Platform Security

The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization's risk strategy to protect their confidentiality, integrity, and availability

Tools for platform security

Hosted MCP servers your agents can use for these controls.

Starter prompts

Paste into Claude Code, Microsoft Copilot, or Codex connected to Tracecat MCP, and build it out together.

Detect drift from hardened baselines

Build me a configuration drift monitor in Tracecat. Store my approved macOS baseline in a Tracecat table, then pull configuration profile and policy status from Jamf on a schedule and diff each device against it. Do the same for cloud accounts using Wiz findings against my hardened account baseline. Open a Linear issue per drifted control with the device or account, the expected setting, and the observed one, then post a weekly drift summary to Slack. First help me understand how this maps to PR.PS-01 and what good configuration management looks like when baselines cover both endpoints and cloud accounts. Ask me where my baselines are documented today and which settings are non-negotiable. Talk me through whether drift checks belong in one scheduled workflow or separate workflows per platform.

Enforce patch SLAs from your vuln plan

Build me a patch SLA tracker in Tracecat. Pull open vulnerabilities from Microsoft Defender XDR and Snyk each day, assign each one a deadline from my vulnerability management plan based on severity and exposure, and keep the state in a Tracecat table. When a vulnerability passes its deadline, open a Jira ticket against the owning team and add it to the overdue list. Send each team lead a short weekly email with their overdue count and the three oldest items. First help me understand how this maps to PR.PS-02 and how routine and emergency patching timeframes are usually defined. Ask me what my SLA windows are per severity, and whether internet-facing assets get shorter ones. Talk me through tuning the dedupe logic so the same CVE on fifty hosts becomes one ticket, not fifty.

Find systems not sending logs

Build me a log coverage checker in Tracecat. Pull my asset inventory from Microsoft Defender XDR and my cloud workloads from Wiz, then query Splunk to see which hosts and services actually shipped logs in the last 24 hours. Diff the two lists, record gaps in a Tracecat table with first-seen and last-seen dates, and open one case per newly silent log source. Escalate anything silent for more than three days into a review with the owning team. First help me understand how this maps to PR.PS-04 and which log records continuous monitoring actually depends on. Ask me which Splunk indexes map to which asset classes, and whether any sources are expected to go quiet. Talk me through setting the silence threshold so weekend-idle systems do not flood the case queue on Monday.

Hunt unauthorized software and extensions

Build me an unauthorized software sweep in Tracecat. Keep my approved software list in a Tracecat table. On a schedule, pull installed applications from Jamf and browser extensions from Secure Annex, and flag anything not on the list. Have the agent sort findings into known risky extensions, prohibited software, and tools that are merely unapproved, then open a case per device with removal steps and message the user in Slack with a deadline to remove it or request an exception. First help me understand how this maps to PR.PS-05 and the difference between blocking execution and detecting unauthorized installs after the fact. Ask me whether I have an allowlist today or need to build one from current inventory. Talk me through which findings justify an automatic uninstall through Jamf versus a user conversation first.

Gate releases on security checks

Build me a release security gate in Tracecat. When a release pull request opens in GitHub, trigger a workflow over a webhook that runs Semgrep on the diff and checks Snyk for new high severity dependency issues. Post the combined result back to the pull request as a comment, and open a Tracecat case for any finding that should block the merge. Track every release and its scan outcome in a table so I have an SDLC evidence trail. First help me understand how this maps to PR.PS-06 and where automated gates fit inside a secure development lifecycle. Ask me which repositories ship to production and what severity should block a merge. Talk me through whether the gate should fail closed on scanner errors or fail open with a logged exception.

Controls

  • PR.PS-01: Configuration management practices are established and applied
    SP 800-53 Rev 5: CM-1, CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-8, CM-9, CM-10, CM-11

  • PR.PS-02: Software is maintained, replaced, and removed commensurate with risk
    SP 800-53 Rev 5: CM-11, MA-3(6), SA-10(1), SI-2, SI-7

  • PR.PS-03: Hardware is maintained, replaced, and removed commensurate with risk
    SP 800-53 Rev 5: CM-7(9), SA-10(3), SC-3(1), SC-39(1), SC-49, SC-51

  • PR.PS-04: Log records are generated and made available for continuous monitoring
    SP 800-53 Rev 5: AU-2, AU-3, AU-6, AU-7, AU-11, AU-12, SA-15(13)

  • PR.PS-05: Installation and execution of unauthorized software are prevented
    SP 800-53 Rev 5: CM-7(2), CM-7(4), CM-7(5), SC-34

  • PR.PS-06: Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle
    SP 800-53 Rev 5: SA-3, SA-8, SA-10, SA-11, SA-15, SA-15(13), SA-17, SA-24

Control text and SP 800-53 Rev 5 references from the official NIST CSF 2.0 and OLIR releases.
