Skill

threat-identification

Systematically identify threats from threat libraries, historical CVEs, and attacker tactics. Use when augmenting STRIDE analysis with known threats from MITRE ATT&CK, CWE, or your industry.

From threat-modeling

Install

Run in your terminal

npx claudepluginhub sethdford/claude-skills --plugin security-threat-modeling

Tool Access

This skill uses the workspace's default tool permissions.

Skill Content

Similar Skills

agent-payment-x402

Enables AI agents to execute x402 payments with per-task budgets, spending controls, and non-custodial wallets via MCP tools. Use when agents pay for APIs, services, or other agents.

ecc

140.7k

agent-harness-construction

Designs and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.

ecc

140.7k

agent-eval

Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.

ecc

140.7k

Stats

Parent Repo Stars3

Parent Repo Forks0

Last CommitMar 11, 2026

Actions

View Source View Plugin View on GitHub View README

Domain Context

MITRE ATT&CK Framework: Adversary Tactics, Techniques, and Procedures (TTPs) used across attack lifecycle (reconnaissance, weaponization, delivery, exploitation, C2, exfiltration, impact)

CWE/CVE: Common Weakness Enumeration (software defects) and Common Vulnerabilities & Exploits (specific instances); identify if your stack has known CWEs

Industry-Specific Threats: Payment processing (PCI-related), healthcare (HIPAA/HITECH), financial services (insider trading, fraud), cloud (misconfiguration, privilege escalation)

Historical Attack Chains: Map how real attacks combined TTPs; e.g., phishing → credential theft → lateral movement → data exfiltration

Instructions

Profile the Attacker: Consider attacker types (external opportunists, organized crime, nation-state, insiders). Tailor threat identification to likely adversaries.

Reference MITRE ATT&CK: Browse the tactic-technique matrix for your industry/platform. Identify which tactics are relevant (e.g., cloud services are vulnerable to "Defense Evasion" via misconfiguration; web apps to "Execution" via injection).

Cross-Reference CWE/CVE: Check if your tech stack (languages, frameworks, libraries) has known CWEs. Identify high-impact vulnerabilities (e.g., SQL injection, SSRF, XXE for your platform).

Add Industry Threats: Incorporate threats specific to your vertical (e.g., retail: payment card theft; SaaS: multi-tenant data leakage; cloud: overprivileged IAM roles).

Document Attack Chains: For high-risk scenarios, map multi-step attacks (e.g., "phishing → credentials → MFA bypass → cloud admin access → data exfiltration").

Connect to STRIDE & Assets: Link each threat back to STRIDE categories and specific assets (databases, keys, APIs, user data).

Anti-Patterns

Using threat libraries as a generic checklist; every threat must connect to your specific architecture, assets, and attack surface

Ignoring insider threats because "we trust our employees"; disgruntled employees, contractor misconduct, and social engineering inside are real vectors

Focusing only on external attacks; supply chain compromise, third-party access, and cloud service misconfigurations are harder to detect

Treating all threats equally; some CVEs are pre-auth remote code execution; others are post-auth denial of service — prioritize accordingly

Skipping the "how" when listing threats; "SQL injection" is not a threat; "attacker injects SQL to exfiltrate customer PII from order table" is actionable

Domain Context

MITRE ATT&CK Framework: Adversary Tactics, Techniques, and Procedures (TTPs) used across attack lifecycle (reconnaissance, weaponization, delivery, exploitation, C2, exfiltration, impact)

CWE/CVE: Common Weakness Enumeration (software defects) and Common Vulnerabilities & Exploits (specific instances); identify if your stack has known CWEs

Industry-Specific Threats: Payment processing (PCI-related), healthcare (HIPAA/HITECH), financial services (insider trading, fraud), cloud (misconfiguration, privilege escalation)

Historical Attack Chains: Map how real attacks combined TTPs; e.g., phishing → credential theft → lateral movement → data exfiltration

Instructions

Profile the Attacker: Consider attacker types (external opportunists, organized crime, nation-state, insiders). Tailor threat identification to likely adversaries.

Cross-Reference CWE/CVE: Check if your tech stack (languages, frameworks, libraries) has known CWEs. Identify high-impact vulnerabilities (e.g., SQL injection, SSRF, XXE for your platform).

Add Industry Threats: Incorporate threats specific to your vertical (e.g., retail: payment card theft; SaaS: multi-tenant data leakage; cloud: overprivileged IAM roles).

Document Attack Chains: For high-risk scenarios, map multi-step attacks (e.g., "phishing → credentials → MFA bypass → cloud admin access → data exfiltration").

Connect to STRIDE & Assets: Link each threat back to STRIDE categories and specific assets (databases, keys, APIs, user data).

Anti-Patterns

Using threat libraries as a generic checklist; every threat must connect to your specific architecture, assets, and attack surface

Ignoring insider threats because "we trust our employees"; disgruntled employees, contractor misconduct, and social engineering inside are real vectors

Focusing only on external attacks; supply chain compromise, third-party access, and cloud service misconfigurations are harder to detect

Treating all threats equally; some CVEs are pre-auth remote code execution; others are post-auth denial of service — prioritize accordingly

Skipping the "how" when listing threats; "SQL injection" is not a threat; "attacker injects SQL to exfiltrate customer PII from order table" is actionable

threat-identification

threat-identification

Threat Identification

Context

Domain Context

Instructions

Anti-Patterns

Further Reading

Threat Identification

Context

Domain Context

Instructions

Anti-Patterns

Further Reading