📄 SAMPLE REPORT — Fictional “Helios Payments” engagement. Your actual report will reflect your repo, your data flows, your stack.

Helios Payments Platform — Security Review

Engineering Deep-Dive · ATT&CK v18.1 · All 47 Findings

Threat Model + AppSec + IaC · Updated May 2026 · with Architecture Context

3 Critical · 9 High · 18 Medium · 12 Controls Verified · 78% ATT&CK Coverage

Audience: Engineering + Security Leadership

Agenda

01
Architecture Inventory & Trust Boundaries
Components, trust boundaries, data flow context
02
Full Architecture Diagram (Mermaid)
Interactive architecture visualization with trust zones
03
Threat Intelligence (ATT&CK v18.1)
Active groups, top techniques by usage
04
STRIDE Threat Model
Each threat with architecture context, KQL + Bicep
05
OWASP Top 10 & API Top 10
Application-layer findings with CWE + ATT&CK mapping
06
Pipeline & IaC Findings
CI/CD and infrastructure-as-code hardening
07
ATT&CK Coverage, Risk Matrix & Roadmap
Coverage matrix, detection gaps, P0-P3 remediation, 90-day plan

Numbers at a Glance

3 Critical
9 High
18 Medium
17 Low / Info
21 STRIDE Threats
14 OWASP Findings
12 IaC/Pipeline
6 New in v18.1
ATT&CK v18.1 Coverage: 11 tactics covered, 34 techniques mapped to findings, 6 new in v18.1 (Cloud Identity, Inhibit Recovery)
01

Architecture Inventory & Trust Boundaries

23 components · 7 trust boundaries · 4 trust zones

Component Inventory

Component | Role | Trust Zone | Boundary
Example Component | Role description | Zone name | TB-N

Trust Boundaries

TB-ID | Boundary | Risk Note
TB-1 | Boundary description | Risk note

Architecture Diagram

graph TD
    subgraph EXT["External"]
        U(["Users"])
    end
    subgraph IDN["Identity"]
        IDP["Identity Provider"]
    end
    subgraph APP["Application Tier"]
        GW["API Gateway"]
        SVC["Service"]
        DB[("Database")]
    end
    subgraph INFRA["Infrastructure"]
        COMP["Compute"]
        STG[("Storage")]
    end
    subgraph MON["Monitoring"]
        LOG["Logging"]
    end

    U -->|Auth| IDP
    IDP -->|Token| GW
    GW --> SVC
    SVC --> DB
    SVC --> STG
    COMP --> STG
    LOG -.-> SVC

    %% Replace this diagram with actual architecture.
    %% Use subgraphs for trust zones.
    %% Color affected nodes on per-finding slides.
    

7 trust boundaries · 4 trust zones · 23 components

02

Threat Intelligence

ATT&CK v18.1 · Active groups · Top techniques by usage

Active Threat Groups

Group | ID | Relevant Techs | Primary Tactics | v18.1 Status

Top 10 Techniques by Threat Group Usage

Technique | Name | Tactic | Score | System Relevance
03

STRIDE Threat Model

21 threats · 6 categories · KQL + Bicep + APIM for each

THREAT-001 — {{Finding Title}}

THREAT-001 — Critical P0

Component: {{Component}} / {{Trust Boundary}}

{{Description of the threat}}

ATT&CK:
T{{ID}} — {{Technique Name}} | {{tactic}}

Mitigations:
M{{ID}} — {{Mitigation Name}}

Detection:
{{Data Component}} → {{Azure Log Source}}

📍 Architecture Context

graph LR
    A["Component A"] --> B["Component B"]
    B --> C["Component C"]
    style A fill:#f85149,color:#fff,stroke:#f85149
    %% Color the AFFECTED component(s) with severity color:
    %%   Critical: fill:#f85149  High: fill:#d29922  Medium: fill:#bc8cff

Remediation

  • {{Remediation step 1}}
  • {{Remediation step 2}}
  • {{Remediation step 3}}

Sentinel KQL

// {{KQL query for detection}}
05

OWASP Top 10 & API Top 10

14 application-layer findings · CWE + ATT&CK mapped

06

Pipeline & IaC Findings

12 infrastructure-as-code and CI/CD findings · Bicep fixes

07

ATT&CK Coverage, Risk & Roadmap

Coverage matrix · detection gaps · P0-P3 remediation · 90-day plan

Risk Heat Map — All 47 Findings

Finding | Likelihood | Impact | Risk

Critical Findings (3)

Critical: 3 · High: 9 · Medium: 18 · Low / Info: 17

P0 — Block Release / Fix Immediately

ID | Action | Owner

P1 / P2 / P3 Remediation

P1 — Fix Within Sprint

P2 — Fix Within Quarter

P3 — Backlog

90-Day Execution Timeline

Days 1–14

{{PHASE_1_ACTIONS}}

Days 15–30

{{PHASE_2_ACTIONS}}

Days 31–60

{{PHASE_3_ACTIONS}}

Days 61–90

{{PHASE_4_ACTIONS}}

Success Metrics: {{SUCCESS_METRICS}}

Questions?

Helios Payments Platform — Security Review · Engineering Deep-Dive

ATT&CK v18.1 · 47 Findings · May 2026

3 Critical P0 · 9 High · 78% ATT&CK Coverage · 90-Day Remediation Plan

VELO · Vulnerability Evaluation & Lifecycle Orchestration · Classification: Internal / Restricted