Anti-Cheat Design
Agent Prompt Snippet
Ensure the project has an anti-cheat design covering detection methods, server validation, reporting workflows, and penalty systems.Purpose
An anti-cheat design document specifies detection methods, server-side validation rules, reporting workflows, and penalty systems to maintain fair competitive gameplay.
This is a Recommended document — most projects benefit significantly from having one. While not strictly essential for every situation, its absence often leads to gaps in team understanding or quality.
Key Sections to Include
- Detection methods
- Server validation
- Reporting workflows
- Penalty systems
Agent hint: Ensure the project has an anti-cheat design covering detection methods, server validation, reporting workflows, and penalty systems.
What Makes It Good vs Bad
A strong version of this document:
- Identifies specific threat models and attack vectors relevant to the project
- Defines concrete controls with implementation details, not just aspirations
- Includes verification steps — how to test that security measures work
- References established frameworks (OWASP, NIST, CIS) where applicable
- Specifies incident response procedures and escalation paths
Warning signs of a weak version:
- Vague statements like ’the system will be secure’ without specifics
- Missing threat model — no analysis of who attacks, how, and what’s at risk
- No connection between identified threats and chosen mitigations
- Ignores operational security (key rotation, access reviews, audit logging)
- Written once and never updated as the threat landscape changes
Common Mistakes
- Treating security as a checkbox rather than an ongoing practice
- Focusing only on external threats while ignoring insider risks
- Documenting controls without specifying how to verify they work
- Not updating the document when new vulnerabilities or attack patterns emerge
How to Use This Document
Start by identifying the assets worth protecting and the threat actors most likely to target them. Use a framework like STRIDE or OWASP Top 10 to structure your analysis. For each identified threat, document the specific control that mitigates it and how that control is verified. Review the document at least quarterly or whenever the system architecture changes significantly.
For AI agents: When generating or reviewing this document, cross-reference the project’s architecture to ensure every external-facing surface has a corresponding security control documented.
Starter Template
SpecBase includes a ready-to-use template for this document: kb/templates/security/anti_cheat_design.md.tmpl. Use the SpecBase CLI or MCP integration to generate it pre-filled for your project.
# Generate stubs via CLI
specbase init <archetype> --features <features> --dir ./docs
Recommended Reading
- Threat Modeling: Designing for Security by Adam Shostack — The definitive guide to identifying and mitigating security threats systematically.
- Security Engineering by Ross Anderson — Comprehensive reference covering security principles from cryptography to physical security.
- The Web Application Hacker’s Handbook by Dafydd Stuttard & Marcus Pinto — Practical guide to web application security testing and common vulnerability patterns.