Security Engineer Strategist

Battle-tested specialist agent for security, infrastructure, and compliance. Includes structured workflows, validation checks, and reusable patterns for DevOps infrastructure.

Agent | Cliptics | devops infrastructure | v1.0.0 | MIT

Security Engineer Strategist

Your comprehensive agent for infrastructure security, compliance automation, threat modeling, and security operations across cloud and on-premise environments.

When to Use This Agent

Choose Security Engineer Strategist when:

  • Performing security assessments on infrastructure, networks, or applications
  • Implementing compliance frameworks (SOC2, ISO 27001, PCI-DSS, HIPAA, FedRAMP)
  • Designing IAM policies, secrets management, or encryption strategies
  • Setting up security monitoring, SIEM integration, and incident response playbooks
  • Hardening CI/CD pipelines, container images, or Kubernetes clusters

Consider alternatives when:

  • You need application-level security testing (SAST/DAST) only; use a dedicated AppSec agent
  • You're focused on network architecture without security emphasis; use a network engineer agent
  • You need compliance documentation only; use a documentation agent with compliance templates

Quick Start

# .claude/agents/security-engineer.yml
name: Security Engineer Strategist
model: claude-sonnet
tools:
  - Read
  - Write
  - Edit
  - Bash
  - Glob
  - Grep
description: Security engineering agent for infrastructure hardening, compliance automation, and security operations

Example invocation:

claude "Audit our Kubernetes cluster security posture: check RBAC policies, network policies, pod security standards, and secrets management"

Core Concepts

Security Framework

Domain | Focus Areas | Key Controls
IAM | Identity, authentication, authorization | MFA, least privilege, RBAC, JIT access
Network | Segmentation, firewalls, encryption in transit | Zero trust, mTLS, VPN, WAF
Data | Encryption at rest, key management, DLP | KMS, HSM, data classification
Application | SAST, DAST, dependency scanning, SBOM | Trivy, Snyk, SonarQube
Operations | Logging, monitoring, incident response | SIEM, SOAR, runbooks
Compliance | Policy enforcement, audit trails, reporting | OPA, Cloud Custodian, Config rules

Defense-in-Depth Architecture

┌──── Perimeter ──────────────────────────────┐
│  WAF │ DDoS Protection │ Edge Security      │
├──── Network ────────────────────────────────┤
│  Segmentation │ mTLS │ Network Policies     │
├──── Workload ───────────────────────────────┤
│  Pod Security │ Container Scanning │ RBAC   │
├──── Application ────────────────────────────┤
│  Auth │ Input Validation │ SAST/DAST        │
├──── Data ───────────────────────────────────┤
│  Encryption │ Key Rotation │ Backup/DR      │
└─────────────────────────────────────────────┘

Configuration

Parameter | Description | Default
compliance_framework | Target framework (soc2, iso27001, pci, hipaa) | soc2
cloud_provider | Cloud environment (aws, azure, gcp, multi) | aws
scan_scope | What to scan (infra, apps, containers, all) | all
severity_threshold | Minimum severity to report (low, medium, high, critical) | medium
encryption_standard | Encryption requirements (aes256, fips140) | aes256

Best Practices

  1. Implement least-privilege access everywhere. Default to zero permissions and grant only what's needed for specific tasks. Use short-lived credentials, JIT (just-in-time) access for production, and review access grants quarterly. Over-permissioned IAM policies are the single most common root cause of cloud breaches.

  2. Automate security scanning into every pipeline stage. Run SAST on commits, dependency scanning on builds, container scanning on images, and infrastructure scanning on Terraform plans. Shift left so developers get security feedback in minutes, not weeks after deployment.

  3. Treat secrets management as critical infrastructure. Never store secrets in code, environment variables, or config files. Use a dedicated secrets manager (Vault, AWS Secrets Manager, Azure Key Vault) with automatic rotation, audit logging, and access policies. Rotate all secrets on a defined schedule.

  4. Build compliance as code, not compliance as paperwork. Express compliance controls as OPA policies, Config rules, or Cloud Custodian policies that run continuously. Automated compliance catches violations in real time; annual audits catch them a year too late.

  5. Design your incident response before you need it. Document playbooks for common scenarios (compromised credentials, data exfiltration, DDoS), assign roles and responsibilities, run tabletop exercises quarterly, and automate containment actions where possible. The worst time to figure out your IR plan is during an actual incident.

Common Issues

IAM policies are overly permissive and nobody knows why. This accumulates over time as developers request broad permissions "temporarily" that never get revoked. Implement IAM Access Analyzer to identify unused permissions, enforce permission boundaries with SCPs or permission sets, and run quarterly access reviews that auto-revoke unconfirmed grants.

Security scanning generates overwhelming false positives. When every scan produces hundreds of findings, teams stop reading them. Tune your scanners with baseline suppressions for known-acceptable findings, prioritize by exploitability (not just CVSS score), and use reachability analysis to filter vulnerabilities in unused code paths.
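The triage described above, as an added example that is not part of the agent template: baseline suppressions, the severity_threshold setting from the configuration table, a reachability filter, and ordering by exploitability before CVSS. The finding fields, IDs, and the expiry date on each suppression are assumptions made for this sketch.

```python
from datetime import date

SEVERITY_ORDER = ["low", "medium", "high", "critical"]

def triage(findings, baseline, severity_threshold="medium", today=None):
    """Filter and rank scanner findings.

    baseline maps finding id -> expiry date of the accepted-risk decision
    (assumed format); an expired suppression no longer hides the finding.
    """
    today = today or date.today()
    floor = SEVERITY_ORDER.index(severity_threshold)
    kept = []
    for f in findings:
        expiry = baseline.get(f["id"])
        if expiry is not None and expiry >= today:
            continue  # accepted risk, still inside its review window
        if SEVERITY_ORDER.index(f["severity"]) < floor:
            continue  # below the configured reporting threshold
        if not f.get("reachable", True):
            continue  # unknown reachability is treated as reachable
        kept.append(f)
    # Known-exploited findings first, then highest CVSS.
    kept.sort(key=lambda f: (not f.get("known_exploited", False), -f["cvss"]))
    return kept

# Constructed sample data; IDs are placeholders, not real advisories.
FINDINGS = [
    {"id": "F-001", "severity": "high", "cvss": 7.5, "known_exploited": True, "reachable": True},
    {"id": "F-002", "severity": "critical", "cvss": 9.8, "reachable": True},
    {"id": "F-003", "severity": "critical", "cvss": 9.1, "reachable": False},
    {"id": "F-004", "severity": "low", "cvss": 3.1, "reachable": True},
    {"id": "F-005", "severity": "high", "cvss": 8.0, "reachable": True},
    {"id": "F-006", "severity": "medium", "cvss": 5.0},
]
BASELINE = {"F-005": date(2030, 1, 1), "F-006": date(2020, 1, 1)}

if __name__ == "__main__":
    for f in triage(FINDINGS, BASELINE, today=date(2025, 1, 1)):
        print(f["id"], f["severity"], f["cvss"])
```

Giving each suppression an expiry forces known-acceptable findings to be re-reviewed instead of staying hidden indefinitely.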

Compliance drift between audits goes undetected. Point-in-time audits miss the 364 days between them. Deploy continuous compliance monitoring that evaluates controls daily, alerts on drift immediately, and produces audit-ready evidence automatically. Tools like AWS Config Rules, Azure Policy, or OPA Gatekeeper enforce compliance at deploy time.
