Vulnsy
Guide

What Is a Threat Model? a Practical Guide for Pentesters

By Luke Turvey31 May 202616 min read
What Is a Threat Model? a Practical Guide for Pentesters

A lot of pentests start with a familiar problem. You get handed a URL, a scope list, maybe a short note about “critical functionality”, and then you spend the first chunk of the engagement working out what matters most. That usually leads to broad testing, scattered notes, and a report full of valid findings that still misses the architectural weakness the client really needed you to uncover.

A threat model fixes that.

For pentesters, it isn't just a design document for developers. It's a working map of the system, the trust boundaries inside it, the assets worth protecting, and the attack paths most likely to matter. When you have that map before you test, you waste less time proving low-value issues and spend more time where compromise is realistic, damaging, and reportable.

What Is a Threat Model and Why Does It Matter

A threat model is a structured risk assessment. In NIST's definition, it models both attack and defence aspects of a logical entity such as data, an application, a host, a system, or an environment. In practice, that means identifying assets, trust boundaries, attackers, and likely attack paths so security controls can be designed before deployment. OWASP and Tufts add something important: a mature model should produce a prioritised list of security improvements and a validation step, which makes it useful rather than decorative (NIST threat modelling glossary).

That formal definition matters, but the practical version matters more. If you're asking what is a threat model, think of it as the document that answers four useful questions before testing starts:

  • What are we protecting
  • Who can reach it
  • How could they misuse it
  • What controls should already be in the way

Without that structure, pentesting often becomes an inventory exercise. You enumerate, fuzz, authenticate, poke at endpoints, and collect issues. With a threat model, the same technical work becomes more directed. You know which workflows deserve deeper abuse-case testing and which parts of the estate are lower value.

Why pentesters should care

Threat modelling is usually described as a design-time activity. That's correct, but incomplete. It also sharpens offensive testing. A system that processes payments, stores credentials, or exposes admin workflows doesn't need equal effort across every endpoint. It needs targeted effort around the places where trust changes hands.

Practical rule: If you can't explain the application's trust boundaries in a sentence or two, you're probably still too early in testing to judge which findings matter most.

This is also where threat modelling overlaps with risk assessment. A pentest finding becomes more useful when it sits inside a clear system narrative. If you need a broader framing of how teams evaluate likelihood, impact, and control gaps, Vulnsy's guide to risk assessment in security work is a useful companion.

What it changes in real engagements

A good threat model changes the quality of your questions. Instead of “What endpoints exist?”, you ask “Where can an untrusted user influence a privileged action?” Instead of “Is there IDOR anywhere?”, you ask “Which object references cross tenant or role boundaries?” That shift is where stronger findings come from.

The result isn't just a cleaner test plan. It's a better report, because each finding ties back to a meaningful attack path instead of appearing as an isolated bug.

Understanding the Core Components of a Threat Model

Threat models look complicated when people jump straight to named frameworks. The easier way to understand them is to break them into parts. If you were securing a physical building, you'd ask what valuables are inside, who can enter, where the checkpoints are, and what happens if someone bypasses them. The same logic applies to software.

A diagram illustrating the five core components of a threat model: assets, threats, vulnerabilities, controls, and risks.

In UK practice, that framing is close to how the NCSC treats threat modelling: a practical design activity that helps teams identify what could go wrong, prioritise risks, and decide which mitigations to build before deployment. The same view also expects teams to document assumptions, threats, mitigations, validation steps, trust boundaries, and a prioritised list of improvements (Tufts summary of threat modelling concepts aligned with NCSC-style practice).

Assets and what actually matters

An asset is anything worth protecting. That includes obvious targets like customer data and credentials, but also less obvious ones like admin workflows, deployment pipelines, audit logs, signing keys, and business-critical processes.

Junior testers often think in terms of vulnerable components. Senior testers think in terms of assets first.

A login endpoint matters because it protects session issuance. A file upload matters because it may give access to processing infrastructure. A support dashboard matters because staff workflows often bypass controls imposed on end users.

Trust boundaries and data flows

A trust boundary is where the system changes its assumptions. User browser to web app. Public API to internal service. Normal user to admin-only function. Third-party identity provider back into your session layer.

These boundaries are where interesting bugs live.

Data flows show how information moves between components. Even a rough sketch helps. Browser sends credentials to app. App calls identity service. Identity service returns token. App reads customer records from storage. Payment action triggers message queue. Queue wakes worker.

Once you lay that out, attack paths become more obvious. Untrusted input enters here. A privileged action happens there. That token crosses two systems. That worker processes data without user context.

A vague architecture creates vague testing. A simple diagram usually reveals more than another hour of endpoint enumeration.

Threats, vulnerabilities, controls, and risk

These four terms get mixed together, but they aren't the same.

Component What it means in practice Example question
Threats Things that could go wrong Can a user impersonate another account?
Vulnerabilities Specific weaknesses that enable compromise Is object access checked server-side?
Controls Measures that prevent, detect, or limit harm Is there authorisation on every request path?
Risk The combined effect of likelihood and impact If this fails, what does the attacker gain?

