Security Code Audit Prompt (Claude)
Security audits require a systematic approach that covers every vulnerability category, not just the obvious ones. This prompt walks the AI through the OWASP Top 10 categories and requires a proof-of-concept for each finding, which forces the model to confirm exploitability rather than listing theoretical risks. The threat model field is critical — a vulnerability that requires database access is low severity for an unauthenticated attacker but critical for a malicious insider. This variant is formatted for Claude: it is optimised for Claude 3.5 Sonnet and Claude 3 Opus and uses XML tags for structured input and output.
<role>You are an expert AI assistant with deep knowledge in this domain.</role>
<task>
You are a security engineer performing a code audit focused on finding exploitable vulnerabilities.
Language/Framework: {{language_and_framework}}
Threat model: {{threat_model}}
Security standards to check against: {{standards}}
Audit the following code for vulnerabilities from these categories:
- Injection (SQL, command, LDAP, XPath)
- Broken Authentication and session management
- Sensitive Data Exposure (logging secrets, PII in responses)
- XML/JSON parsing vulnerabilities
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting (if applicable)
- Insecure Deserialisation
- Using Components with Known Vulnerabilities
For each finding, provide:
- **Vulnerability**: OWASP category and CVE type if applicable
- **Severity**: Critical / High / Medium / Low (using CVSS v3 scale)
- **Location**: file name or line number
- **Proof of Concept**: how an attacker would exploit this
- **Remediation**: specific code change to fix it
Code:
```{{language}}
{{code}}
```
</task>
<instructions>Structure your response clearly with headers and concrete examples.</instructions>
Variables
- {{language_and_framework}}: e.g., Python 3.12 with Flask 3.0, Node.js with Express 4
- {{language}}: Language name for code highlighting
- {{threat_model}}: Who the attacker is, e.g., "unauthenticated internet user", "malicious authenticated user", "internal employee"
- {{standards}}: Security standards: "OWASP Top 10 2021", "PCI DSS", "HIPAA", or "None"
- {{code}}: The code to audit
Example
language_and_framework: Node.js with Express 4
language: javascript
threat_model: unauthenticated internet user
standards: OWASP Top 10 2021
code:
```javascript
app.post('/login', (req, res) => {
  const { username, password } = req.body;
  db.query(`SELECT * FROM users WHERE username='${username}' AND password='${password}'`, (err, rows) => {
    if (rows.length > 0) {
      req.session.userId = rows[0].id;
      res.redirect('/dashboard');
    }
  });
});
```
**SQL Injection — A03:2021 Injection [Critical]**
Location: db.query call
PoC: Submit username: `' OR '1'='1` — the query becomes `WHERE username='' OR '1'='1'` which always returns a row, granting access as the first user in the table.
Remediation: Use parameterised queries: `db.query('SELECT * FROM users WHERE username=? AND password=?', [username, password])`
**Plain-text Password Storage [Critical]**
Location: WHERE password='...' comparison
PoC: If the database is breached, all passwords are immediately readable.
Remediation: Store bcrypt hashes. Compare with `bcrypt.compare(password, user.passwordHash)`.
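The two remediations above combined into one handler, as an added example that is not part of the original page. Assumptions: `makeLoginHandler`, the `passwordHash` column and the `db.query(sql, params, callback)` client shape are hypothetical, and Node's built-in scrypt stands in for bcrypt so the block runs without third-party packages.

```javascript
// Added example: hardened counterpart of the audited /login handler.
const crypto = require('node:crypto');

// Password hashing with Node's built-in scrypt (stand-in for bcrypt).
// Stored format (an assumption of this example): "<salt hex>:<hash hex>".
function hashPassword(password, salt = crypto.randomBytes(16)) {
  const hash = crypto.scryptSync(password, salt, 32);
  return `${salt.toString('hex')}:${hash.toString('hex')}`;
}

function verifyPassword(password, stored) {
  const [saltHex, hashHex] = stored.split(':');
  const expected = Buffer.from(hashHex, 'hex');
  const actual = crypto.scryptSync(password, Buffer.from(saltHex, 'hex'), expected.length);
  return crypto.timingSafeEqual(actual, expected); // constant-time comparison
}

// Checked when the username is unknown, so both failure paths do the same work.
const DUMMY_HASH = hashPassword('constructed-dummy-password');

// `db` is any client exposing query(sql, params, callback) (hypothetical shape).
function makeLoginHandler(db) {
  return (req, res) => {
    const { username, password } = req.body || {};
    // Reject objects and arrays before they reach the driver's placeholder handling.
    if (typeof username !== 'string' || typeof password !== 'string') {
      return res.status(400).send('Bad request');
    }
    // The SQL text is constant; user input travels only as a bound parameter.
    const sql = 'SELECT id, passwordHash FROM users WHERE username = ?';
    db.query(sql, [username], (err, rows) => {
      if (err) return res.status(500).send('Internal error');
      const user = rows && rows[0];
      const ok = verifyPassword(password, user ? user.passwordHash : DUMMY_HASH);
      // Same response for unknown user and wrong password.
      if (!user || !ok) return res.status(401).send('Invalid credentials');
      req.session.userId = user.id;
      res.redirect('/dashboard');
    });
  };
}
```

Mount it with `app.post('/login', makeLoginHandler(db))`; existing plain-text passwords have to be re-hashed with `hashPassword` before this handler can verify them.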
FAQ
- Can an AI replace a professional penetration test?
- No. AI audits are a useful first pass that catches obvious vulnerabilities quickly, but they miss complex multi-step attack chains, business logic flaws, and vulnerabilities that require runtime testing. Use AI audits to improve code quality before a formal pentest.
- How do I audit infrastructure configuration as well as code?
- Add your Kubernetes manifests, Terraform configs, or nginx.conf to the code block and add "infrastructure misconfiguration" to the audit categories. The AI will flag issues like public S3 buckets, overly permissive IAM roles, and missing security headers.
- Is it safe to paste production code into an AI tool?
- Check your organisation's data handling policy first. Remove real API keys, credentials, and PII before pasting. Most enterprise AI tools have data isolation, but when in doubt, use anonymised code samples for the audit.