Threat Model Generator

verified
Updated May 13, 2026

What this skill does

Creates comprehensive STRIDE-based threat models from architecture descriptions, design documents, or code repositories. Identifies threats across Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege categories, then produces a prioritized threat matrix with recommended mitigations and Jira tickets for tracking.

Example

PROMPT

We're building a new payment processing microservice: API Gateway receives requests, routes to Lambda functions for validation and charging, stores transaction data in DynamoDB, and publishes events to SQS for downstream order fulfillment. Customer PII and payment tokens flow through the system. We need a threat model for our security review.

OUTPUT
STRIDE Threat Model — Payment Processing Microservice

| Category        | Threat                                   | Risk | Mitigation                    |
|-----------------|------------------------------------------|------|-------------------------------|
| Spoofing        | Attacker impersonates API client         | High | API keys, mTLS, OAuth         |
| Tampering       | Request/response modification in transit | High | TLS 1.3, request signing      |
| Repudiation     | User denies transaction, no audit trail  | Med  | CloudTrail, immutable logs    |
| Info Disclosure | PII/tokens in logs or error messages     | High | Data masking, log scrubbing   |
| DoS             | Lambda/cold start exhaustion             | Med  | Rate limits, auto-scaling     |
| Elevation       | Lambda assumes excessive IAM permissions | High | Least privilege, scoped roles |

Top 5 Mitigations (Jira tickets created):

1. Implement request signing for API Gateway
2. Enable encryption at rest for DynamoDB (KMS)
3. Rotate API keys with 90-day expiry policy
4. Add PII redaction to CloudWatch log groups
5. Scope Lambda execution role to minimal DynamoDB/SQS access

Required Tools

GitHub
Jira

Compatible Agents

Claude
Cursor
Windsurf
ChatGPT
GitHub Copilot
Any MCP-compatible agent

Add to your agent

Download Skill

Or install via CLI:

$ npx skills add webrix-ai/agent-skills --skill threat-model-generator

Deploy Org-wide

Provision to teams via RBAC
Identity-aware execution
Signed & verified skills
Full audit trail
Auto-bundled with required MCP servers
Threat Model Generator | Willow Marketplace