pasta-attack-sim

Original：🇺🇸 English

Translated

This skill should be used when the user asks to "simulate attacks", "build attack trees", "model exploit chains", "score exploitability", or is running PASTA stage 6. Also triggers when the user asks about attack scenarios, red team simulation, DREAD scoring, or detection gap analysis in a threat modeling context. Part of the PASTA threat modeling methodology (Stage 6 of 7).

1installs

Sourceflorianbuetow/claude-code

Added on2026-03-01

NPX Install

npx skill4agent add florianbuetow/claude-code pasta-attack-sim

SKILL.md Content

View Translation Comparison →

PASTA Stage 6: Attack Simulation

Simulate realistic exploit chains by combining Stage 4 threats with Stage 5 vulnerabilities. Score each scenario by exploitability and impact, and assess whether existing controls detect or prevent each chain.

Supported Flags

Read

../../shared/schemas/flags.md

for the full flag specification. Key behaviors:

Flag	Stage 6 Behavior
`--scope`	Inherits from prior stages. Uses vulnerability inventory and threat catalog, not raw source.
`--depth quick`	Top 3 most critical exploit chains only, basic scoring.
`--depth standard`	Full attack trees for all high/critical pairs, DREAD scoring.
`--depth deep`	Standard + detection gap analysis, control bypass assessment, multi-stage pivots.
`--depth expert`	Deep + red team persona simulation with step-by-step exploit narratives.
`--severity`	Filter to attack scenarios above the specified impact level.

Framework Context

Read

../../shared/frameworks/pasta.md

, Stage 6 section. PASTA is SEQUENTIAL. Stage 6 consumes Stages 1-5 output and feeds Stage 7.

Prerequisites

Required: Stage 5 output -- vulnerability inventory with CWE mappings and vulnerability-threat correlations. Also needs: business assets (Stage 1), entry points (Stage 2), components and trust boundaries (Stage 3), threat catalog (Stage 4). If unavailable, warn and assume.

Workflow

Step 1: Identify Attack Pairs

Combine threats with vulnerabilities. Prioritize pairs targeting business-critical assets. Discard pairs fully mitigated by existing controls.

Step 2: Construct Exploit Chains

For each high-priority pair, build multi-step scenarios covering: entry point, exploitation, lateral movement, privilege escalation, objective reached, and exfiltration/impact. Construct attack trees showing alternate paths:

Goal: [Business-critical asset]
  OR
  +-- Path A: [Entry point] -> [Vuln-1] -> [Pivot] -> [Target]
  +-- Path B: [Entry point] -> [Vuln-2] -> [Escalation] -> [Target]

Step 3: Score Exploitability (DREAD)

Factor	Criteria
Damage	10 = full compromise, 1 = minor info leak
Reproducibility	10 = every time, 1 = race condition
Exploitability	10 = script kiddie, 1 = nation-state
Affected Users	10 = all users, 1 = single user
Discoverability	10 = publicly known, 1 = insider knowledge

DREAD Score = Average of all five factors (0-10).

Step 4: Assess Detection Gaps

For each chain: is exploitation logged? Would alerts fire? Would WAF/IDS block it? Is rate limiting effective? Would post-exploitation behavior be detected?

Step 5: Identify Control Bypasses

For each security control: can it be bypassed via alternative paths? Does it cover all entry points? Are there timing windows? Can the attacker degrade it?

Step 6: Rank Attack Scenarios

Order by: DREAD score, business impact, attack complexity (simpler = higher), detection coverage (undetectable = higher).

Analysis Checklist

Can low-severity vulns chain into high-impact exploits?
What is the shortest path from internet to most sensitive data?
Would current logging detect this attack in progress?
What skill level and tooling is required per path?
Are there paths that bypass all existing controls?
Can a single compromised credential yield full system access?
Are there TOCTOU windows exploitable in chains?
What is the blast radius of the most likely attack?

Output Format

Stage 6 produces Attack Scenarios with Exploit Chains. ID prefix: PASTA (e.g.,

PASTA-ATK-001

).

## PASTA Stage 6: Attack Simulation

### ATK-001: [Scenario Name]
**Target**: [Asset] | **Actor**: [Profile] | **DREAD**: X.X
**Chain**: Entry point -> Vuln exploited -> Access gained -> Pivot -> Objective
| Damage | Reproducibility | Exploitability | Affected Users | Discoverability | Score |
|--------|----------------|---------------|---------------|----------------|-------|
| X | X | X | X | X | X.X |
**Detection**: Logging [Y/N], Alerting [Y/N], WAF [Y/N]
**Gaps**: [Missing controls]

### Attack Scenario Summary
| ID | Scenario | DREAD | Target Asset | Complexity | Detected |
|----|----------|-------|-------------|------------|----------|
| ATK-001 | ... | X.X | ... | Low/Med/High | Yes/No |

### Detection Gap Summary
| Gap | Scenarios Affected | Recommendation |
|-----|-------------------|----------------|

Findings follow

../../shared/schemas/findings.md

with:

```
dread
```
: Full DREAD scoring object
```
references.mitre_attck
```
: technique IDs,
```
references.cwe
```
: exploited CWE IDs

metadata.tool

:

"pasta-attack-sim"

,

metadata.framework

:

"pasta"

,

metadata.category

:

"Stage-6"

Next Stage

Stage 7: Risk & Impact Analysis (

pasta-risk

). Pass attack scenarios, DREAD scores, and detection gaps. Stage 7 combines technical exploitability with Stage 1 business impact to produce risk-weighted scores and a remediation roadmap.