What Is Threat modelling? Security Definition
On This Page
What do you want to do?
Quick Definition
Threat modelling is a way to think about how someone might attack a system before it is built. It helps teams find weak spots early and decide where to focus security efforts. Instead of waiting for a breach, you map out possible dangers and plan how to stop them.
Common Commands & Configuration
aws guardduty list-findings --region us-east-1 --query 'FindingIds' --output textLists all GuardDuty findings in us-east-1, which are threats detected based on the deployed threat model configuration.
Tests understanding of GuardDuty as a threat detection service for AWS-SAA and CySA+. Used to validate that threat modelling outputs correlate with active findings.
az role assignment list --assignee <user-or-group-id> --query '[].roleDefinitionName' --output tsvLists all Azure role assignments for a specific user or group, helping identify over-privileged accounts in threat models for Elevation of Privilege risks.
Common in AZ-104 exams to test permission auditing skills. Threat models require verifying least privilege.
gcloud asset list --saved-analysis-query=threat-model-query-1 --project=my-projectRetrieves assets matching a pre-saved threat analysis query in Google Cloud, useful for visualizing assets under threat in a multi-cloud model.
Though not cloud-specific, it tests automation of threat model data retrieval. Relevant for multi-cloud certifications like ISC2-CISSP.
kubectl describe pod web-app-1 -n production | grep -i 'security-context'Describes the security context of a pod in Kubernetes, checking for privileged mode or host PID settings that could be Elevation of Privilege threats.
Appears in AZ-400 and CySA+ exams when discussing container security in threat models. Emphasizes container hardening.
terraform plan -out=tfplan -var-file=production.tfvars -input=false; inspect tfplan for security groups with cidr_blocks = ["0.0.0.0/0"]Generates a Terraform plan and then manually checks for overly permissive security groups, a top threat in cloud infrastructure.
Common in AZ-400 and AWS-SAA exams where IaC auditing is central to threat modelling. Tests ability to spot insecure defaults.
Update-AzSqlDatabaseVulnerabilityAssessmentSetting -ResourceGroupName "rg-prod" -ServerName "sqlprod-01" -DatabaseName "custdb" -StorageAccountName "vulnstorage" -ScanResultsContainerName "scans"Enables vulnerability assessment scanning on an Azure SQL Database, which feeds into the threat model by identifying weaknesses such as SQL injection risks.
Tests Azure SQL security configurations for AZ-104 and SC-900. Directly linked to threat modelling outputs for database threats.
nmap -sS -p 22,443,3389 --script vuln <target-ip> -oX threat-scan.xmlScans target IPs for open SSH, HTTPS, and RDP ports, then runs a vulnerability script, outputting XML for integration into threat model tools.
Used in Security+ and CySA+ exams to illustrate network reconnaissance in threat models. Tests ability to enumerate attack surface.
Must Know for Exams
For the AWS Solutions Architect Associate exam (SAA C03), threat modelling appears primarily in the context of designing secure architectures. You may need to recommend security controls based on a threat model. For example, a question might describe an application that processes sensitive user data and ask which combination of services would best mitigate data exposure threats. Understanding STRIDE categories helps you reason about which AWS services apply.
For the AZ 400 Azure DevOps exam, threat modelling is part of the security development lifecycle. You will need to know how to integrate threat modelling into a CI/CD pipeline, which tools to use (like Microsoft Threat Modeling Tool), and how to review threat models during pull request reviews. Expect questions about when in the pipeline to perform threat modelling and how to automate it.
The ISC2 CISSP exam covers threat modelling in depth within Domain 3, Security Architecture and Engineering. You must understand multiple methodologies, including STRIDE, PASTA, and OCTAVE. Questions may ask you to select the appropriate methodology for a given scenario or to interpret a data flow diagram. You should also be able to apply the concept of trust boundaries and understand how threats change across boundaries.
For the CySA+ exam, threat modelling is a key part of the threat management domain. You will need to analyze a scenario, identify the most likely threat, and recommend a mitigation. The exam emphasizes the use of frameworks like STRIDE to systematically identify threats. Practical familiarity with reading DFDs is important.
For Security+, threat modelling appears in the architecture and design domain. Questions are often conceptual, asking you to define STRIDE or identify which threat category applies to a scenario. For example, a question about an attacker using stolen credentials to access a system tests your understanding of spoofing. Understanding the difference between spoofing and elevation of privilege is a common exam point.
For MD 102 and MS 102 (Microsoft endpoint and Microsoft 365 administrator exams), threat modelling is lighter but still relevant. You may see questions about defender for endpoint or conditional access policies that relate to threats identified through modelling. The SC 900 exam covers basic security concepts including threat modelling as part of the Microsoft security principles.
For AZ 104, threat modelling is not a primary objective but appears in context when designing secure Azure infrastructure. You might need to decide where to place network security groups based on threat modeling of data flows. Understanding trust boundaries helps you reason about why certain traffic should be blocked.
In all cases, exam questions often present a system description and ask what the next step should be. The correct answer usually involves identifying threats before building controls. Avoid answers that suggest adding controls without first understanding the threat landscape.
