Guided Security Review

What the workflow covers

• Application context intake: app name, system archetype, runtime environments, and domains.
• Architecture trust boundaries and critical asset ownership.
• Sensitive data flow mapping, retention, and offboarding controls.
• Identity reviewer accountability, SSO, and MFA posture.
• Runtime controls including private serverless networking and container platform hardening checks.
• CIA reflected in controls, including backup and DR, high availability and failover, and integrity safeguards.
• Expanded assurance controls for IAM, network segmentation, secrets, logging, backup/DR, SDLC, and vulnerability management.
• Bundled first-party scanner deployment posture for pipeline, cloud, Kubernetes, host, and network surfaces.

Operator flow

1. Open Security Reviews and enter application context (name, archetype, runtime environments, and domains).
2. Review the dynamically selected vetted controls and mark each as pass, fail, partial, unknown, or not applicable.
3. Attach reviewer notes and evidence links for all non-pass controls.
4. Use per-control framework mappings (CIS, NIST CSF, ISO 27001, OWASP Secure Coding) for audit traceability.
5. Let the platform score control gaps and generate prioritized remediation actions.
6. Finalize the review to lock the summary and export a JSON evidence bundle.

Permissions

• reviewer: can read and update reviews.
• tenant_admin: can read, update, finalize, and export reviews.
• platform_admin: inherits full review access for support and oversight workflows.

Evidence bundle

Exported bundles include the review template snapshot, answered controls, computed risk summary, prioritized remediation actions, and immutable lifecycle events for reviewer accountability.