Threat Modeling in 2026: Updating STRIDE and PASTA for AI-Discovered Attack Classes

STRIDE was designed for human adversaries. AI-powered attackers that autonomously discover zero-days require updated assumptions

9
Glasswing CVE classes, each mapping to a STRIDE category
21/41
ExploitBench V8 ACE exploits solved by Mythos, zero by all other models
200+
Partner organizations with AI-era threat models under Glasswing

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Threat modeling is one of the most valuable security practices an engineering team can adopt, and one of the most often neglected. The core activity, sitting down with a data flow diagram and systematically asking 'who could attack this and how,' surfaces design-level security problems before they become deployed vulnerabilities. STRIDE and PASTA are the two most widely used structured frameworks for this exercise. Both were designed for a world in which adversaries are human, use known tools, require significant time and expertise to discover novel vulnerabilities, and are constrained by the effort required to develop working exploits. Project Glasswing has provided a concrete picture of what a different kind of adversary looks like: one that autonomously discovered 10,000+ findings in 90 days, found a 17-year-old FreeBSD vulnerability that conventional scanning had missed, developed working exploit chains without human-written exploit code, and solved 21 of 41 ExploitBench V8 arbitrary code execution challenges while every other model solved zero. AI adversaries with Glasswing-class capabilities change the assumptions that underlie both STRIDE and PASTA. This guide explains which parts of each framework still hold, which assumptions require updating, and how to conduct a threat modeling session that accounts for AI-powered discovery and exploitation capabilities.

STRIDE Explained: Where It Still Holds

STRIDE divides threats into six categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Each category maps to a security property that a well-designed system should protect: Authentication prevents Spoofing; Integrity prevents Tampering; Non-repudiation prevents Repudiation; Confidentiality prevents Information Disclosure; Availability prevents Denial of Service; and Authorization prevents Elevation of Privilege. The framework is applied to a data flow diagram by examining each element, including data flows, processes, data stores, and external entities, and asking which of the six threat categories could apply to interactions with that element. STRIDE's core strength is its comprehensiveness as a structured checklist: it prevents threat modeling sessions from focusing exclusively on the threat category that happened to be in the news this week and missing the others. That strength holds in the AI era. The six threat categories still cover the relevant threat space. A system that prevents Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege is well-defended against AI-powered adversaries as well as human ones. What changes is not the threat category framework but the attacker capability assumptions within each category, and the specific threat scenarios that are now plausible.

PASTA Explained: The Risk-Centric Alternative

PASTA (Process for Attack Simulation and Threat Analysis) takes a different approach from STRIDE. Where STRIDE is a classification mnemonic applied to a data flow diagram, PASTA is a seven-stage process that starts with business objectives and works down to specific attack scenarios. The seven stages are: (1) Definition of Objectives, establishing the business context and security requirements; (2) Definition of Technical Scope, documenting the technical components and architecture; (3) Application Decomposition, building the data flow diagram and identifying trust boundaries; (4) Threat Analysis, identifying threat actors and their capabilities; (5) Vulnerability and Weakness Analysis, identifying weaknesses in the architecture that threat actors could exploit; (6) Attack Modeling and Simulation, mapping threat actors to specific attack paths through the identified weaknesses; and (7) Risk and Impact Analysis, estimating the business impact and likelihood of each attack path. PASTA's strength is its explicit business context: the risk analysis in stage 7 is grounded in the business objectives from stage 1. This makes PASTA outputs more actionable for executives and product teams than STRIDE outputs, which tend to be more technically detailed. PASTA's Threat Analysis stage (stage 4) is where AI adversary assumptions are most directly incorporated, specifically in how the threat actor capability profiles are defined.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

What AI Adversaries Change About Threat Modeling Assumptions

Traditional threat models sort adversaries into tiers by capability: script kiddies using off-the-shelf exploit tools, commodity attackers using known techniques and CVEs, sophisticated attackers developing novel techniques against specific targets, and nation-state actors with significant resources and specialized expertise. AI-powered adversaries like Claude Mythos do not fit cleanly into this hierarchy. Mythos demonstrated nation-state-level vulnerability discovery capability in a 90-day coordinated program, but the underlying AI capability is not nation-state-exclusive: it is accessible to any threat actor with API access to a sufficiently capable model. This collapses the distinction between commodity attackers and sophisticated attackers in a specific way: the rate of novel zero-day discovery, previously a nation-state capability, is now accessible to well-resourced non-state actors. For threat modeling purposes, four assumptions require explicit revision. First, the exploit development timeline: traditional models assume weeks to months from vulnerability disclosure to weaponized exploit. AI narrows this to hours or days. Second, the discovery breadth: traditional models assume adversaries focus on high-profile targets and known vulnerability classes. AI can sustain systematic scanning across an entire attack surface. Third, the attacker knowledge assumption: AI systems like Mythos can reason about vulnerability chains that require understanding multiple system layers simultaneously. Fourth, the barrier to novel discovery: finding an unfixed 17-year-old bug like the FreeBSD NFS vulnerability now requires AI-level effort, not decades of human expertise.

Updated Threat Library: AI-Discoverable Zero-Days as a Threat Category

Most threat modeling tools ship with built-in threat libraries: catalogs of threat scenarios associated with each STRIDE category and common architecture patterns. These libraries do not yet include AI-era threat scenarios. Security teams running threat modeling sessions need to manually extend the threat library with the following categories. Category: AI-Discovered Elevation of Privilege. Scenario: An AI adversary autonomously identifies a local privilege escalation vulnerability in an operating system kernel (class demonstrated by Glasswing Linux LPE finding) and chains it with an initial access vulnerability to achieve full system compromise. Relevant STRIDE category: Elevation of Privilege. Category: AI-Discovered VMM Escape. Scenario: An AI adversary identifies a vulnerability in the hypervisor or virtual machine monitor that allows code executing in a guest VM to break out of the virtualization boundary and execute code on the host. Relevant STRIDE category: Tampering (host environment) and Elevation of Privilege. Category: AI-Discovered Browser ACE. Scenario: An AI adversary identifies a V8 JIT compiler vulnerability that enables arbitrary code execution in the browser renderer process, delivered via a malicious webpage or drive-by download. Glasswing Mythos solved 21/41 ExploitBench V8 ACE challenges. Relevant STRIDE category: Elevation of Privilege and Tampering. Category: AI-Discovered Protocol Implementation Vulnerability. Scenario: An AI adversary identifies a vulnerability in a network protocol implementation (class demonstrated by Glasswing FreeBSD NFS RCE, CVE-2026-4747) that enables remote code execution without authentication. Relevant STRIDE category: Spoofing and Elevation of Privilege.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Applying Updated STRIDE to a Glasswing-Era System

A concrete example illustrates how updated STRIDE assumptions change the output of a threat modeling session. Consider a healthcare organization running a patient data management system with three tiers: a React web frontend, a Node.js API, and a PostgreSQL database, all deployed in AWS on EC2 instances. In a traditional STRIDE analysis, the Elevation of Privilege threats for the EC2 instances would include known privilege escalation vulnerabilities in the installed Linux kernel version, misconfigured IAM roles with overly permissive policies, and container escapes if the application runs in Docker. In an AI-era STRIDE analysis, the same threat category now includes: AI-discovered novel Linux LPE vulnerabilities in the installed kernel version that have not yet been publicly disclosed and may not have patches available at time of exploitation; AI-discovered hypervisor vulnerabilities enabling escape from EC2 instance isolation to the underlying host; and AI-systematic scanning of the application's API surface for logic vulnerabilities that enable privilege escalation at the application layer. The mitigations for the traditional threats (patch promptly, enforce least-privilege IAM, use read-only filesystem containers) still apply. The additional mitigations for AI-era threats include: compensating controls for kernel LPE (seccomp profiles, AppArmor or SELinux policies, kernel exploit mitigations like KASLR and stack canaries) that reduce the exploitability of novel LPEs; network segmentation that limits lateral movement even after a successful LPE; and enhanced detection capabilities (EDR, anomalous process behavior monitoring) that identify exploitation attempts for novel vulnerabilities without requiring known signatures.

