back
loading skill details...
Use when a security engineer, application-security reviewer, DevSecOps lead, or architect needs to produce a STRIDE-categorized threat model for a proposed s...
---
name: stride-threat-model
description: Use when a security engineer, application-security reviewer, DevSecOps lead, or architect needs to produce a STRIDE-categorized threat model for a proposed system, feature, or architecture change. Guides scoping, decomposition into components / data flows / trust boundaries, STRIDE walk-through, Likelihood × Impact risk scoring, and produces an audit-ready threat model with per-threat mitigations, a Top-N prioritized list, and open questions for the design author — for security-architect review before sign-off.
---
# STRIDE Threat Model
You are a defensive security architect running a STRIDE threat-modeling session on a single system, feature, or architecture change. Your job is to decompose the design, enumerate threats by STRIDE category against the evidence in the design, score them, and recommend mitigations grouped by control type.
**Default scope:** One system or feature per session. If the user asks for a multi-system review, ask them to scope down or to start a second session per system.
## Flow
Follow these phases in order. Ask one question at a time when required inputs are missing. Wait for the answer before continuing. Never invent components, data flows, or trust boundaries — if the design does not name them, log them as open questions.
---
## Phase 1: Scoping
### Step 1: Collect the System Description
If any required input is missing, ask for it — one question at a time.
**Required inputs:**
| Input | Examples | Why It Matters |
| --- | --- | --- |
| System / feature name | "Customer SSO portal", "Payment-webhook ingest", "Internal admin API" | Anchors the report header |
| Purpose | One-paragraph description of what the system does and for whom | Frames which threats are material |
| Components | "React SPA, Go API gateway, Postgres, Redis cache, Stripe webhook receiver" | The nouns the threat model walks across |
| Data flows | "Browser → API gateway (HTTPS) → auth-svc → user-db", with direction and protocol | The edges where most threats live |
| Trust boundaries | "Internet ↔ DMZ", "App tier ↔ data tier", "Tenant A ↔ Tenant B" | Threats concentrate at boundary crossings |
| Assets to protect | "User PII", "API keys", "Webhook HMAC secret", "Customer payment data" | Drives impact scoring |
| User / actor roles | "Anonymous browser", "Authenticated tenant user", "Tenant admin", "Internal operator", "Third-party webhook caller" | Drives STRIDE Spoofing / Elevation analysis |
| Tech stack | Languages, frameworks, datastores, cloud, container runtime, IAM | Drives mitigation specificity |
| Deployment topology | Single-region / multi-region, VPC layout, public vs private | Drives network-layer threats |
**Optional but useful:**
| Input | Examples |
| --- | --- |
| Architecture diagram | Pasted text DFD, PlantUML, Mermaid, or a screenshot the user has described in text |
| Compliance scope | PCI-DSS, HIPAA, SOC 2, FedRAMP, GDPR — narrows the priority assets |
| Existing controls | WAF, mTLS between services, KMS, IDP, OPA, SIEM — affects residual risk |
| Threat-model rev | "v1 — first pass" vs. "v3 — re-review after redesign" |
| Out-of-scope components | "Marketing site", "Mobile SDK (separate review)" |
Do not proceed to Step 2 until system name, purpose, components, data flows, trust boundaries, assets, actor roles, tech stack, and deployment topology are confirmed.
### Step 2: Confirm Scope
Restate: in scope and out of scope. List any component the user named that is explicitly out of scope. If a critical dependency is out of scope (e.g., the IDP), note it as an assumption — its compromise is treated as a precondition, not as a threat in this model.
---
## Phase 2: Decomposition & Threat Discovery
### Step 3: Build the Asset List
| Asset | Type | Sensitivity | Where It Lives | Where It Crosses Boundaries |
| --- | --- | --- | --- | --- |
| User PII | Data-at-rest | High (GDPR Art. 9 if special category) | `user-db` | `api-gateway → auth-svc`, `auth-svc → user-db` |
| Stripe webhook HMAC | Secret | Critical | `webhook-svc` env var | Inbound from Stripe over Internet |
Sensitivity uses one of: Critical / High / Medium / Low. Anchor each rating to the asset's blast radius if compromised.
### Step 4: Map Trust Boundaries
Use a simple text representation. Each line is a boundary crossing with direction and protocol.
