diff --git a/pkg/cli/log.go b/pkg/cli/log.go
index 7a2e3df..2268c1f 100644
--- a/pkg/cli/log.go
+++ b/pkg/cli/log.go
@@ -26,3 +26,8 @@ func LogWarn(msg string, keyvals ...any) { log.Warn(msg, keyvals...) }
 
 // LogError logs an error message.
 func LogError(msg string, keyvals ...any) { log.Error(msg, keyvals...) }
+
+// LogSecurity logs a security-sensitive message.
+//
+//	cli.LogSecurity("login attempt", "user", "admin")
+func LogSecurity(msg string, keyvals ...any) { log.Security(msg, keyvals...) }
diff --git a/pkg/cli/log_test.go b/pkg/cli/log_test.go
new file mode 100644
index 0000000..04b5f92
--- /dev/null
+++ b/pkg/cli/log_test.go
@@ -0,0 +1,30 @@
+package cli
+
+import (
+	"bytes"
+	"strings"
+	"testing"
+
+	"forge.lthn.ai/core/go-log"
+)
+
+func TestLogSecurity_Good(t *testing.T) {
+	var buf bytes.Buffer
+	original := log.Default()
+	t.Cleanup(func() {
+		log.SetDefault(original)
+	})
+
+	logger := log.New(log.Options{Level: log.LevelDebug, Output: &buf})
+	log.SetDefault(logger)
+
+	LogSecurity("login attempt", "user", "admin")
+
+	out := buf.String()
+	if !strings.Contains(out, "login attempt") {
+		t.Fatalf("expected security log message, got %q", out)
+	}
+	if !strings.Contains(out, "user") {
+		t.Fatalf("expected structured key/value output, got %q", out)
+	}
+}