This prompt template enables you to conduct a comprehensive security and technical audit of any software project, generating an After Action Review with actionable solutions at three levels: Good, Better, and Best.
I need you to conduct a comprehensive Platform After Action Review (AAR) for my project. Follow these exact steps:
## Step 1: Initial Discovery and Analysis
First, analyze the entire codebase systematically:
1. **Project Structure Analysis**
- Map out the complete directory structure
- Identify all major components (frontend, backend, database, APIs)
- Note the tech stack and frameworks used
- Document all configuration files
2. **Security Vulnerability Scan**
- Search for hardcoded credentials, API keys, secrets
- Identify authentication and authorization implementations
- Look for input validation and sanitization
- Check for command execution patterns
- Review CORS and security headers configuration
- Analyze file upload handling
- Check for SQL injection possibilities
- Review API endpoint security
3. **Architecture Analysis**
- Identify design patterns (or anti-patterns)
- Look for god objects and tightly coupled code
- Analyze separation of concerns
- Review dependency management
- Check for circular dependencies
- Evaluate modularity and reusability
4. **Performance Analysis**
- Check bundle sizes and code splitting
- Analyze database queries and N+1 problems
- Review caching implementations
- Check for memory leaks
- Analyze API response times
- Review resource usage patterns
5. **Scalability Assessment**
- Review concurrent user handling
- Check for horizontal scaling readiness
- Analyze database connection pooling
- Review queue and worker implementations
- Check for single points of failure
6. **DevOps and Infrastructure**
- Review CI/CD pipelines
- Check deployment configurations
- Analyze monitoring and logging
- Review backup strategies
- Check disaster recovery plans
- Analyze secrets management
7. **Testing Coverage**
- Identify existing tests (unit, integration, E2E)
- Calculate test coverage percentages
- Review test quality and assertions
- Check for security testing
- Analyze performance testing
8. **Best Practices Compliance**
- OWASP Top 10 compliance check
- Framework best practices adherence
- Code style and linting
- Documentation completeness
- Accessibility standards (WCAG)
## Step 2: Generate the AAR Document
Create a markdown file with the following structure:
# Platform Comprehensive After Action Review
**Date**: [Current Date]
**Platform**: [Project Name]
**Review Type**: Security & Technical Audit
**Severity**: CRITICAL
## Executive Summary
[Brief overview of findings, overall score, and critical issues]
## 1. Security Analysis - Score: X/10 π
### Critical Vulnerabilities Found
#### 1.1 [Vulnerability Name]
- [Detailed description]
- [Evidence with file paths and line numbers]
- [Potential impact]
**Solutions:**
**Good Solution - [Quick Fix Name]**
- **Implementation**: [Brief description]
- **Components**:
1. [Component 1]
2. [Component 2]
3. [Component 3]
- **Code Example**:
[language]
// Actual code implementation
- **Expected Results**:
- [Result 1]
- [Result 2]
- **Pros**: [List pros]
- **Cons**: [List cons]
**Better Solution - [Intermediate Fix Name]**
[Same structure as above with more comprehensive solution]
**Best Solution - [Enterprise-Grade Fix Name]**
[Same structure as above with most robust solution]
[Repeat for each vulnerability]
## 2. Architecture Analysis - Score: X/10 ποΈ
[Same structure as Security section]
## 3. Performance Analysis - Score: X/10 β‘
[Same structure]
## 4. Accessibility Analysis - Score: X/10 βΏ
[Same structure]
## 5. DevOps Analysis - Score: X/10 β
[Same structure]
## 6. Testing Analysis - Score: X/10 π§ͺ
[Same structure]
## 7. Best Practices Compliance - Score: X/10 π
[Same structure]
## Recommendations Priority Matrix
[Table of all recommendations sorted by priority and effort]
## Step 3: Solution Requirements
For EVERY issue identified, create exactly 3 solutions following these rules:
### Good Solution (Quick Fix)
- Implementable in 1-2 days
- Minimal architectural changes
- Addresses the immediate vulnerability/issue
- Uses existing libraries and patterns
- Include actual, working code examples
- Must pass basic security scans
### Better Solution (Proper Implementation)
- Implementable in 1 week
- May require some architectural changes
- Implements industry best practices
- Includes monitoring and logging
- Comprehensive code examples with error handling
- Must pass penetration testing
### Best Solution (Enterprise-Grade)
- Implementable in 2-4 weeks
- Can include architectural overhaul
- Implements cutting-edge security practices
- Includes AI/ML-powered features where applicable
- Production-grade code with full observability
- Must pass enterprise security audits
