• Sensitive data, auth, or transaction flows are introduced/changed.
• Compliance or internal policy requires security validation.
• Potential abuse vectors are identified in design review.

• Identify exploitable weaknesses in auth, input handling, and data protection.
• Assess security risk impact and remediation priority.
• Support secure-release decisions with evidence.

1. Define threat scope and high-value assets.
2. Build attack surface map across endpoints, roles, and trust boundaries.
3. Execute checks for auth bypass, injection, data exposure, and misconfiguration.
4. Validate logging, rate limits, and defensive controls.
5. Reproduce vulnerabilities and estimate exploitability.
6. Deliver risk-ranked findings with fix and revalidation guidance.

Input:

• Feature: admin export API with role-based access

Output:

• Found horizontal privilege escalation via parameter tampering
• Risk: high (sensitive data exposure)
• Fix: enforce server-side ownership check + add audit rule

Input:

• "Do a security scan"

Output (problem):

• Scanner results copied without exploit verification
• False positives mixed with real risks

• Do not treat scanner output as final verdict.
• Do not test production attack scenarios without authorization.
• Do not understate exploitability of data exposure issues.
• Do not omit reproduction details for confirmed findings.
• Do not sign off security status without remediation retest.