security-requirement-extraction
wshobson/agents
Transform threat models into actionable security requirements and test cases.
What is security-requirement-extraction?
This skill helps you convert threat analysis and business context into specific, testable security requirements. Use it when creating security user stories, building acceptance criteria, mapping compliance needs, or developing security test cases.
- Convert threat models to security requirements with traceability
- Categorize requirements as functional, non-functional, or constraints
- Define requirement attributes: traceability, testability, priority, and risk level
- Create security user stories and acceptance criteria
- Map requirements to compliance frameworks
- Generate security test cases from requirements
How to install security-requirement-extraction
npx skills add https://github.com/wshobson/agents --skill security-requirement-extraction
How to use security-requirement-extraction
1. Gather threat model outputs and business context for your system
2. Identify the security concern or threat to address
3. Determine the requirement type: functional (what the system must do), non-functional (how well it must perform), or constraint (limitations imposed on the solution)
4. Define requirement attributes: traceability to threats, testability criteria, priority, and risk level
5. Write specific, measurable acceptance criteria that can be verified
6. Map the requirement to relevant compliance frameworks, if applicable
7. Review with stakeholders to confirm alignment and feasibility
Use cases
- Translating STRIDE or similar threat models into actionable requirements
- Writing security user stories for development teams
- Creating security acceptance criteria for user story completion
- Building compliance requirement mappings to frameworks like NIST or ISO 27001
- Documenting security architecture decisions with linked requirements
- Security architects
- Product security teams
- Compliance officers
- Development teams implementing security features
- Security engineers designing test strategies
security-requirement-extraction FAQ
Functional requirements specify what the system must do (e.g., 'authenticate users'), while non-functional requirements specify how it must perform (e.g., 'authentication must complete in under 2 seconds'). Both are essential for complete security coverage.
Include specific, measurable acceptance criteria. Avoid vague language like 'be secure.' Instead, specify the control (e.g., 'encrypt PII with AES-256'), the mechanism (e.g., 'using KMS key rotation'), and how to verify it.
Yes. Every security requirement should map to at least one threat or compliance obligation. This traceability ensures requirements address actual risks and aren't arbitrary.
Consider business impact, risk level if not met, compliance obligations, and implementation effort. Not all requirements have equal importance; prioritization helps teams focus on high-impact items first.
Yes. The skill supports mapping security requirements to compliance frameworks early in the process, helping ensure your requirements address regulatory obligations alongside threat mitigation.
Full instructions (SKILL.md)
Source of truth, from wshobson/agents.
name: security-requirement-extraction
description: Derive security requirements from threat models and business context. Use when translating threats into actionable requirements, creating security user stories, or building security test cases.
Security Requirement Extraction
Transform threat analysis into actionable security requirements.
When to Use This Skill
- Converting threat models to requirements
- Writing security user stories
- Creating security test cases
- Building security acceptance criteria
- Compliance requirement mapping
- Security architecture documentation
Core Concepts
1. Requirement Categories
Business Requirements → Security Requirements → Technical Controls
"Protect customer data" → "Encrypt PII at rest" → "AES-256 encryption with KMS key rotation"
2. Security Requirement Types
| Type | Focus | Example |
|---|---|---|
| Functional | What system must do | "System must authenticate users" |
| Non-functional | How system must perform | "Authentication must complete in <2s" |
| Constraint | Limitations imposed | "Must use approved crypto libraries" |
3. Requirement Attributes
| Attribute | Description |
|---|---|
| Traceability | Links to threats/compliance |
| Testability | Can be verified |
| Priority | Business importance |
| Risk Level | Impact if not met |
Templates and detailed worked examples
Full template library lives in references/details.md. Read that file when you need concrete templates for this skill.
Best Practices
Do's
- Trace to threats - Every requirement should map to threats
- Be specific - Vague requirements can't be tested
- Include acceptance criteria - Define "done"
- Consider compliance - Map to frameworks early
- Review regularly - Requirements evolve with threats
Don'ts
- Don't be generic - "Be secure" is not a requirement
- Don't skip rationale - Explain why it matters
- Don't ignore priorities - Not all requirements are equal
- Don't forget testability - If you can't test it, you can't verify it
- Don't work in isolation - Involve stakeholders