Simple Meaning
Imagine you are designing a new house. Before you start building, you sit down and think about all the ways someone could break in. Could they climb through a window? Could they pick the lock on the front door? Is there a weak spot in the basement? You also think about what they might want to steal and where the most valuable items will be kept. Then you decide where to put stronger locks, alarms, or reinforced doors. That is exactly what threat modelling does for computer systems, networks, and software applications.
Threat modelling turns security from something you add at the end into something you plan from the start. Instead of reacting to a problem after it happens, you look at your system like a blueprint and ask what could go wrong. You ask questions like who might attack us, what tools do they have, what are they after, and which parts of the system are most vulnerable. This helps you prioritize what to protect first.
In the real world, you cannot protect everything equally. You have limited time, money, and energy. Threat modelling helps you spend those resources where they will do the most good. For example, if you are building a banking app, protecting customer account balances is more important than protecting a public help page. Threat modelling makes those choices clear.
The process usually involves drawing a picture of how data moves through the system, identifying trust boundaries where data passes from one security zone to another, and then systematically listing threats for each component. Common threat categories include spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege. By the end, you have a list of risks and a plan to reduce them.
Threat modelling is not a one time activity. As systems change, new threats appear. A good team reviews and updates their threat model regularly, especially when adding new features or connecting to new services. It is a habit, not a checkbox.
Full Technical Definition
Threat modelling is a systematic engineering technique used to identify, enumerate, and prioritize potential security threats and vulnerabilities in a system, application, or infrastructure. It is performed during the design phase of the software development lifecycle (SDLC) and is a core component of the security development lifecycle (SDL). The goal is to proactively address security risks before code is written or deployed, reducing the cost and impact of fixing security flaws later.
There are several established methodologies for threat modelling. The most widely recognized is STRIDE, developed by Microsoft. STRIDE is an acronym for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Each category represents a class of threat. STRIDE is typically applied against each element of a Data Flow Diagram (DFD), which includes external entities, processes, data stores, and data flows. By mapping each threat category to each DFD element, security analysts can systematically identify where threats might occur.
Another common methodology is PASTA, the Process for Attack Simulation and Threat Analysis. PASTA is a risk centric framework that aligns business objectives with technical requirements. It has seven stages: define objectives, define technical scope, decompose the application, analyze threats, analyze vulnerabilities, analyze attacks, and model risks. PASTA produces a risk score for each identified threat, helping teams prioritize remediation efforts.
Other methodologies include OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), which focuses on organizational risk, and LINDDUN, which is designed specifically for privacy threats. TRIKE is another open source methodology that uses a risk based approach with actor and asset models. In practice, many organizations combine elements from different methodologies.
The core artifacts of threat modelling include a Data Flow Diagram (DFD), which maps all system components, data flows, trust boundaries, and external interactors. Trust boundaries are particularly important because they represent points where data moves from a more trusted environment to a less trusted one, such as from an internal network to the internet. Each crossing of a trust boundary is a potential attack surface.
After creating the DFD, the team applies a threat enumeration technique. With STRIDE, each DFD element is examined against each threat type. For example, a process might be vulnerable to tampering if it accepts input without validation. A data store might be vulnerable to information disclosure if it stores data in plaintext. A data flow might be vulnerable to spoofing if it lacks authentication.
Once threats are identified, they are documented in a threat model report. Each threat is assigned a risk rating, often using DREAD (Damage potential, Reproducibility, Exploitability, Affected users, Discoverability) or a simple High/Medium/Low scale. The team then decides on mitigation strategies, which can include redesigning the architecture, adding authentication, encrypting data, implementing input validation, or adding logging.
In modern DevOps and DevSecOps environments, threat modelling is increasingly automated. Tools like Microsoft Threat Modeling Tool, OWASP Threat Dragon, and IriusRisk integrate with CI/CD pipelines. They automatically generate DFDs from infrastructure as code templates, scan for known threat patterns, and produce actionable output for developers. Automated threat modelling helps teams keep models current as systems evolve rapidly.
Threat modelling is also mandated by several regulatory and compliance frameworks. For example, PCI DSS requires a formal threat modelling process for any organization handling credit card data. ISO 27001 and NIST SP 800-30 both recommend threat modelling as part of risk management. In government and defense, frameworks like NIST SP 800-53 require threat modelling as part of the security assessment and authorization process.
Real IT implementation requires collaboration across roles. Security architects lead the modelling sessions. Developers contribute deep knowledge of how the code works. Operations engineers bring understanding of network topology and infrastructure. Product managers help identify what assets are most valuable to the business. Threat modelling is not a solo activity; it is a team sport that breaks down silos between security and development.
Real-Life Example
Think about planning a safe neighborhood watch program for a new housing development. Before any houses are built, the neighborhood association sits down with a map of the layout. They mark where the main road connects to the highway, where the walking paths are, and where the streetlights will go. They also mark areas that are hidden from view, like behind a large fence or around a corner with no lights.
Now they ask themselves: if someone wanted to break into a house, how would they get in? They could drive in from the highway and turn onto a side street. They could walk through the park and cut through someone's backyard. They could come at night when streetlights are dim in certain spots. The association also thinks about what burglars might want. Maybe some houses have expensive bikes in the garage or visible electronics near windows.
Next, the group decides on a patrol schedule and where to put additional lighting. They might install a gate at the main entrance, but they realize that a gate could block deliveries and make it hard for emergency vehicles to get through. So they consider alternatives like a camera system at the entrance and a neighborhood app where residents report suspicious activity. They also decide to trim bushes near windows so burglars cannot hide.
Now map this to IT. The housing development is your computer system or network. The map is a data flow diagram. The main road entrance is the firewall. The walking paths are network segments. The hidden corners are unpatched services or misconfigured databases. The burglars are attackers with different motivations and capabilities. The valuable items are sensitive data like customer information, credentials, or intellectual property.
The neighborhood watch plan is your threat model. You decide where to put security controls, such as firewalls, encryption, intrusion detection, and access controls. You also decide what to monitor and how to respond if something happens. Just as the neighborhood association does not put a guard at every single tree, you do not apply every security control everywhere. You focus on the most likely and most dangerous threats.
One key lesson from this analogy is that threat modelling is not a one time meeting. If the neighborhood builds a new playground or opens a new entrance, the watch plan must be updated. Similarly, when your IT system adds a new API endpoint, connects to a cloud service, or deploys a new feature, you update your threat model. The process keeps security aligned with the system as it evolves.
Why This Term Matters
In practical IT environments, security incidents are costly. A single data breach can cost millions of dollars in fines, legal fees, and lost customer trust. Threat modelling helps organizations avoid those incidents by catching security flaws early, when they are cheap to fix. Fixing a design flaw after deployment can cost 30 to 100 times more than fixing it during the design phase.
Threat modelling also helps teams communicate about security in a structured way. Instead of vague discussions about being secure, you have a documented model that everyone can review. Developers see exactly where input validation is needed. Operations engineers see which ports should be closed. Business leaders see which assets are most at risk and what investments are required to protect them.
For compliance, threat modelling is often a requirement. Regulators want to see that you have a systematic process for identifying and managing security risks. A well maintained threat model is strong evidence of due diligence. Without it, you may struggle to pass audits or justify security spending.
Finally, threat modelling shifts security left, meaning it moves security activities earlier in the development lifecycle. This is a core principle of DevSecOps. By integrating threat modelling into sprint planning or architecture reviews, security becomes a shared responsibility rather than an afterthought. Teams build with security in mind from the first line of code.
How It Appears in Exam Questions
Scenario based questions are the most common format. A typical question might describe a web application that processes credit card payments. The application stores card data in a database and communicates with a third party payment processor. The question then asks: which threat should the security team prioritize based on the data flow? The correct answer involves information disclosure because sensitive data moves across a trust boundary to the payment processor.
Another common question type is methodology selection. You might be given a scenario where a company wants to align threat modelling with business objectives and also produce a quantitative risk score. The correct answer would be PASTA because PASTA includes business impact analysis and attack simulation that yields risk scores. A distractor might be STRIDE, which is excellent for enumeration but does not produce a built in risk score.
Configuration based questions appear in cloud exams. For example, an AWS SAA question might show a VPC architecture with a public subnet containing a web server and a private subnet containing a database. A threat model reveals that the web server should not have direct access to the database. The question then asks which configuration change mitigates this threat. The correct answer might be adding a security group rule that only allows the web server to talk to the database on the specific port, or moving the database to a different subnet.
Troubleshooting questions can also involve threat modelling. A security team discovers unusual outbound traffic from an internal application. The question asks what the team should do first. The best answer is to review the threat model to see if this traffic was anticipated, and then investigate if the model needs updating. Answers that immediately block the port without investigation are traps because they might break legitimate functionality.
Some questions test your understanding of the threat modelling process itself. For instance, what is the first step in threat modelling? The correct answer is to create a data flow diagram. Another question might ask: when should threat modelling be performed? The correct answer is during the design phase, not after deployment.
Finally, there are comparison questions where two similar terms are presented and you must choose the correct one. For example, a question might ask: which threat category involves an attacker pretending to be a different user? The correct answer is spoofing, not elevation of privilege. These questions test your ability to differentiate between STRIDE categories.
Practise Threat modelling Questions
Test your understanding with exam-style practice questions.
Example Scenario
A small startup is building a new online store. They plan to collect customer names, email addresses, shipping addresses, and credit card numbers. The development team wants to move fast and launch in two months. The CEO is worried about security but does not know where to start.
A security consultant runs a threat modelling session with the team. They draw a data flow diagram on a whiteboard. The diagram shows the customer browser sending data to a web server. The web server sends the order details to a payment processor API. The web server also stores order history in a database. The database is on the same server as the web application.
Using the STRIDE methodology, the team identifies several threats. First, the database is on the same server as the web application. If an attacker compromises the web application through a SQL injection vulnerability, they have direct access to all customer data. This is a tampering and information disclosure threat. Second, the connection to the payment processor is over plain HTTP, so an attacker on the network could intercept credit card numbers. This is an information disclosure threat. Third, the web application has no login rate limiting, so an attacker could try to brute force passwords. This is a spoofing threat.
The team prioritizes the most critical threats. They decide to move the database to a separate private server and put a firewall between it and the web server. They change the payment processor connection to use HTTPS with strong TLS. They add a delay after five failed login attempts. They also plan to review the threat model after every major feature update.
In an exam, a scenario like this would ask you to identify the threat category for each finding or to recommend a specific security control. The key takeaway is that threat modelling helps you find problems early and decide what to fix first, even when resources are limited.
Common Mistakes
Thinking threat modelling is only for large enterprise systems.
Threat modelling is valuable for any system that handles sensitive data, regardless of size. Small applications still have vulnerabilities that attackers can exploit. Ignoring threat modelling because your app is small leaves you exposed.
Apply threat modelling to every project that processes personal or financial data. Even a simple mobile app can benefit from a quick data flow diagram and STRIDE review.
Creating a threat model once and never updating it.
Systems change over time. New features, new APIs, and new deployment architectures introduce new threats. A stale threat model gives a false sense of security because it does not reflect the current system.
Schedule threat model reviews for every major release or infrastructure change. Integrate threat model updates into your change management process.
Focusing only on technical threats and ignoring human or process threats.
Many breaches happen because of social engineering, insider threats, or misconfigurations caused by human error. A pure technical threat model misses these important risks.
Include people, processes, and administrative controls in your threat model. Consider threats like an employee clicking a phishing link or a contractor misconfiguring a firewall.
Listing every possible threat without prioritizing them.
If you treat every threat as equally important, you will overwhelm the team and they will ignore the model. Without prioritization, the team cannot decide where to spend their limited time and budget.
Use a risk rating system like DREAD or a simple High/Medium/Low scale. Focus mitigation efforts on threats with the highest combination of likelihood and impact.
Confusing threat modelling with penetration testing.
Penetration testing finds exploitable vulnerabilities in a running system. Threat modelling identifies potential threats and design weaknesses before any code is written. They are complementary but not interchangeable.
Use threat modelling during design to prevent vulnerabilities. Use penetration testing after deployment to verify that defenses work as expected.
Exam Trap — Don't Get Fooled
{"trap":"On the CISSP and Security+ exams, a question may ask you to identify the threat category for an attacker who uses stolen credentials to gain access. Many learners choose Elevation of Privilege because the attacker now has more access than before. However, the correct category is Spoofing because the attacker is pretending to be the legitimate user."
,"why_learners_choose_it":"Learners see the word privilege and immediately think of elevation of privilege. They forget that elevation of privilege means gaining capabilities that the original user did not have, such as a standard user becoming an administrator. In the stolen credential scenario, the attacker is acting as the user, not exceeding the user's permissions."
,"how_to_avoid_it":"Always read the scenario carefully. Ask yourself: is the attacker claiming an identity they are not (spoofing) or is the attacker doing something the original user could not do (elevation of privilege)? If the attacker is simply using someone else's identity, it is spoofing."
Commonly Confused With
A vulnerability assessment scans a system for known weaknesses, like missing patches or insecure configurations. Threat modelling focuses on identifying potential attacks before the system is built. Vulnerability assessment is reactive after deployment, while threat modelling is proactive during design.
A vulnerability assessment tells you your web server has an unpatched Apache version. Threat modelling tells you that an attacker might send a malformed HTTP request to crash the server.
Penetration testing actively attempts to exploit vulnerabilities in a running system to see if defenses hold. Threat modelling is a paper based analysis that does not involve actual exploitation. Penetration testing validates defenses, whereas threat modelling identifies what defenses you need.
A penetration test would try to SQL inject your login page. Threat modelling would identify the login page as a potential target and recommend input validation before any code is written.
Risk assessment evaluates the overall risk landscape of an organization, including financial, operational, and strategic risks. Threat modelling is a narrower technical exercise focused on specific system components and attack vectors. Risk assessment often uses threat modelling outputs as inputs.
A risk assessment might say that a data breach costs the company two million dollars on average. Threat modelling might find that the payment processing module is the most likely entry point for a breach.
A security architecture review evaluates whether an existing design meets security principles like defense in depth and least privilege. Threat modelling goes further by systematically enumerating threats against each component. Threat modelling can be part of a security architecture review, but the review is broader.
A security architecture review for a cloud network might check that subnets are properly segmented. Threat modelling would ask what happens if an attacker compromises the web server and how they could pivot to the database.
Attack surface analysis identifies all the points where an attacker could interact with a system. Threat modelling uses that information as a starting point but then goes deeper to consider specific attack paths and threat actors. Attack surface analysis is a subset of the full threat modelling process.
Attack surface analysis would list all open ports on a firewall. Threat modelling would analyze each open port to determine if an attacker could exploit the service behind it.
Step-by-Step Breakdown
Define the scope
Start by clearly defining what system or application you are modelling. Include all components, data flows, and external interactors. Set the boundaries of your model so you know what is in scope and what is out of scope. This prevents the analysis from becoming too broad or too narrow.
Identify assets
List all valuable assets in the system, such as customer data, authentication tokens, intellectual property, and system configuration files. Not all data has the same value. Understanding what is most valuable helps you prioritize which threats to worry about most.
Create a data flow diagram (DFD)
Draw the system architecture showing how data moves between components. Include external entities, processes, data stores, and trust boundaries. The DFD is the central artifact of threat modelling. Every element in the DFD will be analyzed for threats.
Identify trust boundaries
Mark every point where data crosses from one trust level to another. A trust boundary might be between the internet and your internal network, or between a web server and a database server. Each trust boundary is a potential attack surface where threats become more dangerous.
Enumerate threats using a methodology
Apply a threat categorization framework like STRIDE to each DFD element. For each process, data store, data flow, and external entity, ask if it is vulnerable to spoofing, tampering, repudiation, information disclosure, denial of service, or elevation of privilege. Document every threat you find.
Prioritize threats
Assign a risk rating to each identified threat. Use a consistent method such as DREAD or a simple High/Medium/Low scale. Consider both the likelihood of the threat and the potential impact. Prioritize threats that are both likely and high impact.
Define mitigations
For each high priority threat, design a specific mitigation. This could be a technical control like encryption, authentication, or input validation, or a procedural control like logging and monitoring. Document the mitigation and assign it to a team member for implementation.
Validate and review
After mitigations are implemented, review the threat model to confirm that the threats are adequately addressed. Re run the analysis to see if any new threats were introduced by the mitigations themselves. This step closes the loop and ensures the model remains accurate.
Maintain and update
Schedule periodic reviews of the threat model, especially when system changes occur. Integrate threat model updates into your change management and release processes. A living threat model stays relevant and continues to protect the system over time.
Practical Mini-Lesson
Threat modelling is a discipline that benefits greatly from practice. As an IT professional, you do not need to be a security expert to start. The most important skill is learning to see your system from an attacker's perspective. That shift in mindset is what makes threat modelling powerful.
When you start a threat modelling session, bring together people with different roles. The developer who wrote the code understands the nuances of how input is processed. The operations engineer knows the network topology and firewall rules. The product manager knows which features are business critical. The security architect knows common attack patterns and mitigation strategies. The best threat models come from this diversity of viewpoints.
In practice, you will often use a tool to help you. The Microsoft Threat Modeling Tool is free and generates DFDs from templates. It also has a built in threat generator based on STRIDE. You can guide it by selecting which threats apply to which elements. OWASP Threat Dragon is an open source alternative that works well for web applications. For cloud native architectures, tools like IriusRisk can import infrastructure as code and automatically generate threat models.
One common challenge is scope creep. Teams often want to model the entire enterprise, which becomes overwhelming. Instead, focus on one system or one feature at a time. A good rule of thumb is to model the components that handle the most sensitive data or are most exposed to external networks. You can always expand later.
Another practical consideration is how to present threat model findings to non technical stakeholders. Executives do not need to know every STRIDE category. They need to know the top three risks and what it will cost to mitigate them. Always tie threats back to business impact. For example, instead of saying the database is vulnerable to SQL injection, say that a breach of customer data could cost the company 5 million dollars in fines and lost revenue.
Finally, remember that threat modelling is not a one time project. Systems evolve, and so do attackers. New vulnerabilities are discovered every day. A threat model that is never updated becomes a liability rather than an asset. Make it a habit to revisit the model at least quarterly and after every major deployment. With practice, threat modelling becomes a natural part of how you design and build systems.
Applying the STRIDE Threat Modelling Methodology
In the context of threat modelling for cloud and enterprise environments, the STRIDE framework is a foundational taxonomy used to identify and categorize security threats. Developed by Microsoft, STRIDE stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Each category represents a specific type of security risk that must be assessed during the design stage of applications and infrastructure.
For example, Spoofing involves an attacker impersonating a user, system, or component. In AWS, this might relate to IAM role confusion, while in Azure, it could involve service principal token theft. Tampering covers unauthorized modification of data, such as altering a database record in an Azure SQL instance or modifying an S3 object.
Repudiation threats focus on users denying actions without audit trails, which is why services like AWS CloudTrail and Azure Monitor are critical. Information Disclosure involves exposing sensitive data, such as through misconfigured storage buckets or unencrypted communications. Denial of Service attacks aim to exhaust resources, often targeting load balancers or serverless functions in both cloud platforms.
Elevation of Privilege threats allow attackers to gain higher permissions, such as exploiting a bug in a Kubernetes API or an IAM role proxy. The STRIDE approach is particularly relevant for exams like ISC2-CISSP because it forces engineers to think about threats from multiple angles rather than focusing solely on confidentiality. When conducting a STRIDE analysis, the team typically diagrams the system architecture, identifies trust boundaries, and then systematically evaluates each threat type against data flows, data stores, processes, and external entities.
For instance, a web application with user uploads would be examined for tampering of uploads in transit and information disclosure via public storage endpoints. STRIDE is not a one-time activity but a continuous practice in the software development lifecycle, especially in DevOps pipelines for AZ-400 or security operations for CySA+. Analysts often combine STRIDE with DFDs (Data Flow Diagrams) to visualize threats at each interaction point.
This method ensures that no major threat category is overlooked, which is why it frequently appears in exam questions about identifying threat types or recommending mitigations. The key takeaway is that STRIDE provides a structured way to ask "What can go wrong here?" across the entire threat landscape, making it indispensable for security architects and engineers aiming for certifications like Security+ or SC-900.
Using the PASTA Threat Modelling Process for Application Security
The Process for Attack Simulation and Threat Analysis (PASTA) is a risk-centric threat modelling methodology that aligns security objectives with business goals. Unlike STRIDE which is more taxonomical, PASTA is a seven-step process that emphasizes attack simulation and risk quantification. The steps include: Define Objectives (Step 1), Define Technical Scope (Step 2), Decompose Application (Step 3), Threat Analysis (Step 4), Weakness and Vulnerability Analysis (Step 5), Attack Modeling and Simulation (Step 6), and Risk and Impact Analysis (Step 7).
In cloud environments like AWS and Azure, PASTA is highly effective because it requires mapping assets such as Lambda functions, VPCs, and managed databases to business processes. For example, in an e-commerce application on Azure, Step 1 might identify transaction integrity as a top objective. Step 2 defines the technical components: a Web App, Azure SQL Database, and a CDN.
Step 3 involves creating data flow diagrams showing how customer payment data moves through the system. Step 4 identifies threats like SQL injection or server-side request forgery. Step 5 looks for known vulnerabilities in libraries (e.
g., Log4Shell in Java apps). Step 6 simulates an attack, perhaps using a tool like Burp Suite or custom scripts to see if a cross-site scripting attack can be executed successfully.
Finally, Step 7 calculates the potential financial damage if a breach occurs, helping prioritize fixes. PASTA is especially relevant for the ISC2-CISSP exam because it covers risk management under the Security and Risk Management domain. It also appears in CySA+ contexts where analysts need to model threat scenarios for reporting.
For AZ-400 or AWS-SAA, PASTA helps teams integrate threat modelling into DevOps pipelines by providing a repeatable process that can be automated with tools like ThreatModeler or IriusRisk. One of the strengths of PASTA is its focus on business impact, which makes it easier to communicate risks to non-technical stakeholders. For example, if an attack vector could lead to PCI DSS non-compliance, the risk score would be very high.
This methodology also supports the use of attack trees and misuse case diagrams, which are common in exam questions for Security+ or MS-102. Engineers should note that PASTA requires active collaboration between development, operations, and security teams, making it a good fit for DevSecOps practices. In terms of exam preparation, understanding that PASTA is iterative and spread across a seven-step framework can help differentiate it from lighter models like STRIDE or OCTAVE.
The output of PASTA includes a prioritized list of threats with monetary impact, which is not commonly provided by other methods. This makes it a favorite in board-level security discussions and advanced certifications where risk quantification is measured.
Threat Modelling for Azure Resources: Specific Scenarios and Mitigations
When threat modelling in Azure, security professionals must consider the unique attack surface of Azure services such as Azure Active Directory, Azure Storage Accounts, Virtual Machines, and Azure Functions. A common threat involves misconfigured Azure Storage accounts where anonymous access is enabled, leading to data exposure. In the STRIDE framework, this would be classified as Information Disclosure.
A mitigation involves using Azure RBAC to restrict access, enabling firewall rules, and using Private Link to limit network exposure. Another frequent threat is privilege escalation via managed identity tokens. An attacker who compromises a VM with a managed identity can use that identity to access resources like key vaults or databases.
In a PASTA analysis, this would be modeled as an Elevation of Privilege scenario. The mitigation includes applying conditional access policies, using Just-In-Time (JIT) VM access, and monitoring with Azure Sentinel. Azure Security Center and Defender for Cloud provide built-in threat detection for such scenarios, which is why exam questions on AZ-104 or AZ-400 often ask about configuring those services.
Denial of Service threats in Azure can target a Web Application Firewall (WAF) or an App Service, potentially bypassing rate limiting if not correctly configured. Threat models should consider the DDoS Protection tier and ensure Azure Front Door is placed in front of critical endpoints. Repudiation threats are mitigated by enabling Azure Diagnostics and Azure Activity Logs, which capture all actions and allow non-repudiation.
For example, a user deleting a storage container without audit logs could deny that action. Therefore, exam content on MS-102 or MD-102 often tests logging and auditing best practices. Another specific scenario is an attacker exploiting an Azure DevOps pipeline agent to inject malicious code, which would fall under Tampering.
Secure supply chain practices like using signed commits and requiring approval gates are essential. For Elevation of Privilege threats, the compromise of a Global Administrator account in Azure AD remains the biggest risk. Threat models should include principles of least privilege, privileged identity management (PIM), and emergency break-glass accounts.
Azure offers integration with Microsoft Defender for Identity to detect pass-the-hash attacks. In exams like SC-900, questions often target basic threat scenarios like an unpatched VM leading to remote code execution. The key is to map the threat to the appropriate mitigation, such as using Azure Update Management.
Overall, threat modelling for Azure requires a combination of service-specific knowledge and a systematic approach to identify attack vectors across network, identity, and compute layers. Security practitioners should regularly update their threat models to account for new services like Azure Kubernetes Service (AKS) or Azure AI services, which introduce novel threats like container breakout or model extraction. The exam notes for AZ-104 and AZ-400 emphasize the need to understand both the theoretical threat model and its practical application in the Azure portal.
Critical Threat Modelling Scenarios in AWS for Security Certifications
Amazon Web Services offers a vast array of services that require careful threat modelling to secure. A classic scenario involves an Amazon S3 bucket that is publicly writable, allowing an attacker to upload malicious files that could be served to users. This is both a Tampering and Information Disclosure threat.
