U.S. organizations paid $10.22 million per data breach in 2025. Vulnerability exploitation against edge devices jumped nearly 8x. ENISA verified 4,875 security incidents between July 2024 and June 2025—each incident revealing how sophisticated modern cyber threats have become.
Threat modeling changes this equation. ISC2 research documents that 45% of cybersecurity teams now integrate threat modeling into their security operations. These organizations find and fix vulnerabilities before attackers exploit them. This guide covers the threat modeling techniques that NIST, CISA, ENISA, and other authoritative bodies have validated through extensive real-world applications.
What Threat Modeling Accomplishes
Threat modeling identifies potential threats and security risks before systems go into production. The CMS Threat Modeling Handbook defines it as “a proactive, holistic approach of analyzing potential threats and risks in a system or application to identify and address them proactively”.
Security teams use threat modeling to achieve specific objectives:
- Document data flows through detailed architectural diagrams
- Identify trust boundaries where data crosses security zones
- Map attack vectors available to threat actors
- Prioritize threats based on likelihood and business impact
- Implement security controls protecting critical assets and sensitive data
NIST guidance emphasizes continuous threat modeling that evolves with the threat landscape rather than annual static assessments. CISA’s Secure by Design initiative recommends integrating threat modeling into early design stages to identify vulnerabilities before they become exploitable.
The Five-Step Process
ISACA and CMS break threat modeling into five steps:
Step 1: Define Security Requirements
What assets need protection? Align security objectives with business risk tolerance. This step sets the scope.
Step 2: Create System Architecture Diagrams
Map your data flows, external entities, data stores, processes, and trust boundaries. Document the entire infrastructure.
Step 3: Identify Threats
Use structured methodologies to find vulnerabilities and attack paths. Look for potential security risks.
Step 4: Assess and Prioritize Risks
Evaluate the threats you found. Consider exploitability, likelihood, impact, and business consequences. Not all threats deserve equal attention.
Step 5: Develop and Implement Mitigations
Build security measures for prioritized threats. Set up processes for continuous updates—systems change, so threat models must change too.
NIST recommends embedding these steps throughout the software development life cycle. Threat modeling works best as an ongoing practice, not a one-time exercise.
Six Established Threat Modeling Frameworks
Organizations have multiple proven frameworks available, each validated through extensive real-world application and recognized by authoritative cybersecurity organizations. Selection depends on organizational maturity, resource availability, and specific security contexts.
1. STRIDE Framework
Microsoft developed STRIDE for their Security Development Lifecycle, establishing it as one of the most widely adopted frameworks for application threat modeling. The CMS Threat Modeling Handbook endorses STRIDE as “expedient and reliable” with “industry-standard language”.
Six Threat Categories
STRIDE organizes threats into six distinct classifications:
- Spoofing Identity: Attackers impersonate legitimate users or services to bypass authentication mechanisms and gain privileged access
- Tampering with Data: Unauthorized modification of persistent data in transit or at rest, enabling attackers to alter system behavior or inject malicious code
- Repudiation: Users deny actions they performed when systems lack adequate logging or audit trail capabilities
- Information Disclosure: Sensitive data exposure to unauthorized parties through inadequate encryption or access control failures
- Denial of Service: Resource exhaustion or service disruption preventing legitimate users from accessing systems
- Elevation of Privilege: Attackers exploit vulnerabilities to gain capabilities exceeding their authorization level
Implementation Approach
Security teams begin STRIDE analysis by creating comprehensive data flow diagrams documenting all external entities, data stores, processes, and trust boundaries within the system scope. Each component undergoes systematic evaluation against all six STRIDE categories.
In microservices architectures, STRIDE analysis reveals specific spoofing risks between services. Teams address these risks by implementing mutual TLS authentication that verifies service identity before data exchange. Identifying vulnerabilities during design phases reduces remediation costs significantly compared to discovery during penetration testing or post-deployment.
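The per-element pass described above, as an added example (not code from the original article or from any tool it names): it walks a small constructed data flow diagram, lists the STRIDE categories to review for each element using the commonly used STRIDE-per-element chart, and reports service-to-service flows that lack mutual TLS. The element names, trust zones, the `mutual_tls` field and the "high" marking for flows that cross a trust boundary are assumptions made for illustration.

```python
from dataclasses import dataclass

# STRIDE-per-element chart: categories usually considered per DFD element type.
# (Repudiation on a data store mainly matters when the store holds audit logs.)
APPLICABLE = {"external_entity": "SR", "process": "STRIDE",
              "data_store": "TRID", "data_flow": "TID"}
NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
         "I": "Information Disclosure", "D": "Denial of Service",
         "E": "Elevation of Privilege"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # any key of APPLICABLE except "data_flow"
    zone: str   # trust zone the element lives in (assumed labels)

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    mutual_tls: bool = False   # hypothetical attribute recorded on the diagram

def stride_checklist(elements, flows):
    """Return one (target, category, priority) row per applicable STRIDE category."""
    by_name = {e.name: e for e in elements}
    rows = []
    for e in elements:
        for letter in APPLICABLE[e.kind]:
            rows.append((e.name, NAMES[letter], "review"))
    for f in flows:
        # A flow whose endpoints sit in different zones crosses a trust boundary.
        crosses = by_name[f.src].zone != by_name[f.dst].zone
        label = f"{f.src} -> {f.dst}"
        for letter in APPLICABLE["data_flow"]:
            rows.append((label, NAMES[letter], "high" if crosses else "review"))
    return rows

def unauthenticated_service_links(elements, flows):
    """Process-to-process flows without mutual TLS: the spoofing risk between services."""
    by_name = {e.name: e for e in elements}
    return [f"{f.src} -> {f.dst}" for f in flows
            if by_name[f.src].kind == "process"
            and by_name[f.dst].kind == "process"
            and not f.mutual_tls]

# Constructed sample DFD: a browser, two services and a database.
ELEMENTS = [
    Element("browser", "external_entity", "internet"),
    Element("api-gateway", "process", "dmz"),
    Element("orders-svc", "process", "internal"),
    Element("orders-db", "data_store", "internal"),
]
FLOWS = [
    Flow("browser", "api-gateway"),
    Flow("api-gateway", "orders-svc", mutual_tls=False),
    Flow("orders-svc", "orders-db"),
]

if __name__ == "__main__":
    for target, category, priority in stride_checklist(ELEMENTS, FLOWS):
        print(f"{priority:6} {target:28} {category}")
    print("Missing mTLS:", unauthenticated_service_links(ELEMENTS, FLOWS))
```

Each row is a question for the design review rather than a confirmed finding; the team records a mitigation or a reason the category does not apply.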
Optimal Use Cases
STRIDE delivers maximum value for new application development projects establishing security requirements, design phase reviews preceding code development, microservices and distributed architectures with multiple trust boundaries, and teams beginning their threat modeling journey who need straightforward methodology.
2. DREAD Methodology
DREAD provides quantitative risk assessment through five-factor scoring, enabling security teams to prioritize identified threats systematically. While STRIDE focuses on threat identification, DREAD determines which threats demand immediate resource allocation.
Five Risk Factors
DREAD assigns numerical scores from 0 to 10 for each factor, creating consistent risk quantification:
- Damage Potential: Measures harm extent from successful exploitation, ranging from information disclosure to complete system compromise
- Reproducibility: Evaluates ease of exploit repetition
- Exploitability: Assesses technical skill and resources attackers require
- Affected Users: Quantifies systems and users impacted by successful exploitation
- Discoverability: Determines how easily attackers can identify the vulnerability
Total scores across five dimensions create prioritized threat rankings that guide resource allocation toward critical security improvements.
Quantitative Assessment
When security teams discover SQL injection vulnerabilities in web applications, DREAD methodology provides objective prioritization. A vulnerability scoring 8/10 for damage potential, 9/10 for reproducibility, 9/10 for exploitability, 10/10 for affected users, and 5/10 for discoverability yields a total score of 41/50, indicating critical priority requiring immediate remediation.
Ideal Organizations
DREAD suits organizations with mature security practices requiring quantitative risk data for executive decision-making, security teams comfortable with risk management principles and numerical assessments, complex systems where incorrect prioritization costs exceed thorough analysis time investment, and enterprises needing numerical risk scores for budget allocation and compliance reporting.
3. PASTA Framework
The Process for Attack Simulation and Threat Analysis follows a seven-stage business-driven, risk-centric methodology. PASTA distinguishes itself by integrating business impact analysis with technical threat identification.
Seven-Stage Methodology
- Stage 1 - Define Business Objectives: Establish alignment between security requirements and organizational priorities with risk tolerance
- Stage 2 - Define Technical Scope: Determine threat modeling framework boundaries and system parameters
- Stage 3 - Application Decomposition: Develop detailed data flow diagrams documenting information movement through systems
- Stage 4 - Threat Analysis: Integrate threat intelligence to identify threat agents, their capabilities, and exploited attack vectors
- Stage 5 - Vulnerability Analysis: Evaluate existing security controls to identify exploitable gaps
- Stage 6 - Attack Modeling: Construct attack trees visualizing potential scenarios and threat actor paths
- Stage 7 - Risk Assessment & Mitigation: Develop strategies based on comprehensive analysis and business impact evaluation
Business Context Integration
PASTA’s risk-centric approach incorporates business considerations into technical security decisions, enabling leadership to understand how identified threats impact revenue generation, operational continuity, customer trust, brand reputation, regulatory compliance, legal obligations, strategic objectives, and competitive positioning.
Implementation Considerations
Large enterprises requiring structured risk management practices for auditors, regulators, and board members benefit most from PASTA. The comprehensive seven-stage process delivers thorough threat analysis but requires greater complexity and time investment than simpler frameworks.
Critical infrastructure, financial services, healthcare systems, and other high-stakes environments where security incident costs are severe justify PASTA’s detailed methodology.
4. Attack Trees
Attack trees provide hierarchical visual representations of threat actor methods for achieving specific objectives. The root node defines the attacker’s ultimate goal, with branches showing alternative attack paths and required actions at each step.
Construction Methodology
Security teams build attack trees through systematic progression. First, define the threat actor’s objective, such as unauthorized database access. Second, identify alternative strategies attackers might employ, creating main branches. Third, subdivide branches into detailed tactics and techniques. Fourth, mark nodes as AND (multiple conditions required) or OR (alternative paths available).
Security Applications
Attack trees identify where security measures provide maximum risk reduction. Analysis of branches representing the most probable or damaging attack paths enables teams to prioritize security controls that block multiple scenarios or defend against highly exploitable vulnerabilities.
These visual representations prove valuable during threat modeling sessions with stakeholders lacking deep technical expertise who must understand potential attack scenarios to approve security investments.
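The AND/OR construction and the control-prioritization step described above, as an added example (not code from the original article): it expands a small constructed tree for the "unauthorized database access" goal into its distinct attack scenarios and counts how many scenarios each leaf condition appears in, which shows where a single control removes the most paths. The `Node` class, the function names and all leaf labels are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from itertools import product

@dataclass
class Node:
    label: str
    gate: str = "LEAF"                      # "AND", "OR" or "LEAF"
    children: list = field(default_factory=list)

def scenarios(node):
    """Expand a subtree into attack scenarios: a set of frozensets of leaf labels."""
    if node.gate == "LEAF":
        return {frozenset([node.label])}
    child_sets = [scenarios(c) for c in node.children]
    if node.gate == "OR":                   # any one child is enough
        return set().union(*child_sets)
    # AND: every child is required, so combine one scenario from each child
    return {frozenset().union(*combo) for combo in product(*child_sets)}

def minimal(scens):
    """Drop scenarios that are strict supersets of another scenario."""
    return {s for s in scens if not any(o < s for o in scens)}

def control_coverage(scens):
    """Map each leaf to the number of scenarios removed if a control blocks it."""
    counts = {}
    for s in scens:
        for leaf in s:
            counts[leaf] = counts.get(leaf, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))

# Constructed sample tree; the labels are illustrative conditions, not findings.
PORT = "Database port reachable from outside its zone"
TREE = Node("Unauthorized database access", "OR", [
    Node("Log in directly with stolen credentials", "AND", [
        Node("Obtain valid credentials", "OR", [
            Node("Phished administrator password"),
            Node("Credentials left in source repository"),
        ]),
        Node(PORT),
    ]),
    Node("Abuse the application's own access", "AND", [
        Node("Injection flaw in web application"),
        Node("Application DB account over-privileged"),
    ]),
])

if __name__ == "__main__":
    found = minimal(scenarios(TREE))
    for s in sorted(found, key=sorted):
        print(" AND ".join(sorted(s)))
    for leaf, n in control_coverage(found).items():
        print(f"{n} of {len(found)} scenarios need: {leaf}")
```

In this sample, network segmentation of the database port removes two of the three scenarios, so it ranks ahead of controls that address a single leaf.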
5. VAST Methodology
Visual, Agile, and Simple Threat modeling addresses scalability limitations in traditional methodologies for agile development environments. VAST integrates threat modeling directly into development workflows without creating delivery bottlenecks.
Dual Model Structure
VAST employs two model categories serving distinct purposes:
- Application Threat Models: Address specific software components that development teams integrate into regular sprint workflows
- Operational Threat Models: Cover infrastructure and deployment environments, including network security, access controls, and system-level risks maintained by security operations teams
Agile Development Advantages
VAST emphasizes automation and tool integration, providing specific benefits for continuous integration and deployment practices. Development process integration occurs without workflow disruption. Pipeline integration enables continuous security assessment. Living documentation updates automatically as systems evolve. Rapid development cycles with changing architectures receive full support.
Traditional threat modeling struggles to keep models current when rapid development continuously alters system architecture and data flows. VAST addresses this persistent challenge.
6. LINDDUN Framework
Privacy experts at KU Leuven developed LINDDUN, earning endorsements from NIST, ENISA, ISO 27550, and EDPS. While previous frameworks address security threats, LINDDUN specifically targets privacy threats in system architectures.
Seven Privacy Threat Categories
LINDDUN categorizes privacy concerns into distinct threat types:
- Linking: Connecting two or more information pieces about a data subject
- Identifying: Determining a particular data subject from a set of subjects
- Non-repudiation: Data subjects cannot deny particular claims or actions
- Detecting: Determining whether items of interest about data subjects exist
- Data Disclosure: Unauthorized disclosure of sensitive data about data subjects
- Unawareness: Data subjects lack awareness or control over information processing
- Non-compliance: Violations of privacy legislation, regulations, or policies
Three-Step Process
LINDDUN follows a systematic methodology. First, model the system through data flow diagrams depicting external entities, data stores, processes, data flows, and trust zones. Second, elicit threats through systematic analysis, using privacy threat trees and mapping tables to identify threats at each DFD element. Third, manage threats by prioritizing the identified privacy risks and mitigating them using a taxonomy of privacy-enhancing techniques.
Applicable Scenarios
Organizations in regulated industries with strict privacy requirements—healthcare, finance, consumer services—require LINDDUN’s systematic approach. GDPR compliance through privacy-by-design practices demands structured methodologies. Large-scale personal data processing requires systematic privacy risk assessment. Integration alongside existing security threat modeling frameworks like STRIDE provides comprehensive coverage.
NIST recognizes LINDDUN in its Privacy Framework for providing systematic support in eliciting and mitigating privacy threats in software architectures. LINDDUN GO addresses lighter assessments while LINDDUN PRO delivers systematic and exhaustive privacy analysis.
Security Operations Integration
The 2025 SANS CTI Survey documents a significant gap between recognition and implementation. While 44% of organizations have documented intelligence requirements, only 37% have formalized threat modeling processes.
Development Workflow Integration
CISA’s Secure by Design guidance specifies that threat modeling must begin during inception and planning phases. Identifying security requirements early costs substantially less than post-deployment remediation. Agile teams create security stories alongside functional requirements, allocating time in each sprint for security reviews of architectural changes.
Development teams conduct threat modeling sessions when introducing new external entities, modifying data flows crossing trust boundaries, implementing capabilities handling sensitive data, or integrating third-party dependencies and APIs.
Threat Intelligence Integration
Current threat intelligence ensures threat identification reflects actual attacker behaviors rather than theoretical vulnerabilities. Executive participation in threat modeling exercises increased from 33% to 52% between 2024 and 2025, with business unit participation also growing.
Threat intelligence platform integration enables security teams to enrich threat models with real-time data about active threat agents and tactics, current attack vectors targeting specific industries, campaign intelligence for technology stacks, and Threat Event Frequency metrics estimating attack likelihood.
This integration transforms threat modeling from static exercises into responsive systems adapting as the threat landscape evolves.
Fidelis Elevate® XDR correlates detection signals from endpoint, network, and cloud environments and maps them to MITRE ATT&CK. It uses real-time terrain mapping to inventory assets, assess risk, and help security teams investigate and prioritize based on observed attacker techniques.
Implementation Challenges and Solutions
Security teams encounter specific obstacles limiting threat modeling effectiveness despite growing adoption.
| Challenge | The Problem | Practical Solution |
|---|---|---|
| Time and Expertise Constraints | Resource-constrained teams already handle incident response, vulnerability management, and compliance. Adding comprehensive threat modeling stretches capacity. | Focus on mission-critical assets first. ISACA recommends targeted exercises where security incidents would severely impact operations. Start small—meaningful risk reduction beats overwhelming teams with enterprise-wide rollouts. |
| Tool Integration Gaps | Standalone threat modeling tools create silos. They disconnect from existing security workflows and duplicate effort. | Use cloud-based solutions (now 68% of deployments) that integrate with current architecture. Connect outputs to: |
| Skills Development | Teams lack practical experience applying frameworks, reading data flow diagrams, and turning threats into actionable requirements. | Invest in cross-functional training. Build capabilities across security AND development teams. Create shared understanding of risks and collective ownership of fixes—not just security team responsibility. |
2026 Threat Modeling Evolution
Three developments significantly impact threat modeling approaches heading into 2026.
AI-Related Security Incidents
IBM’s 2025 Cost of a Data Breach Report documents specific findings about AI-related security incidents. Thirteen percent of organizations experienced security incidents involving AI models or applications. Ninety-seven percent of AI breaches occurred where organizations lacked basic controls preventing data exposure to AI tools. Shadow AI breaches average $4.63 million, $670,000 above standard incidents. Detection and containment require nearly one additional week for AI-related breaches.
NSA and CISA issued joint guidance in May 2025 requiring organizations to conduct data security threat modeling and privacy impact assessments at the outset of any AI initiative. Security teams must expand threat models to address model poisoning, training data manipulation, adversarial inputs, and unauthorized data exposure to AI tools.
Threat Landscape Convergence
ENISA Threat Landscape 2025 documents how traditional distinctions between cybercrime, state-sponsored espionage, and hacktivism increasingly blur. By early 2025, AI-assisted phishing and social engineering accounted for over 80% of observed global activity, with attackers exploiting jailbroken AI models and synthetic media to automate reconnaissance and impersonation.
ENISA emphasizes that defensive strategies must become intelligence-driven and systemic, prioritizing proactive threat hunting, behavioral detection, and cyber risk management integration into broader operational frameworks. Threat modeling approaches must consider threat actor motivations, capabilities, and convergence patterns alongside technical vulnerabilities.
Continuous Threat Exposure Management
Organizations transition from periodic threat assessments to continuous threat exposure management providing real-time threat prioritization. This aligns with NIST guidance emphasizing dynamic risk quantification adapting with evolving threat landscapes.
Automated tools continuously assess security posture against emerging vulnerabilities and known threat actor tactics cataloged in frameworks like MITRE ATT&CK.
Selecting Your Framework
Organizations should match methodology to their maturity level, available resources, and risk profile.
- New to Threat Modeling: Begin with STRIDE’s category-based approach, focusing on high-value systems where breaches cause significant damage. The CMS Threat Modeling Handbook specifically endorses STRIDE as expedient and reliable for teams beginning threat modeling programs.
- Quantitative Risk Analysis: Implement DREAD when numerical scoring supports data-driven security investments and executive reporting. DREAD suits mature security programs investing time in detailed risk assessment.
- Enterprise Programs: Deploy PASTA for comprehensive methodology demonstrating structured risk management to auditors and regulators. PASTA’s business-centric approach directly connects technical security risks to organizational impact.
- Agile Development: Adopt VAST to integrate threat modeling into continuous development without slowing delivery velocity. VAST’s dual model approach enables parallel work between development and operations teams.
- Privacy Compliance: Implement LINDDUN to systematically identify and mitigate privacy threats in compliance with GDPR, HIPAA, or other privacy regulations. LINDDUN integrates effectively alongside security-focused frameworks like STRIDE.
- Stakeholder Communication: Use attack trees to visualize complex threat scenarios for non-technical executives approving security budgets. Hierarchical structure facilitates attack path comprehension.
- Complex Environments: Combine multiple complementary techniques: STRIDE for initial threat identification, DREAD for risk prioritization, and attack trees for executive communication. Maintain consistency within each method while allowing flexibility across different systems.
Proactive Defense Strategy
As we approach 2026, the threat landscape continues evolving with AI-powered attacks, sophisticated ransomware operations, and expanding cloud attack surfaces. Organizations proactively identifying threats maintain measurable advantages over those reacting after exploitation. ENISA reports Europe faces continuous, diversified, and converging campaigns collectively eroding resilience—a reality equally applicable to U.S. organizations.
Effective security teams view threat modeling as essential intelligence gathering that informs security investments and system architecture decisions. Whether implementing STRIDE for application security, PASTA for enterprise risk management, or LINDDUN for privacy protection, the fundamental principle remains constant: identifying and mitigating threats before exploitation costs substantially less than breach response.
CISA’s Secure by Design initiative establishes the path forward. Building security into systems from earliest design stages, supported by systematic threat modeling, represents the most effective approach to reducing cyber risk in the current threat environment.