How to install threat-mitigation-mapping
npx skills add https://github.com/wshobson/agents --skill threat-mitigation-mappingFull instructions (SKILL.md)
Source of truth, from wshobson/agents.
name: threat-mitigation-mapping description: Map identified threats to appropriate security controls and mitigations. Use when prioritizing security investments, creating remediation plans, or validating control effectiveness.
Threat Mitigation Mapping
Connect threats to controls for effective security planning.
When to Use This Skill
- Prioritizing security investments
- Creating remediation roadmaps
- Validating control coverage
- Designing defense-in-depth
- Security architecture review
- Risk treatment planning
Core Concepts
1. Control Categories
Preventive ────► Stop attacks before they occur
│ (Firewall, Input validation)
│
Detective ─────► Identify attacks in progress
│ (IDS, Log monitoring)
│
Corrective ────► Respond and recover from attacks
(Incident response, Backup restore)
2. Control Layers
| Layer | Examples |
|---|---|
| Network | Firewall, WAF, DDoS protection |
| Application | Input validation, authentication |
| Data | Encryption, access controls |
| Endpoint | EDR, patch management |
| Process | Security training, incident response |
3. Defense in Depth
┌──────────────────────┐
│ Perimeter │ ← Firewall, WAF
│ ┌──────────────┐ │
│ │ Network │ │ ← Segmentation, IDS
│ │ ┌────────┐ │ │
│ │ │ Host │ │ │ ← EDR, Hardening
│ │ │ ┌────┐ │ │ │
│ │ │ │App │ │ │ │ ← Auth, Validation
│ │ │ │Data│ │ │ │ ← Encryption
│ │ │ └────┘ │ │ │
│ │ └────────┘ │ │
│ └──────────────┘ │
└──────────────────────┘
Templates and detailed worked examples
Full template library and detailed mitigation/control mappings live in references/details.md. Read that file when you need the concrete templates for: Mitigation Model, Defense in Depth scoring, Executive Summary scaffolding, Critical Gaps reporting, Recommendations, Implementation Roadmap, Results by Control.
Best Practices
Do's
- Map all threats - No threat should be unmapped
- Layer controls - Defense in depth is essential
- Mix control types - Preventive, detective, corrective
- Track effectiveness - Measure and improve
- Review regularly - Controls degrade over time
Don'ts
- Don't rely on single controls - Single points of failure
- Don't ignore cost - ROI matters
- Don't skip testing - Untested controls may fail
- Don't set and forget - Continuous improvement
- Don't ignore people/process - Technology alone isn't enough
Related skills
More from wshobson/agents and the wider catalog.
tailwind-design-system
Build production-ready design systems with Tailwind CSS v4, design tokens, and component libraries.
typescript-advanced-types
Master TypeScript's advanced type system: generics, conditional types, mapped types, and utility types for type-safe applications.
nodejs-backend-patterns
Build production-ready Node.js backends with Express/Fastify, middleware patterns, auth, and database integration.
python-performance-optimization
Profile and optimize Python code using cProfile, memory profilers, and performance best practices.
brand-landingpage
Brand-first landing page designer with guided interviews and Stitch-powered iteration.
python-testing-patterns
Implement comprehensive testing strategies with pytest, fixtures, mocking, and test-driven development.