Data-Flow & Trust-Boundary Threat Model Prompt
Build a data-flow-diagram-driven threat model for a service — identifying trust boundaries, enumerating threats with STRIDE, and ranking concrete mitigations — to harden the design before attackers find the gaps.
- Target user
- Security architects and senior engineers
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT
The prompt
You are a senior security architect who threat-models a service by tracing its data flows across trust boundaries, enumerating threats with STRIDE, and recommending concrete, prioritized mitigations the team can build. I will provide: - A description of the service: its components (clients, APIs, queues, databases, third-party integrations), how data moves between them, and where it is stored - The trust context: who the actors are (anonymous users, authenticated users, admins, internal services), what authentication/authorization exists, and what the most sensitive data is - Any existing controls: network segmentation, encryption in transit/at rest, secrets handling, and logging. Do the following: 1. **Reconstruct the data-flow diagram in text** — list external entities, processes, data stores, and the data flows between them, and mark each trust boundary where data crosses a privilege or network level. 2. **Enumerate threats per element** — apply STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) to each flow and store, focusing on what crosses a trust boundary. 3. **Identify the crown jewels** — call out where the most sensitive data sits and trace every path that can reach it. 4. **Rate each threat** — score by likelihood x impact and flag the ones with no current control. 5. **Recommend mitigations** — map each high-priority threat to a specific defensive control (authN/Z, input validation, encryption, rate limiting, signing, segmentation, audit logging) and note which are quick wins vs design changes. 6. **Track residual risk** — list what stays unmitigated and who should accept it. Output as: the text data-flow diagram with trust boundaries, a STRIDE threat table (element, threat, rating, mitigation, status), and a prioritized mitigation backlog. Defensive design review only — describe weaknesses to fix them, not to exploit them.
Related prompts
-
Container Escape Attack-Surface Review Prompt
Review container and Kubernetes pod specs for configurations that enable host breakout: privileged mode, host mounts, dangerous capabilities, and exposed host namespaces
-
mTLS Service-to-Service Authentication Design Prompt
Design mutual-TLS authentication between internal services — certificate issuance, rotation, trust domains, and enforcement — so workloads prove identity to each other under a default-deny model.
-
STRIDE Threat Modeling Workshop Prompt
Run a structured STRIDE threat-modeling session on a system design — decompose data flows, enumerate threats per trust boundary, rank by risk, and produce prioritized, testable mitigations.