security-requirement-extraction
Generate security requirements from threats
Security threats are hard to turn into clear requirements. This skill converts threats into testable requirements, user stories, and compliance mappings. Use it when translating threat models into actionable security controls.
Download the skill ZIP
Upload in Claude
Go to Settings → Capabilities → Skills → Upload skill
Toggle on and start using
Test it
Using "security-requirement-extraction". Create requirements from a spoofing threat targeting login
Expected outcome:
- SR-001: Authenticate users before access to login
- Acceptance criteria: MFA for sensitive operations, authentication failures logged
- Test cases: Unauthenticated access denied, invalid credentials rejected, tokens cannot be forged
Using "security-requirement-extraction". Generate requirements for data tampering threats
Expected outcome:
- SR-005: Validate all input to data store
- Acceptance criteria: Data integrity verified, modification attempts trigger alerts
- Test cases: Invalid input rejected, tampered data detected and rejected
Security Audit
SafePure documentation skill containing templates and guidance for security requirement extraction. Python code examples in SKILL.md are documentation templates only, not executable code. All 47 static findings are false positives: URLs are documentation links, backticks are markdown code blocks, and security terminology (C2, crypto, reconnaissance, SAM) appears in legitimate compliance and threat modeling context. No actual code execution, network calls, or credential access occurs.
Risk Factors
🌐 Network access (4)
Quality Score
What You Can Build
Threat to requirement mapping
Convert STRIDE threat lists into prioritized security requirements with rationale.
Security user stories
Produce user stories and acceptance criteria for security backlog planning.
Control traceability
Map requirements to PCI DSS, HIPAA, GDPR, and OWASP controls.
Try These Prompts
Convert this threat into security requirements with acceptance criteria and test cases: [threat details].
Extract security requirements for these STRIDE threats and group by domain: [list of threats].
Generate security user stories with priority and acceptance criteria for these threats: [threats].
Map these requirements to PCI DSS and OWASP controls, and note gaps: [requirements].
Best Practices
- Provide clear threat descriptions with impact and likelihood ratings
- Trace each requirement to a specific threat identifier
- Include measurable acceptance criteria and testable conditions
Avoid
- Using generic requirements without testability
- Omitting rationale or priority for requirements
- Mapping to compliance without threat traceability