Vol. 1 · Ed. 2026
CyberGlossary
Entry № 400

DREAD Model

Reviewed by: Cybersecurity entrepreneur & security researcher

What is DREAD Model?

DREAD Model: A qualitative risk-rating model that scores threats on Damage, Reproducibility, Exploitability, Affected users, and Discoverability.


DREAD is a qualitative risk-rating model originally introduced by Microsoft in the early 2000s alongside STRIDE for application threat modeling. Analysts assess each identified threat across five dimensions — Damage potential, Reproducibility, Exploitability, Affected users, and Discoverability — typically scored 1 to 10 each, then summed or averaged to derive a relative risk score used for prioritization. Microsoft formally deprecated DREAD due to the subjectivity and inconsistency of its scoring, but it is still taught and applied in many AppSec, threat modeling, and ISO 27001 risk-assessment contexts where a lightweight scoring scheme is preferred over CVSS or full quantitative analysis. It pairs naturally with STRIDE-identified threats.

Examples

  1. A threat-modeling workshop scoring each STRIDE threat with DREAD to rank remediation backlog items.

  2. A product security team using DREAD in early design reviews where CVE-style scoring does not yet apply.
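The scoring scheme in the definition above (five dimensions, each 1 to 10, summed or averaged) and the workshop scenario in example 1 can both be shown in a few dozen lines. The following is an added illustration written for this entry, not Microsoft's tooling or any published DREAD calculator: the four sample threats, their scores and the STRIDE labels are constructed, and the `rescore` helper exists only to show the subjectivity problem the definition mentions, where one analyst's different Damage rating changes the backlog order.

```python
"""Added example: DREAD scoring and ranking for STRIDE-identified threats.
Illustrative code for this glossary entry (not Microsoft's). Dimension names,
the 1-10 scale and sum/average aggregation follow the definition above; the
sample threats below are constructed."""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# The five DREAD dimensions, each scored 1 (lowest risk) to 10 (highest).
DIMENSIONS = ("damage", "reproducibility", "exploitability",
              "affected_users", "discoverability")
MIN_SCORE, MAX_SCORE = 1, 10


@dataclass(frozen=True)
class Threat:
    name: str
    stride: str             # STRIDE category the threat was found under
    scores: Dict[str, int]  # one entry per DREAD dimension


def validate(scores: Dict[str, int]) -> None:
    """Reject missing, extra or out-of-range dimension scores."""
    missing = set(DIMENSIONS) - scores.keys()
    extra = scores.keys() - set(DIMENSIONS)
    if missing or extra:
        raise ValueError(f"bad dimensions: missing={sorted(missing)} "
                         f"extra={sorted(extra)}")
    for dim, value in scores.items():
        if not isinstance(value, int) or not MIN_SCORE <= value <= MAX_SCORE:
            raise ValueError(f"{dim}={value!r} is not an integer in "
                             f"{MIN_SCORE}..{MAX_SCORE}")


def dread_total(scores: Dict[str, int]) -> int:
    """Summed DREAD score, range 5..50."""
    validate(scores)
    return sum(scores[d] for d in DIMENSIONS)


def dread_average(scores: Dict[str, int]) -> float:
    """Averaged DREAD score, range 1..10 (same ordering as the total)."""
    return dread_total(scores) / len(DIMENSIONS)


def rank(threats: List[Threat]) -> List[Tuple[str, int]]:
    """Order threats by total, highest risk first; ties are broken by name
    so the backlog order is reproducible between runs."""
    return sorted(((t.name, dread_total(t.scores)) for t in threats),
                  key=lambda pair: (-pair[1], pair[0]))


def rescore(threat: Threat, **changes: int) -> Threat:
    """Copy of a threat with some dimension scores changed, e.g. a second
    analyst's opinion. The result is validated on the next scoring call."""
    return replace(threat, scores={**threat.scores, **changes})


# Constructed sample: four threats from a hypothetical STRIDE review.
THREATS = [
    Threat("unsigned update accepted", "Tampering",
           dict(damage=9, reproducibility=8, exploitability=6,
                affected_users=10, discoverability=5)),
    Threat("stack trace in error page", "Information disclosure",
           dict(damage=3, reproducibility=10, exploitability=9,
                affected_users=6, discoverability=9)),
    Threat("session token in URL", "Spoofing",
           dict(damage=7, reproducibility=7, exploitability=7,
                affected_users=7, discoverability=7)),
    Threat("unbounded upload size", "Denial of service",
           dict(damage=5, reproducibility=9, exploitability=8,
                affected_users=8, discoverability=4)),
]


if __name__ == "__main__":
    for name, total in rank(THREATS):
        print(f"{total:2d}  {name}")
    # Subjectivity caveat: a second analyst rating 'damage' 6 instead of 3
    # moves the stack-trace threat from second place to first.
    second_opinion = [rescore(THREATS[1], damage=6)] + \
        [t for t in THREATS if t is not THREATS[1]]
    print(rank(second_opinion)[0])
```

Validation is deliberately strict (integers only, every dimension present) because the usual failure in spreadsheets is a blank or a 0 silently lowering a total; the tie-break by name keeps the ranked backlog stable across reruns, which matters when the scores are revisited in a later review.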

Frequently asked questions

What is DREAD Model?

A qualitative risk-rating model that scores threats on Damage, Reproducibility, Exploitability, Affected users, and Discoverability. It belongs to the Compliance & Frameworks category of cybersecurity.

What does DREAD Model mean?

A qualitative risk-rating model that scores threats on Damage, Reproducibility, Exploitability, Affected users, and Discoverability.

How do you defend against DREAD Model?

DREAD is a risk-rating model rather than a threat, so it is not something to defend against; it is used to rank the threats a review has found so that technical controls and operational practices can be applied to the highest-scoring ones first, as described in the full definition above.

What are other names for DREAD Model?

Common alternative names include: DREAD risk model.

Related terms