Proactive security engineering for PAI projects. USE WHEN user needs threat modeling, CMMC compliance baseline, security requirements, vulnerability analysis, or security-first design. Prevents security issues during design, not after deployment.
Shift-left security: identify and mitigate threats before code is written.
| Workflow | When to Use | Output |
|---|---|---|
| ThreatModel | Designing new feature or system | Threat model document with STRIDE threats and mitigations |
| CmmcBaseline | Starting DoD/government project | CMMC Level 2 compliance baseline (all 17 domains, 110 practices) |
| SecurityReview | Reviewing code for vulnerabilities | Security review report with OWASP Top 10 findings and fixes |
| InfrastructureSecurity | Auditing cloud/infrastructure config | Infrastructure security audit with hardening recommendations |
User: "Threat model the user login feature"
Skill loads: Security → ThreatModel workflow
Output: STRIDE threats identified (spoofing, tampering, etc.) with mitigations
User: "Create CMMC baseline for our e-commerce app"
Skill loads: Security → CmmcBaseline workflow
Output: CMMC practices mapped to features, gap analysis, compliance roadmap
User: "Review this authentication code for security vulnerabilities"
Skill loads: Security → SecurityReview workflow
Output: OWASP Top 10 analysis, vulnerability findings (SQL injection, weak passwords), remediation guidance
User: "Audit our AWS configuration for security issues"
Skill loads: Security → InfrastructureSecurity workflow
Output: Infrastructure security findings (open S3 buckets, weak IAM policies), CIS Benchmark gaps
This skill follows security-first principles:
Based on industry standards: STRIDE, OWASP Top 10, CMMC Model v2.0.