Name: Threat Mitigation Mapping
Author: Wshobson
Install
Terminal · npx
$npx skills add https://github.com/wshobson/agents --skill threat-mitigation-mapping
Works with Paperclip
How Threat Mitigation Mapping fits into a Paperclip company.

Threat Mitigation Mapping drops into any Paperclip agent that handles this kind of work. Assign it to a specialist inside a pre-configured PaperclipOrg company and the skill becomes available on every heartbeat — no prompt engineering, no tool wiring.
SaaS FactoryPaired
Pre-configured AI company — 18 agents, 18 skills, one-time purchase.
$27$59
Explore pack
Source file
SKILL.md741 linesmarkdown
Expand
1---2name: threat-mitigation-mapping3description: Map identified threats to appropriate security controls and mitigations. Use when prioritizing security investments, creating remediation plans, or validating control effectiveness.4---5 6# Threat Mitigation Mapping7 8Connect threats to controls for effective security planning.9 10## When to Use This Skill11 12- Prioritizing security investments13- Creating remediation roadmaps14- Validating control coverage15- Designing defense-in-depth16- Security architecture review17- Risk treatment planning18 19## Core Concepts20 21### 1. Control Categories22 23```24Preventive ────► Stop attacks before they occur25   │              (Firewall, Input validation)26   │27Detective ─────► Identify attacks in progress28   │              (IDS, Log monitoring)29   │30Corrective ────► Respond and recover from attacks31                  (Incident response, Backup restore)32```33 34### 2. Control Layers35 36| Layer           | Examples                             |37| --------------- | ------------------------------------ |38| **Network**     | Firewall, WAF, DDoS protection       |39| **Application** | Input validation, authentication     |40| **Data**        | Encryption, access controls          |41| **Endpoint**    | EDR, patch management                |42| **Process**     | Security training, incident response |43 44### 3. Defense in Depth45 46```47                    ┌──────────────────────┐48                    │      Perimeter       │ ← Firewall, WAF49                    │   ┌──────────────┐   │50                    │   │   Network    │   │ ← Segmentation, IDS51                    │   │  ┌────────┐  │   │52                    │   │  │  Host  │  │   │ ← EDR, Hardening53                    │   │  │ ┌────┐ │  │   │54                    │   │  │ │App │ │  │   │ ← Auth, Validation55                    │   │  │ │Data│ │  │   │ ← Encryption56                    │   │  │ └────┘ │  │   │57                    │   │  └────────┘  │   │58                    │   └──────────────┘   │59                    └──────────────────────┘60```61 62## Templates63 64### Template 1: Mitigation Model65 66```python67from dataclasses import dataclass, field68from enum import Enum69from typing import List, Dict, Optional, Set70from datetime import datetime71 72class ControlType(Enum):73    PREVENTIVE = "preventive"74    DETECTIVE = "detective"75    CORRECTIVE = "corrective"76 77 78class ControlLayer(Enum):79    NETWORK = "network"80    APPLICATION = "application"81    DATA = "data"82    ENDPOINT = "endpoint"83    PROCESS = "process"84    PHYSICAL = "physical"85 86 87class ImplementationStatus(Enum):88    NOT_IMPLEMENTED = "not_implemented"89    PARTIAL = "partial"90    IMPLEMENTED = "implemented"91    VERIFIED = "verified"92 93 94class Effectiveness(Enum):95    NONE = 096    LOW = 197    MEDIUM = 298    HIGH = 399    VERY_HIGH = 4100 101 102@dataclass103class SecurityControl:104    id: str105    name: str106    description: str107    control_type: ControlType108    layer: ControlLayer109    effectiveness: Effectiveness110    implementation_cost: str  # Low, Medium, High111    maintenance_cost: str112    status: ImplementationStatus = ImplementationStatus.NOT_IMPLEMENTED113    mitigates_threats: List[str] = field(default_factory=list)114    dependencies: List[str] = field(default_factory=list)115    technologies: List[str] = field(default_factory=list)116    compliance_refs: List[str] = field(default_factory=list)117 118    def coverage_score(self) -> float:119        """Calculate coverage score based on status and effectiveness."""120        status_multiplier = {121            ImplementationStatus.NOT_IMPLEMENTED: 0.0,122            ImplementationStatus.PARTIAL: 0.5,123            ImplementationStatus.IMPLEMENTED: 0.8,124            ImplementationStatus.VERIFIED: 1.0,125        }126        return self.effectiveness.value * status_multiplier[self.status]127 128 129@dataclass130class Threat:131    id: str132    name: str133    category: str  # STRIDE category134    description: str135    impact: str  # Critical, High, Medium, Low136    likelihood: str137    risk_score: float138 