Threat Modeling

Introduction

Threat modeling is the systematic process of identifying potential threats, vulnerabilities, and attack vectors in a system design before implementation begins. It is one of the highest-value security activities because it finds architectural flaws that no amount of code scanning or penetration testing can fix without redesign.

Effective threat modeling answers four fundamental questions: What are we building? What can go wrong? What are we going to do about it? Did we do a good enough job? This section examines two widely adopted frameworks (STRIDE and PASTA) and explores how AI is beginning to automate and enhance the threat modeling process.

STRIDE Methodology

STRIDE, developed at Microsoft, categorizes threats into six types: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Each category maps to a security property: authentication, integrity, non-repudiation, confidentiality, availability, and authorization respectively.

The STRIDE process begins with creating a data flow diagram (DFD) that maps all components, data stores, data flows, and trust boundaries in the system. For each element in the DFD, analysts systematically consider each STRIDE category to identify potential threats. This structured approach ensures comprehensive coverage and prevents the tunnel vision that occurs with ad-hoc security analysis.

• Spoofing: Can an attacker impersonate a user, service, or data source? Mitigated by strong authentication
• Tampering: Can data be modified in transit or at rest? Mitigated by integrity controls and validation
• Repudiation: Can a user deny performing an action? Mitigated by audit logging and digital signatures
• Information Disclosure: Can sensitive data leak to unauthorized parties? Mitigated by encryption and access controls
• Denial of Service: Can the system be made unavailable? Mitigated by rate limiting, redundancy, and scaling
• Elevation of Privilege: Can a user gain unauthorized capabilities? Mitigated by least privilege and input validation

PASTA Framework

The Process for Attack Simulation and Threat Analysis (PASTA) is a seven-stage risk-centric threat modeling methodology. Unlike STRIDE, which focuses on categorizing threat types, PASTA aligns threat analysis with business objectives and risk tolerance, producing threat models that prioritize issues by actual business impact.

PASTA's seven stages progress from defining business objectives through technical scope analysis, application decomposition, threat analysis, vulnerability analysis, attack modeling, and finally risk and impact analysis. This methodical approach ensures that threat modeling efforts are proportional to the business value of the assets being protected.

STRIDE vs. PASTA: STRIDE excels at systematically identifying what can go wrong in a design. PASTA excels at prioritizing those threats by business impact and attacker likelihood. In practice, many organizations use STRIDE for initial threat identification and PASTA-style risk analysis for prioritization. The key is using a structured approach rather than relying on intuition alone.

AI-Assisted Threat Modeling

AI is beginning to transform threat modeling from a labor-intensive manual process into a partially automated one. LLMs can analyze architecture diagrams, infrastructure-as-code files, and API specifications to generate initial threat models that human analysts then review and refine. This dramatically reduces the time required while ensuring that no obvious threats are overlooked.

AI-assisted tools can also maintain threat models as living documents by continuously analyzing code changes, infrastructure updates, and dependency modifications to identify new threats introduced by system evolution. This addresses one of the biggest challenges with traditional threat modeling: models quickly become outdated as systems change.

1. Architecture Analysis: AI extracts components, data flows, and trust boundaries from diagrams and IaC templates
2. Threat Generation: LLMs apply STRIDE categories to each component, generating comprehensive threat lists with mitigation suggestions
3. Continuous Updates: AI monitors code commits and infrastructure changes to flag modifications that introduce new threats
4. Knowledge Integration: AI enriches threat models with CVE data, MITRE ATT&CK mappings, and industry-specific threat intelligence

While AI-assisted threat modeling cannot replace the judgment and creativity of experienced security architects, it significantly lowers the barrier to entry, enabling development teams to perform meaningful threat analysis even without dedicated security expertise on every project.