2026-03-08
By Emre SalmanogluThreat Modeling: The Complete Guide for Security and Compliance Teams
Learn how to implement threat modeling that satisfies ISO 27001, SOC 2, NIS2, and DORA. Covers STRIDE, PASTA, attack trees, data flow diagrams, risk assessment, and compliance evidence.
threat modeling
STRIDE
risk assessment
secure design
compliance
What Is Threat Modeling?
Threat modeling is a structured methodology for identifying and mitigating security threats during the design and architecture phase of system development. Rather than waiting to find vulnerabilities through testing, threat modeling proactively analyses how a system could be attacked and builds defences into the design.
Effective threat modeling answers four key questions: What are we building? What can go wrong? What are we going to do about it? Did we do a good enough job?
Threat Modeling Methodologies
| Methodology | Approach | Best For | Complexity |
|---|---|---|---|
| STRIDE | Threat classification (6 categories) | Development teams, component analysis | Low-Medium |
| PASTA | Risk-centric, 7-stage process | Enterprise risk assessment | High |
| Attack trees | Tree structure mapping attack paths | Specific threat scenarios | Medium |
| LINDDUN | Privacy-focused threat categories | Privacy-sensitive applications | Medium |
| VAST | Visual, agile, scalable threat modeling | Large organisations, DevOps | Medium |
| Kill chain analysis | Adversary behaviour modelling | Incident response preparation | Medium |
STRIDE Threat Categories
| Category | Threat | Security Property | Countermeasure |
|---|---|---|---|
| Spoofing | Pretending to be another user or system | Authentication | Strong authentication, MFA, certificates |
| Tampering | Modifying data, code, or configurations | Integrity | Input validation, checksums, digital signatures |
| Repudiation | Denying actions were taken | Non-repudiation | Audit logging, digital signatures, timestamps |
| Information disclosure | Exposing data to unauthorised parties | Confidentiality | Encryption, access controls, data masking |
| Denial of service | Preventing legitimate access to resources | Availability | Rate limiting, redundancy, auto-scaling |
| Elevation of privilege | Gaining unauthorised access levels | Authorisation | Least privilege, RBAC, input validation |
Threat Modeling Process
| Step | Activities | Output |
|---|---|---|
| 1. Scope | Define system boundaries, assets, and trust levels | System context diagram |
| 2. Decompose | Create data flow diagrams showing components, data flows, trust boundaries | DFD with trust boundaries |
| 3. Identify threats | Apply STRIDE or chosen methodology to each element | Threat list with descriptions |
| 4. Assess risk | Rate each threat by likelihood and impact | Prioritised threat matrix |
| 5. Determine countermeasures | Identify security controls for each threat | Countermeasure mapping |
| 6. Validate | Verify countermeasures are effective and implemented | Validation report |
| 7. Document | Record model, decisions, and residual risks | Threat model document |
Data Flow Diagram Elements
| Element | Symbol | Examples | Threat Focus |
|---|---|---|---|
| External entity | Rectangle | Users, external APIs, third-party systems | Spoofing, input validation |
| Process | Circle | Application logic, microservices | All STRIDE categories |
| Data store | Parallel lines | Databases, file systems, caches | Tampering, information disclosure |
| Data flow | Arrow | API calls, network connections, file transfers | Tampering, information disclosure |
| Trust boundary | Dashed line | Network perimeter, service mesh, authentication | All categories (highest risk area) |
Risk Assessment Matrix
| Low Impact | Medium Impact | High Impact | Critical Impact | |
|---|---|---|---|---|
| High Likelihood | Medium | High | Critical | Critical |
| Medium Likelihood | Low | Medium | High | Critical |
| Low Likelihood | Informational | Low | Medium | High |
Common Threat Patterns
| Pattern | Description | Where Found | Countermeasure |
|---|---|---|---|
| Broken authentication | Weak or bypassed authentication | Login flows, API endpoints | MFA, session management, token validation |
| Injection | Untrusted input executed as code | Database queries, OS commands, LDAP | Input validation, parameterised queries |
| Data exposure | Sensitive data transmitted or stored insecurely | APIs, databases, logs | Encryption, masking, access controls |
| Privilege escalation | User gains higher access than authorised | Admin functions, role assignments | Least privilege, authorisation checks |
| Supply chain compromise | Malicious third-party components | Dependencies, integrations, APIs | SCA, SBOM, vendor assessment |
| Insider threat | Authorised user acts maliciously | All internal systems | Monitoring, separation of duties, access reviews |
Compliance Requirements
Framework Mapping
| Requirement | ISO 27001 | SOC 2 | NIS2 | DORA |
|---|---|---|---|---|
| Risk assessment | A.5.7 | CC3.2 | Art. 21(2)(a) | Art. 8(1) |
| Threat intelligence | A.5.7 | CC3.2 | Art. 21(2)(a) | Art. 8(6) |
| Secure design | A.8.25 | CC8.1 | Art. 21(2)(e) | Art. 8(1) |
| Security requirements | A.8.26 | CC8.1 | Art. 21(2)(e) | Art. 8(1) |
| Security testing | A.8.29 | CC8.1 | Art. 21(2)(e) | Art. 8(3) |
| Change risk assessment | A.8.32 | CC8.1 | Art. 21(2)(e) | Art. 8(2) |
Audit Evidence
| Evidence Type | Description | Framework |
|---|---|---|
| Threat model documents | Completed threat models for critical systems | All frameworks |
| Data flow diagrams | Current DFDs showing trust boundaries | ISO 27001, SOC 2 |
| Risk assessment results | Prioritised threat lists with ratings | All frameworks |
| Countermeasure mapping | Threats mapped to implemented controls | All frameworks |
| Threat model review records | Evidence of periodic review and updates | ISO 27001, NIS2 |
| Remediation tracking | Tickets showing threat-to-fix workflow | All frameworks |
| Training records | Developer threat modeling training | ISO 27001, SOC 2 |
Common Mistakes
| Mistake | Risk | Fix |
|---|---|---|
| Only modelling at initial design | Drift between model and reality | Update threat models on significant changes |
| Too abstract, no actionable output | Models provide no security value | Include specific, testable countermeasures |
| Only security team participates | Missing domain knowledge | Include developers, architects, and product owners |
| Ignoring trust boundaries | Missing the highest-risk attack surfaces | Map every trust boundary crossing in DFDs |
| No threat prioritisation | Treating all threats equally | Use risk assessment to focus on critical threats first |
| Not tracking remediation | Identified threats never addressed | Track countermeasures as security requirements |
How Orbiq Supports Threat Modeling Compliance
Orbiq helps you demonstrate threat modeling and risk assessment:
- Evidence collection — Centralise threat models, risk assessments, and remediation records
- Continuous monitoring — Track threat model coverage and remediation progress
- Trust Center — Share your secure design practices via your Trust Center
- Compliance mapping — Map threat modeling activities to ISO 27001, SOC 2, NIS2, and DORA
- Audit readiness — Pre-built evidence packages for auditor review
Further Reading
- Risk Management — Enterprise risk assessment and treatment
- DevSecOps — Integrating threat modeling into CI/CD
- Vulnerability Management — From threat identification to remediation
- Incident Response — When threats materialise
- Supply Chain Security — Third-party threat assessment
- API Security — Threat modeling for APIs