Structured security analysis using OWASP Four-Question Framework and STRIDE methodology. Generates threat matrices with risk ratings, mitigations, and prioritization. Use for attack surface analysis, security architecture review, or when asking what can go wrong.
/plugin marketplace add rjmurillo/ai-agents
/plugin install project-toolkit@ai-agents
This skill inherits all available tools. When active, it can use any tool Claude has access to.
Systematic identification, documentation, and mitigation of security threats.
| Phrase | Context |
|---|---|
| threat model | Starting or updating a threat model |
| attack surface analysis | Identifying exposure points |
| security architecture review | Reviewing design for vulnerabilities |
| STRIDE analysis | Applying STRIDE methodology |
| what can go wrong | Brainstorming security concerns |
| Input | Output | Destination |
|---|---|---|
| Architecture diagram or description | Threat matrix with STRIDE categories | .agents/security/threat-models/ |
| Component list | Trust boundary analysis | .agents/security/threat-models/ |
| Data flow description | Data flow diagram threats | .agents/security/threat-models/ |
| Prior threat model | Updated model with delta analysis | .agents/security/threat-models/ |
OWASP Four-Question Framework
=============================
Q1: What are we       Q2: What can           Q3: What do we       Q4: Did we do
working on?           go wrong?              do about it?         a good job?
      |                     |                      |                   |
      v                     v                      v                   v
+-----------+         +------------+         +-----------+        +----------+
|  Phase 1  |         |  Phase 2   |         |  Phase 3  |        | Phase 4  |
|  Scope &  | ------> |   Threat   | ------> | Mitigation| -----> | Validate |
| Decompose |         |  Identify  |         |  Strategy |        |  Model   |
+-----------+         +------------+         +-----------+        +----------+
      |                     |                      |                   |
      v                     v                      v                   v
Trust Boundaries      STRIDE Matrix          Prioritized          Threat Model
Data Flows            Kill Chains            Mitigations          Document
Assets                Attack Trees           Risk Ratings
Use this skill when:
Use security-detection instead when:
Use pre-mortem instead when:
OWASP Q1: What are we working on?
Determine what you are threat modeling:
| Scope Level | Examples | Typical Depth |
|---|---|---|
| Sprint | Single feature, API endpoint | 1-2 hours |
| Component | Auth module, payment service | Half day |
| System | Entire application | 1-2 days |
| Enterprise | Multiple systems | Multi-day workshop |
Document scope in the threat model header:
## Scope
- **Subject**: [Feature/Component/System name]
- **Boundaries**: [What is IN scope and OUT of scope]
- **Stakeholders**: [Who requested, who will review]
- **Date**: [When analysis performed]
- **Version**: [Model version for tracking changes]
Choose appropriate diagram type:
| Diagram Type | Best For | Tools |
|---|---|---|
| Data Flow Diagram (DFD) | Most threat models | Mermaid, draw.io |
| Component Diagram | Service boundaries | Mermaid, PlantUML |
| Sequence Diagram | Auth/data flows | Mermaid |
| Deployment Diagram | Infrastructure threats | Mermaid |
Required DFD Elements:
+----------+     HTTPS      +----------+      SQL      +----------+
| External | -------------> | Process  | ------------> |   Data   |
|  Entity  |                |          |               |  Store   |
+----------+                +----------+               +----------+
                   |                            |
                   |       Trust Boundary       |
                   +----------------------------+
List what attackers want:
| Asset Category | Examples |
|---|---|
| Data | PII, credentials, financial, health |
| Compute | CPU cycles, storage, network bandwidth |
| Access | Admin privileges, API keys, tokens |
| Reputation | Brand trust, user confidence |
| Availability | Service uptime, response time |
Identify where privilege levels change:
OWASP Q2: What can go wrong?
For each element in your diagram, apply STRIDE:
| Category | Definition | Applies To | Example Questions |
|---|---|---|---|
| Spoofing | Pretending to be someone or something else | External entities, processes | Can an attacker impersonate a user or a service? |
| Tampering | Modifying data or code | Processes, data stores, data flows | Can data be modified in transit or at rest? |
| Repudiation | Denying an action | External entities, processes, data stores (logs) | Can users deny performing actions? |
| Info Disclosure | Exposing information | Processes, data stores, data flows | Can sensitive data leak? |
| Denial of Service | Making a service unavailable | Processes, data stores, data flows | Can resources be exhausted? |
| Elevation of Privilege | Gaining capability without authorization | Processes | Can users escalate privileges? |
STRIDE Applicability Matrix (STRIDE-per-element):
| Element Type | S | T | R | I | D | E |
|---|---|---|---|---|---|---|
| External Entity | X | | X | | | |
| Process | X | X | X | X | X | X |
| Data Store | | X | X* | X | X | |
| Data Flow | | X | | X | X | |
* Repudiation applies to a data store when it holds logs or audit records.
Use the generate script to create a structured matrix:
python .claude/skills/threat-modeling/scripts/generate_threat_matrix.py \
--scope "Authentication Service" \
--output .agents/security/threat-models/auth-threats.md
Manual Format:
## Threat Matrix
| ID | Element | STRIDE | Threat | Likelihood | Impact | Risk |
|----|---------|--------|--------|------------|--------|------|
| T001 | Login API | S | Credential stuffing | High | High | Critical |
| T002 | Session Store | T | Session fixation | Medium | High | High |
| T003 | Audit Log | R | Log tampering | Low | Medium | Low |
For complex threats, use advanced techniques like attack trees and kill chains. See references/advanced-analysis.md.
OWASP Q3: What are we going to do about it?
Calculate risk for prioritization:
Risk = Likelihood x Impact
Likelihood Scale:
High (3) = Exploitable with public tools, no auth required
Medium (2) = Requires some skill or access
Low (1) = Requires significant effort or insider access
Impact Scale:
High (3) = Data breach, system compromise, regulatory violation
Medium (2) = Limited data exposure, service degradation
Low (1) = Minor inconvenience, no sensitive data
Risk Matrix:
| | Impact: Low | Impact: Medium | Impact: High |
|---|---|---|---|
| High Likelihood | Medium | High | Critical |
| Medium Likelihood | Low | Medium | High |
| Low Likelihood | Low | Low | Medium |
| Strategy | When to Use | Example |
|---|---|---|
| Mitigate | Risk can be reduced to acceptable level | Add input validation |
| Accept | Cost of mitigation exceeds risk | Low-impact, unlikely threat |
| Transfer | Someone else can manage risk better | Cyber insurance, third-party service |
| Eliminate | Remove the vulnerable component | Drop unused feature |
For each threat, document:
### T001: Credential Stuffing on Login API
**Risk**: Critical (High Likelihood x High Impact)
**Mitigations**:
1. **Implement rate limiting** (Mitigate)
- Max 5 attempts per IP per minute
- Progressive delays after failures
- Status: Planned for Sprint 23
2. **Add CAPTCHA after failures** (Mitigate)
- Trigger after 3 failed attempts
- Status: In progress
3. **Enable MFA** (Mitigate)
- TOTP or WebAuthn
- Status: Blocked on product decision
**Residual Risk**: Medium (after mitigations applied)
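The three T001 mitigations above are concrete enough to implement. The following Python is an added example, not code from the project: a per-IP sliding window of 5 attempts per minute, a progressive delay after each consecutive failure, and a CAPTCHA requirement once 3 consecutive failures have been recorded. The doubling delay schedule starting at 1 s is an assumption (the page fixes no values), the clock is injectable so the scenario in simulate() runs deterministically, and the IP address is a constructed documentation address.

```python
"""Illustrative implementation of the T001 mitigations above (added example, not the
project's code): a per-IP sliding window of 5 attempts per minute, a progressive delay
after each consecutive failure, and a CAPTCHA requirement after 3 consecutive failures.
The doubling delay schedule starting at 1 s is an assumption; the page fixes no values."""
import time
from collections import defaultdict, deque
from typing import NamedTuple

WINDOW_SECONDS = 60.0
MAX_ATTEMPTS_PER_WINDOW = 5     # "Max 5 attempts per IP per minute"
CAPTCHA_AFTER_FAILURES = 3      # "Trigger after 3 failed attempts"
BASE_DELAY_SECONDS = 1.0        # assumed: 1 s, 2 s, 4 s, ... per consecutive failure


class Decision(NamedTuple):
    allowed: bool           # may this attempt proceed to password verification?
    captcha_required: bool  # must the client solve a CAPTCHA first?
    retry_after: float      # seconds to wait when not allowed (0.0 otherwise)


class LoginThrottle:
    def __init__(self, clock=time.monotonic):
        self._clock = clock                   # injectable for deterministic tests
        self._attempts = defaultdict(deque)   # ip -> timestamps of attempts in the window
        self._failures = defaultdict(int)     # ip -> consecutive failed attempts
        self._last_failure = {}               # ip -> timestamp of the last failure

    @staticmethod
    def _delay(failures: int) -> float:
        """Progressive delay that doubles with each consecutive failure."""
        return BASE_DELAY_SECONDS * 2 ** (failures - 1) if failures else 0.0

    def check(self, ip: str) -> Decision:
        """Call before authenticating to decide whether the attempt may proceed."""
        now = self._clock()
        window = self._attempts[ip]
        while window and now - window[0] >= WINDOW_SECONDS:   # expire old attempts
            window.popleft()
        failures = self._failures[ip]
        captcha = failures >= CAPTCHA_AFTER_FAILURES
        if len(window) >= MAX_ATTEMPTS_PER_WINDOW:            # rate limit hit
            return Decision(False, captcha, WINDOW_SECONDS - (now - window[0]))
        if failures and (since := now - self._last_failure[ip]) < self._delay(failures):
            return Decision(False, captcha, self._delay(failures) - since)   # still in back-off
        return Decision(True, captcha, 0.0)

    def record(self, ip: str, success: bool) -> None:
        """Call after authentication with its outcome; a success clears the back-off."""
        now = self._clock()
        self._attempts[ip].append(now)
        if success:
            self._failures[ip] = 0
            self._last_failure.pop(ip, None)
        else:
            self._failures[ip] += 1
            self._last_failure[ip] = now


def simulate() -> dict:
    """Constructed scenario for one source IP; returns {t: Decision} per probe time."""
    clock = [0.0]
    throttle = LoginThrottle(clock=lambda: clock[0])
    ip = "203.0.113.7"   # constructed documentation address
    # (time, outcome): False = wrong password, True = correct, None = probe only
    script = [(0, False), (10, False), (20, False), (30, False), (31, None),
              (40, False), (50, None), (61, True), (62, None)]
    decisions = {}
    for t, outcome in script:
        clock[0] = float(t)
        decisions[t] = d = throttle.check(ip)
        if d.allowed and outcome is not None:
            throttle.record(ip, outcome)
    return decisions


if __name__ == "__main__":
    for t, d in simulate().items():
        print(f"t={t:>3}s allowed={d.allowed!s:<5} captcha={d.captcha_required!s:<5} retry_after={d.retry_after}")
```

In the scenario, the fourth attempt is allowed but requires a CAPTCHA, the probe one second after it is refused by the back-off, the probe at 50 s is refused by the per-minute window, and a successful login clears the back-off but not the window. A per-IP limit is bypassed by spreading attempts across many source addresses, which is how credential stuffing is normally run; it raises the attacker's cost rather than removing the threat, which is why the residual rating above still depends on MFA.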
python .claude/skills/threat-modeling/scripts/generate_mitigation_roadmap.py \
--input .agents/security/threat-models/auth-threats.md \
--output .agents/security/threat-models/auth-roadmap.md
OWASP Q4: Did we do a good job?
Run the validation script:
python .claude/skills/threat-modeling/scripts/validate_threat_model.py \
.agents/security/threat-models/auth-threats.md
Validation Checks:
Request review from:
Threat models are living documents. Update when:
| Script | Purpose | Usage |
|---|---|---|
| generate_threat_matrix.py | Create structured threat matrix | python scripts/generate_threat_matrix.py --scope "Name" --output path.md |
| generate_mitigation_roadmap.py | Create prioritized roadmap | python scripts/generate_mitigation_roadmap.py --input threats.md --output roadmap.md |
| validate_threat_model.py | Validate model completeness | python scripts/validate_threat_model.py <model.md> |
| Code | Meaning |
|---|---|
| 0 | Success / Validation passed |
| 1 | General failure |
| 10 | Validation failed (missing required elements) |
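The following Python is an added illustration of what such a validator does, not the skill's own validate_threat_model.py. It parses a threat matrix written in the Manual Format shown under Q2, recomputes each rating from the Q3 scale (High=3, Medium=2, Low=1, Risk = Likelihood x Impact), checks STRIDE-per-element applicability (spoofing applies to external entities and processes, tampering to processes, stores and flows, and so on), requires at least one mitigation line for every Critical or High threat, and returns the exit codes from the table above. The DFD inventory (ELEMENTS) and the sample model text, including its T002 and T003 rows, are constructed for the example and deliberately contain defects for the checks to find.

```python
"""Illustrative validator for the Manual Format threat matrix (added example, not
the skill's validate_threat_model.py). Checks STRIDE-per-element applicability,
Risk = Likelihood x Impact consistency and mitigation coverage for Critical/High
threats, then maps the result onto the exit codes above (0 pass, 10 failed)."""
import re
import sys
from dataclasses import dataclass

SCALE = {"Low": 1, "Medium": 2, "High": 3}   # Q3 likelihood/impact scale
# STRIDE-per-element; repudiation on a data store is the log/audit-record case.
APPLICABLE = {"external entity": set("SR"), "process": set("STRIDE"),
              "data store": set("TRID"), "data flow": set("TID")}
# Hypothetical DFD inventory (constructed): element name -> element type.
ELEMENTS = {"Browser": "external entity", "Login API": "process",
            "Session Store": "data store", "Audit Log": "data store"}
# Constructed sample in the Manual Format, seeded with one inapplicable STRIDE
# category (T002), one inconsistent rating (T003: Low x Medium is Low, not
# Medium) and one High-risk threat with no mitigation lines (T002).
SAMPLE_MODEL = """\
## Threat Matrix

| ID | Element | STRIDE | Threat | Likelihood | Impact | Risk |
|----|---------|--------|--------|------------|--------|------|
| T001 | Login API | S | Credential stuffing | High | High | Critical |
| T002 | Session Store | S | Forged session identifier | Medium | High | High |
| T003 | Audit Log | R | Log tampering | Low | Medium | Medium |

### T001: Credential Stuffing on Login API
**Mitigations**:
1. **Implement rate limiting** (Mitigate)
2. **Enable MFA** (Mitigate)
**Residual Risk**: Medium

### T002: Forged session identifier
**Mitigations**:
**Residual Risk**: High
"""
ROW_RE = re.compile(r"^\|\s*(T\d{3})\s*\|(.*)\|\s*$")   # matrix data row
HEADING_RE = re.compile(r"^###\s+(T\d{3}):")             # per-threat section
LIST_ITEM_RE = re.compile(r"^\s*(\d+\.|-)\s+\S")         # "1. ..." or "- [ ] ..."

@dataclass
class Threat:
    tid: str
    element: str
    stride: str
    title: str
    likelihood: str
    impact: str
    risk: str
    mitigations: int = 0   # mitigation list items found under the ### heading

def risk_rating(likelihood: str, impact: str) -> str:
    """Risk = Likelihood x Impact (1..9) mapped onto the page's four levels."""
    score = SCALE[likelihood] * SCALE[impact]
    return "Critical" if score >= 9 else "High" if score >= 6 else "Medium" if score >= 3 else "Low"

def parse_model(text: str) -> list:
    """Read matrix rows, then count mitigation items under each ### Txxx section."""
    threats, current, in_mitigations = {}, None, False
    for line in text.splitlines():
        if row := ROW_RE.match(line):
            cells = [c.strip() for c in row.group(2).split("|")]   # six cells expected
            threats[row.group(1)] = Threat(row.group(1), *cells)
        elif heading := HEADING_RE.match(line):
            current, in_mitigations = threats.get(heading.group(1)), False
        elif line.startswith("**Mitigations**"):
            in_mitigations = True
        elif line.startswith("**"):   # another field, e.g. **Residual Risk**
            in_mitigations = False
        elif in_mitigations and current and LIST_ITEM_RE.match(line):
            current.mitigations += 1
    return list(threats.values())

def validate(threats: list, elements: dict) -> list:
    """Return one finding per failed check; an empty list means the model passes."""
    covered = {t.element for t in threats}
    findings = [f"{n}: no threats recorded for this element" for n in elements if n not in covered]
    for t in threats:
        etype = elements.get(t.element)
        if etype is None:
            findings.append(f"{t.tid}: element {t.element!r} is not in the DFD inventory")
        elif t.stride not in APPLICABLE[etype]:
            findings.append(f"{t.tid}: STRIDE {t.stride} does not apply to a {etype}")
        expected = risk_rating(t.likelihood, t.impact)
        if t.risk != expected:
            findings.append(f"{t.tid}: Risk {t.risk} inconsistent with {t.likelihood} x {t.impact} = {expected}")
        if expected in ("Critical", "High") and t.mitigations == 0:
            findings.append(f"{t.tid}: {expected} risk has no mitigations")
    return findings

def exit_code(findings: list) -> int:
    return 0 if not findings else 10   # exit codes from the table above

if __name__ == "__main__":
    result = validate(parse_model(SAMPLE_MODEL), ELEMENTS)
    print("\n".join(f"FAIL {f}" for f in result) or "Validation passed")
    sys.exit(exit_code(result))
```

Run against the constructed sample it reports four findings and exits 10: the Browser entity has no threats, T002 applies Spoofing to a data store, T002 is High with no mitigations, and T003's stated Medium does not match Low x Medium. A malformed row raises an exception, which exits 1, matching the general-failure code in the table.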
Use the template at: templates/threat-model-template.md
### T{NNN}: {Threat Title}
**Element**: {Component name from DFD}
**STRIDE**: {S/T/R/I/D/E}
**Description**: {What the threat is}
**Attack Scenario**:
1. Attacker does X
2. System responds with Y
3. Attacker achieves Z
**Likelihood**: {High/Medium/Low} - {Justification}
**Impact**: {High/Medium/Low} - {Justification}
**Risk**: {Critical/High/Medium/Low}
**Mitigations**:
- [ ] {Mitigation 1} - {Status}
- [ ] {Mitigation 2} - {Status}
**Residual Risk**: {After mitigations}
**References**: {CVEs, OWASP links, etc.}
| Agent | Relationship |
|---|---|
| security | Invoke for detailed vulnerability analysis |
| architect | Review threat model during design |
| analyst | Research specific attack patterns |
| qa | Include threat scenarios in test strategy |
Query Forgetful memory for prior threat models:
mcp__forgetful__execute_forgetful_tool("query_memory", {
"query": "threat model authentication",
"query_context": "Finding prior security analysis"
})
Store threat model summaries:
mcp__forgetful__execute_forgetful_tool("create_memory", {
"title": "Auth Service Threat Model Summary",
"content": "Key threats: credential stuffing, session hijacking...",
"context": "Security analysis Q1 2026",
"keywords": ["threat-model", "authentication", "STRIDE"],
"tags": ["security"],
"importance": 8,
"project_ids": [1]
})
| Avoid | Why | Instead |
|---|---|---|
| Threat model once and forget | Security landscape evolves | Schedule regular updates |
| Skip trust boundary analysis | Miss privilege escalation paths | Always map boundaries first |
| Generic threats only | Not actionable | Be specific to your system |
| No risk ratings | Cannot prioritize | Rate every threat |
| Mitigations without owners | Never implemented | Assign owners and deadlines |
| Copy-paste from templates | Miss system-specific threats | Use templates as starting points |
| Criterion | Verification |
|---|---|
| All components have threats | Validation script check |
| All STRIDE categories considered | Validation script check |
| All Critical/High risks have mitigations | Validation script check |
| Risk ratings consistent | Manual review |
| Peer review completed | Stakeholder sign-off |
python .claude/skills/threat-modeling/scripts/validate_threat_model.py <model.md>
Exit code 0 indicates a valid, complete threat model.
| Extension | How to Add |
|---|---|
| Custom STRIDE questions | Add to references/stride-methodology.md |
| New risk rating methodology | Add to references/risk-rating-guide.md |
| Additional threat categories | Extend STRIDE sections in template |
| Custom validation rules | Modify validate_threat_model.py |
| Integration with SAST tools | Add script in scripts/ |
| Skill | Relationship |
|---|---|
| security-detection | Triggers threat model review on sensitive file changes |
| codeql-scan | Validates code against identified threats |
| adr-review | Security agent reviews architecture decisions |