Threat Modelling
Threat modelling is a structured process for identifying, analysing, and prioritising potential security threats to a system, application, or organisation. It provides defenders with a systematic analysis of what controls need to be in place, based on the nature of the system, the probable attacker’s profile, the most likely attack vectors, and the assets most at risk.
For organisations designing new systems or assessing existing ones, threat modelling answers the question that matters most: where are we exposed, and what should we do about it first? Rather than treating security as a reactive exercise, threat modelling builds it into the architecture from the start.
| Field | Detail |
|---|---|
| Full name | Threat modelling (also: threat modeling, US spelling) |
| Type | Methodology |
| Maintained by | No single owner – multiple frameworks exist (Microsoft, OWASP, MITRE) |
| First formalised | 1999 (Microsoft STRIDE model by Kohnfelder and Garg) |
| Applies to | Software development, infrastructure design, operational technology, cloud architecture |
| UK relevance | Central to NCSC Secure by Design principles; referenced in NCSC Cyber Assessment Framework (CAF) |
| Wikipedia | Threat model |
| Wikidata | Q7797194 |
How threat modelling works
A threat modelling exercise follows four stages. First, you decompose the system, mapping architecture, data flows, trust boundaries, and entry points. Then you identify threats systematically, enumerating how an adversary could compromise each component using a structured methodology. Next, you assess and prioritise each threat by likelihood and impact, ranking by risk. Finally, you define mitigations: architectural changes, additional controls, monitoring requirements, or accepted risk with documented rationale.
The output is a threat model document: a living reference that maps threats to assets, rates risk, and links to specific security controls. It directly informs penetration testing scope, security architecture decisions, and incident response planning. Done well, it ensures your security investment targets the threats that actually matter to your organisation, rather than chasing generic compliance checklists.
Common methodologies
Several established frameworks support the threat modelling process, each suited to different contexts.
STRIDE categorises threats by type: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. It works well for application and system-level threat analysis. STRIDE-LM extends this with Lateral Movement, making it more applicable to modern network and cloud environments where lateral movement is a primary attack path.
PASTA (Process for Attack Simulation and Threat Analysis) is a seven-stage, risk-centric approach. It suits organisations that need threat analysis tied directly to business risk and compliance objectives.
MITRE ATT&CK maps threats to real-world adversary tactics, techniques, and procedures. It is the framework of choice for threat-informed defence, detection engineering, and red team exercises.
In practice, experienced practitioners combine approaches: STRIDE for system decomposition, MITRE ATT&CK for adversary modelling, and PASTA when the exercise needs to connect directly to business risk appetite.
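The four stages above and the STRIDE-LM categorisation, carried through in code as an added example (not from this page or from any of the frameworks it names): a small web application is decomposed into typed elements, each element receives the STRIDE categories that apply to its type (the STRIDE-per-element table), dataflows that cross a trust boundary also receive Lateral Movement, threats are ranked by likelihood × impact, and each carries a mitigation for the threat model document. The exposure-based likelihood scores, the sample system and the category-to-mitigation mapping are illustrative assumptions.

```python
from dataclasses import dataclass

# STRIDE-per-element: which categories apply to each element type.
APPLICABLE = {"external": "SR", "process": "STRIDE", "datastore": "TRID", "dataflow": "TID"}
# Illustrative control per category (an assumption, not a standard mapping).
MITIGATIONS = {"S": "strong authentication (MFA, mTLS)", "T": "input validation, integrity checks",
               "R": "tamper-evident audit logging", "I": "encryption, least-privilege access",
               "D": "rate limiting, quotas, redundancy", "E": "authorisation checks, least privilege",
               "LM": "network segmentation, egress filtering"}

@dataclass(frozen=True)
class Element:           # stage 1 output: one decomposed component
    name: str
    kind: str            # external | process | datastore | dataflow
    zone: str            # trust zone it lives in (e.g. internet, dmz, internal)
    sensitivity: int     # asset value 1-5, used as impact
    crosses: str = ""    # dataflows only: zone on the far side of a trust boundary

@dataclass(frozen=True)
class Threat:
    element: str
    category: str
    likelihood: int      # 1-5
    impact: int          # 1-5
    mitigation: str
    @property
    def risk(self) -> int:
        return self.likelihood * self.impact

def enumerate_threats(elements):
    """Stage 2: one threat per element per applicable STRIDE category; a dataflow
    crossing a trust boundary also gets Lateral Movement (LM)."""
    threats = []
    for e in elements:
        boundary = bool(e.crosses) and e.crosses != e.zone
        cats = list(APPLICABLE[e.kind]) + (["LM"] if e.kind == "dataflow" and boundary else [])
        likelihood = 4 if (e.zone == "internet" or boundary) else 2   # exposure drives likelihood
        threats += [Threat(e.name, c, likelihood, e.sensitivity, MITIGATIONS[c]) for c in cats]
    return threats

def rank(threats):
    """Stage 3: highest likelihood x impact first; stage 4 is the mitigation
    already attached to each Threat, ready for the threat model document."""
    return sorted(threats, key=lambda t: (-t.risk, t.element, t.category))

# Constructed sample decomposition of a small web application (not a real system).
SYSTEM = [Element("Browser user", "external", "internet", 1),
          Element("Web API", "process", "dmz", 3),
          Element("Customer DB", "datastore", "internal", 5),
          Element("User -> API", "dataflow", "internet", 3, crosses="dmz"),
          Element("API -> DB", "dataflow", "dmz", 5, crosses="internal")]
```

`rank(enumerate_threats(SYSTEM))` returns the prioritised list; the boundary-crossing flow into the customer database ranks first, which is where a real exercise would point penetration testing scope and monitoring.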
UK regulatory context
The NCSC’s Secure by Design principles position threat modelling as a foundational practice for any organisation building or operating systems that handle sensitive data. It is a core component of the NCSC Cyber Assessment Framework (CAF) under the ‘Managing security risk’ objective. The NIS2 Directive requires organisations in scope to demonstrate documented threat awareness. DORA (the Digital Operational Resilience Act) mandates threat-led penetration testing for financial services, which begins with a threat model. ISO 27001 risk assessment requirements align directly with threat modelling outputs. And UK government procurement under Secure by Design increasingly expects suppliers to evidence threat modelling as part of their security approach.
How we deliver threat modelling
We deliver structured threat modelling as part of our Identify & Protect engagements, using STRIDE-LM, PASTA, and MITRE ATT&CK frameworks depending on the context. Our threat model outputs feed directly into our CREST-certified penetration testing, ensuring that testing scope targets the threats that matter to your specific environment rather than running generic scans.
Related glossary terms
- MITRE ATT&CK – adversary tactics and techniques framework used in threat-informed modelling
- CREST certification – accreditation for penetration testing providers who act on threat model findings
- NCSC CAF – UK government framework where threat analysis is a core requirement
- ISO 42001 – AI management standard where threat modelling applies to AI system risk
External references
- Wikipedia: Threat model – encyclopaedic overview
- Wikidata: Q7797194 – canonical entity identifier
- OWASP Threat Modeling – open-source methodology guidance
- NCSC Secure by Design – UK government design principles
Frequently asked questions
When should an organisation conduct threat modelling?
At the design stage of any new system, application, or significant change. For existing systems, conduct threat modelling before the next penetration test to ensure testing targets the right risks. Revisit when the architecture changes or new threat intelligence emerges.
Is threat modelling required for UK compliance?
The NCSC Cyber Assessment Framework, ISO 27001, NIS2, and DORA all require or strongly recommend documented threat analysis. For public sector procurement under Secure by Design, it is effectively mandatory.
Which methodology should we use?
It depends on the objective. STRIDE-LM works well for application security. MITRE ATT&CK suits adversary-informed defence. PASTA connects threat analysis to business risk. Most engagements combine approaches based on context.
Contact Us
Cyberfort Ltd
Venture West,
Greenham Business Park, Thatcham,
Berkshire,
RG19 6HX
