Forem: Travis Felder The latest articles on Forem by Travis Felder (@tfelder). https://forem.com/tfelder https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3796590%2F47d4840b-73fa-4644-b24f-199445a89024.png Forem: Travis Felder https://forem.com/tfelder en Automated Threat Modeling with AI - How Thr8 Works Travis Felder Fri, 27 Feb 2026 15:02:30 +0000 https://forem.com/tfelder/automated-threat-modeling-with-ai-how-thr8-works-76h https://forem.com/tfelder/automated-threat-modeling-with-ai-how-thr8-works-76h <p>Every security compliance framework asks the same question: "Where is your threat model?"</p> <p>And every engineering team gives the same answer: "We will get to it."</p> <p>PASTA (Process for Attack Simulation and Threat Analysis) is one of the most thorough threat modeling frameworks. It is risk-centric, covers 7 stages from business objectives through attack simulation, and produces actionable output. But it takes days of manual work per application. Most teams never start.</p> <p>I built <a href="https://github.com/cybrking/thr8" rel="noopener noreferrer">thr8</a> to automate this. It is a GitHub Action that generates complete PASTA threat models by combining static codebase analysis with AI-powered threat reasoning. This article walks through the architecture, the PASTA methodology, and how it integrates into CI/CD.</p> <h2> The PASTA Framework in 60 Seconds </h2> <p>PASTA has 7 stages. Most threat modeling tools skip half of them. thr8 covers all 7:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Stage</th> <th>Name</th> <th>What thr8 Does</th> </tr> </thead> <tbody> <tr> <td>1</td> <td>Business Objectives</td> <td>Identifies what the system protects and the impact of a breach</td> </tr> <tr> <td>2</td> <td>Technical Scope</td> <td>Detects tech stack, infrastructure, data classification</td> </tr> <tr> <td>3</td> <td>Application Decomposition</td> <td>Generates data flow diagrams across trust boundaries</td> </tr> <tr> <td>4</td> <td>Threat Analysis</td> <td>Maps attack surfaces and threat vectors</td> </tr> <tr> <td>5</td> <td>Vulnerability Analysis</td> <td>Identifies specific weaknesses with severity ratings</td> </tr> <tr> <td>6</td> <td>Attack Modeling</td> <td>Creates realistic kill chain scenarios</td> </tr> <tr> <td>7</td> <td>Risk &amp; Impact Analysis</td> <td>Scores business risk with tactical recommendations</td> </tr> </tbody> </table></div> <p>The key insight behind PASTA is that threats only matter in the context of business risk. A SQL injection in an internal admin tool is a different risk than a SQL injection in a payment processing API. thr8 captures that context.</p> <h2> Architecture: Static Analysis + AI Reasoning </h2> <p>thr8 runs a 4-stage pipeline. The first stage is deterministic (no AI). The second uses Claude. The third is templating. The fourth is optional GitHub integration.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Discovery (Static) Reasoning (Claude AI) Output Remediation +---------------------+ +----------------------+ +----------+ +--------------+ | | | Business Objectives | | Markdown | | GitHub Issues| | Codebase Scanner |-----&gt;| Attack Surfaces |-----&gt;| JSON |-----&gt;| Fix PRs | | | | Kill Chain Scenarios | | HTML | | | | - Tech stack | | Risk Analysis | | PDF | | (optional) | | - Infrastructure | | Recommendations | | | | | | - API endpoints | | | | | | | | - Data flows | | (3 focused API calls) | | | | | +---------------------+ +----------------------+ +----------+ +--------------+ </code></pre> </div> <h3> Stage 1: Discovery (Static Analysis) </h3> <p>The <code>CodebaseScannerAgent</code> walks the repository tree, prioritizing security-relevant files. It uses a scoring system to read the most important files first:</p> <ul> <li> <strong>Priority files</strong> (always included): <code>package.json</code>, <code>Dockerfile</code>, <code>docker-compose.yml</code>, <code>terraform/*.tf</code>, <code>.env.example</code> </li> <li> <strong>High-signal source files</strong> (read first): routes, controllers, auth middleware, security configs</li> <li> <strong>Infrastructure configs</strong>: Terraform HCL, Kubernetes manifests, Docker Compose YAML</li> <li> <strong>General source</strong>: remaining source files up to a 120K character budget</li> </ul> <p>The scanner does not use AI for this step. It reads files, respects a configurable size budget (8K chars per file, 120K total), skips binary files and lock files, and produces a structured context document.</p> <p>Here is what the file prioritization looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Files sorted by security relevance</span> <span class="nx">files</span><span class="p">.