Threat Modeling Methodologies
Threat modeling methodologies are structured analytical frameworks used to identify, categorize, and prioritize security threats against systems, applications, and infrastructure before those threats are exploited. This page covers the principal methodologies in professional use, their structural mechanics, classification boundaries, and the regulatory contexts in which they are applied. The topic is directly relevant to security architects, software developers operating under compliance mandates, and risk management professionals who need a systematic basis for security design decisions.
- Definition and scope
- Core mechanics or structure
- Causal relationships or drivers
- Classification boundaries
- Tradeoffs and tensions
- Common misconceptions
- Checklist or steps (non-advisory)
- Reference table or matrix
Definition and scope
Threat modeling is the disciplined process of enumerating threats to a system and evaluating the mitigations that reduce associated risks to an acceptable level. It operates at the intersection of application security, cybersecurity risk management, and secure design — functioning as a preventive control rather than a reactive one.
The scope of threat modeling extends across software development lifecycles, enterprise network architectures, cloud deployments, and operational technology environments. NIST Special Publication 800-154, "Guide to Data-Centric System Threat Modeling," defines threat modeling as a form of risk assessment that analyzes representations of a system to identify security concerns. The NIST Cybersecurity Framework (CSF) positions threat modeling within the "Identify" function, specifically under risk assessment (ID.RA).
Regulatory frameworks that reference or implicitly require threat modeling include NIST SP 800-53 (Control CA-3 and RA-3), the Payment Card Industry Data Security Standard (PCI DSS Requirement 6.3.2 for software design review), and the Department of Defense's Cybersecurity Maturity Model Certification (CMMC) at Level 2 and above. The Open Web Application Security Project (OWASP) publishes the Threat Modeling Manifesto, a community-ratified reference document establishing core values and principles for the discipline.
Core mechanics or structure
Every major threat modeling methodology follows a four-phase logical structure, though naming conventions differ across frameworks:
- System decomposition — Defining system boundaries, data flows, trust boundaries, entry/exit points, and assets of value. Data Flow Diagrams (DFDs) are the dominant representation artifact.
- Threat enumeration — Identifying threat actors, attack vectors, and threat scenarios relevant to the defined system.
- Threat analysis — Assessing likelihood and impact, typically using a scoring mechanism such as DREAD (Damage, Reproducibility, Exploitability, Affected users, Discoverability) or the Common Vulnerability Scoring System (CVSS), maintained by FIRST (Forum of Incident Response and Security Teams).
- Mitigation identification — Mapping countermeasures to identified threats and validating residual risk.
The Microsoft Threat Modeling Tool operationalizes this structure using DFDs and the STRIDE threat classification scheme. OWASP's Threat Dragon provides an open-source implementation of similar mechanics. Both tools generate threat lists and mitigation recommendations tied to diagram elements.
The MITRE ATT&CK framework supplements threat enumeration by providing an empirically derived taxonomy of adversary tactics and techniques, enabling teams to ground abstract threat categories in documented attacker behaviors.
Causal relationships or drivers
Adoption of formal threat modeling methodologies is driven by three converging forces: regulatory mandates, software supply chain risk, and the increasing cost of post-deployment remediation.
The National Institute of Standards and Technology (NIST) published findings in SP 800-64 (retired, superseded by SP 800-160) indicating that defects identified in design phases cost substantially less to remediate than those found in production — a structural economic driver for pre-deployment threat analysis. The secure software development lifecycle embeds threat modeling as a mandatory gate in frameworks such as Microsoft's Security Development Lifecycle (SDL) and the NIST Secure Software Development Framework (SSDF), formally documented in NIST SP 800-218.
Executive Order 14028 (May 2021), "Improving the Nation's Cybersecurity," directed federal agencies to adopt secure software development practices — directly referencing the SSDF and, by extension, the threat modeling activities it requires. The Cybersecurity and Infrastructure Security Agency (CISA) subsequently published guidance reinforcing threat modeling as a component of secure-by-design principles.
Supply chain security concerns have further elevated threat modeling's profile: the SolarWinds incident and Log4Shell vulnerability demonstrated that trust boundary failures — a core concern of threat modeling — can propagate across thousands of dependent systems.
Classification boundaries
Threat modeling methodologies divide along three axes: the primary analytical object (software, data, attackers), the scoring mechanism used, and the organizational maturity level required.
STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) — Developed at Microsoft, system-centric, categorizes threats by the type of violation rather than by attacker identity. Best suited for software and service design contexts.
PASTA (Process for Attack Simulation and Threat Analysis) — Seven-stage, risk-centric methodology developed by Tony UcedaVélez and Marco Morana. Aligns threat modeling output to business impact, making it suitable for enterprise governance contexts. Described in the book Risk Centric Threat Modeling (Wiley, 2015).
LINDDUN — Privacy-focused methodology developed at KU Leuven, mapping threats to privacy properties: Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance. Relevant under GDPR and CCPA compliance contexts.
VAST (Visual, Agile, and Simple Threat modeling) — Designed for DevOps and Agile environments at scale, with separate threat models for applications and infrastructure. Operationalized through the ThreatModeler commercial platform.
Attack Trees — Graphical, adversary-centric models originating in work by Bruce Schneier (1999, Dr. Dobb's Journal). Represent attack paths as hierarchical trees; useful for specific attack scenario analysis rather than comprehensive system review.
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) — Developed by the Software Engineering Institute (SEI) at Carnegie Mellon University. Asset-centric and organizationally focused; three variants exist: OCTAVE, OCTAVE-S, and OCTAVE Allegro.