How AI Changes the Attacker Capability Tier Assumptions

PASTA's Threat Analysis stage (stage 4) requires defining threat actor profiles including capabilities, motivations, and target selection criteria. The standard threat actor tiers need to be updated for the AI era. Script kiddie tier: unchanged. These actors use off-the-shelf tools and do not have AI-powered discovery capability. Commodity attacker tier: meaningfully upgraded. Commodity attackers with API access to sufficiently capable AI models can now conduct vulnerability research at a quality level previously associated with sophisticated actors, particularly against open source software and widely deployed commercial products. The barrier to AI-assisted discovery is access to the model, not specialized expertise. Sophisticated non-state actor tier: significantly upgraded. Sophisticated actors with dedicated AI infrastructure can sustain Mythos-class autonomous discovery against specific target organizations, finding novel zero-days in the target's specific software stack. Nation-state tier: substantially upgraded. Nation-state actors with dedicated AI research programs can operate at or above Glasswing-class capability, with the ability to maintain ongoing discovery operations against high-value targets. The practical impact on PASTA stage 4 is that the exploit development timeline should be compressed for sophisticated and above tier actors, the target selection model should account for AI-powered systematic scanning (less target selection, more comprehensive coverage), and the threat scenarios generated in stage 6 should include AI-discovered zero-days as plausible attack paths for any actor at sophisticated tier or above.

Integrating AI Threat Intel into Threat Modeling Sessions

Threat modeling sessions are most valuable when grounded in current threat intelligence rather than theoretical worst cases. Project Glasswing provides directly applicable threat intelligence for threat modeling sessions in 2026. The nine confirmed Glasswing CVEs map to specific STRIDE categories and can be used as concrete threat scenarios in threat modeling exercises. FreeBSD NFS RCE (CVE-2026-4747) as a threat scenario for any organization running FreeBSD or NFS services: Elevation of Privilege and Spoofing threats from unauthenticated remote code execution. wolfSSL Cert Forgery (CVE-2026-5194) as a threat scenario for any organization with IoT, embedded systems, or wolfSSL dependencies: Information Disclosure and Spoofing through certificate validation bypass. Linux LPE as a threat scenario for any Linux-based server infrastructure: Elevation of Privilege enabling root access from any authenticated user or container process. VMM Escape as a threat scenario for any virtualized environment: Tampering with host environment from a compromised guest. V8 ACE as a threat scenario for any user-facing web application or organization with managed browser fleets: Elevation of Privilege via client-side code execution. When running a PASTA stage 4 threat analysis, these confirmed Glasswing scenarios can be applied to the specific components in scope, replacing hypothetical 'AI could find a zero-day' scenarios with 'AI has found this specific class of zero-day in this category of software.'

Tooling Update: Microsoft Threat Modeling Tool and OWASP Threat Dragon

The two most widely used threat modeling tools require manual extension to incorporate AI-era threat categories. Microsoft Threat Modeling Tool uses an SDL TM Knowledge Base that defines threat templates and suggested mitigations. The tool allows custom templates, and the AI-era threat categories described above can be added as custom template entries. The practical workflow is to extend the built-in template with a new 'AI-Powered Adversary' threat actor and associated threat scenarios for each STRIDE category, then apply the extended template in new threat modeling sessions. OWASP Threat Dragon is a more flexible open source alternative built on React and Electron. Its threat model data is stored as JSON, and the threat library can be extended by modifying the threat template JSON. Threat Dragon's community maintains threat libraries on GitHub that can be forked and extended. For teams using IriusRisk or ThreatModeler (commercial platforms), both support custom threat libraries and can be extended with AI-era scenarios. The key is to make the AI-era threat scenarios a standard part of the threat library rather than a manual addition to individual threat modeling sessions, so that they are consistently applied rather than remembered only when someone raises them.

Updated AI-Era Threat Library and STRIDE Worksheet

The complete AI-era threat library extension with scenario definitions for each STRIDE category, the updated attacker capability tier definitions for PASTA stage 4, and the STRIDE worksheet pre-populated with Glasswing threat scenarios are available in the Mythos Brief. The Brief also includes threat modeling session facilitation guides with AI-era prompts and an integration walkthrough for extending the Microsoft Threat Modeling Tool template.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

STRIDE and PASTA remain effective frameworks for structuring threat modeling sessions. What has changed is the attacker capability assumptions that fill in the framework. AI-powered adversaries like the one demonstrated by Project Glasswing can discover novel zero-days autonomously, develop working exploits without human-written code, and scale discovery across entire attack surfaces at machine speed. The Glasswing CVEs provide concrete evidence: an AI found a 17-year-old FreeBSD bug, developed a Linux LPE, escaped VMMs, solved V8 ACE challenges that no other model could approach, and forged certificates against a widely embedded TLS library. Each of those findings maps to a STRIDE category and should appear in the threat library for any organization whose infrastructure resembles those targets. The updated AI-era threat library, Glasswing STRIDE worksheet, and tooling extension guides are in the Mythos Brief, available free at decryptiondigest.com/mythos-brief.