</span><span class="nf">sort</span><span class="p">((</span><span class="nx">a</span><span class="p">,</span> <span class="nx">b</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">score</span> <span class="o">=</span> <span class="p">(</span><span class="nx">p</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="sr">/route|controller|handler|endpoint|api/i</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="nx">p</span><span class="p">))</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="sr">/auth|security|middleware|guard/i</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="nx">p</span><span class="p">))</span> <span class="k">return</span> <span class="mi">1</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="sr">/config|setting/i</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="nx">p</span><span class="p">))</span> <span class="k">return</span> <span class="mi">2</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="sr">/</span><span class="se">\.</span><span class="sr">tf$|docker|k8s|helm|deploy/i</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="nx">p</span><span class="p">))</span> <span class="k">return</span> <span class="mi">3</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="sr">/model|schema|migration|database/i</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="nx">p</span><span class="p">))</span> <span class="k">return</span> <span class="mi">4</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="sr">/service|util|helper|lib/i</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="nx">p</span><span class="p">))</span> <span class="k">return</span> <span class="mi">5</span><span class="p">;</span> <span class="k">return</span> <span class="mi">6</span><span class="p">;</span> <span class="p">};</span> <span class="k">return</span> <span class="nf">score</span><span class="p">(</span><span class="nx">a</span><span class="p">.</span><span class="nx">path</span><span class="p">)</span> <span class="o">-</span> <span class="nf">score</span><span class="p">(</span><span class="nx">b</span><span class="p">.</span><span class="nx">path</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>The output of this stage is a JSON document containing:</p> <ul> <li> <code>system_context</code>: project name, tech stack (languages, frameworks, databases, external services, auth mechanisms, security controls), infrastructure (cloud provider, containerization, services), API surface (endpoints with methods, paths, auth requirements, sensitive data), and sensitive patterns found in code</li> <li> <code>data_flows</code>: traced data movement through the system with steps, protocols, data classification, and trust boundaries</li> </ul> <h3> Stage 2: Reasoning (Claude API) </h3> <p>The <code>ThreatGeneratorAgent</code> sends the discovery context to Claude along with a STRIDE attack pattern database. The pattern database contains ~40 pre-built attack patterns across 4 categories:</p> <ul> <li> <strong>stride-api.json</strong>: API key theft, request body tampering, CORS misconfiguration, rate limiting bypass</li> <li> <strong>stride-auth.json</strong>: Credential stuffing, session hijacking, JWT forgery, privilege escalation</li> <li> <strong>stride-database.json</strong>: SQL injection, unencrypted data at rest, connection pool exhaustion</li> <li> <strong>stride-storage.json</strong>: Unauthorized access, pre-signed URL abuse, missing encryption</li> </ul> <p>Claude performs the PASTA analysis (Stages 1-2 and 4-7) and returns structured JSON covering:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"business_objectives"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="err">...</span><span class="p">],</span><span class="w"> </span><span class="nl">"overall_risk_status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"MEDIUM"</span><span class="p">,</span><span class="w"> </span><span class="nl">"attack_surfaces"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Public API Endpoint"</span><span class="p">,</span><span class="w"> </span><span class="nl">"vector"</span><span class="p">:</span><span class="w"> </span><span class="s2">"HTTP"</span><span class="p">,</span><span class="w"> </span><span class="nl">"weakness"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Missing rate limiting on authentication endpoint"</span><span class="p">,</span><span class="w"> </span><span class="nl">"vulnerabilities"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"API-AUTH-001"</span><span class="p">,</span><span class="w"> </span><span class="nl">"title"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Brute Force Authentication"</span><span class="p">,</span><span class="w"> </span><span class="nl">"description"</span><span class="p">:</span><span class="w"> </span><span class="s2">"No rate limiting on /api/auth/login allows..