Claude Code replaced multiple tools in my security workflow. What started as a code assistant became my primary interface for code audits, penetration testing, and incident response, and other Security Engineering related task. This post covers the 7 features I use daily.
Table of Contents
1. CLAUDE.md
A markdown file that defines rules, context, and coding standards for Claude Code sessions.
I separate CLAUDE.md into two levels: global rules for communication style, and project-specific rules for role context.
Global CLAUDE.md (~/.claude/CLAUDE.md) — Applies to all sessions:
# Security Guidelines
## Communication Style
- Be concise and direct
- Avoid lengthy explanations unless asked
- Focus on actionable findings
## Output Format
- Use bullet points for lists
- Include severity ratings for vulnerabilities
- Provide remediation steps, not just findings
## Security Mindset
- Assume breach mentality
- Prioritize impact over exploitability
- Consider business context in recommendations
...Project-specific CLAUDE.md (in repo root) — Infrastructure context for attack path analysis:
For example, in a project called acme-payment-gateway, I provide Claude with the infrastructure context it needs to reason about attack paths:
# Attack Path Analysis - Production Environment
## Critical Assets
- **S3 Bucket**: `company_data_backup` — Contains customer PII
- **RDS**: `prod-payment` — Payment transaction database
- **EC2**: `bastion-prod` — Single SSH entry point
## Access Rules
- `company_data_backup` — Accessible only by DevOps team
- `prod-payment` — Accessible by payment-service IAM role only
- `bastion-prod` — SSH restricted to security-team security group
## Objective
Find attack paths from external entry points to critical assets.
...The global file sets how Claude communicates. The project file sets what Claude knows about the context.
2. Skills
Reusable prompt templates that encode specialized workflows and domain knowledge.
I use the security-code-audit-skills package for code security audits. These skills handle vulnerability scanning, data flow tracing, and security pattern analysis.
Skills I use most:
Skill | Purpose |
|---|---|
| Query security patterns and authentication flows |
| Full vulnerability scan of codebase |
| Trace data flow from source to sink |
Instead of writing prompts from scratch, I invoke the skill by creating custom commands:
/auditThis triggers a structured security review with consistent output format every time.
3. MCP (Model Context Protocol)
External tool integrations that extend Claude Code's capabilities beyond the filesystem.
MCP servers connect Claude Code directly to security tools and data sources. Here's my security-focused MCP setup:
Incident Response:
CrowdStrike Falcon MCP — Query EDR for endpoint detection and response
Research:
Tavily MCP — Threat intelligence and deep research
DeepWiki MCP — GitHub repo documentation before pentests
Pentesting:
Playwright MCP — Automate reconnaissance and site navigation
Burp Suite MCP — Automate pentest workflows
Configuration snippet:
{
"mcpServers": {
"falcon": {
"command": "uvx",
"args": ["falcon-mcp"],
"env": {
"FALCON_CLIENT_ID": "${FALCON_CLIENT_ID}",
"FALCON_CLIENT_SECRET": "${FALCON_CLIENT_SECRET}"
}
}
}
}
...4. Planning Mode
A mode where Claude explores and designs before writing code.
I use Planning Mode to generate pentest test cases from OpenAPI specs or endpoint lists. Instead of manually following the entire OWASP Testing Guide, Claude identifies which tests apply to each endpoint.
Workflow:
Provide OpenAPI spec or endpoint documentation
Claude generates relevant test cases for each endpoint
Review and adjust the plan
Execute tests one by one
Example prompt:
Given this OpenAPI spec, generate pentest test cases focused on:
- Authentication bypass
- Authorization flaws
- Input validation issues
Skip tests that don't apply to these endpoints.
...This cuts hours of manual test case writing.
5. Subagents
Parallel agents that handle independent tasks simultaneously.
During security reviews, I run multiple scans in parallel rather than sequentially. Subagents let me dispatch independent tasks without waiting.
Parallel security scans:
Run these in parallel:
1. Scan for hardcoded secrets with grepai
2. Check dependencies for known CVEs
3. Audit authentication flows with security-code-audit-askEach subagent works independently and reports back. What used to take 30 minutes sequentially now takes 10 because of the parallel agents execution.
6. Custom Commands
Stored prompts that trigger skills or tools with a single command.
I store frequently-used prompts as custom commands. This avoids rewriting the same instructions and ensures consistency.
My security commands:
Command | Action |
|---|---|
| Trigger security-code-audit-ask on current file |
| Generate test cases from provided spec |
| Format incident response findings |
Command definition:
---
name: audit
description: Security audit of current codebase
---
Run security-code-audit-ask on the current working directory. Focus on:
- Authentication and authorization
- Input validation
- Secret exposure
- Injection vulnerabilities
...7. Custom Tools
CLI tools integrated into Claude Code for specialized operations.
I integrate security-focused CLI tools that Claude can invoke directly.
My custom tools:
Tool | Purpose |
|---|---|
Semantic code search for security patterns | |
GitHub CLI | GHAS automation, security advisories, PR checks |
Example usage:
# Semantic search for authentication patterns
grepai "password comparison logic"
# Check GitHub security alerts
gh api repos/{owner}/{repo}/dependabot/alerts
Claude uses these tools during audits without me switching contexts.
Summary
My daily workflow combines these features:
CLAUDE.md — Sets security rules for every session
Skills — Encodes audit expertise in reusable prompts
MCP — Connects to EDR, Burp, and research tools
Planning Mode — Generates focused pentest test cases
Subagents — Parallelizes independent security scans
Custom Commands — Saves prompts as single-keyword triggers
Custom Tools — Integrates grepai and GitHub CLI
In Part 2, I'll cover advanced workflows that combine multiple features: automated pentest pipelines, incident response runbooks, and continuous security monitoring.
Further Reading
MCP Servers:
Skills & Agents:
Tools:
Config Management:
Config Reference:
