threat-modeling-techniques

Threat modeling methodologies using STRIDE, attack trees, and risk assessment for proactive security analysis. Use when designing secure systems, conducting security reviews, or identifying potential attack vectors in applications.

13 stars

Best use case

threat-modeling-techniques is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Threat modeling methodologies using STRIDE, attack trees, and risk assessment for proactive security analysis. Use when designing secure systems, conducting security reviews, or identifying potential attack vectors in applications.

Teams using threat-modeling-techniques should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/threat-modeling-techniques/SKILL.md --create-dirs "https://raw.githubusercontent.com/NickCrew/Claude-Cortex/main/skills/threat-modeling-techniques/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/threat-modeling-techniques/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How threat-modeling-techniques Compares

Feature / Agentthreat-modeling-techniquesStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Threat modeling methodologies using STRIDE, attack trees, and risk assessment for proactive security analysis. Use when designing secure systems, conducting security reviews, or identifying potential attack vectors in applications.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Threat Modeling Techniques

Systematic framework for identifying, analyzing, and mitigating security threats during system design and architecture phases using proven methodologies like STRIDE, attack trees, and risk assessment frameworks.

## When to Use This Skill

- Designing new systems or features with security requirements
- Conducting security architecture reviews
- Identifying attack vectors and threat scenarios
- Assessing security risks before implementation
- Creating security requirements and controls
- Evaluating third-party integrations for security impact
- Planning security testing strategies
- Documenting security design decisions
- Training teams on proactive security thinking
- Supporting security compliance initiatives (SOC 2, ISO 27001)

## Core Process

**Five-Stage Threat Modeling Process:**

1. **Define** - Understand the system and create architecture diagrams
2. **Identify** - Enumerate threats using structured methodologies (STRIDE, attack trees)
3. **Assess** - Evaluate risk severity and likelihood (DREAD scoring)
4. **Mitigate** - Design controls and countermeasures
5. **Validate** - Review and test security controls

## Quick Reference

| Task | Load reference |
| --- | --- |
| STRIDE: Spoofing Identity | `skills/threat-modeling-techniques/references/stride-spoofing.md` |
| STRIDE: Tampering with Data | `skills/threat-modeling-techniques/references/stride-tampering.md` |
| STRIDE: Repudiation | `skills/threat-modeling-techniques/references/stride-repudiation.md` |
| STRIDE: Information Disclosure | `skills/threat-modeling-techniques/references/stride-disclosure.md` |
| STRIDE: Denial of Service | `skills/threat-modeling-techniques/references/stride-dos.md` |
| STRIDE: Elevation of Privilege | `skills/threat-modeling-techniques/references/stride-elevation.md` |
| Attack Trees | `skills/threat-modeling-techniques/references/attack-trees.md` |
| Data Flow Diagrams (DFD) | `skills/threat-modeling-techniques/references/data-flow-diagrams.md` |
| DREAD Risk Scoring | `skills/threat-modeling-techniques/references/dread-scoring.md` |
| Mitigation Strategies | `skills/threat-modeling-techniques/references/mitigation-strategies.md` |
| Tools & Process | `skills/threat-modeling-techniques/references/tools-and-process.md` |

## Core Concepts

### STRIDE Methodology

**STRIDE** categorizes threats into six types:

- **S**poofing: Pretending to be someone/something else (authentication bypass, credential theft)
- **T**ampering: Malicious modification of data (MITM attacks, data corruption)
- **R**epudiation: Denying actions without proof (lack of audit trails)
- **I**nformation Disclosure: Exposing sensitive data (data leaks, verbose errors)
- **D**enial of Service: Making systems unavailable (resource exhaustion, DDoS)
- **E**levation of Privilege: Gaining unauthorized capabilities (privilege escalation, IDOR)

**Apply STRIDE to:**
- Each component in data flow diagrams
- Every trust boundary crossing
- All data stores and processes
- External integrations and APIs

### Attack Trees

Hierarchical diagrams showing attack paths from goals to methods:

```
[Root: Attack Goal]
    |
    +-- [OR] Method 1 (alternative paths)
    |       |
    |       +-- [AND] Required Step 1.1
    |       +-- [AND] Required Step 1.2
    |
    +-- [OR] Method 2 (alternative paths)
```

**Use attack trees to:**
- Visualize attack scenarios
- Identify easiest attack paths
- Assign attributes (cost, skill, detection likelihood)
- Prioritize mitigations for high-risk paths

### DREAD Risk Scoring

**DREAD** quantifies threat severity (each criterion scored 0-10, average = risk score):

- **D**amage Potential: How much damage if exploited?
- **R**eproducibility: How easy to reproduce?
- **E**xploitability: How easy to exploit?
- **A**ffected Users: How many users affected?
- **D**iscoverability: How easy to discover?

**Risk Levels:**
- 7.1-10.0: Critical (immediate action)
- 5.1-7.0: High (next sprint)
- 3.1-5.0: Medium (upcoming releases)
- 0.0-3.0: Low (backlog)

### Trust Boundaries

Lines separating different trust levels:

- **Network**: Internet → DMZ → Internal
- **Process**: User Mode → Kernel, Container → Host
- **User**: Anonymous → Authenticated → Admin

**At each boundary, verify:**
- Authentication required?
- Authorization checks enforced?
- Data encrypted?
- Inputs validated?
- Actions logged?

