
Threat Mitigation Mapping
Map threats to preventive, detective, and corrective controls with layers, effectiveness, and coverage scoring before release.
Overview
threat-mitigation-mapping is an agent skill most often used in Ship (also Build and Operate) that maps threats to layered security controls with effectiveness and coverage scoring.
Install
npx skills add https://github.com/wshobson/agents --skill threat-mitigation-mapping
What is this skill?
- SecurityControl data model with ControlType (preventive, detective, corrective) and ControlLayer (network through physical)
- ImplementationStatus and Effectiveness enums plus coverage_score() from status and effectiveness
- Links controls to mitigates_threats, dependencies, technologies, and compliance_refs
- Template-oriented Python structures for building a mitigation matrix or traceability table
- 3 ControlType values (preventive, detective, corrective)
- 6 ControlLayer values including network, application, data, endpoint, process, physical
Adoption & trust: 7k installs on skills.sh; 36.5k GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You have a threat list but no consistent way to tie each risk to implemented controls, layers, and residual gaps.
Who is it for?
Solo founders documenting appsec posture before launch or customer security questionnaires.
Skip if: Teams that only need generic OWASP copy-paste checklists with no threat-specific traceability.
When should I use this skill?
You need to document or refine which security controls mitigate which threats with layers, cost, and implementation status.
What do I get? / Deliverables
You produce a mitigation model with scored controls linked to threats, dependencies, and compliance references ready for review gates.
- SecurityControl inventory with mitigates_threats links
- Coverage-scored mitigation matrix or traceability table
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Ship is the canonical shelf because the skill frames controls, implementation status, and mitigation coverage for production readiness reviews. Security subphase matches threat-to-control mapping, control layers, and compliance-oriented metadata in the templates.
Where it fits
Assign application-layer controls to API authentication and data-layer controls to encryption before setting coding priorities.
Score partial vs implemented controls and highlight gaps before a launch gate or SOC2-light questionnaire.
Promote detective controls to verified after alert tuning and tie them to residual threat IDs.
How it compares
Structured control-to-threat mapping templates—not a live vulnerability scanner or secrets MCP server.
Common Questions / FAQ
Who is threat-mitigation-mapping for?
Indie and small-team builders shipping web apps or APIs who need an explicit matrix from threats to controls, layers, and implementation status.
When should I use threat-mitigation-mapping?
During Ship security reviews; during Build when designing control placement across network and application layers; during Operate when updating status from partial to verified after incidents or audits.
Is threat-mitigation-mapping safe to install?
It is documentation and modeling guidance; review the Security Audits panel on this page and avoid pasting production secrets into generated control catalogs.
SKILL.md - Threat Mitigation Mapping
# Threat-mitigation mapping — templates and worked examples

## Templates

### Template 1: Mitigation Model

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Dict, Optional, Set
from datetime import datetime


class ControlType(Enum):
    PREVENTIVE = "preventive"
    DETECTIVE = "detective"
    CORRECTIVE = "corrective"


class ControlLayer(Enum):
    NETWORK = "network"
    APPLICATION = "application"
    DATA = "data"
    ENDPOINT = "endpoint"
    PROCESS = "process"
    PHYSICAL = "physical"


class ImplementationStatus(Enum):
    NOT_IMPLEMENTED = "not_implemented"
    PARTIAL = "partial"
    IMPLEMENTED = "implemented"
    VERIFIED = "verified"


class Effectiveness(Enum):
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    VERY_HIGH = 4


@dataclass
class SecurityControl:
    id: str
    name: str
    description: str
    control_type: ControlType
    layer: ControlLayer
    effectiveness: Effectiveness
    implementation_cost: str  # Low, Medium, High
    maintenance_cost: str
    status: ImplementationStatus = ImplementationStatus.NOT_IMPLEMENTED
    mitigates_threats: List[str] = field(default_factory=list)
    dependencies: List[str] = field(default_factory=list)
    technologies: List[str] = field(default_factory=list)
    compliance_refs: List[str] = field(default_factory=list)

    def coverage_score(self) -> float:
        """Calculate coverage score based on status and effectiveness."""
        status_multiplier = {
            ImplementationStatus.NOT_IMPLEMENTED: 0.0,
            ImplementationStatus.PARTIAL: 0.5,
            ImplementationStatus.IMPLEMENTED: 0.8,
            ImplementationStatus.VERIFIED: 1.0,
        }
        return self.effectiveness.value * status_multiplier[self.status]


@dataclass
class Threat:
    id: str
    name: str
    category: str  # STRIDE category
    description: str
    impact: str  # Critical, High, Medium, Low
    likelihood: str
    risk_score: float


@dataclass
class MitigationMapping:
    threat: Threat
    controls: List[SecurityControl]
    residual_risk: str = "Unknown"
    notes: str = ""

    def calculate_coverage(self) -> float:
        """Calculate how well controls cover the threat.

        The score is averaged over every listed control, so a planned
        (not_implemented) control lowers the percentage until it is built.
        """
        if not self.controls:
            return 0.0
        total_score = sum(c.coverage_score() for c in self.controls)
        max_possible = len(self.controls) * Effectiveness.VERY_HIGH.value
        return (total_score / max_possible) * 100 if max_possible > 0 else 0

    def has_defense_in_depth(self) -> bool:
        """Check if multiple layers are covered."""
        layers = set(
            c.layer for c in self.controls
            if c.status != ImplementationStatus.NOT_IMPLEMENTED
        )
        return len(layers) >= 2

    def has_control_diversity(self) -> bool:
        """Check if multiple control types are present."""
        types = set(
            c.control_type for c in self.controls
            if c.status != ImplementationStatus.NOT_IMPLEMENTED
        )
        return len(types) >= 2


@dataclass
class MitigationPlan:
    name: str
    threats: List[Threat] = field(default_factory=list)
    controls: List[SecurityControl] = field(default_factory=list)
    mappings: List[MitigationMapping] = field(default_factory=list)

    def get_unmapped_threats(self) -> List[Threat]:
        """Find threats without mitigations."""
        mapped_ids = {m.threat.id for m in self.mappings}
        return [t for t in self.threats if t.id not in mapped_ids]

    def get_control_coverage(self) -> Dict[str, float]:
        """Get coverage percentage for each threat."""
        return {
            m.threat.id: m.calculate_coverage()
            for m in self.mappings
        }

    def get_gaps(self) -> List[Dict]:
        """Identify mitigation gaps."""
        gaps = []
        for mapping in self.mappings:
            coverage = mapping.calculate_coverage()
            if coverage < 50:
                gaps.append({
                    "threat": mapping.threat.id,
                    # minimal completion: the source template ends mid-dict here
                    "coverage": coverage,
                })
        return gaps
```
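The template above defines the model but never runs it, and the "Where it fits" steps (assign layers, score partial vs implemented, promote a detective control to verified) are easier to judge with numbers in front of you. The following is an added worked example, not code from the skill's SKILL.md or the wshobson/agents repository: it re-declares a trimmed copy of the model so it runs on its own (the status multiplier is folded into the enum value), scores three constructed threats against five constructed controls for a hypothetical API, and renders the traceability table a launch gate would read. Every threat, control, effectiveness rating and status below is made up for illustration.

```python
"""Added worked example: score a small mitigation matrix and render it.
Threats, controls, ratings and statuses are constructed, not real findings."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List


# Trimmed copy of the SKILL.md model so this file runs stand-alone.
class ControlType(Enum):
    PREVENTIVE = "preventive"
    DETECTIVE = "detective"
    CORRECTIVE = "corrective"


class ControlLayer(Enum):
    NETWORK = "network"
    APPLICATION = "application"
    DATA = "data"
    PROCESS = "process"


class ImplementationStatus(Enum):  # value doubles as the status multiplier
    NOT_IMPLEMENTED = 0.0
    PARTIAL = 0.5
    IMPLEMENTED = 0.8
    VERIFIED = 1.0


class Effectiveness(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    VERY_HIGH = 4


@dataclass
class SecurityControl:
    id: str
    name: str
    control_type: ControlType
    layer: ControlLayer
    effectiveness: Effectiveness
    status: ImplementationStatus = ImplementationStatus.NOT_IMPLEMENTED

    def coverage_score(self) -> float:
        return self.effectiveness.value * self.status.value


@dataclass
class Threat:
    id: str
    name: str
    category: str  # STRIDE category


@dataclass
class MitigationMapping:
    threat: Threat
    controls: List[SecurityControl] = field(default_factory=list)

    def calculate_coverage(self) -> float:
        """Percent of the best case: every listed control VERY_HIGH and VERIFIED."""
        if not self.controls:
            return 0.0
        got = sum(c.coverage_score() for c in self.controls)
        return 100 * got / (len(self.controls) * Effectiveness.VERY_HIGH.value)

    def _live(self) -> List[SecurityControl]:  # controls that exist in some form
        return [c for c in self.controls if c.status is not ImplementationStatus.NOT_IMPLEMENTED]

    def has_defense_in_depth(self) -> bool:
        return len({c.layer for c in self._live()}) >= 2

    def has_control_diversity(self) -> bool:
        return len({c.control_type for c in self._live()}) >= 2


# Constructed inventory for a hypothetical public API (illustrative only).
THREATS = [
    Threat("T-01", "Caller impersonates another tenant", "Spoofing"),
    Threat("T-02", "Database snapshot exposes customer data", "Information disclosure"),
    Threat("T-03", "Build pipeline publishes a tampered artifact", "Tampering"),
]
CONTROLS = {
    "C-01": SecurityControl("C-01", "OAuth2 bearer token verified per request", ControlType.PREVENTIVE,
                            ControlLayer.APPLICATION, Effectiveness.HIGH, ImplementationStatus.IMPLEMENTED),
    "C-02": SecurityControl("C-02", "Alert on auth-failure bursts per client", ControlType.DETECTIVE,
                            ControlLayer.APPLICATION, Effectiveness.MEDIUM, ImplementationStatus.PARTIAL),
    "C-03": SecurityControl("C-03", "mTLS between gateway and services", ControlType.PREVENTIVE,
                            ControlLayer.NETWORK, Effectiveness.VERY_HIGH),  # planned, not built
    "C-04": SecurityControl("C-04", "Encryption at rest with KMS-managed keys", ControlType.PREVENTIVE,
                            ControlLayer.DATA, Effectiveness.HIGH, ImplementationStatus.VERIFIED),
    "C-05": SecurityControl("C-05", "Quarterly access-log review of snapshot reads", ControlType.DETECTIVE,
                            ControlLayer.PROCESS, Effectiveness.MEDIUM, ImplementationStatus.IMPLEMENTED),
}


def build_mappings() -> List[MitigationMapping]:
    """Link threats to controls; T-03 is deliberately left unmapped."""
    by_id = {t.id: t for t in THREATS}
    return [
        MitigationMapping(by_id["T-01"], [CONTROLS["C-01"], CONTROLS["C-02"], CONTROLS["C-03"]]),
        MitigationMapping(by_id["T-02"], [CONTROLS["C-04"], CONTROLS["C-05"]]),
    ]


def unmapped(mappings: List[MitigationMapping]) -> List[str]:
    mapped = {m.threat.id for m in mappings}
    return [t.id for t in THREATS if t.id not in mapped]


def gaps(mappings: List[MitigationMapping], threshold: float = 50.0) -> List[str]:
    return [m.threat.id for m in mappings if m.calculate_coverage() < threshold]


def traceability_table(mappings: List[MitigationMapping]) -> str:
    """Markdown traceability table for a launch gate or questionnaire."""
    rows = ["| Threat | Category | Controls (status) | Coverage | Depth | Diversity |",
            "|---|---|---|---|---|---|"]
    for m in mappings:
        ids = ", ".join(f"{c.id} ({c.status.name.lower()})" for c in m.controls)
        rows.append(f"| {m.threat.id} | {m.threat.category} | {ids} | {m.calculate_coverage():.1f}% "
                    f"| {m.has_defense_in_depth()} | {m.has_control_diversity()} |")
    for tid in unmapped(mappings):
        rows.append(f"| {tid} | | (none) | 0.0% | False | False |")
    return "\n".join(rows)


if __name__ == "__main__":
    ms = build_mappings()
    print(traceability_table(ms))
    print("gaps:", gaps(ms), "unmapped:", unmapped(ms))
    # Operate-phase updates: promote the alert after tuning, then ship mTLS.
    CONTROLS["C-02"].status = ImplementationStatus.VERIFIED
    print("T-01 after alert verified: %.1f%%" % ms[0].calculate_coverage())
    CONTROLS["C-03"].status = ImplementationStatus.IMPLEMENTED
    print("T-01 after mTLS built: %.1f%%, depth=%s" % (ms[0].calculate_coverage(), ms[0].has_defense_in_depth()))
```

Two things worth noticing when reading the output. T-01 has control diversity (a preventive and a detective control) but no defense in depth, because both live controls sit in the application layer and the network-layer mTLS control is still not_implemented. And because coverage is averaged over every listed control, listing that planned mTLS control pulls T-01 from 42.5% down to 28.3%; promoting the alert to verified only lifts it to 36.7%, and it clears the 50% gap threshold (63.3%) only once mTLS is actually implemented. Record planned controls for traceability, but read the percentage with that averaging in mind.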