Threat Modeling: Methodologies and Practical Application
Threat modeling is a structured security engineering practice used to identify, classify, and prioritize potential threats against a system before those threats materialize as incidents. The practice spans software development, infrastructure architecture, operational technology, and cloud environments, making it one of the broadest analytical disciplines within the cybersecurity profession. Frameworks and standards including NIST SP 800-53 and the OWASP Application Security Verification Standard reference threat modeling as a foundational activity within risk management programs.
Definition and scope
Threat modeling is defined by NIST SP 800-154 as a form of risk assessment that models aspects of attack and defense, producing a structured representation of all information affecting an application or system's security. The scope of threat modeling activity extends from early design phases of software development through post-deployment security reviews of production environments.
The practice is bounded by four core objectives:
- Asset identification — enumerating what must be protected (data stores, services, credentials, physical components)
- Threat enumeration — identifying threat agents, attack vectors, and abuse cases relevant to those assets
- Vulnerability analysis — determining where identified threats can be realized given current or planned controls
- Countermeasure prioritization — ranking mitigations by feasibility, cost, and residual risk reduction
Threat modeling is distinct from vulnerability scanning or penetration testing in that it is design-time analysis, not runtime or post-deployment discovery. Where a penetration test identifies exploitable weaknesses in a running system, threat modeling anticipates weaknesses in a system's conceptual architecture — including systems not yet built.
Regulatory bodies and standards organizations that reference threat modeling as a required or recommended activity include the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), and the Open Web Application Security Project (OWASP). Within HIPAA-regulated environments, the HHS Office for Civil Rights references risk analysis requirements under 45 CFR §164.308(a)(1) that threat modeling exercises can address, though the regulation does not mandate a specific methodology.
How it works
Threat modeling follows a repeatable process structure. The 4-question framework published by Microsoft SDL organizes the process around: (1) What are we building? (2) What can go wrong? (3) What should be done about it? (4) Did we do a good enough job? This framing is methodology-agnostic and applicable across the major formal approaches.
Primary methodologies in professional use:
STRIDE — Developed at Microsoft, STRIDE categorizes threats into 6 classes: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. It is applied against data flow diagrams (DFDs) to systematically surface threats at each component boundary.
PASTA (Process for Attack Simulation and Threat Analysis) — A 7-stage, risk-centric methodology that aligns threat modeling output to business objectives. PASTA emphasizes attack simulation and is frequently applied in enterprise environments where threat modeling feeds directly into risk registers.
LINDDUN — Developed by KU Leuven, LINDDUN focuses specifically on privacy threats, mapping to 7 categories: Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, and Non-compliance. It is used where GDPR or CCPA compliance obligations require privacy-by-design analysis.
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) — Developed by Carnegie Mellon University's Software Engineering Institute (SEI), OCTAVE is an organizational risk framework rather than a software-specific model. The OCTAVE Allegro variant is suited to information asset–focused assessments without requiring deep technical architecture documentation.
STRIDE vs. PASTA comparison: STRIDE is threat-centric and operates at the component or data flow level, making it efficient for development teams working against system diagrams. PASTA is risk-centric and business-aligned, requiring more cross-functional input but producing output directly consumable by risk management programs. STRIDE is generally faster per engagement; PASTA produces broader organizational traceability.
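As an added illustration (not code from the page, from Microsoft, or from any STRIDE tool), the script below applies the standard STRIDE-per-element mapping to a constructed three-element DFD and flags the data flows that cross a trust boundary, which is where a STRIDE review typically concentrates first; the element names, flow names and boundary labels are invented sample data.

```python
from dataclasses import dataclass

# Standard STRIDE-per-element table: which of the six classes apply to
# each DFD element type (external entity, process, data store, data flow).
STRIDE_PER_ELEMENT = {"external": "SR", "process": "STRIDE",
                      "store": "TRID", "flow": "TID"}
STRIDE_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information Disclosure", "D": "Denial of Service",
                "E": "Elevation of Privilege"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str       # "external", "process" or "store"
    boundary: str   # trust boundary the element lives in

@dataclass(frozen=True)
class Flow:
    name: str
    src: str        # Element.name of the sender
    dst: str        # Element.name of the receiver

def boundary_crossings(elements, flows):
    """Names of flows whose endpoints sit in different trust boundaries."""
    zone = {e.name: e.boundary for e in elements}
    return [f.name for f in flows if zone[f.src] != zone[f.dst]]

def enumerate_threats(elements, flows):
    """(subject, threat, note) for every element and flow; flows that cross
    a trust boundary are annotated, since reviews focus there first."""
    zone = {e.name: e.boundary for e in elements}
    threats = [(e.name, STRIDE_NAMES[c], "")
               for e in elements for c in STRIDE_PER_ELEMENT[e.kind]]
    for f in flows:
        note = ""
        if zone[f.src] != zone[f.dst]:
            note = f"crosses trust boundary {zone[f.src]} -> {zone[f.dst]}"
        threats += [(f.name, STRIDE_NAMES[c], note)
                    for c in STRIDE_PER_ELEMENT["flow"]]
    return threats

# Constructed sample DFD: a browser calling a web API backed by a database.
SAMPLE_ELEMENTS = [Element("Browser", "external", "internet"),
                   Element("Web API", "process", "dmz"),
                   Element("Orders DB", "store", "internal")]
SAMPLE_FLOWS = [Flow("HTTPS request", "Browser", "Web API"),
                Flow("SQL query", "Web API", "Orders DB")]
if __name__ == "__main__":
    for subject, threat, note in enumerate_threats(SAMPLE_ELEMENTS, SAMPLE_FLOWS):
        print(f"{subject:10} {threat:24} {note}")
```

The output is the raw threat list a review session would then walk through element by element; the per-element table is what makes the enumeration systematic rather than brainstormed.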
A standard threat modeling engagement proceeds through discrete phases; OWASP's Threat Modeling Cheat Sheet provides a publicly accessible reference for each of these phases.
Common scenarios
Threat modeling is applied across at least 5 distinct operational contexts within US security programs:
Application development pipelines — Security teams embed threat modeling in sprint cycles or design review gates, typically using STRIDE against DFDs generated from architecture documentation. This is the most common context for threat modeling activity in commercial software organizations.
Cloud migration and architecture review — Organizations moving workloads to AWS, Azure, or GCP conduct threat modeling to identify new trust boundary exposures, misconfigurations, and identity-access risks that do not map to on-premises controls. CISA's Cloud Security Technical Reference Architecture supports this use case.
Critical infrastructure and OT environments — Industrial control systems (ICS) and operational technology (OT) networks require threat modeling adapted to the Purdue Model and ICS-specific threat taxonomies. NIST SP 800-82 (Guide to OT Security) references threat analysis as a component of OT security programs. Environments subject to NERC CIP standards use threat modeling to satisfy control gap analyses.
Healthcare and medical device security — The FDA's Cybersecurity in Medical Devices guidance (2023) requires manufacturers to submit a threat model as part of premarket submissions, citing STRIDE as an acceptable methodology.
Compliance-driven assessments — Organizations subject to PCI DSS v4.0, SOC 2 Type II, or FedRAMP authorization requirements use threat modeling outputs as supporting evidence for control implementation documentation.
Decision boundaries
Determining when and how threat modeling applies — and which methodology to select — depends on system type, organizational maturity, regulatory environment, and available resources.
When to use STRIDE: Software systems with defined architecture diagrams, development teams with security champions, and projects where speed of analysis is a priority. STRIDE produces actionable output within a single design review session for systems of moderate complexity.
When to use PASTA: Enterprises requiring business risk traceability, environments where threat modeling must feed a formal risk register, or organizations subject to frameworks like ISO/IEC 27001 that require documented risk treatment decisions.
When to use OCTAVE: Organizations prioritizing organizational and operational risk over technical component analysis, or teams without dedicated security engineers who need a facilitated, workshop-based approach. The SEI's OCTAVE Method Implementation Guide details applicability criteria.
When to use LINDDUN: Any system processing personally identifiable information (PII) where privacy impact analysis is required — particularly under state privacy laws such as the California Consumer Privacy Act (CCPA) or Virginia's CDPA.
Threat modeling does not substitute for penetration testing, static application security testing (SAST), or dynamic application security testing (DAST). It is a design-time complement to those runtime techniques, and the four disciplines are most effective when their findings feed one another.
Maturity thresholds matter: organizations at early security program stages often lack the architecture documentation necessary to execute a complete threat model. In those cases, lightweight variants such as OWASP's Threat Modeling Manifesto principles or the PASTA Stage 1–3 subset provide entry points that scale with program development.