AI Security Review Workflow

Review code for what an attacker would do, not just what tests catch — anchor the model as a security engineer, run a threat-focused review, then back the findings with auth and input tests.

The problem

A normal review optimizes for correctness and readability, and a security bug sails right through it because nobody was looking for one. Security review is a different lens: you assume an attacker, you go looking for the input that isn't validated and the auth check that isn't there, and you treat 'it works' as beside the point. Doing that with AI means first putting the model in a security mindset instead of a general-helper one, reviewing against the failure classes that actually cause breaches, and proving the risky paths with tests rather than trusting a clean read.

Recommended workflow

Each step uses an existing NewPrompt tool, pre-filled by a matching resource. Open the resource to read it, or jump straight into the tool with the inputs ready.

  1. Put the model in a security mindset

    A general assistant reviews for bugs; a security engineer reviews for attackers. Anchor the model in that role first, so the review ranks threats by likelihood and impact instead of listing style nits.

    Goal: The model reviewing as a security engineer, not a generalist.

  2. Review for the threats that cause breaches

    Run the review against the real failure classes — injection, broken auth, unvalidated input, leaked secrets, unsafe deserialization — and rank findings by exploitability, not by how easy they are to spot.

    Goal: Risk-ranked security findings, each with an attack path.

  3. Prove the risky paths with tests

    For the auth and input paths the review flagged, write tests that try to break them — wrong credentials, missing tokens, malformed input — so a fix is provable and a regression gets caught.

    Goal: Tests that exercise the attack paths, not just the happy one.
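
An added example, not from the original page, of what the tests in step 3 can look like: a hypothetical handler `get_profile` that accepts an HMAC-signed bearer token, run against the missing-token, wrong-credential and malformed-input paths the step names, plus an expired token and a request for another user's record. The token format `user.expires.hexmac`, the key and every name here are assumptions made for illustration.

```python
import hashlib
import hmac
import re

SECRET = b"constructed-demo-key"  # constructed value, not a real secret
NOW = 1_700_000_000  # fixed clock so the tests are repeatable
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")
TOKEN_RE = re.compile(r"Bearer (([a-z0-9_]{3,32})\.([0-9]{1,12}))\.([0-9a-f]{64})")

def mac_for(body: str) -> str:
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()

def sign(user: str, expires: int) -> str:
    """Issue a token 'user.expires.hexmac' (hypothetical format for this example)."""
    body = f"{user}.{expires}"
    return f"{body}.{mac_for(body)}"

def get_profile(headers: dict, username: str, now: int) -> int:
    """Hypothetical handler under review; returns an HTTP status code."""
    m = TOKEN_RE.fullmatch(headers.get("Authorization", ""))
    if m is None:
        return 401  # missing or malformed token
    body, user, expires, mac = m.groups()
    if not hmac.compare_digest(mac, mac_for(body)):
        return 401  # forged or tampered token
    if int(expires) <= now:
        return 401  # expired token
    if USERNAME_RE.fullmatch(username) is None:
        return 400  # malformed input
    if username != user:
        return 403  # valid token, but someone else's record
    return 200

def attack_path_cases() -> dict:
    good = "Bearer " + sign("alice", NOW + 60)
    tampered = good[:-1] + ("0" if good[-1] != "0" else "1")  # flip last MAC digit
    ok = {"Authorization": good}
    return {  # case name -> (expected status, actual status)
        "valid token, own record": (200, get_profile(ok, "alice", NOW)),
        "missing token": (401, get_profile({}, "alice", NOW)),
        "malformed token": (401, get_profile({"Authorization": "Bearer a.b"}, "alice", NOW)),
        "tampered signature": (401, get_profile({"Authorization": tampered}, "alice", NOW)),
        "expired token": (401, get_profile(ok, "alice", NOW + 61)),
        "malformed input": (400, get_profile(ok, "../alice", NOW)),
        "other user's record": (403, get_profile(ok, "bob", NOW)),
    }

if __name__ == "__main__":
    for name, (want, got) in attack_path_cases().items():
        print(f"{'PASS' if want == got else 'FAIL'}  {name}: want {want}, got {got}")
```

Each case pins a status code to one attack path, so removing any single check in the handler turns exactly the matching case from PASS to FAIL.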


Expected outcome

A review that surfaces the vulnerabilities a correctness pass misses, ranked by exploitability, with tests guarding the auth and input paths — so the risky change is defensible, not just 'looks fine'.

Best for

  • Reviewing auth, input handling, or anything internet-facing
  • A security pass before a release or audit
  • Reviewing changes that touch sensitive data

Not for

  • A routine correctness review — use the AI Code Review Workflow
  • Designing security architecture from scratch — this reviews existing code

FAQ

How is this different from the AI Code Review Workflow?

Code review optimizes for correctness, maintainability, and tests — security is one focus among several. This is a dedicated security pass: a security-engineer mindset, a threat-class review, and tests for the attack paths. Different lens, different output.

Do I still need a normal review?

Usually yes. This catches security issues a correctness review misses; it doesn't replace the broader review for logic and maintainability. Run both on changes where security matters.

Does it find every vulnerability?

No tool does. It puts the model in the right mindset and points it at the failure classes that actually cause breaches, which catches far more than a generic review — but security review assists human judgment; it doesn't replace a real audit for high-stakes systems.
