Hero's Journey Security Assessment API—Mythological Framework Meets SMB Cybersecurity

Published: December 11, 2025 at 11:45 PM EST
4 min read
Source: Dev.to

What I Built

The Hero’s Journey Security Assessment API transforms enterprise‑grade security assessments into narrative‑driven experiences for small and medium businesses. Instead of intimidating compliance checklists, SMBs progress through a mythological journey—from “Call to Adventure” to “Return with Elixir”—while building real security maturity.

The Problem

33+ million U.S. small businesses face the same cyber threats as enterprises (ransomware, BEC, supply‑chain attacks) but lack access to security expertise. Existing frameworks like NIST CSF speak compliance, not survival. A shop owner who is also the IT department doesn’t need a 400‑page framework—they need a guide.

The Solution

Map the Hero’s Journey—a universal narrative structure—to security operations. Each story stage becomes an API endpoint that tracks progress, scores controls, and generates plain‑language reports.

Security Framework Integration

Each journey stage maps to concrete security controls (e.g., “Call to Adventure” → asset inventory, “Crossing the Threshold” → MFA/backup validation). The MVP demonstrates the assessment workflow; production implementations would integrate with actual security tooling via the evidence and findings fields. This ensures the narrative scaffolding is not just metaphorical, but a structured gateway into real‑world security practices.

Journey Stages

  • Call to Adventure – Initial security awareness, asset inventory
  • Crossing the Threshold – First protective controls implemented
  • Tests, Allies, Enemies – Ongoing security challenges and partnerships
  • The Ordeal – Incident response readiness
  • Return with Elixir – Security maturity achieved, knowledge documented

API Documentation

  • Base URL: https://xdwe-j0cr-uydc.n7e.xano.io/api:wi5rBx5S
  • Swagger Docs: View Full Documentation
  • Rate Limits: Managed by Xano’s platform infrastructure. Authentication is disabled for the demo; production would enable JWT auth via Xano’s built‑in user authentication.

Key Endpoints

Start a New Journey

POST /assessments
Content-Type: application/json
{
  "business_name": "Acme Retail",
  "vertical": "retail",
  "employee_count": 25
}

Response

{
  "business_id": 1,
  "assessment_id": 1,
  "stages": [
    {"stage_name": "call_to_adventure", "score": 0},
    {"stage_name": "crossing_the_threshold", "score": 0},
    {"stage_name": "tests_allies_enemies", "score": 0},
    {"stage_name": "the_ordeal", "score": 0},
    {"stage_name": "return_with_elixir", "score": 0}
  ]
}

Generate Narrative Report

GET /generate_assessment_report?assessment_id=1

Response

{
  "business": {
    "name": "Acme Retail",
    "vertical": "retail",
    "employee_count": 25
  },
  "narrative_summary": {
    "hero_name": "Acme Retail",
    "current_chapter": "call_to_adventure",
    "stages_completed": 1,
    "overall_score": 75,
    "journey_status": "Apprentice"
  },
  "journey_stages": [...],
  "report_generated_at": 1765346205738
}

Journey Status Thresholds

  • Novice – Just beginning (score 

How to Try It Yourself

  1. Create a new journey with POST /assessments
  2. Update stage scores with PATCH /journey_stage/{id}
  3. Generate your narrative report with GET /generate_assessment_report

The AI Prompts I Used

Journey Begin Endpoint Prompt

Create an API that:

1. Accepts inputs: business_name (text), vertical (text), employee_count (integer)
2. Creates a new business record with those values
3. Creates a new assessment record linked to that business with:
   - current_stage: "call_to_adventure"
   - status: "in_progress"
   - started_at: current timestamp
4. Creates 5 journey_stage records for this assessment:
   - "call_to_adventure" (score: 0)
   - "crossing_the_threshold" (score: 0)
   - "tests_allies_enemies" (score: 0)
   - "the_ordeal" (score: 0)
   - "return_with_elixir" (score: 0)
5. Returns the assessment ID, business ID, and list of journey stages created

Report Generator Endpoint Prompt

Create an API that:

1. Takes assessment_id from the URL path parameter
2. Fetches the assessment record to verify it exists
3. Fetches the business record linked to this assessment
4. Fetches all journey_stage records for this assessment
5. Calculates overall progress:
   - Count stages with score > 0 as "completed"
   - Calculate average score across all stages
6. Generates a narrative summary object with:
   - hero_name: the business name
   - current_chapter: the current_stage from assessment
   - stages_completed: count of stages with score > 0
   - overall_score: average of all stage scores
   - journey_status: "beginning" if avg = 60
7. Returns business info, assessment info, all journey stages, the narrative summary, and timestamp
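An added end-to-end example, not code from the post or from Xano, of the two prompts above implemented in plain Python over a constructed in-memory store: start_journey mirrors the Journey Begin prompt, generate_report mirrors the Report Generator prompt (with the not-found precondition from the refinements applied first), and update_stage stands in for the PATCH step. The status cut-offs in STATUS_THRESHOLDS are assumed, since the post's own values are not reproduced here.

```python
from statistics import mean

# Constructed in-memory stand-ins for the post's tables (business -> assessment ->
# journey_stages), not Xano's storage API. STATUS_THRESHOLDS are assumed cut-offs.
DB = {"business": [], "assessment": [], "journey_stage": []}
STAGE_NAMES = ["call_to_adventure", "crossing_the_threshold",
               "tests_allies_enemies", "the_ordeal", "return_with_elixir"]
STATUS_THRESHOLDS = [(80, "Hero"), (60, "Guardian"), (30, "Apprentice"), (0, "Novice")]

def _insert(table, row):
    row["id"] = len(DB[table]) + 1   # sequential ids, as in the sample response
    DB[table].append(row)
    return row

def _find(table, **match):
    return next((r for r in DB[table] if all(r[k] == v for k, v in match.items())), None)

def start_journey(business_name, vertical, employee_count):
    """Journey Begin endpoint: validate input, then create business, assessment, 5 stages."""
    if not business_name or not isinstance(employee_count, int) or employee_count < 1:
        raise ValueError("business_name and a positive integer employee_count are required")
    biz = _insert("business", {"name": business_name, "vertical": vertical,
                               "employee_count": employee_count})
    asm = _insert("assessment", {"business_id": biz["id"], "status": "in_progress",
                                 "current_stage": STAGE_NAMES[0]})
    stages = [_insert("journey_stage", {"assessment_id": asm["id"], "stage_name": n, "score": 0})
              for n in STAGE_NAMES]
    return {"business_id": biz["id"], "assessment_id": asm["id"],
            "stages": [{"stage_name": s["stage_name"], "score": s["score"]} for s in stages]}

def update_stage(stage_id, score):
    stage = _find("journey_stage", id=stage_id)
    if stage is None:
        return {"error_type": "not_found", "error": "Journey stage not found."}
    stage["score"] = max(0, min(100, int(score)))   # clamp to 0..100, don't trust the caller
    return stage

def generate_report(assessment_id):
    """Report endpoint: the post's not-found precondition runs before any other lookup."""
    asm = _find("assessment", id=assessment_id)
    if asm is None:
        return {"error_type": "not_found", "error": "Assessment not found."}
    biz = _find("business", id=asm["business_id"])
    stages = [s for s in DB["journey_stage"] if s["assessment_id"] == assessment_id]
    avg = mean(s["score"] for s in stages)   # average over all stages, as in the prompt
    status = next(label for cutoff, label in STATUS_THRESHOLDS if avg >= cutoff)
    return {"business": {k: biz[k] for k in ("name", "vertical", "employee_count")},
            "narrative_summary": {"hero_name": biz["name"], "current_chapter": asm["current_stage"],
                                  "stages_completed": sum(1 for s in stages if s["score"] > 0),
                                  "overall_score": avg, "journey_status": status},
            "journey_stages": stages}
```

Because assessment ids are sequential integers and the demo runs with authentication disabled, the production version with JWT enabled should also verify that the caller owns the assessment before generate_report returns another business's data.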

How I Refined the AI‑Generated Code

Initial AI Output

The Xano Logic Assistant generated a solid foundation:

  • Database schema with proper relationships (business → assessment → journey_stages)
  • CRUD endpoints for all tables
  • Basic function stacks for custom logic

Human Refinements

  1. Authentication Configuration – Changed critical endpoints to public for the demo while keeping production‑ready auth settings.

  2. Error Handling – Added preconditions to validate that assessments and businesses exist before processing:

    {
      "precondition": "$assessment != null",
      "error_type": "not_found",
      "error": "Assessment not found."
    }
  3. Narrative Logic – Replaced pipe filters that caused syntax errors with explicit conditional checks:

    {
      "conditional": {
        "if": "$stage.score > 0",
        "then": {
          "var.update": "stages_completed_count",
          "value": "$stages_completed_count + 1"
        }
      }
    }
  4. Journey Status Thresholds – Updated status labels to narrative‑appropriate terms: Novice, Apprentice, Guardian, Hero.

  5. Maintainability by Design – Journey stages are stored as database records, not hard‑coded. New stages can be added without code changes; scoring thresholds and status labels are configurable variables, making the framework extensible and adaptable.

My Experience with Xano

What Worked Well

  • Logic Assistant saved hours by generating functional code from plain‑English descriptions.
  • Multi‑step workflows that would normally require extensive manual configuration were produced automatically, allowing rapid prototyping and iteration.