원클릭으로
discover
Auto-discover infrastructure components from codebase using the infrastructure-scout agent
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Auto-discover infrastructure components from codebase using the infrastructure-scout agent
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Assign classes to unclassified components, boundaries, data flows, and data items
Guided end-to-end threat modeling workflow — scope through validation and sync
Populate security attributes, MITRE ATT&CK references, credentials, and monitoring tools
Quality dashboard with score breakdown, gap analysis, and readiness assessment
Attack surface summary with component breakdown, trust boundary crossings, and control gap analysis
Push local model to platform, pull platform model to local, or check sync status
| name | discover |
| description | Auto-discover infrastructure components from codebase using the infrastructure-scout agent |
| agent | threat-modeler |
| argument-hint | [scope] [path] |
Scan the current codebase for infrastructure components, trust boundaries, and data flows using automated discovery.
Note: This skill uses agent: threat-modeler (not infrastructure-scout) because discovery requires writing model files. The threat-modeler delegates scanning to Agent(infrastructure-scout) and handles all file writes per the subagent write convention.
/dethereal:create first and stop.dethereal/scope.json if it exists — use scope context to guide discovery focusIf .dethernety/discovery-cache.json exists:
.dethernety/decomposition-plan.json)assignedTo mapDelegate scanning to Agent(infrastructure-scout):
From the scout's report:
mcp__plugin_dethereal_dethereal__get_classesShow which source categories were checked and results:
Sources checked: Code (3), IaC/Terraform (12), Containers (3), K8s (—), API defs (1), Network (—), CI/CD (2), DB schemas (—), Env files (1), Diagrams (—), Docs (2)
Show a single confirmation table for all discovered elements:
| # | Name | Type | Class | Confidence | Include? |
|---|------|------|-------|------------|---------|
| 1 | API Gateway | PROCESS | API Gateway | high | Y |
| 2 | PostgreSQL | STORE | Database | high | Y |
| 3 | Redis | STORE | Key-Value Store | high | Y |
| 4 | Auth Service | PROCESS | — | medium | Y |
| 5 | CloudWatch | EXTERNAL_ENTITY | — | low | ? |
Also found 4 boundaries and 8 data flows (shown below).
Are any components missing? Should any be removed or reclassified?
Respond with changes or "looks good" to confirm.
Also present suggested boundaries and inferred data flows for confirmation.
After user confirms the component list, run the consolidated blind spots prompt (one question, not five sequential ones):
Discovery found [confirmed list]. Code analysis systematically misses certain elements.
Are any of these relevant to your system?
1. Shared infrastructure — IdP, DNS, CA, log aggregator, SIEM, secret manager
2. Side-channel data flows — Logging pipelines, metrics, DNS resolution, backup destinations
3. Deployment pipeline — CI/CD platform, container registries, artifact stores
4. Third-party SaaS — OAuth providers, payment processors, CDN, email/SMS
5. Human actors with privileged access — System admins, DBA, on-call engineers
6. Shared credentials — Service accounts used by multiple components, shared API keys,
database credentials reused across services
List anything else I missed, or say "none" to continue.
Add any user-provided elements to the confirmed list. Backup destinations and CI/CD registries/artifact stores enter as COMPONENTS (STORE or EXTERNAL_ENTITY), not merely as flows — a backup store holds the same crown-jewel data at rest (usually with weaker controls) and must carry its own data-item links (inherited from the source store) and enrichment; "DB → backup" as a bare flow leaves the backup copy invisible to data classification and control-gap analysis.
After final confirmation, check if the validated inventory exceeds decomposition thresholds:
If exceeded, follow the Decomposition Protocol in the threat-modeler agent:
The recommendation is advisory — the user can proceed with a large model.
Write full discovery provenance to <model-path>/.dethereal/discovery.json with a top-level envelope:
{
"version": 1,
"timestamp": "ISO-8601",
"sourcesChecked": { "code": 3, "iac": 12, "containers": 3, "kubernetes": 0, ... },
"blindSpotsAsked": true,
"userAddedElements": ["Log Aggregator", "Admin Portal"],
"elements": [ /* per-element DiscoveredElement objects */ ]
}
Write or update model files with confirmed elements:
structure.json — confirmed components and boundaries with coordinates (use layout guidelines from guidelines-layout.md)dataflows.json — confirmed data flowsA boundary's zone/plane proposals (suggestedZone/suggestedPlane) stay in discovery.json — do not write them into structure.json's zone/planes here. They are ratified at Step 4 (Boundary Refinement); persisting an unratified proposal would set the field and silently drop the boundary from the Step 9 unclassified count (proposed ≠ set).
If this is the first discovery in the project, write .dethernety/discovery-cache.json with the full raw inventory for potential multi-model reuse.
Update <model-path>/.dethereal/state.json via Edit:
currentState: DISCOVEREDcompletedStates: add DISCOVEREDlastModified: current timestamplastReconcileCommit: <git rev-parse HEAD> — establishes the drift-detection baseline so subsequent /dethereal:threat-model runs surface in-scope file changes since this SHA. Resolve via Bash(git -C <model-path> rev-parse HEAD); if the command exits non-zero (not a git repo, no commits), omit the field — drift detection skips on resume with a "no baseline — run /dethereal:discover" hint until the operator re-runs this skill in a git repo. Re-running /dethereal:discover on an existing model overwrites the field; that is the explicit re-baseline path (after a history rewrite, a --full-scan, or any other reason the operator wants to re-anchor).Call mcp__plugin_dethereal_dethereal__validate_model_json to check structural validity.
[done] Discovery complete. N components, M boundaries, K data flows confirmed. Quality: X/100.
[next] /dethereal:add (refine model structure) or /dethereal:classify (assign classes to components)