skill request: threat modeling — OWASP Threat Dragon for interactive diagram-based modeling #21

@skyopsai


Summary

The threatmodel category has a single skill (pytm) which is code-first and requires Python fluency. The majority of threat modeling practitioners use diagram-based tools (data flow diagrams, trust boundary annotations). OWASP Threat Dragon is the standard open-source option: a free, desktop/web app that produces STRIDE-mapped threat models as JSON files that can be committed to source control and reviewed in PRs.

Requested Skill: threatmodel/threatdragon

What to Cover

Core workflows:

1. Create a threat model for a new service — define components, data flows, trust boundaries, and STRIDE threats using Threat Dragon's GUI, then save the .json model file to the repo
2. CLI-based threat model generation from architecture diagrams

   ```shell
   # Export threats as JSON for CI integration
   threat-dragon export --model threat-models/api-gateway.json --format json
   ```

3. Review a threat model in a PR — diff the .json model file to see what threats were added/removed/mitigated
4. Generate a threat report — produce a markdown or PDF summary of all identified threats, their severity (STRIDE category), and mitigation status

   ```shell
   threat-dragon report --model threat-models/api-gateway.json --output report.md
   ```

5. STRIDE threat enumeration checklist — for each component type (web app, API, database, message queue, identity provider), enumerate applicable STRIDE threats
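Workflows 3 and 4 above (diffing a model in a PR and producing a markdown summary) can be covered with a small script over the saved .json file. The following is an added example for this request, not code from Threat Dragon or from any existing skill. It assumes the Threat Dragon v2 model layout as I understand it (`detail.diagrams[].cells[].data.threats[]`, each threat carrying `id`, `title`, `type`, `status`, `severity`, `mitigation`) and falls back to the v1 layout (`diagramJson.cells[].threats[]`); the field names should be checked against a model exported by the Threat Dragon version in use. The two embedded models are constructed samples, not real exports.

```python
"""Summarize and diff OWASP Threat Dragon JSON threat models.

Added example for the threatmodel/threatdragon skill request; not Threat
Dragon's own code. Assumed layout: v2 `detail.diagrams[].cells[].data.threats[]`
(fallback: v1 `diagramJson.cells[].threats[]`). Verify against a real export.
"""
import json
from collections import Counter

# STRIDE categories in canonical order, as Threat Dragon labels them (assumed).
STRIDE = ["Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege"]

# Constructed sample: the model as committed on main (one process, two open threats).
MODEL_BEFORE = json.dumps({
    "summary": {"title": "api-gateway"},
    "detail": {"diagrams": [{"title": "Main", "cells": [
        {"data": {"type": "tm.Process", "name": "REST API", "threats": [
            {"id": "t-1", "title": "JWT forgery", "type": "Spoofing",
             "status": "Open", "severity": "High", "mitigation": ""},
            {"id": "t-2", "title": "No request logging", "type": "Repudiation",
             "status": "Open", "severity": "Medium", "mitigation": ""}]}},
        {"data": {"type": "tm.Flow", "name": "client -> api"}}]}]}})

# Constructed sample: the PR revision (t-1 mitigated, t-2 removed, t-3 added).
MODEL_AFTER = json.dumps({
    "summary": {"title": "api-gateway"},
    "detail": {"diagrams": [{"title": "Main", "cells": [
        {"data": {"type": "tm.Process", "name": "REST API", "threats": [
            {"id": "t-1", "title": "JWT forgery", "type": "Spoofing",
             "status": "Mitigated", "severity": "High",
             "mitigation": "Verify alg and signature against pinned JWKS"},
            {"id": "t-3", "title": "IDOR on /orders/{id}",
             "type": "Information disclosure", "status": "Open",
             "severity": "High", "mitigation": ""}]}}]}]}})


def iter_threats(model):
    """Yield (component name, threat dict) for every threat in every diagram."""
    for diagram in model.get("detail", {}).get("diagrams", []):
        # v2 keeps cells on the diagram; v1 nested them under diagramJson.
        cells = diagram.get("cells") or diagram.get("diagramJson", {}).get("cells", [])
        for cell in cells:
            data = cell.get("data", cell)  # v1 cells carry their fields directly
            for threat in data.get("threats", []):
                yield data.get("name") or cell.get("id", "?"), threat


def threat_key(component, threat):
    """Stable identity for diffing: the threat id if present, else component+title."""
    return threat.get("id") or f"{component}::{threat.get('title')}"


def summarize(model_json):
    """Count threats per STRIDE category and per mitigation status."""
    by_type, by_status = Counter(), Counter()
    for _, threat in iter_threats(json.loads(model_json)):
        by_type[threat.get("type", "Unknown")] += 1
        by_status[threat.get("status", "Open")] += 1
    return {"by_type": dict(by_type), "by_status": dict(by_status)}


def diff_models(old_json, new_json):
    """Threats added, removed, or newly marked Mitigated between two revisions."""
    old = {threat_key(c, t): t for c, t in iter_threats(json.loads(old_json))}
    new = {threat_key(c, t): t for c, t in iter_threats(json.loads(new_json))}
    mitigated = sorted(k for k in set(old) & set(new)
                       if old[k].get("status") != "Mitigated"
                       and new[k].get("status") == "Mitigated")
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "mitigated": mitigated}


def render_markdown(model_json):
    """Markdown report with one row per threat, ordered by STRIDE category."""
    model = json.loads(model_json)
    rows = sorted(iter_threats(model), key=lambda ct: STRIDE.index(ct[1]["type"])
                  if ct[1].get("type") in STRIDE else len(STRIDE))
    lines = [f"# Threat report: {model.get('summary', {}).get('title', 'untitled')}", "",
             "| Component | STRIDE | Severity | Title | Status | Mitigation |",
             "|---|---|---|---|---|---|"]
    for component, t in rows:
        lines.append(f"| {component} | {t.get('type', '')} | {t.get('severity', '')} "
                     f"| {t.get('title', '')} | {t.get('status', '')} | {t.get('mitigation', '')} |")
    open_count = sum(1 for _, t in rows if t.get("status", "Open") == "Open")
    lines += ["", f"Open (unmitigated) threats: {open_count}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_markdown(MODEL_AFTER))
    print(json.dumps(diff_models(MODEL_BEFORE, MODEL_AFTER), indent=2))
```

In a PR check, `diff_models` would be run against the base and head copies of the model file and the result posted as a comment, which is more readable than a raw JSON diff of the JointJS cell geometry; `render_markdown` gives the report from workflow 4 without depending on a CLI.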

STRIDE Coverage Table

| Component | S (Spoofing) | T (Tampering) | R (Repudiation) | I (Information disclosure) | D (Denial of service) | E (Elevation of privilege) |
|---|---|---|---|---|---|---|
| Web frontend | XSS → auth bypass | Token theft | Missing audit log | Input injection | Cache poisoning | Privilege escalation |
| REST API | JWT forgery | Man-in-the-middle | No request logging | IDOR | Race condition | Admin endpoint exposure |
| Database | SQL injection | Unencrypted at rest | Query log disabled | Schema enumeration | Deadlock DoS | DB user over-privilege |
| Message queue | Message injection | Replay attack | No consumer ACK log | Topic enumeration | Queue flooding | Dead-letter escalation |

Relationship to Existing Skills

  • Complements pytm (code-first) — Threat Dragon is better for architecture review early in the design phase
  • Threats identified here feed directly into sast-semgrep rule selection and dast-nuclei scan templates
  • High-risk threats can pre-populate devsecops/vuln-defectdojo findings for tracking

Frameworks

  • OWASP Threat Modeling Cheat Sheet
  • STRIDE (Microsoft)
  • LINDDUN (privacy threat modeling)
  • PASTA (Process for Attack Simulation and Threat Analysis)
  • NIST SP 800-154 (Data-Centric System Threat Modeling)
