Auspex: Building Threat Modeling Tradecraft into an Artificial Intelligence-based Copilot

  • 2025-03-12 18:54:18
  • Andrew Crossman, Andrew R. Plummer, Chandra Sekharudu, Deepak Warrier, Mohammad Yekrangian

Abstract

We present Auspex - a threat modeling system built using a specialized collection of generative artificial intelligence-based methods that capture threat modeling tradecraft. This new approach, called tradecraft prompting, centers on encoding the on-the-ground knowledge of threat modelers within the prompts that drive a generative AI-based threat modeling system. Auspex employs tradecraft prompts in two processing stages. The first stage centers on ingesting and processing system architecture information using prompts that encode threat modeling tradecraft knowledge pertaining to system decomposition and description. The second stage centers on chaining the resulting system analysis through a collection of prompts that encode tradecraft knowledge on threat identification, classification, and mitigation. The two-stage process yields a threat matrix for a system that specifies threat scenarios, threat types, information security categorizations and potential mitigations. Auspex produces formalized threat model output in minutes, relative to the weeks or months a manual process takes. More broadly, the focus on bespoke tradecraft prompting, as opposed to fine-tuning or agent-based add-ons, makes Auspex a lightweight, flexible, modular, and extensible foundational system capable of addressing the complexity, resource, and standardization limitations of both existing manual and automated threat modeling processes. In this connection, we establish the baseline value of Auspex to threat modelers through an evaluation procedure based on feedback collected from cybersecurity subject matter experts measuring the quality and utility of threat models generated by Auspex on real banking systems. We conclude with a discussion of system performance and plans for enhancements to Auspex.
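An added illustration of the two-stage tradecraft-prompt chain the abstract describes (example code written for this page, not Auspex's own): stage one decomposes the architecture, stage two is chained per data flow, and the validated rows form the threat matrix. The prompt wording, the JSON schema, the category labels and the offline stand-in model are assumptions.

```python
import json
from dataclasses import dataclass
from typing import Callable

# Stage-one tradecraft prompt (assumed wording): how a modeler decomposes a system.
STAGE1_PROMPT = (
    "You are an experienced threat modeler. Decompose the system below into "
    "components, data flows (src, dst, data) and trust boundaries. Return JSON "
    "with keys components, flows, boundaries.\n\nSYSTEM:\n"
)
# Stage-two tradecraft prompt (assumed wording): chained on stage-one output, one call per flow.
STAGE2_PROMPT = (
    "Given this data flow and the trust boundaries it crosses, list threat scenarios. "
    "For each give scenario, threat_type, infosec_category (Confidentiality, "
    "Integrity or Availability) and mitigation. Return a JSON list.\n\nFLOW: "
)
VALID_CATEGORIES = {"Confidentiality", "Integrity", "Availability"}

@dataclass(frozen=True)
class ThreatRow:  # one row of the threat matrix
    scenario: str
    threat_type: str
    infosec_category: str
    mitigation: str

def build_threat_matrix(architecture: str, llm: Callable[[str], str]) -> list[ThreatRow]:
    # `llm` is any text-in/text-out model function; the tradecraft lives in the prompts.
    decomposition = json.loads(llm(STAGE1_PROMPT + architecture))
    matrix: list[ThreatRow] = []
    for flow in decomposition["flows"]:
        prompt = STAGE2_PROMPT + json.dumps(flow) + "\nBOUNDARIES: " + json.dumps(decomposition["boundaries"])
        for item in json.loads(llm(prompt)):
            # Validate model output before it becomes a deliverable: drop rows whose
            # category is not one of the agreed labels instead of letting free text in.
            if item.get("infosec_category") not in VALID_CATEGORIES:
                continue
            matrix.append(ThreatRow(item["scenario"], item["threat_type"],
                                    item["infosec_category"], item["mitigation"]))
    return matrix

# Constructed stand-in model so the chain runs offline; a deployment would call an LLM here.
def fake_llm(prompt: str) -> str:
    if prompt.startswith("You are an experienced threat modeler"):
        return json.dumps({"components": ["web", "db"], "boundaries": ["web->db"],
                           "flows": [{"src": "web", "dst": "db", "data": "account balances"}]})
    return json.dumps([{"scenario": "Unauthenticated read of balances over web->db",
                        "threat_type": "Information Disclosure", "infosec_category": "Confidentiality",
                        "mitigation": "Authenticate the DB connection; least-privilege roles"},
                       {"scenario": "Bad category from the model", "threat_type": "Tampering",
                        "infosec_category": "Secrecy", "mitigation": "n/a"}])
```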
