playbooks

home / skills / sickn33 / antigravity-awesome-skills / security-requirement-extraction

security-requirement-extraction skill

/skills/security-requirement-extraction

This skill translates threat analysis into actionable security requirements, enabling security user stories, tests, and architecture documentation.

This is most likely a fork of the security-requirement-extraction skill from xfstudio
npx playbooks add skill sickn33/antigravity-awesome-skills --skill security-requirement-extraction

Review the files below or copy the command above to add this skill to your agents.

Files (2)
SKILL.md
1.1 KB
---
name: security-requirement-extraction
description: Derive security requirements from threat models and business context. Use when translating threats into actionable requirements, creating security user stories, or building security test cases.
---

# Security Requirement Extraction

Transform threat analysis into actionable security requirements.

## Use this skill when

- Converting threat models to requirements
- Writing security user stories
- Creating security test cases
- Building security acceptance criteria
- Compliance requirement mapping
- Security architecture documentation

## Do not use this skill when

- The task is unrelated to security requirement extraction
- You need a different domain or tool outside this scope

## Instructions

- Clarify goals, constraints, and required inputs.
- Apply relevant best practices and validate outcomes.
- Provide actionable steps and verification.
- If detailed examples are required, open `resources/implementation-playbook.md`.

## Resources

- `resources/implementation-playbook.md` for detailed patterns and examples.

Overview

This skill extracts actionable security requirements from threat models and business context. It turns identified threats, assets, and constraints into measurable requirements, acceptance criteria, and testable user stories. The output is designed for engineers, product owners, and security teams to implement and verify controls.

How this skill works

Provide the threat model, business objectives, assets, and constraints. The skill maps threat scenarios to control goals, derives measurable requirements (what to implement), and creates verification steps and test cases. It applies security best practices and compliance mappings where relevant, and can output user stories, acceptance criteria, and testable items.

When to use it

  • Converting a threat model into developer-ready requirements
  • Writing security user stories for sprint planning
  • Creating security test cases and acceptance criteria
  • Mapping business-driven risks to controls for audits
  • Translating compliance needs into implementable work items

Best practices

  • Start with clear scope, assets, and business impact definitions
  • Prioritize requirements by risk, likelihood, and business criticality
  • Make requirements specific, measurable, and testable (Given/When/Then where possible)
  • Include acceptance criteria and verification steps for each requirement
  • Map each requirement back to the originating threat and control objective

Example use cases

  • Generate security user stories from STRIDE or PASTA threat models for a web application
  • Produce acceptance criteria and test cases for authentication and session management fixes
  • Create a compliance mapping from identified risks to controls for SOC/ISO audits
  • Turn a business impact analysis into prioritized security work items for the next sprint
  • Draft security test cases for CI pipelines based on threat-derived requirements

FAQ

What inputs are required to produce high-quality requirements?

A clear threat model, asset list, business objectives, constraints (technical, legal), and any applicable compliance standards yield the best results.

How are requirements validated?

Each requirement includes acceptance criteria and verification steps; validation is achieved through tests, code review checklists, and evidence linked to the requirement.