Top Threat Modeling Frameworks
by Dan.C
Threat Modeling Frameworks Explained: STRIDE, MITRE ATT&CK, PASTA, CVSS, TMaaC
Table of Contents
- Introduction
- What is Threat Modeling?
- Frameworks Deep Dive
- Comparison Table
- Bringing It All Together
- Conclusion
- You May Also Like
Introduction to Threat Modeling
Imagine you’re building a banking app. You’ve encrypted passwords, secured the database, and applied patches. But have you really thought like an attacker? What if someone tries to spoof a user, escalate privileges, or exploit an overlooked vulnerability?
That’s where threat modeling frameworks come in. They give security teams structured ways to anticipate, prioritize, and mitigate threats—long before attackers exploit them. In this guide, we’ll explore the most widely used frameworks: STRIDE, MITRE ATT&CK, PASTA, CVSS, and TMaaC.
What is Threat Modeling?
Threat modeling is a structured process for identifying what can go wrong in a system and how to defend against it.
Think of it like architecture: when designing a building, architects consider earthquakes, fire hazards, and break-ins. In cybersecurity, we consider spoofing, denial of service, and privilege escalation.
Different frameworks provide different perspectives: some focus on attacker behavior, some on risk scoring, and some on automation.
Threat Modeling Frameworks Deep Dive
STRIDE
- Purpose: Identify different categories of threats.
- How: Six categories: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege.
- Best For: Developers designing new systems.
- Example: Protecting a login form from spoofing and privilege escalation.
MITRE ATT&CK
- Purpose: Map real-world attacker behaviors.
- How: Knowledge base of Tactics → Techniques → Procedures (TTPs).
- Best For: SOC teams, detection engineering, incident response.
- Example: Mapping a phishing campaign to Initial Access and Execution tactics in the MITRE matrix.
PASTA (Process for Attack Simulation and Threat Analysis)
- Purpose: A risk-centric, 7-step methodology for aligning business impact with technical risks.
- How: Simulates attacks, evaluates impact, and guides mitigation.
- Best For: Enterprises needing a business-aligned risk analysis.
- Example: An e-commerce site simulating SQL injection and measuring impact on revenue.
CVSS (Common Vulnerability Scoring System)
- Purpose: Standardize vulnerability severity scoring.
- How: Scores vulnerabilities (0–10) based on exploitability, impact, and complexity.
- Best For: Vulnerability management, patch prioritization.
- Example: A CVSS 9.8 vulnerability → urgent patch; CVSS 3.1 → lower priority.
TMaaC (Threat Modeling as Code)
- Purpose: Integrate threat modeling into DevSecOps pipelines.
- How: Use code (YAML/DSL) to model threats, automate checks in CI/CD.
- Best For: Agile teams, cloud-native systems.
- Example: Automatically generating a threat model when deploying a new microservice.
Frameworks Comparison
| Framework | Goal | Strength | Best For | Example Use Case |
|---|---|---|---|---|
| STRIDE | Identify threat categories | Simple, systematic | Developers | Designing a login system |
| MITRE ATT&CK | Map attacker behaviors | Real-world focus | SOC/Blue Teams | Phishing detection |
| PASTA | Risk-based simulation | Business alignment | Enterprises | E-commerce site analysis |
| CVSS | Score vulnerabilities | Global standard | Security managers | Patch prioritization |
| TMaaC | Automate threat modeling | DevSecOps-friendly | Agile teams | CI/CD threat integration |
Bringing All Together
No single framework solves everything. Instead, they complement each other:
- Use STRIDE during design.
- Use CVSS to prioritize vulnerabilities.
- Use MITRE ATT&CK to understand attacker behavior.
- Use PASTA for business-level risk assessment.
- Use TMaaC to bring it all into your DevOps pipelines.
Together, these frameworks form a toolbox for thinking like an attacker, defending like a pro, and scaling security across teams.
Conclusion
Back to our banking app—would you start with STRIDE to identify possible threats, or rely on MITRE ATT&CK to map out attacker behaviors?
The right answer depends on context. The important thing is knowing that frameworks exist to guide you through the complexity of cybersecurity.
If you’re new, start small with STRIDE or CVSS. As your security practice matures, explore MITRE ATT&CK, PASTA, and TMaaC.
You may also like:
The earlier you model threats, the stronger your defenses will be. — Dan.C
tags: threat-modeling - STRIDE - MITRE - PASTA - CVSS - TMaaC - security