July 5, 2016

Threat Model Chaining

Value of Building Threat Models and Threat Model Chaining

Every threat model is a standalone entity, detailing all the threats and risks to the components within the application. Understanding the threats to each shared component is important, as these components also interact internally with each other and externally with shared systems and infrastructure, such as single sign-on, databases and web servers. Understanding the entire application environment requires threat model chaining to provide the detailed insight into the interactions that occur between all of the application component threat models, the supporting systems and infrastructure.

Threat Model Chaining – Scalability and Visibility

Threat model chaining provides the ability to link all of the threat models together to provide a complete view of their interconnections and interdependencies. Visibility into these interdependencies allows for the rapid assessment of downstream impacts as a result of failure or compromise of a single element. For example, if single sign-on fails, the downstream impact would affect the application, shared systems and infrastructure.

Being able utilize threat model chaining ensures that the scalability necessary for enterprises whose applications may have hundreds or thousands of connections and interdependencies is available and enables them to see the entire picture.


  • Understand all of the interconnections and interdependencies between all of the components, systems and infrastructure.
  • Visualize the downstream impact of the failure of a single element.
  • Promotes reuse of common threat models.



Threat Model Chaining - ThreatModeler

In the image above, threat models have been built for the Online Banking and the Test applications. These threat models are included within the operational threat model diagram. This illustrates ThreatModeler’s chaining capabilities.

To learn more about threat model chaining with ThreatModeler please reach out to us and Schedule a Demo