Security architecture design — threat modeling, zero trust, identity, encryption, compliance. Use when the user asks to "design security architecture", "model threats", "implement zero trust", "design IAM", "plan encryption strategy", "map compliance requirements", or mentions STRIDE, OWASP, OAuth, RBAC, SOC2, ISO27001, PCI-DSS.
From maonpx claudepluginhub javimontano/mao-discovery-frameworkThis skill is limited to using the following tools:
examples/README.mdexamples/sample-output.htmlexamples/sample-output.mdprompts/metaprompts.mdprompts/use-case-prompts.mdreferences/body-of-knowledge.mdreferences/knowledge-graph.mmdreferences/security-frameworks.mdreferences/state-of-the-art.mdConducts market research, competitive analysis, investor diligence, and tech scans with sourced findings, contrarian views, and decision recommendations.
Builds Manim animations for technical concepts, graphs, system diagrams, and product walkthroughs. Activates for precise animated explainers instead of talking-head scripts.
Resolves freight exceptions including delays, damages, losses, and carrier disputes via classification workflows, escalation protocols, claims filing, and carrier-specific strategies.
Security architecture defines how systems protect data, verify identity, enforce access, and maintain compliance across the entire technology stack. The skill produces comprehensive security designs covering threat modeling, zero trust implementation, identity management, data protection, application security pipelines, and compliance mapping.
La seguridad que depende de un perímetro ya fue comprometida. Zero Trust no es un producto — es una filosofía de diseño. Threat modeling antes de diseñar, compliance como piso mínimo no techo máximo, y cada decisión de seguridad documentada antes de implementar.
The user provides a system or organization name as $ARGUMENTS. Parse $1 as the system/organization name used throughout all output artifacts.
Parameters:
{MODO}: piloto-auto (default) | desatendido | supervisado | paso-a-paso
{FORMATO}: markdown (default) | html | dual{VARIANTE}: ejecutiva (~40% — S1 threat model + S2 zero trust + S6 compliance) | técnica (full 6 sections, default)All deliverables map to the six NIST CSF 2.0 functions:
| Function | Focus | Key categories |
|---|---|---|
| Govern (new in 2.0) | Cybersecurity risk governance, strategy, supply chain risk | GV.OC (context), GV.RM (risk management), GV.SC (supply chain) |
| Identify | Asset management, risk assessment, improvement | ID.AM, ID.RA, ID.IM |
| Protect | Access control, awareness, data security, platform security | PR.AA, PR.AT, PR.DS, PR.PS |
| Detect | Continuous monitoring, adverse event analysis | DE.CM, DE.AE |
| Respond | Incident management, analysis, mitigation, reporting | RS.MA, RS.AN, RS.MI |
| Recover | Recovery execution, communication | RC.RP, RC.CO |
Use the Govern function to ensure security architecture has executive sponsorship and integrates into enterprise risk management. CSF 2.0 explicitly addresses supply chain security, zero trust, and AI-related risks.
Before generating architecture, detect the technology context:
!find . -name "*.tf" -o -name "Dockerfile" -o -name "*.yaml" -o -name "auth*" -o -name "security*" | head -20
If reference materials exist, load them:
Read ${CLAUDE_SKILL_DIR}/references/security-frameworks.md
Systematically identify threats using structured methodologies applied to the system's architecture.
Methodology selection:
Process:
Attacker profiles: External anonymous, authenticated user, malicious insider, supply chain compromise
Design identity-centric security that assumes no implicit trust regardless of network location.
Core principles: Verify explicitly, least privilege access, assume breach.
NIST SP 800-207 + SP 1800-35 Implementation Patterns:
Zero Trust Maturity Model:
| Level | Scope | Controls | Timeline |
|---|---|---|---|
| Crawl | Perimeter + identity | MFA everywhere, network segmentation, centralized IdP | 0-6 months |
| Walk | Micro-segmentation | Service mesh mTLS, per-service auth policies, device trust | 6-18 months |
| Run | Continuous adaptive trust | Real-time risk scoring, behavioral analytics, just-in-time access | 18-36 months |
Key decisions:
Design authentication, authorization, and secret management for human and machine identities.
Authentication: OAuth 2.0 / OIDC for user flows, client credentials for S2S, WebAuthn/FIDO2 for passwordless MFA: TOTP/WebAuthn for users, certificate-based for services, risk-based triggers SSO: Centralized IdP, federation with external IdPs (SAML, OIDC) Service identity: Workload identity (SPIFFE/SPIRE), short-lived certificates, zero long-lived secrets Secret management: HashiCorp Vault, AWS Secrets Manager. Rotation: 90 days for credentials, on-demand for incident.
