Vol. 1 · Ed. 2026
CyberGlossary
Entry № 1275

Threat Modeling

Reviewed by: Cybersecurity entrepreneur & security researcher

What is Threat Modeling?

Threat Modeling: A structured analysis that identifies the assets, threats, vulnerabilities and mitigations of a system so security can be designed in rather than bolted on.


Threat modeling is a collaborative engineering practice in which architects, developers and security engineers reason about how a system could be attacked. It produces a decomposition of the application (data flow diagrams, trust boundaries, assets), enumerates threats using frameworks such as STRIDE, PASTA or LINDDUN, and proposes countermeasures with priorities derived from risk ratings like DREAD or CVSS. Done early in the SDLC, threat modeling shifts security left and is significantly cheaper than fixing flaws after release. The output is typically a living document or model that is updated whenever architecture, dependencies or trust boundaries change.

Examples

  1. STRIDE workshop on a new payments microservice that identifies a missing authentication check between two internal APIs.

  2. Data flow diagram review revealing an untrusted webhook crossing a trust boundary without signature verification.
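
An added example, not part of the original glossary entry: a minimal data-flow model in Python that surfaces the two kinds of finding listed above, an unauthenticated call between internal APIs and a webhook crossing a trust boundary without signature verification. The element names, trust zones, the two rules and the priority labels are assumptions made for illustration, and the rules cover only the Spoofing and Tampering categories of STRIDE.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Element:
    name: str
    zone: str  # trust zone; a flow between two zones crosses a trust boundary

@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    data: str
    authenticated: bool = False  # receiver verifies the caller's identity
    signed: bool = False         # receiver verifies a signature/MAC on the message

def enumerate_threats(flows):
    """Return (flow, STRIDE category, finding, priority) tuples for weak flows."""
    findings = []
    for f in flows:
        crosses = f.src.zone != f.dst.zone
        priority = "high" if crosses else "medium"
        label = f"{f.src.name} -> {f.dst.name} ({f.data})"
        if not f.authenticated:
            findings.append((label, "Spoofing", "caller is not authenticated", priority))
        if crosses and not f.signed:
            findings.append((label, "Tampering",
                             "message crosses a trust boundary without signature verification",
                             priority))
    return findings

# Constructed model of a payments service (names and zones are illustrative).
provider = Element("payment-provider", "internet")
webhook = Element("webhook-handler", "internal")
orders = Element("orders-api", "internal")
payments = Element("payments-api", "internal")
ledger = Element("ledger-db", "internal")

FLOWS = [
    Flow(provider, webhook, "payment status webhook"),
    Flow(orders, payments, "charge request"),
    Flow(payments, ledger, "ledger write", authenticated=True),
]

if __name__ == "__main__":
    for label, category, finding, priority in enumerate_threats(FLOWS):
        print(f"[{priority}] {category}: {label}: {finding}")
```

Keeping the model in version control next to the architecture lets the findings be regenerated whenever a flow, dependency or trust zone changes.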

Frequently asked questions

What is Threat Modeling?

A structured analysis that identifies the assets, threats, vulnerabilities and mitigations of a system so security can be designed in rather than bolted on. It belongs to the Application Security category of cybersecurity.

How do you defend against Threat Modeling?

Defences for Threat Modeling typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for Threat Modeling?

Common alternative names include: Architectural risk analysis.
