randori

Randori (乱取り) — PASTA Threat Modeling Plugin for Claude Code

AI-powered threat modeling implementing the full PASTA (Process for Attack Simulation and Threat Analysis) methodology. STRIDE classification, MITRE ATT&CK mapping, data flow diagrams, attack trees, and evidence-anchored threat scenarios — all from your source code.

Most teams skip threat modeling because it feels academic. Randori makes it a 10-minute conversation: type /randori:pasta, and Claude walks through all 7 PASTA stages, reads your code, builds DFDs, identifies threats with STRIDE, maps to ATT&CK techniques, and produces attack trees.

What You Get

• 7 PASTA stages (S1-S4 free, S5-S7 pro)
• STRIDE threat classification with code evidence
• MITRE ATT&CK technique mapping (T-codes)
• Data flow diagrams in Mermaid format
• Attack tree generation with AND/OR decomposition
• 5-factor probabilistic risk assessment (VerSprite model)
• OWASP Top 10 cross-reference
• CAPEC pattern mapping
• Resume support — pick up where you left off

Installation

claude mcp add-plugin randori-plugin --path /path/to/randori-plugin

Or clone and add manually:

git clone https://github.com/allsmog/randori-plugin.git

Then add to your Claude Code settings:

{
  "plugins": ["/path/to/randori-plugin"]
}

Quick Start

# Full PASTA threat model (stages 1-4)
/randori:pasta

# Individual stages
/randori:s1    # Define business objectives
/randori:s2    # Map technical scope
/randori:s3    # Decompose app + generate DFD
/randori:s4    # Threat analysis (STRIDE + ATT&CK)

# Generate report from completed stages
/randori:threat-report

Commands

Command	Description	Free
/randori:pasta	Full PASTA run (all available stages)	S1-S4
/randori:s1	Stage 1: Define business objectives	Yes
/randori:s2	Stage 2: Technical scope	Yes
/randori:s3	Stage 3: App decomposition + DFD	Yes
/randori:s4	Stage 4: Threat analysis (STRIDE)	Yes
/randori:s5	Stage 5: Vulnerability analysis	Pro
/randori:s6	Stage 6: Attack modeling	Pro
/randori:s7	Stage 7: Risk management	Pro
/randori:threat-report	Generate report	Yes

pasta flags

Flag	Effect
--stages s1,s2,s3,s4	Run specific stages only
--format json|md|mermaid	Output format
--resume	Resume from previous incomplete analysis

The 7 PASTA Stages

S1 Define Objectives     → Business context, risk profile
    ↓
S2 Technical Scope       → Components, actors, services
    ↓
S3 Decomposition         → DFD, trust boundaries, entry points
    ↓
S4 Threat Analysis       → STRIDE threats, ATT&CK, attack trees
    ↓
S5 Vulnerability Analysis → CVE/CWE correlation (Pro)
    ↓
S6 Attack Modeling       → Full attack trees, simulation (Pro)
    ↓
S7 Risk Management       → Mitigations, residual risk (Pro)

Free Tier (S1-S4)

Provides a complete foundational threat model:

• Business and security objectives
• Full technical scope inventory
• Data flow diagram with trust boundaries
• STRIDE-classified threat scenarios with code evidence
• MITRE ATT&CK technique mapping
• 5-factor probabilistic assessment
• Draft attack trees

Pro Tier (S5-S7)

Adds deep analysis via the Randori API:

• CVE/CWE correlation (NVD, OSV, EPSS, CISA KEV)
• Full attack trees with probability propagation
• Attack simulation with step-by-step paths
• Residual risk analysis
• Mitigation strategies with effort estimates
• Compliance-mapped recommendations

Agents

Agent	Role	Used In
threat-analyst	STRIDE threats + ATT&CK mapping	S4
attack-modeler	Attack trees + attack surface	S4, S6
risk-assessor	Probabilistic risk scoring	S4, S7
vuln-correlator	CVE/CWE correlation	S5

Skills

Skill	Description
STRIDE Classification	Complete STRIDE reference with code patterns, ATT&CK mappings, and CWE cross-references
PASTA Methodology	Full 7-stage methodology reference with inputs, outputs, and dependencies
MITRE ATT&CK Mapping	Enterprise technique reference organized by tactic
Attack Tree Generation	AND/OR tree construction with VerSprite node roles and probability propagation
DFD Generation	Data flow diagram creation in Mermaid format with trust zones

Output

Threat scenarios

Every threat includes:

[TS-001] Brute-force authentication bypass
- STRIDE: Spoofing
- ATT&CK: T1110 (Brute Force)
- OWASP: A07 (Auth Failures)
- Evidence: src/routes/auth.ts:45 — No rate limiting on login
- Probability: 0.72 (5-factor assessment)
- Impact: High

Data Flow Diagrams

Mermaid DFDs saved to .claude/dfd.mmd: