Module S07 — Threat Modeling Harnesses
Threat Modeling Harnesses
Architecture ingestion, STRIDE analysis engine, and mitigation generation with issue tracking.
60
minutes
8
artifacts
3
sub-sections
A harness that ingests architecture as-written — draw.io, Terraform, OpenAPI — converts it to a data flow diagram, runs STRIDE per element with LLM-generated grounded threats, and emits prioritized mitigations as tracked issues. Threat modeling that happens at the speed of architecture change, not the speed of a quarterly meeting.
Key Claims
Load-Bearing Claims
Manual threat modeling fails because the model goes stale. The fix is to generate the model from architecture as-written (IaC, OpenAPI) and regenerate on every change.
STRIDE threat generation must be grounded. Specific technologies + flows crossing trust boundaries produce actionable threats; generic templates produce platitudes.
Mitigations map to three layers — OWASP ASVS, CWE, cloud best practice. The mapping is the difference between a slogan and an implementable change.
Continuous threat modeling requires diffing, not full re-runs. Cost scales with the change, not the architecture size.
After This Module
01
Build an architecture-to-DFD ingestion pipeline parsing draw.io, Terraform, CloudFormation, and OpenAPI with trust boundary detection.
02
Implement a STRIDE engine applying applicable categories per element with LLM-driven grounded threat generation, dedup, and prioritization.
03
Generate per-threat mitigations mapped to OWASP controls, CWE remediations, and cloud best practices; auto-create tracker issues.
04
Version threat models and diff two architecture versions to identify what changed and what new threats the change introduced.
Artifacts
01
Teaching Document
~3,500 words; 3 sub-sections — architecture ingestion, STRIDE engine, mitigation + issue tracking
READ
02
Diagrams
5 diagrams — pipeline n8n, STRIDE applicability, grounded generation, version diff, mitigation mapping
READ
03
Slide Deck
reveal.js slide deck, dark theme, design-system teal
READ
04
Teaching Script
Verbatim teaching transcript, [SLIDE N] cues
READ
05
Flashcards
Anki flashcards (TSV)
TEST
06
Exam
Exam bank, Bloom-distributed
TEST
07
Lab Spec
3 labs — Terraform/draw.io to DFD, STRIDE engine with grounded threats, mitigation generation + GitHub issues
DO
08
Module Web Page
Single-file HTML hub
HERE