Scope

What's in scope: product features + tool integrations + data sources. What's out: unrelated infra. Document upfront.

Advertisement

Methodology

Threat model per feature. Attack tree per threat. Test each leaf. Score severity + likelihood.

Advertisement

Cadence

Pre-launch: intensive. Post-launch: continuous. Every model/prompt change: focused re-test.

Reporting

Vulnerability report per finding: reproducer, impact, remediation. Track like CVEs internally.