phase-1-business-context
Phase 1 Business Context Analysis guide. Use when starting a threat model, setting business context, or configuring business features like industry sector, data sensitivity, and regulatory requirements.
| name | phase-1-business-context |
| description | Phase 1 Business Context Analysis guide. Use when starting a threat model, setting business context, or configuring business features like industry sector, data sensitivity, and regulatory requirements. |
Understand what the system does, who it serves, and what's at stake if it's compromised. This phase sets the foundation for all subsequent analysis.
set_business_context() sets the description AND all business features in one call.
Parameters:
| Parameter | Required | Values |
|---|---|---|
| description | Yes | Free text describing the system |
| industry_sector | No | Finance, Healthcare, Retail, Technology, Manufacturing, Government, Education, Energy, Transportation, Other |
| data_sensitivity | No | Public, Internal, Confidential, Restricted, Regulated |
| user_base_size | No | Small (<1K), Medium (1K-100K), Large (100K-1M), Enterprise (>1M) |
| geographic_scope | No | Local, Regional, National, Multinational, Global |
| regulatory_requirements | No | GDPR, HIPAA, PCI-DSS, SOX, FISMA, CCPA, None, Multiple (comma-separated) |
| system_criticality | No | Low (down for days), Medium (up within hours), High (up within minutes), Mission-Critical (cannot be down) |
| financial_impact | No | Minimal (<$10K), Low ($10K-$100K), Medium ($100K-$1M), High ($1M-$10M), Severe (>$10M) |
| authentication_requirement | No | None, Basic, MFA, Federated, Biometric |
| deployment_environment | No | On-Premises, Cloud-Public, Cloud-Private, Hybrid, Multi-Cloud |
| integration_complexity | No | Standalone, Limited, Moderate, Complex, Highly Complex |
Example:
```python
set_business_context(
    description="Payment processing microservice handling credit card transactions for an e-commerce platform",
    industry_sector="Finance",
    data_sensitivity="Restricted",
    user_base_size="Large",
    geographic_scope="Global",
    regulatory_requirements="PCI-DSS,GDPR",
    system_criticality="High",
    financial_impact="High",
    authentication_requirement="MFA",
    deployment_environment="Cloud-Public",
    integration_complexity="Complex"
)
```
- validate_business_context_completeness() -- Checks all 10 features are set. Must return PASSED.
- get_business_context() -- Review what's been set
- get_business_context_features() -- List all available features and descriptions
- get_business_context_analysis_plan() -- Get AI-powered analysis guidance
- add_assumption(description, category, impact, rationale) -- Document scope decisions

1. set_business_context() with ALL parameters filled
2. validate_business_context_completeness() -- must pass before proceeding
3. add_assumption() for any scope decisions:

- validate_business_context_completeness() returns PASSED
- advance_phase() to proceed to Phase 2
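A local pre-flight check for the parameter table and the "all 10 features set" rule above, as an added example that is not the tool's own code. `check_business_context` and `ALLOWED` are hypothetical names; reading "Multiple (comma-separated)" as "several values joined by commas" and rejecting `None` alongside other regulations are assumptions.

```python
# Added example: local pre-flight check of set_business_context() arguments.
# ALLOWED mirrors the parameter table on this page; check_business_context is
# a hypothetical helper, not part of the threat-modeling tool itself.
ALLOWED = {
    "industry_sector": ["Finance", "Healthcare", "Retail", "Technology", "Manufacturing",
                        "Government", "Education", "Energy", "Transportation", "Other"],
    "data_sensitivity": ["Public", "Internal", "Confidential", "Restricted", "Regulated"],
    "user_base_size": ["Small", "Medium", "Large", "Enterprise"],
    "geographic_scope": ["Local", "Regional", "National", "Multinational", "Global"],
    # Assumption: "Multiple (comma-separated)" means several values joined by commas.
    "regulatory_requirements": ["GDPR", "HIPAA", "PCI-DSS", "SOX", "FISMA", "CCPA", "None"],
    "system_criticality": ["Low", "Medium", "High", "Mission-Critical"],
    "financial_impact": ["Minimal", "Low", "Medium", "High", "Severe"],
    "authentication_requirement": ["None", "Basic", "MFA", "Federated", "Biometric"],
    "deployment_environment": ["On-Premises", "Cloud-Public", "Cloud-Private", "Hybrid", "Multi-Cloud"],
    "integration_complexity": ["Standalone", "Limited", "Moderate", "Complex", "Highly Complex"],
}

def check_business_context(description="", **features):
    """Return a list of problems; an empty list means all 10 features are set and valid."""
    problems = []
    if not description.strip():
        problems.append("description: required free text is missing")
    for name in sorted(features.keys() - ALLOWED.keys()):
        problems.append(f"{name}: not a known business feature")
    for name, allowed in ALLOWED.items():
        raw = (features.get(name) or "").strip()
        if not raw:
            problems.append(f"{name}: not set")
            continue
        # Only regulatory_requirements takes a comma-separated list.
        values = raw.split(",") if name == "regulatory_requirements" else [raw]
        # Accept the bare label or the table form with its hint, e.g. "Large (100K-1M)".
        labels = [v.split("(")[0].strip() for v in values]
        for label in labels:
            if label not in allowed:
                problems.append(f"{name}: {label!r} is not an allowed value")
        # Assumption: "None" contradicts any other listed regulation.
        if name == "regulatory_requirements" and "None" in labels and len(labels) > 1:
            problems.append("regulatory_requirements: 'None' combined with other regulations")
    return problems
```

Run it on the keyword arguments before calling set_business_context(); the tool's own validate_business_context_completeness() remains the check that must return PASSED.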