Core agents skills

​

• Threat-agent & attack-surface mapping: Identify relevant adversaries and map applications, infrastructure and supply-chain assets to pinpoint exposures.

• Vulnerability assessment & management: Scan systems, prioritise weaknesses and recommend remediation and mitigation plans.

• Scenario analysis & threat forecasting: Use intelligence and historic incidents to model emerging threats and inform proactive defences.

• Vendor & supply-chain risk: Evaluate supplier security posture and flag high-risk relationships.

• AI security & adversarial ML: Assess AI models for safety, fairness and robustness against adversarial attacks using NIST's taxonomy.

• IT Ops & service management: Analyse configuration, change, backup and incident-management practices across IT operations

• Cloud security: Review cloud configurations for misconfigurations, encryption and data-loss prevention.

• Identity & privileged-access management: Evaluate IAM and privileged-access controls for robust authentication and least-privilege enforcement.

 

Examples:

• Run a security assessment for a new deployment without involving the engineering team

• Prioritise vulnerability scan results by context and draft remediation actions

• Produce a threat model from architecture documentation

• Complete a vendor security questionnaire using existing policies and prior assessments

• Review cloud configurations against compliance requirements

 

Standards supported: ISO 27001, NIST SP 800-*, NIST AI RMF, NIS2, DORA, EU AI Act, HIPAA, PCI DSS.

 

Guardrails set by: CISO / Head of Security 

Output reviewed by: Security team

Core agents skills:

 

• Context establishment & ingestion: Agents ingest architecture documents, risk registers, service inventories and internal knowledge bases (e.g. wiki/Confluence pages) to understand objectives, regulatory environment and risk criteria.

• Risk identification: They analyse threats and vulnerabilities to identify potential risks and their relevance.

• Risk analysis & prioritisation: Agents assess likelihood and impact using qualitative, quantitative methods and maintain a live risk register.

• Risk appetite & treatment: They compare risks against your risk appetite and recommend treatments such as mitigation, avoidance, transfer or acceptance.

• Control alignment: Agents map risks to controls from standards, flagging gaps for remediation.

• Governance & reporting: They prepare dashboards and executive summaries

• Dependency analysis: When a new risk is identified, trace it across dependent systems and controls to show the full exposure.

 

Examples:

• Complete a technology risk assessment for a new system without a risk workshop

• Keep the risk register updated from live environment data

• Map controls to pre-defined standards and flag gaps automatically

• Draft responses to regulatory information requests

• Produce risk reporting for the board without manual data gathering

 

Standards & frameworks supported: ISO 27005, ISO 31000, ISO 42001, NIST SP 800-*, NIST AI RMF, MIT AI Risk DB.

 

Guardrails set by: CRO / Head of Technology Risk 

Output reviewed by: Risk team

Core agent skills:​

​

• Evidence assembly: Pull evidence continuously from source systems — access logs, change tickets, approval records, config snapshots. 

• Control drift detection: Monitor controls against their expected state and flag changes as they happen.

• Remediation planning: Map findings against the current control environment. Determine what needs updating vs what's new. 

• Impact analysis: Trace a finding across dependent controls to show the full picture — so fixes are coordinated, not one by one.

• Audit-readiness testing: Run the same tests auditors will, against the same criteria, before the audit starts.

• ITGC evaluation: Assess access management, change management, IT operations, backup & recovery and data protection controls against standard frameworks.

 

Examples:

• Assemble evidence packages without involving the tech team

• Detect control drift within days of a change

• Draft remediation plans that map existing vs new controls needed

• Trace findings across the control environment

• Run pre-audit tests against COBIT, ISO 27001 or SOC 2 before the auditor arrives

 

Standards & frameworks supported: ISO 31000, SOC 2, ISO 42001, ITIL, NIST SP 800-53, NIS2, DORA, EU AI Act.

 

Guardrails set by: CAO / Head of Internal Audit 

Output reviewed by: Audit team