Identity, network, softwareIntermediate21 min read

What Does STRIDE Mean?

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

STRIDE is a tool used by IT security professionals to think about different kinds of attacks. It breaks threats into six easy-to-remember groups: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Each group represents a specific way a system can be attacked, helping teams plan better defenses.

Commonly Confused With

STRIDEvsDREAD

DREAD is a risk assessment model (Damage, Reproducibility, Exploitability, Affected Users, Discoverability) used to score threats numerically, while STRIDE is a classification model. DREAD comes after STRIDE to prioritize the identified threats.

You use STRIDE to find a data leakage issue. Then you use DREAD to decide if it is a high, medium, or low priority to fix.

STRIDEvsPASTA

PASTA (Process for Attack Simulation and Threat Analysis) is a broader threat modeling methodology that includes seven stages and often uses STRIDE as one component within it. STRIDE is only one part of PASTA's classification step.

If PASTA is a full recipe for baking a cake, STRIDE is just the step where you check the ingredients for spoilage.

STRIDEvsCVSS

CVSS (Common Vulnerability Scoring System) is used to score the severity of known vulnerabilities (like CVEs) based on metrics like attack vector and complexity. STRIDE is unrelated to scoring and focuses only on threat types during the design phase.

CVSS tells you a vulnerability has a score of 7.5; STRIDE tells you that vulnerability is an Elevation of Privilege threat.

STRIDEvsOWASP Top 10

OWASP Top 10 is a list of the most critical web application security risks (like injection, broken authentication). STRIDE is a broader classification that covers any system, not just web apps, and does not prioritize by prevalence.

OWASP says SQL injection is a top risk; STRIDE would categorize that same vulnerability as Tampering or Information Disclosure depending on the action.

Must Know for Exams

STRIDE appears in several general IT certification exams, most notably CompTIA Security+, CompTIA CySA+, and the ISC2 Certified Information Systems Security Professional (CISSP) exam. In CompTIA Security+, STRIDE is covered under Domain 1.2, which focuses on threat actors and threat vectors. The exam expects candidates to understand the six categories of STRIDE and be able to recognize them in given scenarios. For example, an exam question might describe a situation where an attacker guesses a user's password and logs into their account. The correct answer would be Spoofing, because the attacker is faking the user's identity. In CompTIA CySA+, STRIDE appears in the context of threat modeling and risk management. The exam may ask candidates to apply STRIDE to a system architecture diagram to identify potential vulnerabilities. For CISSP, STRIDE is part of Domain 3: Security Architecture and Engineering. The exam tests the candidate's ability to use STRIDE during the design phase of software and systems development.

For all of these exams, candidates should memorize the six categories and their associated security properties. Understanding the real-world application is more important than rote memorization. Exam questions often present a short scenario involving a network or application vulnerability and ask which STRIDE category is most relevant. For instance, a scenario about a database breach that leaks credit card numbers is Information Disclosure. A scenario about a ransomware attack that encrypts files is Tampering. A scenario about an employee performing an unauthorized action and then denying it is Repudiation. Candidates should also know that STRIDE is a threat classification model, not a risk assessment model, it does not prioritize threats by severity. This distinction is a common exam point. Some exams test the history of STRIDE, noting that it was developed by Microsoft. Knowing the acronym by heart is essential, but understanding how to apply it in a threat modeling session is what separates a passing score from a failing one.

Simple Meaning

STRIDE is like a security checklist for computer systems. Imagine you are a security guard at a large office building. To keep everyone safe, you need to think about all the different ways someone could cause trouble. Could someone sneak in by pretending to be an employee? That is Spoofing. Could someone break into a locked room and change important documents? That is Tampering. Could someone do something bad and then deny they did it? That is Repudiation. Could someone steal sensitive files from a desk? That is Information Disclosure. Could someone block the main entrance so no one can get in or out? That is Denial of Service. Could a janitor somehow get a master key and enter the CEO's office? That is Elevation of Privilege.

