
TARA Framework

Threat Analysis & Risk Assessment for LLM-Powered Applications

Based on: "Invitation Is All You Need! Promptware Attacks Against LLM-Powered Assistants in Production Are Practical and Dangerous"

📄

Cite This Work

If you use this framework in your research or work, please cite the paper:

"Invitation Is All You Need! Promptware Attacks Against LLM-Powered Assistants in Production Are Practical and Dangerous"
Ben Nassi, Stav Cohen, Or Yair
arXiv:2508.12175 [cs.CR], 2025


TARA Methodology

This framework implements the Threat Analysis and Risk Assessment (TARA) methodology from the research paper "Invitation Is All You Need!" for evaluating security risks to end users of LLM-powered applications.

💡 All categories, factors, and calculations can be customized in the Settings tab.

Impact Score: 0-4, MAX of categories
Likelihood Score: 0-3, AVG of factors
Risk Levels: 6, Very Low → Critical
Residual Risk: Post-Mitigation, re-assessed likelihood

7 Steps of Risk Assessment

1. Asset Identification - Catalog user assets to secure (data, devices, privacy)
2. Adversary Identification - Profile the adversary and threat model
3. Threat Modeling - Predict threats using STRIDE+O framework
4. Likelihood & Impact - Calculate practicality and impact scores
5. Risk Assessment - Create risk matrix (Impact × Likelihood)
6. Risk Treatment - Plan mitigations (reduce, transfer, accept)
7. Residual Risk - Re-assess after mitigations are deployed

LLM Threat Classes

The paper identifies 5 primary threat classes specific to LLM-powered applications:

Short-term Context Poisoning - Malicious content injected into the current conversation context via indirect prompt injection
Long-term Memory Poisoning - Persistent poisoning of the LLM's saved memory that affects future sessions
Tool Misuse - Exploiting integrated tools (calendar, email, etc.) to perform unauthorized actions
Automatic Agent Invocation - Triggering autonomous agent actions without user consent or awareness
Automatic App Invocation - Forcing the LLM to invoke external applications maliciously

STRIDE+O Threat Categories

Extended STRIDE framework with "Other" category for LLM-specific threats:

S: Spoofing - Impersonating something or someone else
T: Tampering - Modifying data or code without authorization
R: Repudiation - Denying actions were performed
I: Information Disclosure - Exposing data to unauthorized parties
D: Denial of Service - Disrupting service availability
E: Elevation of Privilege - Gaining unauthorized access or capabilities
O: Other - Threats not fitting traditional categories

Impact Assessment (0-4 Scale)

Impact Score = Maximum value across all impact categories. Higher score = greater harm.

Scale: 0 = Negligible, 1 = Minor, 2 = Moderate, 3 = Severe, 4 = Critical

Score | Safety | Privacy | Financial | Operational
0 | No impact | No exposure | No loss | No effect
1 | Minor mental impact | Non-sensitive data | < $100 | Easy to revert
2 | Significant mental | Geolocation exposed | < $1K | Some effort
3 | Physical affected | Important info leaked | < $10K | Significant effort
4 | Life-threatening | Sensitive data/video | > $10K | Loss of capability

Likelihood Assessment (0-3 Scale)

Likelihood Score = Average of all factor scores. Higher score = easier to exploit.

Scale: 0 = Hard, 1 = Moderate, 2 = Easy, 3 = Very Easy

Factor | 3 (Easy) | 2 | 1 | 0 (Hard)
Equipment | Standard laptop | Specialized GPU | Multiple specialized | Restricted tools
Expertise | Layman | Proficient (B.Sc) | Expert (Ph.D) | Multiple experts
Window | Unlimited | Frequent | Rare (monthly) | Very rare (yearly)
Knowledge | Public info | Email needed | Password needed | Implementation details
Time | Days | 1-4 weeks | 1-6 months | 6+ months
Interaction | None (0-click) | Standard action | Special action | Extensive

Likelihood levels by score:

Very Unlikely: < 0.6
Unlikely: 0.6 - 1.2
Moderately Likely: 1.2 - 1.8
Likely: 1.8 - 2.4
Very Likely: ≥ 2.4

Residual Risk Calculation

After mitigations are deployed, likelihood factors are re-assessed while impact remains unchanged:

1. Initial Risk - Impact × Likelihood
2. Apply Mitigations - Security controls
3. Re-assess Likelihood - Usually decreases
4. Residual Risk - Impact × New Likelihood

Note: Impact typically stays the same (the potential harm doesn't change), but likelihood decreases as mitigations make attacks harder to execute.
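
The scoring rules described above (impact as MAX of categories, likelihood as AVG of factors, the likelihood levels, and the residual re-assessment), written out as an added Python example; it is not code from the framework or the paper. The function names, the inclusive lower bounds on the likelihood levels, and the sample scores are assumptions made for illustration, and the Impact × Likelihood matrix is left out because its cells are configurable and not listed on this page.

```python
from statistics import mean

IMPACT_LABELS = ["Negligible", "Minor", "Moderate", "Severe", "Critical"]
IMPACT_CATEGORIES = ("safety", "privacy", "financial", "operational")
LIKELIHOOD_FACTORS = ("equipment", "expertise", "window",
                      "knowledge", "time", "interaction")
# Levels from the page; lower bounds treated as inclusive (assumption).
LIKELIHOOD_BANDS = [(2.4, "Very Likely"), (1.8, "Likely"),
                    (1.2, "Moderately Likely"), (0.6, "Unlikely"),
                    (0.0, "Very Unlikely")]

def _validated(scores, names, top):
    """Return scores in a fixed order, rejecting missing or off-scale values."""
    missing = sorted(set(names) - set(scores))
    if missing:
        raise ValueError(f"missing scores: {missing}")
    for name in names:
        if not (isinstance(scores[name], int) and 0 <= scores[name] <= top):
            raise ValueError(f"{name}={scores[name]!r} is not an integer 0-{top}")
    return [scores[name] for name in names]

def impact_score(categories):
    """Impact = MAX across categories (0-4)."""
    score = max(_validated(categories, IMPACT_CATEGORIES, 4))
    return score, IMPACT_LABELS[score]

def likelihood_score(factors):
    """Likelihood = AVG of factor scores (0-3), levelled on the unrounded value."""
    raw = mean(_validated(factors, LIKELIHOOD_FACTORS, 3))
    label = next(name for floor, name in LIKELIHOOD_BANDS if raw >= floor)
    return round(raw, 2), label

def assess(threat):
    """Score a threat before and after mitigations; impact is not re-scored."""
    return {
        "impact": impact_score(threat["impact"]),
        "likelihood": likelihood_score(threat["likelihood"]),
        "residual_likelihood": likelihood_score(threat["residual_likelihood"]),
    }

# Constructed sample threat; scores are illustrative, not taken from the paper.
SAMPLE = {
    "impact": {"safety": 1, "privacy": 3, "financial": 0, "operational": 2},
    "likelihood": {"equipment": 3, "expertise": 3, "window": 3,
                   "knowledge": 2, "time": 3, "interaction": 2},
    "residual_likelihood": {"equipment": 3, "expertise": 1, "window": 1,
                            "knowledge": 1, "time": 1, "interaction": 1},
}
print(assess(SAMPLE))
```

In this constructed case the mitigations move likelihood from Very Likely to Moderately Likely while impact stays Severe, which is the pattern the note above describes.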

⚙️ Settings

Manage your threat data and customize all framework settings.

📁

Data Management

📤

Export Threats

Download your threats for backup or reporting.

📥

Import Threats

Load threats from a previously exported file.

📄

Sample Data

Load the 14 threats from Table 2 of the paper.

⚠️

Delete Data

Permanently delete all threats.

🔧

Framework Configuration

🏷️

Threat Classes

Manage threat class categories.

💥

Impact Categories

Manage impact assessment categories (0-4 scale).

📊

Likelihood Factors

Manage likelihood factors (0-3 scale).

📈

Impact Scale (0-4)

Customize impact level labels.

📉

Likelihood Scale (0-3)

Customize likelihood level labels.

🚦

Risk Levels & Colors

Customize risk level names and colors. Click color to change.

🔢

Risk Matrix

Configure how Impact × Likelihood maps to Risk Level. Click any cell to change.

💾

Configuration Backup

📤

Export Settings

Save your customizations to a file.

📥

Import Settings

Load settings from another user.

🔄

Reset All

Reset all settings to defaults.
