From grimoire
Applies STRIDE threat modeling to system data flow diagrams to enumerate threats, assess risk, and produce prioritized mitigations. Use during system design, architecture review, or before security audits.
Slash command: /grimoire:design-threat-model
Apply STRIDE to a system's data flow diagram to systematically enumerate threats, assess risk, and produce a prioritized mitigation list.
Adopted by: Microsoft has required threat modeling for all new product features since the Security Development Lifecycle (SDL) was mandated company-wide in 2004 following the "Trustworthy Computing" memo. Amazon, Google, and Meta all document threat modeling as part of their security review gates. OWASP's Threat Modeling Cheat Sheet (updated 2023) formalizes STRIDE as the recommended entry-point methodology for organizations without dedicated security teams.

Impact: Microsoft's SDL data (published by Adam Shostack in "Threat Modeling: Designing for Security", 2014) showed that finding and fixing a vulnerability during design costs ~$0.10 per defect vs. ~$100 in production — a 1000× cost difference. The 2020 Verizon Data Breach Investigations Report (DBIR) found that 86% of breaches involved threats that were categorized under STRIDE (primarily spoofing, information disclosure, and elevation of privilege) — all findable at design time.

Why best: Ad hoc security review ("is this secure?") produces inconsistent coverage and depends on reviewer expertise. STRIDE ensures every trust boundary is examined against six threat categories in a repeatable, auditable way. Compared to PASTA or attack trees, STRIDE is faster to learn and produces immediately actionable findings for developers without a security background.
Sources: Adam Shostack, "Threat Modeling: Designing for Security" (Wiley, 2014); Microsoft SDL (microsoft.com/en-us/securityengineering/sdl); OWASP Threat Modeling Cheat Sheet (owasp.org); Verizon DBIR 2020
Sketch the system using four elements:
Mark every trust boundary (dashed line) where data crosses privilege levels: browser → API, API → database, internal service → external service.
Minimum viable DFD: one page, covers all external-facing flows and trust boundaries.
For every process, data store, and data flow that crosses a trust boundary, ask each STRIDE question:
| Letter | Threat | Question to ask | Common controls |
|---|---|---|---|
| S | Spoofing | Can an attacker impersonate a legitimate identity? | Authentication, MFA, mutual TLS |
| T | Tampering | Can data be modified in transit or at rest? | HMAC, signing, integrity checks, TLS |
| R | Repudiation | Can an actor deny performing an action? | Audit logging, non-repudiation tokens |
| I | Information Disclosure | Can sensitive data be read by unauthorized parties? | Encryption at rest/transit, access control |
| D | Denial of Service | Can availability be degraded or eliminated? | Rate limiting, circuit breakers, quotas |
| E | Elevation of Privilege | Can an actor gain more permissions than granted? | Least privilege, input validation, RBAC |
For each threat identified, write one line:
```
[STRIDE-category] [Element] — [threat description] — [proposed control]
```
Use DREAD or a simple 3×3 matrix (Likelihood × Impact) for each threat. At minimum, classify each as High / Medium / Low.
Prioritize:
For each High or Medium threat, write a mitigation card:
```
Threat:     Attacker spoofs API caller by replaying a stolen JWT
STRIDE:     Spoofing
Severity:   High
Mitigation: Set JWT expiry to 15 min; implement refresh token rotation;
            add jti (JWT ID) claim and blacklist on logout
Owner:      @auth-team
Due:        before launch
```
For threats accepted without full mitigation, record:
Re-run threat model when:
```
[S] Payment API /charge endpoint
Threat:   Attacker replays a captured request to charge a card twice.
Control:  Implement idempotency key (UUID per request); reject duplicate
          idempotency keys within 24h; return 200 with original response body.
Severity: High | Owner: payments-team | Due: Sprint 14
```
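The idempotency-key control in the card above, modelled as an added example (not part of the original skill). The `ChargeEndpoint` class, its in-memory store, and the 400 and 422 responses for malformed or mismatched keys are assumptions introduced for illustration.

```python
import hashlib
import json
import uuid

TTL_SECONDS = 24 * 3600  # the "within 24h" window from the control

class ChargeEndpoint:
    """In-memory model of /charge with idempotency-key replay protection."""

    def __init__(self):
        self.seen = {}     # key -> (stored_at, body_digest, response)
        self.charges = []  # side effects actually performed

    @staticmethod
    def _digest(body):
        # Canonical JSON so key order does not change the fingerprint.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def handle(self, idempotency_key, body, now):
        # Forget keys older than the 24h window.
        self.seen = {k: v for k, v in self.seen.items() if now - v[0] < TTL_SECONDS}
        try:
            uuid.UUID(idempotency_key)  # the control calls for a UUID per request
        except (ValueError, TypeError, AttributeError):
            return 400, {"error": "missing or malformed idempotency key"}
        digest = self._digest(body)
        if idempotency_key in self.seen:
            _, stored_digest, response = self.seen[idempotency_key]
            if stored_digest != digest:
                # Assumption beyond the page: same key with a different body is refused.
                return 422, {"error": "idempotency key reused with different body"}
            return 200, response  # replay: original body, no second charge
        self.charges.append(body)
        response = {"charge_id": len(self.charges), "amount": body["amount"]}
        self.seen[idempotency_key] = (now, digest, response)
        return 200, response
```

A request replayed after the 24h window is processed as a new charge, so the window has to be longer than the time a captured request remains valid.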
```
[Browser] --HTTPS--> [API Gateway] --mTLS--> [Payment Service]
              ^                        ^
      Trust boundary 1         Trust boundary 2
       (internet→DMZ)           (DMZ→internal)
```
Threat model each arrow crossing a trust boundary separately.
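The procedure above run end to end on this diagram, as an added example (not part of the original skill): it selects the flows that cross a trust boundary, expands each into the six STRIDE questions, and ranks recorded threats with a 3×3 Likelihood × Impact matrix. The "Ledger DB" element, the sample threat ratings, and the score thresholds that map the matrix to High / Medium / Low are assumptions.

```python
from dataclasses import dataclass

STRIDE = {  # questions from the STRIDE table
    "S": "Can an attacker impersonate a legitimate identity?",
    "T": "Can data be modified in transit or at rest?",
    "R": "Can an actor deny performing an action?",
    "I": "Can sensitive data be read by unauthorized parties?",
    "D": "Can availability be degraded or eliminated?",
    "E": "Can an actor gain more permissions than granted?",
}
# Trust zone per DFD element; "Ledger DB" is a hypothetical extra element.
ZONES = {"Browser": "internet", "API Gateway": "DMZ",
         "Payment Service": "internal", "Ledger DB": "internal"}
FLOWS = [("Browser", "API Gateway", "HTTPS"),
         ("API Gateway", "Payment Service", "mTLS"),
         ("Payment Service", "Ledger DB", "SQL")]  # stays inside one zone
LEVEL = {"Low": 1, "Medium": 2, "High": 3}
SEP = " \u2014 "  # separator used by the one-line threat template

def boundary_crossings(flows=FLOWS, zones=ZONES):
    """Flows whose endpoints sit in different trust zones."""
    return [f for f in flows if zones[f[0]] != zones[f[1]]]

def checklist():
    """One (flow, letter, question) row per STRIDE category per crossing."""
    return [(f"{s} -> {d} ({p})", k, q)
            for s, d, p in boundary_crossings() for k, q in STRIDE.items()]

def severity(likelihood, impact):
    """Assumed 3x3 mapping: product >= 6 High, >= 3 Medium, else Low."""
    score = LEVEL[likelihood] * LEVEL[impact]
    return "High" if score >= 6 else "Medium" if score >= 3 else "Low"

@dataclass
class Threat:
    category: str
    element: str
    description: str
    control: str
    likelihood: str
    impact: str

    def line(self):
        return f"[{self.category}] [{self.element}]{SEP}{self.description}{SEP}{self.control}"

def prioritize(threats):
    """Highest likelihood x impact first; input order kept for ties."""
    return sorted(threats, key=lambda t: -LEVEL[t.likelihood] * LEVEL[t.impact])

THREATS = [  # constructed sample entries; ratings are illustrative
    Threat("D", "API Gateway", "request flood exhausts workers", "rate limiting", "Medium", "Medium"),
    Threat("S", "Payment API /charge", "captured request replayed", "idempotency key", "High", "High"),
    Threat("R", "Payment Service", "caller denies a charge", "audit logging", "Low", "Medium"),
]
```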
npx claudepluginhub jeffreytse/grimoire --plugin grimoire