You're turning a 47-finding security assessment into an executable remediation programme for a commercial fishing company in Sierra Leone. Another firm wrote the assessment; the CFO needs it turned into something her organisation can run, track, and report on.
The discipline skills: verifying someone else's assessment before building on it; designing a remediation programme with SLAs, exception handling, and metrics; translating the same finding into three different arguments for three audiences (the technical team, the board, the insurance company); and standing up a tracking system that reports honest progress.
The AI-direction lesson: programme-scale work is where AI infrastructure stops being a convenience and starts being load-bearing. You connect tools by phase -- Semgrep during verification, the GitHub API during tracking, nothing during executive writing. Different directories get different memory rules. Multiple agents run in parallel across 47 findings, and you delegate mechanical remediation to Copilot's async coding agent via GitHub issue. The central problem is coherence -- two agents will produce locally correct output that doesn't compose, and keeping finding IDs and fix references aligned is your job. AI also writes remediation like a single-audience report and calculates metrics that quietly omit unresolved findings. Both have to be directed and verified.
Your Role
You're the programme architect. You take the inherited assessment, decide what's real, decide what gets fixed first and with what deadlines, decide what gets formally accepted as risk, and produce the three deliverables Mariama has to put in front of three different rooms.
Scaffolding is thin. No methodology template, no audience template, no filled-in tracking plan -- you design the engagement. A repo scaffold for the tracker is provided (labels, issue form, seed and metrics scripts), but the decision to use it, the repository to apply it to, and the metric definitions are yours. On earlier engagements someone more experienced stepped in on new terrain; here the terrain is familiar and you are the senior -- a senior colleague is on-demand if you want to bounce a programme-governance question off someone, but they won't volunteer and no review beat is staged. The AI relationship is multi-agent and phase-scoped: offensive and defensive agents run in parallel, mechanical work goes to an async agent, and connectivity and memory are scoped to match the phase you're in.
What's New
Last time you built a multi-paradigm detection system for a geothermal energy company in Iceland -- four detection paradigms, detection-as-code, ATT&CK coverage mapping, and a context architecture across sessions.
Remediation as a programme, not a plan. Earlier projects produced plans. This one produces a programme: SLAs, an exception handling policy for findings that can't be fixed, a tracking mechanism, and metrics the CFO reports quarterly. A plan without these is a wish list.
Three audiences, three arguments. The technical team needs reproduction steps and commands. The board needs business risk and investment framing. The insurance company needs framework mappings and control evidence. These are not different word counts -- they are different arguments.
Verifying someone else's findings. Industry data says 15-20% of "fixed" findings are still exploitable on first retest, and assessment reports often contain false positives. Before you prioritise the 47 findings, you confirm which ones are real.
AI infrastructure at programme scale. Phase-scoped MCP connectivity, multiple infrastructure mechanisms active at once, and multi-agent orchestration including async delegation via Copilot.
The hard part: agents each produce locally correct output that doesn't compose globally. Coherence across agents -- matching finding IDs, naming conventions, and fix references -- is the work.
Tools
- Claude Code, Codex CLI -- your two AI tools, running in parallel for verification. Continuing.
- GitHub Copilot coding agent -- new. Async delegation for mechanical remediation via GitHub issue.
- GitHub API MCP -- new. Connects Claude Code to the tracking repository for programme metrics.
- Semgrep MCP -- new. Static analysis for code-level fix verification.
- Docker -- the assessment firm's lab, provided so you can verify findings.
- GitHub -- issues, pull requests, Actions, used as the tracking system. New application.
- Nmap, sqlmap, Metasploit, Nuclei -- verification tools. Continuing.
- Wazuh, Loki, Grafana -- SIEM stack, for remediation-linked detection rules. Continuing.
- ATT&CK Navigator -- before/after coverage for the compliance deliverable. Continuing.
Materials
- The inherited assessment report -- the 47-finding document from the previous firm.
- Findings inventory -- a CSV extracted from the report so you can work with findings as data.
- Docker lab -- the assessment firm's environment, replicating Atlantic Harvest's relevant systems.
- Operational calendar -- when depots can and cannot go offline; constrains remediation sequencing.
- ERP support contract excerpt -- explains why some findings need compensating controls instead of patches.
- Fleet GPS architecture -- a system the previous assessment missed; you decide how to fold it in.
CLAUDE.md-- the engagement governance file.- Engagement memory starter -- slim; you extend it with path-scoped rules as work takes shape.
The programme structure, the SLAs, the exception handling policy, the decision to stand up the tracker scaffold against a real repository, the metric definitions, and the three audience deliverables are yours to design.