139 140@dataclass141class MitigationMapping:142    threat: Threat143    controls: List[SecurityControl]144    residual_risk: str = "Unknown"145    notes: str = ""146 147    def calculate_coverage(self) -> float:148        """Calculate how well controls cover the threat."""149        if not self.controls:150            return 0.0151 152        total_score = sum(c.coverage_score() for c in self.controls)153        max_possible = len(self.controls) * Effectiveness.VERY_HIGH.value154 155        return (total_score / max_possible) * 100 if max_possible > 0 else 0156 157    def has_defense_in_depth(self) -> bool:158        """Check if multiple layers are covered."""159        layers = set(c.layer for c in self.controls if c.status != ImplementationStatus.NOT_IMPLEMENTED)160        return len(layers) >= 2161 162    def has_control_diversity(self) -> bool:163        """Check if multiple control types are present."""164        types = set(c.control_type for c in self.controls if c.status != ImplementationStatus.NOT_IMPLEMENTED)165        return len(types) >= 2166 167 168@dataclass169class MitigationPlan:170    name: str171    threats: List[Threat] = field(default_factory=list)172    controls: List[SecurityControl] = field(default_factory=list)173    mappings: List[MitigationMapping] = field(default_factory=list)174 175    def get_unmapped_threats(self) -> List[Threat]:176        """Find threats without mitigations."""177        mapped_ids = {m.threat.id for m in self.mappings}178        return [t for t in self.threats if t.id not in mapped_ids]179 180    def get_control_coverage(self) -> Dict[str, float]:181        """Get coverage percentage for each threat."""182        return {183            m.threat.id: m.calculate_coverage()184            for m in self.mappings185        }186 187    def get_gaps(self) -> List[Dict]:188        """Identify mitigation gaps."""189        gaps = []190        for mapping in self.mappings:191            coverage = mapping.calculate_coverage()192            if coverage < 50:193                gaps.append({194                    "threat": mapping.threat.id,195                    "threat_name": mapping.threat.name,196                    "coverage": coverage,197                    "issue": "Insufficient control coverage",198                    "recommendation": "Add more controls or improve existing ones"199                })200            if not mapping.has_defense_in_depth():201                gaps.append({202                    "threat": mapping.threat.id,203                    "threat_name": mapping.threat.name,204                    "coverage": coverage,205                    "issue": "No defense in depth",206                    "recommendation": "Add controls at different layers"207                })208            if not mapping.has_control_diversity():209                gaps.append({210                    "threat": mapping.threat.id,211                    "threat_name": mapping.threat.name,212                    "coverage": coverage,213                    "issue": "No control diversity",214                    "recommendation": "Add detective/corrective controls"215                })216        return gaps217```218 219### Template 2: Control Library220 221```python222class ControlLibrary:223    """Library of standard security controls."""224 225    STANDARD_CONTROLS = {226        # Authentication Controls227        "AUTH-001": SecurityControl(228            id="AUTH-001",229            name="Multi-Factor Authentication",230            description="Require MFA for all user authentication",231            control_type=ControlType.PREVENTIVE,232            layer=ControlLayer.APPLICATION,233            effectiveness=Effectiveness.HIGH,234            implementation_cost="Medium",235            maintenance_cost="Low",236            mitigates_threats=["SPOOFING"],237            technologies=["TOTP", "WebAuthn", "SMS OTP"],238            compliance_refs=["PCI-DSS 8.3", "NIST 800-63B"]239        ),240        "AUTH-002": SecurityControl(241            id="AUTH-002",242            name="Account Lockout Policy",243            description="Lock accounts after failed authentication attempts",244            control_type=ControlType.PREVENTIVE,245            layer=ControlLayer.APPLICATION,246            effectiveness=Effectiveness.MEDIUM,247            implementation_cost="Low",248            maintenance_cost="Low",249            mitigates_threats=["SPOOFING"],250            technologies=["Custom implementation"],251            compliance_refs=["PCI-DSS 8.1.6"]252        ),253 254        # Input Validation Controls255        "VAL-001": SecurityControl(256            id="VAL-001",257            name="Input Validation Framework",258            description="Validate and sanitize all user input",259            