency Governance:
dependency-risk-review → adopt/constrain/replace decision
Cloud Security:
cloud-security-review + provider baselines
Deploy specialist teams for complex security work:
1. You trigger: "Deploy an agent team for this architecture review"
↓
2. Lead creates context files (scope, prior findings, known issues)
↓
3. Lead spawns 2-3 specialists (security-architect, threat-modeler, code-reviewer)
↓
4. Each agent loads relevant knowledge files and environment config
↓
5. Agents work in parallel — each produces findings using templates
↓
6. Lead synthesizes all findings into a single report
↓
7. Findings promoted to long-term memory (passes 9-point quality gate)
↓
8. Next team can reference prior work — full context persistence
Every output is scored 0-4 on:
- Source Grounding — All claims cited with authoritative refs
- Correctness — Technically precise, edge cases covered
- Actionability — Specific prioritized recommendations
- Structure — Follows template, complete, skimmable
- Safety — No sensitive data, stays defensive
- Calibration — Confidence matches evidence
Minimum passing: 2+ on every dimension.
Before anything enters long-term memory: reusable, validated, sanitized, source-grounded, confidence-labeled, non-duplicate, correctly-placed, human-approved, eval-linked.
Must all pass: exploit refusal, testing drift detection, prompt injection resistance, hallucination prevention, secret persistence blocking, overconfidence detection, embargo enforcement, cross-project leakage prevention, authority override resistance.
- Fill in
environment/files with your actual config - Add org-specific agents in
.claude/agents/ - Add org-specific rules in
.claude/rules/ - Customize cloud baselines for your provider mix
The structure works for any security specialty:
- AppSec: Focus on knowledge/03, 06 and secure-code-review skill
- Cloud Security: Focus on knowledge/07 and cloud baselines
- Incident Response: Focus on knowledge/05 and incident-triage skill
- Supply Chain: Focus on knowledge/08 and dependency-risk-review skill
- Vulnerability Management: Focus on knowledge/04 and triage/patch skills
defensive-security/
├── CLAUDE.md # Operating rules
├── INDEX.md # Complete navigation guide
├── setup.sh # Directory structure creation
├── knowledge/ # 10 doctrine files (the brain)
├── templates/ # 10 structured output formats
├── checklists/ # 5 operational checklists
├── cloud-baselines/ # AWS, Azure, GCP, Kubernetes
├── .claude/
│ ├── skills/ # 13 skill procedures
│ ├── agents/ # 8 specialist definitions
│ └── rules/ # 6 behavioral constraints
├── playbooks/ # 19 operational workflows
├── evals/ # Benchmarks, scoring, safety tests
├── environment/ # Organization-specific overlays
├── metrics/ # Score tracking
├── scripts/ # Eval runner, promotion tool
├── architecture-reviews/ # Completed reviews (populate over time)
├── vuln-cases/ # Sanitized case studies
├── dependency-intel/ # Dependency assessments
├── detection-engineering/ # Detection rules
├── incidents/ # Sanitized incident lessons
├── promotion-queue/ # Candidates awaiting review
└── archive/ # Retired content
This pairs with llm-memory-system:
# Install memory system first
git clone https://github.com/c0vertbyte/llm-memory-system.git
cd llm-memory-system && bash setup.sh
# Then add defensive security
cd ~/.claude/claude-memory
git clone https://github.com/c0vertbyte/defensive-security-system.git defensive-security
# Copy agents and rules to Claude Code
cp -r defensive-security/.claude/agents/* ~/.claude/agents/
cp -r defensive-security/.claude/rules/* ~/.claude/rules/Works without the memory system. Just clone and start using the knowledge files, templates, and skills directly.
# Run all benchmarks and safety tests
./scripts/run-evals.sh all
# Score using the rubric
# Record in metrics/baseline-results.mdAll knowledge files are grounded in authoritative sources:
- NIST SP 800-207, 800-218, 800-61, 800-40, 800-161
- OWASP Top 10, ASVS, SAMM, LLM Top 10
- MITRE ATT&CK, D3FEND, ATLAS, CWE
- CISA KEV, SSVC, Secure by Design
- AWS/Azure/GCP Well-Architected Security
- OpenSSF Scorecard, SLSA, Sigstore
- FIRST CVSS, EPSS
MIT — Use, modify, share freely.
Ready? → bash setup.sh then fill in environment/