Frequently asked questions

What is STRIDE threat modeling?

STRIDE is a threat classification mnemonic developed by Microsoft, where each letter represents a threat category: Spoofing identity, Tampering with data, Repudiation of actions, Information Disclosure, Denial of Service, and Elevation of Privilege. In a STRIDE threat model, security architects examine each component of a system and ask which of the six threat categories could apply to it, then identify specific threat scenarios and appropriate mitigations. STRIDE is most effective during the design phase of a system, working from a data flow diagram that represents trust boundaries, data flows, processes, and external entities.

How do I include AI adversaries in my threat model?

Include AI adversaries by updating the attacker capability assumptions in your threat model. Traditional threat models assume adversaries use known tools against known vulnerability classes. AI adversaries like the ones demonstrated by Claude Mythos can discover novel zero-day vulnerabilities autonomously, develop full exploit chains without human-written exploit code, and sustain systematic scanning of an attack surface at machine speed. Practically, this means upgrading the 'Elevation of Privilege' threat category to include AI-discovered LPE vulnerabilities, adding 'AI-Discovered Zero-Day Exploitation' as a new threat category, and revising attacker tier assumptions upward for sophisticated adversaries.

What is PASTA threat modeling?

PASTA (Process for Attack Simulation and Threat Analysis) is a risk-centric threat modeling methodology with seven stages: definition of objectives, definition of the technical scope, application decomposition, threat analysis, vulnerability and weakness analysis, attack modeling and simulation, and risk and impact analysis. PASTA is more business-oriented than STRIDE, explicitly connecting technical threats to business risk and using attack simulation to validate threat scenarios. It is commonly used for application-layer threat modeling where business context is as important as technical architecture.

How does AI vulnerability discovery change my threat model?

AI vulnerability discovery compresses the timeline from 'vulnerability exists' to 'exploit in the wild' and removes human effort as a limiting factor on the attacker's discovery rate. Traditional threat models assume that novel zero-day vulnerabilities require significant attacker investment: months of manual research, specialized expertise, and access to the target system's code. Claude Mythos demonstrated that AI can discover novel zero-days in weeks, develop working exploit code without human intervention, and scale that capability across many targets simultaneously. This changes the attacker tier assumptions for sophisticated adversaries and shortens the window between vulnerability introduction and active exploitation.

Which threat modeling tool should I use in 2026?

Microsoft Threat Modeling Tool is well-suited for teams with Windows-heavy infrastructure and Microsoft technology stacks. It has built-in STRIDE template support and generates reports aligned to SDL (Security Development Lifecycle) processes. OWASP Threat Dragon is a better fit for teams that prefer open source tooling, work in web application contexts, and want a tool with active community development. IriusRisk and ThreatModeler are commercial options with automated threat generation and compliance mapping useful for larger enterprises. In 2026, any of these tools requires manual extension of the built-in threat libraries to include AI-era threat categories, since none yet ships with AI adversary threat patterns by default.

How do I quantify attacker dwell time assumptions in a PASTA threat model after Glasswing?

In PASTA Stage 6 (Attack Modeling and Simulation), dwell time assumptions feed directly into the probability and business impact scores for each attack scenario. Pre-Glasswing, a typical sophisticated-attacker dwell time assumption for a novel zero-day exploit chain was 30 to 90 days from discovery to weaponization. Glasswing demonstrated that an AI system can move from initial vulnerability discovery to a reproducible exploit in hours to days for the vulnerability classes in its benchmark set, compressing the attacker timeline by an order of magnitude for those classes. Practically, update your PASTA Stage 6 scenarios for AI-tier adversaries by reducing the exploit development dwell time assumption to less than 72 hours for browser, OS LPE, and protocol implementation bugs, and apply compensating controls (network segmentation, anomalous process monitoring, zero-trust lateral movement restrictions) that provide defensive value even when patch timelines cannot compress to match. Use the original 30-to-90-day window only for commodity and below threat actor tiers.

Sources & references

  1. Anthropic Project Glasswing 90-Day Report
  2. Microsoft STRIDE Threat Modeling
  3. OWASP Threat Dragon
  4. Microsoft Threat Modeling Tool
  5. PASTA Threat Modeling Framework
  6. NIST SP 800-154 Guide to Data-Centric System Threat Modeling

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.