control_type=ControlType.PREVENTIVE,260            layer=ControlLayer.APPLICATION,261            effectiveness=Effectiveness.HIGH,262            implementation_cost="Medium",263            maintenance_cost="Medium",264            mitigates_threats=["TAMPERING", "INJECTION"],265            technologies=["Joi", "Yup", "Pydantic"],266            compliance_refs=["OWASP ASVS V5"]267        ),268        "VAL-002": SecurityControl(269            id="VAL-002",270            name="Web Application Firewall",271            description="Deploy WAF to filter malicious requests",272            control_type=ControlType.PREVENTIVE,273            layer=ControlLayer.NETWORK,274            effectiveness=Effectiveness.MEDIUM,275            implementation_cost="Medium",276            maintenance_cost="Medium",277            mitigates_threats=["TAMPERING", "INJECTION", "DOS"],278            technologies=["AWS WAF", "Cloudflare", "ModSecurity"],279            compliance_refs=["PCI-DSS 6.6"]280        ),281 282        # Encryption Controls283        "ENC-001": SecurityControl(284            id="ENC-001",285            name="Data Encryption at Rest",286            description="Encrypt sensitive data in storage",287            control_type=ControlType.PREVENTIVE,288            layer=ControlLayer.DATA,289            effectiveness=Effectiveness.HIGH,290            implementation_cost="Medium",291            maintenance_cost="Low",292            mitigates_threats=["INFORMATION_DISCLOSURE"],293            technologies=["AES-256", "KMS", "HSM"],294            compliance_refs=["PCI-DSS 3.4", "GDPR Art. 32"]295        ),296        "ENC-002": SecurityControl(297            id="ENC-002",298            name="TLS Encryption",299            description="Encrypt data in transit using TLS 1.3",300            control_type=ControlType.PREVENTIVE,301            layer=ControlLayer.NETWORK,302            effectiveness=Effectiveness.HIGH,303            implementation_cost="Low",304            maintenance_cost="Low",305            mitigates_threats=["INFORMATION_DISCLOSURE", "TAMPERING"],306            technologies=["TLS 1.3", "Certificate management"],307            compliance_refs=["PCI-DSS 4.1", "HIPAA"]308        ),309 310        # Logging Controls311        "LOG-001": SecurityControl(312            id="LOG-001",313            name="Security Event Logging",314            description="Log all security-relevant events",315            control_type=ControlType.DETECTIVE,316            layer=ControlLayer.APPLICATION,317            effectiveness=Effectiveness.MEDIUM,318            implementation_cost="Low",319            maintenance_cost="Medium",320            mitigates_threats=["REPUDIATION"],321            technologies=["ELK Stack", "Splunk", "CloudWatch"],322            compliance_refs=["PCI-DSS 10.2", "SOC2"]323        ),324        "LOG-002": SecurityControl(325            id="LOG-002",326            name="Log Integrity Protection",327            description="Protect logs from tampering",328            control_type=ControlType.PREVENTIVE,329            layer=ControlLayer.DATA,330            effectiveness=Effectiveness.MEDIUM,331            implementation_cost="Medium",332            maintenance_cost="Low",333            mitigates_threats=["REPUDIATION", "TAMPERING"],334            technologies=["Immutable storage", "Log signing"],335            compliance_refs=["PCI-DSS 10.5"]336        ),337 338        # Access Control339        "ACC-001": SecurityControl(340            id="ACC-001",341            name="Role-Based Access Control",342            description="Implement RBAC for authorization",343            control_type=ControlType.PREVENTIVE,344            layer=ControlLayer.APPLICATION,345            effectiveness=Effectiveness.HIGH,346            implementation_cost="Medium",347            maintenance_cost="Medium",348            mitigates_threats=["ELEVATION_OF_PRIVILEGE", "INFORMATION_DISCLOSURE"],349            technologies=["RBAC", "ABAC", "Policy engines"],350            compliance_refs=["PCI-DSS 7.1", "SOC2"]351        ),352 353        # Availability Controls354        "AVL-001": SecurityControl(355            id="AVL-001",356            name="Rate Limiting",357            description="Limit request rates to prevent abuse",358            control_type=ControlType.PREVENTIVE,359            layer=ControlLayer.APPLICATION,360            effectiveness=Effectiveness.MEDIUM,361            implementation_cost="Low",362            maintenance_cost="Low",363            mitigates_threats=["DENIAL_OF_SERVICE"],364            technologies=["API Gateway", "Redis", "Token bucket"],365            compliance_refs=["OWASP API Security"]366        ),367        "AVL-002": SecurityControl(368            id="AVL-002",369            name="DDoS Protection",370            