RECOMMENDATION_SCORE =
(SECURITY_WEIGHT × 0.35) +
(COMPLIANCE_WEIGHT × 0.25) +
(THREAT_WEIGHT × 0.20) +
(TEAM_SCALE_FACTOR × 0.10) +
(PROFILE_STAGE_FACTOR × 0.05)
Scale: 0-100 (higher = more important to address)
Why: Direct business impact on confidentiality, integrity, availability.
Range: 0-100 (0=low priority, 100=critical)
Example: Production system = 85%; internal tool = 40%
Why: Legal/financial consequences of non-compliance.
Range: 0-100
Example: SOC2 customer = 90%; no compliance = 0%
Why: Active risk; immediate attack surface.
Range: 0-100
Example: Known vulnerability in wild = 100%; theoretical = 20%
Why: Larger teams need stronger structure enforcement.
Range: 0-100
Example: Enterprise = 80%; solo = 20%
Why: Mature systems need stricter controls than POC.
Range: 0-100
Example: Production = 100%; POC = 20%
| Rule | Effect |
|---|---|
| CRITICALITY_TIER = critical | Override all other weights; force max recommendations |
| COMPLIANCE_FRAMEWORK ≠ none | Apply compliance rules even if PROFILE_STAGE=PoC |
| THREAT_LEVEL = high/critical | Override RESOURCE_CONSTRAINT; suggest triage |
| TEAM_SCALE = multi-team | Require CODEOWNERS, explicit governance |
- Rule A (fintech, SOC2): score = 90
- Rule B (POC stage): score = 20
- Winner: Rule A (compliance overrides stage)
- Rule A (critical threat): score = 85
- Rule B (severe resource limits): score = 20
- Winner: Rule A → suggests phasing (triage + comprehensive)
- Rule A (security): score = 60
- Rule B (team structure): score = 60
- Tie-breaker: Apply threat level; critical threat favors Rule A
- Customer-facing systems
- Systems handling sensitive data
- High-attack-surface projects
- Regulated industries (finance, healthcare)
- Multi-tenant SaaS
- Government contracts
- Known exploits in the wild
- Active incident response
- Zero-day scenarios
Bypass questionnaire and inject weights directly:
/audit SECURITY_WEIGHT=90 COMPLIANCE_WEIGHT=85 THREAT_WEIGHT=70 \
PROFILE_STAGE=production COMPLIANCE_FRAMEWORK=SOC2All weights must sum to 1.0:
0.35 + 0.25 + 0.20 + 0.10 + 0.05 = 0.95
(remaining 0.05 distributed to lower-impact factors)
Score range validation: 0 ≤ score ≤ 100