hardw00t/threat-modeling
skills/threat-modeling/SKILL.md
Threat modeling skill for identifying security threats, attack surfaces, and designing mitigations. This skill should be used when performing threat assessments using STRIDE, PASTA, or Attack Trees, creating data flow diagrams, identifying trust boundaries, analyzing attack surfaces, or designing security controls for applications and systems. Triggers on requests to threat model, analyze attack surface, create DFD, apply STRIDE methodology, or assess security architecture.
$ install --global
skillsauthnpx skillsauth add hardw00t/ai-security-arsenal threat-modelingInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 5, 2026, 5:10 PM7.1s1 file scanned
SKILL.md
- name:
- threat-modeling
- description:
- Threat modeling skill for identifying security threats, attack surfaces, and designing mitigations. This skill should be used when performing threat assessments using STRIDE, PASTA, or Attack Trees, creating data flow diagrams, identifying trust boundaries, analyzing attack surfaces, or designing security controls for applications and systems. Triggers on requests to threat model, analyze attack surface, create DFD, apply STRIDE methodology, or assess security architecture.
Threat Modeling
This skill enables systematic security analysis of applications and systems through structured threat identification methodologies including STRIDE, PASTA, Attack Trees, and DREAD scoring. It covers creating data flow diagrams, identifying trust boundaries, and designing security controls.
When to Use This Skill
This skill should be invoked when:
- Starting a new project security assessment
- Designing security architecture for systems
- Identifying threats using STRIDE methodology
- Creating data flow diagrams (DFDs)
- Analyzing attack surfaces
- Prioritizing security risks with DREAD
- Designing mitigations for identified threats
Trigger Phrases
- "threat model this application"
- "identify threats using STRIDE"
- "create a data flow diagram"
- "analyze the attack surface"
- "what are the security threats"
- "design security controls"
Threat Modeling Methodologies
Methodology Comparison
| Method | Focus | Best For | Complexity | |--------|-------|----------|------------| | STRIDE | Threat categories | Developer-focused, applications | Medium | | PASTA | Risk-centric | Business-aligned, compliance | High | | Attack Trees | Attack paths | Specific threat scenarios | Low-Medium | | DREAD | Risk scoring | Prioritization | Low | | LINDDUN | Privacy | Data protection, GDPR | Medium | | OCTAVE | Enterprise | Organization-wide risk | High |
STRIDE Methodology
STRIDE Categories
## S - Spoofing Identity
**Definition**: Pretending to be someone or something else
**Examples**:
- Using stolen credentials
- Session hijacking
- IP spoofing
- Phishing attacks
**Controls**:
- Strong authentication (MFA)
- Certificate pinning
- Session management
- Anti-phishing measures
## T - Tampering with Data
**Definition**: Modifying data maliciously
**Examples**:
- SQL injection
- Man-in-the-middle attacks
- File modification
- Memory corruption
**Controls**:
- Input validation
- Integrity checks (HMAC, signatures)
- Encryption in transit
- Access controls
## R - Repudiation
**Definition**: Denying having performed an action
**Examples**:
- Deleting logs
- Claiming never made a transaction
- Denying access to resources
- Falsifying records
**Controls**:
- Audit logging
- Digital signatures
- Timestamps
- Non-repudiation mechanisms
## I - Information Disclosure
**Definition**: Exposing information to unauthorized entities
**Examples**:
- Data breaches
- Error message leakage
- Side-channel attacks
- Improper access controls
**Controls**:
- Encryption at rest/transit
- Access control
- Data classification
- Secure error handling
## D - Denial of Service
**Definition**: Making a system unavailable
**Examples**:
- DDoS attacks
- Resource exhaustion
- Crash bugs
- Algorithmic complexity attacks
**Controls**:
- Rate limiting
- Resource quotas
- CDN/WAF
- Graceful degradation
