Cloud Threat Modeling

STRIDE, PASTA, LINDDUN, and attack trees applied to cloud architectures. A vendor-neutral practitioner's guide to reasoning about what can go wrong - Adam Shostack's four questions, the major methodologies, the tooling, and worked examples for a 3-tier AWS app, an LLM RAG application, and a multi-account landing zone.

A small team in front of a whiteboard sketching arrows between boxes during a design discussion
Threat modeling at its best: a small group, a whiteboard, and enough discipline to write the threats down.

· · Vendor-neutral · View source on GitHub

The 30-second version: Threat modeling is the practice of reasoning out loud, in writing, about what can go wrong with a system before an attacker does it for you. It is not a checklist, not a tool, and not a compliance artifact - though all three exist around it. The classic framing is Adam Shostack's four questions: What are we building? What can go wrong? What are we going to do about it? Did we do a good job?

The practitioner's stack: STRIDE as the day-to-day categorization, PASTA for high-stakes risk-quantified modeling, LINDDUN for privacy, attack trees for goal-oriented analysis, and MITRE ATT&CK Cloud as the threat library. Cloud changes the model in five ways: identities everywhere, the control plane is the attack surface, shared responsibility shrinks scope, multi-tenancy is an assumption, and default stances differ per cloud.

On this page

  1. What threat modeling is (and isn't)
  2. Shostack's four questions
  3. STRIDE
  4. STRIDE-per-element vs per-interaction
  5. PASTA
  6. LINDDUN (privacy)
  7. Attack trees
  8. Kill chains & ATT&CK
  9. OWASP Threat Dragon & Microsoft TMT
  10. Commercial platforms
  11. Where it fits in the SDLC
  12. The agile threat model
  13. What's different for cloud
  14. Worked example: 3-tier AWS app
  15. Worked example: LLM RAG app
  16. Worked example: multi-account landing zone
  17. Threat libraries vs custom
  18. Risk scoring threats
  19. Threat modeling as code
  20. AI in threat modeling
  21. Common pitfalls
  22. Maturity stages
  23. Further reading
  24. FAQ

What threat modeling is (and isn't)

Threat modeling is a structured way to reason about what can go wrong with a system. It produces a written artifact - a list of threats, ranked, with mitigations and owners - that future versions of you, your team, and the auditor can read. It is most valuable when applied during design, when the cost of changing an architectural decision is still close to zero.

It is not a checklist. Checklists answer "did you do X?" Threat modeling asks "given what we are building, what is the set of Xs we should worry about?" - which is a different and earlier question. A checklist that came out of a threat model is a useful artifact; a checklist that replaces the modeling is dangerous, because it bakes in someone else's threat assumptions.

It is not a tool. Threat Dragon, Microsoft TMT, IriusRisk, and a dozen others can support the work, but the work itself is human reasoning over a system diagram. A team without tooling that runs a 30-minute STRIDE session every two weeks will out-deliver a team with a $50,000 platform that never books the meeting.

It is not a compliance artifact, though SOC 2, ISO 27001, PCI DSS, FedRAMP, and most modern frameworks now reference threat modeling explicitly. Doing it only for the auditor produces compliance theater - a 200-page document everyone signs once, nobody updates, and which fails its first contact with a real attacker. Do it because it makes your system safer; the audit evidence follows.

It is not a one-time event. Systems evolve; trust boundaries shift; new third-party integrations introduce new edges. A model from two years ago describes a system that no longer exists. The discipline is in re-running it at every meaningful design change.

Shostack's four questions

Adam Shostack - author of Threat Modeling: Designing for Security, the field's defining textbook - reduced the practice to four questions. Almost every methodology since maps to one of them.

1. What are we building?

Draw the system. A data-flow diagram with components, data stores, external entities, and the edges (interactions) between them. Mark the trust boundaries - the dashed lines where data crosses from one zone of trust to another. The diagram is the foundation; vague diagrams produce vague models.

2. What can go wrong?

Apply a categorization - STRIDE, PASTA, LINDDUN, attack trees, or a custom library - to enumerate threats. Walk the diagram element-by-element or interaction-by-interaction. Don't filter for plausibility yet; the goal is breadth, then ranking.

3. What are we going to do about it?

For each threat, decide: mitigate (add a control), transfer (insurance, contract, third-party), accept (risk decision with an owner), or avoid (don't build the thing). The output is mitigations with owners and target dates.

4. Did we do a good job?

Validation. Did the mitigations ship? Did peer reviewers find threats you missed? Did pentests or red-team exercises confirm the threats you ranked were the right ones? The fourth question is the one most teams skip; it's also the one that turns threat modeling into an evolving discipline rather than a one-shot ritual.

Skip any one of the four and the work degrades. Skip question one and you'll find threats in the imaginary architecture, not the real one. Skip question three and you've cataloged risks rather than reduced them. Skip question four and you'll never know whether you got better.

STRIDE

STRIDE is Microsoft's six-category mnemonic for the kinds of threats that systems face. Each letter maps to a security property that the threat violates. It is the most-taught, most-used, and most-tractable categorization scheme - a 30-minute team can produce a useful threat list with nothing more than STRIDE and a diagram.

Letter Threat category Violates Cloud-specific example
S Spoofing Authentication Forged JWT, stolen IAM role credentials, IMDSv1 SSRF impersonating the workload identity, OIDC trust-policy misconfiguration trusting any GitHub repo.
T Tampering Integrity S3 object overwrite without versioning, container image swap before pull, IaC plan tampering between plan and apply, RDS audit log mutation.
R Repudiation Non-repudiation CloudTrail disabled in one region, KMS key used without logging, shared IAM user accessed by multiple humans, log-bucket retention disabled by the attacker.
I Information disclosure Confidentiality Public S3 bucket, error message returning stack trace + secrets, secrets in env vars exposed via SSRF, blob storage SAS URL leaking customer data.
D Denial of service Availability Cloud-bill DoS via misconfigured auto-scaling, billing-account suspension after fraud signals, exhaustion of API quotas, KMS key rotation breaking dependent services.
E Elevation of privilege Authorization iam:PassRole abuse, AssumeRoleWithWebIdentity to a more-privileged role, lateral movement via shared KMS keys, GuardDuty bypass via cross-account trust.

The mnemonic is a generative tool, not a comprehensive ontology. STRIDE doesn't explicitly cover privacy (that's LINDDUN), supply chain (that's a category in its own right), or business-logic abuse (which often lives at the application layer below the threat-model abstraction). Use STRIDE as the starting categorization and add domain-specific lenses where the system warrants it.

STRIDE-per-element vs STRIDE-per-interaction

There are two ways to apply STRIDE against a data-flow diagram. They produce different threat lists and different costs.

STRIDE-per-element

For each element on the diagram - external entity, process, data store, data flow - apply the STRIDE categories that can affect that element type. The Microsoft Threat Modeling Tool encodes which categories apply to which element types out of the box: external entities can be Spoofed and can Repudiate; processes can suffer every STRIDE class; data stores can be Tampered with, leak Information, suffer DoS, but not generally Spoofed; data flows can be Tampered with, leak Information, and suffer DoS. The mechanical traversal makes per-element fast and predictable; it tends to under-find at boundaries.

STRIDE-per-interaction

For each edge (interaction) on the diagram - every arrow that crosses a trust boundary - apply the full STRIDE set. Per-interaction produces more threats and surfaces the cross-boundary problems STRIDE was originally designed to catch (the trust-boundary crossing is where most cloud threats actually live). It costs more time and demands more practitioner skill to keep the list useful.

The pragmatic default: STRIDE-per-element for fast, repeatable team sessions; STRIDE-per-interaction for new architectures, regulated workloads, or anything where the cost of a missed threat is high. Many mature teams run per-element on a quarterly cadence and per-interaction once at design and after any major architectural change.

