No tracking. No cookie wall.·100 % EU-hosted on Hetzner
Services

Sample threat model — STRIDE, LLM-backed returns API

Acme Returns AB · sample deliverable · fictional system · produced with the same engine and format as a paid engagement

Document TM-ACME-2026-001 · Scope: single application · Method: STRIDE over DFD · Status: sample — senior review pending

This is a fictional sample. Acme and its returns API don't exist — the system is invented so we can publish a complete deliverable without exposing a client. It was produced with the same gateway engine, the same sources, and the same format as a paid engagement. A sample has no client and nothing to certify, so the sign-off block in §7 shows the format and stays blank by design — on a paid engagement the reviewing practitioner signs there. Every linked citation is a real row fetched from the gateway's corpora; the risk scores and the system itself illustrate the format.
Section 1

Executive summary

The Acme Returns API fronts an LLM-backed support agent that answers return questions, looks up orders, and — within limits — issues refunds. A STRIDE walk over its data-flow diagram produced 9 threats across four trust boundaries. Two stand out: prompt injection through the customer channel (TM-03) and the agent calling the refund tool beyond its intended scope (TM-08) — together they turn a support conversation into an unaudited financial action. First moves: deny-by-default per-tool RBAC with human approval on refunds, guardrail isolation of privileged instructions, and per-request context isolation so one tenant's PII never reaches another's session.

6 of 9 register rows carry citations; the linked ones were fetched live from the gateway's corpora during the run. Two rows (TM-05, TM-07) matched no source row and ship as marked analyst drafts; one row (TM-06) lists candidate provisions but its regulatory basis is unresolved. None of the three is papered over.

Section 2

System & trust boundaries

Acme Returns AB (fictional) runs a customer-support returns flow: a public chat channel where an LLM agent handles return requests end-to-end. Components: the returns API edge (authentication, session handling), the LLM support agent (system instructions plus per-request retrieved context), two tools the agent can call (order lookup and refund), and a multi-tenant customer & order store holding PII.

Data-flow diagram: a customer sends a return question through the returns API edge (trust boundary B1) into the LLM support agent (B2); the agent calls the order-lookup and refund tools (B3), which query the multi-tenant customer and order store (B4); retrieved context flows back into the agent, and a cited answer returns to the customer.
Data-flow diagram with the four trust boundaries. Text version:
Show the text form
[Customer / attacker]
      |  chat + REST over HTTPS                 <- B1: internet -> edge
[Returns API edge]   (OAuth 2.0 access token, session)
      |  prompt assembly                        <- B2: untrusted input -> model context
[LLM support agent]  (system instructions + customer message + retrieved context)
      |  tool calls                             <- B3: model output -> privileged action
[Order lookup] ---- [Refund tool]  (financial action)
      |  queries                                <- B4: tenant isolation
[(Customer & order store -- multi-tenant, PII)]
  • B1Internet → API edge. Anonymous internet traffic meets the authenticated API surface (OAuth 2.0 tokens, sessions).
  • B2Untrusted input → model context. Customer text is assembled into the same context window as privileged system instructions.
  • B3Model output → privileged action. Agent output selects and parameterises tool calls — including the refund tool, a financial action.
  • B4Tenant isolation. Retrieval crosses into a multi-tenant store holding PII and order history.
Section 3

Threat register

One row per threat, walked per element and boundary. Severity and likelihood are analyst-assigned and would be confirmed or corrected in senior review.