## Practical Workflow

### 1. Scope Definition (30 min)
- Identify system components in scope
- Define trust boundaries
- List assets requiring protection
- Identify compliance requirements

### 2. Architecture Decomposition (1 hour)
- Create data flow diagrams (DFDs)
- Document external dependencies
- Identify authentication/authorization points
- Map data storage locations

### 3. Threat Identification (1-2 hours)
- Apply STRIDE to each DFD element
- Create attack trees for high-value assets
- Brainstorm threat scenarios with team
- Use threat modeling tools for suggestions

### 4. Risk Assessment (1 hour)
- Apply DREAD scoring to each threat
- Prioritize threats by risk score
- Consider business context and compliance
- Identify quick wins vs. long-term efforts

### 5. Mitigation Planning (1 hour)
- Design security controls (eliminate, reduce, transfer, accept)
- Document mitigation strategies
- Create security requirements (SEC-### format)
- Assign ownership for implementation

### 6. Documentation (30 min)
- Export threat model diagrams
- Create security requirements document
- Document risk acceptance decisions
- Share with stakeholders

## Common Mistakes

**Avoid:**
- Threat modeling too late (after implementation complete)
- Focusing only on external threats (ignore insider threats)
- Creating static threat models (never updating them)
- Over-complicating diagrams (too much detail)
- Ignoring low-likelihood, high-impact threats
- Failing to document assumptions and decisions
- Not following through on mitigations

## Best Practices

**Team Involvement:**
- Developers: Implementation details, code-level threats
- Architects: System design, integration points
- Security Team: Threat expertise, attack scenarios
- Operations: Deployment, monitoring, incident response
- Product Owners: Business impact, risk acceptance decisions

**Process Integration:**
- Design phase: Threat model before implementation
- Development: Implement controls, create security tests
- Deployment: Verify controls, enable monitoring
- Maintenance: Update model when features change

## Tools

**Microsoft Threat Modeling Tool**: Visual DFD editor, automated STRIDE threat generation
**OWASP Threat Dragon**: Open source, cross-platform, web and desktop versions
**IriusRisk**: Commercial platform, DevSecOps integration, compliance mapping
**ThreatModeler**: Collaborative, cloud architecture support

## Resources

- **Microsoft Threat Modeling Tool**: https://aka.ms/threatmodelingtool
- **OWASP Threat Dragon**: https://owasp.org/www-project-threat-dragon/
- **STRIDE Documentation**: https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats
- **Threat Modeling Manifesto**: https://www.threatmodelingmanifesto.org/
- **NIST Threat Modeling**: https://csrc.nist.gov/projects/threat-modeling

Related Skills

writing-skills

13
from NickCrew/Claude-Cortex

Use when creating new skills, editing existing skills, or verifying skills work before deployment - applies TDD to process documentation by testing with subagents before writing, iterating until bulletproof against rationalization

workflow-security-audit

13
from NickCrew/Claude-Cortex

Comprehensive security assessment and remediation. Use for security reviews, compliance checks, vulnerability assessments.

workflow-performance

13
from NickCrew/Claude-Cortex

Systematic performance analysis and optimization. Use when things are slow, need optimization, or preparing for scale.

workflow-feature

13
from NickCrew/Claude-Cortex

Complete feature development workflow from design to deployment. Use when implementing new features or functionality.

workflow-feature-development

13
from NickCrew/Claude-Cortex

Complete workflow for developing new features from design to deployment. Use when starting a new feature, adding functionality, or building something new.

workflow-bug-fix

13
from NickCrew/Claude-Cortex

Systematic approach to identifying, fixing, and validating bug fixes. Use when fixing bugs, resolving issues, or addressing errors.

wiring-audit

13
from NickCrew/Claude-Cortex

User-triggered audit that finds wiring drift between a project's UI surfaces and backend capabilities — orphan surfaces (UI calls endpoints/hooks/procedures that no longer exist), unwired capabilities (backend routes/exports that nothing surfaces), shape drift (both exist but contracts mismatch), method drift (URL matches, HTTP verb does not), validation drift (frontend vs backend rules diverged), permission drift (UI exposes what backend forbids or vice versa), stale labels (UI text references renamed backend concepts), and unsurfaced configuration (env vars or flags that gate behavior with no UI or CLI to control them). This skill should be used when the user asks to "audit our wiring," "find UI/backend drift," "find unwired capabilities," "find stale surfaces," "check for contract violations," "find unused endpoints," "find unused hooks," "what mismatches between UI and backend," or any similar request whose deliverable is a prioritized findings report rather than a descriptive snapshot. Generic across UI frameworks but optimized for React applications (hooks, fetch, react-query, SWR, tRPC, server actions, react-router, Next.js). Not for descriptive architectural snapshots (use architectural-analysis), security audits (use security-auditor), or performance audits (use workflow-performance).

webapp-testing

13
from NickCrew/Claude-Cortex

Toolkit for interacting with and testing local web applications using Playwright. Use when verifying frontend functionality, debugging UI behavior, capturing browser screenshots, and viewing browser logs.

web-researcher

13
from NickCrew/Claude-Cortex

Use this skill when you need to research a topic online, gather information from multiple sources, or evaluate source credibility. Trigger phrases: 'research', 'find information about', 'look up', 'investigate'. Not for academic systematic reviews (use literature-reviewer) or fact-checking specific claims (use fact-checker).

visual-modes

13
from NickCrew/Claude-Cortex

Use when activating visual showcase modes (supersaiyan, kamehameha, over9000) for UI or interaction design - provides mode-specific enhancement checklists.

vibe-security

13
from NickCrew/Claude-Cortex

Comprehensive secure coding guide covering OWASP web vulnerabilities with prevention patterns and checklists. Use when writing or reviewing web application code to prevent XSS, CSRF, SSRF, SQL injection, access control flaws, and other common security vulnerabilities.

verification-before-completion

13
from NickCrew/Claude-Cortex

Use when about to claim work is complete, fixed, or passing, before committing or creating PRs - requires running verification commands and confirming output before making any success claims; evidence before assertions always