What Is Threat Modeling and How to Do It With STRIDE

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Most security testing happens after the code is written: penetration tests, code reviews, and DAST scans all operate on existing systems. Threat modeling happens before the code is written, when security problems are cheapest to fix.
A design flaw caught during a 2-hour threat modeling session costs hours to fix: a redesign decision, some additional documentation, and a few architectural adjustments. The same flaw caught during a penetration test after deployment costs weeks of remediation, potential regression bugs, and the security debt of a live vulnerability window.
The Four Threat Modeling Questions
The OWASP threat modeling framework organizes the exercise around four questions:
-
What are we building? Create a data flow diagram (DFD) of the system showing: external actors (users, external services), processes (application components), data stores (databases, caches, file systems), and data flows (API calls, database queries, message queue messages). Every element in the diagram is a potential threat surface.
-
What can go wrong? Apply STRIDE categories to each element. For each data flow: what happens if an attacker spoofs the sender? Tampers with the data? For each data store: what is the impact of unauthorized information disclosure? For each process: what if an attacker gains elevated privilege?
-
What are we going to do about it? For each threat identified, define a mitigation: a technical control (encryption, authentication, rate limiting), an operational control (monitoring, alerting), or an accepted risk (documented decision that the threat is low-probability or low-impact and no additional control is warranted).
-
Did we do a good enough job? Review the threat model against your organization's risk appetite. Verify that high-severity threats have specific, testable mitigations. Schedule a follow-up review when the design changes significantly.
The Six STRIDE Categories: What Each Means and What Mitigates It
S: Spoofing: An attacker impersonates a legitimate entity: a user, a service, or a system component. The attacker pretends to be someone they are not.
- Examples: Sending an API request with a forged authentication token, a malicious service impersonating a legitimate backend
- Mitigations: Strong authentication (MFA, certificate-based auth), message signing, mutual TLS for service-to-service communication
T: Tampering: An attacker modifies data in transit or at rest without authorization.
- Examples: Man-in-the-middle modification of API responses, modification of data in a shared database, tampering with log files
- Mitigations: Integrity controls (HMAC signatures, digital signatures, checksums), TLS for data in transit, write-access restrictions on data stores
R: Repudiation: A user or system performs an action and later denies having performed it, and there is insufficient evidence to prove otherwise.
- Examples: A user denies making a financial transaction, a service denies sending a request that caused a downstream failure
- Mitigations: Tamper-evident audit logging, digital signatures on critical transactions, non-repudiation tokens
I: Information Disclosure: Sensitive information is exposed to parties who should not have access to it.
- Examples: Verbose error messages exposing stack traces or database queries, unencrypted data in transit, overly permissive API responses returning more fields than the caller needs
- Mitigations: Principle of least privilege for data access, encryption at rest and in transit, output filtering (return only the fields the caller is authorized to see), generic error messages
D: Denial of Service: An attacker degrades or eliminates the availability of a system or resource.
- Examples: Resource exhaustion via unlimited API requests, large file upload attacks, slow-loris HTTP attacks
- Mitigations: Rate limiting, resource quotas, input size limits, timeout configuration, CDN/WAF for volumetric DDoS
E: Elevation of Privilege: An attacker gains capabilities or access beyond what they are authorized for.
- Examples: IDOR/BOLA accessing another user's data, SQL injection gaining database admin, a low-privilege process exploiting a vulnerability to gain OS-level access
- Mitigations: Principle of least privilege, input validation, parameterized queries, sandboxing, authorization checks at every layer
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Running a STRIDE Session: Step by Step
A basic threat model for a single feature or system takes 2-4 hours with 3-5 people: a developer who knows the system design, a security person, and a product owner or architect.
Step 1: Create the data flow diagram (60 minutes)
Draw (on a whiteboard or in a tool like draw.io, Microsoft Threat Modeling Tool, or OWASP Threat Dragon) the system with four element types:
- External entities (rectangles): Users, external services, third-party APIs: anything outside your trust boundary
- Processes (circles/ovals): Application components, microservices, Lambda functions: anything that processes data
- Data stores (parallel lines): Databases, caches, queues, file systems: anywhere data rests
- Data flows (arrows): API calls, database queries, event messages: how data moves between components
Mark your trust boundaries as dashed lines: where does your organization's control end and external/user control begin?
Step 2: Apply STRIDE to each element (60-90 minutes)
For each data flow, process, and data store, work through each STRIDE category. Create a table:
| Element | Threat Category | Threat Description | Severity | Mitigation |
|---|---|---|---|---|
| Login API | Spoofing | Attacker forges authentication token | High | JWT signature validation, short expiry |
| User DB | Information Disclosure | Unauthorized read of all user records | Critical | Row-level access controls, query scoping to user ID |
| Payment flow | Tampering | Amount modified in transit | Critical | HMAC signature on payment requests |
Step 3: Prioritize and assign (30 minutes)
Score each threat by severity (impact * likelihood) using CVSS or a simpler High/Medium/Low scale. Assign each mitigation to a specific person and sprint. High and Critical threats should be mitigated before the feature ships; Medium can be scheduled in the next sprint.
Step 4: Validate in code review
When the feature is implemented, the threat model becomes a security code review checklist: each mitigation in the threat model should have a corresponding test or implementation detail to verify.