IDSTRIDEThreat & boundarySeverityMitigationCitationsRegulationStatus
TM-01SpoofingStolen or replayed OAuth access token impersonates a customer at the API edge B1High (Possible)Short-lived, sender-bound access tokens; encrypted token storage; monitor for compromised service accountsSTRIDE-API-OAUTH-001cited
TM-02SpoofingSession credential forged or predicted via a weak random number generator; account takeover B1High (Possible)CSPRNG-backed session identifiers; new session token on authentication (ASVS V3.2.1); randomness verified per WSTGSTRIDE-CRYPTO-RANDOM-001 · CAPEC-196 · OWASP ASVS V3.2.1 · OWASP WSTG 4.2 — session mgmt schemacited
TM-03TamperingPrompt injection via customer message overrides system instructions B2High (Likely)Input/output guardrail + privileged-instruction isolationOWASP LLM01 · CWE-77EU AI Act Art. 15cited
TM-04TamperingReturns-flow step skipping: the final refund-confirmation request is submitted directly, bypassing the eligibility checks of earlier steps B1 → B3Medium (Possible)Server-side state machine over the returns flow; every stage transition validated server-sideCAPEC-140cited
TM-05RepudiationA refund issued through the agent cannot later be attributed to a specific customer instruction and agent decision B3Medium (Possible)Tamper-evident audit log of prompt, tool call, parameters, and approval — retained per policyanalyst draft — no fetched source; held for senior review
TM-06Information disclosureContext-window leakage exposes another tenant's PII B2 / B4High (Possible)Per-request context isolation + retrieval scopingCWE-200NIS2 Art. 21 / GDPR Art. 32 (candidates)flagged — regulatory_basis_unresolved
TM-07Denial of serviceUnbounded chat traffic drives model-call spend and saturates the returns queue — no per-client budget B1 / B2Medium (Likely)Per-client rate limits; token budgets; queue backpressureanalyst draft — no fetched source; held for senior review
TM-08Elevation of privilegeAgent calls the refund tool beyond intended scope (tool-permission escalation) B3Critical (Possible)Per-tool RBAC, deny-by-default + human-in-loop on financial actionsATT&CK T1548 · CWE-269DORA Art. 6cited
TM-09Elevation of privilegeAuthentication bypass on the internal tool API reaches the refund endpoint without passing the agent's controls B3High (Possible)Authenticate every internal hop; step-up authentication before privilege-changing actions (see §4, IAC-16.3)CAPEC-115cited

Linked citations are rows the gateway returned during this run, with source URL, publisher, and license preserved. Unlinked identifiers (OWASP LLM01, CWE-77, ATT&CK T1548, CWE-269, CWE-200 and the regulation references) carry over from the previously published sample register for this system. Rows with no matching source say so instead of carrying an invented reference.

Section 4

Control mapping

Register rows mapped to controls from the gateway's security-controls catalog. Fragments are quoted as fetched.

ControlMaps toFetched description
AAT-29.2 — Agent least-privilege scopingTM-08Confines each agent to the minimum permissions, assets, services, and network reach…
IAC-16.3 — Step-up authentication for privilege changesTM-08, TM-09Asking to alter a privilege level triggers an extra authentication check before…
IAC-20 — Least-privilege logical accessTM-08, TM-09…each task needs, keeping every grant aligned with the least-privilege principle.
IAC-21 — Least privilege for processesTM-01Access is held to the minimum required, permitting only the processes needed…
Section 5

Product-security duties (CRA)

If the returns agent ships to customers as a product with digital elements — for example as an embeddable support widget — the Cyber Resilience Act's essential cybersecurity requirements attach to it. The gateway returned the operative annex:

Cyber Resilience Act, Annex I — Reg (EU) 2024/2847 — “ESSENTIAL CYBERSECURITY REQUIREMENTS — Part I Cybersecurity requirements relating to the properties of products with digital elements” (Publications Office of the European Union).

In a paid engagement each register row is mapped to the specific Annex I point it engages. This sample stops at the annex level: the fetched excerpt covers the Part I heading, not the itemised list, and we don't cite deeper than what was fetched. Applicability is a scoping input, not a conclusion — whether Acme's deployment is a product placed on the market, rather than a pure service, decides if the CRA attaches at all. A real engagement records that determination; here it is marked open.

Section 6

Method note

  • STRIDE over the DFD. All six categories walked per element and boundary of the §2 diagram; classic categories extended for the LLM surface — Tampering to prompt injection, Elevation of privilege to tool-permission escalation, Information disclosure to context-window leakage.
  • Sources fetched through the Ansvar gateway. The STRIDE pattern library, CAPEC, OWASP (ASVS 4.0.3, WSTG 4.2), the security-controls catalog, and the Cyber Resilience Act text — every linked citation is a row the gateway returned during the run, with source URL, publisher, and license preserved. Nothing is cited from model recall.
  • Refusal discipline. No fetched source → the row says so (TM-05, TM-07). Regulatory basis not confirmable at article level → the row is flagged regulatory_basis_unresolved (TM-06). Gaps are marked, never filled with plausible text.
  • What a paid engagement adds. Your real architecture and a scoping call; enrichment across ATT&CK, CWE, and your sector's regulations; and a named senior reviewer who confirms or corrects every row before it ships.
Section 7

Sign-off

Senior review:   [shown for format — fictional sample, nothing to certify]
Reviewer:        [named reviewer — OSCP / CISSP / AI red team]
Date:            [—]

A paid engagement ships only after the named reviewer has validated every row and signed here. This sample is published unsigned, on purpose, so you can read the document exactly as it leaves the engine.

Want this for a real system? Scope a threat model →