Structured way to anticipate what can go wrong—before attackers do.
Threat modeling is a disciplined method to identify, quantify, and address security risks in a system. You capture how the system works (data flows, trust boundaries), enumerate threats, prioritize mitigations, and track residual risk. It turns vague worry into actionable work items for architects, developers, and operations.
Most lightweight approaches follow this loop—click each step for a quick prompt you can use in workshops.
Draw data flows, actors, and trust boundaries.
Use STRIDE, misuse cases, or attack libraries.
Controls, design changes, monitoring.
Test assumptions; update as architecture changes.
| Tool / style | Best for | Notes |
|---|---|---|
| Microsoft Threat Modeling Tool | Data-flow + STRIDE | Windows-centric |
| OWASP Threat Dragon | Web apps, diagrams in Git | Open source |
| iriusRisk / enterprise TM | Scaled programs, risk registers | Commercial |
| Whiteboard + STRIDE | Fast iteration | No license |
Context: A bank exposes account aggregation and payment initiation APIs to a new mobile app and partner fintechs.
Diagram: Trust boundaries between mobile device, API gateway, core banking, and fraud engine.
Threats: Token theft (spoofing), transaction repudiation, rate-limit bypass (DoS), insecure deserialization to core systems.
Mitigations: mTLS or OAuth2 with binding, step-up auth for high-risk payments, WAF + bot management, strict schema validation, centralized audit.
Outcome: Security requirements feed API design reviews and CI policy tests (schema, auth scopes, PII tagging).