Which Threat Modeling Methodology is Best for Your Organization?
Learn how threat modeling and associated methodologies can improve the evaluation of cybersecurity threats, and provide actionable countermeasures
Firstly, what is threat modeling?
The idea of building security into new hardware and software products from the outset has gained ground over the last few years. The move to "shift left" and the introduction of security by design have accelerated, driven by growing concern about supply chain attacks.
One way to achieve this is through threat modeling. Threat modeling is not, itself, new: Microsoft did pioneering work on it in the late Nineties. It is now being adopted by bodies such as NIST, with the goal of catching design flaws before they ship as exploitable vulnerabilities. It is also referenced in the OWASP Top Ten (2021) under 'Insecure Design', a category focused on risks that stem from design flaws rather than implementation bugs. If we genuinely want to "shift left" as an industry, that calls for more use of threat modeling, secure design patterns and principles, and reference architectures.

Why should organizations be automating threat modeling efforts?
Cyber threats continue to grow, and code scanning and security testing alone are insufficient because they can only find problems once code already exists. Threat modeling is therefore a core competency for everyone involved in the software development life cycle.
Every sector of the global economy is being transformed by software, yet vulnerabilities are too often exposed by increasingly sophisticated cyber-attacks. By identifying security flaws in software architecture at the design phase, threat modeling makes it possible to fix issues before code is written.
Threat Modeling Methodologies
STRIDE
STRIDE stands for Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege. It was developed at Microsoft by Loren Kohnfelder and Praerit Garg in 1999 to identify potential vulnerabilities and threats to the company's products. Each STRIDE category is the violation of one security property the application should guarantee: spoofing defeats authentication, tampering defeats integrity, repudiation defeats non-repudiation, information disclosure defeats confidentiality, denial of service defeats availability, and elevation of privilege defeats authorization. Walking a design element by element and asking which of the six apply is how STRIDE turns the abstract CIA requirements of Confidentiality, Integrity, and Availability into a concrete threat list.
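To show what "walking a design element by element" looks like when automated, here is an added example (not IriusRisk's code, nor Microsoft's) that applies STRIDE-per-element to a small data-flow diagram: each element type gets the categories Microsoft's STRIDE chart assigns it, and flows whose endpoints sit in different trust zones are flagged so they get reviewed first. The three-tier system, its trust zones and the element and flow names are constructed for illustration.

```python
"""Added example: STRIDE-per-element over a small data-flow diagram (DFD).

Automated threat modeling tools generate threats by walking the DFD and
applying a category mapping to each element. This uses the STRIDE-per-element
mapping from Microsoft's STRIDE chart; the sample system is constructed for
the example and is not a real product.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# STRIDE-per-element: which threat categories apply to each DFD element type.
STRIDE_PER_ELEMENT: Dict[str, str] = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}

# Each STRIDE category is the violation of one security property.
CATEGORY: Dict[str, Tuple[str, str]] = {
    "S": ("Spoofing", "Authentication"),
    "T": ("Tampering", "Integrity"),
    "R": ("Repudiation", "Non-repudiation"),
    "I": ("Information disclosure", "Confidentiality"),
    "D": ("Denial of service", "Availability"),
    "E": ("Elevation of privilege", "Authorization"),
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # external_entity | process | data_store
    zone: str   # trust zone the element sits in


@dataclass(frozen=True)
class Flow:
    name: str
    src: str    # Element.name
    dst: str    # Element.name


@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    violates: str
    crosses_boundary: bool   # flow crosses a trust boundary -> review first


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    """Apply STRIDE-per-element to every element and flow in the DFD."""
    zone_of = {e.name: e.zone for e in elements}
    threats: List[Threat] = []
    for e in elements:
        if e.kind == "data_flow" or e.kind not in STRIDE_PER_ELEMENT:
            raise ValueError(f"unknown element kind: {e.kind}")
        for letter in STRIDE_PER_ELEMENT[e.kind]:
            cat, prop = CATEGORY[letter]
            threats.append(Threat(e.name, cat, prop, False))
    for f in flows:
        # A flow whose endpoints live in different trust zones crosses a
        # boundary; that is where attacker-controlled input enters the system.
        crosses = zone_of[f.src] != zone_of[f.dst]
        for letter in STRIDE_PER_ELEMENT["data_flow"]:
            cat, prop = CATEGORY[letter]
            threats.append(Threat(f.name, cat, prop, crosses))
    # Boundary-crossing threats first, then a stable order by target name.
    return sorted(threats, key=lambda t: (not t.crosses_boundary, t.target))


def sample_model() -> Tuple[List[Element], List[Flow]]:
    """Constructed three-tier web app: browser -> API -> cache / database."""
    elements = [
        Element("Browser", "external_entity", "internet"),
        Element("Web API", "process", "dmz"),
        Element("Session cache", "data_store", "dmz"),
        Element("Customer DB", "data_store", "internal"),
    ]
    flows = [
        Flow("login request", "Browser", "Web API"),       # internet -> dmz
        Flow("session lookup", "Web API", "Session cache"),  # dmz -> dmz
        Flow("customer query", "Web API", "Customer DB"),    # dmz -> internal
    ]
    return elements, flows


def summary_by_property(threats: List[Threat]) -> Dict[str, int]:
    """Count threats per violated property, to see where a design is weakest."""
    counts: Dict[str, int] = {}
    for t in threats:
        counts[t.violates] = counts.get(t.violates, 0) + 1
    return counts


if __name__ == "__main__":
    elems, fls = sample_model()
    found = enumerate_threats(elems, fls)
    for t in found:
        flag = "BOUNDARY" if t.crosses_boundary else "        "
        print(f"{flag} {t.target:15} {t.category:24} violates {t.violates}")
    print(summary_by_property(found))
```

Running it lists 25 threats for the sample system, with the six on the two boundary-crossing flows at the top. A real model attaches a countermeasure and an owner to each threat and tracks it to closure; the enumeration step above is the part a tool can do for you, the mitigation decisions are not.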
OCTAVE®
OCTAVE stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation. Developed at the Software Engineering Institute at Carnegie Mellon University, it focuses on organizational rather than purely technological risk: it starts from the assets the business depends on and asks what a threat to each of them, such as a data breach, would do to the organization's operations.
TRIKE
TRIKE is an open source threat modeling methodology that approaches security auditing from a risk management and defense perspective. It builds a requirements model, an implementation model, a threat model and a risk model in turn, with the aim of ensuring that the level of risk assigned to each asset is acceptable to its stakeholders.
PASTA
The Process of Attack Simulation and Threat Analysis (PASTA) is a risk-centric threat modeling methodology co-developed by VerSprite CEO Tony UcedaVélez and security leader Marco M. Morana. It works through seven stages, from defining business objectives and technical scope, through application decomposition, threat and vulnerability analysis and attack modeling, to risk and impact analysis. PASTA has the added benefit of scalability: it can be scaled up or down as required, which suits growing businesses, and most other threat modeling frameworks can be mapped into it.
Additional methods
What are the benefits of IriusRisk Threat Modeling?
IriusRisk’s platform automates the threat modeling process, enabling developers to design and build secure software at scale. IriusRisk is the industry leader in automated threat modeling and secure software design, working with clients that include four of the top 10 Global Systemically Important Banks (G-SIBs). By using IriusRisk, you can:
- Generate a threat model within minutes
- Identify threats to your product AND countermeasures
- Avoid delays to deployment and speed up time-to-production
- Save time, cost, and development rework
- Ditch the PDFs and instantly identify areas for compliance
- Create a culture of collaboration between security and development teams
References
Cybersecurity and Infrastructure Security Agency, Architectural Risk Analysis (2013) https://www.cisa.gov/uscert/bsi/articles/best-practices/architectural-risk-analysis/architectural-risk-analysis
EC-Council, Cyber Threat Modeling eccouncil.org/threat-modeling
EC-Council, DREAD Threat Modeling eccouncil.org/cybersecurity-exchange/threat-intelligence/dread-threat-modeling-intro/
European Union Agency for Cybersecurity, OCTAVE enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory/rm-ra-methods/m_octave.html
FIRST, Common Vulnerability Scoring System version 3.1: Specification Document https://www.first.org/cvss/specification-document
Microsoft, Chapter 3 - Threat Modeling (2010) https://docs.microsoft.com/en-us/previous-versions/msp-n-p/ff648644(v=pandp.10)
Microsoft, STRIDE Chart (2007) microsoft.com/security/blog/2007/09/11/stride-chart/
NIST, National Vulnerability Database nvd.nist.gov/vuln-metrics/cvss
OWASP, Advanced Threat Modeling owasp.org/www-pdf-archive/AdvancedThreatModeling.pdf
OWASP, Top Ten (2021) owasp.org/www-project-top-ten/
Software Engineering Institute, Threat Modeling: 12 Available Methods (2018) https://insights.sei.cmu.edu/blog/threat-modeling-12-available-methods/
Spiceworks, Top 10 Cyber Threat Intelligence Tools (2022) https://www.spiceworks.com/it-security/vulnerability-management/articles/best-cyber-threat-intelligence-tools/
VerSprite, What is PASTA Threat Modeling? (2021) versprite.com/blog/what-is-pasta-threat-modeling/