PASTA Stage 7: Risk & Impact Analysis
Produce business-weighted risk scores by combining Stage 6 exploitability with Stage 1 business impact. Deliver a prioritized remediation roadmap balancing risk reduction against effort. This is the final PASTA stage.
Supported Flags
Read ../../shared/schemas/flags.md for the full flag specification. Key behaviors:
| Flag | Stage 7 Behavior |
|---|---|
--scope | Inherits from prior stages. Synthesizes all prior outputs. |
--depth quick | Top 5 risk-ranked findings with one-line mitigations only. |
--depth standard | Full risk scoring, mitigation roadmap, and compliance mapping. |
--depth deep | Standard + residual risk assessment, systemic issues, cost-benefit per mitigation. |
--depth expert | Deep + executive summary, quantified risk, formal compliance gap report. |
--severity | Filter final output to findings at or above the threshold. |
--format md | Standalone markdown report for stakeholder distribution. |
--fix | Chain into fix mode for highest-priority findings. |
Framework Context
Read ../../shared/frameworks/pasta.md, Stage 7 section. PASTA is SEQUENTIAL.
Stage 7 consumes all prior stage outputs to produce the final deliverable.
Prerequisites
Required: Stage 6 output -- attack scenarios, DREAD scores, detection gaps. Also needs: business assets and compliance (Stage 1), entry points (Stage 2), components (Stage 3), threats (Stage 4), vulnerabilities (Stage 5). If unavailable, warn and assume.
Workflow
Step 1: Calculate Business-Weighted Risk
Risk Score = Exploitability (DREAD, 1-10) x Business Impact (1-10).
| Impact Level | Score | Criteria |
|---|---|---|
| Critical | 9-10 | Regulatory breach, massive financial loss, existential threat |
| High | 7-8 | Significant data breach, major outage, legal liability |
| Medium | 4-6 | Limited exposure, partial degradation, reputational harm |
| Low | 1-3 | Minor disclosure, negligible business effect |
Step 2: Rank Findings
Order by composite risk score (descending). Break ties by: compliance implications, attack complexity (simpler ranks higher), detection coverage (undetectable ranks higher).
Step 3: Propose Mitigations
| Effort | Definition | Timeline |
|---|---|---|
| Quick win | Single file change, config update, dependency bump | Same day |
| Short-term | Targeted code changes, new middleware or control | 1-2 sprints |
| Long-term | Architectural change, new service, framework migration | Quarterly |
Prioritize by risk-reduction-per-effort. Identify mitigations resolving multiple findings.
Step 4: Map to Compliance
Cross-reference with Stage 1 compliance requirements: which findings violate regulatory controls, which would be flagged in audit, mandated timelines, documentation needed.
Step 5: Assess Residual Risk
After proposed mitigations: what risk remains, what needs formal acceptance, what compensating controls exist, what monitoring is needed.
Step 6: Executive Summary
Non-technical summary: overall posture, top 3 immediate actions, phased effort estimate, compliance status and regulatory exposure.
Analysis Checklist
- Which findings, if exploited, would cause the greatest business harm?
- Which mitigations give the highest risk reduction for lowest effort?
- Are there findings violating regulatory requirements needing immediate remediation?
- What residual risk remains after all proposed mitigations?
- Are there systemic issues that, if fixed, resolve multiple findings?
- What is the total estimated effort for all recommended mitigations?
- Should any findings be formally accepted rather than fixed?
- What ongoing monitoring is needed after remediation?
Output Format
Stage 7 produces the Final PASTA Report. ID prefix: PASTA (e.g., PASTA-001).
## PASTA Stage 7: Risk & Impact Analysis
### Executive Summary
**Risk Posture**: [Critical / High / Moderate / Low]
[2-3 sentence summary]
**Immediate Actions**: [N] | **Total Findings**: [N] (X critical, Y high, Z medium)
**Effort**: [quick wins: N, short-term: N, long-term: N]
### Risk-Ranked Findings
| Rank | ID | Finding | Risk Score | Exploitability | Business Impact | Effort |
|------|-------|---------|-----------|---------------|----------------|--------|
| 1 | PASTA-001 | SQL injection in search | 81 | 9.0 | 9 (breach) | Quick win |
### Remediation Roadmap
#### Quick Wins (Immediate)
| Finding | Mitigation | Risk Reduction | Effort |
|---------|-----------|---------------|--------|
#### Short-Term (1-2 Sprints)
| Finding | Mitigation | Risk Reduction | Effort |
|---------|-----------|---------------|--------|
#### Long-Term (Quarterly)
| Finding | Mitigation | Risk Reduction | Effort |
|---------|-----------|---------------|--------|
### Compliance Gaps
| Regulation | Requirement | Finding | Status | Deadline |
|-----------|------------|---------|--------|----------|
### Residual Risk
| Risk | After Mitigation | Compensating Controls | Accepted |
|------|-----------------|----------------------|----------|
Findings follow ../../shared/schemas/findings.md with:
dread: DREAD scoring from Stage 6references.cwe: from Stage 5,references.owasp: OWASP mapping,references.mitre_attck: from Stage 4metadata.tool:"pasta-risk",metadata.framework:"pasta",metadata.category:"Stage-7"
Completion
This is the final PASTA stage. The output is the complete threat model deliverable: actionable, prioritized, and tied to business value. Track remediation progress and schedule periodic reassessment as the application evolves.