Cybersecurity - Technology Risk Engineer

Author: Abhishek Iyer

From Manual Spreadsheets to AI-Augmented Risk Engineering

As a Technology Risk Engineer, my job is to make sure an organization’s controls truly meet internal policies and external regulatory standards. Traditionally, this work has been highly manual—requiring hours of effort spent on risk identification, mapping controls to requirements, and performing detailed testing.

These steps are essential, but they often take significant time and can slow down the overall risk assessment process. The result is a workflow that can become resource-heavy and difficult to scale.

Moving Beyond Manual Processes

To address these challenges, I began experimenting with AI-powered prompts as a way to streamline control evaluations. By using artificial intelligence to support repetitive analytical tasks, I’ve been able to:

  • Reduce turnaround time for assessments
  • Improve consistency in control mapping
  • Identify risks more efficiently
  • Spend less time on administrative work

AI hasn’t replaced professional judgment—instead, it has strengthened it. It allows me to focus more on strategic decision-making and deeper risk insights, rather than getting stuck in spreadsheets and repetitive documentation.

What This Post Covers

In this post, I’ll share my journey from traditional, manual risk engineering methods to an AI-augmented approach. I’ll also cover:

  • The specific prompt techniques I use
  • How AI supports control testing and evaluation
  • The real, measurable benefits this shift has delivered

Whether you’re new to technology risk or an experienced professional looking to modernize your workflow, this framework can help you work smarter, scale faster, and deliver greater value to your organization.


Use Case 1: Detect unauthorized applications on laptops

Past State: Organizations face significant legal and cybersecurity risks from unauthorized applications installed on endpoints. With employees able to easily download and install software from the internet, technology risk teams struggle to maintain visibility and control over their application landscape.

The traditional manual approach to identifying high-risk applications involves:

  • Exporting application inventories from endpoint management tools (Jamf for macOS, Intune for Windows)
  • Researching each application's description and legitimate use cases
  • Checking for known Common Vulnerabilities and Exposures (CVEs)
  • Assessing security and compliance risks
  • Documenting findings for remediation

This manual process is extremely time-consuming, resource-intensive, and often incomplete—leaving organizations exposed to security vulnerabilities, compliance violations, and legal liability from unauthorized or risky software on corporate endpoints.

I used the Technology Risk Engineer - Endpoint Application Risk Assessment Workflow described below.


Step 1: Define the role for the prompt and provide instructions

Role Definition (copy and paste this prompt)

You are an expert Technology Risk Engineer specializing in endpoint security and application risk assessment. Your primary responsibility is to evaluate applications installed on endpoints (macOS via Jamf, Windows via Intune) and identify those that pose security, privacy, or operational risks to the organization.

Upon receiving the data file, perform these checks:
□ File format is readable (CSV/JSON)
□ Required fields are present (Name, Version, Publisher minimum)
□ Data is current (check Last Seen/Export Date)
□ Record count is reasonable (not truncated)
□ Version information is populated for most applications
□ No obvious data corruption or formatting issues

Create initial statistics:

INVENTORY SUMMARY:

  • Total unique applications: [X]
  • Total installations: [Y]
  • Applications requiring immediate review: [Z]
  • Platforms: [macOS: X, Windows: Y]
  • Endpoints analyzed: [N]

For each flagged application, analyze:

  • WHY is it high-risk? (data access, privilege level, network exposure)
  • WHO is using it? (single user vs. widespread)
  • WHERE is it running? (standard endpoint vs. critical system)
  • WHEN was it installed? (recent vs. legacy)
  • HOW was it installed? (IT-deployed vs. user-installed)

High Risk applications:

  • Remote access/remote desktop tools
  • Password managers (non-corporate)
  • VPN clients (third-party/personal)
  • File synchronization tools (personal cloud storage)
  • Screen recording/capture utilities
  • Packet sniffers/network analyzers
  • Torrent clients
  • Virtual machines/emulators
  • Cryptocurrency miners/wallets
  • Jailbreak/rooting tools

After analysis, provide a structured report.

Executive Summary


Data Collection Protocol

Step 2: Endpoint Application Inventory

To perform a comprehensive endpoint application risk assessment, I need the current application inventory from your endpoint management systems. Please provide:

For macOS Endpoints (Jamf):

  • Export: JAMF application
  • Format: CSV or JSON
  • Required fields:
    • Application Name
    • Version
    • Vendor/Publisher
    • Install Date
    • Bundle Identifier (if available)
    • Computer Name/Hostname
    • User
    • Last Seen Date
    • Installation Path

For Windows Endpoints (Intune):

  • Export: Intune Application
  • Format: CSV or JSON
  • Required fields:
    • Application Name
    • Version
    • Publisher
    • Install Date
    • Device Name
    • User Principal Name
    • Platform (Windows 10/11)
    • Installation Path (if available)
    • App Type (Win32, MSI, Store, etc.)

Export Instructions:

Jamf Export:

  1. Navigate to: Computers > Search Inventory
  2. Click on "Applications" tab
  3. Select all applications or filter as needed
  4. Click "Export" > Choose CSV or JSON format
  5. Ensure all columns are selected

Intune Export:

  1. Navigate to: Microsoft Endpoint Manager admin center
  2. Go to: Apps > All apps > Detected apps
  3. Click "Export" at the top
  4. Save as CSV or JSON

OR use Microsoft Graph API:

Please upload the export file(s) to begin the risk assessment analysis.

Expected Data Formats

Jamf CSV Format Example:

Application Name,Version,Vendor,Install Date,Bundle ID,Computer Name,User,Last Seen
Google Chrome,120.0.6099.129,Google LLC,2024-01-15,com.google.Chrome,MAC-12345,john.doe,2024-01-28
Adobe Reader DC,23.001.20093,Adobe Inc.,2023-11-20,com.adobe.Reader,MAC-12345,john.doe,2024-01-28
TeamViewer,15.42.5,TeamViewer GmbH,2023-09-10,com.teamviewer.TeamViewer,MAC-12346,jane.smith,2024-01-27

Intune CSV Format Example:

Application Name,Version,Publisher,Device Name,User,Platform,Install Date,App Type
Microsoft Edge,120.0.2210.121,Microsoft Corporation,WIN-67890,john.doe@company.com,Windows 11,2024-01-10,Win32
Zoom,5.16.5,Zoom Video Communications,WIN-67890,john.doe@company.com,Windows 11,2023-12-05,Win32
AnyDesk,7.1.12,AnyDesk Software GmbH,WIN-67891,jane.smith@company.com,Windows 10,2023-08-15,MSI

JSON Format Example:

{
  "applications": [
    {
      "name": "Google Chrome",
      "version": "120.0.6099.129",
      "publisher": "Google LLC",
      "device": "MAC-12345",
      "user": "john.doe",
      "installDate": "2024-01-15",
      "platform": "macOS",
      "bundleId": "com.google.Chrome"
    }
  ]
}
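As an added example (my code, not the author's prompt or any Jamf/Intune tooling), here is a Python normaliser for the three export shapes shown above. It reads the Jamf CSV, Intune CSV and JSON forms into one record schema, runs the readability, required-field, version-coverage and freshness checks from the Step 1 role prompt, and produces the INVENTORY SUMMARY counts. The sample exports are constructed from the rows above; the 90% version-coverage and 7-day freshness thresholds are assumptions.

```python
import csv
import io
import json
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Constructed sample exports in the three formats shown above (not real inventory data).
JAMF_CSV = """Application Name,Version,Vendor,Install Date,Bundle ID,Computer Name,User,Last Seen
Google Chrome,120.0.6099.129,Google LLC,2024-01-15,com.google.Chrome,MAC-12345,john.doe,2024-01-28
TeamViewer,15.42.5,TeamViewer GmbH,2023-09-10,com.teamviewer.TeamViewer,MAC-12346,jane.smith,2024-01-27
"""
INTUNE_CSV = """Application Name,Version,Publisher,Device Name,User,Platform,Install Date,App Type
Microsoft Edge,120.0.2210.121,Microsoft Corporation,WIN-67890,john.doe@company.com,Windows 11,2024-01-10,Win32
AnyDesk,7.1.12,AnyDesk Software GmbH,WIN-67891,jane.smith@company.com,Windows 10,2023-08-15,MSI
"""
INVENTORY_JSON = """{"applications": [{"name": "Google Chrome", "version": "120.0.6099.129",
"publisher": "Google LLC", "device": "MAC-12345", "user": "john.doe",
"installDate": "2024-01-15", "platform": "macOS", "bundleId": "com.google.Chrome"}]}"""

@dataclass(frozen=True)
class AppRecord:
    """Common schema that the MDM exports and the JSON form are normalised into."""
    name: str
    version: str
    publisher: str
    device: str
    user: str
    install_date: str
    platform: str
    install_path: str = ""
    last_seen: str = ""

def _publisher_column(headers):
    # Jamf calls the column "Vendor", Intune calls it "Publisher"; accept either.
    for candidate in ("Publisher", "Vendor", "Vendor/Publisher"):
        if candidate in headers:
            return candidate
    return None

def parse_csv_export(text, default_platform):
    """Parse a Jamf or Intune CSV export; raise if the minimum fields are absent."""
    reader = csv.DictReader(io.StringIO(text))
    headers = reader.fieldnames or []
    pub_col = _publisher_column(headers)
    missing = [h for h in ("Application Name", "Version") if h not in headers]
    if pub_col is None:
        missing.append("Publisher/Vendor")
    if missing:
        raise ValueError(f"export is missing required fields: {missing}")
    return [AppRecord(
        name=row["Application Name"].strip(),
        version=(row["Version"] or "").strip(),
        publisher=(row[pub_col] or "").strip(),
        device=row.get("Computer Name") or row.get("Device Name") or "",
        user=row.get("User") or "",
        install_date=row.get("Install Date") or "",
        platform=row.get("Platform") or default_platform,
        install_path=row.get("Installation Path") or "",
        last_seen=row.get("Last Seen") or "",
    ) for row in reader]

def parse_json_export(text):
    """Parse the JSON form shown above into the same schema."""
    return [AppRecord(name=a["name"], version=a.get("version", ""), publisher=a.get("publisher", ""),
                      device=a.get("device", ""), user=a.get("user", ""),
                      install_date=a.get("installDate", ""), platform=a.get("platform", ""))
            for a in json.loads(text)["applications"]]

def quality_checks(records, export_date_iso, max_age_days=7, min_version_coverage=0.9):
    """The pre-analysis checklist: record count, version coverage and data freshness (thresholds assumed)."""
    export_date = date.fromisoformat(export_date_iso)
    issues = []
    if not records:
        issues.append("no records parsed (empty or truncated export)")
        return issues
    coverage = sum(1 for r in records if r.version) / len(records)
    if coverage < min_version_coverage:
        issues.append(f"version populated for only {coverage:.0%} of applications")
    stale = [r for r in records
             if r.last_seen and (export_date - date.fromisoformat(r.last_seen)).days > max_age_days]
    if stale:
        issues.append(f"{len(stale)} records last seen more than {max_age_days} days before the export")
    return issues

def inventory_summary(records):
    """Counts for the INVENTORY SUMMARY section of the report."""
    platforms = Counter((r.platform.split() or ["unknown"])[0] for r in records)  # "Windows 11" -> "Windows"
    return {
        "total_unique_applications": len({r.name for r in records}),
        "total_installations": len(records),
        "platforms": dict(platforms),
        "endpoints_analyzed": len({r.device for r in records}),
    }

if __name__ == "__main__":
    records = (parse_csv_export(JAMF_CSV, "macOS") + parse_csv_export(INTUNE_CSV, "Windows")
               + parse_json_export(INVENTORY_JSON))
    print("data quality issues:", quality_checks(records, "2024-01-29"))
    print("summary:", inventory_summary(records))
```

Running the checks before any flagging matters: a truncated export or one with blank version columns silently weakens every CVE lookup downstream, so the script refuses to proceed on missing required columns and reports low version coverage and stale records as issues rather than guessing.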


Step 3: Evaluate for Potentially Unwanted Programs (PUPs)

Detection Indicators:

PUP_INDICATORS = {
    "Adware Publishers": [
        "Mindspark Interactive",
        "Crawler LLC",
        "OpenCandy",
        "Conduit",
        "Babylon",
        "Ask.com",
        "MyWebSearch"
    ],
    "Common PUP Names": [
        "PC Optimizer",
        "Driver Updater",
        "Registry Cleaner",
        "Speed Booster",
        "System Care",
        "Mac Keeper",
        "Advanced Mac Cleaner",
        "PC Cleanup",
        "Driver Easy"
    ],
    "Behavioral Patterns": [
        "Multiple applications from same unknown publisher installed same day",
        "Applications with generic names (Utility, Helper, Service)",
        "Unsigned applications from unknown publishers",
        "Applications in unusual install locations (%TEMP%, AppData\\Local\\Temp)"
    ]
}

PUP Risk Scoring:

  • High: Browser hijackers, fake system optimizers, ransomware precursors
  • Medium: Bundled toolbars, aggressive advertising tools
  • Low: Legitimate freeware with opt-in additional offers

Step 4: Evaluate for Adware

Adware Identification:

ADWARE_SIGNATURES = [
    # Known Adware Families
    "Genieo", "VSearch", "Conduit", "Babylon Toolbar",
    "Delta Search", "Snap.do", "MyWebSearch", "CoolWebSearch",
    "Zango", "180Solutions", "WhenU", "Gator/GAIN",
    
    # Mac-specific Adware
    "MacKeeper", "Advanced Mac Cleaner", "Mac Auto Fixer",
    "Mac Mechanic", "Mac Tonic", "SearchMine",
    
    # Windows-specific Adware
    "Superfish", "PrivDog", "Price Gong", "SaveSense",
    "Relevant Knowledge", "ShopAtHome", "Shopping Helper"
]

Detection Method:

  1. Match application names against known adware database
  2. Check for telltale keywords: "toolbar", "search helper", "price finder", "coupon"
  3. Identify applications with multiple user complaints on security forums
  4. Cross-reference with VirusTotal or similar reputation services
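The signature matching in Steps 3 and 4 and the high-risk category list from Step 1 rely on one mechanism: case-insensitive matching of application names and publishers against lists, plus a few behavioural checks (unusual install path, unsigned binaries from unknown publishers, several apps from one unknown publisher landing on the same day). The Python below is an added example, not the author's prompt, that implements that mechanism over a normalised inventory. The keyword lists are condensed from the lists above (TeamViewer and AnyDesk come from the sample exports); the KNOWN_PUBLISHERS allowlist, the severity attached to each finding and the sample inventory are all constructed assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class App:
    name: str
    publisher: str
    install_date: str        # ISO date from the inventory export
    install_path: str = ""
    signed: bool = True      # code-signing status, where the export provides it

# Condensed from Steps 1, 3 and 4 above; TeamViewer/AnyDesk are the remote-access tools in the sample exports.
HIGH_RISK_CATEGORIES = {
    "remote access tool": ("teamviewer", "anydesk", "remote desktop", "vnc"),
    "torrent client": ("torrent",),
    "packet sniffer / network analyzer": ("sniffer", "packet capture", "network analyzer"),
    "personal VPN client": ("vpn",),
    "cryptocurrency miner/wallet": ("miner", "wallet"),
}
ADWARE_PUP_NAMES = ("Genieo", "VSearch", "Conduit", "Babylon", "MyWebSearch", "MacKeeper", "Mac Keeper",
                    "Advanced Mac Cleaner", "Superfish", "Driver Updater", "Registry Cleaner", "PC Optimizer")
ADWARE_PUBLISHERS = ("Mindspark Interactive", "Crawler LLC", "OpenCandy", "Conduit", "Babylon",
                     "Ask.com", "MyWebSearch")
TELLTALE_KEYWORDS = ("toolbar", "search helper", "price finder", "coupon")
GENERIC_WORDS = ("utility", "helper", "service")
SUSPICIOUS_PATH = re.compile(r"%TEMP%|\\AppData\\Local\\Temp|/private/tmp/|/tmp/", re.IGNORECASE)
# Assumed allowlist standing in for the organisation's approved-publisher register.
KNOWN_PUBLISHERS = {"Google LLC", "Microsoft Corporation", "Apple Inc.", "Adobe Inc.", "TeamViewer GmbH"}
SEVERITY_ORDER = {"High": 3, "Medium": 2, "Low": 1}

def classify_app(app):
    """Return (severity, reason) findings for one application under the PUP/adware/high-risk criteria."""
    findings = []
    lname, lpub = app.name.lower(), app.publisher.lower()
    for sig in ADWARE_PUP_NAMES:                       # fake optimizers / hijackers score High
        if sig.lower() in lname:
            findings.append(("High", f"matches known adware/PUP signature '{sig}'"))
            break
    if any(p.lower() in lpub for p in ADWARE_PUBLISHERS):
        findings.append(("High", f"publisher '{app.publisher}' is a known adware distributor"))
    for kw in TELLTALE_KEYWORDS:                       # bundled toolbars and helpers score Medium
        if kw in lname:
            findings.append(("Medium", f"telltale keyword '{kw}' in name"))
            break
    for category, keywords in HIGH_RISK_CATEGORIES.items():
        if any(kw in lname for kw in keywords):
            findings.append(("High", f"high-risk category: {category}"))
            break
    unknown_publisher = app.publisher not in KNOWN_PUBLISHERS
    if unknown_publisher and any(w in lname.split() for w in GENERIC_WORDS):
        findings.append(("Medium", "generic name from unknown publisher"))
    if unknown_publisher and not app.signed:
        findings.append(("Medium", "unsigned application from unknown publisher"))
    if app.install_path and SUSPICIOUS_PATH.search(app.install_path):
        findings.append(("Medium", f"installed from unusual location: {app.install_path}"))
    return findings

def bundle_findings(apps):
    """Behavioural pattern: several apps from the same unknown publisher installed on the same day."""
    groups = defaultdict(list)
    for app in apps:
        if app.publisher not in KNOWN_PUBLISHERS:
            groups[(app.publisher, app.install_date)].append(app)
    out = defaultdict(list)
    for (publisher, day), members in groups.items():
        if len(members) > 1:
            for app in members:
                out[app.name].append(("Medium",
                    f"{len(members)} apps from unknown publisher '{publisher}' installed same day ({day})"))
    return out

def assess_inventory(apps):
    """Map each flagged app name to its findings, highest severity first; clean apps are omitted."""
    report = defaultdict(list)
    for app in apps:
        report[app.name].extend(classify_app(app))
    for name, findings in bundle_findings(apps).items():
        report[name].extend(findings)
    return {name: sorted(f, key=lambda x: -SEVERITY_ORDER[x[0]]) for name, f in report.items() if f}

# Constructed sample inventory (not real endpoint data).
SAMPLE_APPS = [
    App("Google Chrome", "Google LLC", "2024-01-15"),
    App("TeamViewer", "TeamViewer GmbH", "2023-09-10"),
    App("Driver Updater Pro", "Unknown Soft", "2024-01-20",
        install_path=r"C:\Users\jdoe\AppData\Local\Temp\dup.exe", signed=False),
    App("Search Helper", "Unknown Soft", "2024-01-20"),
]

if __name__ == "__main__":
    for name, findings in assess_inventory(SAMPLE_APPS).items():
        print(name, findings)
```

Substring matching is deliberately loose (it is a triage filter, not a verdict), which is why each finding carries its reason: an analyst can dismiss a "vpn" hit on the corporate VPN client in seconds, whereas a bare "flagged" label would send them back to the inventory.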

Step 5: CVE Vulnerability Analysis

Systematic CVE Check Process:

FOR EACH APPLICATION:
    1. Normalize application name and version
       - Remove special characters
       - Standardize vendor name
       - Parse version number (major.minor.patch.build)
    
    2. Query CVE Databases:
       - Primary: https://nvd.nist.gov/vuln/search
       - Secondary: https://cve.org
       - Format: "[Vendor] [Product] [Version]"
       - Example: "Adobe Acrobat Reader 2023.001.20093"
    
    3. Filter Results:
       - Severity: CRITICAL (9.0-10.0) and HIGH (7.0-8.9) only
       - Status: Focus on unpatched or recently patched CVEs
       - Applicability: Confirm CVE affects the specific version
    
    4. Assess Patch Gap:
       - Current version installed: X.X.X
       - Latest patched version: Y.Y.Y
       - CVEs between versions: [List]
       - Patch age: [Days since patch release]
    
    5. Prioritize by Exploitability:
       - Check for public exploits (Exploit-DB, GitHub, Metasploit)
       - CISA KEV (Known Exploited Vulnerabilities) listing
       - EPSS (Exploit Prediction Scoring System) score

CVE Risk Matrix:

Severity | Exploit Available | Patch Available | Risk Level | Action Timeline
---------|-------------------|-----------------|------------|---------------------
CRITICAL | Yes               | Yes             | CRITICAL   | Immediate (24h)
CRITICAL | Yes               | No              | CRITICAL   | Immediate + Mitigate
CRITICAL | No                | Yes             | HIGH       | 7 days
HIGH     | Yes               | Yes             | HIGH       | 7 days
HIGH     | No                | Yes             | MEDIUM     | 30 days
HIGH     | No                | No              | MEDIUM     | Monitor + Mitigate
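An added example (not from the original post) of the Step 5 mechanics in Python: normalising vendor/product names, parsing version strings so they compare numerically, keeping only CRITICAL/HIGH CVEs whose fix version is newer than the installed one, computing the patch age, and applying the CVE Risk Matrix to pick the action timeline. The CVE records, vendor name, version numbers and dates are constructed placeholders (the CVE-0000-000N identifiers are not real advisories); the fallback used for the two (severity, exploit, patch) combinations the matrix does not list is an assumption.

```python
import re
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cve:
    cve_id: str
    cvss: float
    fixed_in: str          # first version containing the fix; "" when no patch exists
    patch_released: date   # None when no patch exists
    public_exploit: bool   # evidence from Exploit-DB, Metasploit or the CISA KEV list

def normalize_name(vendor, product):
    """Lower-case, strip special characters and collapse whitespace so database lookups are stable."""
    text = re.sub(r"[^a-z0-9.+ ]", " ", f"{vendor} {product}".lower())
    return " ".join(text.split())

def parse_version(version):
    """Turn '23.001.20093' or 'v7.1.12-beta' into a tuple of ints that compares numerically."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"no numeric components in version {version!r}")
    return tuple(int(p) for p in parts)

def severity_band(cvss):
    """CVSS qualitative bands as used by the matrix above."""
    if cvss >= 9.0:
        return "CRITICAL"
    if cvss >= 7.0:
        return "HIGH"
    if cvss >= 4.0:
        return "MEDIUM"
    return "LOW"

# The CVE Risk Matrix above, keyed by (severity, exploit available, patch available).
RISK_MATRIX = {
    ("CRITICAL", True, True): ("CRITICAL", "Immediate (24h)"),
    ("CRITICAL", True, False): ("CRITICAL", "Immediate + Mitigate"),
    ("CRITICAL", False, True): ("HIGH", "7 days"),
    ("HIGH", True, True): ("HIGH", "7 days"),
    ("HIGH", False, True): ("MEDIUM", "30 days"),
    ("HIGH", False, False): ("MEDIUM", "Monitor + Mitigate"),
}
RISK_ORDER = {"CRITICAL": 3, "HIGH": 2, "MEDIUM": 1}

def applicable_cves(installed, cves):
    """Keep CRITICAL/HIGH CVEs that affect the installed version (fix version newer, or no fix at all)."""
    inst = parse_version(installed)
    return [c for c in cves
            if severity_band(c.cvss) in ("CRITICAL", "HIGH")
            and (not c.fixed_in or parse_version(c.fixed_in) > inst)]

def assess_patch_gap(installed, latest, cves, today):
    """Patch-gap record for one application: open CVEs, patch age, and the matrix-driven action."""
    open_cves = applicable_cves(installed, cves)
    risk, action = None, "None required"
    for c in open_cves:
        patched = bool(c.fixed_in)
        # Assumption: combinations the matrix omits (CRITICAL/no exploit/no patch, HIGH/exploit/no patch)
        # keep their severity band as the risk level and get a mitigate-and-monitor action.
        level, timeline = RISK_MATRIX.get((severity_band(c.cvss), c.public_exploit, patched),
                                          (severity_band(c.cvss), "Mitigate + Monitor"))
        if risk is None or RISK_ORDER[level] > RISK_ORDER[risk]:
            risk, action = level, timeline
    patch_ages = [(today - c.patch_released).days for c in open_cves if c.patch_released]
    return {
        "installed": installed,
        "latest": latest,
        "cves_between": [c.cve_id for c in open_cves],
        "patch_age_days": max(patch_ages) if patch_ages else None,
        "risk_level": risk or "NONE",
        "action": action,
    }

# Constructed placeholders: not real CVEs, products or release dates.
TODAY = date(2024, 1, 29)
INSTALLED, LATEST = "23.001.20093", "23.006.20320"
SAMPLE_CVES = [
    Cve("CVE-0000-0001", 9.8, "23.006.20320", date(2023, 12, 1), public_exploit=True),
    Cve("CVE-0000-0002", 7.5, "23.003.20201", date(2023, 9, 15), public_exploit=False),
    Cve("CVE-0000-0003", 5.3, "23.002.20100", date(2023, 8, 1), public_exploit=False),  # MEDIUM: filtered out
    Cve("CVE-0000-0004", 8.1, "23.001.20093", date(2023, 7, 1), public_exploit=True),   # fixed in installed build
]

if __name__ == "__main__":
    print(normalize_name("Example Vendor, Inc.", "Example Reader"))
    print(assess_patch_gap(INSTALLED, LATEST, SAMPLE_CVES, TODAY))
```

Two details carry most of the value. Comparing versions as integer tuples rather than strings is what makes "23.001.20093" sort below "23.006.20320" instead of above it, and a CVE whose fix version equals the installed version is correctly dropped as already patched. The matrix is applied per CVE and the worst row wins, so one exploited CRITICAL on a build that also has a handful of unexploited HIGHs still produces a 24-hour timeline.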


Step 6: Risk Tier Classification

CRITICAL (9.0-10.0):
- CVE score ≥9.0 with public exploit
- Confirmed data exfiltration capability
- Active C2 communication detected
- Critical business system compromise

HIGH (7.0-8.9):
- CVE score 7.0-8.9 with patch available
- High-risk use case + elevated privileges
- Confirmed PUP with data collection
- Widespread deployment of risky application

MEDIUM (4.0-6.9):
- Medium CVE scores (4.0-6.9)
- PUP without malicious intent
- High-risk use case but limited deployment
- Outdated software with no active exploits

LOW (1.0-3.9):
- Low CVE scores (<4.0)
- Approved apps with minor compliance gaps
- Outdated versions with available updates
- Cosmetic issues only

Reporting Output