Resources · Checklist
Forty-five verifiable statements across seven sections, from scope to sign-off. Print it, walk it, and let the tier decide which items apply. Free to use and share.
Security architecture review
v1.0 · July 2026 · alvor.io
How to use it: assign a business impact tier first, then walk the sections. Not every item applies to every system; an item you skip should be skipped on purpose, out loud. An unchecked box is not a failure, it is a finding. The review is complete when section seven, not section one, is done.
You cannot review what you cannot see. This section fails fast.
Most real-world compromises are identity problems wearing a technical costume.
The attack surface is what is reachable, not what is intended.
Data is the thing the attacker wants and the regulator asks about.
Availability is a security property. Design the bad day before it happens.
If the system cannot testify about its own compromise, the design is incomplete.
This section is what separates a review from a conversation.
The checklist, as software
Diagrams on a live canvas, threats anchored to elements, named sign-offs, and a baseline that catches drift. The checklist stops being paper.