PASTA - Process for Attack Simulation and Threat Analysis

PASTA is a seven-stage risk-centric methodology developed by Tony UcedaVélez and Marco Morana. Where STRIDE answers "what kinds of threats apply here," PASTA answers "given the business objectives, the actual technology stack, and credible attacker capabilities, what is the prioritized risk picture, and how should we treat it?" It produces a heavier artifact for higher-stakes systems.

Stage Activity Output
1Define business objectivesWhat the system exists to do; regulatory and contractual constraints; risk tolerance.
2Define technical scopeApplication boundaries, dependencies, third-party integrations, cloud services in scope.
3Decompose the applicationData-flow diagrams, trust boundaries, identity model, data classification per element.
4Threat analysisEnumeration of credible threats - often using STRIDE, CAPEC, or ATT&CK as input libraries.
5Vulnerability analysisMap threats to existing weaknesses - known CVEs, misconfigurations, design flaws, control gaps.
6Attack modelingAttack trees, attack libraries, simulated kill chains. The "could an attacker actually do this?" stage.
7Risk and impact analysisScored risks (likelihood × impact, or quantified via FAIR), treatment plan, residual risk register.

PASTA's reputation as "heavyweight" is partly fair. The seven stages are days of work, not minutes. The payoff is a defensible risk artifact - one that a CISO can take to a board, a regulator can read, and an internal audit team can re-perform against. For most workloads, STRIDE is enough; PASTA earns its keep on regulated, mission-critical, or revenue-bearing systems where the stakes justify the cost.

LINDDUN - privacy threat modeling

LINDDUN is the privacy counterpart to STRIDE. Developed at KU Leuven, it categorizes privacy threats - the harms that arise from how a system handles personal data - that security-focused methodologies tend to miss. With GDPR (EU), CCPA / CPRA (California), LGPD (Brazil), PIPL (China), and a growing list of jurisdictional regimes, LINDDUN's relevance has expanded sharply.

Letter Threat category Cloud example
LLinkabilityTwo anonymized analytics events that, together, identify a user (cookie + IP + UA).
IIdentifiabilityA "pseudonymous" identifier (hashed email) that's reversible via rainbow tables or a join.
NNon-repudiationWhistleblower or activist data linked to a real identity by audit log retention that exceeds the privacy promise.
DDetectabilityThe presence of a user record being inferable even without reading it (e.g., conditional access patterns).
DDisclosure of informationConfidential personal data leaking to unauthorized parties (overlaps STRIDE's I).
UUnawarenessUsers not informed how their data is processed; missing consent records or transparent notices.
NNon-complianceProcessing that violates a specific regulatory obligation - retention beyond stated limits, cross-border transfer without lawful basis.

Run LINDDUN alongside STRIDE on any system that processes personal data at scale. The categorizations partially overlap (Disclosure of information appears in both) but address different audiences - STRIDE for the security team, LINDDUN for the privacy office and the data-protection officer. A combined STRIDE + LINDDUN session is a strong default for any consumer-facing or healthcare workload.

Attack trees

Attack trees are Bruce Schneier's contribution - a goal-oriented enumeration of how an attacker could achieve an objective. The root of the tree is the attacker's goal; the branches are sub-goals; the leaves are concrete actions an attacker would take. AND-nodes require all children; OR-nodes require any one.

Where STRIDE walks the defender's view of the system asking "what can go wrong at each element?", attack trees walk the attacker's view asking "given a goal, what paths lead to it?" The two are complementary; many practitioners use STRIDE to generate threat candidates and then build attack trees for the highest-priority ones to enumerate the actual paths.

Worked sketch - goal "exfiltrate customer PII from the database":

The value of writing this down: each leaf maps to a specific mitigation (or absence thereof), and an attacker only needs one leaf to succeed. The defender needs all the leaves' parent OR-branches cut. Attack trees make that asymmetry concrete in a way STRIDE alone doesn't.

Kill chains, ATT&CK, and threat libraries

Categorization frameworks (STRIDE, LINDDUN) answer "what kinds of bad things can happen?" Kill-chain models answer "what is the typical sequence an attacker follows to do them?" - useful for connecting design threats to detection and response controls (see Cloud SOC and Detection Engineering).

Lockheed Martin Cyber Kill Chain

The original seven-stage model: Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command & Control → Actions on Objectives. Useful as a teaching scaffold; criticized in cloud contexts because cloud breaches frequently skip stages (a leaked access key collapses several stages into one API call).

MITRE ATT&CK and ATT&CK Cloud Matrix

MITRE ATT&CK is a comprehensive threat library - tactics (the why), techniques (the how), and sub-techniques (the specifics) - built from real-world adversary behavior. The Cloud Matrix is the cloud-specific lens, with sub-matrices for AWS, Azure, GCP, Microsoft 365, Google Workspace, and SaaS. Most modern threat modeling references ATT&CK techniques by ID (T1078, T1098, T1136, etc.) so that designers, detection engineers, and red teams share vocabulary.

Other libraries

A group at a flipchart working through diagrams and notes during a design discussion
A flipchart, a marker, and the four questions outperform most tooling.

OWASP Threat Dragon & Microsoft Threat Modeling Tool

OWASP Threat Dragon

OWASP Threat Dragon is the open-source, cross-platform threat modeling tool. Web or desktop; diagrams as JSON; STRIDE-per-element built in; git-friendly storage so threat models can live next to the code. Strengths: free, vendor-neutral, scriptable, good enough for the 80% case. Limitations for cloud: it's element-and-flow generic - there's no cloud-service-aware threat library, so you bring the cloud knowledge yourself.

Microsoft Threat Modeling Tool (TMT)

Microsoft TMT is the canonical STRIDE tool, free and Windows-only. Strengths: an excellent stencil library, automatic threat generation per STRIDE-per-element rules, and good reporting. Limitations: Windows-only, Azure-flavored stencils (you can use it for AWS or GCP, but you'll fight it), and the threat library is generic.

Both tools share a common gap for cloud: the generated threat lists are categorically correct (STRIDE) but lack the cloud-specific specificity that makes a threat model actionable. A cloud-aware practitioner has to enrich the output with the IMDS, IAM, OIDC, KMS, and shared-responsibility-edge threats the generic library doesn't surface.

Commercial threat modeling platforms

The commercial layer adds cloud-aware threat libraries, integration with CI/CD and ticketing, and team-collaboration features that the open-source tools lack.

The selection criterion that matters: which tool produces threat lists your team will actually act on. A platform with a deep threat library nobody trusts produces dust-collecting models. A simpler tool that's been adopted by the team produces shipped mitigations.

Where threat modeling fits in the SDLC

The most expensive moment to find an architectural threat is after the architecture is implemented. The cheapest is at the whiteboard. The SDLC placements that earn their cost:

Threat modeling at any single stage helps; threat modeling across all five is how mature programs operate. The opportunity cost of one missed iteration is generally small; the opportunity cost of never threat modeling a critical system is what shows up in the post-incident report.

The agile threat model

The classic threat-modeling failure mode is the 200-page artifact: produced once, reviewed once, never updated, and quietly irrelevant by the time the system has shipped. The agile threat model is the antidote.

The mechanics: 30 minutes on a whiteboard with the engineer who knows the system, a security partner, and a product / ops person who knows the data sensitivity. Draw the data-flow diagram. Walk STRIDE per element. Write threats on sticky notes. End the session with a list of mitigations, each with an owner and a target date. Commit the diagram and the threat list to the repo. That is the artifact.