STRIDE helps security teams, network administrators, and software developers think like attackers. Instead of just hoping nothing goes wrong, they use STRIDE to systematically check for weaknesses. For example, when a company builds a new website, they can go through each STRIDE category and ask: Can someone fake their identity? Can someone change data? Can someone deny their actions? Can someone steal customer information? Can someone crash the site? Can someone gain admin access they should not have? By using this structured approach, teams can find and fix problems before criminals exploit them. STRIDE was created by Microsoft as part of their Security Development Lifecycle, but it is now used broadly across the IT industry.

Full Technical Definition

STRIDE is a threat modeling methodology developed by Microsoft in the late 1990s. It provides a structured taxonomy for categorizing security threats based on the type of security property that is violated. The six threat categories map directly to six security properties: Spoofing violates authentication, Tampering violates integrity, Repudiation violates non-repudiation, Information Disclosure violates confidentiality, Denial of Service violates availability, and Elevation of Privilege violates authorization.

In practice, STRIDE is applied during the design phase of software development or infrastructure planning. A threat modeling session typically begins with creating a data flow diagram that shows how data moves through a system, including external entities, processes, data stores, and trust boundaries. The team then applies STRIDE to each element in the diagram, asking whether that element is vulnerable to each type of threat. For instance, a web server sitting at a trust boundary might be vulnerable to Spoofing if it does not properly validate client certificates. A database storing user credentials could be vulnerable to Information Disclosure if encryption is not implemented.

STRIDE is often used alongside other frameworks like DREAD (Damage, Reproducibility, Exploitability, Affected Users, Discoverability) for risk scoring, but STRIDE itself is purely a classification tool. It does not rank threats by severity; it simply ensures that all threat types are considered. The methodology is particularly effective because it forces teams to think about threats that are easy to overlook, such as Repudiation, a threat often ignored in systems without proper logging. STRIDE is also adaptable to cloud environments, IoT systems, and network architectures. When used with tools like Microsoft Threat Modeling Tool, teams can generate threat lists automatically from data flow diagrams. The approach aligns with the principle of "shift left" in security, meaning threats are addressed early in the development lifecycle, reducing the cost and effort of fixing them later.

Real-Life Example

Imagine you live in an apartment building with a security door at the main entrance. One day, you notice that people are getting in without a key. You start thinking about all the ways someone might break in. First, someone could pretend to be a delivery person to get tenants to buzz them in, that is Spoofing. Second, someone could tamper with the lock so it does not close properly, that is Tampering. Third, a visitor could enter without signing the guest log and later claim they were never there, that is Repudiation. Fourth, someone could look over a tenant's shoulder and see their access code, that is Information Disclosure. Fifth, someone could jam the door open so no one can close it, blocking everyone out, that is Denial of Service. Finally, a regular tenant could somehow get a master key that opens every apartment, not just their own, that is Elevation of Privilege.

In the IT world, the apartment building is your network or application. The security door is your authentication system. Each attack method corresponds to a STRIDE threat category. By thinking through all six possibilities, a security professional can design stronger defenses. For example, to prevent Spoofing, you might use multi-factor authentication. To prevent Tampering, you might use data integrity checks like hashing. To prevent Repudiation, you might require digital signatures and maintain audit logs. To prevent Information Disclosure, you might use encryption. To prevent Denial of Service, you might implement rate limiting and redundancy. To prevent Elevation of Privilege, you might apply the principle of least privilege and strictly control administrative access.

Why This Term Matters

STRIDE matters because it gives IT professionals a practical, repeatable way to identify security threats early. Instead of relying on gut feelings or waiting for an attack to happen, STRIDE provides a checklist that covers the most common attack vectors. This is especially important in modern IT environments where systems are complex, interconnected, and constantly changing. A single application might have a web front end, an API layer, databases, third-party integrations, and cloud services, each with its own vulnerabilities. Using STRIDE, a security team can methodically examine every component and data flow, ensuring no category of threat is forgotten.

STRIDE helps bridge the gap between security teams and other IT roles. Developers might not think about non-repudiation, but when they see it on a STRIDE list, they understand the need for logging and digital signatures. Network administrators might focus on preventing unauthorized access but might overlook the risk of a disgruntled employee who already has valid credentials and then escalates privileges. STRIDE forces a broader perspective. It also supports compliance with security standards like ISO 27001, NIST, and PCI DSS, which require organizations to conduct regular threat assessments. Regulatory auditors often expect to see evidence of structured threat modeling, and STRIDE is a widely recognized method. Ultimately, using STRIDE reduces the risk of data breaches, service outages, and reputational damage, saving organizations significant financial and operational costs.

