
Security Requirement Extraction

Derive security requirements from threat models and business context.

Turns threat models and business context into concrete, testable security requirements, so security stops being a vague afterthought and becomes part of every feature's acceptance criteria. It maps each STRIDE threat category to security domains and requirement patterns, auto-generates user stories, acceptance criteria, and test cases, and ties everything back to compliance frameworks like PCI DSS, HIPAA, GDPR, and OWASP ASVS. You go from 'protect customer data' to traceable requirements like 'encrypt PII at rest with AES-256 and 90-day key rotation.'

$15 one-time
Add to a kit →

Prices include 20% VAT. · Forged on real agency work · one-time, no lock-in

  • Type Skill
  • Category Security
  • Delivery Email · instant
  • License One-time
forgehouse, security-requirement-extraction

Inside the run · no black box

See the actual work before you buy it.

A threat model that never becomes a backlog protects nothing. This skill converts every STRIDE finding into scored, testable requirements with acceptance criteria, then walks them straight into sprint planning and compliance mapping.

  1. Take the threat model as structured input: every threat with its STRIDE category, target component, impact and likelihood.
  2. Run each threat through the STRIDE-to-requirement mapping: Spoofing produces authentication and session requirements, Tampering produces input validation and integrity requirements, Repudiation produces audit logging requirements, and so on, with three requirement templates per category.
  3. Score priority mechanically as impact times likelihood (a score of 12 or more is critical, 6 or more is high) so the backlog order reflects measured risk, not gut feel.
  4. Attach testable acceptance criteria and concrete test cases to every requirement; vague statements like 'be secure' are rejected, and only verifiable controls survive.
  5. Convert requirements into user stories and domain epics that drop straight into sprint planning, so security becomes part of each feature's definition of done instead of a separate task.
  6. Map every requirement to compliance frameworks (PCI DSS, HIPAA, GDPR, OWASP ASVS), run the gap analysis for missing or single-control coverage, and maintain the threat-to-requirement traceability matrix as proof.
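The six steps above as an added example, not the product's own code: a minimal Python version of the pipeline that maps each threat to a requirement template, scores it, records traceability and runs the gap analysis. It assumes one illustrative template per STRIDE category (the product ships three), a constructed three-threat model, and framework labels that are assumptions rather than the product's mapping.

```python
# Added example (not the vendor's code): a minimal version of the STRIDE-to-requirement
# pipeline the steps above describe. Template wording, field names and the framework
# labels are illustrative assumptions; the product ships three templates per category.
from collections import defaultdict

# (domain, requirement pattern, testable acceptance criterion, framework controls)
TEMPLATES = {
    "Spoofing": ("Authentication", "{c} must require MFA for interactive login",
                 "Login with a valid password but no second factor is rejected", ["ASVS V2", "PCI DSS 8"]),
    "Tampering": ("Integrity", "{c} must reject request bodies that fail schema or signature checks",
                  "One altered byte in a signed payload yields HTTP 400", ["ASVS V5"]),
    "Repudiation": ("Audit logging", "{c} must write append-only audit records for state changes",
                    "Each write logs actor, action, target and UTC timestamp", ["ASVS V7", "HIPAA 164.312(b)"]),
    "Information disclosure": ("Data protection", "{c} must encrypt PII at rest with AES-256, keys rotated every 90 days",
                               "Stored PII is unreadable without the current key; no key is older than 90 days", ["GDPR Art. 32", "PCI DSS 3"]),
    "Denial of service": ("Availability", "{c} must rate-limit requests per client identity",
                          "Exceeding the quota returns HTTP 429 within one second", ["ASVS V11"]),
    "Elevation of privilege": ("Authorization", "{c} must enforce server-side authorization on every route",
                               "A non-admin token on an admin route receives HTTP 403", ["ASVS V4"]),
}
SCOPE = sorted({fw for _, _, _, fws in TEMPLATES.values() for fw in fws})  # controls in scope

def priority(impact, likelihood):
    """Impact x likelihood; 12+ is critical, 6+ is high (page rule); lower is 'medium' by assumption."""
    score = impact * likelihood
    return score, "critical" if score >= 12 else "high" if score >= 6 else "medium"

def extract(threats, scope=SCOPE):
    """Return (requirements sorted by risk, threat->requirement trace, coverage gaps)."""
    reqs, trace, coverage = [], {}, defaultdict(list)
    for t in threats:
        domain, pattern, criterion, frameworks = TEMPLATES[t["category"]]
        score, level = priority(t["impact"], t["likelihood"])
        rid = f"SR-{len(reqs) + 1:03d}"
        reqs.append({"id": rid, "threat": t["id"], "domain": domain, "score": score, "priority": level,
                     "requirement": pattern.format(c=t["component"]), "acceptance": criterion,
                     "frameworks": frameworks})
        trace[t["id"]] = rid  # traceability matrix: every threat points at its requirement
        for fw in frameworks:
            coverage[fw].append(rid)
    # Gap analysis: in-scope controls with no requirement (missing) or only one (single-control).
    gaps = {fw: coverage.get(fw, []) for fw in scope if len(coverage.get(fw, [])) < 2}
    return sorted(reqs, key=lambda r: -r["score"]), trace, gaps

# Constructed sample threat model (three threats for a payments service).
THREATS = [
    {"id": "T1", "category": "Spoofing", "component": "Login service", "impact": 4, "likelihood": 3},
    {"id": "T2", "category": "Information disclosure", "component": "Customer DB", "impact": 5, "likelihood": 2},
    {"id": "T3", "category": "Denial of service", "component": "Checkout API", "impact": 3, "likelihood": 1},
]
```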
Use cases · what happens when you plug it in

security-requirement-extraction · core

  1. Convert a STRIDE threat model into prioritized security requirements
  2. Generate security user stories and acceptance criteria for the backlog
  3. Build security test cases tied to specific threats
  4. Map requirements to PCI DSS, HIPAA, GDPR, and OWASP controls
  5. Run a compliance gap analysis to find missing or weakly covered controls
  6. Produce a threat-to-requirement traceability matrix for auditors
Benefits · what you walk away with

Yours to keep, under a perpetual license:

  1. Make security a measurable acceptance criterion instead of a vague goal
  2. Prioritize requirements by impact and likelihood so critical risks come first
  3. Prove compliance coverage with traceability back to threats and frameworks
  4. Catch coverage gaps before an auditor or attacker finds them

subscriptions expire · deeds don't

What's included · the full manifest

Everything in the box: 6 parts, one working system, shipped instantly by email.

  • STRIDE-to-domain mapping covering all six threat categories (part 01 of 06)

Who it's for

This wasn't forged for everyone.

  • Not for you if you'd rather rent a tool than own one.
  • Not for you if you want someone else to run your stack.
  • Not for you if you're happy guessing.
Still here? Good.

If you're a security architect or engineering lead who needs to translate threats into testable, compliance-mapped requirements that fit straight into the sprint backlog, then this was forged for you.

Works with

Universal by design: these run in any AI. Delivered in the open Agent Skills + MCP format (native in Claude); ChatGPT, Gemini, Cursor and Copilot adapt the same files their own way.

  • Claude · native format
  • ChatGPT · adapts via open standards
  • Gemini · adapts via open standards
  • Cursor · adapts via open standards
  • Copilot · adapts via open standards
Questions · still in the air


  1. We don't have a formal threat model yet, can we still use this?

    It works best from a STRIDE threat model, because the core mapping runs threat category to security domain to requirement pattern. Without one you can start from business context, but you'd produce the STRIDE pass first rather than skip it.

  2. How does a goal like 'protect customer data' become something testable?

    Each STRIDE category maps to requirement patterns that auto-generate user stories, acceptance criteria, and test cases: for example, encrypt PII at rest with AES-256 and 90-day key rotation. Everything ties back to PCI DSS, HIPAA, GDPR, or OWASP ASVS controls through a traceability matrix.

  3. Does it enforce or test these requirements in my codebase?

    No. It produces prioritized requirements, backlog-ready stories, test cases, and a compliance gap analysis for auditors. Implementing the controls and running the tests stays with your engineering and security tooling.

  4. How is it delivered?

    By email right after purchase: ready to run, downloaded instantly, no setup wait.

  5. One-time or subscription?

    A one-time purchase; no subscription or hidden fees. VAT (20%) is included.

  6. Can I get a refund?

    As a digital product, it can’t be refunded once downloaded. That’s why we show exactly what’s inside and who it’s for, right here.