threat-model-analyst
Use when a repository, system, or major change needs a structured STRIDE-A threat model — map architecture, data flows, trust boundaries, abuse cases, and prioritized findings, or update an existing model with a change-focused diff.
Best use case
threat-model-analyst is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Use when a repository, system, or major change needs a structured STRIDE-A threat model — map architecture, data flows, trust boundaries, abuse cases, and prioritized findings, or update an existing model with a change-focused diff.
Teams using threat-model-analyst should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/threat-model-analyst/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How threat-model-analyst Compares
| Feature / Agent | threat-model-analyst | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Use when a repository, system, or major change needs a structured STRIDE-A threat model — map architecture, data flows, trust boundaries, abuse cases, and prioritized findings, or update an existing model with a change-focused diff.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Threat Model Analyst Perform architecture-first security analysis using **STRIDE-A**: classic STRIDE plus explicit abuse-case thinking. ## When to Use - A new system or subsystem needs an initial threat model - A major change landed and the question is "what changed security-wise?" - You need to reason about trust boundaries, data flows, or risky integrations before implementation - A security review needs architecture evidence, not only code-pattern scanning ## When NOT to Use | Instead of threat-model-analyst | Use | |---------------------------------|-----| | Code-level vulnerability scanning | `security-scan` or `pr-security-review` | | Broad repository posture scoring | `evaluate-repository` | | Agent-specific OWASP checklist review | `agent-owasp-check` | | Supply-chain integrity validation | `agent-supply-chain` | ## Modes ### Single Analysis Use when there is no prior threat model or when the whole system needs review. ### Incremental Analysis Use when a previous threat model exists and you need to compare the current system or a specific commit against that baseline. Incremental mode is often the better day-to-day workflow because it highlights: - new threats - resolved threats - still-present threats - trust-boundary changes - differences in severity or exploitability ## Workflow ### 1. Define scope and assets Clarify: - what system or subsystem is in scope - what assets matter most - what actors exist - what trust boundaries separate them List obvious inputs and high-value outcomes before reading code in detail. ### 2. Build an architecture and data-flow sketch You do not need perfect diagrams before analysis, but you do need a concrete model of: - components - entry points - data stores - external systems - privileged execution zones - trust boundaries between them Represent the system as a lightweight DFD or component map if helpful. ### 3. Apply STRIDE-A to each component and flow For each component or trust boundary, ask: | Dimension | Question | |-----------|----------| | **Spoofing** | Who could impersonate a user, service, or agent? | | **Tampering** | What data or configuration could be modified without detection? | | **Repudiation** | What actions would be hard to prove later? | | **Information Disclosure** | What could leak across the boundary? | | **Denial of Service** | What could exhaust or block the system? | | **Elevation of Privilege** | What paths raise privileges unexpectedly? | | **Abuse** | What realistic misuse path would an attacker or insider choose? | ### 4. Score and prioritize findings For each finding, record: - affected component or trust boundary - short threat statement - exploit path - likely impact - mitigating controls already present - suggested remediation Map to CWE, OWASP, or CVSS only when it clarifies the issue instead of bloating the report. ### 5. Run incremental analysis for changes When comparing against a prior threat model, explicitly classify each item as: - **new** - **resolved** - **still present** - **changed severity** This is especially useful for: - new integrations - changed authentication flows - new background jobs or agents - infrastructure moves - CI/CD or deployment changes ### 6. Produce a concise decision-ready report A good threat model report should leave the reader with: - the architecture in scope - the highest-risk boundaries - the top findings in priority order - what changed since the last model, if applicable - the next mitigation step Suggested structure: ```markdown ## Architecture Overview - ... ## Trust Boundaries - ... ## STRIDE-A Findings - [High] ... - [Medium] ... ## Change Diff - New: ... - Resolved: ... - Still present: ... ## Next Mitigations - ... ``` ## Common Rationalizations | Rationalization | Reality | |----------------|---------| | "We'll just scan the code for vulnerabilities." | Code scanning misses architecture flaws, broken trust boundaries, and misuse paths. | | "The old threat model is close enough." | Architecture drift makes stale threat models dangerously reassuring. | | "Abuse cases are too speculative." | Real attackers optimize for abuse paths, not textbook categories. | ## Red Flags - No one can name the trust boundaries in the system - External systems are treated as trusted by default - Authentication or authorization changes are documented only at code level - A prior threat model exists but no change diff was done after a major update ## Verification - [ ] The system scope and assets are explicit - [ ] Components, flows, and trust boundaries were identified - [ ] STRIDE-A was applied to each meaningful boundary or component - [ ] Findings are prioritized instead of left as an unranked brainstorm - [ ] Incremental changes are called out separately when a baseline exists ## See Also - [`security-scan`](../security-scan/SKILL.md) - inspect code-level vulnerabilities after the model identifies hot spots - [`agent-owasp-check`](../agent-owasp-check/SKILL.md) - review agent-specific OWASP ASI risks - [`security-audit`](../../workflow/security-audit/SKILL.md) - broader workflow for OWASP plus STRIDE review
Related Skills
multi-model-strategy
Use when choosing which AI model to use for a task — pick the right model family and tier based on cost, speed, context needs, and reasoning depth
verification-before-completion
Use before claiming any task is done — run the exact command that proves the fix works, read the output, and only then report success.
using-git-worktrees
Use when you need multiple branches checked out at once — create isolated working directories for parallel development without cloning the repository repeatedly
triage
Use when a single issue needs structured triage — classify it, reproduce if needed, request missing information, and leave a durable brief or close-out note in the tracker.
to-issues
Use when a plan, spec, or PRD must become an actionable backlog — break it into thin dependency-aware issues that each deliver a verifiable vertical slice
sprint-workflow
Use when starting a new feature, refactor, or multi-step dev task — runs the full sprint cycle (Think → Plan → Build → Review → Test → Ship → Monitor) using Copilot CLI's plan/autopilot modes.
sprint-retro
Use at the end of a sprint to run a data-driven retrospective — analyzes session history and git metrics to surface what shipped, what slowed you down, and concrete improvements.
security-audit
Use when a codebase needs a formal security audit beyond a quick scan — applies OWASP Top 10 and STRIDE threat modeling from a CSO perspective to surface systemic vulnerabilities.
release
Use when a sprint or feature is complete and ready to ship — tags the version, generates GitHub Release notes, runs rollout or smoke verification, and publishes to npm/PyPI/Docker registries.
prompt-optimizer
Use when a rough prompt, vague idea, or task description needs to become a finished copy-pasteable prompt for a chat-based LLM - rewrite it into one ready-to-send prompt with no blanks, no placeholders, and a clear output shape.
outside-voice
Use when you need an independent second opinion before, during, or after implementation — run challenge, consult, or review mode in a direct builder-to-builder voice
llm-wiki
Use when research or domain knowledge keeps getting rediscovered across sessions — build a supplementary markdown wiki that compounds synthesized knowledge without replacing GitHub or committed project guidance