How to install senior-security
npx skills add https://github.com/alirezarezvani/claude-skills --skill senior-securityFull instructions (SKILL.md)
Source of truth, from alirezarezvani/claude-skills.
name: "senior-security" description: Use when the user asks for STRIDE threat modeling, DREAD risk scoring, data-flow-diagram threat analysis, or a quick secret scan — or when a security request needs routing to the right specialist skill (pen-testing, incident response, cloud posture, red team, AI security, threat hunting, secure code review). This skill owns threat modeling; everything else routes to a sibling.
Senior Security Engineer — Threat Modeling + Security Router
This skill does exactly one job itself — STRIDE/DREAD threat modeling (plus a quick secret scan) — and routes every other security request to the specialist skill that owns that lane. Do not duplicate sibling content here; route instead.
Routing Table (read this first)
| The user wants... | Route to | Why that skill owns it |
|---|---|---|
| Vulnerability assessment, pen-test methodology, OWASP Top 10 testing | ../security-pen-testing/ | Ships vulnerability_scanner.py + dependency_auditor.py with exit-code contracts |
| Incident triage, SEV classification, forensics, containment | ../incident-response/ | SEV1–SEV4 taxonomy, NIST SP 800-61 phases, incident_triage.py |
| Production outage command (non-security incidents) | ../incident-commander/ | Severity classifier + timeline + postmortem tools |
| Security monitoring, CVE triage SLAs, compliance checks (SOC 2 etc.), security headers | ../senior-secops/ | security_scanner.py + compliance_checker.py, CVE SLA table |
| Hostile/adversarial code review | ../adversarial-reviewer/ | 3-persona review with BLOCK/CONCERNS/CLEAN verdict |
| Secure code review as part of general review | ../code-reviewer/ | Language dispatch + regression fixtures |
| Cloud IAM escalation paths, S3 exposure, security groups | ../cloud-security/ | cloud_posture_check.py with per-check exit codes |
| Threat hunting, IOC sweeps, anomaly detection | ../threat-detection/ | z-score anomaly + IOC staleness tooling |
| Red-team engagement planning, ATT&CK kill chains | ../red-team/ | engagement_planner.py with authorization gate |
| LLM/AI attack surface (prompt injection, poisoning) | ../ai-security/ | ATLAS-mapped ai_threat_scanner.py |
If the request spans lanes (e.g., "secure this new architecture"), do the threat model here first — its output (prioritized threats + mitigations) tells you which siblings to load next. Never bulk-load multiple security skills speculatively.
What This Skill Owns: STRIDE Threat Modeling
Workflow
- Scope: assets to protect, trust boundaries, data flows (external entities, processes, data stores, flows).
- Generate the threat model per component:
Output: per-threat STRIDE category, DREAD score (Damage, Reproducibility, Exploitability, Affected users, Discoverability — each 1–10), and suggested mitigations. Repeat per DFD element;python3 scripts/threat_modeler.py --component "User Authentication" --assets "credentials,sessions" --json --output threats.json--interactivewalks scoping questions;--list-threatsshows the threat database. - Consume the output: sort
threats.jsonby DREAD score descending; everything ≥ 7 average needs a named mitigation owner before the design ships. Map each mitigation to the responsible sibling lane (e.g., IAM threats →cloud-security, injection threats →code-reviewer). - Quick secret sweep while you have the codebase open:
20+ patterns (AWS keys, GitHub tokens, private keys, generic credentials). Any critical/high finding blocks merge until rotated and moved to a secret manager.python3 scripts/secret_scanner.py /path/to/project --format json --severity high - Verification gate: every DFD element has ≥ 1 STRIDE row considered, every threat with DREAD ≥ 7 has an owner + mitigation, and the secret scan exits with zero high/critical findings. Re-run both tools after mitigations land — that re-run is the done signal, not the document.
STRIDE per Element Matrix
| DFD Element | S | T | R | I | D | E |
|---|---|---|---|---|---|---|
| External Entity | X | X | ||||
| Process | X | X | X | X | X | X |
| Data Store | X | X | X | X | ||
| Data Flow | X | X | X |
(S=Spoofing→authn, T=Tampering→integrity, R=Repudiation→audit logs, I=Info Disclosure→encryption/access control, D=DoS→rate limiting/redundancy, E=Elevation→least privilege.)
References (load on demand)
| Document | Content |
|---|---|
| references/threat-modeling-guide.md | STRIDE methodology, attack trees, DREAD scoring, DFD creation |
| references/security-architecture-patterns.md | Zero Trust, defense-in-depth, authentication patterns, API security |
| references/cryptography-implementation.md | AES-GCM, Ed25519, password hashing (Argon2id), key management |
The architecture and crypto references are kept because no sibling ships them; for operating those controls (scanning, compliance, monitoring) still route to senior-secops.
Related skills
More from alirezarezvani/claude-skills and the wider catalog.
marketing-skills
Directory and router for the marketing skills library. Use when you need to find the right marketing skill for a task, see what marketing capabilities exist, or get oriented in this plugin. 44 specialist skills across 8 pods (content, SEO + AEO, CRO, channels, growth, intelligence, sales enablement, ops), 59 stdlib Python tools. Routes to one skill — it does not execute marketing work itself.
engineering-skills
Index of the engineering-team skills bundle for Claude Code, Codex, Gemini CLI, Cursor, OpenClaw, and 6 more tools. Architecture, frontend, backend, QA, DevOps, security, AI/ML, data engineering, Playwright, Stripe, AWS, MS365 (stdlib-only Python tools). Use when browsing or choosing among engineering-team role skills — load only the one specialist SKILL.md you need, never bulk-load the bundle.
finance-skills
Router/index for the 2 finance skills bundled in this plugin: financial-analyst (ratio analysis, DCF valuation, budget variance, rolling forecasts) and saas-metrics-coach (ARR/MRR, churn, CAC/LTV, NRR, quick ratio). Use when a finance request doesn't obviously match one skill and you need to pick the right one (e.g., 'analyze these financials', 'how healthy are my SaaS metrics').
business-growth-skills
Router/index for the 4 business & growth skills bundled in this plugin: customer-success-manager (health scoring, churn risk, expansion), sales-engineer (RFP analysis, competitive matrices, PoC planning), revenue-operations (pipeline, forecast accuracy, GTM efficiency), and contract-and-proposal-writer. Use when a growth/revenue request doesn't obviously match one skill and you need to pick the right one (e.g., 'which accounts are at risk', 'should we bid on this RFP').
engineering-advanced-skills
Index of 37 advanced engineering agent skills for Claude Code, Codex, Gemini CLI, Cursor, OpenClaw. Use when browsing or choosing among the POWERFUL-tier engineering skills: agent design, RAG, MCP servers, CI/CD, database design, observability, security auditing, changelog/release automation, reliability (SLO/chaos/flags/operators), platform ops.
product-skills
Router/index for the 12 product skills bundled in this plugin (RICE prioritization, OKRs, UX research, design tokens, competitive teardown, analytics, experiments, discovery, roadmaps, spec-to-repo, landing pages, SaaS scaffolding). Use when a product request doesn't obviously match one skill and you need to pick the right one (e.g., 'help me prioritize features', 'plan a product experiment').