CISSP · Security and Risk Management · 11 min read · 15 May 2026
Threat Modeling Methodologies: STRIDE, PASTA, and DREAD for CISSP
Threat modeling is the structured process of identifying, categorising, and prioritising threats to a system or application before — or during — its design. For the CISSP exam, threat modeling is tested as an architectural and governance activity, not a technical implementation task. The exam rewards candidates who understand which methodology to apply in a given context and how threat modeling feeds into the broader risk management process.
This article covers the three most exam-relevant threat modeling methodologies: STRIDE, PASTA, and DREAD. It also explains when each is appropriate and how STRIDE maps to security properties — a pattern the exam tests directly.
What Is Threat Modeling and Why It Matters Architecturally
Threat modeling is a proactive security activity. Rather than waiting for a vulnerability to be discovered or exploited, threat modeling asks: given this system design, what could go wrong, who would cause it, and how?
The output of threat modeling informs security requirements, architecture decisions, control selection, and testing priorities. When performed early in the software development lifecycle — ideally during design, not implementation — threat modeling is one of the most cost-effective security investments an organisation can make. Fixing a design flaw identified in threat modeling costs significantly less than remediating a vulnerability discovered in production.
For the CISSP, threat modeling is part of the secure design principles covered in Domain 1 (risk management) and Domain 3 (security architecture). The exam tests whether candidates understand that threat modeling is an architectural activity that requires both technical and business context.
STRIDE: Microsoft's Threat Classification Model
STRIDE is a threat categorisation framework developed by Microsoft in the late 1990s. It identifies six categories of threats and maps each to a violated security property. The name is an acronym:
Spoofing threatens Authenticity. A spoofing attack involves impersonating another user, system, or process. Examples include ARP poisoning (impersonating a gateway), email spoofing (forging the From field), and IP spoofing (forging the source address of packets). The security property violated is authenticity — the assurance that a communication or identity is genuine.
Tampering threatens Integrity. A tampering attack involves unauthorised modification of data or code. Examples include man-in-the-middle attacks that alter data in transit, SQL injection that modifies database records, and malware that alters executable files. The security property violated is integrity.
Repudiation threatens Non-Repudiation. A repudiation threat involves the ability of a user or attacker to deny having performed an action. Examples include deleting audit logs after an attack, using anonymising networks to obscure identity, and failing to implement digital signatures on transactions. The security property violated is non-repudiation.
Information Disclosure threatens Confidentiality. An information disclosure attack involves exposing data to unauthorised parties. Examples include unencrypted data in transit, overly permissive file ACLs, verbose error messages that reveal system internals, and SQL injection that extracts data. The security property violated is confidentiality.
Denial of Service threatens Availability. A DoS attack prevents legitimate users from accessing resources. Examples include flooding attacks (volumetric DDoS), resource exhaustion (SYN flood), and application-layer attacks targeting specific functionality. The security property violated is availability.
Elevation of Privilege threatens Authorisation. An elevation attack involves gaining capabilities beyond what is authorised. Examples include exploiting buffer overflows to gain kernel privileges, abusing misconfigured sudo rules, and exploiting broken access controls in web applications. The security property violated is authorisation (the enforcement of what an authenticated user may do).
For the exam, the STRIDE-to-security-property mapping is directly tested. Memorise: Spoofing → Authenticity, Tampering → Integrity, Repudiation → Non-Repudiation, Information Disclosure → Confidentiality, Denial of Service → Availability, Elevation of Privilege → Authorisation.
STRIDE is most commonly applied to data flow diagrams (DFDs) — a graphical representation of how data moves through a system. Each element in the DFD (processes, data stores, data flows, external entities) is evaluated against each STRIDE category to identify applicable threats. This systematic approach ensures comprehensive coverage rather than relying on analyst intuition.
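The following Python script is an added illustration of the per-element walk described above; it is not from this article or from any Microsoft tooling. The data flow diagram it analyses is a constructed five-element web application, and the per-element applicability table is an assumption based on the STRIDE-per-element chart used in Microsoft SDL threat modelling practice; pass full_cross_product=True to get the exhaustive element-by-category evaluation exactly as the text describes.

```python
# Added example: enumerating STRIDE threats for every element of a DFD.
# Not from the article; the DFD below is constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# STRIDE category -> security property it threatens (the article's mapping).
STRIDE: Dict[str, str] = {
    "Spoofing": "Authenticity",
    "Tampering": "Integrity",
    "Repudiation": "Non-Repudiation",
    "Information Disclosure": "Confidentiality",
    "Denial of Service": "Availability",
    "Elevation of Privilege": "Authorisation",
}

# Which STRIDE categories are normally relevant to each DFD element type.
# Assumption: this follows the STRIDE-per-element chart from Microsoft's SDL
# practice; it narrows the full cross product to the pairs usually worth
# analysing (e.g. a data flow cannot itself elevate privilege).
APPLICABLE: Dict[str, List[str]] = {
    "external_entity": ["Spoofing", "Repudiation"],
    "process": list(STRIDE),  # processes are exposed to all six categories
    "data_flow": ["Tampering", "Information Disclosure", "Denial of Service"],
    "data_store": ["Tampering", "Repudiation", "Information Disclosure",
                   "Denial of Service"],
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                       # one of the APPLICABLE keys
    crosses_boundary: bool = False  # set on flows that cross a trust boundary


def enumerate_threats(dfd: List[Element],
                      full_cross_product: bool = False) -> List[Tuple[str, str, str]]:
    """Return (element, STRIDE category, violated property) triples.

    With full_cross_product=True every element is checked against all six
    categories, as the article describes; otherwise the per-element chart
    drops pairs that rarely apply, so the analyst's checklist stays focused."""
    threats = []
    for el in dfd:
        categories = list(STRIDE) if full_cross_product else APPLICABLE[el.kind]
        for cat in categories:
            threats.append((el.name, cat, STRIDE[cat]))
    return threats


def boundary_flows(dfd: List[Element]) -> List[str]:
    """Flows crossing a trust boundary; these are reviewed first because
    the data leaves the zone where the sender's controls apply."""
    return [el.name for el in dfd if el.kind == "data_flow" and el.crosses_boundary]


# Constructed sample DFD for a small web application.
SAMPLE_DFD = [
    Element("Browser user", "external_entity"),
    Element("HTTPS request", "data_flow", crosses_boundary=True),
    Element("Web app", "process"),
    Element("DB query", "data_flow"),
    Element("Orders DB", "data_store"),
]

if __name__ == "__main__":
    for name, cat, prop in enumerate_threats(SAMPLE_DFD):
        print(f"{name:14s} {cat:24s} -> threatens {prop}")
    print("Boundary-crossing flows:", boundary_flows(SAMPLE_DFD))
```

Each row of the output is a candidate threat to confirm or dismiss for that element; the mapping column tells the analyst which security property a countermeasure must restore, which is what makes the STRIDE checklist directly actionable for a development team.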
PASTA: Process for Attack Simulation and Threat Analysis
PASTA is a risk-centric threat modeling methodology that aligns threat modeling with business objectives and risk management. Unlike STRIDE, which is primarily a technical classification framework, PASTA is designed to bridge business and technical perspectives.
PASTA consists of seven stages:
Stage 1: Define Objectives. Identify the business and security objectives for the system being modelled. What data does it handle? What are the regulatory requirements? What is the acceptable risk level?
Stage 2: Define the Technical Scope. Identify the technical components, infrastructure, and dependencies within scope.
Stage 3: Application Decomposition. Break down the application into components: data flows, entry points, trust boundaries, and assets. This produces artefacts similar to STRIDE's DFDs.
Stage 4: Threat Analysis. Identify current threats from threat intelligence sources. What attacker groups target similar systems? What techniques do they use?
Stage 5: Weakness and Vulnerability Analysis. Identify existing vulnerabilities in the components identified in Stage 3.
Stage 6: Attack Modelling. Simulate realistic attack scenarios that combine the threats from Stage 4 with the vulnerabilities from Stage 5.
Stage 7: Risk and Impact Analysis. Quantify the risk of each attack scenario in terms of business impact and likelihood, then prioritise remediation.
PASTA is particularly valuable in mature security programmes that have threat intelligence capabilities and need to connect technical threat analysis to business risk quantification. It is more complex and resource-intensive than STRIDE, but produces outputs that are directly usable by executives for risk-based decision-making.
For the exam: PASTA is risk-centric and business-aligned. It is the methodology to recommend when the question involves connecting threat analysis to business impact or executive decision-making.
DREAD: Attacker-Centric Risk Scoring
DREAD is a risk scoring model that quantifies the severity of a threat by scoring it across five dimensions. Like STRIDE, the name is an acronym:
Damage Potential: How significant is the impact if the threat is realised? (1-10 scale)
Reproducibility: How easily can the attack be repeated? A reliable, repeatable attack scores higher.
Exploitability: How difficult is it to launch the attack? Low skill requirement and freely available tools increase the score.
Affected Users: How many users or systems are impacted?
Discoverability: How easily can the vulnerability be found by an attacker?
Each dimension is scored 1-10 and the scores are averaged to produce a DREAD score. Higher scores indicate higher-priority threats.
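The Python below is an added worked example of the scoring rule just described (score each of the five dimensions 1-10, average, rank highest first); it is not from the article and does not reproduce any Microsoft tool. The three threats and their scores are constructed, and the tie-break on Damage Potential is a design choice of this example rather than part of DREAD.

```python
# Added example: DREAD scoring and ranking of already identified threats.
# Not from the article; the threats and scores below are constructed.
from dataclasses import dataclass, astuple
from typing import Dict, List, Optional, Tuple

DIMENSIONS = ("damage", "reproducibility", "exploitability",
              "affected_users", "discoverability")


@dataclass(frozen=True)
class DreadScore:
    damage: int           # Damage Potential
    reproducibility: int  # Reproducibility
    exploitability: int   # Exploitability
    affected_users: int   # Affected Users
    discoverability: int  # Discoverability

    def __post_init__(self) -> None:
        # Every dimension is scored 1-10; anything else is an input error,
        # so it is rejected rather than silently skewing the average.
        for name, value in zip(DIMENSIONS, astuple(self)):
            if not 1 <= value <= 10:
                raise ValueError(f"{name} must be 1-10, got {value}")

    def average(self) -> float:
        """The DREAD score: the mean of the five dimension scores."""
        return sum(astuple(self)) / len(DIMENSIONS)


def try_score(*values: int) -> Optional[DreadScore]:
    """Build a DreadScore, or return None when any dimension is out of range."""
    try:
        return DreadScore(*values)
    except ValueError:
        return None


def rank_threats(threats: Dict[str, DreadScore]) -> List[Tuple[str, float]]:
    """Return (threat name, DREAD score) pairs, highest priority first.

    Ties are broken by Damage Potential and then by name so the ordering is
    deterministic (the tie-break is this example's choice, not part of DREAD)."""
    return sorted(
        ((name, round(score.average(), 2)) for name, score in threats.items()),
        key=lambda item: (-item[1], -threats[item[0]].damage, item[0]),
    )


# Constructed sample: three threats a STRIDE pass might have produced.
SAMPLE_THREATS: Dict[str, DreadScore] = {
    "SQL injection in search": DreadScore(9, 10, 8, 9, 7),    # average 8.6
    "Verbose stack traces": DreadScore(3, 10, 10, 5, 9),      # average 7.4
    "Audit log deletion by admin": DreadScore(7, 6, 3, 9, 2),  # average 5.4
}

if __name__ == "__main__":
    for position, (name, score) in enumerate(rank_threats(SAMPLE_THREATS), 1):
        print(f"{position}. {name:30s} DREAD {score}")
```

Note how the verbose-error threat outranks the audit-log threat despite lower damage: its perfect reproducibility, exploitability and discoverability pull the average up. That is exactly the attacker-centric bias of DREAD, and the reason the scores are a prioritisation aid rather than a business-impact statement.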
DREAD was originally used internally at Microsoft but was eventually deprecated in favour of CVSS (Common Vulnerability Scoring System) for vulnerability prioritisation. Despite this, DREAD appears in the CISSP curriculum as an example of attacker-centric risk scoring.
For the exam: DREAD scores threats from the attacker's perspective to support prioritisation decisions. It is most relevant when the question involves ranking which threat to address first.
When to Apply Which Methodology
Exam scenarios often present a context and ask which threat modeling methodology is MOST appropriate. The selection logic is:
Use STRIDE when you need systematic, comprehensive threat identification across a system design. It is most effective early in development when creating or reviewing data flow diagrams. It is particularly valuable for development teams because the STRIDE-to-security-property mapping directly suggests countermeasures.
Use PASTA when you need to connect threat analysis to business risk and executive decision-making. It is most appropriate for mature programmes with access to threat intelligence and a need to quantify risk in business terms. It is valuable when presenting threat findings to non-technical stakeholders.
Use DREAD when you need to prioritise threats or vulnerabilities that have already been identified. It is a scoring and ranking tool, not an identification tool. Use it after STRIDE or PASTA has identified threats.
Threat Modeling in the Development Lifecycle
The CISSP exam emphasises that threat modeling should occur during the design phase, not after development is complete. This is consistent with the shift-left security principle: identifying and addressing security issues early dramatically reduces the cost of remediation.
In Agile development contexts, threat modeling can be incorporated into sprint planning and design sessions. For significant features or architectural changes, a brief threat modeling exercise should be conducted before implementation begins.
Threat models are living documents. They should be updated when the system changes significantly: new features, new integrations, new data types, or new threat intelligence that changes the threat landscape.
Exam Tip
STRIDE maps to security properties — Spoofing → Authenticity, Tampering → Integrity, Repudiation → Non-Repudiation, Information Disclosure → Confidentiality, Denial of Service → Availability, Elevation of Privilege → Authorisation. This mapping is directly tested. Also remember: threat modeling is an architectural activity that should be performed during design, and PASTA is the methodology to recommend when business risk alignment is required.