Vol. 1 · Ed. 2026
CyberGlossary
Entry № 1300

Trike

Reviewed by: Cybersecurity entrepreneur & security researcher

What is Trike?

Trike: An open-source threat-modeling methodology that uses a requirements-driven, risk-based approach centered on actors, assets, and allowed actions.


Trike is an open-source threat-modeling framework first published in 2005 and later refined in successive papers. Unlike attack-centric methods such as STRIDE, Trike is requirements-driven: analysts begin with a defensive standpoint, modeling actors, assets, intended actions, and the rules that govern them in a Requirements Model, then derive an Implementation Model and a Threat Model. Threats are enumerated as denial-of-service and elevation-of-privilege violations of those rules, scored on probability and impact, and reduced to a risk matrix that drives mitigation. Trike is typically used during architecture review and security requirements engineering for in-house applications, especially in regulated environments. It is community-maintained rather than backed by a standards body.
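As an added example, not taken from the glossary or from the Trike authors' papers, the Python below sketches the derivation the definition describes: an actor-action-asset Requirements Model, the denial-of-service and elevation-of-privilege threats read off each cell of that matrix, and a probability-impact risk matrix. The actors, assets, rules and scores are constructed sample data; the 1..5 scales and the low/medium/high bands are assumptions, not Trike's fixed values.

```python
from itertools import product

# Trike enumerates the CRUD actions an actor may take on an asset.
ACTIONS = ("create", "read", "update", "delete")

# Constructed Requirements Model for a small clinical app:
# actor -> asset -> set of allowed actions. Anything absent is disallowed.
ASSETS = ("patient_record", "audit_log")
RULES = {
    "patient": {"patient_record": {"read"}},
    "clinician": {"patient_record": {"read", "update"}, "audit_log": {"read"}},
}


def derive_threats(rules, assets):
    """Walk every actor-action-asset cell. An allowed action yields a
    denial-of-service threat (the intended action could be blocked); a
    disallowed action yields an elevation-of-privilege threat (the
    unintended action could be performed). Returns (actor, action, asset,
    threat_type) tuples."""
    threats = []
    for actor, allowed in rules.items():
        for asset, action in product(assets, ACTIONS):
            if action in allowed.get(asset, set()):
                threats.append((actor, action, asset, "denial_of_service"))
            else:
                threats.append((actor, action, asset, "elevation_of_privilege"))
    return threats


def risk_matrix(threats, scores, default=(1, 1)):
    """Score each threat on probability and impact (assumed 1..5 scales),
    multiply, and bucket into assumed bands: high >= 15, medium >= 6, else
    low. `scores` maps a threat tuple to (probability, impact); anything
    unscored takes `default`. Each band is sorted by descending risk."""
    bands = {"high": [], "medium": [], "low": []}
    for threat in threats:
        probability, impact = scores.get(threat, default)
        risk = probability * impact
        band = "high" if risk >= 15 else "medium" if risk >= 6 else "low"
        bands[band].append((threat, risk))
    for entries in bands.values():
        entries.sort(key=lambda entry: -entry[1])
    return bands


# Constructed (probability, impact) scores for the threats judged to matter.
SCORES = {
    ("patient", "update", "patient_record", "elevation_of_privilege"): (3, 5),
    ("patient", "read", "audit_log", "elevation_of_privilege"): (2, 4),
    ("clinician", "read", "patient_record", "denial_of_service"): (2, 4),
}
```

Running `risk_matrix(derive_threats(RULES, ASSETS), SCORES)` puts the patient's unauthorized record update in the high band, which is the cell a design review would turn into a concrete authorization requirement.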

Examples

  1. An architect using Trike to derive concrete security requirements from an actor-action-asset matrix during design review.

  2. A security team combining Trike for requirements and STRIDE for technical threat enumeration in the same project.

Frequently asked questions

What is Trike?

An open-source threat-modeling methodology that uses a requirements-driven, risk-based approach centered on actors, assets, and allowed actions. It belongs to the Compliance & Frameworks category of cybersecurity.

What does Trike mean?

An open-source threat-modeling methodology that uses a requirements-driven, risk-based approach centered on actors, assets, and allowed actions.

How do you defend against Trike?

Trike is itself a defensive methodology rather than a threat to defend against; the technical controls and operational practices it helps derive are outlined in the full definition above.