Tradeoffs and tensions
The primary tension in threat modeling practice lies between comprehensiveness and operational velocity. STRIDE-based models applied exhaustively to a complex microservices architecture can generate hundreds of threat items, creating triage overhead that slows development cycles. VAST and Agile-adapted approaches reduce this overhead but may miss edge-case threats that comprehensive DFD analysis would surface.
A second tension exists between attacker-centric models (attack trees, PASTA) and system-centric models (STRIDE). Attacker-centric models produce outputs more directly usable by red team and blue team operations but require threat intelligence inputs that may not be available to all organizations. System-centric models are more deterministic but can miss novel attack patterns not represented in their categorical schemes.
Automation introduces a third tension. Automated threat modeling tools reduce manual effort and improve consistency but are constrained by the quality of diagram inputs. Garbage-in, garbage-out dynamics mean that poorly constructed DFDs yield incomplete threat lists regardless of tool sophistication. The OWASP Threat Modeling Manifesto explicitly warns against treating tool output as a substitute for human expert analysis.
Finally, threat models decay. A model created at system design becomes stale as the system evolves. Maintaining synchronization between threat models and live architectures — especially in DevSecOps environments with continuous deployment — is an unsolved operational challenge without dedicated process ownership.
Common misconceptions
Misconception: Threat modeling is equivalent to vulnerability scanning. Vulnerability scanning identifies known weaknesses in deployed systems using signature databases such as the National Vulnerability Database (NVD) maintained by NIST. Threat modeling identifies design-level risks before deployment. The two practices are complementary but address fundamentally different problem spaces and occur at different points in the system lifecycle.
Misconception: STRIDE is the only recognized methodology. STRIDE is the most widely referenced methodology in software security literature, but NIST SP 800-154, the SEI OCTAVE framework, and OWASP's own guidance all describe alternative approaches suited to different analytical contexts. No single methodology is mandated across federal frameworks.
Misconception: Threat modeling applies only to software applications. NIST SP 800-82 (Guide to OT Security) and ICS-CERT advisories both reference threat modeling in the context of operational technology and industrial control systems. Network architectures, cloud environments, and physical-cyber systems are all valid threat modeling targets.
Misconception: A threat model, once completed, remains valid indefinitely. The OWASP Threat Modeling Manifesto and Microsoft SDL both specify that threat models must be updated when the system changes, when new threat intelligence emerges, or when business context shifts. A static threat model for a dynamic system provides false assurance.
Checklist or steps (non-advisory)
The following phase sequence reflects the consensus structure documented across NIST SP 800-154, the Microsoft SDL, and OWASP guidance:
- [ ] Define scope: identify system boundaries, included components, and assets in scope
- [ ] Identify stakeholders and data owners with knowledge of system behavior
- [ ] Construct a Data Flow Diagram (DFD) or equivalent system representation including trust boundaries
- [ ] Enumerate entry points, exit points, and data stores
- [ ] Apply a threat enumeration scheme (STRIDE, PASTA, LINDDUN, or equivalent) to each DFD element
- [ ] Score or prioritize identified threats using CVSS, DREAD, or a defined risk scoring methodology
- [ ] Map threats to applicable mitigations or security controls (referencing NIST SP 800-53 control catalog where applicable)
- [ ] Document residual risks and acceptance decisions with named owners
- [ ] Validate mitigations through design review, code review, or penetration testing
- [ ] Establish a review cadence tied to change management or release cycles
- [ ] Archive the threat model artifact with version control linked to system documentation
Reference table or matrix
| Methodology | Primary Focus | Threat Enumeration Basis | Organizational Suitability | Key Source |
|---|---|---|---|---|
| STRIDE | System / Software | Violation categories (6 types) | Software development teams | Microsoft SDL |
| PASTA | Risk / Business impact | Attack simulation, 7 stages | Enterprise security governance | SEI / UcedaVélez & Morana (Wiley, 2015) |
| LINDDUN | Privacy | Privacy property violations (7 types) | GDPR/CCPA compliance contexts | KU Leuven |
| VAST | Application & Infrastructure | Agile-adapted, visual | DevOps / high-velocity environments | ThreatModeler / VerSprite |
| Attack Trees | Adversary / Scenario | Hierarchical attack path decomposition | Specific scenario analysis | Schneier (1999) |
| OCTAVE Allegro | Organizational Assets | Asset-centric risk assessment | Risk management, non-technical teams | SEI / Carnegie Mellon University |
| TRIKE | Risk-based acceptance | Threat-per-requirement enumeration | Audit and compliance-oriented teams | Octotrike (open source) |
References
- NIST SP 800-154 (Draft) — Guide to Data-Centric System Threat Modeling
- NIST SP 800-218 — Secure Software Development Framework (SSDF)
- NIST SP 800-53 Rev. 5 — Security and Privacy Controls for Information Systems
- NIST Cybersecurity Framework (CSF)
- OWASP Threat Modeling Manifesto
- OWASP Threat Dragon (Open Source Tool)
- FIRST — Common Vulnerability Scoring System (CVSS)
- SEI / Carnegie Mellon — OCTAVE Methodology
- CISA — Secure by Design Guidance
- Executive Order 14028 — Improving the Nation's Cybersecurity (Federal Register)
- MITRE ATT&CK Framework
- PCI DSS v4.0 — PCI Security Standards Council
- NIST SP 800-82 Rev. 3 — Guide to OT Security