Security Audit

Post-scan security report generator — turns vulnerability scan CSV exports into executive summaries, technical finding reports, and compliance gap analyses in minutes instead of hours.

Plugin ID

pf-security-audit

Category

it

Version

v1.0

Downloads

47
pf-security-audit

Alternative to the reporting layer of RapidFire Tools ($3,600–9,600/yr) and Tenable for MSPs who already have a scanner and need fast, professional client reports.


Installation

  1. Download the pf-security-audit.plugin file
  2. Open Claude Desktop and navigate to Settings > Plugins
  3. Click Install Plugin and select the downloaded .plugin file
  4. The plugin will be installed and available immediately

Note: All data stays local on your machine. No external API calls or cloud storage required.

The Problem This Solves

MSPs and vCISOs spend 3–6 hours per client manually formatting vulnerability scan exports into professional client-ready reports — executive summaries for the board, technical trackers for engineers, compliance gap analyses for auditors. This report-writing burden makes SMB security assessments unprofitable.

This plugin automates the entire post-scan reporting workflow. Provide your scan CSV. Get professional client documents.

Key Differentiators

  • Included with your subscription — no per-client, per-seat, or per-scan fees
  • Data stays local — scan results are processed within the Cowork environment
  • Works with any scanner — accepts CSV exports from Nessus, OpenVAS, Qualys, or any generic CSV format
  • Fully customizable — edit the DOCX templates to match your branding in minutes

Quick Start

# Step 1: Initialize (once)
/security:security-setup

# Step 2: Place your scan export in the inbound/ folder
# (Copy your Nessus/OpenVAS/Qualys CSV to pf-security-audit/inputs/ or workspace/inbound/)

# Step 3: Run the full pipeline
/security:security-pipeline acme-scan-2026-03-10.csv --framework NIST

# Or run individual steps:
/security:security-ingest acme-scan-2026-03-10.csv
/security:security-executive
/security:security-technical
/security:security-compliance NIST

Commands

| Command | Description |
|---|---|
| /security:security-setup | Initialize workspace, install dependencies, copy templates |
| /security:security-ingest [file.csv] | Parse scan export into structured JSON |
| /security:security-executive | Generate executive summary DOCX |
| /security:security-technical | Generate technical findings XLSX |
| /security:security-compliance [NIST\|CIS\|HIPAA\|PCI] | Generate compliance gap analysis DOCX |
| /security:security-pipeline [file.csv] [--framework X] | Run the full pipeline in one command |
| /security:security-status | Show pipeline progress and output files |

AI-Powered Features

This plugin uses Claude AI to do the analysis work that takes security professionals hours to do manually:

  1. Risk Posture Narrative (NIST SP 800-115) — Claude reads raw vulnerability counts and writes a plain-language risk summary following NIST SP 800-115 §5 assessment reporting methodology, grounded in FAIR risk terminology (Threat Event Frequency, Loss Magnitude).
  2. Business Impact Translation (FAIR + MITRE ATT&CK) — Claude rewrites technical CVE descriptions into business-impact language using FAIR terminology and MITRE ATT&CK tactic/technique context, explaining WHY each finding matters for the client's operations.
  3. Enhanced Remediation Guidance (NIST SP 800-40r4 SLAs) — Claude augments generic scanner solution text with specific, actionable fix steps including CWE root cause context, NIST SP 800-40 Rev 4 SLA timelines (Critical=48h, High=14d, Medium=30d, Low=90d), and SSVC prioritization decisions.
  4. Compliance Framework Mapping (4 Frameworks) — Claude maps each vulnerability to applicable framework controls (NIST CSF 2.0 with SP 800-53 cross-references, CIS Controls v8 with IG1/IG2/IG3 grouping, HIPAA §164.308/310/312, PCI DSS v4.0), explains the gap in the framework's language, and writes remediation guidance aligned with the control objective.
  5. CWE/OWASP Classification — Automatically classifies findings against CWE Top 25 2023 taxonomy and OWASP Top 10 2021 categories for root cause analysis.
  6. CISA KEV Detection — Flags findings matching CISA Known Exploited Vulnerability patterns, indicating confirmed active exploitation in the wild.
  7. SSVC Prioritization — Applies CISA's Stakeholder-Specific Vulnerability Categorization decision tree to produce actionable prioritization (immediate/out-of-cycle/scheduled/defer).
  8. MITRE ATT&CK Mapping — Maps Critical/High findings to MITRE ATT&CK Enterprise techniques (T1190, T1068, T1078, etc.) for threat context.

Supported Scanners

| Scanner | Format | Notes |
|---|---|---|
| Tenable Nessus | CSV export | Auto-detected by headers |
| OpenVAS / Greenbone | CSV export | Auto-detected |
| Qualys VMDR | CSV export | Auto-detected |
| Generic | CSV | Any CSV; auto-maps columns flexibly |

Column headers are matched flexibly — exact header names are not required.

Feature Comparison

| Feature | This Plugin | RapidFire Tools | Tenable Nessus |
|---|---|---|---|
| Executive DOCX | ✓ AI-generated with FAIR terminology | ✓ Templated | Limited |
| Technical XLSX | ✓ With CWE/OWASP/ATT&CK/SSVC columns | | CSV only |
| Compliance gap report | ✓ NIST/CIS/HIPAA/PCI DSS | ✓ GRC add-on | Limited |
| CWE/OWASP classification | ✓ Automatic | Manual | Partial |
| CISA KEV detection | ✓ Pattern matching | No | Yes (paid) |
| SSVC prioritization | ✓ Decision tree | No | No |
| MITRE ATT&CK mapping | ✓ Critical/High findings | No | Partial |
| Remediation SLAs | ✓ NIST SP 800-40r4 | No | No |
| Customizable branding | ✓ Edit templates | Limited | No |
| Data privacy (local) | | Cloud-based | Cloud-based |
| Annual cost | Included with your subscription | $3,600–9,600 | $3,990+ |
| Scanning engine | ✗ (needs scanner) | | |

Workflow & Data Flow

inbound/*.csv
    ↓
[security-ingest]
    ↓
processing/security-findings.json
    ↓ ↓ ↓ (parallel)
[security-executive]  [security-technical]  [security-compliance]
    ↓                       ↓                        ↓
executive-summary.docx  technical-report.xlsx  compliance-gap.docx

Stages 2–4 are independent. You can run only the reports you need.
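As an added example (not the plugin's own code), here is a minimal Python version of the security-ingest stage: it maps scanner CSV headers flexibly, as the Supported Scanners section describes, normalizes each row into a finding, and attaches a remediation due date from the NIST SP 800-40r4 SLA windows quoted under AI-Powered Features. The header alias map, the sample CSV rows and the placeholder CVE id are constructed for illustration.

```python
import csv
from datetime import datetime, timedelta, timezone

# Header aliases per normalized field (assumed; extend for your exports).
ALIASES = {"host": ["host", "ip", "ip address", "hostname"],
           "name": ["name", "plugin name", "vulnerability", "title"],
           "severity": ["severity", "risk", "threat"], "cve": ["cve", "cves", "cve id"]}
# Remediation windows quoted on the page (NIST SP 800-40r4 SLA timelines).
SLA = {"critical": timedelta(hours=48), "high": timedelta(days=14),
       "medium": timedelta(days=30), "low": timedelta(days=90)}
# Constructed sample export with Nessus-like headers; the CVE id is a placeholder.
SAMPLE_CSV = """Plugin ID,Risk,Host,Name,CVE
1,Critical,10.0.0.5,Constructed critical finding,CVE-YYYY-NNNN
2,None,10.0.0.5,Informational banner,
3,Medium,10.0.0.7,Constructed medium finding,
"""

def _norm(header):
    return header.strip().lower().replace("_", " ").replace("-", " ")

def map_columns(headers):
    # Match on case- and punctuation-insensitive names; exact headers not required.
    lookup = {_norm(h): h for h in headers}
    mapping = {}
    for field, names in ALIASES.items():
        for n in names:
            if n in lookup:
                mapping[field] = lookup[n]
                break
    missing = [f for f in ("name", "severity") if f not in mapping]
    if missing:
        raise ValueError(f"required columns not found: {missing}")
    return mapping

def ingest(csv_text, scanned_at):
    # Parse the export into normalized findings, each with an SLA due date.
    reader = csv.DictReader(csv_text.splitlines())
    cols = map_columns(reader.fieldnames or [])
    findings = []
    for r in reader:
        sev = r[cols["severity"]].strip().lower()
        if sev not in SLA:  # informational rows ("None"/"Info") carry no SLA
            continue
        findings.append({"host": r.get(cols.get("host", ""), "").strip(),
                         "name": r[cols["name"]].strip(), "severity": sev,
                         "cve": r.get(cols.get("cve", ""), "").strip(),
                         "due": (scanned_at + SLA[sev]).isoformat()})
    return findings

def demo():  # run the constructed sample with a fixed scan timestamp
    return ingest(SAMPLE_CSV, datetime(2026, 3, 10, tzinfo=timezone.utc))
```

The returned list is what a processing/security-findings.json stage would serialize; informational rows are dropped because no SLA window applies to them.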

Estimated Cost per Use

Disclaimer: Token estimates are approximate and based on typical usage patterns measured from skill prompt sizes. Actual costs vary with input data size, conversation length, and complexity. Estimates use Claude Sonnet 4.6 pricing ($3/1M input, $15/1M output). Cowork and Claude Desktop subscription users (Pro/Max/Team) are not charged per-token — these estimates apply only to direct Anthropic API usage. Running stages individually in fresh sessions uses fewer input tokens than running the full pipeline sequentially, because pipeline mode accumulates conversation history across stages.

Per skill (run individually in a fresh session):

| Stage | Skill Prompt | User Input | Total Input | Output | Est. Cost |
|---|---|---|---|---|---|
| security-ingest | ~9.0K | ~2.0K | ~14.0K | ~2.0K | ~$0.07 |
| security-technical | ~5.8K | ~800 | ~9.6K | ~5.8K | ~$0.12 |
| security-executive | ~5.7K | ~800 | ~9.5K | ~5.7K | ~$0.11 |
| security-compliance | ~9.1K | ~800 | ~13.0K | ~6.0K | ~$0.13 |
| Standalone total | | | ~46.1K | ~19.5K | ~$0.43 |

Full pipeline (all stages in one session — context accumulates):

| Stage | Base Input | + History | Total Input | Output | Est. Cost |
|---|---|---|---|---|---|
| security-ingest | ~14.2K | 0 | ~14.2K | ~2.0K | ~$0.07 |
| security-technical | ~9.8K | ~4.0K | ~13.8K | ~5.8K | ~$0.13 |
| security-executive | ~9.7K | ~10.6K | ~20.3K | ~5.7K | ~$0.15 |
| security-compliance | ~13.1K | ~17.1K | ~30.2K | ~6.0K | ~$0.18 |
| Pipeline total | | | ~78.4K | ~19.5K | ~$0.53 |

Running the full pipeline once typically costs $0.37–$0.69 in API tokens (Claude Sonnet 4.6).

Known Limitations & Workarounds

  1. No scanning engine — This plugin requires an existing vulnerability scanner (Nessus, OpenVAS, Qualys) to produce the input CSV. It does not scan networks independently. Workaround: Nessus Essentials is free for up to 16 IPs.

  2. No real-time CVE API — CVE details and remediation guidance are based on scan export data and Claude's training knowledge. Live NVD database lookups are not available. Workaround: All outputs include a "Verify at NVD.gov" disclaimer.

  3. No persistent database — The plugin cannot maintain vulnerability trending across multiple scans or show quarter-over-quarter risk improvement. Workaround: Archive scan exports and prior reports in archive/ folder for manual comparison.

  4. Session-based operation — Files in processing/ are ephemeral (reset on new session). Completed reports are saved to pf-security-audit/outputs/ for persistence. Workaround: Always use the persistent outputs/ folder for client delivery.

  5. Framework versions are embedded — NIST CSF 2.0 and CIS Controls v8 mapping knowledge is in the skill prompt. New framework versions require a plugin update. Workaround: Quarterly review recommended; the plugin changelog will note framework updates.

  6. HIPAA applicability — HIPAA Guidance mapping is appropriate only for covered entities handling ePHI. The plugin cannot verify covered entity status. Workaround: HIPAA reports include mandatory covered entity disclaimer.

Context & Performance Guide

  • Small scan (<50 findings): Full pipeline runs in one session, no optimization needed.
  • Medium scan (50–200 findings): Normal operation. All stages complete within context window.
  • Large scan (200–500+ findings): security-ingest uses batch processing for column detection. The executive summary uses only top 5 Critical/High findings.

Requirements

  • Python 3.8+
  • python-docx (auto-installed by setup)
  • openpyxl (auto-installed by setup)
  • A vulnerability scanner that exports CSV (Nessus, OpenVAS, Qualys, or similar)

Legal Notice

All reports generated by this plugin are for informational purposes only and do not constitute professional security advice. CVE details should be verified against NVD.gov before remediation. Engage a qualified security professional for critical decisions.

HIPAA Guidance analysis does not constitute legal advice. Consult legal counsel to confirm covered entity status and compliance obligations.

Important Disclaimers

  • AI-Generated Content: This plugin uses AI (LLM) technology which can produce inaccurate or incomplete outputs. All content should be treated as a starting point and reviewed for accuracy before use.
  • Not Professional Advice: Outputs do not constitute legal, financial, tax, medical, or other professional advice. Consult qualified professionals before making decisions based on generated content.
  • No Compliance Guarantee: References to industry standards, regulations, or guidelines are for informational purposes only. This plugin does not guarantee compliance with any law or regulation. Users are responsible for verifying all outputs meet their specific regulatory requirements.
  • No Endorsement or Affiliation: Mention of third-party products, standards, or organizations does not imply endorsement, partnership, or certification by those entities.

Security Audit | Plugin Factory