This skill should be used when the user asks to "design security architecture", "model threats", "implement zero trust", "design IAM", "plan encryption strategy", "map compliance requirements", or mentions STRIDE, OWASP, OAuth, RBAC, SOC2, ISO27001, PCI-DSS, or zero trust. Designs comprehensive security architecture covering threat modeling, zero trust implementation, identity management, data protection, application security pipelines, and compliance mapping. Use this skill whenever security controls or compliance need to be designed or evaluated, even if they don't explicitly ask for "security-architecture". [EXPLICIT]
From jm-adknpx claudepluginhub javimontano/jm-adk-alfaThis skill is limited to using the following tools:
agents/guardian.mdagents/lead.mdagents/specialist.mdagents/support.mdevals/evals.jsonknowledge/body-of-knowledge.mdknowledge/knowledge-graph.mdprompts/meta.mdprompts/primary.mdprompts/variations/deep.mdprompts/variations/quick.mdreferences/security-frameworks.mdtemplates/output.docx.mdtemplates/output.htmlSearches prompts.chat for AI prompt templates by keyword or category, retrieves by ID with variable handling, and improves prompts via AI. Use for discovering or enhancing prompts.
Searches, retrieves, and installs Agent Skills from prompts.chat registry using MCP tools like search_skills and get_skill. Activates for finding skills, browsing catalogs, or extending Claude.
Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.
Security architecture defines how systems protect data, verify identity, enforce access, and maintain compliance across the entire technology stack. The skill produces comprehensive security designs covering threat modeling, zero trust implementation, identity management, data protection, application security pipelines, and compliance mapping. [EXPLICIT]
La seguridad que depende de un perímetro ya fue comprometida. Zero Trust no es un producto — es una filosofía de diseño. Threat modeling antes de diseñar, compliance como piso mínimo no techo máximo, y cada decisión de seguridad documentada antes de implementar.
The user provides a system or organization name as $ARGUMENTS. Parse $1 as the system/organization name used throughout all output artifacts. [EXPLICIT]
Parameters:
{MODO}: piloto-auto (default) | desatendido | supervisado | paso-a-paso
{FORMATO}: markdown (default) | html | dual{VARIANTE}: ejecutiva (~40% — S1 threat model + S2 zero trust + S6 compliance) | técnica (full 6 sections, default)All deliverables map to the six NIST CSF 2.0 functions:
| Function | Focus | Key categories |
|---|---|---|
| Govern (new in 2.0) | Cybersecurity risk governance, strategy, supply chain risk | GV.OC (context), GV.RM (risk management), GV.SC (supply chain) |
| Identify | Asset management, risk assessment, improvement | ID.AM, ID.RA, ID.IM |
| Protect | Access control, awareness, data security, platform security | PR.AA, PR.AT, PR.DS, PR.PS |
| Detect | Continuous monitoring, adverse event analysis | DE.CM, DE.AE |
| Respond | Incident management, analysis, mitigation, reporting | RS.MA, RS.AN, RS.MI |
| Recover | Recovery execution, communication | RC.RP, RC.CO |
Use the Govern function to ensure security architecture has executive sponsorship and integrates into enterprise risk management. CSF 2.0 explicitly addresses supply chain security, zero trust, and AI-related risks. [EXPLICIT]
Before generating architecture, detect the technology context:
!find . -name "*.tf" -o -name "Dockerfile" -o -name "*.yaml" -o -name "auth*" -o -name "security*" | head -20
If reference materials exist, load them:
Read ${CLAUDE_SKILL_DIR}/references/security-frameworks.md
Systematically identify threats using structured methodologies applied to the system's architecture. [EXPLICIT]
Methodology selection:
Process:
Attacker profiles: External anonymous, authenticated user, malicious insider, supply chain compromise
Design identity-centric security that assumes no implicit trust regardless of network location. [EXPLICIT]
Core principles: Verify explicitly, least privilege access, assume breach.
NIST SP 800-207 + SP 1800-35 Implementation Patterns:
Zero Trust Maturity Model:
| Level | Scope | Controls | Timeline |
|---|---|---|---|
| Crawl | Perimeter + identity | MFA everywhere, network segmentation, centralized IdP | 0-6 months |
| Walk | Micro-segmentation | Service mesh mTLS, per-service auth policies, device trust | 6-18 months |
| Run | Continuous adaptive trust | Real-time risk scoring, behavioral analytics, just-in-time access | 18-36 months |
Key decisions:
Design authentication, authorization, and secret management for human and machine identities. [EXPLICIT]
Authentication: OAuth 2.0 / OIDC for user flows, client credentials for S2S, WebAuthn/FIDO2 for passwordless MFA: TOTP/WebAuthn for users, certificate-based for services, risk-based triggers SSO: Centralized IdP, federation with external IdPs (SAML, OIDC) Service identity: Workload identity (SPIFFE/SPIRE), short-lived certificates, zero long-lived secrets Secret management: HashiCorp Vault, AWS Secrets Manager. Rotation: 90 days for credentials, on-demand for incident.
Authorization Model Selection:
| Model | Granularity | Complexity | Best for |
|---|---|---|---|
| RBAC | Role-level | Low | Simple hierarchies, <20 roles |
| ABAC | Attribute-level | High | Multi-tenant, data-level access, regulatory |
| ReBAC | Relationship-level | Medium | Social graphs, document sharing (Google Zanzibar) |
Token decisions: JWT (stateless, verifiable, larger) vs. opaque (requires introspection, revocable). Use JWT for S2S, opaque for user sessions needing immediate revocation.