## E - Elevation of Privilege
**Definition**: Gaining higher privileges than authorized
**Examples**:
- Buffer overflow exploits
- Privilege escalation bugs
- SQL injection to admin
- RBAC bypass
**Controls**:
- Least privilege
- Input validation
- Sandboxing
- Regular patching
STRIDE per Element Analysis
## Element Types & Applicable Threats
| Element | S | T | R | I | D | E |
|---------|---|---|---|---|---|---|
| External Entity | ✓ | | ✓ | | | |
| Process | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Data Store | | ✓ | ? | ✓ | ✓ | |
| Data Flow | | ✓ | | ✓ | ✓ | |
### Analysis Process
1. Decompose system into DFD elements
2. Apply STRIDE to each element
3. For each applicable threat category:
- Identify specific threats
- Assess likelihood and impact
- Design mitigations
- Document residual risk
Data Flow Diagrams (DFD)
DFD Elements
## Element Symbols
┌─────────────────┐
│ External │ Rectangle: External Entity
│ Entity │ (users, external systems)
└─────────────────┘
┌─────┐
│ │
│ ●──│──────> Circle: Process
│ │ (transforms data)
└─────┘
═══════════════ Parallel lines: Data Store
═══════════════ (databases, files, queues)
─────────────> Arrow: Data Flow
(data movement)
- - - - - - - - Dotted line: Trust Boundary
(security perimeter)
Example: Web Application DFD
┌─────────────────────────────────────────────┐
│ TRUST BOUNDARY │
│ ┌─────────────────────────────────────┐ │
┌──────────┐ │ │ │ │
│ │ HTTPS │ │ ┌─────────┐ ┌─────────┐ │ │
│ User │───────┼──┼──>│ Web │─────>│ API │ │ │
│ (Browser)│ │ │ │ Server │ │ Server │ │ │
└──────────┘ │ │ └─────────┘ └────┬────┘ │ │
│ │ │ │ │
│ │ │ SQL │ │
│ │ ─────┴───── │ │
│ │ ═══════════ │ │
│ │ Database │ │
│ │ ═══════════ │ │
│ └─────────────────────────────────────┘ │
└─────────────────────────────────────────────┘
External Services:
┌──────────┐
│ Payment │<──── External API calls
│ Gateway │
└──────────┘
Trust Boundaries
## Common Trust Boundaries
1. **Internet / DMZ**
- Public network to internal network
- Firewall boundary
2. **DMZ / Internal Network**
- Web servers to application servers
- Different security zones
3. **Application / Database**
- App tier to data tier
- Different privilege levels
4. **User / Admin**
- Regular user functions vs admin
- Role-based boundaries
5. **Client / Server**
- Browser/mobile app to backend
- Untrusted client code
## Questions for Each Boundary
- What crosses this boundary?
- What authentication/authorization exists?
- What can an attacker do from outside?
- What if boundary is bypassed?
Attack Surface Analysis
Attack Surface Components
## Entry Points
### Network
- Open ports and services
- API endpoints
- WebSocket connections
- Protocol handlers
### Application
- User input fields
- File uploads
- API parameters
- Authentication endpoints
- Session management
### Data
- Database interfaces
- File system access
- Memory/cache access
- Configuration files
### Physical/Environment
- Physical access points
- USB/removable media
- Hardware interfaces
Attack Surface Reduction
## Reduction Strategies
### 1. Minimize Entry Points
- [ ] Close unnecessary ports
- [ ] Remove unused endpoints
- [ ] Disable unused features
- [ ] Remove debug interfaces
### 2. Reduce Privileges
- [ ] Least privilege principle
- [ ] Service accounts with minimal rights
- [ ] Role-based access control
- [ ] Time-limited access
### 3. Limit Data Exposure
- [ ] Minimize data collection
- [ ] Data masking/tokenization
- [ ] Encryption at rest
- [ ] Secure deletion
### 4. Code Reduction
- [ ] Remove unused code
- [ ] Minimize dependencies
- [ ] Disable unnecessary features
- [ ] Configuration hardening
PASTA Methodology
PASTA Stages
## Stage 1: Define Objectives
- Business objectives
- Security requirements
- Compliance requirements
- Risk tolerance
## Stage 2: Define Technical Scope
- System architecture
- Technology stack
- Data flows
- Integration points
## Stage 3: Application Decomposition
- Identify components
- Map data flows
- Identify assets
- Trust boundaries
## Stage 4: Threat Analysis
- Identify threat sources
- Enumerate threat scenarios
- Map to attack patterns
