Planning Poker Template
Security Review Prioritization
Prioritize security findings by risk before they become incidents
Use planning poker with a risk deck to reach team consensus on the severity of security findings. Having both security engineers and developers vote together surfaces implementation details that affect exploitability, while business representatives weigh the impact of a breach. Simultaneous reveal prevents senior engineers from anchoring the group on their initial assessment.
Deck type: risk
Duration: 45 minutes
Team size: 3–8 people
Estimation focus: exploitability and business impact
Steps
1. List security findings from a recent audit or penetration test
2. Summarize each finding: attack vector, affected data, existing controls
3. Vote on risk level — Low, Medium, High, or Critical
4. Reveal and resolve splits by discussing likelihood vs impact
5. Assign an owner and target remediation date for each finding
6. Schedule a follow-up to verify fixes
When to use
After a security audit, penetration test, or significant architecture change. Run this with both engineering and a security representative — do not let one team prioritize unilaterally.