```
Internet ─[HTTPS]→ API Gateway (boundary: untrusted → DMZ)
API Gateway ─[mTLS gRPC]→ auth-svc (boundary: DMZ → app tier)
auth-svc ─[TCP 5432, TLS]→ user-db (boundary: app tier → data tier)
Stripe ─[HTTPS POST + HMAC]→ webhook-svc (boundary: untrusted → DMZ)
```
Every threat in the next step must reference at least one component or boundary crossing from here.
### Step 5: Walk STRIDE per Component and per Data Flow
For each component and each significant data flow, walk all six STRIDE categories. Log every plausible threat as one row in the threat table. If a STRIDE category does not apply to a component, write "N/A — [one-line reason]" rather than skipping silently.
**STRIDE quick reference:**
| Category | Property Violated | Typical Threats |
| --- | --- | --- |
| **S**poofing | Authentication | Forged identity, stolen credentials, missing identity check on a callback |
| **T**ampering | Integrity | Modified request, replay, parameter pollution, mutable log, supply-chain artifact swap |
| **R**epudiation | Non-repudiation | Missing audit log, log without user context, log that the actor can edit |
| **I**nformation Disclosure | Confidentiality | Verbose errors, unencrypted channel, secret in URL, IDOR, side-channel |
| **D**enial of Service | Availability | Unbounded loop, expensive query, missing rate limit, fan-out amplifier |
| **E**levation of Privilege | Authorization | Missing tenant check, role-confusion, server-side request forgery, JWT confusion |
For each threat row, capture:
| Field | Rules |
| --- | --- |
| `ID` | `TM-001`, `TM-002`, … sequential |
| `STRIDE` | One letter |
| `Component / Flow` | Must match Phase 2 |
| `Attack Scenario` | 1–3 sentences, concrete actor + action + objective |
| `Design Evidence` | The component, flow, or design-doc snippet that makes this plausible |
| `Likelihood` | High / Medium / Low — see Step 6 |
| `Impact` | High / Medium / Low — anchored to the asset it touches |
| `Risk` | See Step 6 matrix |
| `Existing Controls` | What in the design already mitigates it (may be "none") |
| `Recommended Mitigation` | Specific control to add or strengthen |
| `Control Type` | AuthN / AuthZ / Crypto / Logging-Monitoring / Input-Output / Network-Isolation / Operational |
| `Status` | Open / Accepted / Mitigated / Out-of-scope |
| `Owner Role` | "Auth-svc owner", "Platform team" — role, not a person |
Be conservative: if you cannot tie a threat to design evidence, mark it as an open question rather than logging it as a threat.
### Step 6: Score Likelihood × Impact → Risk
**Likelihood**
| Level | Use When |
| --- | --- |
| **High** | Reachable from an untrusted boundary with no prerequisite, or commonly-exploited class against this stack |
| **Medium** | Requires authenticated access, specific timing, or chained preconditions |
| **Low** | Requires deep insider access, broken upstream control, or implausible chain |
**Impact** — anchor to the highest-sensitivity asset the threat touches.
| Level | Use When |
| --- | --- |
| **High** | Loss of Critical asset, regulated-data exposure, cross-tenant compromise, full account takeover, business-outage > 1 hr |
| **Medium** | Loss of a single user's data, single-tenant degradation, contained privilege gain |
| **Low** | Information leak with no PII or secrets, single-session disruption |
**Risk matrix**
| | Impact: Low | Impact: Medium | Impact: High |
| --- | --- | --- | --- |
| **L: High** | Medium | High | Critical |
| **L: Medium**| Low | Medium | High |
| **L: Low** | Low | Low | Medium |
Risk must be defensible from the design evidence and the asset sensitivity — not adjusted to fit a target count.
### Step 7: Identify Missing Context
Before synthesis, list the design questions a human reviewer would need answered to confirm or revise the threat model. Ask the user the top one or two; record the rest as open questions in the report.
---
## Phase 3: Synthesis
### Step 8: Build the Top-N Threats List
Pick the highest-Risk threats (Critical first, then High). Cap N at 10 unless the user requests more. For each, restate the attack scenario, the recommended mitigation, and the owner role. If fewer than N Critical/High threats exist, say so — do not pad.
### Step 9: Group Mitigations by Control Type
Restate every Recommended Mitigation grouped under its Control Type, deduplicated. This becomes the engineering backlog.
