BLACKSHIELD

Public guide

Run Threat Modeling Sessions with the MCP Gateway


Quickstart

Use this if

Use BlackShield's governed MCP gateway to run structured STRIDE threat-modeling sessions, attach generated reports to Security Reviews as tenant-scoped evidence, and configure gateway controls so only approved clients can trigger sensitive modeling tools.

Audience
Security architects, AppSec leads, tenant admins, and AI Gateway operators
Typical time
20-30 minutes

Before you begin

  • Confirm you have admin access to AI Gateway policy configuration and can edit the policy pack for the target client.
  • Prepare the system architecture description, component inventory, and business context inputs that will seed the STRIDE session.
  • Identify which Security Review record the threat-model output should be attached to after the session.

Fast path

Copy a working starter, run it in your environment, then come back here for the deeper rollout details.

Demo only

This configuration is designed for ease of use. To deploy scanning clients at scale, plan your deployment architecture accordingly, or contact us for enterprise best practices.

Run this

Minimal AI Gateway policy to enable threat modeling tools

```json
{
  "allowed_tools": [
    "threat_modeling.session.create",
    "threat_modeling.session.export",
    "threat_modeling.session.get"
  ],
  "hidden_tools": [
    "threat_modeling.agent_workspace_review.start"
  ],
  "human_approval_required": [
    "threat_modeling.agent_workspace_review.start"
  ],
  "approved_providers": ["anthropic", "openai"],
  "mode": "advisory"
}
```

Understand and customize

Use the guided steps below when you want to tailor the rollout, validate ownership, or expand the deployment safely.

Step 1

Grant threat_modeling.* access in AI Gateway policy

Threat-modeling MCP tools are gated behind explicit AI Gateway policy. Enable them only for approved clients.

  • In `/ai-gateway`, edit the policy pack for the client or client group that will run threat-modeling sessions.
  • Add `threat_modeling.*` to the `allowed_tools` list, or enable individual tools such as `threat_modeling.session.create` and `threat_modeling.session.export`.
  • Use `hidden_tools` to suppress threat-modeling tools from clients that should not see them.
  • Require human approval for `threat_modeling.agent_workspace_review.start` to prevent unsupervised code-reading runs.

Step 2

Start and run a hosted STRIDE session

Hosted sessions run structured STRIDE analysis against architecture inputs through the governed MCP endpoint.

  • Call `threat_modeling.session.create` with your system architecture description, business context, and component inventory.
  • Use the AWS Labs threat-modeling tools exposed by the gateway to step through Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.
  • Capture intermediate outputs with `threat_modeling.session.export` at the end of each category for incremental review.
  • Review AI Gateway activity logs after the session to confirm tool calls, latency, and any policy warnings.
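The policy evaluation from Step 1 and the call sequence from Step 2, as an added example that is not BlackShield's code: it evaluates a tool name against the policy pack shown in the fast path (with the `threat_modeling.*` wildcard form), then builds the MCP `tools/call` messages for one hosted STRIDE session and refuses any call the policy would not allow outright. The precedence between `hidden_tools`, `allowed_tools` and `human_approval_required`, the argument names passed to `threat_modeling.session.create` and `threat_modeling.session.export`, and the `$SESSION_ID` placeholder are assumptions made for the example.

```python
"""Illustrative policy evaluator and STRIDE session request builder.
Added example; the gateway's real evaluation order and the tools' argument
schemas are assumptions, not BlackShield's implementation."""
import fnmatch

# Policy pack from the "Run this" starter, using the wildcard form from Step 1.
POLICY = {
    "allowed_tools": ["threat_modeling.*"],
    "hidden_tools": ["threat_modeling.agent_workspace_review.start"],
    "human_approval_required": ["threat_modeling.agent_workspace_review.start"],
    "approved_providers": ["anthropic", "openai"],
    "mode": "advisory",
}

# STRIDE categories walked in Step 2, in the order the page lists them.
STRIDE = ["Spoofing", "Tampering", "Repudiation", "Information Disclosure",
          "Denial of Service", "Elevation of Privilege"]


def _matches(tool, patterns):
    """Exact or glob match (e.g. `threat_modeling.*`) against a policy list."""
    return any(fnmatch.fnmatchcase(tool, p) for p in patterns)


def evaluate(policy, tool, provider=None):
    """Return 'hidden', 'deny', 'needs_approval' or 'allow' for one tool call.

    Assumed precedence: hidden tools are never exposed; anything outside
    allowed_tools is denied; approval-gated tools wait for a human; a call
    routed to a provider outside approved_providers is denied."""
    if _matches(tool, policy.get("hidden_tools", [])):
        return "hidden"
    if not _matches(tool, policy.get("allowed_tools", [])):
        return "deny"
    if _matches(tool, policy.get("human_approval_required", [])):
        return "needs_approval"
    if provider is not None and provider not in policy.get("approved_providers", []):
        return "deny"
    return "allow"


def visible_tools(policy, catalogue):
    """Tool list a client should be shown: allowed (possibly approval-gated), never hidden."""
    return [t for t in catalogue if evaluate(policy, t) in ("allow", "needs_approval")]


def session_requests(policy, architecture, components, business_context):
    """Build the JSON-RPC `tools/call` messages for one hosted STRIDE session.

    One create call, then one export at the end of each STRIDE category so the
    walkthrough can be reviewed incrementally. Every call is checked against the
    policy first; "$SESSION_ID" stands in for the id returned by the create call."""
    calls = [("threat_modeling.session.create",
              {"architecture": architecture,            # assumed argument names
               "components": components,
               "business_context": business_context})]
    for category in STRIDE:
        calls.append(("threat_modeling.session.export",
                      {"session_id": "$SESSION_ID", "category": category, "format": "markdown"}))
    messages = []
    for i, (name, args) in enumerate(calls, start=1):
        verdict = evaluate(policy, name)
        if verdict != "allow":
            raise PermissionError(f"{name}: {verdict}")
        messages.append({"jsonrpc": "2.0", "id": i, "method": "tools/call",
                         "params": {"name": name, "arguments": args}})
    return messages


if __name__ == "__main__":
    catalogue = ["threat_modeling.session.create", "threat_modeling.session.export",
                 "threat_modeling.session.get", "threat_modeling.agent_workspace_review.start"]
    print("visible:", visible_tools(POLICY, catalogue))
    for msg in session_requests(POLICY, "three-tier web app", ["api", "db"], "payments"):
        print(msg["id"], msg["params"]["name"], msg["params"]["arguments"].get("category", ""))
```

With the starter policy, `agent_workspace_review.start` is both hidden and approval-gated; the evaluator reports `hidden` because a tool the client cannot see should never reach the approval queue. Dropping it from `hidden_tools` while keeping it in `human_approval_required` yields `needs_approval`, which is the Step 1 configuration for clients that are allowed to request supervised code-reading runs.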

Step 3

Attach the session output to a Security Review

Threat-model outputs are persisted as tenant-scoped artifacts and linked to Security Review records for audit and due diligence.

  • Exported Markdown and JSON session outputs are stored in a tenant-isolated S3 path keyed to your workspace and session ID, encrypted with KMS.
  • Open `/security-reviews` and attach the exported session artifact to the relevant review.
  • Include the threat-model export in the Security Review evidence package when responding to vendor questionnaires or audit requests.
  • Set a data retention period in company integrations settings (default 30 days) to match your policy requirements.
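The storage controls in Step 3, as an added example rather than BlackShield's own storage code: it derives a tenant-isolated object key from workspace and session ID, rejects any key that would escape the caller's tenant prefix, builds `put_object` parameters that enforce SSE-KMS, and emits an S3 lifecycle rule for the retention period. The prefix layout, the bucket name, the KMS key ARN and the `tenants/<id>/workspaces/<id>/` structure are assumptions; `ServerSideEncryption`, `SSEKMSKeyId` and the lifecycle rule shape are the real boto3/S3 names.

```python
"""Tenant-scoped artifact keys, SSE-KMS upload parameters and a retention
lifecycle rule for exported threat-model sessions. Added example; the path
layout and identifiers are assumptions, not BlackShield's storage scheme."""
import posixpath

BUCKET = "example-threatmodel-artifacts"                                # placeholder
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"   # placeholder
DEFAULT_RETENTION_DAYS = 30   # default retention stated in Step 3


def tenant_prefix(tenant_id, workspace_id):
    """Every object a tenant may touch lives under this prefix (assumed layout)."""
    return f"tenants/{tenant_id}/workspaces/{workspace_id}/"


def artifact_key(tenant_id, workspace_id, session_id, fmt):
    """Object key for one exported session; only Markdown and JSON are exported."""
    if fmt not in ("md", "json"):
        raise ValueError("exports are Markdown (md) or JSON (json)")
    for part in (tenant_id, workspace_id, session_id):
        # Reject separators and traversal so an id cannot rewrite the prefix.
        if not part or "/" in part or ".." in part:
            raise ValueError(f"unsafe path component: {part!r}")
    return f"{tenant_prefix(tenant_id, workspace_id)}sessions/{session_id}/report.{fmt}"


def is_within_tenant(key, tenant_id, workspace_id):
    """Check before any read or attach: the normalised key must stay under the caller's prefix."""
    norm = posixpath.normpath(key)
    return not norm.startswith("/") and norm.startswith(tenant_prefix(tenant_id, workspace_id))


def put_object_params(key, body):
    """Keyword arguments for boto3 `s3.put_object`, with SSE-KMS enforced per object."""
    return {
        "Bucket": BUCKET,
        "Key": key,
        "Body": body,
        "ServerSideEncryption": "aws:kms",
        "SSEKMSKeyId": KMS_KEY_ARN,
    }


def lifecycle_rule(tenant_id, workspace_id, days=DEFAULT_RETENTION_DAYS):
    """S3 lifecycle configuration expiring this tenant's exports after `days`."""
    if days < 1:
        raise ValueError("retention must be at least one day")
    return {"Rules": [{
        "ID": f"retain-{tenant_id}-{workspace_id}",
        "Filter": {"Prefix": tenant_prefix(tenant_id, workspace_id)},
        "Status": "Enabled",
        "Expiration": {"Days": days},
    }]}


if __name__ == "__main__":
    key = artifact_key("acme", "ws-01", "sess-42", "md")        # constructed ids
    print(key)
    print(put_object_params(key, b"# STRIDE report\n")["ServerSideEncryption"])
    print(lifecycle_rule("acme", "ws-01")["Rules"][0]["Expiration"])
    print(is_within_tenant("tenants/acme/workspaces/ws-01/../../other/x.md", "acme", "ws-01"))
```

The `is_within_tenant` check is the piece to run on every attach from `/security-reviews`: the Security Review record should only ever reference keys under the requesting tenant's prefix, and the lifecycle rule keeps the bucket's retention aligned with the period configured in company integrations settings.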

What success looks like

  • The gateway client can invoke `threat_modeling.session.create` and completes a full STRIDE walkthrough with exported Markdown and JSON outputs.
  • Session artifacts appear in the tenant-isolated S3 path and are attached to the correct Security Review record as audit and due-diligence evidence.