How It Appears in Exam Questions

In certification exams, STRIDE questions typically fall into three patterns: scenario-based identification, matching categories to security properties, and applying STRIDE to a system design.

Scenario-based identification questions present a short description of an attack and ask the candidate to identify which STRIDE category applies. For example: A user receives an email that appears to be from their bank, asking them to click a link and enter their password. This is a classic phishing attempt. The correct STRIDE category is Spoofing, because the attacker is impersonating the bank. Another example: A hacker modifies the source code of a popular open-source library and distributes it with a hidden backdoor. This is Tampering, because the integrity of the code has been compromised.

Matching questions ask candidates to pair each STRIDE category with the security property it violates. For example: Spoofing violates Authentication, Tampering violates Integrity, Repudiation violates Non-repudiation, Information Disclosure violates Confidentiality, Denial of Service violates Availability, and Elevation of Privilege violates Authorization. These questions test the candidate's foundational knowledge.

Application-based questions are more advanced and common in CySA+ and CISSP. They may present a data flow diagram of a web application with components like a load balancer, web server, application server, database, and external API. The candidate must identify which components are most at risk for each STRIDE category. For example, the database might be vulnerable to Information Disclosure if it stores passwords in plaintext. The load balancer might be vulnerable to Denial of Service if it lacks rate limiting. The application server might be vulnerable to Elevation of Privilege if it runs with excessive permissions. These questions require the candidate to think critically about how threats map to real system components.

Some exams also ask about the limitations of STRIDE. A question might state: Which of the following is NOT a benefit of using STRIDE? The correct answer might be that STRIDE does not prioritize threats by severity. Another common question: Which company developed the STRIDE model? Answer: Microsoft. Knowing these details can earn easy points on exam day.

Practise STRIDE Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You are the IT security officer for a small online retail company. The development team has just finished building a new customer portal where users can log in, view their order history, and edit their shipping address. Your manager asks you to conduct a threat assessment using STRIDE.

First, you look at Spoofing. The login form only asks for a username and password. An attacker could use a brute-force attack or a stolen password to log in as another user. To mitigate this, you recommend adding two-factor authentication.

Second, you consider Tampering. The portal allows users to edit their shipping address. If an attacker gains access, they could change the address to their own and steal packages. You check that address changes are logged and validated on the server side.

Third, you think about Repudiation. A customer places an expensive order and later claims they never did. The system logs the order creation, but the log does not include the user's IP address or session ID. You advise adding detailed audit logs that capture user identity, timestamp, and action.

Fourth, you examine Information Disclosure. The order history page displays the last four digits of the user's credit card number. However, the API returns the full card number in the backend response. An attacker who intercepts the traffic could steal the full card number. You enforce encryption and limit the data sent to the front end.

Fifth, you evaluate Denial of Service. The customer portal is hosted on a single server with no load balancing. A distributed denial-of-service attack could overwhelm the server, making the site unavailable for legitimate users. You recommend adding a web application firewall and a content delivery network.

Sixth, you check for Elevation of Privilege. The portal uses a shared database account with broad permissions. If a vulnerability in the portal is exploited, an attacker could execute SQL commands to modify other users' data. You implement least privilege by creating separate database accounts for read and write operations.

By systematically applying STRIDE, you have identified six distinct threats and proposed practical countermeasures. The development team can now prioritize and implement these fixes before the portal goes live.

Common Mistakes

Thinking STRIDE is a risk assessment tool that ranks threats by severity.

STRIDE only categorizes threats; it does not assign risk scores or prioritize them. Tools like DREAD are used for risk assessment, but STRIDE is purely a classification framework.

Use STRIDE to identify and categorize threats, then use a separate method like DREAD or CVSS to assess their severity and priority.

Confusing Denial of Service with Tampering.

Denial of Service attacks target system availability by overwhelming resources, whereas Tampering involves unauthorized modification of data or code. They affect different security properties (availability vs. integrity).

Remember that DoS is about making a service unavailable. Tampering is about changing data without permission. Think of a web server crash (DoS) versus a hacker changing a user's password in the database (Tampering).

