phase-6-threat-identification
// Phase 6 Threat Identification guide with STRIDE methodology reference. Use when identifying threats, categorizing security issues, applying STRIDE analysis, or assessing threat severity and likelihood.
| Field | Value |
|---|---|
| name | phase-6-threat-identification |
| description | Phase 6 Threat Identification guide with STRIDE methodology reference. Use when identifying threats, categorizing security issues, applying STRIDE analysis, or assessing threat severity and likelihood. |

Systematically identify threats using the STRIDE methodology against every component, connection, and asset flow documented in previous phases.
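- Spoofing: Can identities be faked?
- Tampering: Can data or code be modified?
- Repudiation: Can actions be denied?
- Information Disclosure: Can data leak?
- Denial of Service: Can availability be impacted?
- Elevation of Privilege: Can permissions be escalated?
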
| Element Type | S | T | R | I | D | E |
|---|---|---|---|---|---|---|
| External entities | X | X | ||||
| Processes/Services | X | X | X | X | X | X |
| Data stores | X | X | X | |||
| Data flows | X | X | X | |||
| Trust boundaries | X | X | X |

IMPORTANT: Each text field has a maximum of 200 characters.

| Parameter | Required | Values |
|---|---|---|
| threat_source | Yes | Who/what (max 200 chars) |
| prerequisites | Yes | Conditions needed (max 200 chars) |
| threat_action | Yes | What they do (max 200 chars) |
| threat_impact | Yes | What happens (max 200 chars) |
| category | No | Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege |
| severity | No | Low, Medium, High, Critical |
| likelihood | No | Unlikely, Possible, Likely, Very Likely |
| affected_components | No | List of component IDs |
| affected_assets | No | List of asset names |
| tags | No | List of tags (max 30 chars each) |

Example:

```python
add_threat(
    threat_source="external attacker",
    prerequisites="with access to the login endpoint",
    threat_action="perform credential stuffing attacks",
    threat_impact="unauthorized access to user accounts",
    category="Spoofing",
    severity="High",
    likelihood="Likely",
    affected_components=["C001"],
    affected_assets=["User Credentials"],
    tags=["STRIDE-S", "authentication"]
)
```

| Severity | Criteria |
|---|---|
| Critical | System compromise, regulated data breach, complete auth bypass |
| High | Significant data exposure, privilege escalation, service disruption |
| Medium | Limited data exposure, partial impact, requires specific conditions |
| Low | Minimal impact, difficult to exploit, limited scope |

| Likelihood | Criteria |
|---|---|
| Very Likely | Trivially exploitable, public knowledge, no special access |
| Likely | Known vector, moderate skill, some access needed |
| Possible | Specific conditions required, moderate skill and access |
| Unlikely | Significant access/skill needed, rarely seen |

- `get_phase_6_guidance()`
- `search_documentation()` to research service-specific threats
- `list_threats()` -- ensure all 6 STRIDE categories represented
- `list_threats()` shows comprehensive inventory
- `advance_phase()` to proceed to Phase 7
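
The field limits and allowed values from the parameter table, and the check that all six STRIDE categories are represented, can be run locally before entries are submitted. This is an added example, not part of the tool or the original guide; `validate_threat`, `missing_stride_categories` and the sample inventory are hypothetical names and constructed data.

```python
# Added example: pre-flight checks for threat entries (not the tool's own code).
STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information Disclosure",
          "Denial of Service", "Elevation of Privilege")
SEVERITIES = ("Low", "Medium", "High", "Critical")
LIKELIHOODS = ("Unlikely", "Possible", "Likely", "Very Likely")
TEXT_FIELDS = ("threat_source", "prerequisites", "threat_action", "threat_impact")
ENUMS = {"category": STRIDE, "severity": SEVERITIES, "likelihood": LIKELIHOODS}

def validate_threat(threat):
    """Return a list of problems with one threat dict (empty list = valid)."""
    problems = []
    for field in TEXT_FIELDS:  # required, max 200 characters each
        value = threat.get(field)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{field}: required")
        elif len(value) > 200:
            problems.append(f"{field}: {len(value)} chars, max 200")
    for field, allowed in ENUMS.items():  # optional, but must use listed values
        if field in threat and threat[field] not in allowed:
            problems.append(f"{field}: {threat[field]!r} not in {allowed}")
    for tag in threat.get("tags", []):  # max 30 characters per tag
        if len(tag) > 30:
            problems.append(f"tags: {tag!r} exceeds 30 chars")
    return problems

def missing_stride_categories(threats):
    """STRIDE categories with no threat recorded, in S-T-R-I-D-E order."""
    seen = {t.get("category") for t in threats}
    return [c for c in STRIDE if c not in seen]

# Constructed sample inventory: the guide's example plus one deliberately bad entry.
SAMPLE = [
    {"threat_source": "external attacker",
     "prerequisites": "with access to the login endpoint",
     "threat_action": "perform credential stuffing attacks",
     "threat_impact": "unauthorized access to user accounts",
     "category": "Spoofing", "severity": "High", "likelihood": "Likely",
     "affected_components": ["C001"], "affected_assets": ["User Credentials"],
     "tags": ["STRIDE-S", "authentication"]},
    {"threat_source": "malicious insider", "prerequisites": "x" * 201,
     "threat_action": "alter audit records", "threat_impact": "",
     "category": "Tamper", "severity": "Severe"},
]

if __name__ == "__main__":
    for i, t in enumerate(SAMPLE):
        print(i, validate_threat(t) or "ok")
    print("uncovered:", missing_stride_categories(SAMPLE))
```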