Our review
Builds comprehensive attack trees to visualize threat paths, identify defense gaps, and communicate security risks to stakeholders.
Strengths
- Systematically decomposes complex attack scenarios into sub-goals with AND/OR structure.
- Annotates leaves with cost, skill, time, and detectability for risk prioritization.
- Maps mitigations per branch to identify defense gaps.
- Facilitates risk communication with clear visualizations.
Limitations
- Requires well-defined scope and assets to be effective.
- Does not replace formal quantitative risk analysis.
- Quality depends on the analyst's threat expertise.
Use this skill to visualize complex attack paths, identify defense gaps, or plan defensive investments.
Do not use it if you lack authorization or a defined scope to model the system, or if the task is a general risk review without attack-path modeling.
Security analysis
Safe
The skill describes a purely methodological process (attack tree construction) with no executable commands, no access to system resources, and no dangerous instructions. It includes safety caveats about sharing only with authorized stakeholders, but no actual execution risk.
No concerns found
Examples
- Build an attack tree for a SaaS web application handling payment data. Root goal: 'Exfiltrate payment card data.' Include sub-goals for SQL injection, XSS, and session hijacking. Annotate leaves with estimated cost and skill level.
- Create an attack tree for a smart home IoT device. Root goal: 'Remotely control the device without authorization.' Decompose into firmware exploitation, network sniffing, and cloud API abuse. Add mitigations per branch.
- Generate an attack tree for a multi-cloud environment (AWS + GCP). Root goal: 'Leak data from S3 and GCS buckets.' Break down into misconfiguration exploitation, credential theft, and insider threat. Prioritize paths by detectability.
name: Attack Tree Construction
description: "Build comprehensive attack trees to visualize threat paths. Use when mapping attack scenarios, identifying defense gaps, or communicating security risks to stakeholders."
risk: unknown
source: community
Attack Tree Construction
Systematic attack path visualization and analysis.
Use this skill when
- Visualizing complex attack scenarios
- Identifying defense gaps and priorities
- Communicating risks to stakeholders
- Planning defensive investments or test scopes
Do not use this skill when
- You lack authorization or a defined scope to model the system
- The task is a general risk review without attack-path modeling
- The request is unrelated to security assessment or design
Instructions
- Confirm scope, assets, and the attacker goal for the root node.
- Decompose into sub-goals with AND/OR structure.
- Annotate leaves with cost, skill, time, and detectability.
- Map mitigations per branch and prioritize high-impact paths.
- If detailed templates are required, open resources/implementation-playbook.md.
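The steps above, as an added example that is not part of the skill or its playbook: a small AND/OR tree for the 'Exfiltrate payment card data' root goal, which reports the cheapest attacker path, the chance that path is detected, and the leaves with no mitigation mapped. The Node class, the function names, the tree shape and every cost and detectability value are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    gate: str = "LEAF"          # "AND", "OR" or "LEAF"
    children: list = field(default_factory=list)
    cost: int = 0               # leaf: attacker cost, constructed units
    detectability: float = 0.0  # leaf: chance the step is noticed, 0..1
    mitigations: list = field(default_factory=list)

def cheapest_path(node):
    """Return (cost, leaves) for the cheapest way to reach node's goal."""
    if node.gate == "LEAF":
        return node.cost, [node]
    results = [cheapest_path(c) for c in node.children]
    if node.gate == "AND":      # all children required: costs add up
        return (sum(c for c, _ in results),
                [leaf for _, leaves in results for leaf in leaves])
    return min(results, key=lambda r: r[0])  # OR: cheapest child wins

def path_detection(leaves):
    """Chance at least one step is detected, assuming independent steps."""
    p_missed = 1.0
    for leaf in leaves:
        p_missed *= 1.0 - leaf.detectability
    return 1.0 - p_missed

def defense_gaps(node):
    """Names of leaves that have no mitigation mapped to them."""
    if node.gate == "LEAF":
        return [] if node.mitigations else [node.name]
    return [gap for c in node.children for gap in defense_gaps(c)]

def build_example():
    # Constructed tree and values, for illustration only.
    sqli = Node("SQL injection", cost=30, detectability=0.6,
                mitigations=["parameterized queries", "WAF rule"])
    xss = Node("XSS", cost=10, detectability=0.2,
               mitigations=["output encoding"])
    reuse = Node("Reuse stolen session", cost=5, detectability=0.5)
    hijack = Node("Session hijacking", "AND", [xss, reuse])
    return Node("Exfiltrate payment card data", "OR", [sqli, hijack])

if __name__ == "__main__":
    root = build_example()
    cost, leaves = cheapest_path(root)
    print("cheapest path:", [l.name for l in leaves], "cost", cost)
    print("detection chance: %.2f" % path_detection(leaves))
    print("defense gaps:", defense_gaps(root))
```

With these values the cheapest path runs through the AND branch, and its second leaf is also the only one with no mitigation mapped, so that branch is the first candidate for defensive investment.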
Safety
- Share attack trees only with authorized stakeholders.
- Avoid including sensitive exploit details unless required.
Resources
- resources/implementation-playbook.md for detailed patterns, templates, and examples.