Believing that Repudiation only applies to users denying actions, not to system logs.

Repudiation applies to both users and system components. If logging is insufficient, the system itself cannot prove what happened, leading to repudiation threats. Attackers can also disable logs to cover their tracks.

Consider the lack of non-repudiation as a vulnerability. Ensure that logs are immutable, include user identity, timestamps, and are stored separately from the system being monitored.

Assuming STRIDE is only for software applications, not network infrastructure.

STRIDE was originally created for software development, but it is widely used for network threat modeling, cloud architectures, and even physical security systems. Any system with data flows and trust boundaries can use STRIDE.

Apply STRIDE to routers, firewalls, VPNs, and cloud configurations. For example, a router without authentication is vulnerable to Spoofing; a misconfigured firewall could lead to Information Disclosure.

Ignoring the 'E' in STRIDE (Elevation of Privilege) because it is the last category.

Elevation of Privilege is often the most dangerous threat because it can enable all other attacks. An attacker who gains admin access can spoof users, tamper with data, disable logs, and cause DoS.

Always treat privilege escalation as a critical threat. Implement least privilege, regular permission audits, and multi-factor authentication for administrative accounts.

Exam Trap — Don't Get Fooled

{"trap":"The exam asks which STRIDE category is violated when an attacker modifies the contents of a database table through a SQL injection vulnerability.","why_learners_choose_it":"Many learners choose Information Disclosure because SQL injection is often associated with stealing data. However, the question focuses on modification, not reading data."

,"how_to_avoid_it":"Read the question carefully. If the attacker is modifying data (INSERT, UPDATE, DELETE), the threat is Tampering. If the attacker is reading data (SELECT), it is Information Disclosure.

SQL injection can be used for both, but the specific action determines the category."

Step-by-Step Breakdown

1

Define System Scope

Identify the boundaries of the system you are analyzing. This could be an application, a network, or a cloud infrastructure. Knowing what is in scope prevents wasted effort and ensures the analysis is focused.

2

Create a Data Flow Diagram

Draw how data moves through the system, including external entities, processes, data stores, and trust boundaries. This diagram helps visualize where trust changes and where threats are most likely to occur.

3

List All Elements in the Diagram

Write down every component from the data flow diagram: web servers, databases, APIs, user interfaces, authentication services, and the connections between them. Each element is a potential threat target.

4

Apply STRIDE to Each Element

For each element, ask six questions: Can it be spoofed? Can its data be tampered with? Can actions be repudiated? Can data be disclosed? Can it be denied service? Can privileges be escalated? Record any 'yes' answers as identified threats.

5

Document and Prioritize Threats

Create a list of all identified threats. Since STRIDE does not prioritize, use a separate method like DREAD or CVSS to assign risk levels. High-risk threats should be addressed immediately.

6

Design and Implement Mitigations

For each threat, design a countermeasure. For Spoofing, use authentication. For Tampering, use hashing. For Repudiation, use audit logs. For Information Disclosure, use encryption. For DoS, use rate limiting. For Elevation of Privilege, use least privilege.

7

Review and Update Regularly

Threats evolve as the system changes. Re-run the STRIDE analysis whenever major features are added, infrastructure changes, or after a security incident. Keeping the threat model current is critical.

Practical Mini-Lesson

Using STRIDE in a real IT environment requires both technical knowledge and a systematic mindset. A professional conducting a threat model should start by gathering all relevant documentation: network diagrams, application architecture, data flow descriptions, and security policies. If documentation is incomplete, the first task is to create a comprehensive data flow diagram using tools like Microsoft Visio, draw.io, or the Microsoft Threat Modeling Tool. The diagram should show every external entity (users, third-party services), every process (web servers, application servers), every data store (databases, file shares), and the data flows between them. Trust boundaries should be clearly marked, these are points where the level of trust changes, like between the internet and an internal network, or between a front-end server and a database.

Once the diagram is ready, the IT professional walks through each element and applies the six STRIDE questions. It is helpful to do this in a group session with developers, network engineers, and security staff, because different team members see different risks. For example, a developer might notice that an API endpoint does not validate input, which could lead to Tampering. A network engineer might spot that a backup server is on the same subnet as the production database, increasing Information Disclosure risk. The output of this session is a list of threats, each tagged with the relevant STRIDE category.