Authorization Model Selection:
| Model | Granularity | Complexity | Best for |
|---|---|---|---|
| RBAC | Role-level | Low | Simple hierarchies, <20 roles |
| ABAC | Attribute-level | High | Multi-tenant, data-level access, regulatory |
| ReBAC | Relationship-level | Medium | Social graphs, document sharing (Google Zanzibar) |
Token decisions: JWT (stateless, verifiable, larger) vs. opaque (requires introspection, revocable). Use JWT for S2S, opaque for user sessions needing immediate revocation.
Design encryption, key management, and data loss prevention across the data lifecycle.
Encryption at rest: Database TDE, filesystem encryption, backup encryption — AES-256 minimum Encryption in transit: TLS 1.3 everywhere, certificate management (ACME/Let's Encrypt), certificate pinning for mobile Key management: Cloud KMS or HSM-backed. Key hierarchy: master key -> data encryption keys. Rotation: annual for master, monthly for DEKs. Tokenization: Replace sensitive data with non-reversible tokens for analytics and testing Data masking: Dynamic masking in non-prod environments, role-based visibility
Data Classification and Handling:
| Class | Examples | Encryption | Access | Retention |
|---|---|---|---|---|
| Restricted | PII, PHI, payment cards | At rest + in transit, customer-managed keys | Named individuals only | Minimum required by law |
| Confidential | Business plans, source code | At rest + in transit | Role-based | Per policy |
| Internal | Org communications | In transit | All employees | 1-3 years |
| Public | Marketing, docs | In transit (integrity) | Anyone | Indefinite |
Integrate security testing into the development lifecycle.
Shift-Left Cost Multiplier:
| Phase | Fix cost | Implication |
|---|---|---|
| Design (threat model) | 1x | Highest ROI — invest here |
| Code (SAST, code review) | 6x | Catch before merge |
| Testing (DAST, pen test) | 15x | Catch before release |
| Production (incident) | 100x | Most expensive, reputational damage |
Security pipeline:
Supply Chain Security (SLSA + SBOM):
| SLSA Level | Requirements | Effort |
|---|---|---|
| Level 1 | Build provenance (document the build process) | Low — start here |
| Level 2 | Hosted build service, signed provenance | Medium |
| Level 3 | Hardened builds, non-falsifiable provenance | High — when compliance requires |
SBOM format choice:
RASP (Runtime Application Self-Protection): Instrument runtime to detect/block SQL injection, deserialization, path traversal from inside the application. Complement WAF with runtime visibility for high-value applications.
Security Champions Program:
Map regulatory frameworks to technical controls with evidence collection and continuous compliance.
Compliance Framework Mapping Table:
| Control Area | SOC 2 (TSC) | ISO 27001 (Annex A) | PCI-DSS 4.0 | HIPAA | GDPR |
|---|---|---|---|---|---|
| Access control | CC6.1-CC6.3 | A.9 | Req 7-8 | 164.312(a) | Art 32 |
| Encryption | CC6.1, CC6.7 | A.10 | Req 3-4 | 164.312(a)(2)(iv) | Art 32 |
| Logging/monitoring | CC7.1-CC7.3 | A.12.4 | Req 10 | 164.312(b) | Art 30 |
| Incident response | CC7.4-CC7.5 | A.16 | Req 12.10 | 164.308(a)(6) | Art 33-34 |
| Vendor management | CC9.2 | A.15 | Req 12.8 | 164.308(b) | Art 28 |
| Change management | CC8.1 | A.14 | Req 6 | 164.308(a)(1) | — |
Control matrix: Framework requirement -> technical control -> evidence source -> testing frequency Continuous compliance: Automated policy checks (OPA, Cloud Custodian), drift detection Tooling: Vanta, Drata for automated evidence collection; manual for complex controls Audit readiness: Evidence repository, control owner assignments, pre-audit checklists
| Decision | Enables | Constrains | When to Use |
|---|---|---|---|
| Zero trust everywhere | Strong posture, lateral movement prevention | Implementation complexity, latency overhead | Regulated industries, high-value targets |
| RBAC only | Simple to implement and audit | Coarse-grained, role explosion at scale | Small teams, simple authorization |
| ABAC policies | Fine-grained, context-aware | Complex policy management | Multi-tenant, data-level access, regulatory |
| Customer-managed keys | Customer control, compliance enabler | Ops complexity on customer side | Data sovereignty, regulated customers |
| Automated compliance | Continuous assurance, audit efficiency | Tool cost, false positives | SOC 2, ISO 27001, PCI-DSS environments |
| Security champions | Distributed awareness, faster reviews | Training investment, time split | Scaling security beyond dedicated team |
Greenfield System: Design security from day one. Embed threat modeling in architecture review. Choose IdP and encryption strategy before first deployment.