Re-run the session whenever the trust boundary changes - new identity type, new third-party integration, new data classification, new region. Re-run for new features whose blast radius the team isn't sure about. Skip the formality when the change is genuinely cosmetic. The discipline is in doing it often, not in doing it exhaustively.

The Threat Modeling Manifesto codifies the spirit: people and collaboration over processes, methodologies, and tools; a journey of understanding over a security or privacy snapshot; a tool to expose dangers over a means to compliance.

What's different for cloud

The methodology survives the move to cloud unchanged. The threats it surfaces shift in five practical ways.

Identities everywhere

Every workload has an identity (instance profile, managed identity, service account); every human has multiple (corporate SSO, cloud console, federated roles); every service-to-service call carries one. Identity is the new perimeter and most cloud threats involve an identity primitive somewhere. STRIDE Spoofing and Elevation of Privilege dominate the cloud threat list. See IAM & Identity.

Control plane = attack surface

The cloud API is itself an attack surface. A traditional threat model worried about network-layer threats to a service; a cloud threat model worries about API-layer threats to the service and to the cloud control plane that manages it. CreateAccessKey, AssumeRole, PutBucketPolicy, and similar API actions are first-class threat surfaces.

Shared responsibility

Some threats are already mitigated by the provider - physical access, hypervisor escape (mostly), DDoS scrubbing for managed front-doors. The model should explicitly mark which threats are out-of-scope because the provider owns them, and which are still yours. See Shared Responsibility.

Multi-tenancy assumptions

Every managed service is multi-tenant under the hood. The model must state explicitly what tenancy guarantees you rely on (per-account isolation, per-VPC isolation, KMS key-policy enforcement) and what would break if the provider's isolation model surprised you (extremely rare in practice, but the threat is non-zero - see breach reviews like LastPass and the GCP DataStudio class of disclosure).

Default stances differ

AWS defaults to deny on IAM, permit on networking-within-VPC; Azure defaults to a more permissive RBAC inheritance model; GCP defaults to organization-inherited deny. Threats that are obvious on one cloud are surprises on another. A cloud-portable threat model must call out which defaults the design depends on.

Change rate & ephemerality

Cloud workloads are ephemeral; networks are software-defined; identities can be created and destroyed in API calls. A threat model that's correct at design time but stale at runtime is a hazard. Pair the model with runtime sensing (CSPM/CNAPP) so the design intent and the operational state stay aligned.

Worked example: 3-tier app on AWS

The architecture: Route 53 → ALB → EC2 Auto Scaling Group running a Java application → RDS PostgreSQL. KMS for encryption keys. CloudTrail and VPC Flow Logs enabled. A typical SaaS pattern that looks deceptively simple on the diagram. A STRIDE-per-interaction pass produces roughly 20 threats; here's a representative subset.

