deciduous

Deciduous

A web app that simplifies building decision trees to model adverse scenarios. Hosted at https://www.deciduous.app/

It allows you to document your assumptions about how a system, service, app, etc. will respond to adverse events. Its heritage is in helping defenders anticipate attacker behavior and prepare mitigations accordingly, but it also applies to anticipating reliability-related failures, too.

It is especially useful as a foundation to conduct resilience stress testing / chaos experimentation, allowing you to continually refine your mental models of a system with reality. The end goal of using decision trees is to document your beliefs about how failure will unfold across your system in a given scenario, which can inform design improvements to better sustain resilience to that failure.

Getting started guide: https://kellyshortridge.com/blog/posts/deciduous-attack-tree-app/

Theme options include:

• theme: default - the default tree styling
• theme: accessible - for more color differentiation between attack and mitigation nodes
• theme: classic - classic Graphviz styling
• theme: dark - dark mode

For a more detailed write-up of using decision trees in practice, refer to the book Security Chaos Engineering: Sustaining Resilience in Software and Systems.

Examples

Example trees for #inspo are hosted in /examples.

Security

• S3 Bucket with Video Recordings
• Cryptominer in a Container (video explanation)

Reliability

• Missing Logs (video explanation)
• Unrealistic Traces

Surrealism

• Thanksploitation scenario from Rick and Morty (blog post)