After identification, the next practical step is to determine which threats need immediate action. Since STRIDE does not prioritize, the team should use a risk matrix or scoring system. For high-priority threats, the team designs and implements controls. For example, if Information Disclosure is identified for a database, the team might enforce encryption at rest and in transit, implement parameterized queries to prevent SQL injection, and set up database auditing. The team should also document the reasoning for accepting low-risk threats (e.g., a threat that requires physical access to a locked server room).

What can go wrong? A common issue is that STRIDE analysis becomes a one-time exercise and is never updated. Systems change rapidly in IT, new features are deployed, cloud configurations are altered, integrations are added. If the threat model is not reviewed regularly, it becomes outdated and useless. Another common issue is analysis paralysis: teams spend too long creating perfect data flow diagrams or debating whether a threat belongs to Spoofing or Elevation of Privilege. The goal is to identify and fix real risks, not to achieve academic perfection. Finally, threat modeling without management support leads to unaddressed threats. The security professional must communicate findings clearly, showing the business impact of each threat, so that leadership allocates resources to implement mitigations.

Memory Tip

Remember STRIDE with the mnemonic: 'Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege', or use the sentence 'Some Trees Really Include Deadly Evil Squirrels' to recall the first letters.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Frequently Asked Questions

Is STRIDE only for Microsoft products?

No. STRIDE was created by Microsoft, but it is a general-purpose threat categorization framework used across the IT industry for any system, including Linux, cloud platforms, and network infrastructure.

Do I need to memorize all six STRIDE categories for the exam?

Yes, you must know all six categories and what security property each one violates. Most certification exams include at least one direct question about the STRIDE acronym.

Can a single attack fall into more than one STRIDE category?

Yes. For example, a SQL injection attack can be used to steal data (Information Disclosure) or modify records (Tampering). The category depends on the specific action the attacker takes.

Is STRIDE still relevant in cloud environments?

Absolutely. Cloud architectures have many trust boundaries (e.g., between VPCs, between services), and STRIDE helps identify threats like spoofed API calls, data tampering in storage, and privilege escalation in IAM roles.

What is the difference between STRIDE and a vulnerability scanner?

A vulnerability scanner looks for known weaknesses in existing systems (like missing patches). STRIDE is used during design to anticipate threats before the system is built or deployed. They are complementary.

Can I use STRIDE for physical security?

Yes, the concepts map well to physical security: Spoofing (fake ID badges), Tampering (lock manipulation), Repudiation (unlogged access), Information Disclosure (shoulder surfing), Denial of Service (blocked exits), Elevation of Privilege (janitor accessing server room).

How long does a STRIDE analysis take?

For a small application, a session might take a few hours. For a large enterprise system with many components, it can take several days. The thoroughness depends on the complexity of the data flow diagram.

Summary

STRIDE is a foundational threat classification model that every IT professional should understand. It organizes security threats into six categories based on the security property they violate: Spoofing (authentication), Tampering (integrity), Repudiation (non-repudiation), Information Disclosure (confidentiality), Denial of Service (availability), and Elevation of Privilege (authorization). By using STRIDE during system design, teams can methodically identify vulnerabilities before they are exploited. The model is simple enough to be taught in introductory security courses, yet powerful enough to be used in enterprise threat modeling sessions.

For certification candidates, mastering STRIDE is essential for exams like CompTIA Security+, CySA+, and CISSP. Questions often require you to match a scenario to the correct category or understand the purpose of the model. A common exam trap is confusing the type of threat with the associated risk, remember that STRIDE does not rank threats.

In practice, STRIDE encourages a proactive security mindset. Instead of reacting to breaches, organizations can build security into their systems from the start. While STRIDE does not provide all the answers, it does not prioritize threats or suggest specific fixes, it gives a clear, repeatable framework for thinking about what can go wrong. Combined with proper risk assessment and mitigation strategies, STRIDE helps create more resilient IT systems. The most important takeaway for any learner is to internalize the six categories and practice applying them to everyday scenarios, because that is the skill that both exams and real-world jobs require.