Conducts structured threat modeling using OWASP Four-Question Framework and STRIDE. Generates threat matrices with risk ratings, mitigations, prioritization for attack surface analysis and security architecture reviews.
Install with `npx claudepluginhub rjmurillo/ai-agents`. This skill uses the workspace's default tool permissions.
Systematic identification, documentation, and mitigation of security threats.
Bundled files:
- references/advanced-analysis.md
- references/risk-rating-guide.md
- references/security-defense-in-depth.md
- references/security-least-privilege.md
- references/security-owasp-top-10.md
- references/security-zero-trust.md
- references/stride-methodology.md
- scripts/generate_mitigation_roadmap.py
- scripts/generate_threat_matrix.py
- scripts/validate_threat_model.py
- templates/threat-model-template.md
| Phrase | Context |
|---|---|
| threat model | Starting or updating a threat model |
| attack surface analysis | Identifying exposure points |
| security architecture review | Reviewing design for vulnerabilities |
| STRIDE analysis | Applying STRIDE methodology |
| what can go wrong | Brainstorming security concerns |
| Input | Output | Destination |
|---|---|---|
| Architecture diagram or description | Threat matrix with STRIDE categories | .agents/security/threat-models/ |
| Component list | Trust boundary analysis | .agents/security/threat-models/ |
| Data flow description | Data flow diagram threats | .agents/security/threat-models/ |
| Prior threat model | Updated model with delta analysis | .agents/security/threat-models/ |
```text
OWASP Four-Question Framework
=============================

Q1: What are we     Q2: What can        Q3: What do we      Q4: Did we do
    working on?         go wrong?           do about it?        a good job?
      |                   |                   |                   |
      v                   v                   v                   v
+-----------+       +-----------+       +-----------+       +-----------+
|  Phase 1  |       |  Phase 2  |       |  Phase 3  |       |  Phase 4  |
|  Scope &  | ----> |  Threat   | ----> | Mitigation| ----> | Validate  |
| Decompose |       | Identify  |       | Strategy  |       |  Model    |
+-----------+       +-----------+       +-----------+       +-----------+
      |                   |                   |                   |
      v                   v                   v                   v
Trust Boundaries    STRIDE Matrix       Prioritized         Threat Model
Data Flows          Kill Chains         Mitigations         Document
Assets              Attack Trees        Risk Ratings
```
Use this skill when:
Use security-detection instead when:
Use pre-mortem instead when:
OWASP Q1: What are we working on?
Determine what you are threat modeling:
| Scope Level | Examples | Typical Depth |
|---|---|---|
| Sprint | Single feature, API endpoint | 1-2 hours |
| Component | Auth module, payment service | Half day |
| System | Entire application | 1-2 days |
| Enterprise | Multiple systems | Multi-day workshop |
Document scope in the threat model header:

```markdown
## Scope
- **Subject**: [Feature/Component/System name]
- **Boundaries**: [What is IN scope and OUT of scope]
- **Stakeholders**: [Who requested, who will review]
- **Date**: [When analysis performed]
- **Version**: [Model version for tracking changes]
```
Choose appropriate diagram type:
| Diagram Type | Best For | Tools |
|---|---|---|
| Data Flow Diagram (DFD) | Most threat models | Mermaid, draw.io |
| Component Diagram | Service boundaries | Mermaid, PlantUML |
| Sequence Diagram | Auth/data flows | Mermaid |
| Deployment Diagram | Infrastructure threats | Mermaid |
Required DFD Elements:

```text
+----------+    HTTPS     +----------+     SQL      +----------+
| External | -----------> | Process  | -----------> |   Data   |
|  Entity  |              |          |              |  Store   |
+----------+              +----------+              +----------+
                               |                          |
                               |      Trust Boundary      |
                               +--------------------------+
```
List what attackers want:
| Asset Category | Examples |
|---|---|
| Data | PII, credentials, financial, health |
| Compute | CPU cycles, storage, network bandwidth |
| Access | Admin privileges, API keys, tokens |
| Reputation | Brand trust, user confidence |
| Availability | Service uptime, response time |
Identify where privilege levels change:
OWASP Q2: What can go wrong?
For each element in your diagram, apply STRIDE:
| Category | Definition | Applies To | Example Questions |
|---|---|---|---|
| Spoofing | Pretending to be someone or something else | External entities, processes | Can an attacker impersonate a user or a service? |
| Tampering | Modifying data or code | Processes, data stores, data flows | Can data be modified in transit or at rest? |
| Repudiation | Denying an action | External entities, processes, data stores holding audit data | Can users deny performing actions? Can the evidence be altered? |
| Info Disclosure | Exposing information to someone not authorized to see it | Processes, data stores, data flows | Can sensitive data leak? |
| Denial of Service | Making a service unavailable or degraded | Processes, data stores, data flows | Can resources be exhausted? |
| Elevation of Privilege | Gaining capabilities without authorization | Processes | Can a user escalate privileges? |

STRIDE Applicability Matrix (STRIDE-per-element; "(X)" marks repudiation for data stores that hold logs or other audit evidence):

| Element Type | S | T | R | I | D | E |
|---|---|---|---|---|---|---|
| External Entity | X | | X | | | |
| Process | X | X | X | X | X | X |
| Data Store | | X | (X) | X | X | |
| Data Flow | | X | | X | X | |
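The applicability matrix can be applied mechanically to a DFD before any judgement about likelihood or impact is made. The following is an added example, not code from the ai-agents repository or its generate_threat_matrix.py: it assumes a small element/flow model of the login example used later on this page, uses the STRIDE-per-element chart, and lists flows that cross a trust boundary first because that is where privilege changes. Element names, trust zones and protocols are constructed for illustration.

```python
"""STRIDE-per-element candidate threats for a small data flow diagram.

Added example; not code from the ai-agents repository or its scripts.
The element kinds, the applicability matrix (STRIDE-per-element) and
the sample DFD below are assumptions made for illustration.
"""
from dataclasses import dataclass

# STRIDE categories that apply to each DFD element kind.
# Repudiation is added to a data store only when it holds audit evidence.
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TID",
    "data_flow": "TID",
}

CATEGORY_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str            # key of STRIDE_PER_ELEMENT
    zone: str            # trust zone; a flow between zones crosses a boundary
    audit: bool = False  # data store that holds logs / audit records


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str


def applicable_categories(element: Element) -> str:
    cats = STRIDE_PER_ELEMENT[element.kind]
    if element.kind == "data_store" and element.audit:
        cats = cats.replace("T", "TR")  # tampering with evidence enables repudiation
    return cats


def enumerate_threats(elements, flows):
    """One candidate threat per (element, applicable category).

    Flows that cross a trust boundary are listed first: that is where
    privilege changes and where analysis time is best spent.
    """
    by_name = {e.name: e for e in elements}
    threats = []
    for e in elements:
        for cat in applicable_categories(e):
            threats.append({"element": e.name, "category": cat,
                            "threat": f"{CATEGORY_NAMES[cat]} of {e.name}",
                            "crosses_boundary": False})
    for f in flows:
        crosses = by_name[f.src].zone != by_name[f.dst].zone
        label = f"{f.src} -> {f.dst} ({f.protocol})"
        for cat in STRIDE_PER_ELEMENT["data_flow"]:
            threats.append({"element": label, "category": cat,
                            "threat": f"{CATEGORY_NAMES[cat]} on {label}",
                            "crosses_boundary": crosses})
    threats.sort(key=lambda t: not t["crosses_boundary"])  # stable: boundary-crossing first
    for i, t in enumerate(threats, 1):
        t["id"] = f"T{i:03d}"
    return threats


def render_matrix(threats):
    """Emit rows in this page's threat-matrix layout; ratings are left to the analyst."""
    lines = ["| ID | Element | STRIDE | Threat | Likelihood | Impact | Risk |",
             "|----|---------|--------|--------|------------|--------|------|"]
    for t in threats:
        flag = " (crosses trust boundary)" if t["crosses_boundary"] else ""
        lines.append(f"| {t['id']} | {t['element']} | {t['category']} | "
                     f"{t['threat']}{flag} | TBD | TBD | TBD |")
    return "\n".join(lines)


# Constructed sample DFD for the login flow used in this page's examples.
SAMPLE_ELEMENTS = [
    Element("Browser", "external_entity", "internet"),
    Element("Login API", "process", "app"),
    Element("Session Store", "data_store", "app"),
    Element("Audit Log", "data_store", "app", audit=True),
]
SAMPLE_FLOWS = [
    Flow("Browser", "Login API", "HTTPS"),
    Flow("Login API", "Session Store", "Redis"),
    Flow("Login API", "Audit Log", "append"),
]
SAMPLE_THREATS = enumerate_threats(SAMPLE_ELEMENTS, SAMPLE_FLOWS)

if __name__ == "__main__":
    print(render_matrix(SAMPLE_THREATS))
```

The output is a starting matrix, not a finished one: every generated row still needs a concrete threat description, a likelihood and an impact, and rows that make no sense for the system should be deleted with a one-line justification rather than left to pad the document.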
Use the generate script to create a structured matrix:
```bash
python .claude/skills/threat-modeling/scripts/generate_threat_matrix.py \
  --scope "Authentication Service" \
  --output .agents/security/threat-models/auth-threats.md
```
Manual Format:
```markdown
## Threat Matrix
| ID | Element | STRIDE | Threat | Likelihood | Impact | Risk |
|----|---------|--------|--------|------------|--------|------|
| T001 | Login API | S | Credential stuffing | High | High | Critical |
| T002 | Session Store | T | Session fixation | Medium | High | High |
| T003 | Audit Log | R | Log tampering | Low | Medium | Low |
```

The Risk column must follow from the Likelihood and Impact columns using the matrix in Q3 (Low likelihood with Medium impact is Low, not Medium); a rating that cannot be reproduced from the other two columns is a finding for the validation step.
For complex threats, use advanced techniques like attack trees and kill chains. See references/advanced-analysis.md.
OWASP Q3: What are we going to do about it?
Calculate risk for prioritization:
Risk = Likelihood x Impact

Likelihood scale:
- High (3): exploitable with public tools, no authentication required
- Medium (2): requires some skill or access
- Low (1): requires significant effort or insider access

Impact scale:
- High (3): data breach, system compromise, regulatory violation
- Medium (2): limited data exposure, service degradation
- Low (1): minor inconvenience, no sensitive data

The product ranges from 1 to 9 and maps onto four bands: 9 is Critical, 6 is High, 3 to 4 is Medium, 1 to 2 is Low.

Risk Matrix:

| | Impact: Low | Impact: Medium | Impact: High |
|---|---|---|---|
| High Likelihood | Medium | High | Critical |
| Medium Likelihood | Low | Medium | High |
| Low Likelihood | Low | Low | Medium |
| Strategy | When to Use | Example |
|---|---|---|
| Mitigate | Risk can be reduced to acceptable level | Add input validation |
| Accept | Cost of mitigation exceeds risk | Low-impact, unlikely threat |
| Transfer | Someone else can manage risk better | Cyber insurance, third-party service |
| Eliminate | Remove the vulnerable component | Drop unused feature |
For each threat, document:
```markdown
### T001: Credential Stuffing on Login API
**Risk**: Critical (High Likelihood x High Impact)
**Mitigations**:
1. **Implement rate limiting** (Mitigate)
   - Max 5 attempts per IP per minute
   - Progressive delays after failures
   - Status: Planned for Sprint 23
2. **Add CAPTCHA after failures** (Mitigate)
   - Trigger after 3 failed attempts
   - Status: In progress
3. **Enable MFA** (Mitigate)
   - TOTP or WebAuthn
   - Status: Blocked on product decision
**Residual Risk**: Medium (after mitigations applied)
```

Per-IP limits alone are weak against credential stuffing, which is usually spread across many source addresses; per-account throttling and screening submitted passwords against known-breached credential lists close that gap, and the residual risk should be stated for the mitigations that are actually in place, not the ones still planned.
```bash
python .claude/skills/threat-modeling/scripts/generate_mitigation_roadmap.py \
  --input .agents/security/threat-models/auth-threats.md \
  --output .agents/security/threat-models/auth-roadmap.md
```
OWASP Q4: Did we do a good job?
Run the validation script:
```bash
python .claude/skills/threat-modeling/scripts/validate_threat_model.py \
  .agents/security/threat-models/auth-threats.md
```
Validation Checks:
Request review from:
Threat models are living documents. Update when:
| Script | Purpose | Usage |
|---|---|---|
| generate_threat_matrix.py | Create structured threat matrix | python scripts/generate_threat_matrix.py --scope "Name" --output path.md |
| generate_mitigation_roadmap.py | Create prioritized roadmap | python scripts/generate_mitigation_roadmap.py --input threats.md --output roadmap.md |
| validate_threat_model.py | Validate model completeness | python scripts/validate_threat_model.py <model.md> |
| Code | Meaning |
|---|---|
| 0 | Success / Validation passed |
| 1 | General failure |
| 10 | Validation failed (missing required elements) |
Use the template at: templates/threat-model-template.md
```markdown
### T{NNN}: {Threat Title}
**Element**: {Component name from DFD}
**STRIDE**: {S/T/R/I/D/E}
**Description**: {What the threat is}
**Attack Scenario**:
1. Attacker does X
2. System responds with Y
3. Attacker achieves Z
**Likelihood**: {High/Medium/Low} - {Justification}
**Impact**: {High/Medium/Low} - {Justification}
**Risk**: {Critical/High/Medium/Low}
**Mitigations**:
- [ ] {Mitigation 1} - {Status}
- [ ] {Mitigation 2} - {Status}
**Residual Risk**: {After mitigations}
**References**: {CVEs, OWASP links, etc.}
```
| Agent | Relationship |
|---|---|
| security | Invoke for detailed vulnerability analysis |
| architect | Review threat model during design |
| analyst | Research specific attack patterns |
| qa | Include threat scenarios in test strategy |
Query Forgetful memory for prior threat models:
```
mcp__forgetful__execute_forgetful_tool("query_memory", {
  "query": "threat model authentication",
  "query_context": "Finding prior security analysis"
})
```
Store threat model summaries:
```
mcp__forgetful__execute_forgetful_tool("create_memory", {
  "title": "Auth Service Threat Model Summary",
  "content": "Key threats: credential stuffing, session hijacking...",
  "context": "Security analysis Q1 2026",
  "keywords": ["threat-model", "authentication", "STRIDE"],
  "tags": ["security"],
  "importance": 8,
  "project_ids": [1]
})
```
| Avoid | Why | Instead |
|---|---|---|
| Threat model once and forget | Security landscape evolves | Schedule regular updates |
| Skip trust boundary analysis | Miss privilege escalation paths | Always map boundaries first |
| Generic threats only | Not actionable | Be specific to your system |
| No risk ratings | Cannot prioritize | Rate every threat |
| Mitigations without owners | Never implemented | Assign owners and deadlines |
| Copy-paste from templates | Miss system-specific threats | Use templates as starting points |
| Criterion | Verification |
|---|---|
| All components have threats | Validation script check |
| All STRIDE categories considered | Validation script check |
| All Critical/High risks have mitigations | Validation script check |
| Risk ratings consistent | Manual review |
| Peer review completed | Stakeholder sign-off |
```bash
python .claude/skills/threat-modeling/scripts/validate_threat_model.py <model.md>
```
Exit code 0 indicates a valid, complete threat model.
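As an added example (not the repository's validate_threat_model.py), the following script applies the Likelihood x Impact matrix from Q3 and the verification criteria above to a constructed threat-model document: it recomputes each row's risk band, flags rows whose stated Risk disagrees with the matrix, requires a mitigation entry for every Critical or High threat, checks that every in-scope element has at least one threat and that all six STRIDE letters were applied, and returns the exit codes from the table above (0 pass, 10 validation failed). The parsing rules for the table and the `### Txxx:` sections, and the list of required elements, are assumptions made for this example.

```python
"""Risk rating and completeness checks for a threat-model markdown file.

Added example; it mirrors the checks described on this page but is not
the repository's validate_threat_model.py. Scales, risk bands and exit
codes are the ones the page gives; the document parsing rules and the
sample below are assumptions made for illustration.
"""
import re

LIKELIHOOD = {"High": 3, "Medium": 2, "Low": 1}
IMPACT = {"High": 3, "Medium": 2, "Low": 1}
COLUMNS = ("id", "element", "stride", "threat", "likelihood", "impact", "risk")


def rate(likelihood: str, impact: str) -> str:
    """Likelihood x Impact mapped onto the page's 3x3 risk matrix."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score >= 9:
        return "Critical"   # High x High
    if score >= 6:
        return "High"       # High x Medium, Medium x High
    if score >= 3:
        return "Medium"     # product of 3 or 4
    return "Low"            # product of 1 or 2


def parse_matrix(doc: str) -> list:
    """Rows of the '| ID | Element | STRIDE | ... |' table, keyed by column name."""
    rows = []
    for line in doc.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == len(COLUMNS) and re.fullmatch(r"T\d{3}", cells[0]):
            rows.append(dict(zip(COLUMNS, cells)))
    return rows


def parse_mitigations(doc: str) -> dict:
    """Count of mitigation entries ('1. ...' or '- [ ] ...') under each '### Txxx:' heading."""
    parts = re.split(r"(?m)^### (T\d{3})[^\n]*\n", doc)  # [pre, id, body, id, body, ...]
    entry = re.compile(r"(?m)^\s*(?:- \[[ x]\]|\d+\.)\s+\S")
    return {parts[i]: len(entry.findall(parts[i + 1])) for i in range(1, len(parts), 2)}


def validate(doc: str, required_elements: list) -> tuple:
    """Return (exit_code, findings): 0 when the model passes, 10 when it does not."""
    rows = parse_matrix(doc)
    mitigations = parse_mitigations(doc)
    findings = []

    covered = {r["element"] for r in rows}
    for element in required_elements:
        if element not in covered:
            findings.append(f"{element}: no threats recorded")

    unused = sorted(set("STRIDE") - {r["stride"] for r in rows})
    if unused:
        findings.append("STRIDE categories never applied: " + ", ".join(unused))

    for r in rows:
        expected = rate(r["likelihood"], r["impact"])
        if r["risk"] != expected:
            findings.append(f"{r['id']}: risk {r['risk']} but matrix gives {expected}")
        if expected in ("Critical", "High") and mitigations.get(r["id"], 0) == 0:
            findings.append(f"{r['id']}: {expected} risk with no mitigation")

    return (0 if not findings else 10), findings


# Constructed sample: T004 is mis-rated and T002 has no mitigation section.
SAMPLE_DOC = """\
## Threat Matrix

| ID | Element | STRIDE | Threat | Likelihood | Impact | Risk |
|----|---------|--------|--------|------------|--------|------|
| T001 | Login API | S | Credential stuffing | High | High | Critical |
| T002 | Session Store | T | Session fixation | Medium | High | High |
| T003 | Audit Log | R | Log tampering | Low | Medium | Low |
| T004 | Login API | I | Error text reveals valid usernames | Medium | Medium | High |

## Mitigations

### T001: Credential Stuffing on Login API
**Risk**: Critical (High Likelihood x High Impact)
**Mitigations**:
1. **Implement rate limiting** (Mitigate)
2. **Enable MFA** (Mitigate)
"""
SAMPLE_REQUIRED = ["Login API", "Session Store", "Audit Log", "Password Reset"]

if __name__ == "__main__":
    code, findings = validate(SAMPLE_DOC, SAMPLE_REQUIRED)
    print("\n".join(findings) or "validation passed")
    raise SystemExit(code)
```

The list of required elements is the one input the document cannot supply for itself: it has to come from the DFD produced in Q1, otherwise a model that silently omits a component passes every check.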
| Extension | How to Add |
|---|---|
| Custom STRIDE questions | Add to references/stride-methodology.md |
| New risk rating methodology | Add to references/risk-rating-guide.md |
| Additional threat categories | Extend STRIDE sections in template |
| Custom validation rules | Modify validate_threat_model.py |
| Integration with SAST tools | Add script in scripts/ |
| Skill | Relationship |
|---|---|
| security-detection | Triggers threat model review on sensitive file changes |
| codeql-scan | Validates code against identified threats |
| adr-review | Security agent reviews architecture decisions |