- Use threat intelligence
## Stage 5: Vulnerability Analysis
- Known vulnerabilities
- Design weaknesses
- Implementation flaws
- Configuration issues
## Stage 6: Attack Modeling
- Attack trees
- Attack scenarios
- Exploit analysis
- Attack probability
## Stage 7: Risk & Impact Analysis
- Risk calculation
- Impact assessment
- Prioritization
- Mitigation planning
Attack Trees
Attack Tree Structure
## Tree Components
ROOT: Ultimate attack goal
├── OR: Alternative methods (any one succeeds)
│ ├── AND: Required steps (all must succeed)
│ │ ├── Leaf: Atomic attack step
│ │ └── Leaf: Atomic attack step
│ └── Leaf: Alternative atomic attack
└── OR: Another path to goal
└── AND: Required combination
├── Leaf: Step 1
└── Leaf: Step 2
Example: Compromise User Account
Compromise User Account
├── OR: Steal Credentials
│ ├── Phishing Attack
│ │ └── AND
│ │ ├── Create fake login page
│ │ └── Lure user to page
│ ├── Credential Stuffing
│ │ └── AND
│ │ ├── Obtain breached credentials
│ │ └── Try against target
│ └── Keylogger
│ └── AND
│ ├── Install malware
│ └── Capture keystrokes
├── OR: Session Hijacking
│ ├── XSS to steal token
│ │ └── AND
│ │ ├── Find XSS vulnerability
│ │ └── Inject payload
│ └── Session fixation
│ └── AND
│ ├── Set session ID
│ └── User authenticates
├── OR: Password Reset Exploit
│ ├── Weak reset questions
│ └── Email interception
└── OR: Brute Force
└── AND
├── Enumerate usernames
└── Password spray attack
Attack Tree Analysis
## Annotations
### Probability (P)
- High (H): Likely to succeed
- Medium (M): Possible
- Low (L): Unlikely
### Cost (C)
- High ($$$): Expensive resources
- Medium ($$): Moderate investment
- Low ($): Minimal cost
### Skill (S)
- Expert: Advanced knowledge required
- Intermediate: Some expertise
- Novice: Basic skills
## Node Evaluation
Each leaf node: P × C × S = Threat Score
Combine up tree based on AND/OR logic
DREAD Risk Scoring
DREAD Categories
## D - Damage (0-10)
How bad would an attack be?
- 0: Nothing
- 5: Individual user data
- 10: Complete system compromise
## R - Reproducibility (0-10)
How easy to reproduce the attack?
- 0: Very hard, rare conditions
- 5: Requires specific configuration
- 10: Always reproducible
## E - Exploitability (0-10)
How easy to launch the attack?
- 0: Requires advanced knowledge
- 5: Requires some expertise
- 10: Novice can exploit
## A - Affected Users (0-10)
How many users affected?
- 0: None
- 5: Some users
- 10: All users
## D - Discoverability (0-10)
How easy to find the vulnerability?
- 0: Very difficult to find
- 5: Can be found with effort
- 10: Easily visible
DREAD Calculation
## Risk Score = (D + R + E + A + D) / 5
### Rating Scale
- 12-15: Critical
- 9-12: High
- 6-9: Medium
- 3-6: Low
- 0-3: Informational
### Example: SQL Injection in Login
- Damage: 10 (Full database access)
- Reproducibility: 10 (Always works)
- Exploitability: 6 (Requires some skill)
- Affected Users: 10 (All users)
- Discoverability: 6 (Found by testing)
Score = (10+10+6+10+6)/5 = 8.4 (Medium-High)
Threat Modeling Process
Step-by-Step Guide
## 1. Preparation
- [ ] Gather architecture documentation
- [ ] Identify stakeholders
- [ ] Define scope and boundaries
- [ ] Schedule modeling session
## 2. System Decomposition
- [ ] Create/update DFD
- [ ] Identify all entry points
- [ ] Map data flows
- [ ] Mark trust boundaries
- [ ] List assets to protect
## 3. Threat Identification
- [ ] Apply STRIDE per element
- [ ] Use threat libraries
- [ ] Consider abuse cases
- [ ] Review historical threats
## 4. Threat Analysis
- [ ] Assess likelihood
- [ ] Evaluate impact
- [ ] Calculate risk scores
- [ ] Prioritize threats
## 5. Mitigation Design
- [ ] Identify controls for each threat
- [ ] Map to security requirements
- [ ] Consider defense in depth
- [ ] Document residual risk
## 6. Validation
- [ ] Review with security team
- [ ] Validate with developers
- [ ] Get stakeholder sign-off
- [ ] Plan for updates
Threat Libraries
## CAPEC (Common Attack Pattern Enumeration)
- Standard attack pattern catalog
- Categories: Social Engineering, Injection, etc.
