Multi-framework threat intelligence MCP server — STRIDE, DREAD, LINDDUN, and PASTA analysis for AI coding agents
Project description
ThreatLens
Multi-framework threat intelligence for AI coding agents
ThreatLens is an MCP (Model Context Protocol) server that provides simultaneous threat analysis across four security frameworks — STRIDE, DREAD, LINDDUN, and PASTA — with automatic cross-referencing to CWE and MITRE ATT&CK.
Unlike single-framework tools, ThreatLens gives you a multi-dimensional view of every threat: what category (STRIDE), how severe (DREAD), what privacy impact (LINDDUN), and what attack process (PASTA), all correlated in one analysis.
What Makes This Different
| Capability | ThreatLens | Typical Security Tools |
|---|---|---|
| Multi-framework correlation | STRIDE + DREAD + LINDDUN + PASTA in one pass | Usually one framework |
| Quantitative scoring | DREAD 1-10 scores with weighted context | Qualitative High/Med/Low |
| Privacy-first analysis | Built-in LINDDUN engine | Usually separate DPIA tool |
| Attack tree generation | AND/OR decomposition with likelihood | Manual diagramming |
| CWE + MITRE ATT&CK mapping | Automatic cross-reference | Manual lookup |
| AI agent workflow | MCP server with auto-instructions | IDE plugin or CLI |
Tools
Analysis
| Tool | Framework | Purpose |
|---|---|---|
| analyze_threat_landscape | STRIDE | Categorise threats from a system description |
| score_risks | DREAD | Quantitative risk scoring (1-10 per dimension) |
| assess_privacy_impact | LINDDUN | Privacy threat assessment for personal data |
| run_pasta_analysis | PASTA | 7-stage attack simulation process |
| build_attack_tree | Attack Trees | AND/OR decomposition of attack paths |
Cross-Reference
| Tool | Purpose |
|---|---|
| correlate_frameworks | Map threats across STRIDE → DREAD → LINDDUN → CWE → MITRE ATT&CK |
| map_to_cwe | Link threats to CWE entries with remediation links |
| suggest_mitigations | Prioritised mitigation strategies |
Documentation
| Tool | Purpose |
|---|---|
| generate_threat_report | Full markdown report combining all frameworks |
Quick Start
Install
```bash
# Using uv (recommended)
uv pip install .
# Or with pip
pip install .
```
Run the Server
```bash
# stdio (default — for IDE integration)
threatlens
# HTTP transport (for shared/team use)
threatlens --transport streamable-http --port 8000
# SSE transport
threatlens --transport sse --port 8000
```
IDE Integration
Cursor
Add to .cursor/mcp.json:
```json
{
  "mcpServers": {
    "threatlens": {
      "command": "threatlens",
      "args": []
    }
  }
}
```
Or with uv (no install required):
```json
{
  "mcpServers": {
    "threatlens": {
      "command": "uv",
      "args": ["run", "--directory", "/path/to/threatlens", "threatlens"]
    }
  }
}
```
Claude Desktop
Add to claude_desktop_config.json (macOS: ~/Library/Application Support/Claude/, Windows: %APPDATA%\Claude\):
```json
{
  "mcpServers": {
    "threatlens": {
      "command": "threatlens",
      "args": []
    }
  }
}
```
Or with uv (no install required):
```json
{
  "mcpServers": {
    "threatlens": {
      "command": "uv",
      "args": ["run", "--directory", "/path/to/threatlens", "threatlens"]
    }
  }
}
```
Claude Code (CLI)
```bash
claude mcp add threatlens -- threatlens
```
Or with uv:
```bash
claude mcp add threatlens -- uv run --directory /path/to/threatlens threatlens
```
VS Code (GitHub Copilot)
Add to .vscode/mcp.json:
```json
{
  "servers": {
    "threatlens": {
      "command": "threatlens",
      "args": []
    }
  }
}
```
Docker
```bash
docker build -t threatlens:latest .
```
```json
{
  "mcpServers": {
    "threatlens": {
      "command": "docker",
      "args": ["run", "--rm", "-i", "threatlens:latest"]
    }
  }
}
```
Agent Workflow
When an AI agent connects, ThreatLens automatically sends workflow instructions via the MCP handshake. The agent will follow this flow:
```text
┌─────────────────────────────┐
│ 1. analyze_threat_landscape │ ← STRIDE categorisation
├─────────────────────────────┤
│ 2. score_risks              │ ← DREAD quantitative scoring
├─────────────────────────────┤
│ 3. assess_privacy_impact    │ ← LINDDUN privacy analysis
├─────────────────────────────┤
│ 4. build_attack_tree        │ ← Attack path decomposition
├─────────────────────────────┤
│ 5. correlate_frameworks     │ ← Multi-framework mapping
├─────────────────────────────┤
│ 6. generate_threat_report   │ ← Comprehensive documentation
└─────────────────────────────┘
```
No manual configuration needed — the agent receives the instructions on connect.
Example Output
DREAD Score Table
| Threat | D | R | E | A | D | Overall | Rating |
|---|---|---|---|---|---|---|---|
| Authentication Bypass | 8.0 | 7.5 | 7.0 | 8.5 | 6.5 | 7.5 | HIGH |
| Input Manipulation | 9.0 | 6.0 | 6.5 | 7.0 | 5.5 | 6.8 | HIGH |
| Session Hijacking | 7.5 | 6.0 | 5.5 | 7.0 | 5.5 | 6.3 | HIGH |
Cross-Framework Correlation
| Threat | STRIDE | DREAD | LINDDUN | CWE | MITRE |
|---|---|---|---|---|---|
| Auth Bypass | SPOO | 7.5 | IDEN, NON_ | CWE-287, CWE-290 | T1078, T1110 |
| Data Exposure | INFO | 6.8 | DISC, LINK, IDEN | CWE-200, CWE-312 | T1530, T1567 |
Frameworks
STRIDE (Threat Categorisation)
Classifies threats into six categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege.
DREAD (Risk Scoring)
Quantitative scoring on five dimensions (1-10 each): Damage, Reproducibility, Exploitability, Affected Users, Discoverability. Overall score = average.
LINDDUN (Privacy Threats)
Privacy-specific analysis across seven categories: Linkability, Identifiability, Non-repudiation, Detectability, Disclosure, Unawareness, Non-compliance.
PASTA (Attack Simulation)
Seven-stage process: Business Objectives → Technical Scope → Decomposition → Threat Analysis → Vulnerability Analysis → Attack Modeling → Risk/Impact Analysis.
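The Tools table lists build_attack_tree as AND/OR decomposition of attack paths, and the comparison table adds "with likelihood". The following is an added example, not ThreatLens code or its scoring method: it evaluates an AND/OR tree and ranks which leaf condition, once mitigated, lowers the root likelihood most. It assumes independent leaf likelihoods (AND = product, OR = complement of the product of complements); `Node`, `evaluate`, `rank_mitigations` and the sample tree are hypothetical names and constructed values.

```python
from dataclasses import dataclass, field
from math import prod

@dataclass
class Node:
    name: str
    gate: str = "LEAF"          # "AND", "OR" or "LEAF"
    likelihood: float = 0.0     # leaf only, probability in [0, 1]
    children: list = field(default_factory=list)

def evaluate(node):
    """Likelihood of reaching this node's goal, assuming independent leaves."""
    if node.gate == "LEAF":
        if not 0.0 <= node.likelihood <= 1.0:
            raise ValueError(f"{node.name}: likelihood outside [0, 1]")
        return node.likelihood
    if not node.children:
        raise ValueError(f"{node.name}: {node.gate} gate without children")
    probs = [evaluate(child) for child in node.children]
    if node.gate == "AND":      # every sub-goal must succeed
        return prod(probs)
    if node.gate == "OR":       # any single sub-goal is enough
        return 1.0 - prod(1.0 - p for p in probs)
    raise ValueError(f"{node.name}: unknown gate {node.gate!r}")

def leaves(node):
    if node.gate == "LEAF":
        yield node
    for child in node.children:
        yield from leaves(child)

def rank_mitigations(root):
    """Leaves ordered by how far the root likelihood drops once that leaf is mitigated."""
    baseline = evaluate(root)
    drops = []
    for leaf in leaves(root):
        saved, leaf.likelihood = leaf.likelihood, 0.0   # model a fully effective control
        drops.append((leaf.name, round(baseline - evaluate(root), 4)))
        leaf.likelihood = saved                         # restore the tree
    return sorted(drops, key=lambda d: d[1], reverse=True)

# Constructed sample tree; names and likelihoods are illustrative, not ThreatLens output.
TREE = Node("Authentication bypass", "OR", children=[
    Node("Reuse leaked credentials", "AND", children=[
        Node("Credentials obtainable", likelihood=0.5),
        Node("Account lacks MFA", likelihood=0.4)]),
    Node("Replay stolen session token", "AND", children=[
        Node("Token written to logs", likelihood=0.2),
        Node("Token never expires", likelihood=0.5)])])
```

Under an AND gate, mitigating any single leaf removes the whole branch, which is why both leaves of a branch tie in the ranking.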
Development
```bash
# Install with dev dependencies
uv sync --frozen --all-extras --dev
# Run tests
uv run pytest
# Lint & type-check
uv run ruff check .
uv run pyright
```
License
MIT — see LICENSE.
File details
Details for the file threatlens-0.1.0.tar.gz.
File metadata
- Download URL: threatlens-0.1.0.tar.gz
- Upload date:
- Size: 125.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.10.11
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | c5b50f6ddd491f1cef3e92dddd3e71bcd218b269fb16d3019863b4e40c41a4d1 |
| MD5 | cda1e9cd97dd19a8e134a68d745bed8b |
| BLAKE2b-256 | 25d9badec8f6eb93aaa932bae953d58fd2fa6a310f46d18aabcd788d4c0f476c |
File details
Details for the file threatlens-0.1.0-py3-none-any.whl.
File metadata
- Download URL: threatlens-0.1.0-py3-none-any.whl
- Upload date:
- Size: 32.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.10.11
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 960525726e55aa521f1caf259bed01f5acf988770bb947f8cfc6b3b9261efec0 |
| MD5 | 9da3214f67a7e16392670e9eedc268b5 |
| BLAKE2b-256 | f80985a1fe4525b660d4d275e369ffbd599015b010a8daa0d34ab9fea2165185 |