---
title: Security Architect Guide
description: HVE Core support for security architects building security models, security plans, and compliance verification
sidebar_position: 7
author: Microsoft
ms.date: 2026-03-10
ms.topic: how-to
keywords:
  - security
  - security model analysis
  - risk assessment
  - compliance
estimated_reading_time: 10
---

This guide is for you if you perform security model analysis, build security plans, assess risks, define compliance requirements, or review system security posture. Security architects have focused but deep tooling, with 9 addressable assets centered on security planning and risk management.

Caution

The security agents and prompts in HVE Core are assistive tools only. They do not replace professional security tooling (SAST, DAST, SCA, penetration testing, compliance scanners) or qualified human review. All AI-generated security plans, security models, risk registers, and incident response runbooks must be reviewed and validated by qualified security professionals before use. AI outputs may contain inaccuracies, miss critical threats, or produce recommendations that are incomplete or inappropriate for your environment. Never treat AI-generated security artifacts as authoritative without independent verification.

Recommended Collections

Tip

Install the HVE Core extension from the VS Code Marketplace for the flagship RPI workflow and core artifacts with zero configuration.

Your primary collections are security (security plan creation, risk registers, and incident response tools) and project-planning (broader project context). For clone-based setups, see the Installation Guide.

What HVE Core Does for You

  1. Creates comprehensive security plans with security model analysis and mitigation strategies
  2. Generates and manages risk registers for component-level risk assessment
  3. Provides incident response runbook templates and playbooks
  4. Supports security architecture research through deep codebase analysis
  5. Reviews implementation against security requirements and best practices

Your Lifecycle Stages

Note

Security architects primarily operate in these lifecycle stages:

  • Stage 2: Discovery: Research security requirements, investigate the threat landscape, gather evidence
  • Stage 3: Product Definition: Define security models, security specifications, and compliance requirements
  • Stage 7: Review: Validate implementation against security requirements
  • Stage 9: Operations: Monitor security posture, update security models, manage incident response

Stage Walkthrough

  1. Stage 2: Discovery. Use the task-researcher agent to investigate the threat landscape, existing security controls, and compliance requirements for your system.
  2. Stage 3: Product Definition. Run the security-planner agent to generate a security plan with security models, attack vectors, and mitigation strategies.
  3. Stage 3: Product Definition. Run the sssc-planner agent to assess supply chain security posture against OpenSSF standards.
  4. Stage 3: Product Definition. Run the rai-planner agent if the project includes AI/ML components.
  5. Stage 3: Product Definition. Use /risk-register to assess and document component-level risks with severity ratings, likelihood, and mitigation plans.
  6. Stage 7: Review. Validate implementation against security requirements using the task-reviewer agent for code-level security compliance checks.
  7. Stage 9: Operations. Maintain incident response readiness with /incident-response and update security models as the system evolves.

Starter Prompts

Select security-planner agent:

Generate a security plan for our customer-facing REST API gateway. Cover
OAuth 2.0 authentication with Azure AD B2C, PII data classification in
user profiles, PCI DSS compliance for payment flows, and security model
areas including injection attacks and broken access control.

Invoke /risk-register:

/risk-register Assess and document risks for the payment processing
module. Focus on PCI DSS compliance gaps, injection vulnerabilities
in transaction inputs, and key management for encryption at rest.

Invoke /incident-response:

/incident-response Create an incident response runbook for a data breach
involving customer PII exposure through a misconfigured storage bucket.
Include containment steps, GDPR notification timelines, forensic evidence
preservation, and post-incident review process.

Select sssc-planner agent:

Assess this repository's supply chain security posture

Select rai-planner agent:

Assess responsible AI risks based on the security plan

Select task-researcher agent:

Research security patterns for GraphQL APIs, focusing on query depth
limiting to prevent DoS, field-level authorization approaches, disabling
introspection in production, and input validation for nested mutation
arguments.

Key Agents and Workflows

| Agent | Purpose | Docs |
|---|---|---|
| security-planner | Security plan and security model generation | Agent file |
| sssc-planner | Supply chain security assessment against OpenSSF standards | Agent file |
| rai-planner | Responsible AI risk assessment and RAI plan generation | Agent file |
| task-researcher | Security-focused codebase and threat research | Task Researcher |
| task-reviewer | Security compliance review | Task Reviewer |
| memory | Session context and preference persistence | Agent file |

Prompts complement the agents for targeted security workflows:

| Prompt | Purpose | Invoke |
|---|---|---|
| risk-register | Component risk assessment and documentation | /risk-register |
| incident-response | Incident response runbook creation | /incident-response |

Tips

| Do | Don't |
|---|---|
| Start with the security-planner agent for comprehensive models | Create ad-hoc security notes without structured security models |
| Use /risk-register for each significant component | Track risks informally or skip risk documentation |
| Research the threat landscape before defining mitigations | Assume security models from other projects directly apply |
| Update security models as the system architecture evolves | Treat security plans as static, one-time documents |
| Map security requirements to specific lifecycle stages | Isolate security from the broader product lifecycle |
| Run sssc-planner after security-planner for pipeline assessment | Skip supply chain assessment for non-deployable documentation repos |
| Use rai-planner for any project with AI/ML components | Apply RAI assessment to purely non-AI systems |

Related Roles

  • Security Architect + TPM: Security requirements integrate into BRDs and PRDs. Security models inform product specifications and compliance gates. See the TPM Guide.
  • Security Architect + Tech Lead: Security architecture decisions align with overall system design. Security models shape architectural choices. See the Tech Lead Guide.
  • Security Architect + SRE: Operational security, incident response, and monitoring bridge security planning with production operations. See the SRE / Operations Guide.

Next Steps

Tip

  • Explore security tools: Security Collection
  • Plan responsible AI assessments: RAI Planning Collection
  • Review the security model documentation: Security Model
  • See how security fits the project lifecycle: AI-Assisted Project Lifecycle

Important

Security-specific tooling covers Stage 2, Stage 3, Stage 7, and Stage 9 only. Stages 4 through 6 and Stage 8 rely on general-purpose agents (the task-researcher and task-reviewer agents) rather than dedicated security tooling. Specialized security coverage for decomposition, sprint planning, implementation, and delivery is a planned improvement.

🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.