PRD: Free Personalised Assessment

Author: CTO Agent Status: Draft Date: 2026-04-04 Related: CAS-110 (parent plan), CAS-85 (vulnerability recommendation profiles), CAS-111 (technical breakdown)

1. Problem Statement

CascadeGuard publishes free hardened container images and shows vulnerability data on a public dashboard. Today, visitors can browse images and see scan results, but the experience is generic — every user sees the same data regardless of their workload, industry, or risk profile. There is no mechanism to turn anonymous visitors into qualified leads.

Security teams evaluating container hardening solutions need guidance tailored to their specific environment: their base images, compliance requirements, deployment patterns, and business context. Without personalisation, visitors cannot see how CascadeGuard’s hardened images specifically benefit their stack, reducing both the perceived value and conversion to paid tiers.

This feature introduces a Free Personalised Assessment that converts the existing vulnerability recommendation framework (CAS-85) into a lead-generation funnel. Users answer a short questionnaire, authenticate, and receive a customised report showing recommendations weighted to their profile — with clear upsell paths to paid features.

2. Goals and Non-Goals

Goals

Convert anonymous site visitors into authenticated, profiled leads
Deliver genuinely useful personalised security recommendations based on the CAS-85 framework
Capture optional business context (company profile, workload details) for lead qualification
Establish measurable conversion funnel: image registry → assessment → report → upsell
Support AB testing of CTAs and conversion flows from day one

Non-Goals

Building a full vulnerability management platform (this is an assessment, not ongoing monitoring)
Supporting user-uploaded/private images in v1 (assessment covers CascadeGuard free images only)
Replacing the existing public dashboard (this is an additive feature)
Building a payment/billing system (upsell CTAs link to contact/waitlist in v1)
Email marketing automation (captured leads are stored; outbound campaigns are a separate initiative)

3. User Stories

#	As a…	I want to…	So that…	Priority
1	Security engineer	Browse all CascadeGuard free images with their security facets	I can evaluate which hardened images are relevant to my stack	P0
2	Security engineer	See detailed facet breakdowns per image	I understand exactly what CascadeGuard checks and fixes	P0
3	Site visitor	Take a free personalised assessment for images I use	I get recommendations tailored to my specific workloads	P0
4	Assessment user	Provide as much or as little information as I want	I’m not blocked by mandatory fields and can refine later	P0
5	Assessment user	Log in with GitHub, email, or Google	I can access my personalised results without creating yet another account	P0
6	Assessment user	Optionally provide company details (name, website, size, etc.)	My recommendations account for my organisation’s context	P1
7	Assessment user	View a personalised report with weighted recommendations	I see actionable guidance specific to my environment	P0
8	Assessment user	Return later and see my previous results	I don’t lose my assessment data and can share it with my team	P1
9	CascadeGuard (business)	Capture lead data from assessment completions	We can qualify and follow up with interested prospects	P0
10	CascadeGuard (business)	AB test CTA wording and placement	We optimise conversion at each funnel stage	P1
11	Assessment user	Upgrade to include public images in future assessments	I get broader coverage beyond CascadeGuard’s free images	P2
12	Assessment user	Try scanning my own image from the report	I can see CascadeGuard’s value on my actual workload	P1

4. Architecture

System Context

graph TB
    User([Site Visitor]) --> FE[Frontend - Next.js]
    FE --> Auth[Auth Provider<br/>GitHub / Email / Google]
    FE --> API[CascadeGuard API]
    API --> DB[(Cloudflare D1)]
    API --> Engine[Assessment Engine]
    Engine --> Profiles[CAS-85 Profile Framework]
    Engine --> ScanData[Scan Results DB]
    FE --> AB[AB Testing Service]

User Journey Flow

graph LR
    A[Image Registry Page] --> B[Facet Detail Pages]
    B --> C[CTA: Free Assessment]
    C --> D[Auth: GitHub/Email/Google]
    D --> E[Assessment Wizard]
    E --> F[Company Profile - Optional]
    F --> G[Personalised Report]
    G --> H1[Upsell: Public Images]
    G --> H2[Upsell: Try Scan]

Component Design

Image Registry Page — Public page listing all CascadeGuard free/managed images with security facets aligned to CAS-85 question categories. Each facet links to a detail page. Public images we do not manage appear with minimal upstream-only info.

