Skip to content
threatcl

Example Threat Model

The following is a lightweight example of a threatcl HCL file. The specification is built off HCLv2 - if you’ve ever written terraform, this may seem familar to you. See developer.hashicorp.com for more high level information about the syntax.

tower-of-london.hcl
threatmodel "Tower of London" {
  description = "A historic castle"
  author = "@xntrik"


  attributes {
    new_initiative = "true"
    internet_facing = "true"
    initiative_size = "Small"
  }


  information_asset "crown jewels" {
    description = "including the imperial state crown"
    information_classification = "Confidential"
  }


  usecase {
    description = "The Queen can fetch the crown"
  }


  threat {
    description = "Someone who isn't the Queen steals the crown"
    impacts = ["Confidentiality"]


    expanded_control "Guards" {
      description = "Trained guards patrol tower"
      risk_reduction = 75
    }
  }
}