
Performing Threat Modeling with OWASP Threat Dragon
from anthropic-cybersecurity-skills (4,047 stars)
Use OWASP Threat Dragon to create data-flow diagrams, apply STRIDE/LINDDUN threat classifications, and generate threat-model reports to guide secure design revi
What it does
This skill teaches an agent how to run threat modeling exercises using OWASP Threat Dragon: installing or running the web app, building data-flow diagrams (DFDs), applying STRIDE and LINDDUN classifications, generating threat inventories, documenting mitigations, and exporting reports for security reviews. It maps practical steps from scoping through report generation and SDLC integration.
When to use it
Use this skill during design reviews, security assessments, architecture changes, or incident response when a structured threat model is required. Good for teams that need to document threats, assign mitigations, or produce compliance-ready reports.
What's included
- Scripts: repo includes scripts and example assets to run Threat Dragon and export models.
- References: links to OWASP Threat Dragon, STRIDE/LINDDUN cheat sheets, and CycloneDX TMBOM guidance.
- Instructions: step-by-step workflow covering install (desktop/docker), scoping, DFD creation, threat identification, mitigation tracking, and report export.
Compatible agents
Likely compatible with cybersecurity and automation-capable agents (Claude Code, GitHub Copilot-style tooling, CLI-capable agents) that can follow procedural security instructions and run containerized tooling.
Information
- Repository: anthropic-cybersecurity-skills
- Stars: 4,047
- Installs: 0