phase-5-asset-flows
// Phase 5 Asset Flow Analysis guide. Use when identifying valuable assets, tracking data flows, or analyzing how sensitive data moves through the system.
| Field | Value |
|---|---|
| name | phase-5-asset-flows |
| description | Phase 5 Asset Flow Analysis guide. Use when identifying valuable assets, tracking data flows, or analyzing how sensitive data moves through the system. |

Identify every valuable asset in the system and track how it moves between components. This reveals where assets are exposed and what protections exist.

| Parameter | Required | Values |
|---|---|---|
| name | Yes | e.g., "Credit Card Numbers" |
| type | Yes | Data, Credential, Process, Configuration, Cryptographic Key, Token, Session, Other |
| classification | Yes | Public, Internal, Confidential, Restricted, Regulated, Other |
| lifecycle_state | No | Creation, Storage, Transmission, Processing, Destruction, Archival, Other |
| owner | No | Team or person responsible |
| sensitivity | No | 1-5 scale (5 = most sensitive) |
| criticality | No | 1-5 scale (5 = most critical) |

| Parameter | Required | Values |
|---|---|---|
| asset_id | Yes | Asset ID from add_asset |
| source_id | Yes | Component ID |
| destination_id | Yes | Component ID |
| transformation_type | No | Encryption, Decryption, Processing, Aggregation, Anonymization, Pseudonymization, Tokenization, Hashing, Signing, Verification, Redaction, Other |
| controls | No | List of: Encryption, Access Control, Authentication, Authorization, Audit Logging, Input Validation, Output Encoding, Integrity Check, Rate Limiting, Monitoring, Other |
| encryption | No | true/false |
| authenticated | No | true/false |
| authorized | No | true/false |
| validated | No | true/false |
| risk_level | No | 1-5 scale (5 = highest risk) |

- list_assets(), list_flows() -- Review current state
- get_asset(id), get_flow(id) -- Detailed view
- get_asset_flow_analysis_plan() -- AI-powered analysis
- reset_asset_flows() -- Reset to defaults

Look for these in the codebase:

| What to Find | Asset Type | Typical Classification |
|---|---|---|
| Passwords, API keys, tokens | Credential | Restricted |
| PII (names, emails, addresses) | Data | Confidential/Regulated |
| Payment data (credit cards) | Data | Regulated |
| Session tokens, JWTs | Token | Confidential |
| Encryption keys, certificates | Cryptographic Key | Restricted |
| Config files, env vars | Configuration | Internal |
| Audit/access logs | Data | Internal |
| Public content, marketing | Data | Public |

| Risk Level | Criteria |
|---|---|
| 5 (Critical) | Restricted data, crosses trust boundary, no encryption |
| 4 (High) | Confidential data crossing trust boundary |
| 3 (Medium) | Confidential data within same zone, or internal data crossing boundary |
| 2 (Low) | Internal data within same zone with controls |
| 1 (Minimal) | Public data with standard controls |
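
An added example (not part of the original guide or the tool's own code) that applies the risk-level table above to recorded flows, flagging flows whose declared risk_level is below the table's value and flows the table has no row for. The sample assets, flows and component-to-zone map are constructed, and treating any listed control as "standard controls" is an assumption.

```python
# Constructed sample data. Field names follow the parameter tables above;
# the component-to-zone map is an assumed input from trust-boundary analysis.
ZONES = {"browser": "internet", "api": "dmz", "db": "internal"}
ASSETS = {
    "a1": {"name": "API keys", "classification": "Restricted"},
    "a2": {"name": "Customer emails", "classification": "Confidential"},
    "a4": {"name": "Card numbers", "classification": "Regulated"},
}
FLOWS = [
    {"id": "f1", "asset_id": "a1", "source_id": "api", "destination_id": "db",
     "encryption": False, "controls": [], "risk_level": 3},
    {"id": "f2", "asset_id": "a2", "source_id": "browser", "destination_id": "api",
     "encryption": True, "controls": ["Authentication"], "risk_level": 4},
    {"id": "f4", "asset_id": "a4", "source_id": "api", "destination_id": "db",
     "encryption": True, "controls": ["Encryption"], "risk_level": 2},
]


def table_risk(classification, crosses, encrypted, controls):
    """Return the level from the table, or None where the table has no matching row."""
    if classification == "Restricted" and crosses and not encrypted:
        return 5
    if classification == "Confidential":
        return 4 if crosses else 3
    if classification == "Internal":
        if crosses:
            return 3
        if controls:
            return 2
    if classification == "Public" and controls:  # assumption: any listed control counts
        return 1
    return None  # e.g. Regulated data, or Restricted data that is encrypted


def review(flows, assets, zones):
    """Split flows into under-rated ones and ones the table does not cover."""
    underrated, uncovered = [], []
    for f in flows:
        crosses = zones[f["source_id"]] != zones[f["destination_id"]]
        level = table_risk(assets[f["asset_id"]]["classification"], crosses,
                           f.get("encryption", False), f.get("controls", []))
        if level is None:
            uncovered.append(f["id"])  # analyst must set risk_level by hand
        elif f.get("risk_level", 0) < level:
            underrated.append((f["id"], f.get("risk_level"), level))
    return underrated, uncovered
```

Calling review(FLOWS, ASSETS, ZONES) on the sample data reports f1 as rated 3 where the table says 5, and f4 as uncovered because the table has no row for Regulated data.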

- get_phase_5_guidance()
- get_asset_flow_analysis_plan() for deeper analysis
- advance_phase() to proceed to Phase 6