PASTA Threat Model Dispatcher (Sequential)
Dispatch 7 PASTA stages in strict sequential order. Unlike all other framework dispatchers, PASTA runs each stage as a Task, waits for its output, and passes that output into the next stage's prompt. This is because PASTA is a risk-centric process where business objectives (Stage 1) constrain technical scope (Stage 2), which constrains decomposition (Stage 3), and so on through risk analysis (Stage 7).
Do NOT run stages in parallel. Do NOT skip stages. Do NOT reorder stages.
Stage Failure Handling
If a stage fails (returns empty output, errors, or times out):
-
Record the failure: stage number, error details, partial output if any.
-
Check if remaining stages can proceed:
-
Stages 1–3 are foundational. If any fails, STOP the pipeline and report partial results from completed stages.
-
Stages 4–7 can run with degraded input from prior stages. Note the gap explicitly in their output.
-
Present completed stage outputs to the user with clear status markers:
-
Stage 3: COMPLETED (12 components identified)
-
Stage 4: FAILED — [reason]. Stages 5–7 ran with reduced context.
-
NEVER discard completed stage outputs due to a later stage failure.
Supported Flags
Read ../../shared/schemas/flags.md for the full flag specification. This dispatcher supports all cross-cutting flags.
Flag Dispatcher-Specific Behavior
--scope
Propagated to all stages. Default changed . Stages 2-3 may expand scope to trace architecture.
--depth
Propagated to all stages. Default standard .
--severity
Applied to final Stage 7 output to filter the risk-ranked findings.
--format
Applied to final consolidated output after Stage 7.
--only 1,4,7
Run only the listed stages (by number 1-7). Prior stages still run if their output is needed. E.g., --only 5 implicitly runs 1-4 first.
--fix
Propagated to Stage 5 (vulnerability analysis) and Stage 7 (risk mitigation).
--quiet
Propagated to all stages; suppress explanations.
--explain
Propagated to all stages; add learning material per finding.
Framework Reference
Read ../../shared/frameworks/pasta.md for the full PASTA framework specification including all 7 stage definitions, cross-framework mappings to OWASP/STRIDE/CWE, and compliance mapping templates.
Stage Pipeline
The 7 stages execute strictly in order. Each stage is launched as a single Task tool call, and you MUST wait for it to complete before launching the next stage.
Stage Skill Output Feeds Into
- Business Objectives skills/pasta-objectives/SKILL.md
Business context, risk tolerance, compliance requirements Stage 2
- Technical Scope skills/pasta-scope/SKILL.md
Attack surface inventory, entry points, tech stack, DFD Stage 3
- Application Decomposition skills/pasta-decompose/SKILL.md
Component inventory, trust boundaries, role-permission matrix Stage 4
- Threat Analysis skills/pasta-threats/SKILL.md
Threat catalog, MITRE ATT&CK mappings, attack trees Stage 5
- Vulnerability Analysis skills/pasta-vulns/SKILL.md
Vulnerability inventory with CWE mappings, exploitability scores Stage 6
- Attack Simulation skills/pasta-attack-sim/SKILL.md
Exploit chains, DREAD scores, detection gap analysis Stage 7
- Risk & Impact Analysis skills/pasta-risk/SKILL.md
Risk-ranked findings, mitigation roadmap, executive summary Final output
Sequential Dispatch Workflow
Step 1: Resolve Scope
Parse flags and resolve the target file list per the flags spec. Build the initial file list that will be passed to Stage 1.
Step 2: Execute Stages Sequentially
For EACH stage (1 through 7), follow this pattern:
-
Build the subagent prompt with all prior stage outputs embedded.
-
Launch a single Task tool call for this stage.
-
Wait for the Task to complete and capture its full output.
-
Store the output for inclusion in subsequent stage prompts.
-
Proceed to the next stage.
Do NOT launch the next stage until the current stage has returned.
