This skill should be used when the user asks to "calculate risk scores", "prioritize mitigations", "generate remediation roadmap", "analyze business impact", or is running PASTA stage 7. Also triggers when the user asks about risk-weighted findings, compliance gap analysis, or executive security summary in a threat modeling context. Part of the PASTA threat modeling methodology (Stage 7 of 7).
Install: `npx claudepluginhub florianbuetow/claude-code --plugin appsec`

This skill uses the workspace's default tool permissions.
Produce business-weighted risk scores by combining Stage 6 exploitability with Stage 1 business impact. Deliver a prioritized remediation roadmap balancing risk reduction against effort. This is the final PASTA stage.
Read ../../shared/schemas/flags.md for the full flag specification. Key behaviors:
| Flag | Stage 7 Behavior |
|---|---|
--scope | Inherits from prior stages. Synthesizes all prior outputs. |
--depth quick | Top 5 risk-ranked findings with one-line mitigations only. |
--depth standard | Full risk scoring, mitigation roadmap, and compliance mapping. |
--depth deep | Standard + residual risk assessment, systemic issues, cost-benefit per mitigation. |
--depth expert | Deep + executive summary, quantified risk, formal compliance gap report. |
--severity | Filter final output to findings at or above the threshold. |
--format md | Standalone markdown report for stakeholder distribution. |
--fix | Chain into fix mode for highest-priority findings. |
Read ../../shared/frameworks/pasta.md, Stage 7 section. PASTA is SEQUENTIAL.
Stage 7 consumes all prior stage outputs to produce the final deliverable.
Required: Stage 6 output (attack scenarios, DREAD scores, detection gaps). Also needs business assets and compliance requirements (Stage 1), entry points (Stage 2), components (Stage 3), threats (Stage 4), and vulnerabilities (Stage 5). If any of these are unavailable, warn the user and state the assumptions made in their place.
Risk Score = Exploitability (DREAD score from Stage 6, 1-10) x Business Impact (1-10), giving a composite score from 1 to 100. Rate business impact against the Stage 1 assets on this scale:
| Impact Level | Score | Criteria |
|---|---|---|
| Critical | 9-10 | Regulatory breach, massive financial loss, existential threat |
| High | 7-8 | Significant data breach, major outage, legal liability |
| Medium | 4-6 | Limited exposure, partial degradation, reputational harm |
| Low | 1-3 | Minor disclosure, negligible business effect |
Order findings by composite risk score, descending. Break ties in this order: compliance implications (findings that violate a regulatory control rank higher), attack complexity (simpler ranks higher), then detection coverage (undetectable ranks higher).
| Effort | Definition | Timeline |
|---|---|---|
| Quick win | Single file change, config update, dependency bump | Same day |
| Short-term | Targeted code changes, new middleware or control | 1-2 sprints |
| Long-term | Architectural change, new service, framework migration | Quarterly |
Prioritize mitigations by risk reduction per unit of effort. Call out any single mitigation that resolves multiple findings; it delivers the most reduction for its effort and belongs early in the roadmap.
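The scoring, ranking and roadmap rules above, applied to a small set of constructed findings. This is an added example, not code from the pasta-risk skill or the appsec plugin. It assumes things the skill does not specify: DREAD exploitability is the mean of the five DREAD components, the three effort buckets carry relative costs of 1, 3 and 8, each finding carries an estimated fraction of risk left after its mitigation, and one mitigation may resolve several findings. The field names, the `Finding` class and the sample findings are all invented for illustration.

```python
"""Added example, not part of the pasta-risk skill: apply the Stage 7 scoring,
ranking and roadmap rules to constructed findings.

Assumptions (not specified by the skill): DREAD exploitability is the mean of
the five DREAD components; effort buckets carry relative costs of 1/3/8; each
finding carries an estimated fraction of risk that remains after its
mitigation; one mitigation may resolve several findings.
"""
from dataclasses import dataclass

# Relative cost per effort bucket from the Stage 7 effort table (assumed weights).
EFFORT_COST = {"Quick win": 1, "Short-term": 3, "Long-term": 8}


@dataclass
class Finding:
    id: str                 # PASTA-NNN
    title: str
    dread: dict             # Stage 6 DREAD components, each 1-10
    business_impact: int    # Stage 1 impact level, 1-10
    compliance: bool        # violates a Stage 1 regulatory control
    attack_complexity: int  # lower is simpler to execute
    detected: bool          # Stage 6 reports detection coverage for it
    effort: str             # key of EFFORT_COST
    mitigation: str         # proposed control; shared across findings it resolves
    residual: float         # assumed fraction of risk left after mitigation


def exploitability(f: Finding) -> float:
    """DREAD score on a 1-10 scale: mean of the five components."""
    return sum(f.dread.values()) / len(f.dread)


def risk_score(f: Finding) -> float:
    """Risk Score = Exploitability (1-10) x Business Impact (1-10)."""
    return round(exploitability(f) * f.business_impact, 1)


def rank_findings(findings):
    """Descending risk score; ties broken by compliance impact, then simpler
    attack, then missing detection (each of those ranks higher)."""
    return sorted(findings, key=lambda f: (
        -risk_score(f), not f.compliance, f.attack_complexity, f.detected))


def finding_row(rank: int, f: Finding) -> str:
    """One row of the Risk-Ranked Findings table in the Stage 7 report."""
    return (f"| {rank} | {f.id} | {f.title} | {risk_score(f)} | "
            f"{exploitability(f):.1f} | {f.business_impact} | {f.effort} |")


def roadmap(findings):
    """Group findings by mitigation and order mitigations by risk reduction
    per unit of effort, so a control that closes several findings rises."""
    groups = {}
    for f in findings:
        groups.setdefault(f.mitigation, []).append(f)
    rows = []
    for mitigation, group in groups.items():
        # A shared mitigation costs as much as its most expensive finding's bucket.
        effort = max((f.effort for f in group), key=EFFORT_COST.get)
        reduction = round(sum(risk_score(f) * (1 - f.residual) for f in group), 2)
        rows.append({
            "mitigation": mitigation,
            "findings": [f.id for f in group],
            "risk_reduction": reduction,
            "effort": effort,
            "reduction_per_effort": round(reduction / EFFORT_COST[effort], 2),
        })
    return sorted(rows, key=lambda r: -r["reduction_per_effort"])


# Constructed findings for illustration only; not from any real assessment.
FINDINGS = [
    Finding("PASTA-001", "SQL injection in search",
            {"D": 9, "R": 10, "E": 9, "A": 9, "Di": 8}, 9, True, 1, False,
            "Quick win", "Parameterize search queries", 0.1),
    Finding("PASTA-002", "No rate limit on login",
            {"D": 7, "R": 9, "E": 8, "A": 6, "Di": 9}, 6, False, 2, True,
            "Short-term", "Rate-limit authentication endpoints in shared middleware", 0.2),
    Finding("PASTA-003", "Stack traces in error pages",
            {"D": 3, "R": 10, "E": 9, "A": 5, "Di": 10}, 3, False, 1, True,
            "Quick win", "Disable debug error pages in production config", 0.0),
    Finding("PASTA-004", "No rate limit on password reset",
            {"D": 9, "R": 8, "E": 7, "A": 9, "Di": 6}, 6, True, 2, False,
            "Short-term", "Rate-limit authentication endpoints in shared middleware", 0.2),
]

if __name__ == "__main__":
    for rank, f in enumerate(rank_findings(FINDINGS), start=1):
        print(finding_row(rank, f))
    for row in roadmap(FINDINGS):
        print(row)
```

Two things worth noticing in the output: PASTA-002 and PASTA-004 tie at 46.8, and the compliance tie-breaker puts PASTA-004 first; and the short-term rate-limiting middleware outranks the debug-page quick win in the roadmap because it retires two findings at once, which is exactly the "mitigation resolving multiple findings" the skill asks you to surface.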
Compliance mapping: cross-reference each finding with the Stage 1 compliance requirements. State which findings violate a regulatory control, which would be flagged in an audit, what remediation timelines the regulation mandates, and what documentation is needed.
Residual risk, after the proposed mitigations: what risk remains, what must be formally accepted and by whom, what compensating controls exist, and what monitoring is needed.
Executive summary, written for non-technical readers: overall posture, top 3 immediate actions, phased effort estimate, compliance status and regulatory exposure.
Stage 7 produces the Final PASTA Report. ID prefix: PASTA (e.g., PASTA-001).
## PASTA Stage 7: Risk & Impact Analysis
### Executive Summary
**Risk Posture**: [Critical / High / Moderate / Low]
[2-3 sentence summary]
**Immediate Actions**: [N] | **Total Findings**: [N] (X critical, Y high, Z medium)
**Effort**: [quick wins: N, short-term: N, long-term: N]
### Risk-Ranked Findings
| Rank | ID | Finding | Risk Score | Exploitability | Business Impact | Effort |
|------|-------|---------|-----------|---------------|----------------|--------|
| 1 | PASTA-001 | SQL injection in search | 81 | 9.0 | 9 (breach) | Quick win |
### Remediation Roadmap
#### Quick Wins (Immediate)
| Finding | Mitigation | Risk Reduction | Effort |
|---------|-----------|---------------|--------|
#### Short-Term (1-2 Sprints)
| Finding | Mitigation | Risk Reduction | Effort |
|---------|-----------|---------------|--------|
#### Long-Term (Quarterly)
| Finding | Mitigation | Risk Reduction | Effort |
|---------|-----------|---------------|--------|
### Compliance Gaps
| Regulation | Requirement | Finding | Status | Deadline |
|-----------|------------|---------|--------|----------|
### Residual Risk
| Risk | After Mitigation | Compensating Controls | Accepted |
|------|-----------------|----------------------|----------|
Findings follow ../../shared/schemas/findings.md with:
- `dread`: DREAD scoring from Stage 6
- `references.cwe`: from Stage 5
- `references.owasp`: OWASP mapping
- `references.mitre_attck`: from Stage 4
- `metadata.tool`: "pasta-risk", `metadata.framework`: "pasta", `metadata.category`: "Stage-7"

This is the final PASTA stage. The output is the complete threat model deliverable: actionable, prioritized, and tied to business value. Track remediation progress and schedule periodic reassessment as the application evolves.