- Future-proof and scalable
## Step 4: Solution Constraints
All solutions must:
1. **Be Brutally Honest**
- Call out bad practices directly
- Don't sugarcoat security vulnerabilities
- Acknowledge technical debt
2. **Be Grounded in Reality**
- Reference actual files and line numbers
- Use the project's existing patterns
- Work with current dependencies
- Consider team expertise
3. **Not Add Technical Debt**
- Follow SOLID principles
- Include proper error handling
- Add appropriate tests
- Document thoroughly
4. **Be Security-First**
- Every solution must consider security implications
- Include input validation
- Implement proper authentication/authorization
- Consider OWASP Top 10
5. **Be Desktop-Focused** (if web app)
- Remove mobile-specific code
- Optimize for desktop performance
- Use desktop-appropriate UI patterns
6. **Pass Security Audits**
- Solutions must withstand penetration testing
- Include security headers
- Implement rate limiting
- Use secure defaults
7. **Preserve Functionality**
- Don't remove features
- Maintain backward compatibility
- Keep user workflows intact
## Step 5: Code Example Requirements
Every code example must:
- Be complete and runnable
- Include all imports
- Handle errors properly
- Include comments for complex logic
- Follow project conventions
- Be tested and verified
## Step 6: Output Format
- Place all solutions directly under each issue
- Don't mention time estimates or effort levels
- Focus on implementation details
- Include configuration changes needed
- Reference specific files in the project
- Provide clear implementation steps
## Additional Context:
- Project Type: [Web App/API/Mobile/Desktop]
- Tech Stack: [List all technologies]
- Team Size: [Number of developers]
- Security Requirements: [Compliance needs]
- Performance Requirements: [Specific metrics]
- Budget Constraints: [If any]
-
Preparation:
- Have your complete codebase accessible
- Know your tech stack and requirements
- Understand your security compliance needs
-
Execution:
- Copy the master prompt above
- Fill in the placeholders in "Additional Context"
- Provide access to your codebase
- Run the analysis
-
Iteration:
- After initial AAR generation, ask for specific sections to be expanded
- Request additional vulnerabilities to be checked
- Ask for alternative solutions if needed
-
Implementation Guidance:
- Start with "Good" solutions for critical vulnerabilities
- Plan "Better" solutions for next sprint
- Reserve "Best" solutions for major releases
After the initial AAR, you can use these prompts:
1. "Focus deeper on the authentication system and provide more detailed solutions"
2. "Add performance benchmarks for each solution"
3. "Include cost estimates for cloud resources needed"
4. "Generate a migration plan from Good to Better to Best solutions"
5. "Create test cases for each security vulnerability"
6. "Provide Docker configurations for each solution level"
7. "Add monitoring and alerting configurations"
8. "Include rollback strategies for each solution"API-First Projects:
- Add API versioning analysis
- Include rate limiting strategies
- Focus on endpoint security
Microservices:
- Add service mesh analysis
- Include distributed tracing
- Focus on inter-service communication
Real-time Applications:
- Add WebSocket security
- Include connection pooling
- Focus on message queue security
ML/AI Applications:
- Add model security analysis
- Include data poisoning prevention
- Focus on inference optimization
HIPAA Compliance:
- Add PHI data handling analysis
- Include audit logging requirements
- Focus on encryption at rest
PCI-DSS Compliance:
- Add payment data handling
- Include network segmentation
- Focus on key management
SOC 2 Compliance:
- Add access control analysis
- Include change management
- Focus on availability metrics
- Be Specific: Provide exact file paths and project structure
- Share Context: Explain business requirements and constraints
- Iterate: Don't accept the first version - ask for clarifications
- Validate: Test the suggested code examples
- Prioritize: Focus on critical vulnerabilities first
- Document: Keep the AAR updated as you implement fixes
If your AAR reveals these, prioritize immediate fixes:
- Hardcoded credentials
- No authentication on endpoints
- SQL injection vulnerabilities
- Unencrypted sensitive data
- No rate limiting
- Missing security headers
- Outdated dependencies with CVEs
- No input validation
- Broad CORS policies
- No logging/monitoring
This AAR prompt template will help you:
- Identify all security vulnerabilities
- Get actionable, tiered solutions
- Improve code quality systematically
- Prepare for security audits
- Build more secure applications
Remember: Security is not a one-time fix but an ongoing process. Use this AAR template regularly (quarterly recommended) to maintain high security standards.