What Is Threat Modeling? The Process, STRIDE & Methodologies
Threat modeling asks 'what could go wrong?' while a system is still on the whiteboard — finding security flaws in the design before they're ever built. Here's the process and the STRIDE methodology.
Reviewed & fact-checked against primary sources by the TI News Feed Editorial Team.
Threat modeling is a structured process for identifying potential security threats and weaknesses in a system, application, or process — ideally early, while it's still being designed — so they can be addressed before they become real vulnerabilities. Instead of waiting to find flaws after a system is built (or after an attacker finds them), threat modeling deliberately asks "what could go wrong?" up front, when fixing problems is cheapest and easiest. It's a proactive, "shift-left" practice that has become a cornerstone of secure software development and system design.
In short: threat modeling is thinking like an attacker while you're still drawing the blueprints. Find the weaknesses on the whiteboard, and you never have to patch them in production.
Why threat modeling matters
Security flaws are dramatically cheaper to fix the earlier they're caught. A weakness identified in a design diagram costs almost nothing to address; the same weakness discovered after launch may require emergency patching, incident response, or a costly redesign — and might be exploited first. Threat modeling front-loads security thinking into the design phase, where it has the most leverage. It also produces a shared understanding among developers, architects, and security teams of what they're protecting and against whom, and it documents security decisions for the future.
The four key questions
At its heart, threat modeling answers four deceptively simple questions, popularized by security expert Adam Shostack:
- What are we building? Understand and diagram the system — its components, data flows, and trust boundaries.
- What can go wrong? Identify the threats — the ways an attacker could abuse or break the system.
- What are we going to do about it? Decide on mitigations for the threats that matter.
- Did we do a good job? Validate the model and the mitigations, and refine over time.
The threat modeling process
- Decompose and diagram. Map the system, often with a data flow diagram, marking components, data stores, data flows, and the trust boundaries where data crosses between different levels of trust.
- Identify threats. Systematically enumerate what could go wrong, usually with the help of a methodology like STRIDE (below) to ensure coverage.
- Mitigate. For each significant threat, decide how to address it — mitigate, eliminate, transfer, or accept the risk.
- Validate. Confirm the threats were correctly identified and the mitigations are effective, and update the model as the system evolves.
STRIDE: the most common methodology
STRIDE, developed at Microsoft, is the best-known threat modeling methodology. It's a mnemonic for six categories of threats, prompting you to ask whether each applies to every component:
- S — Spoofing: impersonating something or someone (e.g., faking an identity). Counter with authentication.
- T — Tampering: unauthorized modification of data or code. Counter with integrity controls.
- R — Repudiation: denying having performed an action without others being able to prove otherwise. Counter with logging and non-repudiation.
- I — Information disclosure: exposing data to those not authorized to see it. Counter with encryption and access control.
- D — Denial of service: making a system unavailable, as in a DoS attack. Counter with resilience and rate limiting.
- E — Elevation of privilege: gaining capabilities without authorization — privilege escalation. Counter with least privilege and authorization checks.
Working through STRIDE for each part of a system is a reliable way to surface threats you'd otherwise miss.
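As an added example (not part of the original article), the Python below works through STRIDE for each part of a small constructed system and lists flows that cross a trust boundary first. It goes one step beyond the list above by using the common STRIDE-per-element chart to narrow which categories are asked of each element type; the `Element`, `Flow`, `enumerate_threats` and `open_threats` names and the browser/API/database system are assumptions made for illustration.

```python
from dataclasses import dataclass

# STRIDE letter -> (category, counter), as listed in the article.
STRIDE = {
    "S": ("Spoofing", "authentication"),
    "T": ("Tampering", "integrity controls"),
    "R": ("Repudiation", "logging and non-repudiation"),
    "I": ("Information disclosure", "encryption and access control"),
    "D": ("Denial of service", "resilience and rate limiting"),
    "E": ("Elevation of privilege", "least privilege and authorization checks"),
}
# Assumption (not from the article): the common STRIDE-per-element chart,
# which narrows the six questions by data flow diagram element type.
APPLIES = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # "external", "process" or "store"
    zone: str  # trust level the element runs in

@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    data: str

def enumerate_threats(elements, flows):
    """Return (target, category, counter, crosses_boundary) rows, boundary-crossing flows first."""
    rows = [(e.name, *STRIDE[c], False) for e in elements for c in APPLIES[e.kind]]
    for f in flows:
        crossing = f.src.zone != f.dst.zone  # data moves between trust levels
        target = f"{f.src.name} -> {f.dst.name} ({f.data})"
        rows += [(target, *STRIDE[c], crossing) for c in APPLIES["flow"]]
    return sorted(rows, key=lambda r: not r[3])  # stable sort keeps STRIDE order

def open_threats(rows, decisions):
    """Rows with no recorded decision (mitigate, eliminate, transfer or accept)."""
    return [r for r in rows if (r[0], r[1]) not in decisions]

# Constructed sample system: a browser calling a web API backed by a database.
browser = Element("Browser", "external", "internet")
api = Element("Web API", "process", "app")
db = Element("Orders DB", "store", "app")
flows = [Flow(browser, api, "login request"), Flow(api, db, "order query")]
threats = enumerate_threats([browser, api, db], flows)

if __name__ == "__main__":
    for target, category, counter, crossing in threats:
        print(f"{'[boundary] ' if crossing else ''}{target}: {category} -> {counter}")
```

Passing a dictionary of recorded decisions keyed by `(target, category)` to `open_threats` shows which threats still have no mitigation decision.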
Other threat modeling methodologies
- PASTA (Process for Attack Simulation and Threat Analysis): a risk-centric, seven-stage methodology that ties threats to business impact.
- Attack trees: a graphical method mapping how a goal could be achieved through branching attack paths.
- DREAD: a model for rating and prioritizing threats (though less used today).
- LINDDUN: focused specifically on privacy threats.
STRIDE answers "what can go wrong?"; methodologies like PASTA and DREAD help prioritize which threats matter most.
Threat modeling and related concepts
Threat modeling connects to the broader vocabulary of security. It deals in the relationship between vulnerabilities, threats, and risk — identifying where a threat could exploit a weakness to create risk. It complements attacker-behavior frameworks like MITRE ATT&CK and the cyber kill chain, which describe how real attacks unfold, by helping you anticipate those attacks against your specific design.
When and how often to threat model
The biggest payoff comes from threat modeling early — during the design phase, before code is written — because that's when changing the architecture is cheapest. But threat modeling isn't a one-time gate. Systems evolve: new features, new data flows, new integrations, and new trust boundaries all change the threat picture. Mature teams treat threat modeling as an ongoing activity, revisiting the model whenever the design changes significantly, and increasingly integrate lightweight, continuous threat modeling into their development workflow rather than running a single heavyweight exercise. The goal is to keep the model alive alongside the system it describes.
Common threat modeling mistakes
- Trying to boil the ocean. Modeling an entire enterprise at once is overwhelming; scope to one system, feature, or data flow at a time.
- Treating it as a one-off. A model that's never updated quickly drifts out of date as the system changes.
- Stopping at "what can go wrong?" Identifying threats without deciding on and tracking mitigations wastes the effort.
- Making it security's job alone. The best threat modeling involves the developers and architects who actually understand the system, not just a security reviewer.
- Over-formalizing. A simple whiteboard session that actually happens beats an elaborate methodology that's too heavy to use.
Where threat intelligence fits
Threat intelligence grounds threat modeling in reality. Knowing which threats actually target your industry, and the techniques attackers really use, helps you focus on plausible, current threats rather than purely theoretical ones — making the exercise both more efficient and more relevant. Intelligence answers "what can go wrong?" with "here's what's actually going wrong out there right now."
The bottom line
Threat modeling is a structured, proactive process for finding security threats early — ideally in design — by asking what you're building, what can go wrong, what to do about it, and whether you did a good job. STRIDE is the most common methodology for enumerating threats, complemented by approaches like PASTA and attack trees for prioritization. Done early, it catches flaws when they're cheapest to fix.
Frequently asked questions
What is threat modeling?
Threat modeling is a structured process for identifying potential security threats and weaknesses in a system, application, or process — ideally during design — so they can be addressed before becoming real vulnerabilities. It's a proactive 'shift-left' practice that asks 'what could go wrong?' up front.
What is STRIDE in threat modeling?
STRIDE is a Microsoft-developed methodology and mnemonic for six threat categories: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege. Working through STRIDE for each system component is a reliable way to surface threats systematically.
What are the steps in the threat modeling process?
The core steps are: decompose and diagram the system (including trust boundaries), identify threats (often using STRIDE), mitigate the significant threats, and validate that threats were correctly identified and mitigations are effective — updating the model as the system evolves.
What are the four questions of threat modeling?
Popularized by Adam Shostack: What are we building? What can go wrong? What are we going to do about it? And did we do a good job? These four questions capture the essence of any threat modeling exercise.
What are other threat modeling methodologies besides STRIDE?
Other methodologies include PASTA (a risk-centric, seven-stage process tied to business impact), attack trees (graphical mapping of attack paths), DREAD (for rating and prioritizing threats), and LINDDUN (focused on privacy threats). STRIDE finds threats; others help prioritize them.