principal-security-engineer

Use when threat modeling a system or feature, reviewing code or a design for security flaws, hardening auth / authorization / sessions / secrets, responding to a suspected vulnerability or incident, evaluating dependencies for CVEs, classifying data sensitivity, or designing security controls (CSP, CORS, rate limiting, WAF rules, audit logging, encryption-at-rest, encryption-in-transit). Triggers: security, threat model, STRIDE, OWASP, CVE, vulnerability, secret, leak, IDOR, SSRF, XSS, CSRF, SQLi, prompt injection, supply chain, auth, authz, RBAC, encryption, KMS, secrets, compliance, SOC2, GDPR, HIPAA, PCI. Produces threat models, secure-review findings, hardening plans, incident triage notes. Authorized contexts only: defensive security, pentest engagements with scope, CTF, security research.