How to Use ChatGPT for a Security Audit (Step-by-Step)

Sulav Acharya

Most small businesses never do a security audit. Not because they don't care — but because hiring a professional costs thousands of dollars and doing it yourself feels overwhelming.

AI changes that. ChatGPT and Claude can walk you through a basic security audit in an afternoon, for free. You won't get the depth of a professional penetration test, but you'll identify the most common vulnerabilities that account for the vast majority of real-world breaches.

This guide shows you exactly how to do it — with the specific prompts to use at each step.


What a Basic AI-Assisted Security Audit Covers

A DIY audit using AI tools can realistically cover:

  • Password and credential hygiene
  • User account and access review
  • Network configuration basics
  • Cloud app and data exposure
  • Email security settings
  • Software and patch status
  • Basic policy gaps

What it cannot replace: professional penetration testing, code review, compliance audits (SOC 2, ISO 27001), or deep forensic analysis. For those, hire a professional.


Before You Start

You'll need:

  • Access to ChatGPT (free tier works) or Claude
  • Admin access to your main accounts (Google Workspace, Microsoft 365, or whatever you use)
  • About 2–3 hours
  • A notes document to record findings

Create a simple document with two columns: Finding and Action. You'll fill this in as you go.


Step 1 — Generate Your Custom Audit Checklist

Start by asking the AI to build a checklist tailored to your specific setup.

Prompt to use:

I run a small business with [X] employees. We use [list your tools — 
e.g. Google Workspace, Slack, GitHub, Stripe, QuickBooks]. 
We have [remote/office/hybrid] workers and our main risks are 
[client data/financial data/intellectual property].

Generate a prioritized security audit checklist for our specific setup, 
organized by risk level (critical, high, medium, low).

The more specific you are, the more useful the output. Don't use a generic prompt — tailor it to your exact stack.

What you'll get: A prioritized checklist of 20–40 items specific to your tools and team size. Work through this list during the rest of your audit.


Step 2 — Audit Your Passwords and Credentials

This is always where the most critical findings appear.

Prompt to use:

Help me audit password security for a small business. 
Give me:
1. A list of every account type that typically holds sensitive 
   business data (prioritized by risk)
2. The questions I should ask about each one
3. What good vs. bad looks like for each answer

Then work through the output manually — checking each account type for:

  • Is MFA enabled?
  • When was the password last changed?
  • Is the password unique (not reused elsewhere)?
  • Who has access — is it more people than necessary?

Follow-up prompt if you find issues:

I found that [X accounts] don't have MFA enabled and [Y people] 
have admin access who probably shouldn't. 
What's the fastest way to fix both issues this week?

Step 3 — Review User Access and Permissions

The principle of least privilege: every person should have access to only what they need to do their job — nothing more.

Prompt to use:

Help me conduct a user access review for a small business.
We have [X] employees in these roles: [list roles].
We use these tools: [list tools].

Give me a framework to review who has access to what, 
what questions to ask about each person's permissions, 
and how to identify over-privileged accounts.

What to actually check:

  • Google Workspace or Microsoft 365 admin console: who has admin rights?
  • Stripe or payment systems: who can initiate transfers?
  • GitHub: who has write access to production code?
  • AWS/cloud infrastructure: who has root or admin IAM access?

Follow-up prompt:

I found these over-privileged accounts: [describe what you found].
Give me a step-by-step plan to reduce permissions without 
disrupting anyone's work.

Step 4 — Check Your Email Security Settings

Email is the most common attack vector. Three technical settings — SPF, DKIM, and DMARC — protect your domain from being spoofed by attackers sending fake emails pretending to be from you.

Step 1 — Check your current status:
Go to mxtoolbox.com and run these three free checks:

  • MX Lookup (enter your domain)
  • SPF Record Lookup
  • DMARC Lookup

Step 2 — Use AI to fix what's missing:

Prompt to use:

My domain is [yourdomain.com] and I use [Gmail/Outlook/Fastmail] 
for email hosting.

MXToolbox shows: [paste your results]

Explain what each missing record does and give me the exact 
DNS records I need to add to fix each issue. 
Format them as a table with: Type, Host, Value, TTL.

ChatGPT or Claude will generate the exact DNS records to copy-paste into your domain registrar. This takes about 20 minutes to implement and significantly reduces your exposure to email spoofing attacks.
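
Records proposed by an assistant are worth checking before they go into DNS, because a malformed SPF or DMARC record can silently switch the protection off. The linter below is an added example, not part of the original article; the checks follow RFC 7208 and RFC 7489, and the function names and sample records are constructed for illustration.

```python
def lint_spf(txt_records):
    """Return problems found in a domain's SPF TXT record(s) (RFC 7208)."""
    spf = [r.split() for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return [f"expected exactly 1 SPF record, found {len(spf)}"]
    problems, lookups, default = [], 0, None
    for term in spf[0][1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # no prefix means "+"
        name = term.lstrip("+-~?").lower()
        base = name.split(":")[0].split("/")[0]
        # Each of these terms costs a DNS query; receivers give up after 10.
        if base in ("a", "mx", "ptr", "include", "exists") or name.startswith("redirect="):
            lookups += 1
        if name == "all":
            default = qualifier
        elif name.startswith("redirect=") and default is None:
            default = "redirect"
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    if default is None:
        problems.append("no 'all' or redirect: unlisted senders are never failed")
    elif default in ("+", "?"):
        problems.append(f"'{default}all' does not fail unlisted senders")
    return problems

def lint_dmarc(record):
    """Return problems found in a _dmarc TXT record (RFC 7489)."""
    tags = [t.strip() for t in record.split(";") if t.strip()]
    if not tags or tags[0].replace(" ", "") != "v=DMARC1":
        return ["record must begin with v=DMARC1"]
    kv = {k.strip().lower(): v.strip() for k, v in
          (t.split("=", 1) for t in tags if "=" in t)}
    problems = []
    policy = kv.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        problems.append(f"p= must be none, quarantine or reject, got {policy!r}")
    elif policy == "none":
        problems.append("p=none only monitors; spoofed mail is still delivered")
    for uri in filter(None, (u.strip() for u in kv.get("rua", "").split(","))):
        if not uri.lower().startswith("mailto:"):
            problems.append(f"rua target {uri!r} is not a mailto: URI")
    return problems

# Constructed sample: records of the kind an assistant might propose.
SAMPLE_TXT = ["v=spf1 include:_spf.google.com +all", "site-verification=abc123"]
SAMPLE_DMARC = "v=DMARC1; p=none; rua=reports@example.com"

if __name__ == "__main__":
    print("\n".join(lint_spf(SAMPLE_TXT) + lint_dmarc(SAMPLE_DMARC)))
```

The linter only inspects the record text it is given: lookups inside nested includes also count toward the limit of 10, so re-run the MXToolbox checks once the records are published.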


Step 5 — Audit Cloud App Permissions

Every time someone on your team clicks "Sign in with Google" or "Connect to Slack," they grant a third-party app access to your data. These permissions accumulate over years and most businesses have dozens of forgotten apps with live access to sensitive data.

How to check:

  • Google: myaccount.google.com/permissions
  • Microsoft: myapplications.microsoft.com
  • Slack: your-workspace.slack.com/apps/manage

Prompt to use:

I'm auditing third-party app permissions for our business. 
Here is a list of apps currently connected to our Google Workspace:
[paste the list]

For each one:
1. Assess the risk level of the permissions granted
2. Tell me if this type of app typically needs those permissions
3. Flag any that look suspicious or unnecessary

Rule of thumb: Any app your team hasn't used in 90 days should be revoked. Any app with broad permissions (read all email, access all files) that isn't a core business tool should be reviewed carefully.


Step 6 — Check for Exposed Secrets and Data

For businesses with code repositories:

Prompt to use:

We have GitHub repositories for our business. 
Give me a checklist of the most common ways sensitive data 
gets accidentally committed to Git repos, and how to check 
for each type of exposure.

Then use TruffleHog (free, open source) to actually scan your repos for exposed API keys, passwords, and tokens.

For businesses using cloud storage:

Prompt to use:

Help me audit our Google Drive / Dropbox for data exposure risks.
What should I check for, and what does over-sharing look like?
Give me the specific settings to review and what good vs. 
risky looks like for each.

Step 7 — Generate Your Findings Report

Once you've worked through the checklist, use AI to turn your notes into a proper report.

Prompt to use:

I've completed a basic security audit of our small business. 
Here are my findings:

[paste your notes]

Turn this into a professional security audit report with:
1. Executive summary (3-4 sentences for non-technical stakeholders)
2. Critical findings requiring immediate action
3. High priority findings for this month
4. Medium priority findings for next quarter
5. Recommended actions for each finding with estimated time to fix

This gives you a document you can share with your team, board, or clients to show your security posture — and a clear action plan to work from.


Step 8 — Create a Remediation Plan

Prompt to use:

Based on these audit findings: [paste findings]

Create a 30-day remediation plan that:
- Prioritizes by risk level
- Assigns realistic time estimates
- Groups quick wins (under 30 minutes) separately
- Identifies anything that needs outside help

What to Do After the Audit

A security audit is only useful if you act on it. Set three calendar reminders:

  • This week: Fix all critical findings
  • This month: Fix all high priority findings
  • In 6 months: Run the audit again

Security is not a one-time task. Repeat this audit every 6 months, or after any major change — new employees, new tools, new office, or after any security incident.


Limitations of AI-Assisted Audits

Be honest about what this covers and what it doesn't:

Covered by AI audit          | Not covered
Password and access hygiene  | Professional penetration testing
Email security settings      | Vulnerability scanning
Cloud app permissions        | Compliance certification
Policy gaps                  | Forensic investigation
Basic configuration review   | Application security testing

If your business handles regulated data (healthcare, finance, legal), processes payments, or operates in a regulated industry, complement this with a professional assessment. Use AI to get your basics right first — it makes professional audits faster and cheaper.


Full Prompt Cheat Sheet

Save these prompts for your audit:

Checklist generation:
Generate a prioritized security audit checklist for a [X-person] business using [tools list] with [data type] as our main risk.

Password audit:
Help me audit password and MFA status across all our business accounts. Give me a prioritized list of account types and what to check for each.

Access review:
Help me identify over-privileged user accounts in a [X-person] business. What should I check and what does least-privilege look like for each role?

Email security:
Generate the exact SPF, DKIM, and DMARC DNS records for [domain] using [email provider].

Cloud permissions:
Assess the risk of these third-party apps connected to our Google Workspace: [list]. Flag anything suspicious.

Report generation:
Turn these audit findings into a professional security report with executive summary, prioritized findings, and remediation timeline: [findings].


Frequently Asked Questions

Is it safe to share business information with ChatGPT?
Avoid pasting sensitive data — real passwords, API keys, customer data, or confidential documents. Describe your situation in general terms instead. For example, say "we have an over-privileged admin account" rather than pasting actual credentials.

How long does a DIY AI security audit take?
Expect 2–4 hours for a thorough first audit. Subsequent audits are faster because you already have a baseline. Many businesses find the first audit takes a full day when they go deep on remediation.

How often should I do this?
Every 6 months at minimum. Also run a partial audit after any significant change: new employee, new tool, team member departure, or suspected security incident.

Can I use this for compliance purposes?
A DIY AI audit does not satisfy formal compliance requirements (SOC 2, ISO 27001, HIPAA, PCI-DSS). It's a good foundation and preparation step, but regulated industries need certified assessors for compliance audits.
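
The advice above about not pasting sensitive data can be applied mechanically to audit notes before they go into any of the "[paste ...]" prompts. The redactor below is an added example, not part of the original article; the pattern list and the placeholder format are assumptions chosen for illustration and are not a complete secret catalogue.

```python
import re

# Illustrative patterns (an assumption of this example), not a complete catalogue.
PATTERNS = [
    ("PRIVATE_KEY", r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----"),
    ("AWS_KEY_ID", r"\bAKIA[0-9A-Z]{16}\b"),
    ("GITHUB_TOKEN", r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    ("EMAIL", r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    ("IPV4", r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # key=value credentials: keep the key name (group k), hide the value (group v)
    ("SECRET", r"(?i)(?P<k>\b(?:password|passwd|secret|token|api[_-]?key)\s*[=:]\s*)"
               r"(?P<v>[^\s<]\S*)"),
]

def redact(text):
    """Return (safe_text, mapping). The mapping never leaves your machine."""
    mapping = {}  # original value -> placeholder, stable across repeats

    def replacer(label):
        def _sub(match):
            groups = match.groupdict()
            value = groups.get("v") or match.group(0)
            if value not in mapping:
                n = sum(p.startswith(f"<{label}_") for p in mapping.values()) + 1
                mapping[value] = f"<{label}_{n}>"
            return groups.get("k", "") + mapping[value]
        return _sub

    for label, pattern in PATTERNS:
        text = re.sub(pattern, replacer(label), text, flags=re.DOTALL)
    return text, mapping

# Constructed audit notes; the key ID is AWS's documented example value.
SAMPLE_NOTES = """Finding: alice@example.com and bob@example.com share one admin login.
Finding: deploy script on 203.0.113.7 contains AKIAIOSFODNN7EXAMPLE
Finding: wiki page lists password=Spring2024! for alice@example.com"""

if __name__ == "__main__":
    safe, mapping = redact(SAMPLE_NOTES)
    print(safe)      # paste this into the assistant
    print(mapping)   # keep this local to translate the answer back
```

Because each distinct value keeps the same placeholder, the assistant can still reason about which findings involve the same person or host without seeing the real values.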


Disclosure: This article contains affiliate links. We may earn a commission if you purchase through our links, at no extra cost to you. We only recommend tools we've genuinely evaluated.

AI Security Desk — aisecuritydesk.bearblog.dev