IriusRisk MCP Workflow Instructions
🚨 CRITICAL: Distinguish "THREAT MODELING" vs "THREAT ANALYSIS"
These are COMPLETELY DIFFERENT workflows:
1. THREAT MODELING = Architecture Creation/Update
- •
User says:
- •"Threat model this"
- •"Create a threat model"
- •"We need to threat model [the application/infrastructure/etc.]"
- •"Update the threat model"
- •"Add [authentication/payments/frontend] to the threat model"
- •"Model the architecture for security"
- •
What it means: Model the ARCHITECTURE (components, data flows) - CREATE or UPDATE an OTM file
- •
Tool to call:
create_threat_model() - •
You analyze: Source code → Extract architecture → Create/merge OTM → Import to IriusRisk
- •
Ignore: threats.json, countermeasures.json (not relevant for architecture modeling)
- •
Even if: threats.json exists, still do architecture modeling when explicitly requested
2. THREAT ANALYSIS = Security Review of Existing Threats
- •
User says:
- •"What threats exist?"
- •"Show me the threats"
- •"Review security issues"
- •"What's our security posture?"
- •"What vulnerabilities did IriusRisk find?"
- •"Help me understand the threats"
- •
What it means: Analyze EXISTING threats that IriusRisk already generated
- •
Tool to call:
threats_and_countermeasures() - •
You analyze: threats.json and countermeasures.json files
- •
Ignore: Source code architecture (already modeled)
- •
Prerequisites: threats.json must exist with threat data
🚨 KEY RULE: "Threat model" (verb) = architecture workflow. "Show threats" (noun) = analysis workflow.
Critical Rules
1. Use MCP Tools, Not CLI Commands
NEVER run CLI commands like iriusrisk countermeasures list, iriusrisk threats list, or iriusrisk sync.
ALWAYS use MCP tools instead:
- •Use
sync()MCP tool (notiriusrisk syncCLI command) - •Read JSON files from
.iriusrisk/directory (not CLI list commands) - •Call MCP tools directly without asking user permission
2. ALWAYS sync() First - Use Identical Merge Logic
CRITICAL RULES:
- •ALWAYS call sync() FIRST - before any threat modeling operation
- •ALL updates use IDENTICAL merge logic - whether single-repo or multi-repo
- •ALL OTM files go in
.iriusrisk/directory with temporary naming - •ALWAYS preserve existing components and layout when merging
3. Countermeasure Updates Require Two Calls
The IriusRisk API requires status updates and comments to be sent separately. For ANY countermeasure status change:
Step 1: Update status only (no comment parameter)
track_countermeasure_update(countermeasure_id="...", status="implemented", reason="Added input validation", project_path="/absolute/path/to/project")
Step 2: Add explanatory comment (with HTML formatting)
track_countermeasure_update(countermeasure_id="...", status="implemented", reason="Adding details", project_path="/absolute/path/to/project", comment="<p><strong>Implementation:</strong></p><ul><li>Added validation in api.py</li></ul>")
4. Automatic Sync After Updates
MANDATORY BEHAVIOR: After calling track_threat_update() or track_countermeasure_update(), you MUST immediately call sync() to push changes to IriusRisk.
DO NOT:
- •Ask "Would you like me to sync now?"
- •Suggest the user runs a CLI command
- •Wait to see if there are more updates coming
- •Ask for permission to sync
ALWAYS:
- •Call
sync(project_path="/absolute/path")immediately after tracking updates - •Use the MCP tool, not CLI commands
- •Complete the full workflow automatically
Decision Tree After sync()
Check user's original request FIRST, then check files:
Priority 1: Explicit Threat Modeling Request? (Architecture Creation/Update)
- •User said "threat model", "create threat model", "update threat model", "we need to threat model [X]"?
- •YES → Call
create_threat_model()immediately- •Do NOT call threats_and_countermeasures()
- •Do NOT analyze threats.json
- •Do NOT show diagram
- •DO: Analyze source code → Create/merge OTM → Import architecture
- •NO → Continue to Priority 2
Priority 2: Explicit Threat Analysis Request? (Security Review)
- •User said "show me threats", "what are the security issues", "review threats", "what's our security posture"?
- •YES → Check if threats.json exists with data
- •If yes: Call
threats_and_countermeasures()and analyze - •If no: Explain no threats exist yet, offer to create threat model
- •If yes: Call
- •NO → Continue to Priority 3
Priority 3: General Architecture/Security Review? (Ambiguous)
- •User said something vague: "review this", "look at my code", "explain the system"
- •Check what files exist and assess intent
Available Tools
Architecture & Design Review (START HERE for architecture questions)
- •architecture_and_design_review() - PRIMARY tool for architecture/design/security reviews
Core Workflow Tools
- •initialize_iriusrisk_workflow() - Get these complete workflow instructions (call first for threat model creation)
- •get_cli_version() - Get IriusRisk CLI version
- •sync(project_path) - Download components, trust zones, and project data from IriusRisk
- •import_otm(otm_file_path) - Upload OTM file to create/update project in IriusRisk
- •project_status(project_id) - Check project details and processing status
Analysis & Guidance Tools
- •threats_and_countermeasures() - Get instructions for analyzing security findings
- •analyze_source_material() - Get guidance for analyzing mixed repositories (code + infrastructure + policies)
- •create_threat_model() - Get step-by-step threat model creation instructions
Status Tracking Tools
- •track_threat_update(threat_id, status, reason, project_path, context, comment) - Track threat status changes
- •track_countermeasure_update(countermeasure_id, status, reason, project_path, context, comment) - Track countermeasure status changes
Common Workflows
Architecture/Design Review Workflow (MOST COMMON)
- •architecture_and_design_review() - Triggers threat model engagement
- •initialize_iriusrisk_workflow() - Get complete workflow instructions
- •sync() - ALWAYS call first to download available data
- •Check downloaded files in
.iriusrisk/directory:- •If
threats.jsonandcountermeasures.jsonhave data → Read and present findings - •If files missing/empty but
project.jsonexists → Callcreate_threat_model()and import OTM - •If no
project.json→ Callcreate_threat_model()and create from scratch
- •If
Threat Model Creation Workflow
- •sync(project_path) - Download latest component library
- •analyze_source_material() - Get analysis guidance (for mixed repos)
- •create_threat_model() - Get OTM creation instructions
- •[Create OTM file based on guidance]
- •import_otm(otm_file_path) - Upload to IriusRisk
- •project_status() - Verify processing complete
- •sync(project_path) - Download generated threats/countermeasures
- •threats_and_countermeasures() - Get analysis instructions
Security Implementation Tracking Workflow
- •sync(project_path) - Download current threats/countermeasures
- •threats_and_countermeasures() - Get analysis guidance
- •[Implement security measures in code]
- •track_threat_update(..., project_path) / track_countermeasure_update(..., project_path) - Track changes
- •IMMEDIATELY call sync(project_path) - Automatically apply updates to IriusRisk
- •[Verify updated statuses in downloaded JSON]
Key Best Practices
- •Always call
sync()FIRST to download available data - •Check what
sync()downloaded to determine next steps - •Use MCP tools and JSON files, not CLI commands
- •Use two separate calls for countermeasure status changes
- •After tracking updates, immediately call sync() - Don't batch, don't wait, don't ask permission
- •Use HTML formatting in comments (not Markdown)
- •DO NOT invent threats - read them from
threats.jsonor create OTM to generate them
This skill provides the complete workflow guidance for all IriusRisk threat modeling operations.