Rewrite a threat report for a chosen audience: SOC, CISO, exec, board.
Project description
so-what-cli
Rewrite a threat report for a chosen audience: SOC, CISO, non-security exec, or board.
The same intel needs different products for different readers. SOC wants detections and IOCs. The CISO wants decision-grade business framing. The exec wants plain English. The board wants governance language. Most teams write one product and send it to all four, which is why nobody finds it useful.
This CLI does the translation. Reads markdown or text from a file (or stdin), runs it through a prompt tuned for the target audience, and writes back markdown, docx, or PDF. Pluggable LLM backend so it works with whatever you've got: Anthropic, OpenAI, or local Ollama.
Install
pip install so-what-cli # core
pip install 'so-what-cli[anthropic]' # Claude backend
pip install 'so-what-cli[openai]' # GPT backend
pip install 'so-what-cli[docx]' # docx output
pip install 'so-what-cli[pdf]' # pdf output (needs pandoc on PATH)
pip install 'so-what-cli[all]' # everything
Set one of the API keys, or run a local Ollama:
export ANTHROPIC_API_KEY=sk-ant-...
# or
export OPENAI_API_KEY=sk-...
# or, for local
ollama serve
ollama pull llama3.1:8b
Use it
# rewrite a vendor advisory for the CISO, tied to your asset profile
so-what advisory.md --audience ciso --asset-profile profile.yaml
# pipe a CISA KEV note through and get a SOC product
curl -s https://example.com/advisory.txt | so-what - --audience soc
# build a board pack one-pager as a docx
so-what advisory.md --audience board --format docx --output board.docx
# see what's in the prompt without spending tokens
so-what advisory.md --audience exec --asset-profile profile.yaml --dry-run
Flags worth knowing:
--audience(required):soc,ciso,exec,board.--asset-profile: YAML file describing your org. Seeexamples/asset-profile.yaml.--format:md(default),docx,pdf.--output: file path. Defaults to stdout for markdown.--backend:anthropic,openai,ollama. Defaults based on env vars present.--model: override the backend default.--dry-run: print the assembled system + user prompts. Don't call the model.--extra-context: free-text context (incident ref, prior assessment, anything).
Why the audiences are shaped the way they are
The prompts in src/so_what/audiences/ are opinionated. They follow:
- ICD-203 confidence language for assessments, plain hedging for facts. The IC's analytic standards are a useful baseline for any analyst writing under uncertainty.
- The cyclical arc from Heuer's tradecraft tradition: problem, impact in the reader's terms, mitigation. Compressed for executives, expanded for SOC.
- The banned-vocab list from
voice-DNA. No vendor breathless adjectives. No filler that signals AI-written copy. The brand here is analyst-grade output.
If you don't like one of the audience prompts, edit the markdown. The prompts are the product.
Asset profile
The profile YAML grounds the rewrite in your org. Required keys are org_name and industry. The recommended fields (regions, regulators, key vendors, crown jewels, internet-facing tech, identity provider, EDR) let the model tie threats to the specific assets that matter. Without a profile the output is generic; with one, it stops being generic.
See examples/asset-profile.yaml for the full shape.
What's in the repo
so-what-cli/
src/so_what/
cli.py
prompts.py # audience prompt loading + user prompt assembly
profiles.py # YAML asset profile loader
render.py # md/docx/pdf output
audiences/
soc.md # SOC / IR analyst voice + structure
ciso.md # decision-grade executive summary voice
exec.md # non-security exec, BLUF, business outcomes
board.md # board / audit committee, governance frame
backends/
anthropic_backend.py
openai_backend.py
ollama_backend.py
tests/
test_cli.py
fixtures/
sample-advisory.md
examples/
asset-profile.yaml
Testing
pip install 'so-what-cli[dev]'
pytest
The tests don't call any LLM. They check argparse, prompt loading, profile validation, and dry-run output assembly. Run them on every PR.
Status
Alpha. v0.1. Audience prompts validated against a synthetic sample advisory. Next: validate against 10 real public CVEs from the last 90 days and tune the prompts. PRs welcome on audience prompt quality, additional output formats, and additional backends.
License
MIT. See LICENSE.
Related
This is the OSS engine behind the hosted version at so-what.app. The hosted version adds a web UI, team accounts, saved asset profiles, and Slack delivery. The CLI is free and always will be.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file so_what_cli-0.1.0.tar.gz.
File metadata
- Download URL: so_what_cli-0.1.0.tar.gz
- Upload date:
- Size: 20.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
191fe75b4deb8817502cd914898236e435ab55c108b462e17dd394d5b8f262f5
|
|
| MD5 |
02367571f747ddecbfe0d7ed04b7d0f9
|
|
| BLAKE2b-256 |
715642a4edb927ad39a7d9ed1a5e0cb7d7ed4170a0db1058453454aeb78b3398
|
File details
Details for the file so_what_cli-0.1.0-py3-none-any.whl.
File metadata
- Download URL: so_what_cli-0.1.0-py3-none-any.whl
- Upload date:
- Size: 24.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
1f4661aecd5dd85bd83d5e4eeb41cc7987dae37920be77482b369cffb2628d65
|
|
| MD5 |
41f16952396f6b9a3260882c33e629c6
|
|
| BLAKE2b-256 |
a6906a4f174c4624828a259c976d340cef8a8b579de096b31bd79ebea55c5a10
|
