attack-tree-construction

by wshobson

attack-tree-construction helps build structured attack trees for Threat Modeling with clear root goals, AND/OR branches, and testable leaf attacks. Use it to map attack paths, expose defense gaps, and support security review, testing, and mitigation planning.

Stars32.6k

Favorites0

Comments0

AddedMar 30, 2026

CategoryThreat Modeling

Install Command

npx skills add wshobson/agents --skill attack-tree-construction

Curation Score

This skill scores 76/100, which means it is a solid directory listing candidate: users get a clearly scoped, substantial guide for building attack trees, and an agent is more likely to execute this task consistently than from a generic prompt alone. The score is held back by limited operational scaffolding beyond the main document, so installers should expect a strong conceptual workflow rather than a tool-backed package.

76/100

Strengths

Clear triggerability: the frontmatter and 'When to Use' section explicitly frame attack-tree construction for threat mapping, defense-gap analysis, stakeholder communication, pentest planning, and architecture review.
Substantive workflow content: the SKILL.md is long and structured, with sections on tree structure, node types, and attack attributes, giving agents reusable conventions instead of ad hoc prompting.
Good progressive disclosure inside one file: headings, tables, and code fences suggest the skill teaches concepts and formatting patterns in a way an agent can follow quickly.

Cautions

No supporting assets, scripts, references, or repo/file references are provided, so users must rely almost entirely on the prose guidance in SKILL.md.
There is no install command or external operational wrapper, which limits confidence for users expecting a more turnkey or tool-integrated workflow.

Security Strategy Workflow Playbook

Overview

Overview of attack-tree-construction skill

What attack-tree-construction does

The attack-tree-construction skill helps an agent build structured attack trees for Threat Modeling: a root attacker goal, decomposed sub-goals, and leaf attack steps linked with AND and OR logic. It is best used when you need a clear picture of how an attacker could reach a target outcome, not just a flat list of threats.

Who should use this skill

This attack-tree-construction skill fits security architects, appsec engineers, red teamers, developers doing design review, and technical leads who need to explain attack paths to others. It is especially useful when a system is complex enough that ordinary brainstorming produces scattered, duplicate, or poorly prioritized threats.

The real job-to-be-done

Most users do not just want “more threats.” They want a model they can act on:

see multiple ways an attacker can achieve one goal
distinguish alternative paths from required chained steps
find weak controls and single points of failure
support review, testing, and mitigation planning

That is where attack-tree-construction for Threat Modeling is stronger than a generic prompt asking for “security risks.”

What makes it different from a generic threat prompt

The main differentiator is structure. The skill centers on attack tree mechanics:

a single root goal
explicit AND vs OR branching
leaf-level attack steps
attack attributes such as cost, time, skill, detection, and impact

That structure improves traceability and makes the output easier to critique, expand, or turn into test cases.

What to know before you install

The repository signal is simple: this skill is primarily contained in SKILL.md, with no helper scripts or support files. That makes attack-tree-construction install lightweight, but it also means output quality depends heavily on the context you provide. If your system description is vague, the tree will be generic too.

How to Use attack-tree-construction skill

Install context for attack-tree-construction

Install the skill from the wshobson/agents repository:

npx skills add https://github.com/wshobson/agents --skill attack-tree-construction

Because the skill lives as a single markdown workflow, there is no extra runtime setup or dependency chain to manage.

Read this file first

Start with:

plugins/security-scanning/skills/attack-tree-construction/SKILL.md

That file contains the core model: when to use the skill, attack tree structure, node types, and attack attributes. Since there are no supporting references or scripts in this skill folder, reading SKILL.md is enough to understand the intended workflow.

Best input shape for attack-tree-construction usage

For strong attack-tree-construction usage, provide:

the system or feature being modeled
the attacker goal as one sentence
trust boundaries and entry points
major assets and sensitive actions
known controls already in place
assumptions and scope limits

Good example input:

System: multi-tenant SaaS admin portal
Root goal: gain unauthorized tenant-wide admin access
Entry points: login, password reset, SSO callback, support impersonation flow, public API
Assets: session tokens, admin role assignment, tenant data export
Existing controls: MFA for admins, audit logs, rate limiting on login
Constraints: exclude physical access and insider abuse

This is much better than “make an attack tree for my web app,” because it gives the skill enough material to branch realistically.

