← Back to Lessons Foundations

Meta-Prompting

Using AI to Create Better AI Inputs

10 min read

Meta-Prompting

Here's a technique that feels strange the first time you try it: ask the AI to write the prompt you'll use to ask the AI to do the actual work.

This is meta-prompting—prompting about prompting. And once you understand it, you'll wonder why you ever wrote complex prompts yourself.

Why This Works

AI understands AI better than you do.

The agent knows:

  • What instructions it needs to perform well
  • What format produces the best results
  • What causes confusion or ambiguity
  • What level of detail is optimal

When you describe your goal in plain language and ask the agent to generate a prompt for achieving that goal, the resulting prompt is often better than what you'd write yourself. The agent knows what will work for an agent.

The Basic Pattern

Instead of:

You: Write prompt → Test → Fail → Rewrite → Test → Adjust → Test → Succeed

Try:

You: Describe goal → Agent generates prompt → Test → Minor adjustments → Succeed

The iteration loop shrinks dramatically because the generated prompt starts closer to optimal.

Meta-prompting flow diagram

Pattern 1: Prompt Generation

You want a prompt for security code review. Rather than crafting it yourself:

Your request:

I need a prompt for reviewing Python code for security vulnerabilities.
The prompt should make the AI:
- Check for OWASP top 10 issues
- Provide specific file and line numbers
- Suggest fixes with corrected code
- Categorize findings by severity

Generate this prompt for me.

Agent generates:

Review the following Python code for security vulnerabilities.

For each issue found:
1. IDENTIFY: What vulnerability (OWASP category)
2. LOCATE: Specific file and line number(s)
3. SEVERITY: Critical/High/Medium/Low
4. EXPLAIN: Why this is a vulnerability
5. FIX: Provide the corrected code

Check specifically for:
- SQL injection
- Command injection
- XSS (if web-related)
- Insecure deserialization
- Hardcoded secrets
- Path traversal

Format output as:

## [SEVERITY] [VULNERABILITY TYPE]
**Location:** file.py:line
**Issue:** Description
**Fix:**
[corrected code]

Code to review:
[CODE]

The generated prompt is structured, comprehensive, and formatted for useful output. It took seconds to generate and would have taken you much longer to craft manually.

Pattern 2: Workflow Design

You need a workflow for adding new features. Ask the agent to design it:

Your request:

Design a complete workflow for adding a new feature from start to finish.
Include what commands to run at each phase and what success looks like.

Agent generates:

Feature Development Workflow

PHASE 1: PLANNING
Input: Feature description
Steps:
1. Analyze requirements - Understand scope
2. Check dependencies - What's affected
3. Create plan - Detailed implementation steps
Success: Clear plan with files to change identified

PHASE 2: IMPLEMENTATION
Input: Approved plan
Steps:
1. Load relevant context (existing patterns, related code)
2. Execute each step with verification
3. Run tests after each significant change
Success: Feature implemented, tests passing

PHASE 3: VALIDATION
Steps:
1. Run full test suite
2. AI code review for issues
3. Check test coverage on new code
Success: All tests pass, coverage adequate, no review issues

PHASE 4: COMPLETION
Steps:
1. Create commit with clear message
2. Create pull request with description
3. Clean up any temporary files
Success: PR ready for human review

Now you have a reusable workflow. The agent designed it based on best practices it's seen across millions of projects.

Pattern 3: Command Templates

You want to create a reusable command for your team. Have the agent design it:

Your request:

Design a command called /create-detection-rule.
It should gather necessary info and generate a complete
detection rule following Sigma format.

Agent generates:

/create-detection-rule

Parameters:
- technique: MITRE ATT&CK technique ID (e.g., T1003.001)
- log_source: Data source (e.g., sysmon, windows_security)
- severity: Detection severity (low/medium/high/critical)

Workflow:
1. Look up technique details from ATT&CK reference
2. Read existing detection rules in rules/ for patterns
3. Generate:
   - Sigma rule file with proper metadata
   - Detection logic targeting the technique
   - False positive guidance
   - Test case file with sample events
4. Validate rule syntax
5. Output: Files created, manual review checklist

Example usage:
/create-detection-rule technique=T1003.001 log_source=sysmon severity=high

The agent designed a command you can use repeatedly. It included parameters, workflow steps, and even an example—all generated in seconds.

