Automates threat modeling with STRIDE, CWE, CAPEC, and ATT&CK frameworks. Integrates with Claude Code for security design reviews, penetration testing, and compliance assessments. Benefits operations teams by streamlining risk analysis and attack chain mapping.
git clone https://github.com/fr33d3m0n/skill-threat-modeling.git
1. **Define the Scope**: Replace [SYSTEM/APPLICATION_NAME] with the name of your system or application. Specify the team responsible for addressing risks (e.g., [SECURITY_TEAM/DEVELOPMENT_TEAM]).
2. **Run the Analysis**: Paste the prompt into your AI tool (e.g., Claude, ChatGPT) and execute it. Ensure the AI has access to your system documentation or architecture diagrams if available.
3. **Review and Validate**: Cross-check the AI's output against your existing threat models or security assessments. Use tools like **OWASP Threat Dragon** or **Microsoft Threat Modeling Tool** to visualize the findings.
4. **Prioritize Risks**: Sort threats by risk level (Critical, High, Medium, Low) and focus on mitigations for Critical/High risks first. Use frameworks like **DREAD** or **CVSS** for additional scoring.
5. **Integrate with Workflows**: For penetration testing, use the output to guide **Burp Suite** or **Metasploit** testing. For compliance, map mitigations to **NIST CSF** or **ISO 27001** controls. Update your **Confluence** or **Jira** backlog with actionable tasks.

**Tips for Better Results**:
- Provide the AI with **system architecture diagrams** or **data flow diagrams** to improve accuracy.
- Specify the **tech stack** (e.g., React frontend, Python backend, AWS cloud) to tailor the analysis.
- For compliance assessments, include relevant standards (e.g., [HIPAA/GDPR/PCI DSS]) in the prompt to align recommendations.
No install command available. Check the GitHub repository for manual installation instructions.
git clone https://github.com/fr33d3m0n/skill-threat-modeling
Copy the install command above and run it in your terminal.
Launch Claude Code, Cursor, or your preferred AI coding agent.
Use the prompt template or examples below to test the skill.
Adapt the skill to your specific use case and workflow.
Perform a threat modeling analysis for [SYSTEM/APPLICATION_NAME] using the STRIDE framework. Identify potential threats under each category (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege). For each threat, map it to relevant CWE (Common Weakness Enumeration) and CAPEC (Common Attack Pattern Enumeration and Classification) entries. Finally, cross-reference the findings with the MITRE ATT&CK framework to determine potential attack chains and mitigation strategies. Provide actionable recommendations for [SECURITY_TEAM/DEVELOPMENT_TEAM] to address the identified risks.
### Threat Modeling Analysis for **E-Commerce Platform v2.1**

#### **STRIDE Framework Analysis**

**1. Spoofing (S)**
- **Threat**: Unauthenticated API requests could spoof user identities via JWT token manipulation.
- **CWE Mapping**: CWE-345 (Insufficient Verification of Data Authenticity)
- **CAPEC Mapping**: CAPEC-114 (Authentication Bypass)
- **MITRE ATT&CK**: T1606.002 (Forge Web Credentials: SAML Tokens)
- **Risk Level**: High
- **Mitigation**: Enforce JWT token validation with short expiration times and refresh token rotation. Implement IP-based anomaly detection for login attempts.

**2. Tampering (T)**
- **Threat**: Database records could be tampered with via SQL injection in the product search functionality.
- **CWE Mapping**: CWE-89 (SQL Injection)
- **CAPEC Mapping**: CAPEC-66 (SQL Injection)
- **MITRE ATT&CK**: T1505.003 (Server Software Component: Web Shell)
- **Risk Level**: Critical
- **Mitigation**: Deploy parameterized queries and input validation. Use a Web Application Firewall (WAF) to block SQLi attempts. Conduct quarterly penetration testing on search endpoints.

**3. Repudiation (R)**
- **Threat**: Admin actions (e.g., order cancellations) lack non-repudiable logging, enabling fraudulent claims.
- **CWE Mapping**: CWE-778 (Insufficient Logging)
- **CAPEC Mapping**: CAPEC-148 (Abuse of Functionality)
- **MITRE ATT&CK**: T1070.001 (Indicator Removal on Host: Clear Windows Event Logs)
- **Risk Level**: Medium
- **Mitigation**: Implement immutable audit logs with blockchain-based integrity checks. Ensure all admin actions are logged with timestamps, user IDs, and IP addresses.

**4. Information Disclosure (I)**
- **Threat**: Customer PII could be exposed via misconfigured S3 buckets in the analytics pipeline.
- **CWE Mapping**: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
- **CAPEC Mapping**: CAPEC-125 (Exploitation of Trusted Credentials)
- **MITRE ATT&CK**: T1530 (Data from Cloud Storage)
- **Risk Level**: High
- **Mitigation**: Conduct a cloud storage audit using tools like **AWS Trusted Advisor** or **Azure Policy**. Apply bucket-level encryption and enforce least-privilege access policies.

**5. Denial of Service (D)**
- **Threat**: The checkout API could be overwhelmed by a DDoS attack during peak sales, disrupting transactions.
- **CWE Mapping**: CWE-400 (Uncontrolled Resource Consumption)
- **CAPEC Mapping**: CAPEC-125 (Exploitation of Trusted Credentials)
- **MITRE ATT&CK**: T1499 (Endpoint Denial of Service)
- **Risk Level**: High
- **Mitigation**: Deploy rate limiting and auto-scaling for the checkout API. Use a CDN to absorb traffic spikes and integrate with **Cloudflare** or **AWS Shield** for DDoS protection.

**6. Elevation of Privilege (E)**
- **Threat**: A privilege escalation vulnerability in the admin dashboard could allow attackers to access customer order histories.
- **CWE Mapping**: CWE-269 (Improper Privilege Management)
- **CAPEC Mapping**: CAPEC-13 (Subverting Environment Variable Values)
- **MITRE ATT&CK**: T1068 (Exploitation for Privilege Escalation)
- **Risk Level**: Critical
- **Mitigation**: Enforce role-based access control (RBAC) and implement multi-factor authentication (MFA) for admin accounts. Conduct regular privilege audits using **OpenIAM** or **Okta**.

#### **Attack Chain Mapping (MITRE ATT&CK)**

The analysis reveals a potential attack chain starting with **T1592 (Gather Victim Host Information)** via phishing emails, followed by **T1055 (Process Injection)** to escalate privileges, and culminating in **T1530 (Data from Cloud Storage)** to exfiltrate PII. Mitigation requires a layered defense strategy, including user training, endpoint detection and response (EDR), and cloud security monitoring.

#### **Recommendations for the Security Team**

1. **Immediate Actions**: Patch SQL injection vulnerabilities in the search API and enforce JWT token validation.
2. **Short-Term**: Deploy WAF rules for the checkout API and conduct a cloud storage audit.
3. **Long-Term**: Implement immutable audit logs and integrate EDR solutions for privilege escalation detection.
4. **Compliance**: Align mitigations with **PCI DSS 4.0** (Requirement 6.5) and **GDPR Article 32** (Security of Processing).
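
The "Review and Validate" and "Prioritize Risks" steps can be partly scripted. The Python below is an added example, not part of the skill or its repository: it parses findings written in the layout of the sample output, ranks them by risk level, and flags identifiers that are malformed or mapped to more than one STRIDE category, so a reviewer can check those against the CWE, CAPEC and ATT&CK catalogs. The function names and the abridged `SAMPLE` input are assumptions made for the illustration.

```python
import re

RISK_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
ID_FORMATS = {  # field label used in the report -> expected identifier shape
    "CWE Mapping": re.compile(r"CWE-\d+"),
    "CAPEC Mapping": re.compile(r"CAPEC-\d+"),
    "MITRE ATT&CK": re.compile(r"T\d{4}(?:\.\d{3})?"),
}
HEADING = re.compile(r"\*\*\d+\.\s+(.+?)\s+\((\w)\)\*\*")
# A bullet ends at the next " - **" (same line or next line) or at end of text.
FIELD = re.compile(r"-\s+\*\*(.+?)\*\*:\s*(.*?)(?=\s+-\s+\*\*|\s*$)", re.S)

# Constructed input: three findings from the sample output, with the Threat and
# Mitigation bullets and the descriptive names omitted.
SAMPLE = """
**3. Repudiation (R)**
- **CWE Mapping**: CWE-778 - **CAPEC Mapping**: CAPEC-148
- **MITRE ATT&CK**: T1070.001 - **Risk Level**: Medium
**4. Information Disclosure (I)**
- **CWE Mapping**: CWE-200 - **CAPEC Mapping**: CAPEC-125
- **MITRE ATT&CK**: T1530 - **Risk Level**: High
**5. Denial of Service (D)**
- **CWE Mapping**: CWE-400 - **CAPEC Mapping**: CAPEC-125
- **MITRE ATT&CK**: T1499 - **Risk Level**: High
"""

def parse_findings(md):
    """Return one dict per STRIDE finding found in the report text."""
    parts = HEADING.split(md)[1:]  # name, letter, body, name, letter, body, ...
    findings = []
    for name, letter, body in zip(parts[0::3], parts[1::3], parts[2::3]):
        body = body.split("####")[0]  # stop before any following report section
        fields = {k.strip(): v.strip() for k, v in FIELD.findall(body)}
        findings.append({"category": name, "letter": letter, **fields})
    return findings

def review(findings):
    """Rank findings by risk and list the points a human reviewer must check."""
    issues, seen = [], {}
    for f in findings:
        cat = f["category"]
        for field, pattern in ID_FORMATS.items():
            m = pattern.match(f.get(field, ""))
            if not m:
                issues.append(f"{cat}: missing or malformed {field}")
            elif seen.setdefault(m.group(0), cat) != cat:
                issues.append(f"{m.group(0)} mapped to both {seen[m.group(0)]} and {cat}")
        if f.get("Risk Level") not in RISK_ORDER:
            issues.append(f"{cat}: unknown risk level")
    ranked = sorted(findings, key=lambda f: RISK_ORDER.get(f.get("Risk Level"), 99))
    return ranked, issues
```

An identifier that appears under two categories is not necessarily wrong, but it is a cheap signal that one of the mappings deserves a manual lookup before the model is accepted.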