A practitioner's prompt library for vulnerability management — the prompts I use to put an LLM to work on real VM workflows: triage, prioritization, remediation, risk decisions, and reporting.
These are not generic "act as a security expert" one-liners. Each prompt is structured the way the work actually runs: exploitation-aware prioritization (EPSS, CISA KEV, NIST LEV, SSVC), business-risk framing, and outputs you can paste straight into a ticket, a change record, or a leadership update.
Model-agnostic. They work with Claude, ChatGPT, or Copilot; they're written with clear roles, inputs, and output contracts so you get consistent results regardless of model. Use the most capable current model you have access to.
- Pick the prompt for your task from the index below.
- Replace the
{{placeholders}}with your data. - Paste it in. Most prompts ask for structured output so the result drops straight into your workflow.
Every prompt follows the same format (TEMPLATE.md): when to use it, expected inputs, the output contract, the prompt itself, and tuning notes.
- CVE triage — one CVE in, a composite patch-now / this-cycle / standard verdict out, with the reasoning shown.
- Prioritize a scan list — paste a list of findings, get a ranked remediation queue.
- Exploitation assessment — assess real-world exploitability across the signals that matter.
- Executive summary — turn a technical finding into a business-risk narrative leadership will read.
- Engineer brief — a tight, actionable brief for the person who has to fix it.
- Remediation plan — draft a detect / fix / validate / rollback plan.
- PowerShell remediation stub — generate a script skeleton in that same pattern.
- Risk acceptance write-up — a structured, defensible exception with compensating controls and an expiry.
- Patch Tuesday briefing — turn the month's bulletins into a prioritized briefing.
- KPI / KRI narrative — turn a metrics dump into a leadership narrative.
These prompts are written to work on sanitized or public inputs (CVE IDs, plugin titles, generalized counts). Before pasting real vulnerability data, host names, or internal context into any third-party model, follow your organization's AI-use policy: redact identifiers, avoid sensitive system details, and use an approved, data-protected endpoint. The model should help you reason and write, not become a place your scan data leaks.
Built by Joe Cook. Companion to cve-explorer and remediation-playbooks.