Routes to security architecture skills - threat modeling, controls, compliance, authorization
Routes to specialized security skills based on your situation—threat modeling, controls design, compliance, or classified systems. Use this when starting any security task or when security is mentioned to load the right expertise.
/plugin marketplace add tachyon-beep/skillpacks/plugin install ordis-security-architect@foundryside-marketplaceThis skill inherits all available tools. When active, it can use any tool Claude has access to.
classified-systems-security.mdcompliance-awareness-and-mapping.mddocumenting-threats-and-controls.mdsecure-by-design-patterns.mdsecurity-architecture-review.mdsecurity-authorization-and-accreditation.mdsecurity-controls-design.mdthreat-modeling.mdThis meta-skill routes you to the right security architecture skills based on your situation. Load this skill when you need security expertise but aren't sure which specific security skill to use.
Core Principle: Different security tasks require different skills. Match your situation to the appropriate skill, load only what you need.
Load this skill when:
Don't use for: Simple features with no security implications (e.g., UI styling, basic CRUD with existing auth)
IMPORTANT: All reference sheets are located in the SAME DIRECTORY as this SKILL.md file.
When this skill is loaded from:
skills/using-security-architect/SKILL.md
Reference sheets like threat-modeling.md are at:
skills/using-security-architect/threat-modeling.md
NOT at:
skills/threat-modeling.md ← WRONG PATH
When you see a link like [threat-modeling.md](threat-modeling.md), read the file from the same directory as this SKILL.md.
Symptoms: "Design a new...", "We're building...", "Greenfield project"
Route to:
Example: "Design authentication system" → Load all three in order
Symptoms: "Review this design", "Security audit", "Does this look secure?"
Route to: security-architecture-review.md
When to add:
Example: "Review this plugin system" → Load security-architecture-review.md
Route to:
Route to:
Route to:
Symptoms: "TOP SECRET", "classified data", "security clearances", "multi-level security", "Bell-LaPadula"
Route to:
Example: "Design system handling SECRET and UNCLASSIFIED" → Load classified-systems-security.md first
Symptoms: "HIPAA", "PCI-DSS", "SOC2", "GDPR", "compliance audit", "regulatory requirements"
Route to: compliance-awareness-and-mapping.md
When to add:
Example: "Build HIPAA-compliant system" → Load compliance-awareness-and-mapping.md + threat-modeling.md
Symptoms: "ATO", "AIS", "authority to operate", "SSP", "SAR", "POA&M", "FedRAMP", "FISMA"
Route to: security-authorization-and-accreditation.md
Cross-reference: Load muna/technical-writer/operational-acceptance-documentation for SSP/SAR writing
Symptoms: "Document security decisions", "Write security docs", "Explain threat model"
Route to: documenting-threats-and-controls.md
Cross-faction reference: Load muna/technical-writer/documentation-structure for ADR format, clarity guidelines
Example: "Document why we chose MLS" → Load documenting-threats-and-controls.md + documentation-structure
Load these for any project with security needs:
Load these only when context requires:
Decision: If you're unsure whether context is "specialized", start with core skills. Specialized contexts will be explicit in requirements.
Is this security-related?
├─ No → Don't load security skills
└─ Yes → Continue
What's the situation?
├─ New system design → threat-modeling + secure-by-design-patterns + security-controls-design
├─ Reviewing existing → architecture-security-review
├─ Documenting security → documenting-threats-and-controls + muna/technical-writer/documentation-structure
└─ Domain-specific → See "Specific Security Domains" above
Is this a specialized context?
├─ Classified data → ADD: classified-systems-security
├─ Compliance required → ADD: compliance-awareness-and-mapping
├─ Government ATO → ADD: security-authorization-and-accreditation
└─ No → Core skills sufficient
Security work often requires skills from other factions:
Muna (Documentation):
muna/technical-writer/documentation-structure - When documenting security (ADRs, SSPs)muna/technical-writer/clarity-and-style - When explaining security to non-expertsLoad both factions when: Documenting security decisions, writing security policies, explaining threats to stakeholders
User: "Design authentication with passwords and OAuth"
You: Loading threat-modeling + secure-by-design-patterns + security-controls-design
User: "Review this plugin security design"
You: Loading architecture-security-review
User: "Build system handling TOP SECRET data"
You: Loading classified-systems-security + threat-modeling + secure-by-design-patterns
User: "Build HIPAA-compliant patient portal"
You: Loading compliance-awareness-and-mapping + threat-modeling + security-controls-design
User: "Document our MLS security decisions"
You: Loading documenting-threats-and-controls + muna/technical-writer/documentation-structure
Don't load security skills for:
Example: "Add dark mode toggle to settings" → No security skills needed (unless settings include security-sensitive preferences)
| Task Type | Load These Skills | Notes |
|---|---|---|
| New system design | threat-modeling, secure-by-design-patterns, security-controls-design | Load in order |
| Design review | architecture-security-review | Add threat-modeling if no threat analysis exists |
| Authentication | threat-modeling, secure-by-design-patterns | Consider authorization-and-accreditation if ATO needed |
| API security | threat-modeling, architecture-security-review | Apply STRIDE to endpoints |
| Classified data | classified-systems-security + core skills | Extension required |
| Compliance | compliance-awareness-and-mapping + core skills | Extension for regulatory contexts |
| Government ATO | security-authorization-and-accreditation + core skills | Extension for ATO/AIS |
| Document security | documenting-threats-and-controls, muna/documentation-structure | Cross-faction |
Wrong: Load all 8 security-architect skills for every security task Right: Load only the skills your situation needs (use decision tree)
Wrong: Jump straight to implementation for new security features Right: Always threat model first for new systems/features
Wrong: Use generic threat modeling for classified systems Right: Load classified-systems-security for MLS contexts
Wrong: Write security docs without documentation structure skills Right: Load both ordis/documenting-threats + muna/documentation-structure
User: "Design a payment processing microservice"
Your routing:
1. Recognize: New system + financial domain → security critical
2. Load: threat-modeling (identify payment-specific threats)
3. Load: secure-by-design-patterns (encryption, secrets management)
4. Load: security-controls-design (PCI-DSS controls)
5. Consider: compliance-awareness-and-mapping (PCI-DSS is compliance requirement)
User: "Add a favorites button to the UI"
Your routing:
1. Recognize: UI feature, uses existing auth, no new security surface
2. Decision: No security skills needed
3. Proceed with standard implementation
User: "Review architecture for system handling SECRET and UNCLASSIFIED data"
Your routing:
1. Recognize: Classified context (SECRET mentioned) + review task
2. Load: classified-systems-security (MLS patterns required)
3. Load: architecture-security-review (review process)
4. Load: threat-modeling (if threats not already modeled)
Currently Available (Phase 1):
using-security-architect (this skill)threat-modeling (in progress)Coming Soon (Phases 2-3):
security-controls-designarchitecture-security-reviewsecure-by-design-patternsclassified-systems-securitycompliance-awareness-and-mappingsecurity-authorization-and-accreditationdocumenting-threats-and-controlsFor Phase 1: Focus on threat-modeling as primary skill. Reference other skills by name even though they're not implemented yet - this tests the routing logic.
This skill maps your situation → specific security skills to load.
Meta-rule: When in doubt, start with threat-modeling.md. Threats drive everything else.
After routing, load the appropriate specialist skill for detailed guidance:
Master authentication and authorization patterns including JWT, OAuth2, session management, and RBAC to build secure, scalable access control systems. Use when implementing auth systems, securing APIs, or debugging security issues.