Agent opus

Security

Security Analyst identifying, assessing, and mitigating security risks throughout the development lifecycle.

Overview

The Security Analyst identifies and mitigates risks at every stage of development. From threat modeling during design to code-level vulnerability scanning during QA, this agent ensures that security is built in — not bolted on. It thinks like an attacker to protect like a defender.

When It's Used

Invoked during /dr-design for threat modeling, /dr-qa for deep security review, and /dr-compliance for secrets scanning. In Consilium, it asks the essential question: "what can go wrong and how do we prevent it?"

Capabilities

  • Threat modeling — STRIDE methodology and attack tree construction
  • OWASP Top 10 assessment — systematic check against the most common web vulnerabilities
  • Dependency audit — CVE scanning and supply chain risk assessment
  • Secrets detection — finds hardcoded credentials, API keys, tokens in code and config
  • Auth and authz review — evaluates authentication flows and authorization boundaries
  • Data protection — encryption at rest and in transit, PII handling, GDPR awareness
  • SAST mindset — reviews code for injection, XSS, SSRF, path traversal, deserialization
  • Architecture review — trust boundaries, attack surface mapping

How It Works

The Security Analyst reads the task definition and system patterns, then applies a systematic methodology. During design, it builds threat models using STRIDE and identifies trust boundaries. During QA, it reviews code with a SAST mindset — looking for injection points, authentication bypasses, and data exposure. It scans dependencies for known CVEs and checks that secrets are managed through proper channels.

Example

/dr-design "Add payment processing"
→ Security builds STRIDE threat model
→ Identifies 5 trust boundaries
→ Attack surface: 3 API endpoints, 1 webhook receiver
→ Risks: payment data in logs (HIGH), missing rate limit (MEDIUM)
→ Mitigations: structured logging without PII, rate limiter middleware
→ Updates systemPatterns.md with security requirements
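
The mitigation named in the example above, structured logging without PII, as an added Python example. It is not Datarim's own code; the field names in `SENSITIVE_KEYS` and the `ctx` record attribute are assumptions made for illustration.

```python
import json
import logging
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
# A PAN directly followed by more digit groups is matched as one run and may fail
# the Luhn check, so keep amounts and IDs in their own fields.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SENSITIVE_KEYS = {"card_number", "cvv", "pan"}  # assumed field names


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from order IDs and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pans(text: str) -> str:
    def repl(m):
        digits = re.sub(r"\D", "", m.group())
        return "[PAN ****" + digits[-4:] + "]" if luhn_ok(digits) else m.group()
    return PAN_RE.sub(repl, text)


def scrub(value, key=None):
    # Drop known-sensitive fields by name, then mask PANs in any free text.
    if key in SENSITIVE_KEYS:
        return "[REDACTED]"
    if isinstance(value, dict):
        return {k: scrub(v, k) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [scrub(v) for v in value]
    if isinstance(value, str):
        return mask_pans(value)
    return value


class RedactingJsonFormatter(logging.Formatter):
    """Emits one JSON object per record; `ctx` is an assumed extra attribute."""
    def format(self, record):
        event = {"level": record.levelname, "msg": record.getMessage(),
                 "ctx": getattr(record, "ctx", {})}
        return json.dumps(scrub(event), sort_keys=True)
```

Attach the formatter to the handlers that ship logs off the host, so redaction happens before a record leaves the process.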

Context Loading

Reads datarim/tasks.md and datarim/systemPatterns.md. Applies security (auth, input validation, data protection) and datarim-system skills. Loads compliance skill when regulatory checks are needed.

Skills Used

security (always), datarim-system (always), compliance (when needed).