Threat Model (Lite)
When to use
Use this skill when planning a feature, reviewing an architecture, or preparing security requirements.
Inputs to collect (if available)
- •Entry points (endpoints/jobs)
- •Assets and sensitivities (PII, secrets, money movement)
- •External services and trust assumptions
- •Deployment details (internet-facing, multi-tenant, auth model)
Step-by-step process
- •Define scope
- •What is being built/changed? What is explicitly out of scope?
- •Describe the system
- •Components, identities, data stores, external dependencies
- •Identify assets
- •Secrets, PII, money-moving actions, admin capabilities, integrity-critical data
- •Map trust boundaries
- •Internet ↔ edge, edge ↔ app, app ↔ data, service ↔ service
- •List top threats (ranked)
- •Use STRIDE reasoning; focus on realistic threats
- •Mitigations
- •Prevent: validation, authz, rate limiting, encryption
- •Detect: logs, alerts, anomaly detection
- •Respond: rollback, key rotation, incident playbooks
- •Residual risk
- •What remains and why; follow-ups
Output template
- •System overview
- •Data flows (bulleted)
- •Assets
- •Trust boundaries
- •Top threats + mitigations
- •Residual risk + next steps
Output format
- •Scope
- •Assets & trust boundaries
- •Top threats (ranked) with mitigations (prevent/detect/respond)
- •Validation scenarios (3)
Examples
- •“New webhook endpoint” → threats: spoofing, replay, SSRF; mitigations: signature validation, nonce/timestamp, allow-listed egress.