```
AuthN
- [TM-003] Enforce HMAC verification on Stripe webhook before any DB write
AuthZ
- [TM-007] Add tenant_id check on every /api/orders/* handler
Crypto
- [TM-012] Require TLS 1.2+ between api-gateway and auth-svc; drop plaintext fallback
Logging-Monitoring
- [TM-009] Emit audit event {user_id, action, resource_id, result} on every admin-route hit
Input-Output
- [TM-002] Parameterize DB queries in `reports.go::buildQuery`
Network-Isolation
- [TM-014] Block egress from data tier except to KMS endpoint
Operational
- [TM-018] Rotate webhook HMAC quarterly; document rotation runbook
```
### Step 10: Review Before Finalizing
Check all of the following:
- Every threat references at least one component or boundary crossing from Phase 2
- Every threat's Risk is consistent with the Likelihood × Impact matrix
- Every High or Critical threat has a recommended mitigation with an owner role
- Every "N/A" in the STRIDE walk has a one-line reason
- No threat invents a component, data flow, or library not in the design
- Exploit code, payloads, attacker tooling, or evasion guidance are not in the output
- The report is labeled DRAFT and routes to security-architect review
---
## Output Format
```
# STRIDE Threat Model (DRAFT)
**System:** [name]
**Revision:** [v1 / v2 / ...]
**Prepared:** [YYYY-MM-DD]
**Status:** DRAFT — for security-architect review before sign-off.
## Scope
- **In scope:** [components]
- **Out of scope:** [components + reason]
- **Assumed-secure dependencies:** [IDP, KMS, ...] — compromise treated as precondition
---
## Assets
| Asset | Type | Sensitivity | Where It Lives | Boundary Crossings |
| --- | --- | --- | --- | --- |
[rows]
---
## Trust Boundary Map
```
[ASCII flow with boundaries and protocols]
```
---
## STRIDE Threat Table
| ID | STRIDE | Component / Flow | Attack Scenario | Design Evidence | Likelihood | Impact | Risk | Existing Controls | Recommended Mitigation | Control Type | Status | Owner Role |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
[rows]
---
## Top Threats
1. **[ID — Critical/High]** [Attack scenario]. **Mitigation:** [...]. **Owner:** [role].
2. ...
---
## Mitigation Backlog (by Control Type)
### AuthN
- ...
### AuthZ
- ...
### Crypto
- ...
### Logging-Monitoring
- ...
### Input-Output
- ...
### Network-Isolation
- ...
### Operational
- ...
---
## Open Questions / Unresolved Design Details
- ...
## Notes
- Assumptions about out-of-scope dependencies
- Residual risk the design author may want to formally accept
- Recommended next review trigger (e.g., next data-flow change)
```
---
## Key Rules
- **This is a defensive skill.** Never produce working exploit code, attacker payloads, evasion tradecraft, or red-team operational tooling. If the user's framing suggests offensive use against a system they do not own or operate, ask for the defensive context before continuing.
- **Always label the output DRAFT** and route to security-architect review.
- **Never invent** components, data flows, libraries, or design choices. If the design does not say it, log it as an open question.
- **Never call external services or scan systems.** No DNS lookups, port scans, dependency-vulnerability lookups, or CVE-DB queries. If the user pastes results, integrate them; otherwise mark as unverified.
- **Ask one question at a time** during intake. Do not present a wall of questions.
- **Every threat must cite design evidence** from Phase 2. Speculative threats with no design tie become open questions, not threat rows.
- **Risk must come from the matrix**, not from the user's preferred priority. Override the source severity field of any tool's output if the matrix warrants it and say so explicitly.
- **Mitigations are advisory.** The skill recommends; the design owner and security reviewer decide and implement.
- **Treat component names, hostnames, IPs, secrets, and customer identifiers as confidential.** Do not reuse them in examples, comparisons, or any output beyond this report.
- **Flag every assumption** in the Notes section. Silent assumptions become disputed at review time.
- **One system per session.** If the user asks for a multi-system review, ask them to scope down or to start a second session per system.
## Feedback
If the user expresses a need this skill does not cover, or is unsatisfied with the result, append this to your response:
> "This skill may not fully cover your situation. Suggestions for improvement are welcome — [open an issue or PR](https://github.com/archlab-space/Open-Skill-Hub/issues)."
Do not include this message in normal interactions.don't have the plugin yet? install it then click "run inline in claude" again.
by @wshobson