Turn a rough request into a strong prompt

Weak prompt:

“Use attack-tree-construction to analyze my platform.”

Stronger prompt:

“Use the attack-tree-construction skill to build an attack tree for the goal ‘extract customer PII from the billing service.’ Use AND and OR nodes explicitly, stop at leaf attacks that are concrete enough to test, and annotate leaves with cost, time, skill, detection difficulty, and impact. Consider web app, API, CI/CD secrets, and support workflows. Exclude nation-state capabilities.”

The stronger version improves:

root goal clarity
decomposition depth
branch quality
prioritization value

Choose the right root goal

A common mistake is making the root too broad, such as “compromise the company.” Better roots are specific attacker outcomes:

obtain privileged console access
exfiltrate payment data
deploy malicious code to production
bypass tenant isolation
disable logging before fraud

A precise root gives the attack-tree-construction guide a cleaner tree and fewer mixed threat categories.

Use AND and OR nodes deliberately

This skill is most useful when you force branching logic to be explicit:

use OR when any one path is enough
use AND when multiple conditions or steps are required

Example:

Root: steal user account
- OR: credential stuffing
- OR: session token theft
- AND: reset password + control email inbox

Without this distinction, the output becomes a bullet list rather than a real attack tree.

Ask for leaf nodes that are testable

Tell the agent to stop decomposition when a leaf is:

concrete enough to validate
distinct from sibling leaves
not just a restatement of a parent node

Good leaves:

reuse leaked credentials against admin login
exploit missing auth check on role-update endpoint
steal support agent session via phishing

Weak leaves:

break security
exploit vulnerability
get access somehow

Testable leaves make the skill more useful for red teaming, architecture review, and mitigation mapping.

Request attack attributes for prioritization

The skill includes attack attributes, so ask for them. Useful leaf annotations include:

cost
time
required skill
detection likelihood or detection difficulty
impact

These attributes help turn a tree into a decision tool. If two branches reach the same goal, teams usually care most about the cheapest, fastest, least detectable path first.

Suggested workflow in practice

A practical attack-tree-construction usage flow:

Define one attacker goal.
Provide architecture and scope context.
Generate the first tree.
Remove duplicate or hand-wavy branches.
Add attributes to leaves.
Review branches against existing controls.
Pick the top paths for mitigation or testing.

Do not start by asking for “all possible attack trees” across the entire environment. One root goal per pass produces much better output.

Where this skill fits in Threat Modeling

attack-tree-construction for Threat Modeling works best after you understand the system at a high level and before you finalize mitigations. It is particularly good for:

drilling into one high-risk abuse case
explaining why a control matters
comparing alternate attack paths
selecting scenarios for security testing

It is less suited to broad asset inventories or compliance-style control checklists.

Practical tips that change output quality

To improve attack-tree-construction usage immediately:

include non-technical paths like support workflows or password reset
list controls already present so the tree reflects bypass attempts
separate cloud, app, identity, and human attack surfaces
ask the model to note assumptions when evidence is missing
cap tree depth if the first result gets noisy

One of the biggest quality gains comes from naming interfaces and privileged actions explicitly instead of describing the system in marketing terms.

attack-tree-construction skill FAQ

Is attack-tree-construction good for beginners

Yes, if you already understand the system being modeled. The structure helps beginners avoid random threat lists. But beginners still need to supply scope, assets, and attacker goals; the skill does not replace system knowledge.

When should I use attack-tree-construction instead of a normal prompt

Use attack-tree-construction when you need branching logic, attack path comparison, and a model you can review with others. A normal prompt is fine for quick brainstorming, but it often mixes preconditions, actions, and outcomes without clear relationships.

Is this only for application security

No. The attack-tree-construction skill can be used for infrastructure, identity, CI/CD, insider-adjacent workflows, and operational abuse cases, as long as you can define a root attacker objective and meaningful sub-goals.

When is attack-tree-construction a poor fit

It is a poor fit when:

your scope is still undefined
you need a full threat enumeration across many unrelated goals
you want compliance mapping rather than attacker reasoning
the system description is too vague to support concrete leaf nodes

In those cases, do scoping or high-level threat modeling first.

Does the skill include automation or templates

Not much. Based on the repository structure, the skill is document-driven and lives in SKILL.md without helper scripts or reference assets. That keeps adoption simple, but it means your prompting discipline matters more than tool support.