Command design diagram

Pattern 4: Prompt Chaining

Complex tasks often need multiple prompts, where the output of one becomes input to the next. Have the agent design the entire chain:

Your request:

Design a chain of prompts for analyzing a suspicious binary.
Each prompt should build on the previous one's output.

Agent generates:

Prompt Chain: Binary Analysis

PROMPT 1: Initial Triage
"Examine this binary and provide:
- File type and format
- Compile timestamp
- Import table summary
- String extraction highlights
- Initial risk assessment"
Output: Triage report

PROMPT 2: Behavioral Indicators (uses output of 1)
"Given this triage report: {output_1}
Identify:
- Potential capabilities (network, file, registry, process)
- Suspicious API usage patterns
- Indicators of packing or obfuscation
- Likely malware family if identifiable"
Output: Behavioral analysis

PROMPT 3: Detection Signatures (uses output of 1 & 2)
"Given triage: {output_1}
And behavioral analysis: {output_2}
Generate:
- YARA rule for file detection
- Sigma rule for behavioral detection
- IOCs in STIX format"
Output: Detection content

PROMPT 4: Report (uses all outputs)
"Synthesize all analysis into executive summary:
- What is this binary?
- What does it do?
- How do we detect it?
- Recommended response actions"
Output: Final report

Each prompt in the chain is designed to build on the previous one. The agent understood the analysis workflow and structured the prompts accordingly.

Pattern 5: Self-Improvement

Use the agent to improve its own prompts based on feedback:

Your request:

This prompt isn't working well—the AI misses edge cases.
Current prompt: "Review this code for issues."

Improve it based on that feedback.

Agent generates:

Analysis of current prompt:
- Too vague ("issues" is undefined)
- No structure for output
- No specific criteria
- No edge case guidance

Improved version:

"Review the following code changes.

CHECKLIST:
- [ ] Logic errors or bugs
- [ ] Boundary conditions (null, empty, max values)
- [ ] Error handling completeness
- [ ] Security vulnerabilities
- [ ] Performance concerns
- [ ] Code style violations

For each issue found:
1. File and line number
2. Issue description
3. Severity (Critical/Important/Minor)
4. Suggested fix

PAY SPECIAL ATTENTION TO:
- Null/empty input handling
- Boundary values (0, 1, max)
- Error conditions and exception paths
- Concurrent access scenarios

Code to review:
[CODE]"

The improved prompt directly addresses the weakness (missing edge cases) by adding explicit guidance.

The Meta-Meta Pattern

Here's where it gets recursive: you can ask the agent to create a prompt that generates other prompts.

Your request:

Create a master prompt template I can use to generate
other prompts for any security analysis task.

Agent generates:

Security Analysis Prompt Generator

To generate a prompt for any security task, fill in:

TASK: [What security analysis to perform]
INPUTS: [What data/files/code to analyze]
OUTPUTS: [What deliverables to produce]
CONSTRAINTS: [Any limits on scope, time, or approach]

Generated prompt template:

"Perform {TASK} on the following {INPUTS}.

Produce these deliverables:
{OUTPUTS formatted as checklist}

Constraints:
{CONSTRAINTS}

For each finding:
1. What you found
2. Where you found it
3. Why it matters
4. How to address it

Prioritize findings by risk.

[INPUT DATA]"

Now you have a template for generating prompts. Meta-meta-prompting.

Recursive prompting diagram

Why Security Practitioners Should Care

Meta-prompting is particularly powerful for security work because:

  1. Consistency at scale: Generate prompts for your entire team's detection rule development, ensuring consistent structure and quality.
  2. Institutional knowledge capture: Design prompts that encode your organization's threat model and priorities, then share them.
  3. Rapid adaptation: When a new threat emerges, generate a tailored analysis prompt in seconds rather than crafting one from scratch.
  4. Training acceleration: New team members can use well-designed prompts immediately, even before they've developed the expertise to write them.

Key Takeaways

AI generates prompts — Often better than manual because the agent knows what agents need.

Describe goals, not mechanics — Tell the agent what you want to achieve; let it figure out how to instruct itself.

Design workflows through conversation — Complex multi-step processes can be designed through dialogue.

Iterate with feedback — Use the agent to improve prompts based on what's not working.

Meta-prompt for scale — Create templates that generate prompts for your team.

The best prompts aren't written by humans. They're written by AI for AI.

Want to Go Deeper?

This lesson is just the beginning. The full courses take you from foundations to building real agents for security operations.

Explore Courses