The mitigation involves blocking public access via bucket policies, enabling S3 Block Public Access at the account level, and using Object Lock to prevent tampering. Another common threat is an attacker abusing an AWS Lambda function with overly permissive IAM roles. If a Lambda has permission to write to DynamoDB tables, an injection vulnerability could allow an attacker to exfiltrate data.
The STRIDE category here is Elevation of Privilege. To mitigate, use least privilege IAM roles, enable AWS WAF for API Gateway, and implement input validation. In exam scenarios for AWS-SAA, questions frequently test the ability to identify such misconfigurations and recommend services like AWS Config or Security Hub to continuously monitor.
A significant Denial of Service threat is an attacker overwhelming an Elastic Load Balancer (ELB) with traffic. The solution involves AWS Shield Advanced, enabling rate limiting on the ALB, and using Auto Scaling to handle bursts. For Repudiation, AWS CloudTrail must be enabled globally to log all API calls, and AWS Config can track resource changes.
A frequent test scenario in Security+ and CySA+ exams is a misconfigured VPC with an open security group to 0.0.0.0/0 for SSH. This external entity threat can lead to unauthorized access.
The threat model must include network segmentation with private subnets, bastion hosts, and AWS Systems Manager Session Manager for secure access. Another reality is the compromise of a KMS key, which could be used to decrypt all encrypted data. Threat modelling should enforce key rotation, KMS key policies with conditions, and separation of duties using CloudHSM for highly sensitive environments.
For exam prep on ISC2-CISSP, candidates must understand that AWS threat models often involve data at rest vs. in transit threats. For example, an RDS instance with encryption disabled is a high-risk Information Disclosure scenario.
The mitigation is to enable encryption at rest for all RDS databases and enforce TLS for connections. Infrastructure as Code (IaC) misconfigurations are a growing concern, where an attacker could read a Terraform state file to learn the environment. The threat model should include encrypted state files in S3 with versioning and secure access.
Finally, containerized workloads on Amazon ECS or EKS face threats like container escape or image poisoning. These are modeled under Elevation of Privilege and Tampering. Using Amazon Inspector for vulnerability scanning and enforcing signed images is critical.
The exam notes for AWS-SAA and CySA+ stress that threat modelling is not a one-off effort but an integrated part of the CI/CD pipeline, with tools like AWS Security Hub and GuardDuty providing real-time threat detection based on the model. Engineers should practice mapping each AWS service to the relevant STRIDE or PASTA threat category to ace exam scenario questions.
Troubleshooting Clues
Overly Permissive IAM Role Permitting Lateral Movement
Symptom: A user with read-only access is able to launch EC2 instances or write to S3 buckets unexpectedly.
The IAM role assigned to the user or service has excessive permissions, often due to wildcard actions (e.g., 'ec2:*') or a trust policy that allows assuming roles from other accounts. In threat modelling, this violates least privilege and enables horizontal privilege escalation.
Exam clue: Exam questions on AWS-SAA and AZ-104 ask to identify misconfigured IAM policies that allow unintended actions. Look for 'Effect: Allow' with 'Action: *'.
Unencrypted Data at Rest in RDS Instances
Symptom: An RDS database contains sensitive data but shows encryption disabled in the configuration or backup snapshots are readable.
When RDS encryption at rest is not enabled, data on disk is plaintext and can be read if an attacker gains physical access to the storage medium, or if backups are leaked. This is an Information Disclosure threat in STRIDE.
Exam clue: Common in AWS-SAA and Security+ exams where you must recommend enabling 'encryption at rest' for RDS using KMS. Often paired with snapshot sharing vulnerabilities.
Azure Key Vault Firewall Bypass via Trusted Services
Symptom: Key Vault logs show access from IPs not in the allowed IP list but the request came from an Azure service like Logic Apps.
If Key Vault firewall is configured to 'Allow trusted Microsoft services', it bypasses IP restrictions and allows all Azure services with that label. This can be a threat if a low-privilege service accesses secrets.
Exam clue: Tests knowledge of Azure Key Vault network settings in AZ-104 and SC-900. Exam questions focus on when 'trusted services' access is appropriate vs. risky.
Container Escape via Privileged Pod in Kubernetes
Symptom: A pod running in a Kubernetes cluster has 'privileged: true' in its security context, and the host file system becomes accessible from inside the container.
Running a container in privileged mode gives it access to all kernel capabilities, allowing it to mount the host file system or use namespace capabilities. This is a critical Elevation of Privilege threat in container threat models.
Exam clue: Often appears in AZ-400 and CySA+ exams where you must identify which pod spec attributes are dangerous. Look for 'privileged: true' or 'allowPrivilegeEscalation: true'.
Public S3 Bucket with Cross-Origin Access Enabled (CORS)
Symptom: An S3 bucket has a web hosting endpoint and CORS configuration that allows all origins (*), leading to data exfiltration via AJAX requests.
CORS rules that allow all origins can be exploited by attacker-controlled websites to read bucket contents if the user is authenticated. This is an Information Disclosure threat. The misconfiguration is common in shared bucket scenarios.
