Skip to main content

Threat Modeling

Threat modeling is a structured process to identify, analyze, and prioritize security threats during design so defenses can be planned early.

Threat modeling is a structured way to think like an attacker before building or shipping a system. It identifies what could go wrong, how an adversary might exploit weaknesses, and which risks deserve mitigation, ideally during design when changes are cheap.

How It Works

A typical threat modeling exercise answers four questions: What are we building? What can go wrong? What are we going to do about it? Did we do a good job? Teams start by diagramming the system, its components, data flows, and trust boundaries, often as a data-flow diagram.

They then enumerate threats using a framework. STRIDE is the most common, covering Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege. Other approaches include PASTA, attack trees, and the LINDDUN method for privacy. Identified threats are prioritized by likelihood and impact, sometimes informed by CVSS-style scoring, and matched to mitigations such as authentication, encryption, input validation, and least privilege.

Threat modeling works best as a repeatable activity, revisited as the system evolves rather than done once.

Why It Matters

Finding a design flaw on a whiteboard is far cheaper than patching it after a breach. Threat modeling shifts security earlier in the lifecycle, catching issues that scanners and tests cannot, such as flawed trust assumptions or missing controls.

It also builds a shared security mindset across developers, architects, and security teams, and produces documentation that guides defense in depth. Many secure development frameworks and compliance regimes expect threat modeling for sensitive systems.

Related Terms

Threat modeling guides defense in depth and least-privilege design, informs zero-trust boundaries, and uses severity concepts from CVE and CVSS to prioritize risks.