
Run Threat Modeling Sessions with the MCP Gateway

Use BlackShield's governed MCP gateway to run structured STRIDE threat-modeling sessions, attach generated reports to Security Reviews as tenant-scoped evidence, and configure gateway controls so only approved clients can trigger sensitive modeling tools. Audience: Security architects, AppSec leads, tenant admins, and AI Gateway operators. Typical setup time: 20-30 minutes.


Before you begin

  • Confirm you have admin access to AI Gateway policy configuration and can edit the policy pack for the target client.
  • Prepare the system architecture description, component inventory, and business context inputs that will seed the STRIDE session.
  • Identify which Security Review record the threat-model output should be attached to after the session.

Quick path

Copy a working starter, run it in your environment, then come back here for the deeper rollout details.

For demonstration only

This configuration is designed for ease of use. To deploy scanner clients at scale, plan your deployment architecture accordingly or contact us for enterprise best practices.

Run this

Minimal AI Gateway policy to enable threat modeling tools

```json
{
  "allowed_tools": [
    "threat_modeling.session.create",
    "threat_modeling.session.export",
    "threat_modeling.session.get"
  ],
  "hidden_tools": [
    "threat_modeling.agent_workspace_review.start"
  ],
  "human_approval_required": [
    "threat_modeling.agent_workspace_review.start"
  ],
  "approved_providers": ["anthropic", "openai"],
  "mode": "advisory"
}
```

Understand and customize

Use the guided steps below when you want to tailor the rollout, validate ownership, or expand the deployment safely.

Step 1

Grant threat_modeling.* access in AI Gateway policy

Threat-modeling MCP tools are gated behind explicit AI Gateway policy. Enable them only for approved clients.

  • In `/ai-gateway`, edit the policy pack for the client or client group that will run threat-modeling sessions.
  • Add `threat_modeling.*` to the `allowed_tools` list, or enable individual tools such as `threat_modeling.session.create` and `threat_modeling.session.export`.
  • Use `hidden_tools` to suppress threat-modeling tools from clients that should not see them.
  • Require human approval for `threat_modeling.agent_workspace_review.start` to prevent unsupervised code-reading runs.
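To see how the three policy lists interact before you roll a pack out, here is a small evaluator written as an added example for this guide (it is not BlackShield's gateway code, and the evaluation rules are an assumption: `allowed_tools` entries are treated as glob patterns so `threat_modeling.*` works, `hidden_tools` only affects what a client is shown in the tool catalog, and `human_approval_required` gates invocation). The `mode` key is left out because its semantics are not described on this page. The catalog and requests are constructed sample data.

```python
import fnmatch
from dataclasses import dataclass

# Constructed policy pack using the wildcard form from Step 1 (assumption:
# entries are matched as glob patterns, so "threat_modeling.*" covers all
# threat-modeling tools).
POLICY = {
    "allowed_tools": ["threat_modeling.*"],
    "hidden_tools": ["threat_modeling.agent_workspace_review.start"],
    "human_approval_required": ["threat_modeling.agent_workspace_review.start"],
    "approved_providers": ["anthropic", "openai"],
}

# Constructed tool catalog as the gateway might expose it (hypothetical names
# for the non-threat-modeling tools).
CATALOG = [
    "threat_modeling.session.create",
    "threat_modeling.session.export",
    "threat_modeling.session.get",
    "threat_modeling.agent_workspace_review.start",
    "code_search.grep",
]


@dataclass(frozen=True)
class Decision:
    action: str  # "allow", "deny" or "pending_approval"
    reason: str


def _matches(tool: str, patterns) -> bool:
    """Glob-match a tool name against a list of policy patterns."""
    return any(fnmatch.fnmatchcase(tool, p) for p in patterns)


def visible_tools(policy, catalog):
    """Tools a client sees in its catalog: allowed minus hidden.

    Hiding is a visibility control, not an enforcement control: a client that
    already knows a tool name can still attempt to call it, so the approval
    gate in evaluate() is what actually stops unsupervised runs.
    """
    return [
        t for t in catalog
        if _matches(t, policy["allowed_tools"]) and not _matches(t, policy["hidden_tools"])
    ]


def evaluate(policy, tool: str, provider: str, approved: bool = False) -> Decision:
    """Decide whether one tool call may proceed under the policy pack."""
    if provider not in policy["approved_providers"]:
        return Decision("deny", f"provider {provider!r} is not in approved_providers")
    if not _matches(tool, policy["allowed_tools"]):
        return Decision("deny", "tool is not in allowed_tools")
    if _matches(tool, policy["human_approval_required"]) and not approved:
        return Decision("pending_approval", "human approval required before the call runs")
    return Decision("allow", "permitted by policy")


if __name__ == "__main__":
    print("visible:", visible_tools(POLICY, CATALOG))
    for tool, provider in [
        ("threat_modeling.session.create", "anthropic"),
        ("threat_modeling.agent_workspace_review.start", "openai"),
        ("threat_modeling.session.create", "unapproved-llm"),
        ("code_search.grep", "anthropic"),
    ]:
        print(tool, provider, "->", evaluate(POLICY, tool, provider))
```

Run it once against your own pack (swap the `POLICY` dict) to confirm that the workspace-review tool is absent from the visible catalog and still lands in `pending_approval` if a client names it directly; if either check fails, the pack is not doing what Step 1 intends.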


Step 2

Start and run a hosted STRIDE session

Hosted sessions run structured STRIDE analysis against architecture inputs through the governed MCP endpoint.

  • Call `threat_modeling.session.create` with your system architecture description, business context, and component inventory.
  • Use the AWS Labs threat-modeling tools exposed by the gateway to step through Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.
  • Capture intermediate outputs with `threat_modeling.session.export` at the end of each category for incremental review.
  • Review AI Gateway activity logs after the session to confirm tool calls, latency, and any policy warnings.
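The log review in the last bullet is easy to do by hand for one session and tedious for many. The script below is an added example for this guide, not BlackShield's tooling: it reads gateway activity log lines, checks that a session was created and that an export exists for every one of the six STRIDE categories, flags slow calls, and lists policy warnings or denied calls. The log lines are constructed sample data and their field names (`ts`, `client`, `tool`, `session`, `category`, `latency_ms`, `status`, `policy_warning`) are an assumption, not the real activity-log schema; adapt the accessors to whatever your export actually contains.

```python
import json
from statistics import mean

# The six STRIDE categories a complete walkthrough should have exported.
STRIDE = (
    "spoofing", "tampering", "repudiation",
    "information_disclosure", "denial_of_service", "elevation_of_privilege",
)

# Constructed sample activity log (one JSON object per line). Field names are
# an assumption for this example; the last category was deliberately left out
# so the report shows an incomplete session.
SAMPLE_LOG = """\
{"ts": "2024-05-01T10:00:00Z", "client": "appsec-modeler", "tool": "threat_modeling.session.create", "session": "sess-demo-1", "latency_ms": 840, "status": "ok"}
{"ts": "2024-05-01T10:02:10Z", "client": "appsec-modeler", "tool": "threat_modeling.session.export", "session": "sess-demo-1", "category": "spoofing", "latency_ms": 390, "status": "ok"}
{"ts": "2024-05-01T10:05:31Z", "client": "appsec-modeler", "tool": "threat_modeling.session.export", "session": "sess-demo-1", "category": "tampering", "latency_ms": 455, "status": "ok"}
{"ts": "2024-05-01T10:08:02Z", "client": "appsec-modeler", "tool": "threat_modeling.session.export", "session": "sess-demo-1", "category": "repudiation", "latency_ms": 372, "status": "ok"}
{"ts": "2024-05-01T10:11:44Z", "client": "appsec-modeler", "tool": "threat_modeling.session.export", "session": "sess-demo-1", "category": "information_disclosure", "latency_ms": 2910, "status": "ok"}
{"ts": "2024-05-01T10:12:03Z", "client": "appsec-modeler", "tool": "threat_modeling.agent_workspace_review.start", "session": "sess-demo-1", "latency_ms": 6, "status": "denied", "policy_warning": "human approval required"}
{"ts": "2024-05-01T10:15:20Z", "client": "appsec-modeler", "tool": "threat_modeling.session.export", "session": "sess-demo-1", "category": "denial_of_service", "latency_ms": 401, "status": "ok"}
"""


def parse_log(text: str) -> list:
    """Parse JSON-lines log text, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def session_report(events: list, session_id: str, slow_ms: int = 2000) -> dict:
    """Summarise one session: coverage, latency and policy warnings."""
    ev = [e for e in events if e.get("session") == session_id]
    created = any(
        e["tool"] == "threat_modeling.session.create" and e.get("status") == "ok"
        for e in ev
    )
    exported = {
        e["category"] for e in ev
        if e["tool"] == "threat_modeling.session.export" and e.get("status") == "ok"
    }
    missing = [c for c in STRIDE if c not in exported]
    latencies = [e["latency_ms"] for e in ev]
    # Anything denied or carrying a policy_warning deserves a look, whether it
    # was a legitimate approval gate firing or a client probing a gated tool.
    warnings = [
        (e["tool"], e.get("policy_warning", e.get("status")))
        for e in ev
        if e.get("policy_warning") or e.get("status") != "ok"
    ]
    return {
        "session": session_id,
        "tool_calls": len(ev),
        "created": created,
        "exported_categories": sorted(exported),
        "missing_categories": missing,
        "complete": created and not missing,
        "mean_latency_ms": round(mean(latencies)) if latencies else 0,
        "slow_calls": [e["tool"] for e in ev if e["latency_ms"] > slow_ms],
        "policy_warnings": warnings,
    }


if __name__ == "__main__":
    report = session_report(parse_log(SAMPLE_LOG), "sess-demo-1")
    print(json.dumps(report, indent=2))
```

A session whose report shows `missing_categories` is not ready to be attached as evidence in Step 3; rerun the export for the missing category first. The denied `agent_workspace_review.start` call in the sample is the approval gate from Step 1 doing its job, which is exactly the kind of line you want to confirm appears in the log rather than an unexpected `ok`.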


Step 3

Attach the session output to a Security Review

Threat-model outputs are persisted as tenant-scoped artifacts and linked to Security Review records for audit and due-diligence.

  • Exported Markdown and JSON session outputs are stored in a tenant-isolated S3 path keyed to your workspace and session ID, encrypted with KMS.
  • Open `/security-reviews` and attach the exported session artifact to the relevant review.
  • Include the threat-model export in the Security Review evidence package when responding to vendor questionnaires or audit requests.
  • Set a data retention period in company integrations settings (default 30 days) to match your policy requirements.


What success looks like

  • The gateway client can invoke `threat_modeling.session.create` and completes a full STRIDE walkthrough with exported Markdown and JSON outputs.
  • Session artifacts appear in the tenant-isolated S3 path and are attached to the correct Security Review record for audit and due-diligence evidence.