- https://capec.mitre.org
## OWASP Top 10
- Web application threats
- Updated periodically
- https://owasp.org/Top10/
## MITRE ATT&CK
- Adversary tactics and techniques
- Enterprise/Mobile/ICS matrices
- https://attack.mitre.org
## CWE (Common Weakness Enumeration)
- Software weakness types
- Maps to vulnerabilities
- https://cwe.mitre.org
Threat Modeling Tools
Tool Comparison
| Tool | Type | Cost | Features | |------|------|------|----------| | Microsoft Threat Modeling Tool | Desktop | Free | STRIDE, DFD templates | | OWASP Threat Dragon | Web/Desktop | Free | DFD, STRIDE, reporting | | IriusRisk | SaaS | Paid | Automation, integrations | | ThreatModeler | SaaS | Paid | Enterprise, compliance | | Threagile | CLI | Free | As-code, YAML-based | | draw.io | Web | Free | Manual DFD creation |
OWASP Threat Dragon
# Install
npm install -g owasp-threat-dragon
# Run locally
threat-dragon
# Key features:
# - DFD creation
# - STRIDE per element
# - Threat suggestions
# - Report generation
Threagile (Threat Modeling as Code)
# threagile.yaml
title: My Application Threat Model
date: 2024-01-15
technical_assets:
web_server:
id: web-server
usage: business
type: process
technologies:
- web-server
internet: true
machine: container
encryption: none
database:
id: database
type: datastore
technologies:
- database
encryption: transparent
data_assets:
customer_data:
id: customer-data
usage: business
quantity: many
confidentiality: confidential
integrity: critical
availability: critical
trust_boundaries:
dmz:
id: dmz
type: network-cloud-security-group
technical_assets_inside:
- web-server
communication_links:
web_to_db:
source_id: web-server
target_id: database
protocol: tcp
authentication: credentials
Security Control Mapping
Control Categories
## Preventive Controls
- Stop threats before they occur
- Examples: Firewalls, input validation, encryption
## Detective Controls
- Identify when threats occur
- Examples: IDS, logging, monitoring
## Corrective Controls
- Respond to threats after detection
- Examples: Incident response, patching, recovery
## Deterrent Controls
- Discourage threat actors
- Examples: Legal warnings, security awareness
STRIDE to Controls Matrix
| STRIDE | Controls |
|--------|----------|
| Spoofing | MFA, certificates, session management |
| Tampering | Integrity checks, signatures, validation |
| Repudiation | Audit logs, digital signatures, timestamps |
| Info Disclosure | Encryption, access control, masking |
| DoS | Rate limiting, quotas, redundancy |
| Elevation | Least privilege, sandboxing, RBAC |
Reporting Template
# Threat Model Report
## Document Information
- Application: [Name]
- Version: [X.Y]
- Date: YYYY-MM-DD
- Author: [Name]
- Reviewers: [Names]
## Executive Summary
Brief overview of the system, key assets, major threats identified,
and overall risk posture.
