Threat Modeling Harness Stack
The continuous, design-time threat-modeling pipeline: Terraform/OpenAPI/draw.io ingestion, ground-truth DFD generation in Mermaid, STRIDE automation with LLM enrichment.
The DFD is derived from ground truth, not memory. Parsed from the Terraform and OpenAPI the team maintains, the model regenerates on every change and cannot drift from the implementation. This is the inversion that replaces the quarterly whiteboard session that decays immediately.
Mermaid is the canonical DFD format because it is text. It diffs in git, reviews in PRs, and regenerates cleanly. The manual layer (draw.io) feeds in; the output is a source-controlled, versioned component of the architecture record — not a picture.
The LLM-enrichment layer is where the value compounds. A rule lookup produces generic STRIDE threats engineers dismiss as boilerplate. The LLM attaches system-specific context (resource names, data classifications, trust boundaries) — 'consider Spoofing' becomes 'the payment webhook has no mTLS, spoofing enables fraudulent refunds.' Specificity is what makes threats actionable.
The outputs are sensitive architecture maps. The DFD is a resource/trust-boundary map and the threat list is a prioritized attack playbook. Both are exactly what an attacker wants. Govern them like pentest reports; the read-only ingestion is the safe part.