Open-source skills

Free vCISO skills, MIT licensed.

Open-source security tools for Claude Code, Cursor, and any AI agent. Built by practitioners who use them on real engagements.

Most ship alongside the launch of vCISO.ai. The roadmap below is what we are building.

Why we ship these

Security work is increasingly sitting next to engineering work in AI agent contexts. Engineering teams that have a SOC 2 audit on the calendar are already using Claude Code or Cursor to draft architecture changes, refactor Terraform, and review pull requests. The same agents can answer security questionnaire fields, draft policy edits, and surface compliance evidence if you give them the right tools. Most do not have those tools yet.

We build these skills because we use them on real engagements. The Scorecard came out of a pattern we ran on every Sprint kickoff: 20 questions across the Trust Services Criteria, scored, with a prioritized remediation list. Productizing it as a free tool was the obvious move. The same is true of the policy template kit, the threat-informed baseline generator, and the questionnaire responder. Each one solves a specific problem we have hit on dozens of engagements.

Everything ships MIT licensed. No registration, no email gate, no telemetry. The retainer business does not depend on artificial scarcity around tools. It depends on senior practitioners doing the work that automation cannot. The tools amplify the human work; they do not replace the call.

Roadmap
Live

SOC 2 Readiness Scorecard

20-question web assessment with a scored PDF delivered to your inbox. Live now as a web tool. Claude Code skill packaging in progress.

Take the scorecard
Coming Q1 2027

SOC 2 Policy Template Kit

10 markdown templates aligned to Trust Services Criteria, plus a Claude Code skill that fills them in from a company profile.

Roadmap

Threat-informed Baseline

Reads Terraform, Helm, or AWS Config exports and produces a NIST CSF gap report with a MITRE ATT&CK overlay.

Roadmap

Security Questionnaire Responder

Drafts answers for SIG, CAIQ, and bespoke vendor questionnaires from a company profile and policy library.

Roadmap

Board Briefing Generator

Given current metrics and findings, drafts a 30-minute board deck with talking points and Q&A prep.

Get notified

Be the first to use them.

Drop your email on the vCISO.ai waitlist and we will send a single message when each skill ships. No nurture spam.

Ready when you are

Your next move starts with a 30-minute call.

If vCISO is not a fit, we will say so on the call and point you toward someone who is. If we are, we will scope a Sprint, the 90-Day Foundation, or a retainer right then.