Labsco
wshobson logo

attack-tree-construction

โ˜… 37,559

by wshobson ยท part of wshobson/agents

Build comprehensive attack trees to visualize threat paths. Use when mapping attack scenarios, identifying defense gaps, or communicating security risks to stakeholders.

๐Ÿงฉ One of 7 skills in the wshobson/agents package โ€” works on its own, and pairs well with its siblings.

This is the playbook your agent receives when the skill activates โ€” you don't need to read it to use the skill, but it's here to audit before installing.

Attack Tree Construction

Systematic attack path visualization and analysis.

When to Use This Skill

  • Visualizing complex attack scenarios
  • Identifying defense gaps and priorities
  • Communicating risks to stakeholders
  • Planning defensive investments
  • Penetration test planning
  • Security architecture review

Core Concepts

1. Attack Tree Structure

                    [Root Goal]
                         |
            โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
            โ”‚                         โ”‚
       [Sub-goal 1]              [Sub-goal 2]
       (OR node)                 (AND node)
            โ”‚                         โ”‚
      โ”Œโ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”             โ”Œโ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”
      โ”‚           โ”‚             โ”‚           โ”‚
   [Attack]   [Attack]      [Attack]   [Attack]
    (leaf)     (leaf)        (leaf)     (leaf)

2. Node Types

TypeSymbolDescription
OROvalAny child achieves goal
ANDRectangleAll children required
LeafBoxAtomic attack step

3. Attack Attributes

AttributeDescriptionValues
CostResources needed$, $$, $$$
TimeDuration to executeHours, Days, Weeks
SkillExpertise requiredLow, Medium, High
DetectionLikelihood of detectionLow, Medium, High

Templates and detailed worked examples

Full template library lives in references/details.md. Read that file when you need concrete templates for this skill.

Best Practices

Do's

  • Start with clear goals - Define what attacker wants
  • Be exhaustive - Consider all attack vectors
  • Attribute attacks - Cost, skill, and detection
  • Update regularly - New threats emerge
  • Validate with experts - Red team review

Don'ts

  • Don't oversimplify - Real attacks are complex
  • Don't ignore dependencies - AND nodes matter
  • Don't forget insider threats - Not all attackers are external
  • Don't skip mitigations - Trees are for defense planning
  • Don't make it static - Threat landscape evolves