security-requirement-extraction

Transform threat analysis into actionable security requirements. Converts STRIDE threat categories into functional, non-functional, and constraint requirements with automatic priority calculation based on impact and likelihood Generates security user stories, acceptance criteria, and test cases directly from threats; includes traceability matrices linking threats to requirements Maps requirements to compliance frameworks (PCI-DSS, HIPAA, GDPR, SOC2, NIST, ISO 27001, OWASP) and identifies coverage gaps Organizes requirements by security domain (authentication, authorization, data protection, audit logging, input validation, cryptography, and six others) with built-in filtering and export to markdown

INSTALLATION
npx skills add https://github.com/wshobson/agents --skill security-requirement-extraction
Run in your project or agent environment. Adjust flags if your CLI version differs.

SKILL.md

Security Requirement Extraction

Transform threat analysis into actionable security requirements.

When to Use This Skill

  • Converting threat models to requirements
  • Writing security user stories
  • Creating security test cases
  • Building security acceptance criteria
  • Compliance requirement mapping
  • Security architecture documentation

Core Concepts

1. Requirement Categories

Business Requirements → Security Requirements → Technical Controls

         ↓                       ↓                      ↓

  "Protect customer    "Encrypt PII at rest"   "AES-256 encryption

   data"                                        with KMS key rotation"

2. Security Requirement Types

TypeFocusExample
FunctionalWhat system must do"System must authenticate users"
Non-functionalHow system must perform"Authentication must complete in <2s"
ConstraintLimitations imposed"Must use approved crypto libraries"

3. Requirement Attributes

AttributeDescription
TraceabilityLinks to threats/compliance
TestabilityCan be verified
PriorityBusiness importance
Risk LevelImpact if not met

Templates and detailed worked examples

Full template library lives in references/details.md. Read that file when you need concrete templates for this skill.

Best Practices

Do's

  • Trace to threats - Every requirement should map to threats
  • Be specific - Vague requirements can't be tested
  • Include acceptance criteria - Define "done"
  • Consider compliance - Map to frameworks early
  • Review regularly - Requirements evolve with threats

Don'ts

  • Don't be generic - "Be secure" is not a requirement
  • Don't skip rationale - Explain why it matters
  • Don't ignore priorities - Not all requirements are equal
  • Don't forget testability - If you can't test it, you can't verify it
  • Don't work in isolation - Involve stakeholders
BrowserAct

Let your agent run on any real-world website

Bypass CAPTCHA & anti-bot for free. Start local, scale to cloud.

Explore BrowserAct Skills →

Stop writing automation&scrapers

Install the CLI. Run your first Skill in 30 seconds. Scale when you're ready.

Start free
free · no credit card