AIStorageDepot
← Prompt library

Threat Model a Feature

Prompt · Code Review · #security #threat-model #design

Threat-model the following feature before we build it.

Feature: [Feature Description]
Data it touches: [Data Touched]
Who can reach it: [Exposure]

Work through it in this order:

1. **Assets** — what here is worth stealing, corrupting, or denying (data, money, reputation, compute)?
2. **Entry points** — every way input reaches this feature, including indirect ones (webhooks, imports, background jobs).
3. **STRIDE pass** — for each entry point: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege. Only list threats that are PLAUSIBLE here, with the attack in one concrete sentence each.
4. **Ranked risks** — top 3–5 by (impact × ease). Name the single scariest one.
5. **Mitigations** — for each ranked risk: the cheapest control that meaningfully reduces it, and where it lives (code, config, process).
6. **What you'd log** — the 2–3 events that would let us DETECT each top risk being exploited.

Be specific to THIS feature — no generic advice that would apply to any web app.

This is one of dozens of free prompts in the AIStorageDepot library. Sign up free to save them, version them, and pull them straight into Claude, Cursor, or VS Code over MCP.