"Why does manual threat modeling fail in most organizations?"	"Manual: diagram in a quarterly meeting, spreadsheet of threats. Diagram goes stale the day someone merges a Terraform change. Nobody re-runs the model. Root cause: model is hand-maintained, separate from architecture. Fix: generate from IaC/OpenAPI, regenerate on every change."	c2a::s07::analysis
"What are the input sources for architecture ingestion, and which are authoritative?"	"draw.io/Mermaid (supplementary — documentation drifts), Terraform/CloudFormation (AUTHORITATIVE — machine-verifiable declaration of what is deployed), OpenAPI/Swagger (authoritative — API endpoints/schemas), source structure. IaC + OpenAPI is the strongest path."	c2a::s07::recall
"What is the DFD, and why is it the canonical intermediate representation?"	"Data Flow Diagram: elements, flows, trust_boundaries. Every input source normalizes to it. Every downstream stage (STRIDE, mitigation, versioning) operates on the DFD, not raw input. Decouples ingestion from analysis — new input only needs a new parser."	c2a::s07::recall
"What is a trust boundary, and why does it matter for threat modeling?"	"Line where trust level changes: public internet↔VPC, low-trust tenant↔admin, third-party↔internal. Where the DANGEROUS threats live — where an adversary crosses from low-trust to high-trust. Flows crossing boundaries are highest-priority STRIDE analysis targets."	c2a::s07::analysis
"How does the harness detect trust boundaries from infrastructure?"	"Internet-facing resources (public IP, internet gateway, public LB listener) → internet↔VPC boundary. IAM cross-account roles → account boundaries. Tenant isolation constructs (per-tenant schema, tenant-scoped policy) → tenant boundaries. Each flow marked crosses_boundary if source/target in different boundaries."	c2a::s07::application
"What does STRIDE stand for?"	"S(poofing) T(ampering) R(epudiation) I(nformation disclosure) D(enial of service) E(levation of privilege). Mnemonic for 6 threat categories. Strength: each maps to specific DFD element types → systematic method, not open-ended brainstorm."	c2a::s07::recall
"Which STRIDE categories apply to each DFD element type?"	"External actor: Spoofing, Repudiation. Process/service: ALL SIX (richest surface). Data store: Tampering, Repudiation, Info Disclosure, DoS (not Spoofing — you don't impersonate a DB). Data flow: Tampering, Info Disclosure, DoS. Scoping prevents irrelevant threats."	c2a::s07::recall
"What is grounded threat generation, and why is it load-bearing?"	"LLM generates threats SPECIFIC to element's technologies + flows crossing its boundary + data involved. Without grounding: 'attacker might spoof auth' (useless, applies anywhere). With grounding: 'stolen Cognito creds bypass API Gateway rate limit + WAF' (specific, CVSS-scored, actionable)."	c2a::s07::analysis
"How does the STRIDE engine dedup and prioritize threats?"	"Dedup via SEMANTIC SIMILARITY: each threat embedded, threats above threshold merged (retain highest-severity phrasing). Prioritize by draft CVSS score from model's base vector. Output is RANKED — top threats first, not a flat dump. 20 elements × ~3 categories × ~3 threats → ~180 candidates → dedup → ranked."	c2a::s07::application
"Why is traceability (every threat carries element_id + category) not decorative?"	"Developer asks 'why flag this?' → harness points to specific DFD element + flow. Architecture changes, element removed → threats auto-retired (not orphaned). Makes model maintainable across versions. Enables delta-only re-analysis on architecture change."	c2a::s07::analysis
"What are the 4 mitigation status values and their meanings?"	"Open (identified, not implemented). In progress (PR open, IaC change in review). Mitigated (deployed, verified resolved). Accepted risk (business decision, documented with approver + expiry). Status links threat model to engineering workflow."	c2a::s07::recall
"What 3 layers does a mitigation map to?"	"(1) OWASP ASVS control (e.g. V2.1.7 MFA). (2) CWE remediation (e.g. CWE-308 single-factor auth). (3) Cloud provider best practice (e.g. AWS IAM condition keys require MFA for sts:AssumeRole). Mapping = difference between platitude and implementable mitigation."	c2a::s07::recall
"Why must threats be filed in the engineering tracker (GitHub/Linear/Jira), not a security silo?"	"Engineers don't open separate security tools. Auto-create issues where they work, with attack narrative, CVSS, mitigation, OWASP/CWE/cloud refs, traceability to threat model. Bidirectional status sync (issue closes → threat mitigated). Goal: zero manual transcription between analysis and backlog."	c2a::s07::application
"How does model version diffing make continuous threat modeling tractable?"	"Diff two model versions → re-run STRIDE ONLY ON DELTA: new elements (run STRIDE), removed elements (retire threats), new flows esp. crossing boundary (HIGHEST priority), changed boundaries (re-analyze affected), unchanged (skip). Cost scales with change, not architecture size."	c2a::s07::analysis
"What makes a threat model go stale, and how does the harness prevent it?"	"Stale: architecture changes (Terraform merge, new endpoint) but model not re-run. Harness prevents: regenerates model from IaC/OpenAPI on every change, diffs versions, re-analyzes only the delta. Model is an OUTPUT of the pipeline, not a hand-maintained artifact."	c2a::s07::analysis
"Compare a platitude mitigation vs a mapped mitigation."	"Platitude: 'Use strong authentication' (prompts no action, ignored). Mapped: 'Enable AWS IAM condition keys requiring MFA for sts:AssumeRole in Lambda execution policy, per OWASP ASVS V2.1.7, CWE-308.' Engineer can implement in a PR — concrete config/IaC/code change, not a slogan."	c2a::s07::application
"Why does the engine NOT analyze data stores for spoofing?"	"You don't impersonate a database. STRIDE is SCOPED per element type: external actors get spoofing + repudiation; processes get all six; data stores get tampering/repudiation/info-disclosure/DoS; flows get tampering/info-disclosure/DoS. Scoping prevents irrelevant threats and keeps the list credible."	c2a::s07::analysis
"What is the highest-priority delta when diffing two threat model versions?"	"NEW FLOWS that cross a trust boundary (esp. new public-to-internal paths). These are where new exposures live — an adversary's new path from low-trust to high-trust. Also high: changed trust boundaries (resource moved private→public, new cross-account role)."	c2a::s07::analysis
"How does the parser extract components from Terraform?"	"Every resource is a component: aws_s3_bucket → data store, aws_lambda_function → process, aws_api_gateway_rest_api → service with external entry points. From OpenAPI: every endpoint group → service; request schemas → data structures. References between resources → data flows."	c2a::s07::application
"Why treat IaC as authoritative and draw.io as supplementary?"	"IaC (Terraform/CloudFormation) is a machine-verifiable declaration of what is ACTUALLY deployed. draw.io is documentation — it drifts from reality the moment someone merges a change. IaC + OpenAPI as authoritative inputs; diagrams add human-readable context but cannot be the source of truth."	c2a::s07::analysis
