Scope
What's in scope: the product's features, every tool integration the model can call, and every data source it can read. What's out: infrastructure the feature doesn't touch. Write the boundary down before testing starts so findings can't be dismissed as out of scope afterwards.
Methodology
Threat model per feature. Attack tree per threat, with each leaf a concrete attack step that can be tested. Test every leaf and record the outcome. Score each leaf on severity and likelihood, and roll the scores up the tree so the worst realistic path is visible.
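An attack tree with per-leaf test results and a severity-times-likelihood score, rolled up through OR and AND nodes, as an added example (not code from the original page). The feature, tree shape, scores and test outcomes are constructed for illustration; the roll-up rule (OR takes the worst child, AND takes the weakest step) is one common convention, not the only one.

```python
"""Attack-tree scoring for one threat in an AI feature's threat model.

Added example, not from the original page. The tree, node names, scores
and test outcomes below are constructed/hypothetical.
"""
from dataclasses import dataclass, field
from typing import List, Literal, Optional


@dataclass
class Node:
    name: str
    kind: Literal["OR", "AND", "LEAF"] = "LEAF"
    children: List["Node"] = field(default_factory=list)
    # Leaf-only fields: did the test for this attack step succeed
    # (None = not yet tested), and analyst-assigned 1-5 scores.
    succeeded: Optional[bool] = None
    severity: int = 0
    likelihood: int = 0


def leaf_risk(n: Node) -> int:
    """Severity * likelihood for a leaf; zero only if the test proved the
    step fails. An untested leaf is scored as if it succeeded, so gaps in
    coverage inflate risk rather than hide it."""
    if n.succeeded is False:
        return 0
    return n.severity * n.likelihood


def risk(n: Node) -> int:
    """Roll risk up the tree: an OR node is as bad as its worst child
    (attacker picks the path); an AND node is bounded by its weakest step
    (attacker needs all of them)."""
    if n.kind == "LEAF":
        return leaf_risk(n)
    scores = [risk(c) for c in n.children]
    if not scores:
        return 0
    return max(scores) if n.kind == "OR" else min(scores)


def untested(n: Node) -> List[str]:
    """Leaves with no recorded test result: the work left before the
    score can be trusted."""
    if n.kind == "LEAF":
        return [n.name] if n.succeeded is None else []
    out: List[str] = []
    for c in n.children:
        out.extend(untested(c))
    return out


def build_example_tree() -> Node:
    # Constructed tree for a hypothetical "summarize this web page" feature
    # that has a browsing tool and an email-sending tool.
    return Node("Exfiltrate user data via prompt injection", "OR", [
        Node("Direct injection in the user's message", "LEAF",
             succeeded=False, severity=4, likelihood=4),
        Node("Indirect injection through a fetched page", "AND", [
            Node("Fetched page content reaches the model unfiltered", "LEAF",
                 succeeded=True, severity=3, likelihood=5),
            Node("Model follows injected instruction to call send_email", "LEAF",
                 succeeded=True, severity=5, likelihood=3),
            Node("send_email runs without user confirmation", "LEAF",
                 succeeded=None, severity=5, likelihood=4),
        ]),
    ])


if __name__ == "__main__":
    tree = build_example_tree()
    print(f"rolled-up risk for '{tree.name}': {risk(tree)}")
    for gap in untested(tree):
        print("untested leaf:", gap)
```

The direct-injection leaf scores zero because its test failed; the indirect path scores 15, bounded by its weakest tested step, and the untested confirmation leaf is flagged so the score is re-run once that test is recorded.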
Cadence
Pre-launch: intensive, the full tree for every in-scope feature. Post-launch: continuous, since new prompts and new tool integrations reopen old leaves. Every model or prompt change: a focused re-test of the threats that change can affect, not a full pass.
Reporting
One vulnerability report per finding: a reproducer (exact input, model version, prompt version), the impact, and the remediation. Track findings internally the way CVEs are tracked: unique ID, owner, status, and a re-test that confirms the fix before the finding is closed.