Persona + Skills Pack

A senior AppSec lead for your AI coding assistant.

Senior AppSec Lead for Claude Code, Cursor, Windsurf

A senior AppSec lead persona plus five Anthropic Agent Skills that produce paste-ready deliverables. Works across any SAST tool. Paired with CxMS Pro AI, it compounds your false-positive taxonomy into institutional memory.

Works with Claude Code natively. Cursor, Windsurf, Codex CLI, GitHub Copilot, Cline, Continue.dev, Zed, and Amazon Q work through CxMS Pro AI’s MCP bridge.

Sound familiar?

Sprint start, Tuesday 9 AM. Semgrep fires 200 findings. You know 180 are false positives because you ruled them false positives last sprint. And the sprint before that. And the sprint before that.

You still have to prove each one. Again. Because nobody wrote down why it was safe, the doc got lost, or your AI started at zero this morning. So you spend two hours clicking through the same noise to find the five findings that actually matter.

Wednesday, a Log4Shell-class CVE drops. Dependabot opens 40 PRs overnight. Engineering wants to know by end-of-day which ones actually apply. Your threat model for the service is a 40-page STRIDE wall in a wiki nobody reads.

None of this is a tool problem. Your scanners are fine. Your AI is smart enough. What is missing is cross-session memory and a voice opinionated about reachability instead of noise.

What this is (and what it is not)

The Security Reviewer Persona + Skills Pack is a zip of Anthropic Agent Skills (SKILL.md files with frontmatter). It is not a SAST scanner. It is not a replacement for Semgrep, CodeQL, or Snyk. It is not an MCP server.

Loaded into Claude Code’s skills directory, it is a senior AppSec voice plus five production skills: Threat Model, Security Code Review, SAST Triage, CVE Applicability, Pentest Report Writer. Loaded into CxMS Pro AI, the persona becomes memory-aware. Triage rulings persist. Reachability decisions stick. Scoped-out components stay scoped out.

What you get

Cut SAST triage from 2 hours to 25 minutes by sprint 10

The SAST Triage skill takes output from Semgrep, CodeQL, Snyk Code, Checkov, SonarQube, or Fortify and produces a per-finding REAL / FALSE POSITIVE / DEFERRED ruling table with explicit reasoning. With CxMS Pro AI, every ruling carries forward. The prior ruling surfaces automatically next sprint.
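As an added illustration, not code shipped in the pack: a Python sketch of the carry-forward step, with constructed Semgrep-style findings and a constructed prior ruling. The fingerprint scheme, the rule ids and the NEW marker for unruled findings are this example's assumptions.

```python
import hashlib

def fingerprint(f: dict) -> str:
    """Key a finding by rule + path + normalized matched code, not by line number,
    so last sprint's ruling still matches after unrelated edits shift the line."""
    snippet = " ".join(f["extra"]["lines"].split())
    raw = f"{f['check_id']}|{f['path']}|{snippet}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]

def triage(findings: list, prior: dict) -> list:
    """Build the per-finding ruling table. Prior rulings carry forward by
    fingerprint; anything without one is marked NEW for the reviewer."""
    rows = []
    for f in findings:
        hit = prior.get(fingerprint(f))
        rows.append({
            "rule": f["check_id"],
            "location": f"{f['path']}:{f['start']['line']}",
            "ruling": hit["ruling"] if hit else "NEW",
            "reason": hit["reason"] if hit else "no prior ruling; reviewer decision needed",
            "since_sprint": hit["sprint"] if hit else None,
        })
    return rows

def render(rows: list) -> str:
    """Paste-ready Markdown table of the REAL / FALSE POSITIVE / DEFERRED rulings."""
    lines = ["| Rule | Location | Ruling | Reason | Since |", "|---|---|---|---|---|"]
    for r in rows:
        lines.append(f"| {r['rule']} | {r['location']} | {r['ruling']} | "
                     f"{r['reason']} | {r['since_sprint'] or '-'} |")
    return "\n".join(lines)

# Constructed sample (Semgrep-style fields: check_id, path, start.line, extra.lines).
# Last sprint the raw-SQL finding sat at line 88 and was ruled a false positive;
# a refactor above it has since moved the same call to line 91.
LAST_SPRINT_RAW_SQL = {"check_id": "example.raw-sql-cursor-execute",
                       "path": "app/reports/views.py", "start": {"line": 88},
                       "extra": {"lines": "cursor.execute(sql)"}}
PRIOR_RULINGS = {fingerprint(LAST_SPRINT_RAW_SQL): {
    "ruling": "FALSE POSITIVE", "sprint": 9,
    "reason": "sql is a constant with bound parameters; no request data reaches it"}}
CURRENT_FINDINGS = [
    {"check_id": "example.subprocess-shell-true", "path": "app/jobs/export.py",
     "start": {"line": 42}, "extra": {"lines": "subprocess.run(cmd, shell=True)"}},
    {"check_id": "example.raw-sql-cursor-execute", "path": "app/reports/views.py",
     "start": {"line": 91}, "extra": {"lines": "cursor.execute(sql)"}},
]
if __name__ == "__main__":
    print(render(triage(CURRENT_FINDINGS, PRIOR_RULINGS)))
```

The line-shifted finding keeps its FALSE POSITIVE ruling and the sprint it was decided in; the genuinely new finding is the only row left for a human to rule on.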

Ship the threat model people actually read

The Threat Model skill uses the Microsoft four-question approach: Mermaid DFD, STRIDE per element (per process, data store, data flow), threats ranked by likelihood x impact x mitigation effort, existing controls mapped against gaps, and open questions for the product owner.

Tell the team if a Log4Shell-class CVE applies in 15 minutes

The CVE Applicability skill emits APPLIES / DOES NOT APPLY / PARTIAL verdicts. Checks CVSS, EPSS, CISA KEV, and reachability (does your code actually call the vulnerable function). A CVSS 9.8 on code you never import is a P3. A CVSS 6.1 on a parser handling every request is a P0.
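An added example, not the skill's own implementation: the reachability question answered statically with Python's ast module for one file, then folded into a verdict and a practical priority. `vulnlib.parse`, the sample sources and the priority thresholds are constructed assumptions for this illustration.

```python
import ast

def calls_function(source: str, module: str, func: str) -> bool:
    """Static reachability check: does this file actually call module.func?
    Covers `import module [as m]` + `m.func(...)` and `from module import func [as g]`."""
    tree = ast.parse(source)
    module_names, func_names = set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            module_names.update(a.asname or a.name for a in node.names if a.name == module)
        elif isinstance(node, ast.ImportFrom) and node.module == module:
            func_names.update(a.asname or a.name for a in node.names if a.name == func)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        target = node.func
        if isinstance(target, ast.Attribute) and target.attr == func \
                and isinstance(target.value, ast.Name) and target.value.id in module_names:
            return True
        if isinstance(target, ast.Name) and target.id in func_names:
            return True
    return False

def verdict(cvss: float, epss: float, in_kev: bool, reachable, untrusted_every_request: bool):
    """Map the skill's inputs to (APPLIES / DOES NOT APPLY / PARTIAL, practical priority).
    reachable=None means unconfirmed. Thresholds are this example's assumptions."""
    if reachable is False:
        return "DOES NOT APPLY", "P3"          # CVSS 9.8 on code you never call: routine upgrade
    v = "APPLIES" if reachable else "PARTIAL"  # PARTIAL: applies once reachability is confirmed
    if in_kev or untrusted_every_request:
        return v, "P0"                         # exploited in the wild, or every request hits it
    if cvss >= 7.0 or epss >= 0.1:
        return v, "P1"
    return v, ("P2" if cvss >= 4.0 else "P3")

# Constructed sample sources. `vulnlib.parse` is a hypothetical vulnerable function.
REQUEST_PARSER = "import vulnlib\n\ndef handle(body):\n    return vulnlib.parse(body)\n"
UNRELATED = "import json\n\ndef handle(body):\n    return json.loads(body)\n"

if __name__ == "__main__":
    # The same hypothetical CVE against two services: P3 where never called, P0 on the parser.
    print(verdict(9.8, 0.90, True, calls_function(UNRELATED, "vulnlib", "parse"), False))
    print(verdict(6.1, 0.02, False, calls_function(REQUEST_PARSER, "vulnlib", "parse"), True))
```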

Give the PR author a ruling, not a 'CRITICAL!!!' panic

The Security Code Review skill emits paste-ready PR comments. One finding per comment, specific file:line, CVSS plus practical severity, CWE citation, exact exploit conditions, suggested fix with a code block. Catches IDOR, injection, SSRF, weak crypto, secrets in logs, deserialization, races, mass assignment. Explains without condescension.

Stop rewriting the same pentest finding three times

The Pentest Report Writer emits PTES-aligned structure with three output flavors from one finding set: client-ready report, engineering ticket format, researcher response format. One finding. Three audiences. Zero rewriting.

One opinionated voice, not alternating panic and hand-waving

A senior AppSec persona curated from OWASP Top 10:2025, ASVS 5.0, NIST 800-53, CIS Controls, MITRE ATT&CK, and the CVSS/EPSS/KEV vocabulary.

Works with your tools

Works natively with Claude Code. Unzip into ~/.claude/skills/opencxms-persona-security-reviewer/ and Claude Code picks it up on next launch.

Works with Cursor, Windsurf, Codex CLI, GitHub Copilot, Cline, Continue.dev, Zed, and Amazon Q Developer through CxMS Pro AI’s MCP bridge.

Standalone: the pack drops in and runs today. No memory engine required.

With CxMS Pro AI: every triage ruling persists. Every reachability decision sticks. Every scoped-out component stays scoped out. The false-positive taxonomy you build today is why next quarter’s triage is 25 minutes instead of two hours.


Who this is for

  • Priya, AppSec lead at a 120-engineer org. Owns the SAST queue. Triaging two hours a sprint of findings she already ruled out last sprint.
  • Marcus, security-owning dev. Not a full-time AppSec specialist. Got 40 Dependabot PRs overnight from a Log4Shell-class CVE. Needs reachability decisions by end-of-day.
  • Ana, security architect. Writes threat models for every new service. Wants them structured for product owners, not just auditors.
  • Jamal, pentester. Spends more time reformatting findings for client-ready, engineering-ticket, and researcher-response audiences than he spent finding the vulnerabilities.
  • Leah, engineering manager. Wants her AI to explain vulnerabilities to PR authors in a way that teaches instead of condescends.

Pricing

Security Reviewer Persona + Skills Pack
$39 one-time

Single-seat perpetual license

7-day money-back guarantee. No questions asked.

Want persistent AI memory too? Add CxMS Pro for $49 one-time, or grab the Complete Bundle at $199.

FAQ

Does the Security Reviewer Persona + Skills Pack require CxMS Pro AI?
No. The pack is Anthropic Agent Skills. Drop it into Claude Code's skills directory and it works. CxMS Pro AI is the persistent-memory upgrade that makes SAST triage rulings compound across sprints.
Can the SAST Triage skill handle my specific SAST tool output?
Yes. The skill is tool-agnostic. Feed it findings from Semgrep, CodeQL, Snyk Code, Checkov, SonarQube, Checkmarx, Veracode, Fortify, or any tool that outputs a finding with location, category, and description.
Does the CVE Applicability skill do real reachability analysis?
The skill performs static reachability analysis given the codebase context your AI tool can read. For deeper dynamic analysis, you still need a runtime SCA tool.
How does this compare to Semgrep Assistant or Snyk DeepCode AI?
Semgrep Assistant starts at $500/month for teams and is Semgrep-only. Snyk DeepCode AI is Snyk-only. GitHub Copilot security requires the Advanced Security tier. This pack is $39 one-time, works across any SAST tool, and adds cross-sprint triage memory when paired with CxMS Pro AI.
Is this pack appropriate for compliance use cases (SOC 2, ISO 27001)?
The threat model, security code review, and pentest report skills produce artifacts that support compliance documentation. They do not replace a compliance program.
Will my code or findings leave my machine?
No. The pack is local files. Your AI tool's model calls are whatever you configured them to be. Nothing in the pack phones home.
What's the refund policy?
7-day money-back guarantee. No questions asked. Packs are static files with no license check, so there is no deactivation step.

Stop re-teaching your AI every morning.

One purchase. Perpetual license. Seven-day money-back guarantee.


Built by OpenCxMS Technologies, Inc. — a Pennsylvania Public Benefit Corporation.