threat-model-analyst

Use when a repository, system, or major change needs a structured STRIDE-A threat model — map architecture, data flows, trust boundaries, abuse cases, and prioritized findings, or update an existing model with a change-focused diff.

8 stars

Best use case

threat-model-analyst is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Use when a repository, system, or major change needs a structured STRIDE-A threat model — map architecture, data flows, trust boundaries, abuse cases, and prioritized findings, or update an existing model with a change-focused diff.

Teams using threat-model-analyst should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/threat-model-analyst/SKILL.md --create-dirs "https://raw.githubusercontent.com/drvoss/everything-copilot-cli/main/skills/security/threat-model-analyst/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/threat-model-analyst/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How threat-model-analyst Compares

Feature / Agentthreat-model-analystStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Use when a repository, system, or major change needs a structured STRIDE-A threat model — map architecture, data flows, trust boundaries, abuse cases, and prioritized findings, or update an existing model with a change-focused diff.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Threat Model Analyst

Perform architecture-first security analysis using **STRIDE-A**: classic STRIDE plus
explicit abuse-case thinking.

## When to Use

- A new system or subsystem needs an initial threat model
- A major change landed and the question is "what changed security-wise?"
- You need to reason about trust boundaries, data flows, or risky integrations before implementation
- A security review needs architecture evidence, not only code-pattern scanning

## When NOT to Use

| Instead of threat-model-analyst | Use |
|---------------------------------|-----|
| Code-level vulnerability scanning | `security-scan` or `pr-security-review` |
| Broad repository posture scoring | `evaluate-repository` |
| Agent-specific OWASP checklist review | `agent-owasp-check` |
| Supply-chain integrity validation | `agent-supply-chain` |

## Modes

### Single Analysis

Use when there is no prior threat model or when the whole system needs review.

### Incremental Analysis

Use when a previous threat model exists and you need to compare the current system or a
specific commit against that baseline.

Incremental mode is often the better day-to-day workflow because it highlights:

- new threats
- resolved threats
- still-present threats
- trust-boundary changes
- differences in severity or exploitability

## Workflow

### 1. Define scope and assets

Clarify:

- what system or subsystem is in scope
- what assets matter most
- what actors exist
- what trust boundaries separate them

List obvious inputs and high-value outcomes before reading code in detail.

### 2. Build an architecture and data-flow sketch

You do not need perfect diagrams before analysis, but you do need a concrete model of:

- components
- entry points
- data stores
- external systems
- privileged execution zones
- trust boundaries between them

Represent the system as a lightweight DFD or component map if helpful.

### 3. Apply STRIDE-A to each component and flow

For each component or trust boundary, ask:

| Dimension | Question |
|-----------|----------|
| **Spoofing** | Who could impersonate a user, service, or agent? |
| **Tampering** | What data or configuration could be modified without detection? |
| **Repudiation** | What actions would be hard to prove later? |
| **Information Disclosure** | What could leak across the boundary? |
| **Denial of Service** | What could exhaust or block the system? |
| **Elevation of Privilege** | What paths raise privileges unexpectedly? |
| **Abuse** | What realistic misuse path would an attacker or insider choose? |

### 4. Score and prioritize findings

For each finding, record:

- affected component or trust boundary
- short threat statement
- exploit path
- likely impact
- mitigating controls already present
- suggested remediation

Map to CWE, OWASP, or CVSS only when it clarifies the issue instead of bloating the report.

