50 GPT-5.5 Prompts for Cybersecurity Professionals: Threat Analysis, Incident Response, Vulnerability Assessment, and Security Automation

By the ChatGPT AI Hub Editorial Team
Cybersecurity teams are under relentless pressure. Threat actors are faster, more organized, and increasingly AI-assisted. Meanwhile, security operations centers face a chronic shortage of skilled analysts, an avalanche of alerts, and compliance frameworks that demand meticulous documentation. GPT-5.5 changes the calculus. With its expanded reasoning capabilities, multi-step instruction following, and deep technical knowledge base, GPT-5.5 is not just a writing assistant for security teams — it is a force multiplier that can accelerate threat intelligence analysis, generate incident response playbooks, automate vulnerability triage, and produce audit-ready compliance documentation.
This article delivers 50 battle-tested, production-ready prompts organized across five critical cybersecurity domains. Each prompt is engineered for precision: they specify output format, technical depth, and contextual constraints that GPT-5.5 needs to produce genuinely useful results rather than generic advice. Whether you are a CISO building out an AI-augmented SOC, a penetration tester accelerating your reporting workflow, or a DevSecOps engineer integrating AI into your CI/CD pipeline, these prompts are your operational starting point.
Before diving in, one critical principle: GPT-5.5 performs best in cybersecurity contexts when you treat it as a senior analyst peer, not a search engine. Provide context, constrain the output format, specify your environment, and iterate. The prompts below are designed with that philosophy baked in.
Section 1: Threat Intelligence and Analysis Prompts
Threat intelligence work involves synthesizing massive volumes of indicators, TTPs (Tactics, Techniques, and Procedures), and adversary profiles into actionable intelligence. GPT-5.5 excels at structuring this analysis, mapping findings to frameworks like MITRE ATT&CK, and generating threat actor profiles that security teams can act on immediately. These GPT-5.5 cybersecurity prompts are designed to accelerate the intelligence cycle from raw data to decision-ready output.
Prompt 1: MITRE ATT&CK Threat Actor Profile
You are a senior threat intelligence analyst. Based on the following indicators of compromise (IoCs) and observed TTPs, generate a comprehensive MITRE ATT&CK-mapped threat actor profile.
Observed behaviors:
- Spearphishing emails with malicious Office macros (initial access)
- Living-off-the-land binaries: certutil.exe, mshta.exe used for payload delivery
- Lateral movement via Pass-the-Hash
- C2 communication over DNS tunneling on port 53
- Data staged in %TEMP% before exfiltration via HTTPS POST to external IP
Output format:
1. Threat Actor Assessment (confidence level, likely attribution)
2. ATT&CK Technique IDs mapped to each observed behavior
3. Detection opportunities per technique
4. Recommended SIEM detection rules (Sigma format)
5. Priority mitigations from ATT&CK Mitigations library
Be specific. Include actual ATT&CK technique IDs (e.g., T1566.001), and mark each mapping as observed (directly supported by a behavior listed above) or inferred.
Prompt 2: Threat Intelligence Report from Raw IOCs
Convert the following raw IOC list into a structured threat intelligence report suitable for sharing with partner organizations via STIX 2.1 format.
IOCs:
[paste your IOC list here]
Include: threat classification, confidence scores (0-100), first/last seen estimates, recommended defensive actions, and a plain-language executive summary (max 150 words) suitable for non-technical leadership.
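The conversion Prompt 2 asks the model for can be checked against a deterministic baseline. The following is an added example, not code from the original article: it classifies each line of a raw IOC list, emits STIX 2.1 Indicator objects with the corresponding pattern, and wraps them in a Bundle using only the standard library. The IOC list is constructed, the confidence value is an arbitrary default, and lines that do not match any type are returned for analyst review rather than silently dropped.

```python
import re
import uuid
from datetime import datetime, timezone

# Constructed sample input: a raw IOC list of the kind Prompt 2 asks you to paste.
# Addresses and names are documentation/test values, not real indicators.
RAW_IOCS = """
198.51.100.23
update-cdn.example-bad.net
https://update-cdn.example-bad.net/dl/stage2.bin
4a1bc2f3e4d5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1
not an indicator at all
"""

# Ordered so the more specific shapes (URL, hash) are tried before the looser ones.
# Each entry: (type label, regex, STIX object path used in the pattern).
IOC_PATTERNS = [
    ("url", re.compile(r"^https?://\S+$", re.I), "url:value"),
    ("sha256", re.compile(r"^[0-9a-f]{64}$", re.I), "file:hashes.'SHA-256'"),
    ("ipv4", re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"), "ipv4-addr:value"),
    ("domain", re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I), "domain-name:value"),
]


def classify(value):
    """Return (ioc_type, stix_pattern) for one raw IOC, or None if unrecognised."""
    for ioc_type, regex, object_path in IOC_PATTERNS:
        if regex.match(value):
            # STIX patterns are comparison expressions in square brackets with
            # single-quoted literals, so an embedded quote must be escaped.
            escaped = value.replace("'", "\\'")
            return ioc_type, f"[{object_path} = '{escaped}']"
    return None


def make_indicator(value, confidence, now=None):
    """Build one STIX 2.1 Indicator SDO as a plain dict (no stix2 library needed)."""
    classified = classify(value)
    if classified is None:
        return None
    ioc_type, pattern = classified
    now = now or datetime.now(timezone.utc)
    stamp = now.strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": stamp,
        "modified": stamp,
        "name": f"{ioc_type} {value}",
        "pattern_type": "stix",
        "pattern": pattern,
        "valid_from": stamp,
        "confidence": confidence,  # STIX 2.1 confidence is an integer 0-100
        "labels": ["malicious-activity"],
    }


def build_bundle(raw_text, confidence=70):
    """Turn a raw IOC list into a STIX 2.1 Bundle; unparseable lines are reported."""
    indicators, rejected = [], []
    for line in raw_text.splitlines():
        value = line.strip()
        if not value:
            continue
        sdo = make_indicator(value, confidence)
        if sdo is None:
            rejected.append(value)
        else:
            indicators.append(sdo)
    bundle = {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": indicators}
    return bundle, rejected


if __name__ == "__main__":
    import json
    bundle, rejected = build_bundle(RAW_IOCS)
    print(json.dumps(bundle, indent=2))
    print("Rejected (needs analyst review):", rejected)
```

The rejected list is the part worth keeping in a real pipeline: an LLM asked to "convert everything" will happily coerce free text into an indicator, so anything the deterministic classifier cannot type should be reviewed by a person before it is shared.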
Prompt 3: Dark Web Threat Assessment
Act as a threat intelligence analyst reviewing dark web forum activity. I will provide you with translated excerpts from threat actor forums. Analyze the content and produce:
1. A threat severity rating (Critical/High/Medium/Low) with justification
2. Identification of targeted sectors or organizations
3. Likely attack vectors being discussed
4. Timeline assessment (imminent vs. planned vs. aspirational)
5. Recommended proactive defensive measures
6. Intelligence gaps that require further collection
Forum excerpts: [paste content here]
Flag any operational security implications for sharing this intelligence.
Prompt 4: Adversary Emulation Planning
You are a red team lead planning an adversary emulation exercise based on the threat actor APT29 (Cozy Bear). Generate a detailed adversary emulation plan that includes:
1. Target profile assumptions (mid-size financial services firm, hybrid AD/Azure environment)
2. ATT&CK Navigator layer recommendations
3. Specific tools and techniques to emulate (with justification for each selection)
4. Detection validation checkpoints for the blue team
5. Rules of engagement considerations
6. Success metrics for both red and blue teams
Format as a structured operational plan document.
Prompt 5: Malware Behavioral Analysis Summary
Analyze the following dynamic analysis sandbox report and produce a structured malware behavioral summary.
Sandbox output: [paste JSON or text output from sandbox tool]
Produce:
1. Malware family classification (with confidence percentage)
2. Capabilities matrix (persistence, evasion, C2, lateral movement, exfiltration)
3. Indicators of compromise (file hashes, registry keys, network indicators, mutexes)
4. YARA rule skeleton based on unique strings/behaviors observed
5. Recommended containment actions ranked by priority
Prompt 6: Threat Hunting Hypothesis Generation
Generate 10 threat hunting hypotheses for a healthcare organization that has recently migrated 40% of its infrastructure to AWS. Hypotheses should:
- Be grounded in known threat actor behaviors targeting healthcare (reference specific groups)
- Map to specific MITRE ATT&CK techniques
- Include the data sources required to test each hypothesis
- Specify the detection logic in pseudocode
- Rate feasibility of hunting with Splunk SIEM (High/Medium/Low) based on typical log availability
Format as a hunting hypothesis register table.
Prompt 7: Geopolitical Threat Landscape Brief
Produce a 500-word threat landscape brief for a CISO at a US-based critical infrastructure company (energy sector). Cover:
1. Current nation-state threat actors with demonstrated capability and intent against this sector
2. Key TTPs observed in the past 12 months
3. Emerging attack vectors gaining traction
4. Three strategic recommendations for defensive posture improvement
Write in executive brief style — precise, no jargon, actionable.
Prompt 8: CVE Threat Context Enrichment
For CVE-[NUMBER], provide a threat intelligence enrichment that goes beyond the NVD description. Include:
1. Exploitation status (in-the-wild, PoC available, theoretical)
2. Threat actors known to weaponize this vulnerability
3. Attack chains where this CVE appears as a component
4. Affected versions with specific configuration conditions that increase risk
5. Compensating controls if patching is not immediately feasible
6. Detection signatures (Snort/Suricata format if applicable)
Base your analysis on known public threat intelligence sources, be explicit about confidence levels, and answer "unknown" rather than guessing where exploitation status or attribution is not documented.
Section 2: Incident Response Prompts
Incident response is time-critical. During an active breach, security teams need structured thinking, clear communication, and repeatable processes, exactly the areas where AI-assisted threat analysis and GPT-5.5 provide the most leverage. These prompts help IR teams generate playbooks, structure post-incident documentation, communicate with stakeholders, and conduct forensic analysis more efficiently, and they give teams building out AI-augmented SOC capabilities a foundation for integrating model output into live response pipelines. Treat that output as a draft for an analyst to verify against the evidence, not as the evidence itself.
Prompt 9: Incident Response Playbook Generator
Generate a comprehensive incident response playbook for a ransomware attack targeting a Windows Server environment with Active Directory.
The playbook must follow the NIST SP 800-61 Rev. 2 incident handling phases (Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity).
For each phase include:
- Specific actions with responsible roles (IR Lead, SOC Analyst, System Admin, Legal, Communications)
- Decision trees for critical branching points
- Evidence preservation requirements
- Communication templates (internal escalation, executive notification, external notification)
- Tool recommendations with specific commands where applicable
Format as a numbered, actionable runbook. Include a RACI matrix for key decisions.
Prompt 10: Forensic Timeline Construction
You are a digital forensics examiner. I will provide you with Windows Event Log excerpts, network flow data, and endpoint telemetry. Construct a forensic timeline of the incident, identifying:
1. Patient zero (initial compromise vector with evidence)
2. Dwell time calculation
3. Lateral movement sequence with timestamps
4. Data access and exfiltration events
5. Persistence mechanisms established
Log data: [paste relevant log excerpts]
Present findings as a chronological timeline table with columns: Timestamp | Event | Evidence Source | ATT&CK Technique | Confidence Level
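The hard part of Prompt 10 is not the narrative but the normalization: evidence from different sources arrives in different time references, and a timeline built on the raw strings will put events in the wrong order. The following is an added example, not code from the original article, showing the mechanics a practitioner would want the model's answer to get right: Windows events in endpoint local time (assumed UTC-5 for the constructed data), netflow in epoch seconds, and EDR alerts in ISO-8601 UTC are normalized, sorted, used to compute dwell time and the lateral-movement hop sequence, and rendered in the table layout the prompt asks for. All hosts, accounts, addresses and event text are constructed.

```python
from collections import namedtuple
from datetime import datetime, timedelta, timezone

Event = namedtuple("Event", "ts source host detail technique")

# Constructed sample evidence from three sources, each with its own timestamp
# convention. Hosts, accounts and addresses are fictional.
WINDOWS_LOCAL_TZ = timezone(timedelta(hours=-5))  # assumption for the sample endpoints
WINDOWS_EVENTS = [  # (local time, host, detail, ATT&CK technique)
    ("2024-03-04 08:12:41", "WS-017", "4688 WINWORD.EXE spawned cmd.exe running certutil -urlcache", "T1566.001"),
    ("2024-03-04 10:45:03", "FS-02", "4624 LogonType=3 NTLM from WS-017 as svc_backup", "T1550.002"),
    ("2024-03-05 22:03:11", "DC-01", "4624 LogonType=3 NTLM from FS-02 as svc_backup", "T1550.002"),
]
NETFLOW = [  # (epoch seconds UTC, host, detail, technique)
    (1709559000, "WS-017", "UDP/53 to 203.0.113.9: 14,211 queries in 10 min", "T1071.004"),
    (1709695200, "FS-02", "HTTPS POST 412 MB to 203.0.113.44", "T1048.002"),
]
EDR_ALERTS = [  # (ISO-8601 UTC, host, detail, technique)
    ("2024-03-06T03:30:00Z", "DC-01", "EDR: credential dumping detected (LSASS handle)", "T1003.001"),
]


def to_utc(raw, kind):
    """Normalize the three timestamp conventions to timezone-aware UTC datetimes."""
    if kind == "windows":
        local = datetime.strptime(raw, "%Y-%m-%d %H:%M:%S").replace(tzinfo=WINDOWS_LOCAL_TZ)
        return local.astimezone(timezone.utc)
    if kind == "netflow":
        return datetime.fromtimestamp(raw, tz=timezone.utc)
    if kind == "edr":
        return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    raise ValueError(f"unknown source kind {kind!r}")


def build_timeline():
    """Merge all sources into one list ordered by normalized UTC time."""
    events = []
    for raw, host, detail, tech in WINDOWS_EVENTS:
        events.append(Event(to_utc(raw, "windows"), "winevt", host, detail, tech))
    for raw, host, detail, tech in NETFLOW:
        events.append(Event(to_utc(raw, "netflow"), "netflow", host, detail, tech))
    for raw, host, detail, tech in EDR_ALERTS:
        events.append(Event(to_utc(raw, "edr"), "edr", host, detail, tech))
    return sorted(events, key=lambda e: e.ts)


def dwell_time(timeline):
    """Time between the earliest evidence of compromise and the first detection (EDR alert)."""
    first = timeline[0].ts
    detected = next(e.ts for e in timeline if e.source == "edr")
    return detected - first


def lateral_movement(timeline):
    """Ordered (source host, destination host) hops derived from network logons (4624 type 3)."""
    hops = []
    for e in timeline:
        if "4624 LogonType=3" in e.detail:
            src = e.detail.split("from ")[1].split(" ")[0]
            hops.append((src, e.host))
    return hops


def confidence(event, timeline, corroboration=timedelta(minutes=30)):
    """High when a second, independent source shows activity on the same host within 30 min."""
    for other in timeline:
        if (other is not event and other.host == event.host
                and other.source != event.source
                and abs(other.ts - event.ts) <= corroboration):
            return "High"
    return "Medium"


def as_rows(timeline):
    """Rows in the column layout the prompt asks for."""
    return [f"{e.ts:%Y-%m-%d %H:%M:%S}Z | {e.detail} | {e.source} | {e.technique} | {confidence(e, timeline)}"
            for e in timeline]


if __name__ == "__main__":
    tl = build_timeline()
    print("Timestamp | Event | Evidence Source | ATT&CK Technique | Confidence Level")
    print("\n".join(as_rows(tl)))
    print("Dwell time:", dwell_time(tl))
    print("Lateral movement:", lateral_movement(tl))
```

Note what the corroboration rule does to the output: the two WS-017 events (a process creation and a DNS burst from different sensors, minutes apart) rate High, while the single-source logons rate Medium. When you paste a model-generated timeline into a report, that is the column to check by hand.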
Prompt 11: Executive Incident Notification Template
Draft an executive-level security incident notification for the following scenario:
Incident type: Business Email Compromise (BEC) resulting in fraudulent wire transfer
Affected systems: Email platform (Microsoft 365), finance department accounts
Business impact: $[AMOUNT] fraudulent transfer initiated; transfer status [pending/completed]
Current status: Incident contained, investigation ongoing
Write two versions:
1. Internal board notification (formal, complete, includes technical summary)
2. External customer notification (if customer data was potentially exposed)
Both must comply with general breach notification best practices. Flag where jurisdiction-specific legal review is required.
Prompt 12: Containment Decision Framework
I am responding to an active intrusion in a manufacturing company's OT/IT environment. The threat actor has compromised 3 IT workstations and appears to be attempting lateral movement toward the OT network.
Generate a containment decision framework that weighs:
- Business continuity risk (manufacturing cannot stop without $500K/hour loss)
- Evidence preservation requirements
- Further compromise risk
- Legal and regulatory notification triggers
Provide a decision tree with specific containment options (network isolation, account lockout, system shutdown) mapped to risk scenarios. Include the questions I need to ask before executing each option.
Prompt 13: Post-Incident Report Template
Generate a comprehensive post-incident report template for a data breach incident. The report must be suitable for:
- Internal security leadership review
- External regulatory submission (GDPR Article 33/34 compliant)
- Cyber insurance claim documentation
Sections required: Executive Summary, Incident Timeline, Root Cause Analysis (using 5 Whys methodology), Impact Assessment, Containment and Eradication Actions, Lessons Learned, Remediation Roadmap with owners and deadlines.
Include preliminary guidance notes in each section explaining what evidence and specifics to include.
Prompt 14: Threat Actor Eviction Checklist
Generate a comprehensive threat actor eviction checklist for an environment where an APT has maintained persistence for an estimated 6 months in a hybrid Active Directory/Azure AD (Microsoft Entra ID) environment.
The checklist must cover:
1. All persistence mechanism categories (registry, scheduled tasks, services, WMI subscriptions, Azure AD backdoors, OAuth app consents)
2. Credential reset prioritization matrix
3. Golden/Silver ticket invalidation procedures (including the two-stage krbtgt password reset, with replication allowed to complete between the two resets)
4. Azure AD token revocation steps
5. Verification procedures to confirm eviction
6. Re-infection detection monitoring for 90 days post-eviction
Format as a checklist with completion checkboxes, responsible parties, and estimated time per task.
Prompt 15: Incident Communication During Active Breach
Generate a communications plan for the first 24 hours of an active ransomware incident at a hospital. Include:
1. Hour-by-hour communication schedule
2. Stakeholder matrix (who gets what information at what time)
3. Approved holding statements for media inquiries
4. Internal staff communication (what to tell employees about system outages)
5. Vendor/partner notification templates
6. Regulatory body notification checklist (HHS OCR for HIPAA)
Tone: Calm, factual, avoid speculation. Flag legal review requirements.
Prompt 16: Memory Forensics Analysis Guide
Act as a memory forensics expert using Volatility 3. I have captured memory from a potentially compromised Windows 10 endpoint.
Provide a systematic analysis workflow including:
1. Recommended Volatility plugins to run in sequence with exact command syntax
2. What to look for in each plugin output (specific indicators of compromise)
3. How to identify process injection, hollow processes, and reflective DLL loading
4. Network artifact extraction procedure
5. How to extract and analyze suspicious executables from memory
Include actual Volatility 3 command examples throughout.
Section 3: Vulnerability Assessment and Penetration Testing Prompts
Vulnerability assessment is where AI assistance can dramatically compress the time between discovery and remediation. These vulnerability assessment AI prompts help security teams analyze scan outputs, prioritize findings, generate proof-of-concept documentation, and create remediation guidance that developers can actually act on. Teams that feed these prompts from their existing log and scan data pipelines are seeing 40-60% reductions in triage time for large scan outputs, provided the model is given asset criticality and exposure context alongside the raw findings; without that context the prioritization is only a CVSS sort.
Prompt 17: Vulnerability Scan Output Analysis
Analyze the following Nessus scan output (XML or CSV format) and produce a prioritized vulnerability report.
Scan output: [paste data]
Prioritization must account for:
1. CVSS score (base + temporal + environmental)
2. Exploitability (public exploit available, weaponized, in-the-wild)
3. Asset criticality (I will provide asset criticality tags)
4. Network exposure (internet-facing vs. internal)
Output: Executive summary table (top 10 critical findings), detailed finding cards for each Critical/High vulnerability with remediation steps, and a remediation roadmap prioritized by risk reduction impact.
Prompt 18: Penetration Test Report Generation
Generate a professional penetration test report for the following engagement:
Scope: External network penetration test, 5 IP ranges
Duration: 5 days
Findings summary: [list your findings with brief descriptions]
Report must include:
1. Executive Summary (non-technical, business risk focus, max 1 page)
2. Methodology section (aligned to PTES standard)
3. Individual finding cards with: Description, Evidence, Risk Rating, Business Impact, Remediation Steps, References
4. Risk heat map data (format for table)
5. Remediation roadmap with effort estimates
6. Attestation language for compliance purposes
Write in professional consulting report style.
Prompt 19: Attack Surface Mapping
Given the following organization profile, generate a comprehensive external attack surface map:
Organization: Mid-size SaaS company, 500 employees
Known assets: Primary domain [domain.com], 3 subsidiary domains, AWS and Azure cloud presence, Salesforce, Microsoft 365, GitHub (public repos)
Industry: Financial technology
Identify:
1. Asset discovery methodology (passive and active techniques)
2. Likely exposed services and their associated risks
3. Third-party/supply chain attack vectors
4. Social engineering attack surface (employee exposure)
5. Prioritized areas for attack surface reduction
Include specific tools for each discovery category.
Prompt 20: Remediation Guidance for Developers
Convert the following penetration test findings into developer-friendly remediation tickets.
Finding: [paste finding details]
For each finding, produce a Jira-style ticket in the following format:
- Title: [Specific, actionable]
- Severity: [with business justification]
- Description: [what the vulnerability is, in developer terms]
- Steps to Reproduce: [exact reproduction steps]
- Root Cause: [underlying code/config issue]
- Remediation: [specific code change or configuration fix with example]
- Verification: [how to confirm the fix works]
- References: [CWE, OWASP, relevant documentation]
Avoid security jargon. Write for a developer who is not a security specialist.
Prompt 21: Cloud Security Posture Assessment
Perform a structured cloud security posture assessment review for an AWS environment based on the following AWS Config and Security Hub findings:
Findings: [paste findings]
Map each finding to:
1. CIS AWS Foundations Benchmark control
2. AWS Well-Architected Framework security pillar
3. Risk rating with justification
4. Terraform or AWS CLI remediation command
5. Estimated remediation effort (hours)
Produce a prioritized remediation backlog table and an overall security posture score with methodology explanation.
Prompt 22: Web Application Security Code Review
Review the following code snippet for security vulnerabilities. Identify all security issues, classify each by CWE, provide CVSS 3.1 scoring rationale, and provide a secure code replacement.
Language: [Python/JavaScript/Java/etc.]
Context: [describe what this code does and where it runs]
Code:
[paste code here]
For each vulnerability found:
1. Vulnerability name and CWE ID
2. Explanation of why this is exploitable
3. Attack scenario (how an attacker would exploit this)
4. Secure replacement code with inline comments explaining the fix
5. Unit test cases to verify the fix
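To judge whether the model's answer to Prompt 22 is any good, it helps to have a reference pair in hand. The following is an added example, not code from the original article: a deliberately vulnerable SQL lookup (CWE-89) next to its parameterized replacement, with the attack scenario encoded as a payload and the verification step written as a function that returns True only when the fix holds. The table, rows and payload are constructed; sqlite3 from the standard library stands in for whatever database the real application uses.

```python
import sqlite3


def make_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


# BEFORE (vulnerable, CWE-89): the caller's string is spliced into the SQL text, so
# input can close the quote and append its own logic. Kept intentionally vulnerable.
def find_user_vulnerable(conn, username):
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


# AFTER: the statement text is constant and the value is bound as a parameter. The
# driver passes it as data, so quotes in the input never reach the parser as syntax.
def find_user_fixed(conn, username):
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Attack scenario: a tautology that turns "find this user" into "return every user".
PAYLOAD = "x' OR '1'='1"


def verify_fix():
    """The unit-test style check Prompt 22 asks for; True only when the fix holds."""
    conn = make_db()
    benign_before = find_user_vulnerable(conn, "bob")
    benign_after = find_user_fixed(conn, "bob")
    injected_before = find_user_vulnerable(conn, PAYLOAD)
    injected_after = find_user_fixed(conn, PAYLOAD)
    return (benign_before == benign_after == [("bob", "user")]  # behaviour preserved
            and len(injected_before) == 3                        # every row leaked
            and injected_after == [])                            # payload is just a name


if __name__ == "__main__":
    print("fix verified:", verify_fix())
```

A model-written "fix" that merely strips single quotes or wraps the input in an escaping helper would pass the benign case and fail the injected one; the second assertion is what separates a real remediation from a cosmetic one.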
Prompt 23: Privilege Escalation Path Analysis
I have run BloodHound against an Active Directory environment and have the following attack path data.
BloodHound data: [paste relevant paths or describe key relationships]
Analyze the privilege escalation paths and produce:
1. Top 5 highest-risk attack paths to Domain Admin with step-by-step exploitation explanation
2. Chokepoint analysis (which nodes/accounts, if secured, would break the most paths)
3. Specific remediation for each chokepoint (AD delegation fixes, ACL corrections, account hardening)
4. Detection opportunities for each attack path in Windows Event Logs
5. Quick wins vs. long-term remediation categorization
Section 4: Security Automation and DevSecOps Prompts
Security automation is where GPT-5.5 delivers some of its most measurable ROI for enterprise security teams. These security automation prompts cover SIEM rule development, SOAR playbook creation, security pipeline integration, and infrastructure-as-code security validation. The key to getting production-quality output from these prompts is providing specific platform context — GPT-5.5 generates materially different and better output when it knows you are using Splunk vs. Microsoft Sentinel, or Palo Alto XSOAR vs. Swimlane.
Prompt 24: SIEM Detection Rule Development
Generate production-ready Splunk SPL detection rules for the following attack scenarios. For each rule include:
Attack scenarios:
1. Kerberoasting attack (one account requesting service tickets for many distinct SPNs in a short window, Event ID 4769 with RC4 encryption type 0x17)
2. DCSync attack (Event ID 4662 replication rights abuse: DS-Replication-Get-Changes / Get-Changes-All requested by an account that is not a domain controller)
3. LSASS memory dumping via Task Manager or ProcDump
4. Suspicious PowerShell execution with encoded commands
5. Lateral movement via PsExec
For each SPL query:
- Write the detection logic with comments
- Specify required data sources and index names
- Define threshold tuning guidance to minimize false positives
- Include a risk score calculation
- Add a notable event title and description for SOC analysts
- Provide a false positive analysis section
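Before trusting an SPL rule the model writes for the first scenario in Prompt 24, it is worth having the detection logic in a form you can run against known-good and known-bad samples. The following is an added example, not code from the original article, and not Splunk SPL: it implements the Kerberoasting heuristic in Python over constructed 4769 events rendered as key=value lines (the field names follow the common Windows TA extraction; the hosts, accounts and addresses are fictional). It counts distinct RC4 service tickets per account in a sliding window, excludes the noise sources that dominate false positives (krbtgt and machine-account SPNs), and emits the risk score and notable title the prompt asks for.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample 4769 events as key=value lines. Values are fictional.
SAMPLE_LOG = """\
2024-05-02T09:00:01Z EventCode=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=MSSQLSvc/db01.corp.local:1433 TicketEncryptionType=0x12 IpAddress=10.0.5.21 Status=0x0
2024-05-02T09:00:09Z EventCode=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=HTTP/web01.corp.local TicketEncryptionType=0x12 IpAddress=10.0.5.21 Status=0x0
2024-05-02T09:14:02Z EventCode=4769 TargetUserName=svc_scan@CORP.LOCAL ServiceName=HTTP/web01.corp.local TicketEncryptionType=0x17 IpAddress=10.0.9.77 Status=0x0
2024-05-02T09:14:03Z EventCode=4769 TargetUserName=svc_scan@CORP.LOCAL ServiceName=MSSQLSvc/db01.corp.local:1433 TicketEncryptionType=0x17 IpAddress=10.0.9.77 Status=0x0
2024-05-02T09:14:03Z EventCode=4769 TargetUserName=svc_scan@CORP.LOCAL ServiceName=MSSQLSvc/db02.corp.local:1433 TicketEncryptionType=0x17 IpAddress=10.0.9.77 Status=0x0
2024-05-02T09:14:04Z EventCode=4769 TargetUserName=svc_scan@CORP.LOCAL ServiceName=CIFS/fs01.corp.local TicketEncryptionType=0x17 IpAddress=10.0.9.77 Status=0x0
2024-05-02T09:14:05Z EventCode=4769 TargetUserName=svc_scan@CORP.LOCAL ServiceName=exchangeMDB/mail01.corp.local TicketEncryptionType=0x17 IpAddress=10.0.9.77 Status=0x0
2024-05-02T09:14:05Z EventCode=4769 TargetUserName=svc_scan@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=10.0.9.77 Status=0x0
2024-05-02T09:14:06Z EventCode=4769 TargetUserName=svc_scan@CORP.LOCAL ServiceName=WS0042$ TicketEncryptionType=0x17 IpAddress=10.0.9.77 Status=0x0
2024-05-02T09:30:00Z EventCode=4769 TargetUserName=backup_adm@CORP.LOCAL ServiceName=CIFS/fs01.corp.local TicketEncryptionType=0x17 IpAddress=10.0.3.5 Status=0x0
2024-05-02T09:30:02Z EventCode=4769 TargetUserName=backup_adm@CORP.LOCAL ServiceName=CIFS/fs02.corp.local TicketEncryptionType=0x17 IpAddress=10.0.3.5 Status=0x0
"""

WINDOW = timedelta(minutes=10)   # tuning knob: how fast a roasting run is expected to be
THRESHOLD = 5                    # tuning knob: distinct RC4 SPNs per account per window
RC4_ETYPES = {"0x17", "0x18"}    # RC4-HMAC and RC4-HMAC-EXP; AES tickets (0x11/0x12) are ignored


def parse(log_text):
    """Turn key=value lines into dicts with a timezone-aware _time field."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_raw, _, rest = line.partition(" ")
        fields = dict(re.findall(r"(\w+)=(\S+)", rest))
        fields["_time"] = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(fields)
    return events


def is_roastable_request(e):
    """Successful RC4 TGS request for a real service SPN (krbtgt and machine accounts excluded)."""
    spn = e.get("ServiceName", "")
    return (e.get("EventCode") == "4769"
            and e.get("Status") == "0x0"
            and e.get("TicketEncryptionType") in RC4_ETYPES
            and spn.lower() != "krbtgt"
            and not spn.endswith("$"))


def detect_kerberoasting(events, window=WINDOW, threshold=THRESHOLD):
    """Alert per account whose distinct RC4 SPN count in any sliding window meets the threshold."""
    by_user = defaultdict(list)
    for e in events:
        if is_roastable_request(e):
            by_user[e["TargetUserName"]].append((e["_time"], e["ServiceName"], e["IpAddress"]))
    alerts = []
    for user, reqs in by_user.items():
        reqs.sort()
        best, best_spns = 0, set()
        for i, (start, _, _) in enumerate(reqs):          # window anchored at each request
            spns = {spn for ts, spn, _ in reqs[i:] if ts - start <= window}
            if len(spns) > best:
                best, best_spns = len(spns), spns
        if best >= threshold:
            alerts.append({
                "user": user,
                "source_ip": reqs[0][2],
                "distinct_rc4_spns": best,
                "spns": sorted(best_spns),
                "risk_score": min(100, 60 + 8 * (best - threshold)),  # grows with excess over threshold
                "title": (f"Possible Kerberoasting: {user} requested {best} RC4 service tickets "
                          f"within {int(window.total_seconds() // 60)} min"),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(parse(SAMPLE_LOG)):
        print(alert["title"], "| risk", alert["risk_score"], "| from", alert["source_ip"])
```

Two of the constructed accounts are there to exercise the false-positive section of the prompt: jdoe requests several tickets but with AES, and backup_adm requests only two RC4 tickets, so neither alerts at the default threshold. Lowering THRESHOLD to 2 makes backup_adm fire, which is the kind of tuning trade-off the rule's documentation should spell out.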
Prompt 25: SOAR Playbook Design
Design a SOAR automation playbook for the following scenario using Palo Alto XSOAR:
Trigger: High-severity phishing email alert from Microsoft Defender for Office 365
Playbook must automate:
1. Email header analysis and sender reputation check
2. URL and attachment detonation in sandbox
3. User account review (recent logins, MFA status)
4. Automatic containment actions (block sender, quarantine email from all mailboxes)
5. Victim user notification and security awareness prompt
6. Ticket creation in ServiceNow with all evidence attached
7. Escalation logic (when to page human analyst)
Output as: Pseudocode workflow with decision nodes, integration points (API calls), and estimated automation percentage vs. human-required steps.
Prompt 26: Security Pipeline Integration
Generate a GitHub Actions workflow for a DevSecOps pipeline that integrates the following security tools:
1. SAST: Semgrep (custom rules for our Python/Django application)
2. SCA: Snyk for dependency scanning
3. Container scanning: Trivy for Docker image analysis
4. Secrets detection: TruffleHog
5. IaC scanning: Checkov for Terraform
Requirements:
- Fail the pipeline on Critical/High findings (configurable threshold)
- Generate a unified security report artifact
- Post findings summary as PR comment
- Send Slack notification for failures
- Exclude known false positives via suppression file
Provide the complete .github/workflows/security.yml file with all steps, environment variables, and configuration.
Prompt 27: Terraform Security Hardening
Review the following Terraform configuration for an AWS environment and identify all security misconfigurations.
Terraform code: [paste code]
For each issue found:
2. Map to CIS AWS Benchmark control number
3. Provide the corrected Terraform code block
4. Explain the risk of the original configuration
5. Add appropriate Checkov or tfsec suppression comment format if it's an accepted risk
After individual findings, provide a summary of the overall security posture and top 3 architectural recommendations.
Prompt 28: Custom YARA Rule Development
Develop YARA rules to detect the following malware family based on the provided sample analysis:
Malware characteristics:
[describe strings, behaviors, file structure, network indicators]
Generate:
1. A high-confidence YARA rule targeting unique strings/byte sequences
2. A behavioral YARA rule using PE metadata and import characteristics
3. A memory scanning rule for runtime detection
4. Rule performance optimization notes (avoid slow conditions)
5. Test cases: files that should match and files that should not match
6. Integration guidance for deploying in Velociraptor or YARA-X
Include rule metadata: author, date, hash of reference sample, ATT&CK technique.
Prompt 29: Automated Threat Intelligence Integration
Write a Python script that:
1. Pulls threat intelligence from MISP instance via API
2. Filters IOCs by confidence score (>70) and last seen (<30 days)
3. Formats IOCs as Splunk threat intelligence lookups (CSV)
4. Uploads to Splunk Enterprise Security via REST API
5. Sends a summary report via email with new IOC counts by type
Requirements:
- Use proper error handling and logging
- Support proxy configuration
- Include rate limiting for API calls
- Store API credentials in environment variables (not hardcoded)
- Include unit tests for core functions
Provide complete, production-ready Python code with docstrings.
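The part of Prompt 29 that most often comes back wrong is the middle of the pipeline: which MISP attributes to keep and how to shape them for Splunk Enterprise Security. The following is an added example, not code from the original article, covering exactly that slice offline, with no MISP or Splunk calls. The input is a constructed payload in the shape of a MISP /attributes/restSearch response; the clock is pinned for determinism; and two points are assumptions to adapt: confidence is read from a tag of the form confidence:NN (MISP has no built-in numeric confidence on attributes), and the target lookups and field names follow the stock ES local threat intel lookups, which you should check against your ES version.

```python
import csv
import io
from collections import Counter, defaultdict

NOW = 1717200000  # 2024-06-01T00:00:00Z, pinned so the example is deterministic
DAY = 86400

# Constructed sample in the shape of a MISP /attributes/restSearch JSON response.
# Assumption: analyst confidence rides on a tag "confidence:<0-100>". Values are fictional.
MISP_RESPONSE = {"response": {"Attribute": [
    {"type": "ip-dst", "value": "203.0.113.9", "timestamp": str(NOW - 2 * DAY), "to_ids": True,
     "Tag": [{"name": "confidence:90"}], "Event": {"info": "Constructed event A: C2 node"}},
    {"type": "domain", "value": "update-cdn.example-bad.net", "timestamp": str(NOW - 45 * DAY), "to_ids": True,
     "Tag": [{"name": "confidence:95"}], "Event": {"info": "Constructed event B: stale loader domain"}},
    {"type": "sha256", "value": "4a1bc2f3e4d5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1",
     "timestamp": str(NOW - 1 * DAY), "to_ids": True,
     "Tag": [{"name": "confidence:60"}], "Event": {"info": "Constructed event C: low confidence hash"}},
    {"type": "url", "value": "https://203.0.113.9/dl/s2.bin", "timestamp": str(NOW - 5 * DAY), "to_ids": False,
     "Tag": [{"name": "confidence:80"}], "Event": {"info": "Constructed event D: to_ids off"}},
    {"type": "md5", "value": "0123456789abcdef0123456789abcdef", "timestamp": str(NOW - 10 * DAY), "to_ids": True,
     "Tag": [{"name": "confidence:75"}], "Event": {"info": "Constructed event E: dropper"}},
    {"type": "comment", "value": "analyst note", "timestamp": str(NOW), "to_ids": False,
     "Tag": [], "Event": {"info": "Constructed event F"}},
    {"type": "domain", "value": "evil.example.net", "timestamp": str(NOW - 3 * DAY), "to_ids": True,
     "Tag": [{"name": "confidence:85"}], "Event": {"info": "Constructed event G: phishing host"}},
]}}

# MISP attribute type -> (ES local threat intel lookup, key field). Assumed names;
# verify against the lookup definitions in your ES deployment.
TYPE_MAP = {
    "ip-dst": ("local_ip_intel", "ip"), "ip-src": ("local_ip_intel", "ip"),
    "domain": ("local_domain_intel", "domain"), "hostname": ("local_domain_intel", "domain"),
    "url": ("local_url_intel", "url"),
    "md5": ("local_file_intel", "file_hash"), "sha1": ("local_file_intel", "file_hash"),
    "sha256": ("local_file_intel", "file_hash"),
}


def confidence_of(attr):
    """Integer confidence from a 'confidence:NN' tag; 0 when absent or malformed."""
    for tag in attr.get("Tag", []):
        name = tag.get("name", "")
        if name.startswith("confidence:"):
            try:
                return int(name.split(":", 1)[1])
            except ValueError:
                pass
    return 0


def select_attributes(payload, min_confidence=70, max_age_days=30, now=NOW):
    """Keep detection-grade attributes: to_ids set, mapped type, confidence > min, fresh."""
    cutoff = now - max_age_days * DAY
    kept = []
    for attr in payload["response"]["Attribute"]:
        if not attr.get("to_ids"):              # analyst did not flag it for detection
            continue
        if attr["type"] not in TYPE_MAP:        # comments, text, etc. have no lookup
            continue
        if confidence_of(attr) <= min_confidence:
            continue
        if int(attr["timestamp"]) < cutoff:     # attribute timestamp = last modified
            continue
        kept.append(attr)
    return kept


def to_lookups(attrs):
    """Group kept attributes into one CSV string per ES lookup."""
    rows = defaultdict(list)
    for a in attrs:
        lookup, field = TYPE_MAP[a["type"]]
        rows[lookup].append({field: a["value"], "description": a["Event"]["info"],
                             "weight": confidence_of(a)})
    out = {}
    for lookup, rs in rows.items():
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=list(rs[0].keys()))
        writer.writeheader()
        writer.writerows(rs)
        out[lookup] = buf.getvalue()
    return out


def summary(attrs):
    """New IOC counts by MISP type, the figure the email report in the prompt needs."""
    return dict(Counter(a["type"] for a in attrs))


if __name__ == "__main__":
    kept = select_attributes(MISP_RESPONSE)
    for name, body in to_lookups(kept).items():
        print(f"--- {name}\n{body}")
    print("summary:", summary(kept))
```

The four rejected attributes in the sample are each rejected for a different reason (stale, low confidence, to_ids unset, unmapped type). If the script the model produces for you does not have an explicit path for each of those, it will either push noise into ES or drop real intelligence without telling anyone.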
Prompt 30: Security Metrics Dashboard Design
Design a security operations metrics framework and Splunk dashboard specification for a SOC.
Include metrics for:
1. Detection effectiveness (MTTD, alert fidelity rate, coverage by ATT&CK technique)
2. Response performance (MTTR, containment time, escalation rate)
3. Vulnerability management (mean time to patch by severity, patch compliance %)
4. Threat intelligence (IOC hit rate, intelligence-to-action time)
5. Security posture (critical asset exposure score, control effectiveness)
For each metric provide: definition, calculation formula, data source, target benchmark, and Splunk SPL query skeleton. Format as a dashboard specification document.
Section 5: Compliance, Audit, and Security Documentation Prompts
Compliance documentation is one of the most time-consuming aspects of enterprise security work, and it is an area where GPT-5.5 can reclaim dozens of hours per week for security teams. These prompts cover policy development, audit evidence preparation, risk assessment documentation, and regulatory gap analysis across major frameworks including NIST CSF, ISO 27001, SOC 2, PCI DSS, and HIPAA.
Prompt 31: NIST CSF Gap Analysis
Conduct a NIST Cybersecurity Framework 2.0 gap analysis based on the following organization profile and current control inventory:
Organization profile: [describe size, industry, critical assets]
Current controls: [list existing security controls and tools]
For each CSF 2.0 Function (Govern, Identify, Protect, Detect, Respond, Recover):
1. Assess current maturity level (1-4 scale with justification)
2. Identify specific subcategory gaps
3. Map gaps to specific control recommendations
4. Prioritize gaps by risk impact
5. Estimate implementation effort (Low/Medium/High)
Output as a gap analysis matrix table and an executive roadmap summary.
Prompt 32: Security Policy Development
Draft a comprehensive Information Security Acceptable Use Policy for a 1,000-employee technology company. The policy must:
1. Cover: corporate devices, personal devices (BYOD), cloud services, remote work, social media, data classification
2. Include specific prohibited activities with clear examples
3. Reference relevant compliance frameworks (SOC 2, ISO 27001)
4. Include an employee acknowledgment section
5. Define enforcement and exception processes
6. Be written at an 8th-grade reading level for broad comprehension
7. Include a policy review schedule and owner
Format as a complete, ready-to-publish policy document with version control header.
Prompt 33: SOC 2 Audit Evidence Preparation
I am preparing for a SOC 2 Type II audit. Generate a comprehensive evidence collection checklist for the following Trust Services Criteria:
Criteria in scope: Security (CC), Availability (A), Confidentiality (C)
For each criteria category:
1. List specific evidence artifacts required
2. Identify the system/tool where evidence should be pulled from
3. Specify the time period for evidence collection
4. Note format requirements (screenshot, export, attestation)
5. Flag artifacts that typically require auditor walk-through vs. document submission
Include a 90-day pre-audit preparation timeline with weekly milestones.
Prompt 34: Risk Assessment Documentation
Generate a formal information security risk assessment document for the following scenario:
Asset: Customer PII database (PostgreSQL, AWS RDS)
Threat scenarios to assess: SQL injection, insider threat data theft, cloud misconfiguration exposure, ransomware encryption
For each threat scenario, complete a risk assessment using:
1. NIST SP 800-30 methodology
2. Likelihood rating (1-5) with justification
3. Impact rating (1-5) with business impact description
4. Inherent risk score
5. Current controls with effectiveness rating
6. Residual risk score
7. Risk treatment recommendation (Accept/Mitigate/Transfer/Avoid)
8. If Mitigate: specific control recommendations with cost/benefit note
Output as a formal risk register table.
Prompt 35: PCI DSS Compliance Checklist
Generate a PCI DSS v4.0 compliance assessment checklist for a Level 2 merchant with the following environment:
Payment environment: E-commerce website, Stripe payment processor (SAQ A-EP applicable), internal order management system that stores last 4 digits of PAN
For each applicable PCI DSS requirement:
1. Specific sub-requirements that apply to this environment
2. Evidence of compliance required
3. Common gaps for this merchant profile
4. Compensating control options where direct compliance is challenging
5. Self-assessment vs. QSA assessment determination
Flag requirements where the Stripe integration reduces scope vs. requirements that remain in scope.
Prompt 36: Vendor Security Assessment Questionnaire
Generate a comprehensive third-party vendor security assessment questionnaire for evaluating a SaaS vendor that will process our employee HR data.
The questionnaire must cover:
1. Data handling and classification practices
2. Access control and authentication (with specific MFA requirements)
3. Encryption standards (in transit and at rest)
4. Incident response and breach notification commitments
5. Subprocessor management
6. Penetration testing and vulnerability management program
7. Compliance certifications (SOC 2, ISO 27001, etc.)
8. Business continuity and disaster recovery
9. Data retention and deletion procedures
10. Right to audit provisions
Format as a scored questionnaire (each section weighted) with yes/no/partial response options and a space for evidence documentation.
Prompt 37: Security Awareness Training Content
Develop a 30-minute security awareness training module on phishing recognition for non-technical employees.
Content must include:
1. Learning objectives (3-5 measurable outcomes)
2. Module outline with time allocation per section
3. Real-world phishing example scenarios (5 examples ranging from obvious to sophisticated)
4. Interactive quiz questions (10 questions with answer explanations)
5. A one-page quick reference card employees can keep
6. Metrics for measuring training effectiveness
Write in an engaging, non-condescending tone. Avoid technical jargon. Include a note on where to report suspected phishing in [your organization's ticketing system].
Prompt 38: Business Continuity and DR Security Requirements
Generate security requirements for a business continuity and disaster recovery plan for a financial services firm. Address:
1. Security controls that must remain operational during a disaster scenario
2. Secure backup procedures and integrity verification
3. Access control considerations during emergency operations (break-glass procedures)
4. Communication security during incident response
5. Recovery Time Objective (RTO) and Recovery Point Objective (RPO) security implications
6. Third-party DR site security requirements
7. Testing requirements for security controls in DR scenarios
Format as a security requirements specification document with priority ratings.
Section 6: Advanced and Specialized Security Prompts
The following prompts address specialized areas including AI security, OT/ICS security, zero trust architecture, and security program management. These represent emerging and high-value use cases for GPT-5.5 in enterprise security contexts.
Prompt 39: Zero Trust Architecture Assessment
Assess the following network architecture against NIST SP 800-207 Zero Trust Architecture principles and CISA Zero Trust Maturity Model:
Current architecture: [describe your current network segmentation, identity infrastructure, and access control model]
Provide:
1. Zero Trust maturity rating per pillar (Identity, Devices, Networks, Applications and Workloads, Data) using CISA's four maturity stages (Traditional, Initial, Advanced, Optimal)
2. Priority gaps with specific remediation recommendations
3. Implementation roadmap (Phase 1: Quick wins, Phase 2: Core capabilities, Phase 3: Advanced)
4. Technology recommendations per pillar with vendor-neutral and specific vendor options
5. Estimated investment range and ROI justification for leadership
Prompt 40: OT/ICS Security Assessment
Generate an OT/ICS security assessment framework for a manufacturing facility with the following environment:
OT environment: Siemens S7 PLCs, Wonderware SCADA, Historian server, OSIsoft PI, Purdue model network segmentation (partial)
IT/OT integration points: Data historian, remote access via Citrix, vendor remote maintenance connections
Assessment must cover:
1. IEC 62443 compliance gap analysis (focus on zones and conduits)
2. Network segmentation assessment methodology
3. Asset inventory approach for OT environments
4. Vulnerability management challenges specific to OT (patching constraints)
5. Detection capabilities appropriate for OT (passive monitoring emphasis)
6. Incident response considerations unique to OT environments
7. Top 5 highest-risk scenarios with specific mitigations
Prompt 41: AI/ML Model Security Assessment
Generate a security assessment framework for evaluating risks to AI/ML models in production. Cover:
1. OWASP ML Security Top 10 mapping to our use case: [describe your AI application]
2. Adversarial attack vectors (model evasion, poisoning, extraction, inversion)
3. Data pipeline security requirements
4. Model access control and API security
5. Monitoring requirements for model drift and adversarial inputs
6. Supply chain risks (pre-trained model integrity, framework vulnerabilities)
7. Compliance considerations (EU AI Act, NIST AI RMF)
Produce a risk register format output with likelihood/impact ratings.
Prompt 42: Security Architecture Review
Perform a security architecture review of the following system design document:
System description: [paste architecture description or diagram description]
Evaluate against:
1. STRIDE threat model (identify threats per component)
2. Defense-in-depth principles
3. Principle of least privilege implementation
4. Secure communication patterns
5. Authentication and authorization architecture
6. Data protection at rest and in transit
7. Logging and monitoring coverage
Output: Threat model diagram description, security findings table (threat | component | severity | mitigation), and architectural recommendations prioritized by risk.
Prompt 43: Red Team Exercise Debrief Report
Generate a red team exercise debrief report template based on the following engagement summary:
Engagement type: Full-scope red team (physical, social engineering, network, application)
Duration: 3 weeks
Objective: Assess ability to detect and respond to a targeted APT simulation
Report sections required:
1. Executive narrative (what happened, what it means for the business)
2. Attack chain visualization description
3. Detection and response performance scorecard
4. Finding-by-finding analysis with blue team response timeline
5. Crown jewel access assessment
6. Comparative benchmarking (industry context)
7. Strategic recommendations (people, process, technology)
Write in a tone that is constructive, not adversarial toward the defensive team.
Prompt 44: Security Budget Justification
Help me build a business case and budget justification for the following security investment:
Investment: Extended Detection and Response (XDR) platform, estimated $800K/year
Current environment: 2,500 endpoints, 50-person company, 4-person security team, currently using legacy AV and basic SIEM
Build the justification using:
1. Risk quantification (FAIR methodology framework)
2. Current state risk exposure in financial terms
3. Expected risk reduction with the investment
4. Operational efficiency gains (FTE hours saved, MTTD/MTTR improvement)
5. Compliance benefits (map to specific audit findings or requirements)
6. Peer benchmarking data references
7. ROI calculation with payback period
Format for CFO and board presentation.
Prompt 45: Threat Modeling for New Features
Conduct a threat model for the following new application feature using the STRIDE methodology:
Feature description: [describe the new feature, data flows, user types, and integration points]
Produce:
1. Data flow diagram description with trust boundaries identified
2. STRIDE analysis table (Spoofing, Tampering, Repudiation, Info Disclosure, DoS, Elevation of Privilege) per component
3. Risk-ranked findings
4. Security requirements derived from threat model
5. Abuse cases (3-5 specific attack scenarios)
6. Recommended security controls mapped to each threat
7. Security acceptance criteria for the feature's definition of done
Format suitable for inclusion in a product backlog or security review gate.
Prompt 46: Cryptography Implementation Review
Review the following cryptographic implementation for security weaknesses:
Code/configuration: [paste code or describe implementation]
Context: [describe what data is being protected and the threat model]
Assess:
1. Algorithm selection appropriateness (flag deprecated algorithms: MD5, SHA1, DES, RC4, RSA <2048)
2. Key management practices
3. Random number generation
4. Padding oracle vulnerabilities
5. Certificate validation
6. Quantum-resistance considerations for long-lived data
Provide specific remediation for each finding with code examples in [language].
Prompt 47: Security Champions Program Design
Design a Security Champions program for a 200-person software development organization. Include:
1. Program objectives and success metrics
2. Security Champion selection criteria and recruitment approach
3. Training curriculum (monthly topics for 12 months, 2 hours/month)
4. Responsibilities and time commitment expectations
5. Recognition and incentive structure
6. Integration with SDLC (where champions add value at each stage)
7. Communication channels and knowledge sharing mechanisms
8. Program governance and executive sponsorship requirements
Format as a complete program design document with implementation timeline.
Prompt 48: Ransomware Readiness Assessment
Generate a ransomware readiness assessment questionnaire and scoring framework for an enterprise organization.
Assessment domains:
1. Backup integrity and recoverability testing
2. Network segmentation and lateral movement prevention
3. Endpoint detection and response capabilities
4. Email and web filtering effectiveness
5. Privileged access management
6. Incident response plan (ransomware-specific)
7. Cyber insurance coverage adequacy
8. Employee awareness
For each domain: 5-10 specific assessment questions, scoring rubric (0-3 per question), weighting by domain, and benchmark scores (good/average/poor). Include a scoring calculator structure and improvement roadmap template.
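The scoring structure Prompt 48 asks for, worked through as an added example (not code from the article): a calculator that applies the 0-3 rubric per question, weights the eight domains, maps the total onto good/average/poor benchmarks, and ranks domains by weighted shortfall to seed the improvement roadmap. The domain weights, benchmark cut-offs and sample answers are constructed assumptions, not figures from the article.

```python
# Ransomware readiness scoring calculator (added example, not from the article).
# Domain names follow the article's eight assessment domains; weights, cut-offs
# and sample answers below are constructed for illustration.
MAX_PER_QUESTION = 3  # the article's 0-3 rubric per question
DOMAIN_WEIGHTS = {  # constructed; must sum to 1.0
    "backup_integrity": 0.20, "network_segmentation": 0.15, "edr": 0.15,
    "email_web_filtering": 0.10, "pam": 0.15, "ir_plan": 0.10,
    "cyber_insurance": 0.05, "employee_awareness": 0.10,
}
BENCHMARKS = ((75.0, "good"), (50.0, "average"), (0.0, "poor"))  # constructed, highest first

def domain_fraction(answers):
    """Fraction (0..1) of the points attainable in one domain."""
    if not answers:
        raise ValueError("a domain needs at least one scored question")
    if any(a != int(a) or not 0 <= a <= MAX_PER_QUESTION for a in answers):
        raise ValueError("answers must be integers 0..%d" % MAX_PER_QUESTION)
    return sum(answers) / (MAX_PER_QUESTION * len(answers))

def _fractions(answers_by_domain, weights):
    """Per-domain fractions; an unanswered domain scores 0 (worst case) so a
    questionnaire gap can never inflate the result; unknown domains are rejected."""
    unknown = set(answers_by_domain) - set(weights)
    if unknown:
        raise KeyError("unknown domains: %s" % sorted(unknown))
    return {d: domain_fraction(answers_by_domain[d]) if answers_by_domain.get(d) else 0.0
            for d in weights}

def weighted_score(answers_by_domain, weights=DOMAIN_WEIGHTS):
    """0-100 readiness score: domain fractions combined by domain weight."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("domain weights must sum to 1.0")
    done = _fractions(answers_by_domain, weights)
    return 100.0 * sum(weights[d] * done[d] for d in weights)

def benchmark(score, cutoffs=BENCHMARKS):
    """Map a 0-100 score onto the good/average/poor benchmark bands."""
    return next(label for floor, label in cutoffs if score >= floor)

def improvement_priorities(answers_by_domain, weights=DOMAIN_WEIGHTS):
    """Roadmap ordering: domains ranked by weighted shortfall (the share of the
    total score each domain currently forfeits), ties broken by name."""
    done = _fractions(answers_by_domain, weights)
    return sorted(weights, key=lambda d: (-(weights[d] * (1.0 - done[d])), d))

SAMPLE_ANSWERS = {  # constructed questionnaire results (5-10 questions per domain in practice)
    "backup_integrity": [3, 3, 2, 2, 3], "network_segmentation": [1, 2, 1, 0],
    "edr": [3, 3, 3, 2, 3], "email_web_filtering": [2, 2, 3], "pam": [1, 1, 2, 0, 1],
    "ir_plan": [2, 1, 2], "cyber_insurance": [3, 2], "employee_awareness": [2, 2, 2, 2],
}
```

With the sample answers the weighted score is 65.5 ("average"), and network segmentation and privileged access management rank first for the roadmap because they carry high weight and low scores.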
Prompt 49: Security Metrics for Board Reporting
Generate a board-level cybersecurity reporting framework and sample metrics dashboard for a publicly traded company.
Requirements:
- Metrics must communicate risk in business terms, not technical metrics
- Include both lagging indicators (what happened) and leading indicators (predictive)
- Address SEC cybersecurity disclosure requirements
- Cover: threat landscape, security posture, incident performance, investment effectiveness, compliance status
- Each metric must have: definition, current value field, trend indicator, benchmark, and so-what narrative guidance
Format as a board presentation structure with talking points for the CISO.
Prompt 50: Comprehensive Security Program Maturity Assessment
Conduct a comprehensive security program maturity assessment using the following framework:
Assessment dimensions:
1. Strategy and governance
2. Risk management
3. Asset management
4. Threat intelligence
5. Vulnerability management
6. Security operations and monitoring
7. Incident response
8. Identity and access management
9. Data protection
10. Third-party risk management
11. Business continuity
12. Security culture and awareness
For each dimension:
- Current maturity level (1-5, CMM-style) based on inputs I provide
- Key strengths to preserve
- Priority improvement areas
- 12-month improvement targets
- Specific initiatives to close gaps
Inputs: [describe your current program state per dimension]
Output: Maturity spider chart data, narrative assessment, and a prioritized 12-month security roadmap with quarterly milestones.
Advanced Prompt Engineering Techniques for Cybersecurity
The 50 prompts above are starting points. To extract maximum value from GPT-5.5 in security contexts, apply these engineering principles consistently:
Context Injection Pattern
Always begin security prompts with role assignment and environment context. GPT-5.5 produces significantly more precise output when it understands the operating environment, tool stack, and audience. Compare these two approaches:
| Weak Prompt Pattern | Strong Prompt Pattern |
|---|---|
| "Explain SQL injection" | "Act as a senior AppSec engineer. Explain SQL injection in the context of a Django ORM application, focusing on cases where the ORM's protections can be bypassed. Include specific code examples and detection rules for our Semgrep pipeline." |
| "Write an incident response plan" | "Generate an incident response runbook for a ransomware event in our AWS-hosted environment with 500 EC2 instances, Active Directory on-premises, and Microsoft 365. We use CrowdStrike Falcon and Splunk SIEM. Output as a numbered checklist with RACI assignments." |
| "Analyze this log" | "You are a SOC analyst at a financial institution. Analyze the following Windows Security Event Log excerpt for indicators of credential-based lateral movement. Map findings to ATT&CK techniques and provide detection rule recommendations in Sigma format." |
Chain-of-Thought for Complex Analysis
For multi-step security analysis tasks, explicitly instruct GPT-5.5 to reason through the problem step by step before producing conclusions. Add the instruction: "Before providing your analysis, reason through the attack chain step by step, considering alternative explanations for each artifact. Then provide your assessment with confidence levels." This dramatically reduces hallucinated conclusions in forensic analysis scenarios.
Constraint-Based Output Formatting
Security outputs need to be actionable and integration-ready. Always specify: output format (JSON, table, numbered list, code block), length constraints, technical depth level, and intended audience. GPT-5.5 will honor these constraints with high fidelity, producing outputs that can be directly imported into ticketing systems, documentation platforms, or security tools.
Iterative Refinement Workflow
The most effective security teams using GPT-5.5 treat it as an iterative collaboration. Start with a broad prompt to generate structure, then drill into specific sections with follow-up prompts. For example, generate a full incident response playbook, then follow up with: "Expand the containment phase for a scenario where we cannot take systems offline due to OT dependencies. Add specific decision criteria and alternative containment methods."
Conclusion: Building an AI-Augmented Security Practice
The 50 prompts in this collection represent a systematic approach to integrating GPT-5.5 into every layer of the cybersecurity function. From the tactical — generating a YARA rule from a malware sample in minutes — to the strategic — building a board-ready security metrics framework — GPT-5.5 is most powerful when security professionals treat it as a knowledgeable peer that needs good context to deliver its best work.
Several principles should guide your adoption strategy. First, verify all technical outputs against authoritative sources before deploying in production. GPT-5.5 has broad and deep security knowledge, but it is not infallible, and in security contexts, errors have consequences. Second, build a prompt library tailored to your specific environment, tool stack, and compliance requirements. The prompts above are templates — the real value comes from customizing them with your organizational context. Third, invest in prompt engineering skills within your security team. The gap between a mediocre prompt and an excellent one is not effort — it is knowledge of how to structure context and constraints.
The security teams that will outperform their peers over the next three to five years are not those who resist AI augmentation, nor those who blindly trust it. They are the teams that develop systematic, rigorous practices for human-AI collaboration in security workflows — using tools like GPT-5.5 to compress the time between detection and response, between vulnerability discovery and remediation, between compliance gap and documented control.
Start with the five prompts most relevant to your current pain points. Iterate. Customize. Build your library. The adversaries you face are already using AI to accelerate their operations. Your AI-augmented security practice is not optional — it is existential.