Threat Model Generator
Generates a STRIDE threat model from a system architecture, identifying trust boundaries, per-component threats, and a prioritized risk register with mitigations. Useful for shifting threat modeling left in the development cycle.

It is aimed at security-conscious engineering teams starting a new service or feature, startup CTOs preparing for SOC 2 or enterprise security reviews, and architects who want a structured security analysis as input to design review. It is also useful for security engineers accelerating threat modeling across a backlog of services.

Even security-aware teams defer threat modeling until late in a project, at which point the architecture is harder to change and the model produces more regret than insight. The fundamental problem is time: a full STRIDE pass takes hours of expert effort, the output format varies across teams, and the resulting document often lives in a wiki and goes stale. An AI-generated first draft flips the economics: threat modeling becomes a 15-minute review of a structured artifact rather than a four-hour workshop.
One-Time Purchase
$19.99
STRIDE Threat Model — MedTrack Patient Portal
System. Patient SPA + Admin Console → API Gateway → three microservices (Auth, Records, Messaging) → shared Postgres + Redis. A Notification Worker polls Postgres and dispatches email via SendGrid.
Verdict
Two unmitigated criticals. No mTLS between the API Gateway and internal services means PHI traverses the internal network in cleartext (T-04). The Auth Service trusts an X-Internal-Role header forwarded from the gateway, which is injectable from any external caller (T-15) — a one-line role-escalation primitive. Three additional high-severity items (T-06, T-10, T-12) are inexpensive and should land alongside the criticals.
Threats by STRIDE category
Trust Boundaries
| ID | Boundary | Between |
|---|---|---|
| TB-1 | Internet → DMZ | Browser / Admin Console → API Gateway |
| TB-2 | DMZ → Internal | API Gateway → Auth / Records / Messaging |
| TB-3 | Internal → Data Tier | Services → Postgres, Redis |
| TB-4 | Internal → External SaaS | Notification Worker → SendGrid |
STRIDE Threat Table
| ID | Component | STRIDE | Threat | Severity | Status |
|---|---|---|---|---|---|
| T-04 | Gateway → Records (TB-2) | I | No mTLS; PHI in cleartext on internal network | Critical | Unmitigated |
| T-15 | Gateway → Auth (TB-2) | E | Auth trusts injectable X-Internal-Role header | Critical | Unmitigated |
| T-06 | Admin Console (TB-1) | E | Admin JWT scope not re-checked; no step-up MFA | High | Partial |
| T-10 | Redis (TB-3) | I | PHI cached in plaintext; broad network reach | High | Unmitigated |
| T-09 | Records Service | I | SQL injection on filter params | High | Partial (ORM, no SAST) |
| T-12 | Worker → SendGrid (TB-4) | I | Hardcoded SMTP credentials | High | Unmitigated |
| T-13 | Worker → DB | S | Forged notification via direct queue write | Medium | Unmitigated |
| T-07 | Auth Service | S | Credential stuffing on /login | Medium | Partial |
| T-01 | Browser → Gateway (TB-1) | S | Forged/stolen JWT | Medium | Mitigated |
| T-08 | Postgres (TB-3) | T | Overprivileged service accounts | Medium | Unmitigated |
| T-03 | API Gateway | R | No audit trail tying calls to identity | Medium | Unmitigated |
| T-14 | Messaging Service | R | Clinician messages not tamper-evident | Low | Unmitigated |
| T-05 | API Gateway | D | Unauthenticated DDoS | Low | Mitigated |
| T-11 | Redis (TB-3) | D | Memory exhaustion / cache poisoning | Low | Partial |
| T-02 | Browser → Gateway (TB-1) | T | In-transit tampering | Low | Mitigated |
Top-3 Threats
T-04 — mTLS gap
PHI cleartext on internal RPC
Severity Critical · Effort Medium
T-15 — header injection
X-Internal-Role spoofable
Severity Critical · Effort Low
T-15 detail
The API Gateway forwards X-Internal-Role to the Auth Service. The gateway does not strip client-supplied versions of that header — any external caller can include X-Internal-Role: admin and have it propagated. Fix today: add a header-allowlist at gateway ingress and strip every X-Internal-* header before forwarding. This is a config change, not a code change.
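The ingress rule described for T-15, modelled as an added example that is not part of the original sample or of the product: the gateway drops every client-supplied `X-Internal-*` header, forwards only allowlisted client headers, and sets `X-Internal-Role` itself from an identity it has verified. The function name, the allowlist contents and the `verified_role` parameter are assumptions, and because the gateway vendor is unspecified this is generic Python rather than a vendor configuration.

```python
import re

# Assumption: the gateway reserves the whole X-Internal-* namespace for itself.
# Underscore spellings are matched too, because CGI/WSGI-style backends fold
# "X_Internal_Role" and "X-Internal-Role" into the same variable.
INTERNAL_PREFIX = re.compile(r"^x[-_]internal[-_]", re.IGNORECASE)
# Assumption: hypothetical allowlist of client headers the gateway forwards.
ALLOWED_CLIENT_HEADERS = {"authorization", "content-type", "accept", "x-request-id"}


def sanitize_ingress(client_headers, verified_role):
    """Return (forwarded_headers, stripped_names) for one inbound request.

    client_headers: list of (name, value) pairs exactly as received, so
    duplicates and unusual casing are preserved.
    verified_role: role the gateway derived itself (for example from a
    validated JWT claim), or None when the caller is unauthenticated.
    """
    forwarded, stripped = [], []
    for name, value in client_headers:
        if INTERNAL_PREFIX.match(name):
            stripped.append(name)  # never forwarded, whatever the value
            continue
        if name.lower() in ALLOWED_CLIENT_HEADERS:
            forwarded.append((name, value))
    if verified_role is not None:
        # The only X-Internal-Role the Auth Service sees is gateway-set.
        forwarded.append(("X-Internal-Role", verified_role))
    return forwarded, stripped


# Constructed sample request: a patient session that also carries
# client-supplied internal headers in three spellings.
SAMPLE_REQUEST = [
    ("Authorization", "Bearer <token>"),
    ("x-internal-role", "admin"),
    ("X_Internal_Role", "admin"),
    ("X-Internal-Tenant", "42"),
    ("Accept", "application/json"),
    ("X-Debug", "1"),
]


def demo():
    return sanitize_ingress(SAMPLE_REQUEST, verified_role="patient")
```

The returned list of stripped names is worth logging at ingress: a client that sends any `X-Internal-*` header is a useful detection signal in its own right.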
Mitigation Coverage
Quick wins (≤ 1 sprint)
Architectural (next quarter)
Residual Risk
After quick wins land
Five quick wins close T-09, T-10, T-12, T-13, and T-15. Residual criticals: T-04 (mTLS) remains open until the service-mesh rollout. Plan a compensating control in the meantime — at minimum, force all inter-service traffic through a single VPC peer with a network policy that denies cross-namespace traffic.
Open questions blocking full coverage
Six components were underspecified — the model cannot close until these resolve: API Gateway vendor (affects T-05/T-15 plugin options), Auth Service SSO federation support (introduces IdP-spoofing class not modeled), Notification Worker runtime (Lambda vs container changes the T-13 attack surface), Postgres managed vs self-hosted (patch ownership), Redis cluster mode with AUTH, and whether the Admin Console shares a domain with the patient portal (CSRF cross-contamination).
Model is a structured first draft against a hypothetical patient-portal architecture. Treat as input to a 15-minute review with the team owning each component, not as a finished artifact.
This sample illustrates the skill's output format. Names, metrics, and operational details are illustrative unless the artifact explicitly analyzes public information.
All sales final. No refunds on digital products.
Includes support for Claude Code, Codex, OpenClaw, and Google Antigravity in the same license.
Also in Security Scanning
Bundle price: $55. Compare this skill with the full workflow bundle or Pro access.
Best for
Engineering teams starting a new service or significant feature who want a STRIDE first-draft they can review in 15 minutes instead of running a four-hour workshop, and startup CTOs assembling threat-modeling evidence for SOC 2 or enterprise security review. Especially valuable when threat modeling tends to get deferred until late, when the architecture is harder to change.
Not ideal for
Adversarial high-stakes systems (cryptocurrency custody, election infrastructure, safety-critical control systems) where the threat model must be authored by a specialist and reviewed against documented adversary capabilities. Also a poor fit for systems where the architecture is genuinely novel and a generic STRIDE pass would miss the threats specific to the design.
Included in this purchase
- Claude Code, Codex, OpenClaw, and Google Antigravity skill files.
- Setup guidance for the right adapter in your workspace.
- One-time license for the purchased skill version.
Setup
Plan for a short setup in the repository or workspace where the skill will run. Some coding familiarity helps for implementation-heavy outputs.
Future Updates
This purchase includes the current version of the skill. If you want future adapter updates — meaning compatibility and packaging updates as supported platforms evolve — plus new catalog additions included automatically, upgrade to Pro.