Cyber Security · February 18, 2026 · 6 min read

AI Prompts for Cyber Security Teams (7 Templates SOCs Actually Use)

Practical AI prompts for cyber security teams — phishing teardown, log triage, threat modeling, vendor questionnaires, tabletop exercises and more.

Nirmal Rabari

AI Trainer · Cyber Security Educator

AI is now on both sides of the cyber security fight. Defenders use it to triage alerts; attackers use it to write better phishing. These are the prompts I teach to security teams and the ones I use in my corporate cyber awareness workshops.

1. Phishing email teardown (for awareness training)

Act as a security analyst running an awareness session.
Analyze the email below. Identify every social engineering tactic
(urgency, authority, fear, curiosity, look-alike domain, etc.),
quoting the exact phrase. End with 3 questions an employee should
ask before clicking.
Email: """{paste}"""

2. Password / passphrase policy reviewer

Review our password policy below against NIST SP 800-63B (2024).
List gaps, ranked by risk. Suggest the minimum changes needed to be compliant.
Policy: """{paste}"""

3. Log triage

You are a SOC analyst. Given these logs, identify:
- Suspicious patterns
- Likely TTPs mapped to MITRE ATT&CK
- The 3 highest-priority alerts to investigate first
- A 1-paragraph incident summary I can paste in Slack

4. Vendor security questionnaire helper

Draft answers to the security questionnaire below.
Use our SOC 2 Type II controls (summary attached).
If a question can't be answered from the controls, mark "Needs SME input"
and tell me which team owns it.

5. Tabletop incident scenario generator

Design a 60-minute tabletop exercise for our exec team.
Scenario: ransomware via a compromised SaaS vendor.
Include: timeline, injects every 10 minutes, decision points,
success criteria, and 5 debrief questions.

6. Policy → plain English

Rewrite this security policy for non-technical staff.
8th-grade reading level. Use examples. End with a 5-item "do / don't" list.

7. Threat-model a new feature

We're shipping {feature}. Run a STRIDE threat model.
For each threat: likelihood, impact, mitigation, owner.
End with the top 3 risks I should escalate to the CISO.

Using AI safely

  • Never paste customer PII, secrets, or source code into a public chat. Use enterprise tenants with data-retention off.
  • Treat LLM output as a draft, not evidence. Verify everything that touches a control.
  • Watch for prompt injection in any AI feature you ship — assume every input is hostile.
  • Log AI usage the way you log database access. Auditors will ask.
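Prompt 3 (log triage) and the first and last bullets above meet in practice at one point: the logs have to be scrubbed before they leave the tenant, and the call has to be recorded. The script below is an added example, not code from the original post or from any tool the author uses. It assumes a hypothetical minimal rule set (an AWS-style access key id, `key=value` credentials, bearer tokens, email addresses, IPv4 addresses), constructed sample log lines, and placeholder `user` and `model` names. Secrets are dropped outright; identifiers are replaced with stable per-value pseudonyms so the model can still see that one host recurs across lines, while the reverse map stays local. The prompt is built from the page's own triage template, refused if any original value survives, and paired with an audit record that hashes what was sent rather than storing it.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed sample log lines for the demonstration; they come from no real system.
SAMPLE_LOGS = [
    "2026-02-18T09:01:12Z sshd[2201]: Failed password for admin from 203.0.113.45 port 51122",
    "2026-02-18T09:01:15Z sshd[2201]: Failed password for admin from 203.0.113.45 port 51130",
    "2026-02-18T09:02:03Z sshd[2207]: Accepted password for admin from 203.0.113.45 port 51140",
    "2026-02-18T09:02:40Z app[88]: login ok user=jane.doe@example.com src=10.0.4.17 token=eyJhbGciOiJIUzI1NiJ9.abc.def",
    "2026-02-18T09:03:10Z aws-cli: configured access key AKIAIOSFODNN7EXAMPLE from 203.0.113.45",
]

# Hypothetical minimal rule set. Secrets are dropped outright and never stored. Each rule is
# idempotent: run again over already-redacted text it matches nothing, which makes the
# post-check in prepare_triage() meaningful.
SECRET_RULES = [
    # AWS-style access key id (AKIA + 16 chars)
    (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "<REDACTED_SECRET>"),
    # key=value credentials: keep the key name so the analyst still sees which field it was
    (re.compile(r"(?i)\b((?:token|password|passwd|api[_-]?key|secret)=)(?!<REDACTED_SECRET>)\S+"),
     r"\g<1><REDACTED_SECRET>"),
    # bearer tokens copied out of HTTP headers
    (re.compile(r"(?i)\b(bearer\s+)(?!<REDACTED_SECRET>)[A-Za-z0-9._~+/-]+=*"),
     r"\g<1><REDACTED_SECRET>"),
]

# Identifiers get a stable token per distinct value, so the model can still see that the
# same host appears in several lines without learning the real address.
IDENTIFIER_PATTERNS = {
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# The page's log-triage prompt, with one line telling the model what the placeholders mean.
TRIAGE_TEMPLATE = (
    "You are a SOC analyst. Given these logs, identify:\n"
    "- Suspicious patterns\n"
    "- Likely TTPs mapped to MITRE ATT&CK\n"
    "- The 3 highest-priority alerts to investigate first\n"
    "- A 1-paragraph incident summary I can paste in Slack\n"
    "Note: <IP_n> and <EMAIL_n> are stable pseudonyms; <REDACTED_SECRET> marks a removed credential.\n"
    'Logs: """\n{logs}\n"""'
)


class Redactor:
    """Scrubs log lines before they leave the tenant; the reverse map stays local."""

    def __init__(self):
        self.forward = {}   # (kind, original value) -> token
        self.reverse = {}   # token -> original value; never sent to the model
        self.counters = {}
        self.secrets_removed = 0

    def _pseudonym(self, kind, value):
        key = (kind, value)
        if key not in self.forward:
            self.counters[kind] = self.counters.get(kind, 0) + 1
            token = f"<{kind}_{self.counters[kind]}>"
            self.forward[key] = token
            self.reverse[token] = value
        return self.forward[key]

    def redact_line(self, line):
        # Secrets first, so a credential is never mistaken for an identifier and pseudonymised.
        for pattern, replacement in SECRET_RULES:
            line, n = pattern.subn(replacement, line)
            self.secrets_removed += n
        for kind, pattern in IDENTIFIER_PATTERNS.items():
            line = pattern.sub(lambda m, k=kind: self._pseudonym(k, m.group(0)), line)
        return line


def contains_secret(text):
    """Post-check: True if any secret rule still fires on text that is about to be sent."""
    return any(pattern.search(text) for pattern, _ in SECRET_RULES)


def prepare_triage(lines, user, model):
    """Redact, build the triage prompt, verify nothing original leaked, emit an audit record."""
    redactor = Redactor()
    clean = [redactor.redact_line(line) for line in lines]
    prompt = TRIAGE_TEMPLATE.format(logs="\n".join(clean))
    # Refuse to send if a secret pattern still matches or any pseudonymised value survived.
    if contains_secret(prompt) or any(v in prompt for v in redactor.reverse.values()):
        raise ValueError("redaction incomplete; refusing to build prompt")
    # Audit record in the spirit of "log AI usage like database access": who, which model,
    # a hash of exactly what was sent (not the content itself), and what the redactor touched.
    audit = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "model": model,
        "prompt_sha256": hashlib.sha256(prompt.encode("utf-8")).hexdigest(),
        "lines_in": len(lines),
        "secrets_removed": redactor.secrets_removed,
        "identifiers_pseudonymised": len(redactor.reverse),
    }
    return prompt, audit, redactor.reverse


if __name__ == "__main__":
    # "analyst01" and "enterprise-tenant-model" are placeholders, not real identities.
    prompt, audit, reverse_map = prepare_triage(SAMPLE_LOGS, user="analyst01", model="enterprise-tenant-model")
    print(prompt)
    print(json.dumps(audit, indent=2))
    print("local reverse map (do not send):", reverse_map)
```

When the model's summary comes back it refers to `<IP_1>` and `<EMAIL_1>`; the analyst resolves those from the local reverse map, which is the step that keeps the output a draft rather than evidence: the real identifiers were never in the request, so the model cannot have "confirmed" anything about them. The audit record is what you hand an auditor: timestamp, user, model, a hash of the exact prompt, and counts of what was removed, without retaining the logs a second time.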

AI doesn't replace your security team — it gives them leverage. The teams that win are the ones that train every employee (not just the SOC) to use AI safely and to recognize when AI is being used against them.
