The Security Agent — Threat Modeling Across the Lifecycle
How Datarim's Security agent applies STRIDE threat modeling, OWASP Top 10 review, and dependency CVE audits at multiple stages — so security is built in, not bolted on.
Security review done once, at the end, after the code is already merged, tends to produce a list of findings that are expensive to fix. The Security agent runs at multiple points in the Datarim pipeline — so each phase of the work gets the check it needs when the change is still cheap to make.
The Security agent is a Security Analyst that participates at /dr-design for threat modeling, at /dr-qa for deep security review, and at /dr-compliance for secrets detection. In a multi-agent discussion (consilium), it holds the specific role: "what can go wrong, and how is it prevented?"
What it does
At the design stage, the Security agent runs STRIDE threat modeling — a structured method that asks six questions about each component: can it be spoofed, tampered with, repudiated, revealed to unauthorized parties, made unavailable, or have its permissions elevated. It also builds attack trees: starting from a worst-case outcome and working backward to find the paths that lead there.
At the quality check stage, it applies the OWASP Top 10 — the ten most common web application vulnerabilities — and reviews code for injection flaws, cross-site scripting, server-side request forgery, path traversal, and insecure deserialization. It audits dependencies for CVEs and supply-chain risk, reviews secrets management, and checks authentication and authorization design. Data protection also falls within scope: encryption at rest and in transit, PII handling, and GDPR considerations.
One concrete example
A new endpoint accepts a user-supplied URL to fetch a remote resource. During design review, the Security agent identifies this as an SSRF vector — Server-Side Request Forgery — where an attacker could supply an internal network address and cause the server to make requests on their behalf. The threat lands in the plan's security appendix with a specific mitigation: validate the URL against an allowlist of hostnames before any network call is made. The fix costs minutes at design time; it would cost days after deployment.
Where it sits
The Security agent uses the strongest model in the roster — the same as the Planner and the Strategist — because security findings that are missed have compounding consequences. Its outputs appear in the plan's Security Summary section, in the QA review report, and in the compliance scan at the end of the pipeline. The goal is that every merge carries an auditable trail of what was checked and what was decided.
Full reference on the Security agent card, or read what Datarim is for context on the full pipeline.