Facet Detail Pages — Per-facet deep-dive for each managed image: what we check, what we found, what it means for the user.

Assessment Wizard — Short questionnaire (~10 business + ~10 workload questions from CAS-85 framework). All inputs optional with prominent guidance: “Provide as much or as little as you like — you can always add more later for more tailored results.”

Company Profile (Optional) — Captures: company name, website, years trading, company size, annual turnover. All fields optional. Shown as a separate step in the wizard to keep the core assessment lightweight.

Assessment Engine — Takes profile answers + selected images, runs them through the CAS-85 scoring model, produces weighted recommendations. Extends the CAS-85 recommendation profile framework.

Personalised Report — Full customised report showing recommendations weighted to user’s profile. Includes facet-by-facet breakdown, risk priorities, and actionable next steps.

Upsell CTAs — From the report: (a) upgrade to include other public images in future assessments, (b) try scanning their own image (the try-scan feature).

Technology Choices

Decision	Choice	Rationale
Auth provider	NextAuth.js (GitHub, Google, Email)	Already proven in Next.js ecosystem; supports all required providers
Assessment engine	Server-side API (Hono on Cloudflare Workers)	Consistent with existing API architecture per ADR-004
Database	Cloudflare D1	Aligned with ADR-004 migration from Turso
AB testing	PostHog or custom feature flags	Open-source, self-hostable, good Next.js integration
Scoring model	CAS-85 framework weights	Reuses existing work; single source of truth for recommendations

ADR References

ADR-004: Migrate database from Turso to Cloudflare D1

5. Threat Model

Assets

Asset	Classification	Storage
User email addresses	PII	Encrypted at rest in D1
Company profile data	Business confidential (user-provided)	Encrypted at rest in D1
Assessment answers	Internal	D1
OAuth tokens	Credentials	Server-side session only, never stored
Personalised reports	Internal	Generated on-demand, cached in D1

Threat Actors

Automated scrapers: Harvest assessment data or abuse the engine for free vulnerability intelligence
Credential stuffers: Attempt account takeover on authenticated assessment accounts
Competitors: Scrape personalised recommendations to reverse-engineer scoring model

Attack Surface

Authentication endpoints (OAuth callbacks, email magic links)
Assessment submission API (accepts user input)
Report generation API (resource-intensive, potential for abuse)
Company profile fields (free-text input, potential for injection)

Threats (STRIDE)

#	Category	Threat	Mitigation	Status
T1	Spoofing	Attacker impersonates user via stolen OAuth token	Short-lived sessions, no persistent token storage, PKCE for OAuth	Mitigated
T2	Tampering	Attacker modifies assessment answers in transit	HTTPS enforced, server-side validation of all inputs	Mitigated
T3	Repudiation	User denies taking assessment (e.g., for data deletion)	Audit log of assessment creation with timestamp and auth method	Mitigated
T4	Info Disclosure	Assessment data leaked via API	Auth required for all personalised endpoints, user can only access own data	Mitigated
T5	Denial of Service	Abuse report generation to exhaust compute	Rate limiting per user, generation queue with backpressure	Mitigated
T6	Elevation of Privilege	User accesses another user’s assessment	User-scoped queries, no sequential IDs (UUIDs), auth middleware on all endpoints	Mitigated

Risk Acceptance

Scoring model reverse-engineering: Accepted. The assessment provides genuine value; the scoring weights are not a trade secret worth protecting at the cost of user experience. Competitors would need significant effort to reconstruct the full model.

6. Security Requirements

Authentication: OAuth 2.0 (GitHub, Google) + email magic link via NextAuth.js; PKCE required
Authorization: User-scoped data access; users can only read/modify their own assessments
Data encryption: TLS in transit; D1 encryption at rest
Input validation: Server-side validation on all assessment and company profile fields; sanitise free-text inputs
Audit logging: Log assessment creation, report generation, and auth events
Rate limiting: Per-user and per-IP rate limits on assessment submission and report generation
Secrets management: OAuth client secrets via Cloudflare Workers secrets; no secrets in code
Dependency scanning: Existing Trivy/Dependabot pipeline covers new dependencies
Container security: N/A for v1 (frontend + Workers, no new containers)

