playbooks

home / skills / sickn33 / antigravity-awesome-skills / attack-tree-construction

attack-tree-construction skill

/skills/attack-tree-construction

This skill helps you construct detailed attack trees to visualize threat paths, prioritize defenses, and communicate security risks to stakeholders.

This is most likely a fork of the attack-tree-construction skill from xfstudio
npx playbooks add skill sickn33/antigravity-awesome-skills --skill attack-tree-construction

Review the files below or copy the command above to add this skill to your agents.

Files (2)
SKILL.md
1.3 KB
---
name: attack-tree-construction
description: Build comprehensive attack trees to visualize threat paths. Use when mapping attack scenarios, identifying defense gaps, or communicating security risks to stakeholders.
---

# Attack Tree Construction

Systematic attack path visualization and analysis.

## Use this skill when

- Visualizing complex attack scenarios
- Identifying defense gaps and priorities
- Communicating risks to stakeholders
- Planning defensive investments or test scopes

## Do not use this skill when

- You lack authorization or a defined scope to model the system
- The task is a general risk review without attack-path modeling
- The request is unrelated to security assessment or design

## Instructions

- Confirm scope, assets, and the attacker goal for the root node.
- Decompose into sub-goals with AND/OR structure.
- Annotate leaves with cost, skill, time, and detectability.
- Map mitigations per branch and prioritize high-impact paths.
- If detailed templates are required, open `resources/implementation-playbook.md`.

## Safety

- Share attack trees only with authorized stakeholders.
- Avoid including sensitive exploit details unless required.

## Resources

- `resources/implementation-playbook.md` for detailed patterns, templates, and examples.

Overview

This skill builds comprehensive attack trees to visualize threat paths and prioritize defensive actions. It converts a defined attacker goal and system scope into a structured AND/OR tree, annotates leaf nodes with effort and detectability, and links mitigations to high-risk branches. The output is designed for security teams, decision-makers, and test planning.

How this skill works

Start by confirming scope, assets, and the attacker goal as the tree root. Decompose the root into sub-goals using AND/OR nodes, iterating until leaves represent discrete attacker actions or conditions. Annotate each leaf with cost, required skill, time, and detectability, then map mitigations and controls to each branch and prioritize paths by risk and impact.

When to use it

  • Mapping complex, multi-step attack scenarios for a system or application
  • Identifying defense gaps and prioritizing security investments
  • Designing red-team exercises or penetration test scopes
  • Communicating concrete risks and mitigations to non-technical stakeholders
  • Planning layered defenses or incident response playbooks

Best practices

  • Always confirm authorization and a clear scope before modeling any system
  • Use AND nodes for concurrent requirements and OR nodes for alternative paths
  • Annotate leaves with cost, skill level, time-to-execute, and detectability for realistic prioritization
  • Link specific mitigations to branches and estimate residual risk after controls
  • Keep trees versioned and review with architecture, ops, and incident response teams

Example use cases

  • Construct an attack tree for a web application to prioritize fixes for authentication and session management
  • Model supply-chain compromise scenarios to evaluate third-party risk and controls
  • Develop a red-team plan focusing on the highest-impact attack paths discovered in the tree
  • Produce a stakeholder-friendly visualization showing top risk paths and recommended mitigations
  • Assess cloud tenant misconfiguration risks by mapping privilege escalation and lateral movement paths

FAQ

Can I include exploit details in the tree?

Only include detailed exploit steps when stakeholders are authorized; otherwise keep leaves high-level to avoid exposing sensitive instructions.

How do I prioritize branches?

Prioritize by combining ease (cost, skill, time), detectability, and impact to target high-risk, low-effort paths first.