Legacy System with No Security Architecture: Start with threat model of current state. Prioritize: auth/authz gaps, data encryption, dependency vulnerabilities. Phase improvements aligned with existing roadmap.
Multi-Tenant SaaS: Tenant isolation is paramount. Data-level access control, tenant-scoped encryption keys, per-tenant audit logging. Test for cross-tenant data leakage explicitly.
Regulated Industry (Finance, Health): Compliance drives architecture. Map every control to framework requirement. Budget for audit prep and external assessments. Encryption and access logging are non-negotiable.
Acquisitions / Mergers: Multiple identity systems, inconsistent security postures. Prioritize identity federation, network segmentation between entities, unified compliance reporting.
Before finalizing delivery, verify:
graph TD
subgraph Core
SA[Security Architecture]
end
subgraph Inputs
I1[System Architecture / DFDs] --> SA
I2[Regulatory Requirements] --> SA
I3[Existing Security Controls] --> SA
I4[Identity Infrastructure] --> SA
end
subgraph Outputs
SA --> O1[Threat Model - STRIDE/PASTA]
SA --> O2[Zero Trust Design]
SA --> O3[IAM Architecture]
SA --> O4[Data Protection Strategy]
SA --> O5[AppSec Pipeline]
SA --> O6[Compliance Control Matrix]
end
subgraph Related Skills
RS1[devsecops-architecture] -.-> SA
RS2[infrastructure-architecture] -.-> SA
RS3[software-architecture] -.-> SA
RS4[cloud-native-architecture] -.-> SA
RS5[data-governance] -.-> SA
end
Formato MD (default):
# Security Architecture: {system_name}
## S1: Threat Modeling
### DFDs | Attack Surface | STRIDE Enumeration | Risk Scoring | Mitigations
## S2: Zero Trust Architecture
### NIST 800-207 | Micro-Segmentation | mTLS | Maturity Model
## S3: Identity & Access Management
### AuthN (OAuth/OIDC/FIDO2) | AuthZ (RBAC/ABAC/ReBAC) | Secret Management
## S4: Data Protection
### Encryption at Rest/Transit | Key Management | Classification | Masking
## S5: Application Security
### SAST/DAST/SCA | SLSA/SBOM | RASP | Security Champions
## S6: Compliance & Audit
### Framework Mapping (SOC2/ISO27001/PCI-DSS/HIPAA/GDPR) | Evidence | Continuous Compliance
Formato XLSX: Matriz de controles de seguridad: filas por framework regulatorio (SOC2, ISO27001, PCI-DSS, HIPAA, GDPR), columnas por area de control, con estado de implementacion, evidencia requerida, owner, y frecuencia de testing. Incluye hoja de threat model con scoring de riesgo.
{fase}_security_architecture_{cliente}_{WIP}.docx{fase}_security_architecture_{cliente}_{WIP}.html{fase}_security_architecture_{cliente}_{WIP}.pptx| Dimension | Peso | Criterio (7/10 minimo) |
|---|---|---|
| Trigger Accuracy | 10% | Se activa ante keywords de security architecture, threat modeling, zero trust, IAM, compliance; no ante pen testing |
| Completeness | 25% | Las 6 secciones cubren threat model, zero trust, IAM, data protection, appsec, y compliance con mappings |
| Clarity | 20% | Maturity model tiene niveles claros (crawl/walk/run); compliance mapping es framework-a-control especifico |
| Robustness | 20% | Edge cases (greenfield, legacy, multi-tenant, regulado, M&A) tienen estrategia de adopcion definida |
| Efficiency | 10% | Variante ejecutiva entrega threat model + zero trust + compliance en ~40% sin perder rigor |
| Value Density | 15% | Cada seccion produce controles implementables: policies, configurations, pipeline stages, control matrices |
Umbral minimo: 7/10 en cada dimension. Composite ponderado >= 7.0 para considerar el output aceptable.
| Format | Default | Description |
|---|---|---|
markdown | Yes | Rich Markdown + Mermaid diagrams. Token-efficient. |
html | On demand | Branded HTML (Design System). Visual impact. |
dual | On demand | Both formats. |
Default output is Markdown with embedded Mermaid diagrams. HTML generation requires explicit {FORMATO}=html parameter.
Primary: A-01_Security_Architecture.html — Executive summary, threat model, zero trust design, IAM architecture, data protection strategy, application security pipeline, compliance control matrix.
Secondary: Threat model diagrams (DFD), control matrix spreadsheet, compliance gap analysis, secret rotation runbook.
Autor: Javier Montaño | Última actualización: 12 de marzo de 2026