Can I use attack-tree-construction for stakeholder communication

Yes. This is one of its better uses. Attack trees communicate risk more clearly than long prose because they show how alternative and chained paths lead to the same business-impacting outcome.

How to Improve attack-tree-construction skill

Give better system context, not more words

The fastest way to improve attack-tree-construction results is to provide structured facts:

components
users and roles
trust boundaries
sensitive operations
entry points
existing defenses

A short, specific system brief beats a long generic description every time.

Narrow the objective before expanding the tree

If the first output feels shallow or chaotic, the root goal is usually too broad. Split “compromise the platform” into narrower objectives, then run the attack-tree-construction skill separately for each one.

Push the model to include overlooked paths

Many first-pass trees over-focus on direct technical exploits. Ask explicitly for branches covering:

identity and access workflows
credential recovery
third-party integrations
CI/CD and secrets handling
admin or support tooling
misconfiguration abuse

This often surfaces more realistic paths than vulnerability-only trees.

Remove vague nodes and force concrete decomposition

Common failure modes:

parent and child say nearly the same thing
leaves are not actionable
branches mix attacker goals with mitigations
the tree stops before useful specificity

Fix this by asking:

“Rewrite vague leaves into concrete attacker actions.”
“Separate preconditions from exploit steps.”
“Stop only when each leaf can be tested or mitigated directly.”

Add control-aware iteration after the first draft

A strong second pass is:

mark which branches current controls already weaken
identify branches with no meaningful control
estimate which low-cost paths remain viable
propose mitigations at the branch or leaf level

This turns attack-tree-construction for Threat Modeling from analysis into prioritization.

Compare trees across attacker assumptions

If the result seems unrealistic, vary the attacker model:

opportunistic external attacker
authenticated low-privilege user
malicious integrator
phishing-capable attacker

The best way to improve the attack-tree-construction guide in practice is to generate separate trees per attacker profile instead of forcing one tree to cover every threat actor.

Use the output as a living review artifact

The highest-value teams do not generate one tree and stop. They update it when:

architecture changes
new controls ship
incidents reveal missed branches
pen tests validate or eliminate paths

That iterative use is where the attack-tree-construction skill becomes more valuable than a one-off prompt.

Ratings & Reviews

No ratings yet

Share your review

0/10000

Latest reviews

Saving...

more skill

security-threat-model

by openai

Repository-grounded security-threat-model skill for AppSec threat modeling. It maps trust boundaries, assets, attacker goals, abuse paths, and mitigations into a concise Markdown threat model. Use it when you need security-threat-model for Threat Modeling on a specific repo or path, not a generic architecture review or code check.

Threat Modeling

Favorites 0GitHub 0

solana-vulnerability-scanner

by trailofbits

solana-vulnerability-scanner is a focused Solana security audit skill for native Rust and Anchor programs. It helps review CPI logic, PDA validation, signer and ownership checks, and sysvar spoofing to catch six critical Solana-specific vulnerabilities before deployment.

Security Audit

Favorites 0GitHub 4.9k

exploiting-insecure-data-storage-in-mobile

by mukul975

The exploiting-insecure-data-storage-in-mobile skill helps assess and extract evidence from insecure local storage in Android and iOS apps. It covers SharedPreferences, SQLite databases, plist files, world-readable files, backup exposure, and weak keychain/keystore handling for mobile pentesting and Security Audit workflows.

Security Audit

Favorites 0GitHub 6.2k

algorand-vulnerability-scanner

by trailofbits

algorand-vulnerability-scanner is a security-audit skill for Algorand TEAL and PyTeal. It helps find 11 common issues, including rekeying attacks, fee validation gaps, field checks, and access control flaws. Use the algorand-vulnerability-scanner skill for a practical first-pass review before a manual audit.

Security Audit

Favorites 0GitHub 4.9k

evaluating-threat-intelligence-platforms

by mukul975

evaluating-threat-intelligence-platforms helps you compare TIP products by feed ingestion, STIX/TAXII support, automation, analyst workflow, integrations, and total cost of ownership. Use this evaluating-threat-intelligence-platforms guide for procurement, migration, or maturity planning, including evaluating-threat-intelligence-platforms for Threat Modeling when platform choice affects traceability and evidence sharing.