7. Implementation Plan

Phase 1 — Core Assessment Flow (MVP)

Step	Scope
1	Image registry page with security facets (CAS-85 aligned)
2	Facet detail pages per managed image
3	Authentication integration (GitHub, email, Google)
4	Assessment wizard UI (business + workload questions, all optional)
5	Company profile step (optional fields)
6	Assessment engine API (scoring via CAS-85 framework)
7	Personalised report view

Phase 2 — Conversion Optimisation

Step	Scope
1	AB testing framework for CTAs
2	CTA wording experiments (“Customise these recommendations”, “Get your free report”, etc.)
3	Upsell CTAs on report (public image upgrade, try-scan)
4	Assessment return flow (saved results, “add more info” prompt)
5	Lead capture analytics and funnel metrics dashboard

Dependencies

CAS-85 (vulnerability recommendation profiles): Hard dependency. The assessment engine requires the facet/profile scoring framework from CAS-85 to be merged. Image registry and facet pages can begin independently.
ADR-004 (D1 migration): Assessment data model should target D1, not Turso.
Try-scan feature: Soft dependency for the “scan your own image” upsell CTA.

Paperclip Task Breakdown

CAS-110 — Parent: Free Personalised Assessment
CAS-85 — Vulnerability recommendation profiles (dependency)
CAS-111 — Technical breakdown
CAS-115 — This PRD

Implementation subtasks to be created after PRD approval.

8. Data Collection Principles

All data collection in the assessment flow follows these principles:

Everything is optional — No field beyond authentication is required to generate a report
Progressive disclosure — Prominent guidance: “Provide as much or as little as you like — you can always add more later for more tailored results”
Value exchange is clear — Each question explains how the answer improves recommendations
Authentication is the only gate — Required for personalisation (saving results, returning later), but the assessment questions themselves have no mandatory fields
Company profile is a separate step — Not mixed into the assessment wizard; users can skip entirely

Company Profile Fields (All Optional)

Field	Type	Purpose
Company name	Text	Lead qualification
Website	URL	Industry/size inference for better recommendations
Years trading	Number	Risk profile maturity indicator
Company size	Select (ranges)	Scale-appropriate recommendations
Annual turnover	Select (ranges)	Budget-appropriate recommendations

9. CTA Strategy and AB Testing

Key CTAs to Test

Location	Default Wording	Purpose
Facet detail pages	”Customise these recommendations for your workloads — free”	Drive assessment starts
Assessment completion	”Get your personalised report”	Drive report generation
Report page	”Upgrade to include public images”	Upsell to broader coverage
Report page	”Try scanning your own image”	Upsell to try-scan feature
Report page	”Share with your team”	Viral loop / additional leads

AB Testing Approach

Integrate PostHog (or equivalent) for feature flags and experiment tracking
Test CTA wording, placement, colour, and timing independently
Primary metrics per experiment: click-through rate, assessment completion rate, report generation rate
Secondary metrics: time-to-complete, drop-off step, return rate
Minimum experiment duration: 2 weeks or 100 conversions per variant (whichever comes first)

10. Success Metrics

Metric	Target	Measurement
Assessment start rate	>5% of image registry visitors	Analytics: CTA click / page view
Assessment completion rate	>60% of started assessments	Analytics: report generated / wizard started
Authentication conversion	>70% of users who reach auth step	Analytics: auth success / auth prompt shown
Optional company profile fill rate	>30% of authenticated users	Analytics: any company field filled / authenticated
Report-to-upsell click rate	>10% of report viewers	Analytics: upsell CTA click / report view
Lead capture volume	>100 profiled leads/month by month 3	Database: authenticated users with ≥1 assessment
Return user rate	>20% of users return within 30 days	Analytics: repeat sessions with assessment activity

11. Open Questions

Email gate: Should we require email before showing the report, or make the report free and gate only PDF export/save? (Board decision needed)
V1 image scope: Start with CascadeGuard free images only, or include a subset of popular public images? (Board decision needed)
Assessment engine hosting: Run scoring in Workers (latency-optimised) or as a separate service? (CTO to decide based on CAS-85 framework complexity)
Data retention: How long do we keep assessment data for inactive users? (Privacy/legal input needed)

Techcle Wiki

Explorer

Free Personalised Assessment