## System Overview
### Architecture
[DFD diagram]
### Components
| Component | Description | Technology |
|-----------|-------------|------------|
| Web Server | Handles HTTP requests | Nginx |
| API | Business logic | Node.js |
| Database | Data storage | PostgreSQL |
### Trust Boundaries
1. Internet / DMZ
2. DMZ / Internal
3. Application / Database
### Assets
| Asset | Sensitivity | Value |
|-------|-------------|-------|
| User credentials | High | Critical |
| Personal data | High | High |
| Session tokens | High | High |
## Threat Analysis
### Threat: SQL Injection in Login
**STRIDE Category**: Tampering, Information Disclosure, Elevation of Privilege
**Attack Vector**: Malicious input in username/password fields
**DREAD Score**: 8.4 (High)
**Current State**: No input validation
**Proposed Mitigation**: Parameterized queries, input validation
**Residual Risk**: Low (after mitigation)
### Threat: Session Hijacking
[Similar format for each threat]
## Risk Summary
| Threat | DREAD | Mitigation | Residual |
|--------|-------|------------|----------|
| SQL Injection | 8.4 | Parameterized queries | Low |
| XSS | 7.2 | Output encoding | Low |
| Brute Force | 5.0 | Rate limiting, MFA | Low |
## Recommendations
### Priority 1 (Immediate)
1. Implement parameterized queries
2. Add output encoding
### Priority 2 (Short-term)
1. Enable MFA
2. Implement rate limiting
### Priority 3 (Long-term)
1. Security awareness training
2. Regular penetration testing
## Appendix
- Full DFD
- STRIDE analysis worksheets
- Control implementation details
Bundled Resources
scripts/
stride_analyzer.py- STRIDE threat enumerationdread_calculator.py- DREAD score calculationthreat_report.py- Generate threat model reports
references/
stride_threats.md- STRIDE threat examples by elementcontrol_catalog.md- Security control referenceattack_patterns.md- Common attack patterns
templates/
threat_model_template.md- Report templatedfd_template.drawio- DFD template for draw.iostride_worksheet.xlsx- STRIDE analysis worksheet
Related Skills
hardw00t/sca-security
development
VerifiedTrustedCommunity
Software Composition Analysis: find vulnerable dependencies, correlate CVE/GHSA/OSV across ecosystems, generate CycloneDX/SPDX SBOMs, assess license compliance, and run reachability-aware triage to suppress unexploitable findings. Use when scanning package dependencies (npm, PyPI, Maven, Cargo, Go, RubyGems, Composer), reviewing PR lockfile diffs, generating SBOMs, auditing licenses, hunting malicious packages, or auditing the software supply chain. Triggers on requests to scan dependencies, check vulnerable packages, generate SBOM, license compliance, typosquat/dependency-confusion review, or reachability-based vuln triage.
37SKILL.mdUpdated Apr 5, 2026
hardw00t/sast-orchestration
development
VerifiedTrustedCommunity
Static Application Security Testing orchestration — run and compose Semgrep, CodeQL, Bandit, gosec, Brakeman, SpotBugs, ESLint; author custom rules; ingest SARIF; triage and rank findings by exploitability. Use this skill when asked to scan code for vulnerabilities, write Semgrep/CodeQL rules, triage SAST output, reduce false positives, or integrate SAST into CI/CD. Triggers on phrases like 'scan this code', 'write a Semgrep rule', 'triage these findings', 'SARIF', 'SAST in CI', or when a repo is handed over for a security review.
37SKILL.mdUpdated Apr 5, 2026
hardw00t/network-pentest
testing
VerifiedTrustedCommunity
Internal network and Active Directory penetration testing skill for corporate environments. Use when performing authorized internal network assessments, AD attack path analysis, lateral movement, privilege escalation, and post-exploitation across Windows/Linux estates. Covers BloodHound, Impacket, NetExec/CrackMapExec, Responder, Rubeus, mimikatz, certipy. Triggers on requests to pentest internal networks, attack AD, perform lateral movement, Kerberoast, DCSync, or escalate privileges.
37SKILL.mdUpdated Apr 5, 2026
hardw00t/llm-security
tools
VerifiedTrustedCommunity
LLM and AI application security testing skill for prompt injection (direct, indirect, multimodal), system-prompt extraction, RAG poisoning, memory poisoning, MCP server injection, skill-file injection, agentic tool misuse, computer-use UI injection, and excessive agency. Authorization required — this skill tests AI systems you are explicitly permitted to assess. Triggers on requests to test LLM / AI-agent / RAG / MCP / computer-use security, perform prompt injection, extract system prompts, poison RAG or memory, audit agent tool use, or evaluate AI guardrails.
37SKILL.mdUpdated Apr 5, 2026