- Home
- Skills
- Ancoleman
- Ai Design Components
- Architecting Security
architecting-security_skill
- Python
291
GitHub Stars
2
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill ancoleman/ai-design-components --skill architecting-security- outputs.yaml11.6 KB
- SKILL.md24.7 KB
Overview
This skill designs comprehensive security architectures using defense-in-depth, zero trust, structured threat modeling (STRIDE, PASTA), and mappings to control frameworks like NIST CSF, CIS Controls, and ISO 27001. It guides strategic decisions for greenfield and brownfield systems, cloud-native and hybrid environments, and supply chain protections such as SLSA and SBOM. The focus is on pragmatic, risk-based architectures and governance that scale with organizational maturity.
How this skill works
I inspect system boundaries, data flows, identity and trust relationships, and operational processes to recommend layered controls and verification points. I apply threat modeling (DFDs + STRIDE/PASTA), map mitigations to control frameworks, and produce architecture patterns for identity, segmentation, monitoring, and supply-chain hardening. Outputs include prioritized controls, implementation roadmaps (zero trust overlays, cloud multi-account patterns), and prescriptive guidance for detection and response.
When to use it
- Designing security for a new application, cloud migration, or greenfield system
- Auditing or hardening an existing architecture (brownfield) and planning progressive improvements
- Implementing zero trust across users, devices, and services
- Establishing or maturing security governance and compliance programs (NIST CSF, ISO 27001, CIS)
- Threat modeling APIs, microservices, or complex data flows to prioritize mitigations
- Securing the software supply chain with SBOMs, SLSA, and automated dependency controls
Best practices
- Adopt defense-in-depth: independent layers (network, identity, app, data, ops) with clear failure modes
- Design identity-first and least-privilege policies; enforce MFA, JIT access, and RBAC/ABAC
- Apply continuous verification: device posture, behavioral analytics, and centralized policy engines
- Prioritize controls by risk and maturity—start with CIS IG1 for baselines and map to NIST CSF
- Automate security in CI/CD: SBOM generation, dependency scanning, signed builds (SLSA progression)
- Segment and micro-segment critical assets first to limit blast radius and enable safe incident recovery
Example use cases
- Greenfield SaaS platform: identity-first architecture with zero trust, micro-segmentation, and CI/CD signing
- Enterprise brownfield: overlay zero trust controls incrementally, segment admin and data planes, modernize IAM
- Cloud multi-account strategy: Security/Logging/Audit accounts with SCPs, centralized telemetry, and CSPM
- Threat modeling sprint: DFD-led STRIDE analysis to produce prioritized mitigations tied to frameworks
- Supply-chain hardening: add SBOMs, automate vulnerability alerts, and move CI to hardened SLSA levels
FAQ
Use NIST CSF for risk-based program design, CIS Controls for prescriptive baseline hardening (start with IG1), and ISO 27001 when you need a formal ISMS and certification.
Where should I start when migrating an existing system toward zero trust?
Start by inventorying identities and high-value assets, segment critical systems, modernize IAM (SSO, MFA), and add policy enforcement points for incremental verification.