Threat Modeling

Favorites 0GitHub 0

detecting-insider-threat-behaviors

by mukul975

detecting-insider-threat-behaviors helps analysts hunt insider-risk signals like unusual data access, off-hours activity, mass downloads, privilege abuse, and resignation-correlated theft. Use this detecting-insider-threat-behaviors guide for threat hunting, UEBA-style triage, and threat modeling with workflow templates, SIEM query examples, and risk weights.

Threat Modeling

Favorites 0GitHub 0

detecting-credential-dumping-techniques

by mukul975

The detecting-credential-dumping-techniques skill helps you detect LSASS access, SAM export, NTDS.dit theft, and comsvcs.dll MiniDump abuse using Sysmon Event ID 10, Windows Security logs, and SIEM correlation rules. It is built for threat hunting, detection engineering, and Security Audit workflows.

Security Audit

Favorites 0GitHub 0

collecting-threat-intelligence-with-misp

by mukul975

The collecting-threat-intelligence-with-misp skill helps you collect, normalize, search, and export threat intelligence in MISP. Use this collecting-threat-intelligence-with-misp guide for feeds, PyMISP workflows, event filtering, warninglist reduction, and practical collecting-threat-intelligence-with-misp for Threat Modeling and CTI operations.

Threat Modeling

Favorites 0GitHub 0

analyzing-threat-intelligence-feeds

by mukul975

Analyzing-threat-intelligence-feeds helps you ingest CTI feeds, normalize indicators, assess feed quality, and enrich IOCs for STIX 2.1 workflows. This analyzing-threat-intelligence-feeds skill is built for threat intel operations and Data Analysis, with practical guidance for TAXII, MISP, and commercial feeds.

Data Analysis

Favorites 0GitHub 0

cosmos-vulnerability-scanner

by trailofbits

cosmos-vulnerability-scanner finds consensus-critical bugs in Cosmos SDK modules, CosmWasm contracts, IBC integrations, and Cosmos EVM stacks. Use this cosmos-vulnerability-scanner guide for security audit workflows, chain-halt risks, fund-loss paths, and pre-launch reviews.

Security Audit

Favorites 0GitHub 4.9k

detecting-process-injection-techniques

by mukul975

detecting-process-injection-techniques helps analyze suspicious in-memory activity, validate EDR alerts, and identify process hollowing, APC injection, thread hijacking, reflective loading, and classic DLL injection for Security Audit and malware triage.

Security Audit

Favorites 0GitHub 0

detecting-email-forwarding-rules-attack

by mukul975

The detecting-email-forwarding-rules-attack skill helps Security Audit, threat hunting, and incident response teams find malicious mailbox forwarding rules used for persistence and email collection. It guides analysts through Microsoft 365 and Exchange evidence, suspicious rule patterns, and practical triage for forwarding, redirect, delete, and hide behaviors.

Security Audit

Favorites 0GitHub 0

analyzing-ios-app-security-with-objection

by mukul975

The analyzing-ios-app-security-with-objection skill helps authorized testers run runtime iOS app security checks with Objection and Frida. Use it to review keychain exposure, filesystem storage, cookies, SSL pinning, jailbreak detection, and other client-side defenses during a Security Audit. Includes workflow guidance, install steps, and practical usage notes.

Security Audit

Favorites 0GitHub 0

analyzing-heap-spray-exploitation

by mukul975

analyzing-heap-spray-exploitation helps analyze heap spray exploitation in memory dumps with Volatility3. It identifies NOP sled patterns, suspicious large allocations, shellcode landing zones, and process VAD evidence for Security Audit, malware triage, and exploit validation.

Security Audit

Favorites 0GitHub 0

detecting-supply-chain-attacks-in-ci-cd

by mukul975

detecting-supply-chain-attacks-in-ci-cd skill for auditing GitHub Actions and CI/CD configs. It helps find unpinned actions, script injection, dependency confusion, secret exposure, and risky permissions for Security Audit workflows. Use it to review a repo, workflow file, or suspicious pipeline change with clear findings and fixes.

Security Audit

Favorites 0GitHub 0

detecting-api-enumeration-attacks

by mukul975

detecting-api-enumeration-attacks helps Security Audit teams detect API probing, BOLA, and IDOR by analyzing sequential IDs, 404 bursts, authorization failures, and docs discovery paths. It is built for log-driven detection guidance, rule drafting, and practical review of API abuse patterns.

Security Audit

Favorites 0GitHub 0