
Threat Modeling Methodology: PASTA

Focus: Attacker-focused | Est: 2015

The Process of Attack Simulation and Threat Analysis (PASTA) is a risk-centric threat modeling methodology co-founded by VerSprite CEO Tony UcedaVélez and security leader Marco M. Morana. PASTA has the added benefit of scalability: it can be scaled up or down as required, which makes it well suited to growing businesses, and most other threat modeling frameworks can also be mapped into it.

The benefits of PASTA include: [1]

  • A contextualized approach that always ties back to business context, allowing departments to collaborate
  • Leverages existing organizational processes
  • Ease of scale, whether up or down
  • Risk-centric: mitigating what matters and adopting the perspective of an attacker
  • Evidence-based threat modeling to support threat motives and leverage data
  • Focus on probability of attack, likelihood, inherent risk, and impact of compromise

PASTA provides a 7-step process for risk analysis: [2]

  1. Define objectives
  2. Define technical scope
  3. Application decomposition
  4. Threat analysis
  5. Vulnerability and weaknesses analysis
  6. Attack modeling
  7. Risk and impact analysis

The PASTA methodology aims to align the objectives of a business with its technical requirements, hence the benefit of cross-team collaboration and the involvement of technical teams alongside key senior decision makers. Because it is risk-centric and follows a comprehensive 7-step process, PASTA captures not only the technical scope and possible vulnerabilities but also the compliance and regulatory needs of the organization. PASTA produces an asset-centric output with a priority-focused inventory and score. [3]

Other Threat Modeling Methodologies

To learn more about other methodologies please visit Threat Modeling Methodologies.

Information Sources:

1. VerSprite, What is PASTA Threat Modeling? (2021)
2. Software Engineering Institute, Threat Modeling: 12 Available Methods (2018)
3. EC-Council, Cyber Threat Modeling