Threat Model Sketch

Module 9, Lesson 9.1 · three-adversary worksheet · produces Section 1 of /capstone/security-posture.md

Save this as: worksheet stays in your notebook; the five outputs (three adversary descriptions, out-of-scope list, most-underprepared-for line) copy into Section 1 of /capstone/security-posture.md.

Use it again: at every 90-day posture review, re-run Parts 1, 3, and 5. The world changes; your threat model has to change with it.

The audience-equals-you rule is what makes this tractable.

Three adversaries, one student. You are defending the work you have actually built — your own machine, your own keys, your own data, your own pipeline. Not a corporation. Not a multi-tenant service. Just what is yours.

Header

Student:   Date:

Posture doc link (path or URL):

Next review date (≤ 90 days):

Part 1 — Adversary 1: the careless self

Name three concrete near-misses or incidents from the last 60 days

A misplaced key. A skill committed with a password still in it. A scheduled task that fired more often than you intended. A draft auto-sent despite audience-equals-you. Specificity earns the point; vague answers do not.

Near-miss #1

What happened:

What would have caught it earlier:

Near-miss #2

What happened:

What would have caught it earlier:

Near-miss #3

What happened:

What would have caught it earlier:

Honesty rule: If you cannot list three, list two and write “only two.” Do not invent a third. A fabricated near-miss does not teach you anything; a real count, even a short one, tells you the true shape of your own carelessness.

Part 2 — Adversary 2: the hostile internet

Which of your agents reads untrusted text, and from where?

Any text the agent reads from outside your own prompt is potentially hostile — a web page summarized by a research agent, an email read by an inbox agent, a PDF a stranger sent, an MCP response from a third-party server. List one agent and three of its untrusted sources.

Agent that reads untrusted text most often:

Source of untrusted text #1 (what site / sender / channel):

Source of untrusted text #2:

Source of untrusted text #3:

Confidence that your current setup would contain a successful injection on one of those sources:

☐ 1 (none)   ☐ 2   ☐ 3   ☐ 4   ☐ 5 (fully contained, audience-equals-you plus segregation plus refusal)

One sentence on why:

Part 3 — Adversary 3: the supply chain

Every plugin, MCP, and skill currently installed

List up to eight. Include plugins and MCPs in the Cowork tab, subagents and skills in the Claude Code CLI, and any browser extension that reads your AI-tool pages. Pull last-audit date from your Module 7 plugin register if you have one.

#   Plugin / MCP / skill name              Last audit date     Permissions read?
1   _____________________________________  ______________      ☐ Y   ☐ N
2   _____________________________________  ______________      ☐ Y   ☐ N
3   _____________________________________  ______________      ☐ Y   ☐ N
4   _____________________________________  ______________      ☐ Y   ☐ N
5   _____________________________________  ______________      ☐ Y   ☐ N
6   _____________________________________  ______________      ☐ Y   ☐ N
7   _____________________________________  ______________      ☐ Y   ☐ N
8   _____________________________________  ______________      ☐ Y   ☐ N

Part 4 — Realism filter (out-of-scope adversaries)

Tick any that are actually in-scope for your context; for the rest, write one sentence on why each is out of scope

Most one-student systems are not targeted by nation-state actors or ransomware crews. Naming what you are not defending against is how you keep the scope honest. If one of these is in-scope for you (you work in a sensitive field, you have a real adversary, etc.), you have graduated past this course's scope and should read further — note why below.

☐ Nation-state actors
   Why out of scope (or, if ticked, why in scope):

☐ Ransomware crews
   Why out of scope (or, if ticked, why in scope):

☐ Zero-days in your tools
   Why out of scope (or, if ticked, why in scope):

☐ Insider in your household
   Why out of scope (or, if ticked, why in scope):

Part 5 — Self-rating: exposure to each adversary (1–5)

One radio row per adversary, one sentence on why

1 = well-defended; 5 = wide open. Be honest. The exercise is only useful if the numbers match reality, not aspiration.

Careless self:       ☐ 1 (well-defended)   ☐ 2   ☐ 3   ☐ 4   ☐ 5 (wide open)
   One sentence on why:

Hostile internet:    ☐ 1 (well-defended)   ☐ 2   ☐ 3   ☐ 4   ☐ 5 (wide open)
   One sentence on why:

Supply chain:        ☐ 1 (well-defended)   ☐ 2   ☐ 3   ☐ 4   ☐ 5 (wide open)
   One sentence on why:

Most-underprepared-for adversary (pick one):

This is the adversary the rest of Module 9 sharpens defenses against. Write it in Section 1 of security-posture.md.

Pre-freeze checklist

This worksheet accompanies Lesson 9.1 of AI Architect Academy. The three-adversary frame (careless self, hostile internet, supply chain) and the honesty rule are concept. The out-of-scope list and the 1–5 rating scale are concept. Specific plugin / MCP names live in your Module 7 register, which is recipe.