Threat Modeling in Practice
Capture Threats on Paper First
This topic works best as a practical framework: clear enough for decision-making and concrete enough for execution.
In Threat Modeling in Practice, the goal is to document choices that teams can execute consistently and repeatably.
This keeps this chapter from being theory and makes it a usable compass for consistent execution.
Immediate measures (15 minutes)
Why this matters
The core of Threat Modeling in Practice is risk reduction in practice. Technical context supports the choice of measures, but implementation and assurance are central.
Minimum viable threat model
For each critical system, at minimum:
- Context diagram (actors, systems, external dependencies).
- Dataflows with trust boundaries.
- Misuse cases per critical flow.
- Top risks with priority and owner.
- Concrete control choices + verification plan.
If any of these is missing, the model is incomplete.
Methodology in 6 steps
Step 1: Scope and assets
- define system boundaries;
- identify crown jewels (data, processes, credentials).
Step 2: Draw the dataflow
- document every data transfer;
- explicitly mark trust transitions.
Step 3: Identify threats
- use STRIDE or ATT&CK-based scenarios;
- focus on realistic risk paths, not theoretical edge cases.
Step 4: Prioritize risks
- impact x likelihood;
- emphasize chain dependencies and detection blind spots.
Step 5: Choose measures
- priority order: eliminate > mitigate > detect > respond;
- link each measure to an owner and implementation timeline.
Step 6: Validate and maintain
- validate with pentest/tabletop;
- update model on architecture changes.
STRIDE practically applied
| STRIDE | Architecture question | Typical measure |
|---|---|---|
| Spoofing | Can an actor impersonate another? | Strong authN, token validation, mTLS |
| Tampering | Can data be modified in transit or at rest? | Integrity checks, signing, immutability |
| Repudiation | Can actions be denied? | Audit logs with identity context |
| Information Disclosure | Does sensitive data leak outside scope? | Encryption, segmentation, data minimization |
| Denial of Service | Can availability be deliberately disrupted? | Rate limiting, autoscaling, fallback |
| Elevation of Privilege | Can an actor escalate privileges? | Least privilege, policy enforcement, PAM |
Output format for teams
Per risk, record:
- risk ID;
- scenario;
- impacted asset;
- current controls;
- missing control;
- owner;
- target date;
- evidence of implementation.
This format makes threat modeling directly usable for backlog and governance.
Link to architecture and governance
- Architecture: input for reference designs and ADRs.
- Engineering: input for backlog and test cases.
- Governance: input for top-risk reporting and investment decisions.
Threat modeling only has value when outcomes lead to execution.
Summary
Threat modeling is not a workshop goal in itself but a decision machine: it makes risk paths visible, prioritizes risks, and links measures to ownership and evidence.
Further reading in the knowledge base
These articles in the portal provide more background and practical context:
- Incident Response — when things go wrong
- Compliance — following rules without losing your mind
- Least Privilege — give people only what they need
- Patch management — the most boring thing that can save your life
- Backups — the most boring topic that can save your life
You need an account to access the knowledge base. Log in or register.
Related security measures
These articles provide additional context and depth:
