
Threat Modeling: Systematic Risk Identification for Applications

Part of the Cybersecurity Skills Guide — This article is one deep-dive in our complete guide series.

By HADESS Team | February 28, 2026 | Updated: February 28, 2026 | 5 min read

Threat modeling identifies what can go wrong before you write the code to fix it. It is a structured approach to finding security problems in a system’s design rather than waiting for a penetration test to find them in the implementation. Fixing a design flaw at the architecture stage costs a fraction of fixing it after deployment.

STRIDE

STRIDE is Microsoft’s threat classification model. Each letter represents a category of threat:

  • Spoofing: pretending to be something or someone else (authentication bypass, session hijacking)
  • Tampering: modifying data or code (SQL injection, parameter manipulation, binary patching)
  • Repudiation: denying having taken an action (insufficient logging, log tampering)
  • Information Disclosure: exposing data to unauthorized parties (directory traversal, error messages leaking stack traces)
  • Denial of Service: making a system unavailable (resource exhaustion, algorithmic complexity attacks)
  • Elevation of Privilege: gaining capabilities beyond what was granted (privilege escalation, IDOR)

Apply STRIDE to each component in your system. For a web application with a frontend, API server, and database: what spoofing threats affect the API server? What information disclosure threats exist in the database? Systematically working through each category for each component surfaces threats that ad hoc brainstorming misses.

PASTA

Process for Attack Simulation and Threat Analysis (PASTA) is a seven-stage, risk-centric methodology:

1. Define business objectives and security requirements
2. Define the technical scope (architecture, dependencies, data flows)
3. Decompose the application into components
4. Analyze threats relevant to the application’s context
5. Identify vulnerabilities through testing and analysis
6. Model attack scenarios using attack trees
7. Assess risk and determine countermeasures

PASTA differs from STRIDE by starting with business context. It asks “what are we protecting and why?” before diving into technical threats. This makes its output more directly tied to business risk, which helps when communicating findings to non-technical stakeholders.

Attack Trees

Attack trees model how an attacker might achieve a specific goal. The root node is the attacker’s objective (e.g., “steal customer payment data”). Child nodes represent different approaches to achieving that goal. Each approach branches further into specific techniques.

Example root: Steal Payment Data

  • Compromise web application (SQLi, auth bypass, SSRF to internal services)
  • Compromise database directly (exposed management port, weak credentials, privilege escalation)
  • Intercept data in transit (MITM, TLS downgrade, certificate pinning bypass)
  • Social engineer an employee (phishing for VPN credentials, insider threat)

Each leaf node can be annotated with difficulty, cost, and likelihood. This helps prioritize defenses against the most probable attack paths rather than spreading effort evenly across all possibilities.
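The following is an added example, not code from the HADESS article: it encodes the "Steal Payment Data" tree above as AND/OR nodes, attaches constructed cost and likelihood figures to each leaf, and propagates them upward (OR takes the cheapest child and the probability that at least one child succeeds; AND sums costs and multiplies probabilities). The database branch is modelled as AND to show the difference; the numbers are illustrative, and the independence assumption behind the probability arithmetic is a simplification.

```python
"""Attack-tree annotation and path ranking.

Added example, not from the HADESS article: the tree below is the article's
"Steal Payment Data" tree with constructed (illustrative) cost and
likelihood figures attached to each leaf.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Node:
    name: str
    gate: str = "OR"           # "OR": any one child achieves the goal; "AND": all are needed
    cost: float = 0.0          # leaf annotation: attacker effort, arbitrary units
    likelihood: float = 0.0    # leaf annotation: probability the step succeeds, 0..1
    children: List["Node"] = field(default_factory=list)

    def is_leaf(self) -> bool:
        return not self.children


def min_cost(node: Node) -> float:
    """Cheapest way to reach the goal: OR nodes take the minimum child cost,
    AND nodes must pay for every child."""
    if node.is_leaf():
        return node.cost
    costs = [min_cost(c) for c in node.children]
    return min(costs) if node.gate == "OR" else sum(costs)


def success_probability(node: Node) -> float:
    """Propagate leaf likelihoods upward, treating children as independent:
    AND succeeds only if all children do; OR succeeds if at least one does."""
    if node.is_leaf():
        return node.likelihood
    probs = [success_probability(c) for c in node.children]
    if node.gate == "AND":
        p = 1.0
        for q in probs:
            p *= q
        return p
    all_fail = 1.0
    for q in probs:
        all_fail *= 1.0 - q
    return 1.0 - all_fail


def rank_branches(root: Node) -> List[Tuple[str, float, float]]:
    """Rank the root's direct branches (the attacker's approaches) by
    propagated likelihood, highest first; ties broken by lower cost."""
    rows = [(c.name, min_cost(c), success_probability(c)) for c in root.children]
    return sorted(rows, key=lambda r: (-r[2], r[1]))


def leaf(name: str, cost: float, likelihood: float) -> Node:
    return Node(name, cost=cost, likelihood=likelihood)


def build_payment_tree() -> Node:
    """The article's example tree. Cost/likelihood numbers are constructed."""
    return Node("Steal Payment Data", children=[
        Node("Compromise web application", children=[
            leaf("SQL injection", 3, 0.30),
            leaf("Authentication bypass", 5, 0.10),
            leaf("SSRF to internal services", 6, 0.15),
        ]),
        # Modelled as AND: both a reachable port and usable credentials are needed.
        Node("Compromise database directly", gate="AND", children=[
            leaf("Reach exposed management port", 2, 0.20),
            leaf("Guess weak credentials", 1, 0.50),
        ]),
        Node("Intercept data in transit", children=[
            leaf("Man-in-the-middle", 8, 0.05),
            leaf("TLS downgrade", 7, 0.02),
            leaf("Certificate pinning bypass", 9, 0.05),
        ]),
        Node("Social engineer an employee", children=[
            leaf("Phish VPN credentials", 2, 0.25),
            leaf("Insider threat", 10, 0.05),
        ]),
    ])


if __name__ == "__main__":
    tree = build_payment_tree()
    print(f"Cheapest path cost: {min_cost(tree)}")
    print(f"Overall success probability: {success_probability(tree):.3f}")
    for name, cost, prob in rank_branches(tree):
        print(f"  {prob:.3f}  cost={cost:>4}  {name}")
```

With these constructed figures the web application branch ranks highest and the AND-gated database branch lowest, which is the kind of ordering that tells a team where to spend mitigation effort first. Replacing the numbers with estimates from your own environment is the whole exercise; the propagation rules stay the same.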

Data Flow Diagrams

Data Flow Diagrams (DFDs) are the visual foundation of most threat models. They map how data moves through a system, crossing trust boundaries along the way.

DFD elements:

  • External entities: users, third-party services, other systems (squares)
  • Processes: application components that process data (circles)
  • Data stores: databases, file systems, caches (parallel lines)
  • Data flows: arrows showing data movement between elements
  • Trust boundaries: dashed lines separating zones of different trust levels

Every data flow that crosses a trust boundary is a potential attack surface. The API call from the browser to the server crosses from untrusted to trusted — that crossing needs authentication, input validation, and authorization checks. Data flowing from the server to a third-party API crosses into a zone you do not control — that flow needs encryption and output encoding.
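The following is an added example, not code from the HADESS article. It ties the STRIDE section together with the DFD material: a small model of the browser / API server / database scenario, with each element assigned to a trust zone, is walked with the STRIDE-per-element mapping from Microsoft's SDL guidance (external entities: S, R; processes: all six; data stores: T, R, I, D; data flows: T, I, D), and every flow whose endpoints sit in different zones is flagged as a boundary crossing. The element names, zones, flows and the control hints per category are constructed for illustration.

```python
"""Trust-boundary analysis of a data flow diagram with STRIDE-per-element.

Added example, not code from the HADESS article. The component names, zones
and flows below are constructed for the article's web app / API / database
scenario; the element-to-category mapping is the STRIDE-per-element table
from Microsoft's SDL threat modeling guidance.
"""
from dataclasses import dataclass
from typing import Dict, List

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# Which categories apply to which DFD element kind. Repudiation on a data
# store matters mainly when the store holds audit logs.
STRIDE_PER_ELEMENT = {
    "external": "SR",
    "process": "STRIDE",
    "datastore": "TRID",
    "dataflow": "TID",
}

# Typical control class per category (constructed hints for the report).
CONTROL_HINT = {
    "S": "authentication", "T": "input validation / integrity checks",
    "R": "tamper-evident logging", "I": "encryption / access control",
    "D": "rate limiting / quotas", "E": "authorization checks",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # external | process | datastore
    zone: str   # trust zone the element lives in


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    label: str


@dataclass
class Threat:
    target: str
    category: str
    crosses_boundary: bool
    control: str


def crossing_flows(elements: Dict[str, Element], flows: List[Flow]) -> List[Flow]:
    """Flows whose endpoints sit in different trust zones."""
    return [f for f in flows if elements[f.src].zone != elements[f.dst].zone]


def enumerate_threats(elements: Dict[str, Element], flows: List[Flow]) -> List[Threat]:
    """Apply STRIDE-per-element to every element and flow; flag flows that
    cross a trust boundary so they can be prioritized."""
    threats: List[Threat] = []
    for e in elements.values():
        for letter in STRIDE_PER_ELEMENT[e.kind]:
            threats.append(Threat(e.name, STRIDE[letter], False, CONTROL_HINT[letter]))
    boundary = set(crossing_flows(elements, flows))
    for f in flows:
        target = f"{f.src} -> {f.dst} ({f.label})"
        for letter in STRIDE_PER_ELEMENT["dataflow"]:
            threats.append(Threat(target, STRIDE[letter], f in boundary, CONTROL_HINT[letter]))
    return threats


def build_example_model():
    """Constructed model: browser, payment API, orders database, third-party
    payment processor. The API and the database share the 'app' zone, so the
    flow between them does not cross a boundary."""
    elements = {e.name: e for e in [
        Element("browser", "external", "internet"),
        Element("payment_api", "process", "app"),
        Element("orders_db", "datastore", "app"),
        Element("payment_processor", "external", "third_party"),
    ]}
    flows = [
        Flow("browser", "payment_api", "checkout request"),
        Flow("payment_api", "orders_db", "write order"),
        Flow("payment_api", "payment_processor", "charge card"),
    ]
    return elements, flows


if __name__ == "__main__":
    elements, flows = build_example_model()
    # Boundary-crossing flows first, since those are the attack surface to review.
    for t in sorted(enumerate_threats(elements, flows), key=lambda t: not t.crosses_boundary):
        flag = "BOUNDARY" if t.crosses_boundary else "        "
        print(f"{flag}  {t.category:<24} {t.target:<55} -> {t.control}")
```

The output is the raw candidate list that the per-component STRIDE walk produces; the two boundary-crossing flows (browser to API, API to payment processor) surface at the top, matching the point made above that those crossings are where authentication, validation and encryption decisions have to be made explicit.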

Prioritization

Not every identified threat needs a mitigation. Prioritize based on likelihood and impact. A threat that requires physical access to the server room and results in minimal data exposure is lower priority than a remotely exploitable threat that leads to full database access.

Use a risk matrix or quantitative scoring to rank threats. Address high-likelihood, high-impact threats first. Document accepted risks with business justification — threats you choose not to mitigate should be conscious decisions, not oversights.

Next Steps

  • Assess your application security skills with the skills assessment
  • Explore secure development and design topics in the skills library
  • Use the coaching tool to develop threat modeling proficiency through practice scenarios

Frequently Asked Questions

How long does it take to learn this skill?

Most practitioners build working proficiency in 4-8 weeks of dedicated study with hands-on practice. Mastery takes longer and comes primarily through on-the-job experience.

Do I need certifications for this skill?

Certifications validate your knowledge to employers but are not strictly required. Hands-on experience and portfolio projects often carry more weight in technical interviews. Check the certification roadmap for relevant options.

What career paths use this skill?

Explore the career path explorer to see which roles require this skill and how it fits into different cybersecurity specializations.

HADESS Team consists of cybersecurity practitioners, hiring managers, and career strategists who have collectively spent 50+ years in the field.
