Threat Modeling Toolkit
Threat modeling inside your developer tools. No new UI. No external platform.
Installation
In Claude Code, run these two commands:
/plugin marketplace add josemlopez/threat-modeling-toolkit
/plugin install threat-modeling-toolkit@josemlopez
That's it. All 9 skills are now available.
Verify it worked:
/tm-status
Quick Start: Try It in 2 Minutes
Try the toolkit on an included test project.
Step 1: Clone the test project
git clone https://github.com/josemlopez/threat-modeling-toolkit.git
cd threat-modeling-toolkit/TEST/simple-app
Step 2: Run the full analysis
In Claude Code:
/tm-full --docs ./docs --compliance owasp,soc2
Step 3: See the results
.threatmodel/
├── state/
│ ├── assets.json # 5 assets discovered
│ ├── threats.json # 15 threats identified
│ ├── controls.json # 5 implemented, 7 missing
│ └── gaps.json # 10 security gaps
├── diagrams/
│ └── architecture.mmd # Mermaid diagram
└── reports/
├── risk-report.md # Full findings
└── compliance-report.md # OWASP 52%, SOC2 48%
Step-by-Step Tutorial
Let's walk through each skill using the TEST/simple-app project (a React + Express + PostgreSQL task manager with intentional security gaps).
Step 1: Initialize the Threat Model
/tm-init --docs ./docs
What it does: Reads your architecture documentation and extracts assets, data flows, trust boundaries, and attack surface.
Output:
Threat Model Initialized
========================
Project: TaskFlow
Framework: STRIDE
Discovered:
- 5 assets (1 client, 1 service, 1 data-store, 1 identity, 1 integration)
- 8 data flows (8 cross trust boundaries)
- 4 trust boundaries
- 8 attack surface entries
Created:
.threatmodel/config.yaml
.threatmodel/state/assets.json
.threatmodel/state/dataflows.json
.threatmodel/diagrams/architecture.mmd
Next Steps:
Run /tm-threats to analyze threats
Files created:
assets.json — React Frontend, Express API, PostgreSQL, JWT Auth, SendGridattack-surface.json — All API endpoints with auth requirementsarchitecture.mmd — Mermaid diagram ready to render
Step 2: Analyze Threats
/tm-threats
What it does: Applies STRIDE analysis to every asset and data flow. Generates attack trees for critical threats.
Output:
Threat Analysis Complete
========================
Framework: STRIDE
Assets Analyzed: 5
Threats Identified:
Critical: 4
High: 7
Medium: 4
Total: 15
Top Critical Threats:
1. [THREAT-001] Credential Stuffing Attack (Risk: 16)
2. [THREAT-003] BOLA - Task Update (Risk: 16)
3. [THREAT-004] BOLA - Task Delete (Risk: 16)
4. [THREAT-013] Missing MFA (Risk: 16)
Files Updated:
.threatmodel/state/threats.json
.threatmodel/state/attack-trees.json
.threatmodel/state/risk-register.json
Next Steps:
Run /tm-verify to check control implementations
What you'll find in threats.json:
Each threat includes category, target, risk score, MITRE ATT&CK mapping, CWE references, and recommended countermeasures.
Step 3: Verify Controls in Code
/tm-verify
What it does: Searches your codebase to verify security controls actually exist. Provides file:line evidence.
Output:
Control Verification Complete
=============================
Controls Analyzed: 15
Verification Results:
✓ Implemented: 5 (33%)
⚠ Partial: 3 (20%)
✗ Missing: 7 (47%)
Gaps Identified:
Critical: 3
High: 5
Medium: 2
Files Updated:
.threatmodel/state/controls.json
.threatmodel/state/gaps.json
Next Steps:
Run /tm-compliance to map to frameworks
Evidence found:
| Control | Status | Evidence |
|---|
| Password Hashing | ✓ | src/routes/auth.js:20 - bcrypt cost 10 |
| JWT Authentication | ✓ | src/middleware/auth.js:16 |
| Rate Limiting (login) | ✓ | src/middleware/rateLimiter.js:4-10 |
| BOLA Protection | ✗ | Missing in src/routes/tasks.js:44 |
| MFA | ✗ | Not found |
Step 4: Map to Compliance Frameworks
/tm-compliance --framework owasp,soc2
What it does: Maps your threats and controls to OWASP Top 10, SOC2, PCI-DSS.
Output:
Compliance Mapping Complete
===========================