description="Deploy DDoS mitigation services",371            control_type=ControlType.PREVENTIVE,372            layer=ControlLayer.NETWORK,373            effectiveness=Effectiveness.HIGH,374            implementation_cost="High",375            maintenance_cost="Medium",376            mitigates_threats=["DENIAL_OF_SERVICE"],377            technologies=["Cloudflare", "AWS Shield", "Akamai"],378            compliance_refs=["NIST CSF"]379        ),380    }381 382    def get_controls_for_threat(self, threat_category: str) -> List[SecurityControl]:383        """Get all controls that mitigate a threat category."""384        return [385            c for c in self.STANDARD_CONTROLS.values()386            if threat_category in c.mitigates_threats387        ]388 389    def get_controls_by_layer(self, layer: ControlLayer) -> List[SecurityControl]:390        """Get controls for a specific layer."""391        return [c for c in self.STANDARD_CONTROLS.values() if c.layer == layer]392 393    def get_control(self, control_id: str) -> Optional[SecurityControl]:394        """Get a specific control by ID."""395        return self.STANDARD_CONTROLS.get(control_id)396 397    def recommend_controls(398        self,399        threat: Threat,400        existing_controls: List[str]401    ) -> List[SecurityControl]:402        """Recommend additional controls for a threat."""403        available = self.get_controls_for_threat(threat.category)404        return [c for c in available if c.id not in existing_controls]405```406 407### Template 3: Mitigation Analysis408 409```python410class MitigationAnalyzer:411    """Analyze and optimize mitigation strategies."""412 413    def __init__(self, plan: MitigationPlan, library: ControlLibrary):414        self.plan = plan415        self.library = library416 417    def calculate_overall_risk_reduction(self) -> float:418        """Calculate overall risk reduction percentage."""419        if not self.plan.mappings:420            return 0.0421 422        weighted_coverage = 0423        total_weight = 0424 425        for mapping in self.plan.mappings:426            # Weight by threat risk score427            weight = mapping.threat.risk_score428            coverage = mapping.calculate_coverage()429            weighted_coverage += weight * coverage430            total_weight += weight431 432        return weighted_coverage / total_weight if total_weight > 0 else 0433 434    def get_critical_gaps(self) -> List[Dict]:435        """Find critical gaps that need immediate attention."""436        gaps = self.plan.get_gaps()437        critical_threats = {t.id for t in self.plan.threats if t.impact == "Critical"}438 439        return [g for g in gaps if g["threat"] in critical_threats]440 441    def optimize_budget(442        self,443        budget: float,444        cost_map: Dict[str, float]445    ) -> List[SecurityControl]:446        """Select controls that maximize risk reduction within budget."""447        # Simple greedy approach - can be replaced with optimization algorithm448        recommended = []449        remaining_budget = budget450        unmapped = self.plan.get_unmapped_threats()451 452        # Sort controls by effectiveness/cost ratio453        all_controls = list(self.library.STANDARD_CONTROLS.values())454        controls_with_value = []455 456        for control in all_controls:457            if control.status == ImplementationStatus.NOT_IMPLEMENTED:458                cost = cost_map.get(control.id, float('inf'))459                if cost <= remaining_budget:460                    # Calculate value as threats covered * effectiveness / cost461                    threats_covered = len([462                        t for t in unmapped463                        if t.category in control.mitigates_threats464                    ])465                    if threats_covered > 0:466                        value = (threats_covered * control.effectiveness.value) / cost467                        controls_with_value.append((control, value, cost))468 469        # Sort by value (higher is better)470        controls_with_value.sort(key=lambda x: x[1], reverse=True)471 472        for control, value, cost in controls_with_value:473            if cost <= remaining_budget:474                recommended.append(control)475                remaining_budget -= cost476 477        return recommended478 479    def generate_roadmap(self) -> List[Dict]:480        """Generate implementation roadmap by priority."""481        roadmap = []482        gaps = self.plan.get_gaps()483 484        # Phase 1: Critical threats with low coverage485        phase1 = []486        for gap in gaps:487            mapping = next(488                (m for m in self.plan.mappings if m.threat.id == gap["threat"]),489                None490            )491            if mapping and mapping.threat.impact == "Critical":492                controls = self.library.get_controls_for_threat(mapping.threat.category)493                phase1.extend([494                    {495                        "threat": gap["threat"],496                        "control": c.id,497                        "control_name": c.name,498                        "phase": 1,499                        "priority": "Critical"500                    }501                    for c in controls502                    if c.status == ImplementationStatus.NOT_IMPLEMENTED503                ])504 505        roadmap.extend(phase1[:5])  # Top 5 for phase 1506 507        # Phase 2: High impact threats508        phase2 = []509        for gap in gaps:510            mapping = next(511                (m for m in self.plan.mappings if m.threat.id == gap["threat"]),512                None513            )514            if mapping and mapping.threat.impact == "High":515                controls = self.library.get_controls_for_threat(mapping.threat.category)516                phase2.extend([517                    {518                        "threat": gap["threat"],519                        "control": c.id,520                        "control_name": c.name,521                        "phase": 2,522                        "priority": "High"523                    }524                    for c in controls525                    if c.status == ImplementationStatus.NOT_IMPLEMENTED526                ])527 528        roadmap.extend(phase2[:5])  # Top 5 for phase 2529 530        return roadmap531 532    def defense_in_depth_analysis(self) -> Dict[str, List[str]]:533        """Analyze defense in depth coverage."""534        layer_coverage = {layer.value: [] for layer in ControlLayer}535 536        for mapping in self.plan.mappings:537            for control in mapping.controls:538                if control.status in [ImplementationStatus.IMPLEMENTED, ImplementationStatus.VERIFIED]:539                    layer_coverage[control.layer.value].append(control.id)540 541        return layer_coverage542 543    def generate_report(self) -> str:544        """Generate comprehensive mitigation report."""545        risk_reduction = self.calculate_overall_risk_reduction()546        gaps = self.plan.get_gaps()547        critical_gaps = self.get_critical_gaps()548        layer_coverage = self.defense_in_depth_analysis()549 550        report = f"""551# Threat Mitigation Report552 553## Executive Summary554- **Overall Risk Reduction:** {risk_reduction:.1f}%555- **Total Threats:** {len(self.plan.threats)}556- **Total Controls:** {len(self.plan.controls)}557- **Identified Gaps:** {len(gaps)}558- **Critical Gaps:** {len(critical_gaps)}559 560## Defense in Depth Coverage561{self._format_layer_coverage(layer_coverage)}562 563## Critical Gaps Requiring Immediate Action564{self._format_gaps(critical_gaps)}565 566## Recommendations567{self._format_recommendations()}568 569## Implementation Roadmap570{self._format_roadmap()}571"""572        return report573 574    def _format_layer_coverage(self, coverage: Dict[str, List[str]]) -> str:575        lines = []576        for layer, controls in coverage.items():577            status = "✓" if controls else "✗"578            lines.append(f"- {layer}: {status} ({len(controls)} controls)")579        return "\n".join(lines)580 581    def _format_gaps(self, gaps: List[Dict]) -> str:582        if not gaps:583            return "No critical gaps identified."584        lines = []585        for gap in gaps:586            lines.append(f"- **{gap['threat_name']}**: {gap['issue']}")587            lines.append(f"  - Coverage: {gap['coverage']:.1f}%")588            lines.append(f"  - Recommendation: {gap['recommendation']}")589        return "\n".join(lines)590 591    def _format_recommendations(self) -> str:592        recommendations = []593        layer_coverage = self.defense_in_depth_analysis()594 595        for layer, controls in layer_coverage.items():596            if not controls:597                recommendations.append(f"- Add {layer} layer controls")598 599        gaps = self.plan.get_gaps()600        if any(g["issue"] == "No control diversity" for g in gaps):601            recommendations.append("- Add more detective and corrective controls")602 603        return "\n".join(recommendations) if recommendations else "Current coverage is adequate."604 605    def _format_roadmap(self) -> str:606        roadmap = self.generate_roadmap()607        if not roadmap:608            return "No additional controls recommended at this time."609 610        lines = []611        current_phase = 0612        for item in roadmap:613            if item["phase"] != current_phase:614                current_phase = item["phase"]615                