Exam clue: Exam questions on AWS-SAA test the ability to restrict CORS to specific domains. Threat models include CORS as a data leak vector.
Insufficient Logging and Monitoring Leading to Missed Attacks
Symptom: A security incident occurs but there are no CloudTrail or Activity Log entries for the actions taken, making forensic analysis impossible.
Without proper logging (e.g., CloudTrail disabled in some regions, or Activity Logs not sent to a central Log Analytics workspace), attackers can operate undetected. This is a Repudiation threat because the attacker can deny actions.
Exam clue: Appears in Security+ and CySA+ exams as a question about mandatory log collection. For ISC2-CISSP, this ties to non-repudiation and audit requirements.
Unvalidated Input Leading to SQL Injection in Serverless Functions
Symptom: An AWS Lambda function that queries a DynamoDB table fails when a user submits a string with apostrophes, and error messages reveal table structure.
This indicates a potential injection vulnerability if the Lambda uses string concatenation. DynamoDB is NoSQL but still susceptible to injection if queries are built unsafely. It's a Tampering threat as the attacker can modify query logic.
Exam clue: Exam questions on AWS-SAA and AZ-400 test how to use parameterized queries or AWS WAF to block injection. Threat models list injection as a common web app threat.
Memory Tip
STRIDE: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege. Think of a thief who Spoofs an identity, Tampers with data, Repudiates their actions, leaks Information, causes Denial of service, then Elevates their privilege to escape consequences.
Learn This Topic Fully
This glossary page explains what Threat modelling means. For a complete lesson with labs and practice, see the topic guide.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
AZ-400AZ-400 →CISSPCISSP →CS0-003CompTIA CySA+ →SY0-701CompTIA Security+ →MD-102MD-102 →MS-102MS-102 →AZ-104AZ-104 →SC-900SC-900 →SAA-C03SAA-C03 →N10-009CompTIA Network+ →220-1102CompTIA A+ Core 2 →SOA-C02SOA-C02 →CDLGoogle CDL →ISC2 CCISC2 CC →Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
An AAAA record is a DNS record that maps a domain name to an IPv6 address, allowing devices to find each other over the internet using the newer IP addressing system.
Quick Knowledge Check
1.A security analyst identifies that an attacker could potentially gain read access to all EC2 instances in an account via a single IAM role. Which STRIDE category best describes this threat?
2.In the PASTA threat modelling methodology, which step involves identifying specific vulnerabilities like outdated libraries or weak password policies?
3.A Kubernetes cluster has a pod running with 'hostNetwork: true' and 'privileged: true'. What is the most immediate threat to the host system?
4.An AWS S3 bucket policy allows public read access but also includes a condition 'aws:SecureTransport': 'true'. How does this affect the threat model?
5.In an Azure environment, a threat model identifies that a compromised VM with a managed identity could access a key vault and retrieve database credentials. Which mitigation should be prioritized?
Frequently Asked Questions
Do I need special software to do threat modelling?
No, you can start with a whiteboard and sticky notes. Many teams use Microsoft Threat Modelling Tool or OWASP Threat Dragon, but the method is more important than the tool.
How long does a threat modelling session take?
A first session for a small application can take two to four hours. Larger systems may require multiple sessions. The key is to stay focused and not try to model everything at once.
What is the difference between STRIDE and PASTA?
STRIDE is a threat categorization framework that helps you identify types of threats. PASTA is a full process that includes business alignment, attack simulation, and risk scoring. PASTA is more comprehensive but requires more effort.
Can threat modelling be automated?
Yes, there are tools that automatically generate data flow diagrams from infrastructure as code templates and suggest threats based on known patterns. However, human judgment is still needed to interpret the results and make decisions.
How often should a threat model be updated?
At least every quarter, and after any significant change such as a new feature, a new API integration, or a change in network topology. If you use automated tools, updates can happen more frequently.
Who should participate in a threat modelling session?
Include a security architect, a developer, an operations engineer, and a product manager. The more perspectives you have, the more comprehensive your model will be.
Is threat modelling required for compliance?
Yes, for many standards. PCI DSS requires formal threat modelling for systems handling credit card data. ISO 27001 and NIST frameworks also recommend or require it as part of risk management.
What is the output of a threat modelling exercise?
The main outputs are a data flow diagram, a list of identified threats with risk ratings, and a set of recommended mitigations. This is usually documented in a threat model report.
Summary
Threat modelling is a proactive security practice that helps you identify and mitigate potential threats before they become real problems. By analyzing system design through methodologies like STRIDE and PASTA, teams can prioritize security controls where they matter most. The process creates a shared understanding of risk across development, operations, and business teams.
For IT certification candidates, understanding threat modelling is essential. It appears across multiple exams, from Security+ to CISSP to AWS SAA. You need to know the different methodologies, how to read a data flow diagram, and how to apply threat categories to real world scenarios. The concept is often tested through scenario based questions that require you to identify threats or recommend mitigations.
The key takeaway for your exam preparation is to practice thinking like an attacker. When you see a system description, immediately ask what could go wrong and how an attacker might exploit it. That mindset, combined with a structured methodology like STRIDE, will help you answer threat modelling questions correctly. Remember that threat modelling is not a one time activity but an ongoing practice that keeps security aligned with a changing system.