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"severity"</span><span class="p">:</span><span class="w"> </span><span class="s2">"High"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"attack_scenarios"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Account Takeover via Credential Stuffing"</span><span class="p">,</span><span class="w"> </span><span class="nl">"objective"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Gain access to user accounts"</span><span class="p">,</span><span class="w"> </span><span class="nl">"steps"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"phase"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Reconnaissance"</span><span class="p">,</span><span class="w"> </span><span class="nl">"action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Enumerate valid usernames via registration endpoint"</span><span class="p">,</span><span class="w"> </span><span class="nl">"exploits"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"API-AUTH-002"</span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"phase"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Exploitation"</span><span class="p">,</span><span class="w"> </span><span class="nl">"action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Brute force login with credential lists"</span><span class="p">,</span><span class="w"> </span><span class="nl">"exploits"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"API-AUTH-001"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"risk_analysis"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="err">...</span><span class="p">],</span><span class="w"> </span><span class="nl">"tactical_recommendations"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="err">...</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The model is <code>claude-sonnet-4-6</code>. Total token usage is typically 2-5K input and 3-8K output per call (3 calls total). Cost: $0.05-0.15 per run.</p> <h3> Stage 3: Output Generation </h3> <p>The <code>ReporterAgent</code> renders the analysis into multiple formats using Handlebars templates:</p> <p><strong>Markdown</strong> (<code>THREAT_MODEL.md</code>) -- renders natively on GitHub with embedded Mermaid data flow diagrams:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>graph LR auth_flow_0["Browser&lt;br/&gt;&lt;i&gt;external_user&lt;/i&gt;"] auth_flow_1["API Gateway&lt;br/&gt;&lt;i&gt;load_balancer&lt;/i&gt;"] auth_flow_2["Auth Service&lt;br/&gt;&lt;i&gt;application&lt;/i&gt;"] auth_flow_3["User Database&lt;br/&gt;&lt;i&gt;database&lt;/i&gt;"] auth_flow_0 --&gt;|"HTTPS"| auth_flow_1 auth_flow_1 --&gt;|"internal"| auth_flow_2 auth_flow_2 --&gt;|"TLS"| auth_flow_3 </code></pre> </div> <p><strong>JSON</strong> (<code>threat-model.json</code>) -- machine-readable for CI/CD integration, custom dashboards, or feeding into other security tools.</p> <p><strong>HTML</strong> (<code>THREAT_MODEL.html</code>) -- professional report with sidebar navigation, executive summary dashboard, color-coded severity levels, and embedded diagrams. Print-friendly for stakeholder distribution.</p> <p><strong>PDF</strong> (<code>THREAT_MODEL.pdf</code>) -- generated from HTML via headless Chrome when available on the runner.</p> <h3> Stage 4: Automated Remediation </h3> <p>The <code>RemediatorAgent</code> is the most interesting part. When you provide a <code>github-token</code> and enable <code>create-issues</code> and <code>auto-fix</code>, the action does not just report findings -- it acts on them.</p> <p>For each vulnerability found:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Is auto-fix enabled AND severity is in pr-severity list? +-- YES --&gt; Generate fix with Claude | +-- High/medium confidence --&gt; Open fix PR | +-- Low confidence --&gt; Fall back to issue +-- NO --&gt; Create GitHub Issue (if create-issues enabled) </code></pre> </div> <p>Fix PRs are created on <code>thr8/fix-{vuln-id}</code> branches. Each PR includes:</p> <ul> <li>The minimal code change needed</li> <li>An explanation of what was fixed</li> <li>Risk context (severity, business impact)</li> <li>A list of changed files</li> </ul> <p>Deduplication is built in. Each issue and PR body contains a hidden marker (<code>&lt;!-- thr8:V-001 --&gt;</code>) that prevents duplicates on re-runs.</p> <h2> CI/CD Integration </h2> <h3> Basic Setup </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Threat Model</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">threat-model</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Generate Threat Model</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">cybrking/thr8@v1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">anthropic-api-key</span><span class="pi">:</span> <span class="s">${{ secrets.ANTHROPIC_API_KEY }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Upload Report</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/upload-artifact@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">threat-model</span> <span class="na">path</span><span class="pi">:</span> <span class="s">threat-model/</span> </code></pre> </div> <h3> Fail Builds on Critical Findings </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Generate Threat Model</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">cybrking/thr8@v1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">anthropic-api-key</span><span class="pi">:</span> <span class="s">${{ secrets.ANTHROPIC_API_KEY }}</span> <span