What Threat Modeling Is
Threat modeling is a structured exercise to find security flaws in a design before that design is built. Instead of testing for bugs after the fact, the team reasons about how the system could be attacked while it is still cheap to change.
The Four Questions
A widely used framing asks:
- What are we building? Draw a diagram with components, data stores, and trust boundaries.
- What can go wrong? Walk through each element of the diagram looking for threats, often using a mnemonic like STRIDE: spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.
- What are we going to do about it? Decide to mitigate, accept, transfer, or eliminate each threat.
- Did we do a good job? Review the model as the design evolves.
Where the Value Is
The heart of the exercise is trust boundaries, the lines where data crosses from a less trusted component to a more trusted one. Each such crossing is where validation and authorization belong. A good model produces a prioritized list of risks and concrete mitigations tied to the design.
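As an added example that is not part of the original article, the Python below encodes the four questions and the trust-boundary emphasis as a small model: elements placed in trust zones, data flows between them, a STRIDE enumeration over each element and flow, and a review pass that lists threats still lacking a decision. The per-element mapping (which STRIDE categories apply to external entities, processes, stores and flows) and the browser/web app/database sample system are constructed for the example.

```python
from dataclasses import dataclass

STRIDE = {"S": "spoofing", "T": "tampering", "R": "repudiation",
          "I": "information disclosure", "D": "denial of service",
          "E": "elevation of privilege"}
# STRIDE-per-element (assumed mapping): which categories apply to each element type.
PER_ELEMENT = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}
VALID_DECISIONS = {"mitigate", "accept", "transfer", "eliminate"}  # question 3

@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external", "process" or "store"
    trust: int  # trust level of its zone; higher means more trusted

@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    data: str

@dataclass(frozen=True)
class Threat:
    priority: int  # 3: enters a more trusted zone, 2: other crossing, 1: no crossing
    subject: str
    category: str

def flow_priority(f):
    if f.dst.trust > f.src.trust:
        return 3  # validation and authorization belong at this crossing
    return 2 if f.dst.trust != f.src.trust else 1

def enumerate_threats(elements, flows):
    """Question 2: apply the per-element STRIDE mapping to every element and flow."""
    threats = [Threat(1, e.name, STRIDE[c]) for e in elements for c in PER_ELEMENT[e.kind]]
    for f in flows:
        subject = f"{f.src.name} -> {f.dst.name} ({f.data})"
        threats += [Threat(flow_priority(f), subject, STRIDE[c]) for c in PER_ELEMENT["flow"]]
    return sorted(threats, key=lambda t: (-t.priority, t.subject, t.category))

def open_threats(threats, decisions):
    """Question 4: threats that still lack a mitigate/accept/transfer/eliminate decision."""
    unknown = set(decisions.values()) - VALID_DECISIONS
    if unknown:
        raise ValueError(f"unknown decisions: {sorted(unknown)}")
    return [t for t in threats if (t.subject, t.category) not in decisions]

# Constructed sample model (question 1): browser -> web app -> database, three trust zones.
BROWSER, WEBAPP, DB = Element("browser", "external", 0), Element("web app", "process", 1), Element("database", "store", 2)
ELEMENTS = [BROWSER, WEBAPP, DB]
FLOWS = [Flow(BROWSER, WEBAPP, "login form"), Flow(WEBAPP, DB, "SQL query"), Flow(DB, WEBAPP, "result rows")]
DECIDED = {("browser -> web app (login form)", "tampering"): "mitigate",
           ("browser -> web app (login form)", "information disclosure"): "mitigate"}
```

Calling `open_threats(enumerate_threats(ELEMENTS, FLOWS), DECIDED)` returns the remaining threats with boundary-crossing flows first, which is the prioritized list the review step works from.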
Key idea
Threat modeling answers four questions over a system diagram, focusing on trust boundaries and using a mnemonic like STRIDE to enumerate threats, so design flaws are found and mitigated while they are still cheap to fix.