lines.append(f"\n### Phase {current_phase}")616            lines.append(f"- [{item['priority']}] {item['control_name']} (for {item['threat']})")617 618        return "\n".join(lines)619```620 621### Template 4: Control Effectiveness Testing622 623```python624from dataclasses import dataclass625from typing import List, Callable, Any626import asyncio627 628@dataclass629class ControlTest:630    control_id: str631    test_name: str632    test_function: Callable[[], bool]633    expected_result: bool634    description: str635 636 637class ControlTester:638    """Test control effectiveness."""639 640    def __init__(self):641        self.tests: List[ControlTest] = []642        self.results: List[Dict] = []643 644    def add_test(self, test: ControlTest) -> None:645        self.tests.append(test)646 647    async def run_tests(self) -> List[Dict]:648        """Run all control tests."""649        self.results = []650 651        for test in self.tests:652            try:653                result = test.test_function()654                passed = result == test.expected_result655                self.results.append({656                    "control_id": test.control_id,657                    "test_name": test.test_name,658                    "passed": passed,659                    "actual_result": result,660                    "expected_result": test.expected_result,661                    "description": test.description,662                    "error": None663                })664            except Exception as e:665                self.results.append({666                    "control_id": test.control_id,667                    "test_name": test.test_name,668                    "passed": False,669                    "actual_result": None,670                    "expected_result": test.expected_result,671                    "description": test.description,672                    "error": str(e)673                })674 675        return self.results676 677    def get_effectiveness_score(self, control_id: str) -> float:678        """Calculate effectiveness score for a control."""679        control_results = [r for r in self.results if r["control_id"] == control_id]680        if not control_results:681            return 0.0682 683        passed = sum(1 for r in control_results if r["passed"])684        return (passed / len(control_results)) * 100685 686    def generate_test_report(self) -> str:687        """Generate test results report."""688        if not self.results:689            return "No tests have been run."690 691        total = len(self.results)692        passed = sum(1 for r in self.results if r["passed"])693 694        report = f"""695# Control Effectiveness Test Report696 697## Summary698- **Total Tests:** {total}699- **Passed:** {passed}700- **Failed:** {total - passed}701- **Pass Rate:** {(passed/total)*100:.1f}%702 703## Results by Control704"""705        # Group by control706        controls = {}707        for result in self.results:708            cid = result["control_id"]709            if cid not in controls:710                controls[cid] = []711            controls[cid].append(result)712 713        for control_id, results in controls.items():714            score = self.get_effectiveness_score(control_id)715            report += f"\n### {control_id} (Effectiveness: {score:.1f}%)\n"716            for r in results:717                status = "✓" if r["passed"] else "✗"718                report += f"- {status} {r['test_name']}\n"719                if r["error"]:720                    report += f"  - Error: {r['error']}\n"721 722        return report723```724 725## Best Practices726 727### Do's728 729- **Map all threats** - No threat should be unmapped730- **Layer controls** - Defense in depth is essential731- **Mix control types** - Preventive, detective, corrective732- **Track effectiveness** - Measure and improve733- **Review regularly** - Controls degrade over time734 735### Don'ts736 737- **Don't rely on single controls** - Single points of failure738- **Don't ignore cost** - ROI matters739- **Don't skip testing** - Untested controls may fail740- **Don't set and forget** - Continuous improvement741- **Don't ignore people/process** - Technology alone isn't enough
Related skills
Accessibility Compliance

This walks you through implementing proper WCAG 2.2 compliance with real code patterns for screen readers, keyboard navigation, and mobile accessibility. It cov
Airflow Dag Patterns

If you're building data pipelines with Airflow, this skill gives you production-ready DAG patterns that actually work in the real world. It covers TaskFlow API
Angular Migration

Migrating from AngularJS to Angular is notoriously painful, and this skill tackles the practical stuff that makes or breaks these projects. It covers hybrid app