Tools and When to Threat Model
Free tools:
- Microsoft Threat Modeling Tool: Free Windows application that auto-generates STRIDE threats from a DFD you draw: good for teams new to threat modeling
- OWASP Threat Dragon: Open-source browser-based tool with STRIDE support, integrates with GitHub
- draw.io / diagrams.net: Flexible diagramming tool for the DFD: use the STRIDE worksheet separately
When to run a threat model:
- Before starting development on any new feature that introduces: authentication, authorization, data storage, API endpoints, external integrations, or cryptographic operations
- Before significant architectural changes (adding a new service, changing the authentication mechanism, integrating a new third party)
- As part of the annual security review for systems handling sensitive data
- After a security incident: threat model what went wrong to identify systemic design issues
Scope management: keeping sessions productive: A threat model that tries to cover an entire application in one session becomes unmanageable. Scope each session to a single feature, integration, or data flow. A series of focused 2-hour sessions is more effective than a single exhausting 8-hour exercise.
The minimum viable threat model: If a full STRIDE session is not feasible, a 30-minute 'security design question' review covers the most critical ground:
- Where does authentication happen, and can it be bypassed?
- Where does authorization happen, and is it checked at every data access point?
- What sensitive data is stored, and who can read it?
- What happens if this component receives malformed or malicious input?
These four questions surface the majority of design-level security flaws without requiring formal threat modeling training.
The bottom line
Threat modeling with STRIDE applies six threat categories (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) to each component and data flow in a system diagram, producing a prioritized list of security threats and specific mitigations. Run a 2-4 hour session before any feature that introduces authentication, authorization, data storage, or external integrations. A design flaw caught in threat modeling costs hours; the same flaw caught post-deployment costs weeks. Scope each session to a single feature to keep it productive.
Frequently asked questions
What is STRIDE in threat modeling?
STRIDE is a threat categorization framework developed by Microsoft that applies six threat types to each component in a system: Spoofing (impersonating a legitimate entity), Tampering (unauthorized data modification), Repudiation (denying an action occurred), Information Disclosure (unauthorized data exposure), Denial of Service (availability degradation), and Elevation of Privilege (gaining unauthorized capabilities). Applying these six categories to each data flow and component produces a comprehensive list of potential security threats to address before deployment.
When should you do threat modeling?
Threat modeling should be done before development begins on any feature that introduces authentication, authorization, data storage, API endpoints, or external integrations: when design changes cost hours rather than weeks. A 2-4 hour STRIDE session before a feature is built is significantly cheaper than remediating the same design flaw after deployment.
What is the STRIDE threat modeling framework?
STRIDE is a threat classification model developed by Microsoft with six categories: Spoofing (identity impersonation), Tampering (unauthorized data modification), Repudiation (denying actions without audit trail), Information disclosure (data exposed to unauthorized parties), Denial of service (resource exhaustion or availability disruption), and Elevation of privilege (gaining unauthorized permissions). For each component in a system diagram, teams systematically ask which STRIDE categories apply and what controls mitigate each threat. STRIDE is the most widely used framework for developer-facing threat modeling because it maps directly to common software vulnerabilities.
What tools are available for threat modeling?
Microsoft Threat Modeling Tool (free): generates STRIDE threats automatically from data flow diagrams (DFDs) drawn in the tool, with built-in mitigation suggestions. OWASP Threat Dragon (free, open-source): web-based DFD diagramming with threat generation. IriusRisk and ThreatModeler: commercial platforms with CI/CD pipeline integration for automated threat model updates. For teams without a dedicated tool, threat modeling can be done with a whiteboard, a DFD sketch, and a structured STRIDE checklist applied to each component and data flow. Start with the simplest approach that gets participation: a 2-hour whiteboard session is more valuable than a sophisticated tool no one uses.
What is a data flow diagram (DFD) in threat modeling?
A data flow diagram maps all components in a system and the data flows between them: user clients, servers, databases, external services, and trust boundaries (lines that separate different security zones). Threat modeling uses DFDs to systematically identify where each STRIDE category could occur: trust boundaries are where Spoofing and Elevation of Privilege threats are most common; databases are where Information Disclosure and Tampering threats apply. The DFD does not need to be formal: a whiteboard sketch showing what calls what and where data crosses trust zones is sufficient to drive a productive STRIDE session.
How do you integrate threat modeling into an agile development workflow?
The friction point with threat modeling in agile teams is that traditional threat modeling sessions are long, infrequent, and disconnected from sprint planning. The fix is to reduce the scope and increase the frequency. Treat threat modeling as a story-level activity rather than a project-level activity: when a new story introduces a trust boundary crossing, authentication change, or new data storage, add a 30-minute threat modeling requirement to the story's definition of done. Assign a security champion per team who leads these micro-sessions rather than requiring a security engineer for every review. Use a threat modeling card deck (OWASP Cornucopia, Elevation of Privilege card game) to structure rapid threat identification without formal training: the card game format makes it practical in a sprint review or planning session. For larger features or new service boundaries, run a full STRIDE session as part of the technical design phase before story sizing: this makes it a design activity rather than a gate. Track threats as security-tagged stories in your backlog: each identified mitigation becomes a story with a severity label (Critical mitigations block the feature from shipping; High and Medium are backlog items scheduled in the next 1-2 sprints). This approach makes threat modeling a continuous input to sprint planning rather than a one-time checkpoint.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
