Use AI to Draft Content
Product Security Hub includes AI-assisted content generation to help you draft CVSS justifications, requirement responses, and risk assessments. Instead of starting from a blank page, let AI create a first draft based on your product's context, then review and refine as needed.
Before You Begin
- You have created a product with basic details filled in
- You have threats, risks, or requirements that need content (from your architecture or threat model)
🔑 Key Concept: AI as Your Starting Point
Product Security Hub's AI doesn't replace your expertise—it accelerates your work. When you click AI Generate, Product Security Hub sends relevant context to an AI endpoint:
- Your product name and description
- The specific threat, requirement, or risk being documented
- Related component and architecture information
- Pre-defined prompts optimized for security documentation
Always review AI-generated content. The AI provides a starting point based on your product context, but you know your product best. Edit the content to ensure accuracy before saving.
Where You Can Use AI Generation
AI content generation is available for specific fields across these pages. Look for the orange AI Generate button next to supported fields:
Threats
On the Threat Detail page
AI Generate available for: PM Scoring Justification
Generates justification text explaining your CVSS vector selections based on product context
Requirements
In the Requirements table
AI Generate available for: How Will This Be Met
Drafts a response explaining how your product meets the security requirement
Residual Risks
On the Risk Detail page
AI Generate available for: Mitigation Details, Scoring Justification
Generates mitigation documentation and CVSS justification for residual risk assessment
Generate for a Single Field
The quickest way to use AI is to generate content for individual fields as you work through your documentation.
Navigate to a Threat, Requirement, or Risk
Open any item from your Threats, Requirements, or Residual Risks page to view its details.
Find the "AI Generate" Button
Look for the orange AI Generate button next to supported fields (PM Scoring Justification for threats, How Will This Be Met for requirements, or Mitigation Details/Scoring Justification for risks).
Click "AI Generate"
Product Security Hub sends your product context and field-specific prompts to the AI endpoint. After a moment, the generated content appears in the field.
Review and Edit
Read the generated content carefully. Edit it to match your specific product context, then save your changes.
💡 What Data is Sent to the AI
When you click AI Generate, Product Security Hub sends context relevant to the specific field:
- For CVSS Justifications: Threat/risk description, STRIDE category, your selected CVSS vectors, component details
- For Requirements: Requirement text, category, your product description, related components
- For Mitigation Details: Risk description, linked threats, related requirements, product context
Batch Generate with "Generate for All"
If you have many items that need content, use the batch generation feature to generate content for multiple fields at once.
Click "Generate for All" in the Menu Bar
At the top of the Threats, Risks, or Requirements page, find the Generate for All option in the menu bar.
Select Fields to Generate
A popup modal appears where you can choose which fields you'd like to generate content for. Select the fields you need and click to start generation.
Wait for the Notification
The generation runs in the background. You can continue working on other tasks. When complete, a notification appears in the notification window.
Review the Generated Content
Navigate back to the page and click Generate for All again. The modal now shows the generated content for each field.
Accept or Reject Each Suggestion
Review each piece of generated content. Accept the ones that look good, or reject and regenerate as needed.
⏱️ Be Patient with Batch Generation
When generating content for many fields, Product Security Hub needs to send information to the AI endpoint for each one and wait for responses. This can take several minutes for products with many threats or requirements. The notification will let you know when it's complete.
Example Use Cases
PM Scoring Justification for Threats
When scoring a threat with CVSS 3.1 or 4.0, you need to justify your vector selections. The PM Scoring Justification field captures your rationale. Click AI Generate to draft justification text based on your threat description and product context:
Example AI-Generated Justification
"The Attack Vector is rated as Network (N) because the device's web configuration interface is accessible over the local network. Privileges Required is Low (L) as authenticated users with basic access can trigger the vulnerability. User Interaction is None (N) since exploitation does not require any action from a victim user."
How Will This Be Met for Requirements
For each security requirement, document how your product meets it in the How Will This Be Met column. This is your primary response field for compliance evidence. Click AI Generate to draft an initial response:
Example AI-Generated Response
"The device implements secure firmware updates using code signing with RSA-2048 certificates. All firmware images are verified against the manufacturer's public key before installation. Failed verification aborts the update process and logs the event to the security audit trail."
Mitigation Details for Residual Risks
When documenting residual risks, explain how the risk is being managed in the Mitigation Details field. Click AI Generate to draft mitigation documentation:
Example AI-Generated Mitigation
"This residual risk is mitigated through network segmentation controls that isolate the device from untrusted networks. Additionally, access control policies restrict configuration changes to authenticated administrators, and all configuration changes are logged for audit purposes."
Scoring Justification for Residual Risks
Residual risks also require CVSS scoring with justification. The Scoring Justification field explains your CVSS 3.1 or 4.0 vector selections. Click AI Generate to draft justification text:
Example AI-Generated Scoring Justification
"The residual risk is scored with Attack Complexity High (H) because successful exploitation requires specific configuration conditions and timing. Scope is Unchanged (U) as impact is limited to the vulnerable component. Availability Impact is Low (L) due to rate limiting controls that prevent complete denial of service."
How AI Generation Works
1. You click "Generate"
2. Product Security Hub sends product context
3. AI processes it with our prompts
4. The draft returns to the field
5. You review, edit & accept
Product Security Hub uses pre-defined prompts optimized for security documentation. The AI never sees your data outside of the generation request, and you always have final control over what content is saved.
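As an aid to the review step for the two CVSS justification fields (PM Scoring Justification for threats, Scoring Justification for residual risks), the following added example, which is not part of Product Security Hub, compares a draft's wording with the CVSS 3.1 vector you selected and lists metrics the draft contradicts or never justifies. The function names, the phrase pattern and the sample vector are assumptions made for this example; the draft text is shortened from the example justification on this page.

```python
import re

# CVSS 3.1 base metrics: abbreviation -> (name as written in prose, allowed letters)
METRICS = {
    "AV": ("Attack Vector", "NALP"), "AC": ("Attack Complexity", "LH"),
    "PR": ("Privileges Required", "NLH"), "UI": ("User Interaction", "NR"),
    "S": ("Scope", "UC"), "C": ("Confidentiality Impact", "NLH"),
    "I": ("Integrity Impact", "NLH"), "A": ("Availability Impact", "NLH"),
}

def parse_vector(vector):
    """Parse 'CVSS:3.1/AV:N/...' into {abbreviation: letter}; reject malformed input."""
    prefix, _, rest = vector.partition("/")
    if prefix != "CVSS:3.1":
        raise ValueError("expected a CVSS:3.1 vector")
    selected = {}
    for part in rest.split("/"):
        abbr, _, letter = part.partition(":")
        if abbr not in METRICS or abbr in selected or letter not in tuple(METRICS[abbr][1]):
            raise ValueError(f"bad or repeated metric: {part!r}")
        selected[abbr] = letter
    if len(selected) != len(METRICS):
        raise ValueError("vector is missing base metrics")
    return selected

def claims_in_text(draft):
    """Find phrases such as 'Attack Vector is rated as Network (N)' in a draft."""
    tail = r"(?:\s+is)?(?:\s+rated\s+as)?\s+\w+\s+\(([A-Z])\)"
    claims = {}
    for abbr, (name, _) in METRICS.items():
        match = re.search(re.escape(name) + tail, draft)
        if match:
            claims[abbr] = match.group(1)
    return claims

def review(vector, draft):
    """Return findings a reviewer should resolve before accepting the draft."""
    selected, claims = parse_vector(vector), claims_in_text(draft)
    findings = []
    for abbr, (name, _) in METRICS.items():
        if abbr not in claims:
            findings.append(f"{name}: no justification found in draft")
        elif claims[abbr] != selected[abbr]:
            findings.append(f"{name}: draft says {claims[abbr]}, vector has {selected[abbr]}")
    return findings

# Constructed sample: vector invented here; draft shortened from the page's example.
VECTOR = "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
DRAFT = ("The Attack Vector is rated as Network (N) because ... Privileges Required "
         "is Low (L) ... User Interaction is None (N) ...")
```

Calling `review(VECTOR, DRAFT)` returns one mismatch (Attack Vector) and five metrics with no justification; an empty list means every base metric is mentioned with the letter you selected, not that the reasoning itself is correct.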
Best Practices
Fill in product details first
The more context Product Security Hub has about your product, the better the AI-generated content will be. Complete your product description and architecture before generating.
Always review before accepting
AI provides a starting point, not a final answer. Read every generated response and edit it to accurately reflect your product.
Use batch generation strategically
Generate for All is great for initial documentation sprints. For ongoing maintenance, individual generation may be more efficient.
Regenerate if needed
If the first generation doesn't fit, you can regenerate. Sometimes small changes to your product description can improve results.
What's Next?
Now that you know how to use AI-assisted content generation, put it to work:
1. Run Your Threat Model: Use AI Generate for PM Scoring Justification on your threats
2. Manage Requirements: Generate "How Will This Be Met" responses for compliance evidence
3. Manage Residual Risks: Use AI Generate for Mitigation Details and Scoring Justification