Threat Modeling

What is Threat Modeling?

Threat modeling is a structured, proactive process for identifying potential security threats, vulnerabilities, and attack paths in a system — before the system is built or before changes are deployed to production. Rather than discovering security problems after deployment through incident response or penetration testing, threat modeling embeds security analysis into the design phase, when fixes are cheapest and most effective. The output of threat modeling is a prioritized list of threats and the countermeasures needed to address them, validated against the system's specific architecture and threat environment.

Description

Threat modeling answers four foundational questions about a system: What are we building? (system decomposition and asset identification) What can go wrong? (threat enumeration) What are we going to do about it? (countermeasure identification) Did we do a good enough job? (validation). Several structured methodologies guide this process. STRIDE, developed by Microsoft, categorizes threats as Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege — mapping each category to specific security properties. PASTA (Process for Attack Simulation and Threat Analysis) is a risk-centric methodology that aligns threat analysis with business objectives and risk tolerance. DREAD provides a quantitative scoring system for threat severity. MITRE ATT&CK extends threat modeling to operational security by mapping adversary techniques to detection and mitigation controls. For AI systems, specialized threat modeling frameworks are emerging that address prompt injection, data poisoning, model extraction, and agentic AI attack surfaces that traditional frameworks were not designed to cover. Evolve Security's cyber threat modeling guide provides an accessible introduction to threat modeling methodology and its practical application.

Usage and Examples

A development team is designing a new API that will expose patient health records to third-party healthcare applications. Before writing a line of code, a threat modeling session identifies: authentication bypass as the highest-severity threat (countermeasure: OAuth 2.0 with PKCE, not API keys); excessive data exposure in API responses (countermeasure: response field filtering, not returning full records); insecure direct object reference vulnerabilities (countermeasure: resource-level authorization checks); and rate limiting absence enabling credential stuffing (countermeasure: per-client rate limits with exponential backoff). These findings, addressed at design time, cost a fraction of what they would cost after deployment — either as rework or as breach response. The resulting threat model also defines the scope for a subsequent API penetration test that validates whether the implemented countermeasures actually work.

How Does This Relate to Penetration Testing?

Threat modeling and penetration testing are complementary: threat modeling identifies what should be tested; penetration testing validates whether the defenses work. Organizations with mature threat models provide penetration testers with a richer briefing — known high-risk components, trust boundaries, intended security properties to validate — which improves engagement efficiency and the quality of findings. Conversely, penetration test findings feed back into threat models, revealing threats that were not anticipated in the design phase. For DevSecOps teams, integrating lightweight threat modeling into sprint planning and design reviews creates continuous security analysis that complements periodic penetration testing engagements. Evolve Security's Advisory services support organizations building threat modeling practices as part of a mature security program. Evolve Security's application penetration testing and Advisory services integrate with your threat modeling practice — validating design-time assumptions with real-world adversarial testing.