This skill does exactly one job itself — STRIDE/DREAD threat modeling (plus a quick secret scan) — and routes every other security request to the specialist skill that owns that lane. Do not duplicate sibling content here; route instead.
| The user wants... | Route to | Why that skill owns it |
|---|---|---|
| Vulnerability assessment, pen-test methodology, OWASP Top 10 testing | ../security-pen-testing/ |
Ships vulnerability_scanner.py + dependency_auditor.py with exit-code contracts |
| Incident triage, SEV classification, forensics, containment | ../incident-response/ |
SEV1–SEV4 taxonomy, NIST SP 800-61 phases, incident_triage.py |
| Production outage command (non-security incidents) | ../incident-commander/ |
Severity classifier + timeline + postmortem tools |
| Security monitoring, CVE triage SLAs, compliance checks (SOC 2 etc.), security headers | ../senior-secops/ |
security_scanner.py + compliance_checker.py, CVE SLA table |
| Hostile/adversarial code review | ../adversarial-reviewer/ |
3-persona review with BLOCK/CONCERNS/CLEAN verdict |
| Secure code review as part of general review | ../code-reviewer/ |
Language dispatch + regression fixtures |
| Cloud IAM escalation paths, S3 exposure, security groups | ../cloud-security/ |
cloud_posture_check.py with per-check exit codes |
| Threat hunting, IOC sweeps, anomaly detection | ../threat-detection/ |
z-score anomaly + IOC staleness tooling |
| Red-team engagement planning, ATT&CK kill chains | ../red-team/ |
engagement_planner.py with authorization gate |
| LLM/AI attack surface (prompt injection, poisoning) | ../ai-security/ |
ATLAS-mapped ai_threat_scanner.py |
If the request spans lanes (e.g., "secure this new architecture"), do the threat model here first — its output (prioritized threats + mitigations) tells you which siblings to load next. Never bulk-load multiple security skills speculatively.
python3 scripts/threat_modeler.py --component "User Authentication" --assets "credentials,sessions" --json --output threats.json
--interactive walks scoping questions; --list-threats shows the threat database.threats.json by DREAD score descending; everything ≥ 7 average needs a named mitigation owner before the design ships. Map each mitigation to the responsible sibling lane (e.g., IAM threats → cloud-security, injection threats → code-reviewer).python3 scripts/secret_scanner.py /path/to/project --format json --severity high
| DFD Element | S | T | R | I | D | E |
|---|---|---|---|---|---|---|
| External Entity | X | X | ||||
| Process | X | X | X | X | X | X |
| Data Store | X | X | X | X | ||
| Data Flow | X | X | X |
(S=Spoofing→authn, T=Tampering→integrity, R=Repudiation→audit logs, I=Info Disclosure→encryption/access control, D=DoS→rate limiting/redundancy, E=Elevation→least privilege.)
| Document | Content |
|---|---|
| references/threat-modeling-guide.md | STRIDE methodology, attack trees, DREAD scoring, DFD creation |
| references/security-architecture-patterns.md | Zero Trust, defense-in-depth, authentication patterns, API security |
| references/cryptography-implementation.md | AES-GCM, Ed25519, password hashing (Argon2id), key management |
The architecture and crypto references are kept because no sibling ships them; for operating those controls (scanning, compliance, monitoring) still route to senior-secops.