From offensive-claude
Builds and validates threat models, detects drift by comparing new attack surface against baseline. Lints model for completeness and blocks advancement on unreviewed changes.
How this skill is triggered — by the user, by Claude, or both
Slash command
/offensive-claude:threat-model-disciplineThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
**You cannot test what you have not modeled.** A threat model names the assets, entry points, trust
You cannot test what you have not modeled. A threat model names the assets, entry points, trust boundaries, relevant ATT&CK techniques, and existing mitigations — so coverage is deliberate, not accidental. On a long engagement the surface drifts (a new endpoint, a new dependency); un-reviewed drift is where bugs hide. This skill keeps the model complete and re-checks it for drift.
/engage.gate — the gate refuses to advance on un-acknowledged drift.threat-model.json (see templates/threat-model/): five required lists —
assets, entry_points, trust_boundaries, attck (technique ids), mitigations.
# 1. Lint - every required field present, no placeholders, valid ATT&CK ids
python skills/threat-model-discipline/scripts/threatmodel_lint.py lint .engage/recon/threat-model.json
# 2. Drift - diff a re-run against the reviewed baseline; NEW entry points/assets/boundaries are
# unreviewed surface and BLOCK the gate until re-reviewed or acknowledged
python skills/threat-model-discipline/scripts/threatmodel_lint.py drift \
.engage/recon/threat-model.baseline.json .engage/recon/threat-model.json
Or use /engage.threatmodel (materialize | lint | drift).
TBD/[fill in] — that is not a model; the lint fails it.entry_point appeared and you proceeded anyway — that is the exact gap attackers use.| Excuse | Reality |
|---|---|
| "The model is obvious, skip it" | Obvious to you ≠ documented. Coverage you can't diff is coverage you can't trust. |
| "Drift is just noise" | A new entry point is new attack surface. Acknowledge it explicitly or re-review. |
| "ATT&CK mapping is busywork" | It turns 'we tested stuff' into 'we covered these techniques' — the report's backbone. |
Pairs with scope-discipline (what you may touch) and finding-discipline (what counts as proven).
npx claudepluginhub hypnguyen1209/offensive-claude --plugin offensive-claudeMaps trust boundaries, enumerates threat actors, and generates threat scenarios for attack surface analysis. Outputs a structured THREAT_MODEL.md with prioritized remediation.
Produces threat models for codebases or systems: identifies crown jewels assets, maps attack surface entry points and trust boundaries, ranks threats, suggests mitigations and accepted risks.
Generates threat models using OWASP Four-Question Framework and STRIDE methodology, producing matrices with risk ratings, mitigations, and prioritization for attack surface analysis and security reviews.