class="na">fail-on-high-risk</span><span class="pi">:</span> <span class="s1">'</span><span class="s">true'</span> </code></pre> </div> <h3> Full Remediation Pipeline </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">jobs</span><span class="pi">:</span> <span class="na">threat-model</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">write</span> <span class="na">pull-requests</span><span class="pi">:</span> <span class="s">write</span> <span class="na">issues</span><span class="pi">:</span> <span class="s">write</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Generate Threat Model</span> <span class="na">id</span><span class="pi">:</span> <span class="s">threat-model</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">cybrking/thr8@v1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">anthropic-api-key</span><span class="pi">:</span> <span class="s">${{ secrets.ANTHROPIC_API_KEY }}</span> <span class="na">github-token</span><span class="pi">:</span> <span class="s">${{ secrets.GITHUB_TOKEN }}</span> <span class="na">create-issues</span><span class="pi">:</span> <span class="s1">'</span><span class="s">true'</span> <span class="na">auto-fix</span><span class="pi">:</span> <span class="s1">'</span><span class="s">true'</span> <span class="na">pr-severity</span><span class="pi">:</span> <span class="s1">'</span><span class="s">critical,high'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Summary</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">echo "Threats found: ${{ steps.threat-model.outputs.threats-found }}"</span> <span class="s">echo "Critical: ${{ steps.threat-model.outputs.high-risk-count }}"</span> <span class="s">echo "Issues created: ${{ steps.threat-model.outputs.issues-created }}"</span> <span class="s">echo "Fix PRs created: ${{ steps.threat-model.outputs.prs-created }}"</span> </code></pre> </div> <h3> Post Summary as PR Comment </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Comment on PR</span> <span class="na">if</span><span class="pi">:</span> <span class="s">github.event_name == 'pull_request'</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/github-script@v7</span> <span class="na">with</span><span class="pi">:</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">const fs = require('fs');</span> <span class="s">const report = fs.readFileSync('threat-model/THREAT_MODEL.md', 'utf8');</span> <span class="s">github.rest.issues.createComment({</span> <span class="s">issue_number: context.issue.number,</span> <span class="s">owner: context.repo.owner,</span> <span class="s">repo: context.repo.repo,</span> <span class="s">body: report</span> <span class="s">});</span> </code></pre> </div> <h2> Supported Tech Stacks </h2> <p>The codebase scanner automatically detects:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Category</th> <th>Examples</th> </tr> </thead> <tbody> <tr> <td>Languages</td> <td>JavaScript, TypeScript, Python, Go, Java, Ruby</td> </tr> <tr> <td>Frameworks</td> <td>Express, Django, Rails, FastAPI, Spring Boot, Next.js</td> </tr> <tr> <td>Databases</td> <td>PostgreSQL, MySQL, MongoDB, Redis, DynamoDB</td> </tr> <tr> <td>Infrastructure</td> <td>Terraform, Docker, Docker Compose, Kubernetes</td> </tr> <tr> <td>Auth</td> <td>JWT, OAuth, session-based, API keys</td> </tr> <tr> <td>Cloud</td> <td>AWS, GCP, Azure resource detection</td> </tr> </tbody> </table></div> <h2> Cost Transparency </h2> <p>Three Claude API calls per run using <code>claude-sonnet-4-6</code>:</p> <ul> <li>Typical input: ~2-5K tokens per call</li> <li>Typical output: ~3-8K tokens per call</li> <li> <strong>Estimated cost: $0.05-0.15 per run</strong> (analysis only)</li> </ul> <p>With <code>auto-fix</code> enabled, add ~$0.02-0.06 per run for fix generation.</p> <p>For a team running this on 50 repos with weekly pushes to main, that is roughly $10-30/month for continuous threat modeling across your entire portfolio.</p> <h2> What It Does Not Do </h2> <p>Transparency matters. thr8 is not:</p> <ul> <li> <strong>A DAST scanner.</strong> It does not make HTTP requests to your running application.</li> <li> <strong>A replacement for penetration testing.</strong> It identifies architectural threats, not runtime vulnerabilities.</li> <li> <strong>A compliance certification tool.</strong> It produces documentation that supports compliance, but does not certify anything.</li> <li> <strong>Deterministic.</strong> Claude's analysis may vary between runs. The static discovery is deterministic, but the threat reasoning is probabilistic.</li> </ul> <h2> Try It </h2> <p>The repo is open source (MIT): <a href="https://github.com/cybrking/thr8" rel="noopener noreferrer">github.com/cybrking/thr8</a></p> <p>GitHub Marketplace: <a href="https://github.com/marketplace/actions/pasta-threat-model-generator" rel="noopener noreferrer">PASTA Threat Model Generator</a></p> <p>Add it to a repo, run it, and open an issue with feedback. The whole setup takes less than 5 minutes.</p> security devsecops ai github