Schedule a Free 10-Day Evaluation to Start Your Threat Modeling Journey with ThreatModeler

When selecting a threat modeling solution, it is essential for businesses to understand that not all threat modeling solutions are the same. There are various threat modeling methodologies used for enhancing IT cybersecurity practices, each with varying outputs. CISOs and other IT experts will want to understand which method aligns with their specific business goals and objectives best to maximize its effectiveness.

Here are five commonly used threat modeling methodologies to help educate decision makers about the available options:


One of the first threat modeling methodologies created, Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), focuses on assessing operational risk and security practices rather than technology. This methodology uses a self-directed approach, meaning creating and implementing security strategies falls directly on internal IT teams.

This highly customizable approach allows organizations to direct, prioritize, and manage security practices for themselves, making OCTAVE threat modeling useful for creating risk-aware corporate cultures.


In 1999, Microsoft introduced the STRIDE threat modeling methodology for Windows software developers to identify security threats during the design process of applications. These security threats include Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege. Security teams can use threat models to check applications against the STRIDE threat classification scheme to identify and mitigate security risks.

Learn More: ThreatModeler vs. TMT – Realistic Threat Modeling


PASTA threat modeling is a seven-step Process for Attack Simulation and Threat Analysis. This risk-centric methodology aligns business objectives with technical requirements to provide organizations asset-centric mitigation strategy. PASTA allows security experts to understand the attacker perspective on applications and infrastructure better, and then develop threat management, enumeration, and scoring processes.

The risk and business impact analysis aspect of PASTA threat modeling can elevate into a strategic business exercise for key decision makers rather than just a software development practice for IT teams.


The Trike threat modeling methodology uses a unique security auditing process from the perspective of risk management. Before security teams create threat models, stakeholders collectively assign accepted levels of risk to each asset class, creating a “requirements model.” After analyzing the requirements model, security experts produce a threat model.

Threats are then enumerated, and appropriate risk values are assigned from which users create attack graphs and controls to address prioritized threats. Finally, a risk model is generated based on asset, roles, actions, and calculated risk exposure.


The VAST methodology is an acronym for Visual, Agile, and Simple Threat modeling. In today’s world, threat modeling methodologies are only viewed as effective if it scales across the infrastructure and entire DevOps portfolio, integrates seamlessly into an Agile environment, and provides actionable outputs for key stakeholders, with or without IT expertise.

Automation, integration, and collaboration are the three pillars of scalable threat modeling that are foundational to the VAST methodology. These processes help establish a sustainable self-service threat modeling practice driven by DevOps teams that scale across thousands of threat models.

To provide actionable outputs for key stakeholders, VAST addresses differing security concerns of development and infrastructure teams using two types of threat models. Application threat models help development teams to address security concerns when designing applications, while operational threat models allow infrastructure teams to visualize and mitigate threats across an organization’s infrastructure. Specific security expertise is not required when creating or using these threat models due to unique application and infrastructure visualization schemes like process flow diagrams.

Comparison: Application Threat Modeling vs Operational Threat Modeling

The VAST methodology is ideal for enterprise businesses seeking actionable threat models that are unique to the needs of various stakeholders. ThreatModeler, the first commercially available automated threat modeling tool, utilizes the VAST methodology to identify threats based on a customizable, comprehensive threat library. The tool is intended for collaborative use across all organizational stakeholders.

Threat Modeling Methodologies

ThreatModeler is the #1 automated threat modeling solution that protects an enterprise’s SDLC by identifying, predicting and defining threats. Security and DevOps teams are empowered to make proactive decisions and minimize overall risk using holistic views of the attack surface.

Redefine your idea of the capabilities of enterprise threat modeling and experience the power of automated threat modeling. Complete the form to sign up for a free evaluation.