Subagent Prompt Template
Each stage gets a FULLY self-contained prompt including all prior outputs:
Execute PASTA Stage {N}: {STAGE_NAME}
STEP 1: Read the skill definition at: {ABSOLUTE_PATH_TO_PLUGIN}/skills/{SKILL_NAME}/SKILL.md
STEP 2: Read the PASTA framework reference at: {ABSOLUTE_PATH_TO_PLUGIN}/shared/frameworks/pasta.md Focus on the "Stage {N}" section for guidance.
STEP 3: Read the findings schema at: {ABSOLUTE_PATH_TO_PLUGIN}/shared/schemas/findings.md
PRIOR STAGE OUTPUTS (use these as input for your analysis): --- Stage 1 Output --- {STAGE_1_OUTPUT or "N/A - this is Stage 1"} --- Stage 2 Output --- {STAGE_2_OUTPUT or "Not yet executed"} [... include all prior stage outputs ...]
FILES TO ANALYZE: {FILE_LIST}
FLAGS: --scope {SCOPE} --depth {DEPTH} --severity {SEVERITY}
IMPORTANT: Your output will be passed to Stage {N+1} as input. Structure your output clearly with headers and sections so the next stage can parse it. Return your stage-specific output only -- do NOT attempt to execute later stages.
Stage Execution Details
Stage 1 -- Business Objectives: Receives only the file list. Infers business context from code artifacts (payment processing, PII handling, authentication flows, admin interfaces). Outputs business context statement, risk tolerance, and compliance requirements.
Stage 2 -- Technical Scope: Receives Stage 1 output plus file list. Maps entry points, protocols, external dependencies, and tech stack. May request expanded file scanning to find architecture artifacts (Dockerfiles, K8s manifests, API gateway configs).
Stage 3 -- Application Decomposition: Receives Stages 1-2 output. Decomposes into components, maps trust boundaries, classifies data sensitivity, documents auth/authz flows per component.
Stage 4 -- Threat Analysis: Receives Stages 1-3 output. Identifies threats using real-world intelligence, maps to MITRE ATT&CK techniques, builds attack trees for high-value targets identified in Stage 1.
Stage 5 -- Vulnerability Analysis: Receives Stages 1-4 output. Core code analysis stage. Finds specific weaknesses that enable the threats from Stage 4. Maps to CWE identifiers. Prioritizes vulnerabilities that directly enable identified threats over theoretical weaknesses.
Stage 6 -- Attack Simulation: Receives Stages 1-5 output. Constructs multi-step exploit chains combining threats (Stage 4) with vulnerabilities (Stage 5). Scores each chain with DREAD. Identifies which attacks reach business-critical assets from Stage 1.
Stage 7 -- Risk & Impact Analysis: Receives Stages 1-6 output. Calculates business-weighted risk scores (Likelihood x Business Impact). Produces risk-ranked finding list, mitigation roadmap (quick wins / short term / long term), compliance gap report, and executive summary.
Consolidation
After Stage 7 completes, the dispatcher:
- Collect All Findings
Gather the final risk-ranked finding list from Stage 7 output. Stage 7 already incorporates context from all prior stages.
- Format Output
Apply the --format flag to produce the final output. The Stage 7 output should already contain:
-
Executive summary (non-technical stakeholder audience)
-
Risk-ranked finding list with business impact justification
-
Mitigation roadmap with effort estimates
-
Compliance gap report (if regulatory requirements identified in Stage 1)
-
Residual risk assessment
- Apply Severity Filter
If --severity is set, filter the finding list to show only findings at or above the specified severity threshold.
- Cross-Reference
Populate cross-framework references on all findings:
-
references.owasp : Map to OWASP Top 10 category.
-
references.stride : Map to STRIDE category letter(s).
-
references.mitre_attck : Already populated by Stage 4.
-
references.cwe : Already populated by Stage 5.
- Present Results
Output the final PASTA report. Include the stage progression summary showing how business objectives flowed through to risk-ranked mitigations.
Expert Mode
If --depth expert is set, after Stage 7 completes, launch red team subagents with the full PASTA output. Red team agents receive the exploit chains from Stage 6 and attempt to extend them, finding additional attack paths or chaining multiple exploit chains together.
Red team findings are appended to the final output with prefix RT and metadata.tool set to "red-team" .