/security-threat-review - Red Team / Blue Team Comprehensive Security Assessment

Goal

Evaluate the entire application from two perspectives: attackers (Red Team) and defenders (Blue Team), and output an integrated report including an Attack Scenario and Defense Gap Matrix.

Differences from other security skills:
/security-audit-quick
= grep-based known pattern detection (mechanical, fast)
/security-hardening
= in-depth handling of single threats (threat model → mitigation → testing → gate)
/review --focus security
= security review of PR diffs (diff-limited)
/security-threat-review
= holistic attack/defense two-perspective assessment of the entire application (comprehensive, periodic)

Input

Argument	Description	Default
`--scope`	Limit evaluation target	`all` (entire application)
`--layer`	Limit Blue Team evaluation layers (1-8)	All layers

--scope Option

Value	Target
`all`	Entire application (default)
`api`	Only `src/app/api/`
`actions`	Only `src/app/actions/`
`auth`	Only authentication/authorization related
`payment`	Only Stripe/billing related
`upload`	Only file upload/processing related

Examples

bash

# Comprehensive evaluation of the entire application (default)
/security-threat-review

# Evaluate only API Routes
/security-threat-review --scope api

# Evaluate only authentication-related areas
/security-threat-review --scope auth

# Full evaluation, but Blue Team only assesses Layers 1-3 (Auth/Authorization/Input)
/security-threat-review --layer 1-3

Workflow

Phase 0: Reconnaissance (Understand Attack Surface)

First, execute the following to understand the application's attack surface:

bash

# 1. All API endpoints
echo "=== API Routes ==="
find src/app/api -name "route.ts" | sort

# 2. All Server Actions
echo "=== Server Actions ==="
find src/app/actions -name "*.ts" | sort

# 3. List of security modules
echo "=== Security Modules ==="
find src/lib/security -name "*.ts" | sort

# 4. Number of RLS policies
echo "=== RLS Policies ==="
grep -r "CREATE POLICY" supabase/migrations/ --include="*.sql" | wc -l

# 5. Test mode boundaries
echo "=== Test Mode ==="
cat src/lib/test-mode.ts | head -50

Pass this information as context to both agents.

Phase 1: Red Team / Blue Team Parallel Execution

Launch two agents in parallel:

Red Team (Attacker Perspective)

text

Task(red-team-attacker):
  Please evaluate this PowerPoint translation SaaS from an attacker's perspective.

  ## App Overview
  - Stack: Next.js 16 + React 19 + Supabase + Stripe + Claude API
  - Features: PPTX Upload → Text Extraction → Claude Translation → Download
  - Authentication: Supabase Auth (Cookie-based)
  - Billing: Stripe Subscriptions

  ## Attack Surface
  [Paste Phase 0 results]

  ## Scope
  [Value of --scope option]

  Please follow the format in .claude/docs/reviewer-output-format.md for output.

Blue Team (Defender Perspective)

text

Task(blue-team-defender):
  Please evaluate the defense posture of this PowerPoint translation SaaS.

  ## App Overview
  - Stack: Next.js 16 + React 19 + Supabase + Stripe + Claude API
  - Features: PPTX Upload → Text Extraction → Claude Translation → Download
  - Authentication: Supabase Auth (Cookie-based)
  - Billing: Stripe Subscriptions

  ## Defense Mechanisms
  [Paste Phase 0 results]

  ## Scope
  [Value of --scope option]
  [Value of --layer option]

  Please follow the format in .claude/docs/reviewer-output-format.md for output.
  Be sure to include the Defense Scorecard (Layers 1-8).

Phase 2: Result Aggregation

Use the review-aggregator agent to integrate outputs from both teams.

In addition to regular PR review aggregation, output the following unique to this skill:

Attack-Defense Matrix (Skill-Specific Output)

Cross-reference results from both teams to generate a matrix of attack scenarios and defense status:

markdown

### Attack-Defense Matrix

| # | Attack Scenario (Red) | Defense Status (Blue) | Gap | Priority |
|---|-------------------|----------------|-----|----------|
| 1 | IDOR: Download via others' fileId | RLS + user_id check implemented | None | - |
| 2 | Rate Limit Bypass: Header Spoofing | Guarded by isProductionRuntime() | None | - |
| 3 | Test Mode Spoofing: X-E2E-Test | Fail-closed but some checks missing | Partial | High |
| 4 | Webhook Forgery: Unsigned Requests | Signature verification implemented | None | - |
| 5 | Translation Limit Bypass | Counter implemented, but race condition exists | Yes | Critical |

Gap Criteria:

Gap	Meaning
None	Red Team's attack is completely blocked by Blue Team's defense
Partial	Defense exists but is incomplete; breakthrough possible under certain conditions
Yes	Defense is missing, attack is feasible

Priority Criteria:

Priority	Conditions
Critical	Gap=Yes and impact includes data leakage, privilege escalation, or billing fraud
High	Gap=Partial and impact is severe
Medium	Gap=Partial and impact is limited
Low	Theoretical risk only
-	Gap=None (defended properly)

Phase 3: Final Report Output