A common failure is producing a neat diagram with no decisions attached. A useful threat model ends with a prioritised set of changes. That could mean adding server-side access control checks, isolating a service account, tightening file handling, or changing the pentest scope to spend more time on a fragile trust boundary.

Exploring Common Threat Modelling Methodologies

There isn't one perfect methodology. Different models are better for different jobs. The mistake is treating the methodology itself as the goal. It isn't. The goal is to find realistic attack paths and turn them into action.

A table comparing common threat modelling methodologies including STRIDE, DREAD, PASTA, and LINDDUN with their key characteristics.

Mainstream guidance repeatedly points back to structured methods, especially STRIDE, for identifying spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege. That same body of guidance has also converged around a repeatable sequence: define objectives, model the system, identify threats, mitigate them, and validate the result. That matters because threat modelling is no longer an expert-only exercise. It's a standard security process with expected artefacts such as attack trees, data-flow diagrams, and prioritised mitigation lists (overview of common threat modelling methodologies).

STRIDE for software-heavy engagements

If you're testing web applications, APIs, or internal services, STRIDE is usually the fastest place to start.

It gives you six categories:

  • Spoofing asks whether someone can pretend to be another user, service, or system component.
  • Tampering focuses on unauthorised modification of data, messages, or state.
  • Repudiation deals with whether actions can be denied because logging or accountability is weak.
  • Information disclosure looks for data exposure.
  • Denial of service checks whether availability can be degraded or broken.
  • Elevation of privilege targets paths from low privilege to higher privilege.

For pentesters, STRIDE works because it maps cleanly to common test activity. Session handling, parameter tampering, broken access control, logging gaps, weak segregation, and privilege escalation all fit naturally.

PASTA when business impact matters early

PASTA is more risk-centric. It pushes you to connect attacker behaviour to business impact rather than stopping at technical misuse cases.

Use it when the client cares less about a long bug list and more about questions like:

  • Which attack paths threaten regulated data
  • Which abuse cases would disrupt service delivery
  • Which privileged workflows deserve manual validation

PASTA is useful in consulting work where you're trying to align test effort with a business process. If the system supports finance, healthcare, legal workflows, or customer administration, that extra context pays off.

Attack trees for explaining complex abuse paths

Attack trees are simple and still very effective. Start with a goal such as “obtain another tenant's records” or “execute admin action without admin role”. Then break down the paths that could achieve it.

That decomposition is valuable for both testing and reporting. It helps you distinguish between:

  • Single-step exploitation such as an exposed admin endpoint
  • Chained exploitation such as weak role checks plus token reuse plus missing audit controls
  • Conditional exploitation where compromise depends on internal access, user interaction, or another weakness

Attack trees are also easy for clients to understand. A DFD tells you where data moves. An attack tree tells you how compromise can happen.

VAST and other scaled approaches

In larger environments, teams often need something that can scale across many systems and delivery squads. That's where methods such as VAST can fit. The appeal isn't academic completeness. It's operational consistency. If multiple teams need to model threats in the same way, a scalable approach helps them produce comparable outputs.

For most pentest engagements, though, you don't need a heavy enterprise method to begin. You need enough structure to avoid blind spots.

Selection test: Pick the methodology that helps you ask better questions about the target system. If the method slows you down without improving the questions, it's the wrong one for that engagement.

If you want a cleaner way to think about structured methods in general, Humantext.pro's guide to methodology papers is worth reading. It's not a threat-modelling manual, but it does a good job of showing how formal methods become repeatable working practice instead of loose theory.

A practical combination that works well is this: use STRIDE to discover threats, then apply a risk lens to prioritise them. If you already score risk with DREAD or a similar approach, Vulnsy's article on the DREAD risk assessment model is a useful reference point for deciding what deserves deeper validation during a test.

A Practical Five-Step Threat Modelling Workflow

Teams often do not need a large workshop or a polished architecture board to get value from threat modelling. They need a workflow they can repeat. The strongest version is simple enough to run before a pentest starts and flexible enough to refine during the engagement.

A five-step diagram illustrating a threat modelling workflow, including scope, assets, threats, risk analysis, and mitigation.

A defensible UK-aligned interpretation is to treat threat modelling as a design-time control. The practical workflow is straightforward: model the system, identify threats such as spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege, then prioritise mitigations by likelihood and impact and validate them with testing (Black Duck overview of threat modelling practice).

Step 1 defines scope

Start by drawing a hard line around what you're modelling. If you don't, the exercise expands until nobody wants to maintain it.

A useful scope statement names:

  • The target system such as a customer portal, internal admin app, or public API
  • The key user roles such as anonymous user, authenticated user, support staff, administrator, external integration
  • The critical assets such as PII, payment actions, account recovery, document storage, privileged functions

A weak scope says “model the platform”. A strong scope says “model the customer login, account management, and document access flows for the web app and supporting API”.

Step 2 models the system

You don't need a beautiful diagram. You need a truthful one.