Design encryption, key management, and data loss prevention across the data lifecycle. [EXPLICIT]
Encryption at rest: Database TDE, filesystem encryption, backup encryption — AES-256 minimum Encryption in transit: TLS 1.3 everywhere, certificate management (ACME/Let's Encrypt), certificate pinning for mobile Key management: Cloud KMS or HSM-backed. Key hierarchy: master key -> data encryption keys. Rotation: annual for master, monthly for DEKs. Tokenization: Replace sensitive data with non-reversible tokens for analytics and testing Data masking: Dynamic masking in non-prod environments, role-based visibility
Data Classification and Handling:
| Class | Examples | Encryption | Access | Retention |
|---|---|---|---|---|
| Restricted | PII, PHI, payment cards | At rest + in transit, customer-managed keys | Named individuals only | Minimum required by law |
| Confidential | Business plans, source code | At rest + in transit | Role-based | Per policy |
| Internal | Org communications | In transit | All employees | 1-3 years |
| Public | Marketing, docs | In transit (integrity) | Anyone | Indefinite |
Integrate security testing into the development lifecycle. [EXPLICIT]
Shift-Left Cost Multiplier:
| Phase | Fix cost | Implication |
|---|---|---|
| Design (threat model) | 1x | Highest ROI — invest here |
| Code (SAST, code review) | 6x | Catch before merge |
| Testing (DAST, pen test) | 15x | Catch before release |
| Production (incident) | 100x | Most expensive, reputational damage |
Security pipeline:
Supply Chain Security (SLSA + SBOM):
| SLSA Level | Requirements | Effort |
|---|---|---|
| Level 1 | Build provenance (document the build process) | Low — start here |
| Level 2 | Hosted build service, signed provenance | Medium |
| Level 3 | Hardened builds, non-falsifiable provenance | High — when compliance requires |
SBOM format choice:
RASP (Runtime Application Self-Protection): Instrument runtime to detect/block SQL injection, deserialization, path traversal from inside the application. Complement WAF with runtime visibility for high-value applications.
Security Champions Program:
Map regulatory frameworks to technical controls with evidence collection and continuous compliance. [EXPLICIT]
Compliance Framework Mapping Table:
| Control Area | SOC 2 (TSC) | ISO 27001 (Annex A) | PCI-DSS 4.0 | HIPAA | GDPR |
|---|---|---|---|---|---|
| Access control | CC6.1-CC6.3 | A.9 | Req 7-8 | 164.312(a) | Art 32 |
| Encryption | CC6.1, CC6.7 | A.10 | Req 3-4 | 164.312(a)(2)(iv) | Art 32 |
| Logging/monitoring | CC7.1-CC7.3 | A.12.4 | Req 10 | 164.312(b) | Art 30 |
| Incident response | CC7.4-CC7.5 | A.16 | Req 12.10 | 164.308(a)(6) | Art 33-34 |
| Vendor management | CC9.2 | A.15 | Req 12.8 | 164.308(b) | Art 28 |
| Change management | CC8.1 | A.14 | Req 6 | 164.308(a)(1) | — |
Control matrix: Framework requirement -> technical control -> evidence source -> testing frequency Continuous compliance: Automated policy checks (OPA, Cloud Custodian), drift detection Tooling: Vanta, Drata for automated evidence collection; manual for complex controls Audit readiness: Evidence repository, control owner assignments, pre-audit checklists
| Decision | Enables | Constrains | When to Use |
|---|---|---|---|
| Zero trust everywhere | Strong posture, lateral movement prevention | Implementation complexity, latency overhead | Regulated industries, high-value targets |
| RBAC only | Simple to implement and audit | Coarse-grained, role explosion at scale | Small teams, simple authorization |
| ABAC policies | Fine-grained, context-aware | Complex policy management | Multi-tenant, data-level access, regulatory |
| Customer-managed keys | Customer control, compliance enabler | Ops complexity on customer side | Data sovereignty, regulated customers |
| Automated compliance | Continuous assurance, audit efficiency | Tool cost, false positives | SOC 2, ISO 27001, PCI-DSS environments |
| Security champions | Distributed awareness, faster reviews | Training investment, time split | Scaling security beyond dedicated team |
Greenfield System: Design security from day one. Embed threat modeling in architecture review. Choose IdP and encryption strategy before first deployment.
Legacy System with No Security Architecture: Start with threat model of current state. Prioritize: auth/authz gaps, data encryption, dependency vulnerabilities. Phase improvements aligned with existing roadmap.
Multi-Tenant SaaS: Tenant isolation is paramount. Data-level access control, tenant-scoped encryption keys, per-tenant audit logging. Test for cross-tenant data leakage explicitly.
Regulated Industry (Finance, Health): Compliance drives architecture. Map every control to framework requirement. Budget for audit prep and external assessments. Encryption and access logging are non-negotiable.
Acquisitions / Mergers: Multiple identity systems, inconsistent security postures. Prioritize identity federation, network segmentation between entities, unified compliance reporting.
Before finalizing delivery, verify:
| Format | Default | Description |
|---|---|---|
markdown | ✅ | Rich Markdown + Mermaid diagrams. Token-efficient. |
html | On demand | Branded HTML (Design System). Visual impact. |
dual | On demand | Both formats. |
Default output is Markdown with embedded Mermaid diagrams. HTML generation requires explicit {FORMATO}=html parameter. [EXPLICIT]
Primary: A-01_Security_Architecture.html — Executive summary, threat model, zero trust design, IAM architecture, data protection strategy, application security pipeline, compliance control matrix.
Secondary: Threat model diagrams (DFD), control matrix spreadsheet, compliance gap analysis, secret rotation runbook.
Author: Javier Montano | Last updated: March 18, 2026