Security feature launch readiness evidence pack
so every product feature ships with a documented threat-model delta, scan record, exception decision, and named approver

A product manager pings the security lead in chat the day before launch and asks "any blockers?" The security lead glances at recent scans, says no, and the feature ships. Six weeks later, an external scanner picks up a regression on the new surface, and the audit cycle that follows has no record of who looked, what they looked at, or what they decided. Launch readiness has to be a documented gate, not a hallway response.

The application has a threat model from onboarding. The feature ships without recording what changed about it. When a downstream finding lands on the new authentication flow, the new data-handling path, or the new external endpoint, nobody can reconstruct whether the change was reviewed or whether the new trust boundary was assumed. The threat-model delta is the artefact that connects the launch decision to the architectural decisions it ratified.

Code scanning runs against the main branch the night before launch and never sees the feature branch. Authenticated DAST runs against last week's staging snapshot rather than the staging build carrying the new endpoints. External scanning checks the existing domain but misses the new subdomain the feature exposes. Pre-launch scanning has to land against the actual change scope, not against the steady-state baseline that was already clean.

A SAST finding on a public-facing path with regulated data ships at the same severity as the same finding on an internal experiment. The launch gate cannot tell the difference between findings that should block the release and findings that can carry forward. Calibration that bakes in the data classification, the exposure, and the reachability of the changed surface has to land at intake, not be re-argued every time a finding moves toward the gate.

A finding stays open because the engineering team commits to fixing it next sprint. There is no documented exception, no named compensating control, no recorded approver, and no expiry. Three quarters later, the finding is still open, the next launch reviewer has no record of why it shipped, and the audit finds an aged exception with no provenance. Launch exceptions belong in the structured eight-field exception register from day one.

The launch ships. Nobody signed off in writing. When a customer questionnaire asks who approved the security posture of the release, the security team reconstructs the answer from chat history and calendar invites. When an audit asks for the launch decision record, there is nothing structured to point at. The named approver, the timestamp, and the rationale have to land on the activity log so accountability survives the calendar quarter.

Six months after launch, an auditor asks for the security artefacts that accompanied the release. The security lead spends two days reconstructing the threat-model thinking, hunting for scan output, screenshotting the exception register, and writing a retrospective narrative that paraphrases what they remember of the launch decision. An evidence pack assembled at launch time from the engagement record is the only way this work scales beyond a handful of releases per quarter.

The launch engagement closes when the feature ships. The findings that shipped open under exceptions, the findings that carried forward, and the post-launch verification scans all live as orphan artefacts disconnected from the application's ongoing backlog. By the time the steady-state cadence picks them up, the launch context is gone and the original calibration has to be reconstructed. The transition out of launch readiness is part of the workflow, not a separate manual step.

The feature name, the parent application reference, the release identifier or change batch, the rollout shape (full release, gradual rollout, dark launch, feature flag, beta cohort), the target launch date, the named product owner on the engineering side, the named security owner on the workspace side, and the data classification or regulatory tags. The metadata anchors every downstream decision so the evidence pack ties back to the same release the audit asks about.

A structured record of what changed against the application baseline: new trust boundaries, new authentication surfaces, new data flows, new third-party dependencies, new permissions, new external endpoints, new privileged paths, and new logging coverage. The delta sits on the engagement as an attached document or as an organised set of intake findings so the next reviewer reads the change against the prior state.

The code scan against the feature branch (SAST plus dependency analysis), the authenticated DAST run against the staging build carrying the new endpoints, and the external scan against any new domain, subdomain, or public surface. Each scan record carries the scanner reference, the rule pack version, the scan timestamp, and the scan ID so the evidence trail is provenance-aware rather than asserting that scans happened.

Each finding carries the CVSS 3.1 vector, the workspace-calibrated severity, the data-classification adjustment, the exposure note, the reachability note, the named remediation owner, and the launch gate disposition (must close before launch, ship with exception, carry forward under SLA). The queue is the calibrated picture the launch decision reads against rather than a raw scanner dump.

For findings that ship open, the structured exception entry: the linked finding, the calibrated severity, the named compensating control with explicit rule, segment, or query reference, the residual likelihood, the residual impact, the business rationale, the documented expiry date, and the review cadence. The exception is attached to the launch engagement so the audit reads it back to the release that approved it.

A short narrative summarising the net launch risk in language the product owner and the named approver sign off against rather than as a pile of finding IDs. The named approver, the timestamp, the rationale, and the decision (approve, approve with exceptions, hold, reject) land on the activity log so the launch is a documented gating event rather than an asserted process.

Launch readiness depends on new application security onboarding for the application baseline the delta is measured against, on internal developer platform security guardrails for the paved-path posture engineering builds around, on asset criticality scoring for the data-classification context the launch-gate severity calibration reads against, and on the standing security finding disposition meeting for the cadenced review of aged launch exceptions.

Launch readiness feeds devsecops scanning for the steady-state cadence the feature transitions into, SDLC vulnerability handoff for the ongoing engineering-to-security loop, security finding fix verification for the post-launch retest discipline, and audit fieldwork evidence request fulfillment when the assessor asks for the documented per-change security review record.

The launch decision (approve, approve with exceptions, hold, reject) is recorded on the activity log with the named approver, the timestamp, and the rationale. The audit reads a documented gating event rather than reconstructing one from chat history six months later.

Every material change updates the threat model on the engagement. The next reviewer reads the change against the prior state. The application threat model stays alive rather than freezing at onboarding and aging into irrelevance.

Findings that ship open carry a structured exception with a named compensating control, an explicit expiry, and a review cadence. The exception register catches aged decisions on review rather than letting them drift forever.

The engagement record is the evidence pack. AI report generation drafts the narrative. Document management retains supporting artefacts. The audit cycle reads live workspace data rather than a parallel artefact assembled at audit time.

The launch engagement record, the threat-model delta attached as a document or structured finding bundle, the pre-launch code, authenticated DAST, and external scan runs against the change scope, the calibrated finding queue, the eight-field exception register entries, the AI-drafted residual risk narrative, the named-approver decision on the activity log, the post-launch retest record, and the framework-citation evidence-pack assembly.

SecPortal does not push tickets into Jira, Linear, ServiceNow, Asana, Shortcut, Slack, Teams, or PagerDuty. It does not host the feature flag, does not gate the release pipeline, does not drive the CI/CD deploy, does not control rollout percentage, and does not orchestrate dark launches. It is not a change-advisory-board tool, not a governance-risk-compliance platform, and not an identity provider. It does not provide enterprise SSO, SCIM, or SAML, and does not ship automated approval routing across external systems. The security-side launch evidence pack lives in SecPortal; the engineering-side change record lives in the engineering system; cross-references travel both ways through finding and engagement metadata.