# Element / interaction STRIDE Threat Mitigation
1User → Route 53SDNS hijack via registrar account takeoverRegistrar MFA, DNSSEC, monitoring NS-record changes
2User → ALBITLS downgrade, weak cipherTLS 1.3 only policy, HSTS, ACM-managed cert
3Internet → ALBDL7 DDoS exhausting backendAWS WAF, Shield Advanced, ALB rate-based rules
4ALB → App tierSBypass of ALB by reaching EC2 directlySecurity group on EC2 allows only ALB SG; private subnets
5App tier (EC2)ISSRF retrieves IMDS credentialsIMDSv2 required, hop-limit 1, minimal instance-profile permissions
6App tier (EC2)EInstance profile has overly broad RDS or S3 accessScope role to specific resources; periodic IAM Access Analyzer review
7App tier → RDSSSQL connection from compromised host using shared DB passwordIAM database authentication; per-app database user; rotation
8App tier → RDSIUnencrypted in-transit between app and DBForce SSL on RDS parameter group; verify cert chain in app
9RDSISnapshot copied cross-account to attacker accountResource policy on snapshot sharing; SCP denying snapshot share
10RDSTBackup integrity not verifiedRestore drill cadence; AWS Backup with vault lock
11App tier → KMSEKey policy allows broad principalsTight key policy; grant model; aws:SourceVpc condition
12KMSDKey disabled or scheduled for deletionMulti-region keys; CloudWatch alarms on disable/schedule actions
13CloudTrailRTrail disabled by compromised principalOrg trail with S3 + KMS lock; SCP denying trail disable
14CloudTrail S3 bucketTLog mutationS3 Object Lock (compliance mode); bucket policy restricting writes to CT
15App tier dependenciesTSupply-chain compromise of a librarySBOM, pinned versions, dependency scanning in CI/CD
16Deployment pipeline → EC2SForged deploy as a releaseOIDC federation from CI to AWS; sigstore-signed artifacts; required reviewers
17Operator → cloud consoleEConsole-only break-glass without time-bound elevationIAM Identity Center with permission sets; PIM-style time-bound roles
18Operator → cloud consoleRShared root credentialsDisable root key; MFA on root; per-human SSO identities
19App → S3 (objects in upload bucket)IPublic bucket accessBlock Public Access at account level; SCP denying its disable
20Whole architectureDRegion-wide outage (single-region design)Multi-AZ baseline; documented RPO/RTO; multi-region for tier-1 systems

The exercise is fast - an experienced practitioner produces this list in under two hours. The output is a concrete remediation backlog and a documented design that future reviewers (and auditors) can read.

Worked example: LLM RAG application

The architecture: a customer-support chatbot using an LLM (call it Claude or GPT, your choice) with a RAG layer pulling from a vector database populated by ingesting product documentation and customer-uploaded knowledge bases. The agent has tool-use access to a few internal APIs (lookup ticket, escalate, write summary back to CRM). Cross-reference AI/ML Security for the full treatment.

The architecture introduces three trust boundaries STRIDE-against-a-classic-3-tier-app doesn't see:

ThreatSTRIDESpecificsMitigation
Direct prompt injectionS/EUser crafts input that overrides system prompt; agent executes attacker intentInput filtering, output filtering, system-prompt isolation, untrusted-input markers
Indirect prompt injection via retrieved contentT/EPoisoned document in vector DB redirects agent behaviorProvenance metadata on retrieved docs; treat all retrieved content as untrusted
Vector DB poisoningTAttacker uploads document that biases retrieval for any future queryPer-tenant isolation in the vector DB; ingestion review; signed ingestion sources
Embedding inversionIEmbeddings reverse-engineered to reveal source textDon't treat embeddings as safe to expose; access-control embeddings as PII
Model supply chainTCompromised model weights, training-data poisoningUse vetted providers; model card review; pinned model versions; integrity checks
Agentic tool abuseEAgent coerced to call a privileged tool (refund, send email, modify ticket)Per-tool authorization separate from agent identity; human-in-the-loop on high-impact tools
Cross-tenant data leakageIAgent retrieves another tenant's vector entries via shared indexTenant ID enforced in retrieval queries; per-tenant index where threat model demands
Sensitive data in promptsIPII leaked into model provider's logs / training pipelinePII redaction at the boundary; provider zero-retention agreement; on-tenant models for sensitive workloads
Cost / DoSDAdversarial prompts maximizing tokens; recursion in tool usePer-user rate limits; max-token caps; recursion-depth caps on tool calls
Output exfiltration via markdownIModel output renders an attacker-controlled image URL with PII in the pathStrip image and link rendering from untrusted output; content security policy on chat UI

The lesson generalizes: the same STRIDE walk surfaces these threats, but a practitioner who hasn't seen agentic systems before will miss the tool-abuse category entirely. The threat library matters - extending ATT&CK / MITRE ATLAS / OWASP LLM Top 10 into your team's working vocabulary takes minutes and produces better models for years.

Worked example: multi-account AWS landing zone

The architecture: AWS Organizations with a hub-and-spoke account model - management account, log-archive account, security tooling account, network account, and per-environment accounts (dev, staging, prod) plus per-team product accounts. IAM Identity Center for human access; OIDC federation for CI/CD; central transit gateway; org-wide CloudTrail; SCPs and RCPs in place. See Landing Zones for the architecture itself.

The threats that emerge are organization-level - and they're frequently invisible to single-account threat models.

The threat model at the landing-zone layer is what determines whether the per-workload threat models can rely on the boundaries they assume. If the landing-zone threats aren't worked through, every per-workload model is sitting on assumptions that may not hold.

Threat libraries vs custom

A threat library is a curated list of known threat patterns you start from instead of inventing every threat from first principles. The build-vs-buy decision tracks the maturity of the program.

Risk scoring threats

The scoring conversation is where threat modeling meets risk management. Several rubrics exist; none are universally good.

DREAD (deprecated)

Damage, Reproducibility, Exploitability, Affected users, Discoverability - Microsoft's original 1-10 rubric per dimension. Informally deprecated; the scores are too subjective, the dimensions overlap, and different reviewers produce wildly different numbers. A small team with strong shared calibration can still use it; most programs have moved on.

CVSS

The Common Vulnerability Scoring System. Excellent for known vulnerabilities with specific exploit characteristics. Poor for design threats, which don't have a defined exploit yet. Use CVSS for CVE prioritization in vulnerability management; don't try to bend it into a design-review rubric.

FAIR (Factor Analysis of Information Risk)

FAIR is a quantitative model: loss-event frequency × loss magnitude, decomposed into estimable factors with calibrated ranges. Outputs dollar-denominated risk that executives can rank against other investments. The setup cost is meaningful (training, calibration, tooling) and the rigor pays off on high-stakes decisions; overkill for day-to-day STRIDE-session triage.

Simple Likelihood × Impact

Three or five buckets for each dimension (Low / Medium / High, or 1-5). Produces a 9- or 25-cell heat map. Imperfect, but fast, repeatable, and good enough to drive ranking inside a session. Most agile threat models live here.

OWASP Risk Rating

A documented Likelihood × Impact methodology with sub-factors (skill required, opportunity, awareness, etc.). Good middle ground between simple heuristic and FAIR; widely used for application-security risk ranking.

Pick one and stay consistent. Mixing rubrics within a program makes risk-register entries incomparable. The choice matters less than the consistency.

Threat modeling as code

The same instinct that produced infrastructure-as-code and policy-as-code produces threat-modeling-as-code: keep the model in the repo, version it, diff it on changes, and run continuous checks against it.

The GitOps pattern: threat model lives at /threat-model/ in the repo; PRs that change architecture must update the model; CI fails the build if the model parses-but-is-older-than-N-days against a control file; periodic review issues open automatically. Same hygiene as policy-as-code; same payoff.

AI in threat modeling

LLM-assisted threat modeling has moved from research to mainstream practice between 2023 and 2026. The pragmatic 2026 pattern uses AI as a first-draft generator and a completeness validator, with a human reviewer making the keep/discard/edit calls.

Where AI helps

Where humans still own the work

Vendors are racing to integrate LLM features - IriusRisk, ThreatModeler, Devici, and others have shipped agent-style flows that generate first-pass models from architectural prose. Treat them like AI-assisted coding: productivity multipliers when used well, automation traps when used uncritically.

Common pitfalls

Maturity stages

Stage 1 - Ad-hoc

Threat modeling happens occasionally, driven by individual practitioners. No common methodology. No shared template. Output lives in scattered Confluence pages or design docs that age out.

Stage 2 - Documented

A methodology is documented (typically STRIDE-per-element). A template exists. High-priority projects run a model at design review. Output is captured in a known location; mitigations are tracked.

Stage 3 - Repeatable

Threat modeling is a defined SDLC step. Trained internal facilitators are available across teams. A custom threat library has emerged. Mitigations are tracked through to closure in the engineering tracker.

Stage 4 - Integrated

Threat models live next to code in the repo. CI surfaces stale models. Cross-functional reviews include privacy (LINDDUN), reliability, and compliance. ATT&CK coverage is tracked end-to-end from design through detection.

Stage 5 - Continuous

Threat modeling is a continuous practice, not a project gate. Quantitative risk scoring (FAIR or equivalent) feeds the program's investment decisions. AI assistance is in the workflow with human review. Models, detections, mitigations, and tests share a common vocabulary.

The skip-stage cost

Jumping from Stage 1 to "AI-assisted continuous threat modeling" without the intermediate discipline produces lists nobody owns. Sequence matters; tooling is a force multiplier on a working program, not a substitute for it.

Further reading

Books

Manifestos and standards

Tools

Related CSOH pages

FAQ

When should I threat model?

As early as possible - ideally during design review, before architectural decisions are baked into code. The marginal cost of changing an architectural choice on a whiteboard is near zero; the same change after six months of implementation can be a quarter of engineering effort. Re-threat-model whenever the trust boundary changes - new third-party integration, new identity type, new data classification, new region, new tenancy model. For mature programs the rhythm is: a 30-minute lightweight session per significant design change, plus a deeper review on a quarterly cadence for high-criticality systems.

STRIDE vs PASTA - which should I use?

STRIDE is a categorization checklist - six threat classes applied to each element or interaction in your model. It's fast, teachable, and produces a usable list in a 30-minute session. PASTA is a seven-stage risk-centric methodology that runs from business objectives through attack simulation to risk scoring. It produces a more rigorous artifact for high-stakes systems but costs days, not minutes. Most practitioners use STRIDE as the day-to-day tool and reach for PASTA when an executive sponsor wants quantified risk on a regulated or revenue-critical workload.

Who should be in the room?

The smallest group that can answer the four questions. At minimum: the engineer or architect who knows the system best, a security practitioner familiar with the relevant cloud, and a product or operations partner who knows the data sensitivity and SLAs. For larger or higher-risk systems add an IAM specialist, a privacy or compliance reviewer (especially for LINDDUN), and a representative of any downstream team your trust boundary touches. Avoid making it a 12-person ceremony - past 6 attendees the signal-to-noise drops sharply.

How long should it take?

For a typical microservice or feature: 30-60 minutes for a STRIDE-per-element pass on a whiteboard, plus another hour or two to write up the findings and mitigations. For a complete new system: a half-day workshop, then a follow-up review of the documented model. PASTA-style modeling on a regulated workload can run multiple days across stages. The discipline isn't the duration - it's that the session ends with a written list of threats, ranked, with owners and target dates for mitigations.

Is DREAD still recommended for risk scoring?

DREAD has been informally deprecated for over a decade - the scores are subjective, the dimensions overlap, and different reviewers produce different numbers on the same threat. Modern programs use a simple Likelihood × Impact heuristic for triage, CVSS only for known CVEs (it's a vulnerability metric, not a design metric), and FAIR when the business needs dollar-denominated risk for investment decisions.

How does threat modeling differ for an LLM-based application?

The classic STRIDE categories still apply - but the trust boundaries shift. Retrieved content becomes a new attack surface (prompt injection via documents in a vector store), the model itself is a supply-chain dependency, and tools the agent can call are part of your attack surface (any agent that can call a payment API can be coerced into doing so). See AI/ML Security for the full treatment, including OWASP LLM Top 10 and MITRE ATLAS.

Can AI tools write threat models for me?

Increasingly they can produce a credible first draft - generate STRIDE elements from a diagram, suggest mitigations from a threat library, validate completeness against known patterns. But they don't yet replace the human judgment that decides which threats your organization will accept, which to mitigate, and how much engineering budget to spend on each. The pragmatic 2026 pattern is LLM-assisted generation with a human reviewer who edits the output, prunes false positives, and signs the result.

Where next