From appsec
This skill should be used when the user asks to "simulate attacks", "build attack trees", "model exploit chains", "score exploitability", or is running PASTA stage 6. Also triggers when the user asks about attack scenarios, red team simulation, DREAD scoring, or detection gap analysis in a threat modeling context. Part of the PASTA threat modeling methodology (Stage 6 of 7).
Install: `npx claudepluginhub florianbuetow/claude-code --plugin appsec`

This skill uses the workspace's default tool permissions.
Simulate realistic exploit chains by combining Stage 4 threats with Stage 5 vulnerabilities. Score each scenario by exploitability and impact, and assess whether existing controls detect or prevent each chain.
Read ../../shared/schemas/flags.md for the full flag specification. Key behaviors:
| Flag | Stage 6 Behavior |
|---|---|
--scope | Inherits from prior stages. Uses vulnerability inventory and threat catalog, not raw source. |
--depth quick | Top 3 most critical exploit chains only, basic scoring. |
--depth standard | Full attack trees for all high/critical pairs, DREAD scoring. |
--depth deep | Standard + detection gap analysis, control bypass assessment, multi-stage pivots. |
--depth expert | Deep + red team persona simulation with step-by-step exploit narratives. |
--severity | Filter to attack scenarios above the specified impact level. |
Read ../../shared/frameworks/pasta.md, Stage 6 section. PASTA is SEQUENTIAL.
Stage 6 consumes Stages 1-5 output and feeds Stage 7.
Required: Stage 5 output (vulnerability inventory with CWE mappings and vulnerability-threat correlations). Also needed: business assets (Stage 1), entry points (Stage 2), components and trust boundaries (Stage 3), threat catalog (Stage 4). If any of these are unavailable, warn the user and state explicitly which assumptions were made in their place.
Combine threats with vulnerabilities. Prioritize pairs targeting business-critical assets. Discard pairs fully mitigated by existing controls.
For each high-priority pair, build multi-step scenarios covering: entry point, exploitation, lateral movement, privilege escalation, objective reached, and exfiltration/impact. Construct attack trees showing alternate paths:

```
Goal: [Business-critical asset]
OR
+-- Path A: [Entry point] -> [Vuln-1] -> [Pivot] -> [Target]
+-- Path B: [Entry point] -> [Vuln-2] -> [Escalation] -> [Target]
```
Score each scenario with DREAD, rating every factor from 1 to 10:

| Factor | Criteria |
|---|---|
| Damage | 10 = full compromise, 1 = minor info leak |
| Reproducibility | 10 = every time, 1 = race condition |
| Exploitability | 10 = script kiddie, 1 = nation-state |
| Affected Users | 10 = all users, 1 = single user |
| Discoverability | 10 = publicly known, 1 = insider knowledge |

DREAD Score = average of all five factors (1-10), reported to one decimal.
For each chain: is exploitation logged? Would alerts fire? Would WAF/IDS block it? Is rate limiting effective? Would post-exploitation behavior be detected?
For each security control: can it be bypassed via alternative paths? Does it cover all entry points? Are there timing windows? Can the attacker degrade it?
Order scenarios by, in sequence: DREAD score (highest first), business impact (highest first), attack complexity (simpler ranks higher), detection coverage (undetectable ranks higher).
Stage 6 produces Attack Scenarios with Exploit Chains. ID prefix: PASTA (e.g., PASTA-ATK-001).
## PASTA Stage 6: Attack Simulation
### ATK-001: [Scenario Name]
**Target**: [Asset] | **Actor**: [Profile] | **DREAD**: X.X
**Chain**: Entry point -> Vuln exploited -> Access gained -> Pivot -> Objective
| Damage | Reproducibility | Exploitability | Affected Users | Discoverability | Score |
|--------|----------------|---------------|---------------|----------------|-------|
| X | X | X | X | X | X.X |
**Detection**: Logging [Y/N], Alerting [Y/N], WAF [Y/N]
**Gaps**: [Missing controls]
### Attack Scenario Summary
| ID | Scenario | DREAD | Target Asset | Complexity | Detected |
|----|----------|-------|-------------|------------|----------|
| ATK-001 | ... | X.X | ... | Low/Med/High | Yes/No |
### Detection Gap Summary
| Gap | Scenarios Affected | Recommendation |
|-----|-------------------|----------------|
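The scoring, mitigated-pair discard, ordering and detection-gap rules above, together with the two summary tables of the output format, as an added worked example. This is not code from the appsec plugin or the PASTA skill; it is a stand-alone helper that applies those rules to constructed scenarios. The sample scenarios, the 1-10 `business_impact` scale, the rule that a chain counts as "detected" only when it is both logged and alerted on, and the recommendation text in `GAP_ADVICE` are all assumptions made for the example.

```python
"""Added example, not code from the appsec plugin: applies this skill's Stage 6 rules
(DREAD scoring, discarding mitigated pairs, prioritization, detection gaps) to
constructed scenarios and renders the summary tables. All sample data is constructed."""
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean

COMPLEXITY_RANK = {"Low": 0, "Med": 1, "High": 2}  # simpler attack ranks higher
GAP_ADVICE = {  # constructed default recommendation text per missing control
    "Logging": "Log exploitation attempts at the chain's entry point",
    "Alerting": "Alert on the chain's post-exploitation behaviour",
    "WAF": "Add a WAF/IDS rule covering the entry point",
}


@dataclass(frozen=True)
class Dread:
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self) -> None:
        # Every factor is scored 1-10 per the criteria table; reject anything else
        for name, value in vars(self).items():
            if not 1 <= value <= 10:
                raise ValueError(f"{name}={value}: DREAD factors are scored 1-10")

    @property
    def score(self) -> float:
        return round(mean(vars(self).values()), 1)  # average of the five factors


@dataclass
class Scenario:
    id: str
    name: str
    target: str           # business-critical asset (Stage 1)
    chain: list[str]      # entry point -> vuln -> access -> pivot -> objective
    dread: Dread
    business_impact: int  # 1-10 criticality of the target asset (assumed scale)
    complexity: str       # "Low" | "Med" | "High"
    logging: bool         # is exploitation logged?
    alerting: bool        # would alerts fire?
    waf: bool             # would WAF/IDS block it?
    mitigated: bool = False  # fully mitigated by an existing control -> discard

    @property
    def detected(self) -> bool:
        return self.logging and self.alerting  # assumption: logged AND alerted on


def prioritize(scenarios: list[Scenario]) -> list[Scenario]:
    """Drop mitigated pairs; order by DREAD, business impact, complexity, detection."""
    live = [s for s in scenarios if not s.mitigated]
    return sorted(live, key=lambda s: (-s.dread.score, -s.business_impact,
                                       COMPLEXITY_RANK[s.complexity], s.detected))


def detection_gaps(scenarios: list[Scenario]) -> dict[str, list[str]]:
    """Map each missing control to the IDs of the scenarios it affects."""
    gaps: dict[str, list[str]] = {g: [] for g in GAP_ADVICE}
    for s in scenarios:
        for gap, present in (("Logging", s.logging), ("Alerting", s.alerting), ("WAF", s.waf)):
            if not present:
                gaps[gap].append(s.id)
    return {g: ids for g, ids in gaps.items() if ids}


def render(scenarios: list[Scenario]) -> str:
    """Emit the Attack Scenario Summary and Detection Gap Summary tables."""
    ordered = prioritize(scenarios)
    lines = ["### Attack Scenario Summary",
             "| ID | Scenario | DREAD | Target Asset | Complexity | Detected |",
             "|----|----------|-------|-------------|------------|----------|"]
    for s in ordered:
        lines.append(f"| {s.id} | {s.name} | {s.dread.score:.1f} | {s.target} "
                     f"| {s.complexity} | {'Yes' if s.detected else 'No'} |")
    lines += ["", "### Detection Gap Summary",
              "| Gap | Scenarios Affected | Recommendation |",
              "|-----|-------------------|----------------|"]
    for gap, ids in detection_gaps(ordered).items():
        lines.append(f"| {gap} | {', '.join(ids)} | {GAP_ADVICE[gap]} |")
    return "\n".join(lines)


def sample_scenarios() -> list[Scenario]:
    """Constructed threat/vulnerability pairs for a hypothetical invoicing app."""
    return [
        Scenario("ATK-001", "SQLi to customer DB dump", "Customer PII DB",
                 ["/search", "CWE-89", "DB read", "-", "bulk PII exfil"],
                 Dread(9, 9, 7, 10, 8), 9, "Low", logging=True, alerting=False, waf=True),
        Scenario("ATK-002", "IDOR on invoice endpoint", "Invoice records",
                 ["/invoice/{id}", "CWE-639", "other tenants' invoices", "-", "disclosure"],
                 Dread(5, 10, 9, 7, 8), 6, "Low", logging=True, alerting=True, waf=False),
        Scenario("ATK-003", "SSRF to cloud metadata creds", "Cloud account",
                 ["/import?url=", "CWE-918", "instance role creds", "cloud API", "storage takeover"],
                 Dread(10, 8, 6, 10, 5), 9, "Med", logging=False, alerting=False, waf=False),
        # Discarded pair: the XML parser already has external entities disabled
        Scenario("ATK-004", "XXE in legacy upload", "Build server",
                 ["/upload", "CWE-611", "file read", "-", "config leak"],
                 Dread(8, 8, 8, 8, 8), 7, "Med", logging=True, alerting=True, waf=True,
                 mitigated=True),
    ]
```

Running `print(render(sample_scenarios()))` lists ATK-001 (8.6) first, then ATK-003 ahead of ATK-002 even though both score 7.8, because the tie breaks on business impact; ATK-004 never appears because it is fully mitigated. The gap table then shows that ATK-003 is invisible to every control, which is exactly the kind of chain the ordering rule pushes to the top.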
Findings follow ../../shared/schemas/findings.md with:
- dread: full DREAD scoring object
- references.mitre_attck: technique IDs
- references.cwe: exploited CWE IDs
- metadata.tool: "pasta-attack-sim", metadata.framework: "pasta", metadata.category: "Stage-6"

Next stage: Stage 7, Risk & Impact Analysis (pasta-risk). Pass attack scenarios, DREAD scores, and detection gaps. Stage 7 combines technical exploitability with Stage 1 business impact to produce risk-weighted scores and a remediation roadmap.