### 5. Run incremental analysis for changes

When comparing against a prior threat model, explicitly classify each item as:

- **new**
- **resolved**
- **still present**
- **changed severity**

This is especially useful for:

- new integrations
- changed authentication flows
- new background jobs or agents
- infrastructure moves
- CI/CD or deployment changes

### 6. Produce a concise decision-ready report

A good threat model report should leave the reader with:

- the architecture in scope
- the highest-risk boundaries
- the top findings in priority order
- what changed since the last model, if applicable
- the next mitigation step

Suggested structure:

```markdown
## Architecture Overview
- ...

## Trust Boundaries
- ...

## STRIDE-A Findings
- [High] ...
- [Medium] ...

## Change Diff
- New: ...
- Resolved: ...
- Still present: ...

## Next Mitigations
- ...
```

## Common Rationalizations

| Rationalization | Reality |
|----------------|---------|
| "We'll just scan the code for vulnerabilities." | Code scanning misses architecture flaws, broken trust boundaries, and misuse paths. |
| "The old threat model is close enough." | Architecture drift makes stale threat models dangerously reassuring. |
| "Abuse cases are too speculative." | Real attackers optimize for abuse paths, not textbook categories. |

## Red Flags

- No one can name the trust boundaries in the system
- External systems are treated as trusted by default
- Authentication or authorization changes are documented only at code level
- A prior threat model exists but no change diff was done after a major update

## Verification

- [ ] The system scope and assets are explicit
- [ ] Components, flows, and trust boundaries were identified
- [ ] STRIDE-A was applied to each meaningful boundary or component
- [ ] Findings are prioritized instead of left as an unranked brainstorm
- [ ] Incremental changes are called out separately when a baseline exists

## See Also

- [`security-scan`](../security-scan/SKILL.md) - inspect code-level vulnerabilities after the model identifies hot spots
- [`agent-owasp-check`](../agent-owasp-check/SKILL.md) - review agent-specific OWASP ASI risks
- [`security-audit`](../../workflow/security-audit/SKILL.md) - broader workflow for OWASP plus STRIDE review

Related Skills

multi-model-strategy

8
from drvoss/everything-copilot-cli

Use when choosing which AI model to use for a task — pick the right model family and tier based on cost, speed, context needs, and reasoning depth

verification-before-completion

8
from drvoss/everything-copilot-cli

Use before claiming any task is done — run the exact command that proves the fix works, read the output, and only then report success.

using-git-worktrees

8
from drvoss/everything-copilot-cli

Use when you need multiple branches checked out at once — create isolated working directories for parallel development without cloning the repository repeatedly

triage

8
from drvoss/everything-copilot-cli

Use when a single issue needs structured triage — classify it, reproduce if needed, request missing information, and leave a durable brief or close-out note in the tracker.

to-issues

8
from drvoss/everything-copilot-cli

Use when a plan, spec, or PRD must become an actionable backlog — break it into thin dependency-aware issues that each deliver a verifiable vertical slice

sprint-workflow

8
from drvoss/everything-copilot-cli

Use when starting a new feature, refactor, or multi-step dev task — runs the full sprint cycle (Think → Plan → Build → Review → Test → Ship → Monitor) using Copilot CLI's plan/autopilot modes.

sprint-retro

8
from drvoss/everything-copilot-cli

Use at the end of a sprint to run a data-driven retrospective — analyzes session history and git metrics to surface what shipped, what slowed you down, and concrete improvements.

security-audit

8
from drvoss/everything-copilot-cli

Use when a codebase needs a formal security audit beyond a quick scan — applies OWASP Top 10 and STRIDE threat modeling from a CSO perspective to surface systemic vulnerabilities.

release

8
from drvoss/everything-copilot-cli

Use when a sprint or feature is complete and ready to ship — tags the version, generates GitHub Release notes, runs rollout or smoke verification, and publishes to npm/PyPI/Docker registries.

prompt-optimizer

8
from drvoss/everything-copilot-cli

Use when a rough prompt, vague idea, or task description needs to become a finished copy-pasteable prompt for a chat-based LLM - rewrite it into one ready-to-send prompt with no blanks, no placeholders, and a clear output shape.

outside-voice

8
from drvoss/everything-copilot-cli

Use when you need an independent second opinion before, during, or after implementation — run challenge, consult, or review mode in a direct builder-to-builder voice

llm-wiki

8
from drvoss/everything-copilot-cli

Use when research or domain knowledge keeps getting rediscovered across sessions — build a supplementary markdown wiki that compounds synthesized knowledge without replacing GitHub or committed project guidance