CLASSIFICATION · PUBLIC // APACHE-2.0 SKILL FILE · BREACHGUARD/001

Audit before you trust.

A methodology-driven security-audit skill for Claude. Structure first, findings second, false-positive verification before every conclusion. 283 lenses across 27 domains. No hand-waving, no slop.

01 · the problem

Most audits ship with a 40 % false-positive rate.

The industry has accepted that security scanners flag noise. Developers have learned to ignore half of what they see. Auditors stamp "LGTM" on findings they can't verify. The signal-to-noise ratio got so bad that security teams measure success by ticket closure, not by what actually broke in production.

Conventional audit output

"SQL injection possible in line 42" — no data flow.

"Weak crypto detected" — no exploit path.

"Authentication bypass risk" — no attacker model.

"Review required" — nothing you can act on.

breachguard output

HIGH / HIGH / TRUE_POSITIVE — Cloudflare tunnel exposes localhost MCP server publicly.

Attacker model: unauthenticated-remote / network-only / public-api.

Evidence: DIRECT — cp.spawn('cloudflared', ...) at McpBridge.ts:249.

Fix: Warning dialog, token rotation, crypto.timingSafeEqual(). ~4h.

02 · methodology

Five phases. Six gates. No shortcuts.

Each audit follows the same protocol. Skip a phase, you lose calibration. Skip a gate, you ship a false positive. The structure is the deliverable.

01 · Intake
Scope, attacker-models, critical paths. What's in, what's out, who's attacking.

02 · Context
Entrypoints, trust boundaries, actors, storage. The map before the walk.

03 · Lens
Apply relevant lenses from the 283-pattern catalog. Breadth before depth.

04 · FP-Verify
Six gates: Sink · Source · Reach · Validation · Control · Impact. Fail-closed on uncertainty.

05 · Report
Calibrated severity. Explicit coverage limits. Fix estimates. Release-gate verdict.

03 · scale

A catalog, not a checklist.

283 specialist lenses · 27 domains · 12 operating modes · 6 role personas · 20 bug classes

A finding without an attacker model is a vibe, not a vulnerability.

04 · anatomy of a finding

Every finding, the same scaffold.

Severity is calibrated against confidence. Gates are visible. Evidence is classified (direct / inference / heuristic). A reviewer can see, from the structure alone, whether to act, investigate further, or ignore.

HIGH · HIGH · TRUE_POSITIVE
F-NEW-1 — Cloudflare tunnel exposes localhost MCP server publicly
Lens: sharp-edges, supply-chain
File: src/mcp/McpBridge.ts:249-296
Attacker-Model: unauthenticated-remote / network-only / public-api
Exploitability: conditional
Evidence: DIRECT — spawn('cloudflared', ['tunnel', '--url', ...])
Gates: sink ✓ source ✓ reach ✓ validation ~ control ✓ impact ✓

The MCP server has token auth and a 1 MB body limit — adequate for localhost. The moment startTunnel() runs, trycloudflare.com exposes the endpoint over HTTPS with a Bearer token as the only gate. CORS restrictions protect only browsers; curl and Python ignore CORS entirely.

Fix: UI warning on tunnel start, token rotation on enable/disable, crypto.timingSafeEqual() instead of string compare, absolute-path config for the cloudflared binary. Estimated ~4h.

05 · fp-verification

Six questions. Fail-closed on any maybe.

A finding that can't answer all six passes through the report as UNCERTAIN with the specific gate(s) that failed. This is calibration made legible. Nothing is silently promoted to TRUE_POSITIVE.

GATE · 01 · Sink
Is there a dangerous destination that data reaches? Exec, eval, file write, network request, SQL parser.

GATE · 02 · Source
Does attacker-controlled data enter the system? User input, network response, file content.

GATE · 03 · Reachability
Is the vulnerable code actually reachable? Dead code, feature flags, debug-only paths.

GATE · 04 · Validation
Is there an effective check between source and sink? Sanitizers, escaping, canonicalization.

GATE · 05 · Attacker Control
Can the attacker actually shape the data? Or is it constrained by prior validation upstream?

GATE · 06 · Impact
If exploited, what breaks? Confidentiality, integrity, availability. Privilege level. Data class.

06 · positioning

What it is. What it isn't.

breachguard is

  • A Claude skill — a .skill archive you load once
  • A methodology framework with enforceable gates
  • A first-pass audit that surfaces hot-spots and attacker paths
  • Useful for security, performance, architecture, compliance review
  • Honest about its own scope limits in every report
  • Apache-2.0 licensed, inspected source

breachguard is not

  • A replacement for a professional security firm or pentest
  • A CVE scanner — use Semgrep / Snyk / Dependabot for that
  • A mobile-app-specific tool — see OWASP MAS skill
  • An LLM prompt-injection scanner — see dedicated skill
  • A certification of absence — only a structured surfacing
  • A silver bullet. There are none in this field.

07 · installation

Load it. Use it.

OPTION · A · Claude.ai / Desktop
Settings → Skills → Upload → breachguard.skill

Enable the skill in your workspace. Auto-activates on security-audit intent.

OPTION · B · Claude Code
unzip breachguard.skill -d ~/.claude/skills/

Copies the skill into your user skills directory. Restart Claude Code to pick it up.

OPTION · C · Project-specific
mv breachguard.skill <project>/.claude/skills/

Scopes the skill to a single project. Useful when auditing a repo locally.