For an application test, a basic data-flow diagram might include:

  1. Browser sends requests to web application
  2. Web application calls identity provider
  3. Web application reads and writes to database
  4. Background worker processes uploaded files
  5. Admin portal shares the same backend API

That sketch already exposes interesting questions. Does the admin portal rely only on client-side role hiding? Does the file worker trust metadata from the browser? Can a token issued for one path be replayed against another?

Keep the model close to how the system actually behaves. If the architecture diagram says one thing and packet captures show another, trust the packets.

Step 3 identifies threats

Now apply a method. STRIDE is usually enough for application work.

Take the file upload flow as a quick example:

  • Spoofing could a user submit a job as another tenant
  • Tampering could metadata or file content alter downstream processing
  • Information disclosure could processed outputs leak files across tenants
  • Denial of service could oversized or malformed uploads block the worker
  • Elevation of privilege could the upload path trigger code execution in a more privileged component

At this point, don't argue too early about severity. First capture plausible attack paths.

Step 4 prioritises what deserves testing effort

Not every threat gets the same time budget. Prioritisation is where the model becomes operational.

A quick working table helps:

Threat Why it matters Test depth
Cross-tenant document access Direct confidentiality impact Deep manual testing
Worker crash from malformed upload Availability issue with limited blast radius Targeted validation
Missing audit trail in support actions Governance and investigation risk Confirm and document

Experienced testers make better trade-offs. A lower-level bug on a critical trust boundary can be more important than a noisy issue on a peripheral feature.

Step 5 documents mitigations and validation

A threat model isn't finished when threats are listed. It becomes useful when every important item has one of three outcomes: test it, mitigate it, or accept it with reasons.

That output can include:

  • Security improvements such as stricter authorisation, stronger separation between roles, or validation in a backend service
  • Testing notes that explain which attack paths were exercised during the pentest
  • Validation evidence such as screenshots, request traces, or proof that a suspected path was blocked by effective controls

A simple attack tree or DFD attached to the engagement notes often saves time later. When you write the report, you already have the context needed to explain not just what broke, but why it was a credible route to compromise.

Integrating Threat Models into Pentesting and Reporting

The biggest mistake people make is treating threat modelling as extra work that sits outside the pentest. In practice, it makes the pentest sharper.

A professional man with a beard and glasses working on a laptop at a wooden desk.

Common guidance often stops at the definition, but the main gap is operationalisation. OWASP frames threat modelling as a structured representation of security-relevant information that should include validation and actions taken. That matters because teams need outputs that are repeatable, auditable, and useful after the workshop. That pressure is especially real in the UK, where the Cyber Security Breaches Survey 2024 figures quoted by OWASP note that 50% of businesses and 32% of charities reported a cyber breach or attack in the last 12 months, with 70% of medium businesses and 74% of large businesses affected.

How threat models improve the test itself

A threat model helps you focus the engagement before you touch Burp Suite, custom scripts, or cloud consoles.

In practice, it changes scoping in three ways:

  • It points you at high-value workflows. Account recovery, delegated admin, file processing, payment actions, and API trust between services often deserve more effort than brochure features.
  • It reveals architecture-level attack paths. You stop looking only for isolated issues and start testing whether multiple small weaknesses combine into a meaningful compromise.
  • It improves negative testing. If the model shows a boundary between tenant data sets or privilege levels, you naturally test boundary failure instead of generic functionality.

That last point matters. Some of the best findings in an engagement don't come from exotic payloads. They come from understanding where the system should say no, then proving it doesn't.

How threat models improve the report

A report lands better when findings sit inside a visible attack story.

Instead of writing “Broken access control in endpoint X”, you can write something closer to this: the application allows an authenticated user to cross a tenant boundary in the document retrieval flow, which sits between the public user role and protected customer records. That wording is stronger because the threat model already identified the asset, the trust boundary, and the abuse path.

Useful artefacts to embed in a report include:

  • A simplified DFD that shows where untrusted input enters and where privileged processing occurs
  • A small attack tree that explains a chain, especially when no single issue looks dramatic in isolation
  • Assumptions and exclusions so the client understands what was or wasn't validated
  • Prioritised remediation notes tied to the risky path rather than just the vulnerable parameter

If you're mapping findings to adversary behaviour or presenting test coverage in a broader detection context, the MITRE ATT&CK framework overview can help anchor those explanations for clients and internal stakeholders.

This is also where reporting platforms matter. A modern workflow should let you attach the threat model artefacts directly to findings or methodology sections instead of leaving them in a separate slide deck. Vulnsy is one example of a reporting platform that can support this by storing reusable findings, attaching screenshots and proof material, and producing consistent client-ready outputs without the usual Word reformatting cycle. The practical benefit isn't marketing fluff. It's that architecture diagrams, attack paths, and validation evidence stay connected to the report rather than getting lost in analyst notes.

The best pentest reports don't just prove a bug exists. They prove why the bug matters in that system.

Making Threat Modelling a Repeatable Habit

Threat modelling works best when it stops being a special event.

You don't need a perfect model, a massive workshop, or a formal document for every engagement. Start with one feature, one service, or one risky workflow. Identify the asset, sketch the trust boundaries, list the plausible attack paths, and use that to guide your testing and reporting.

What good looks like over time

A repeatable habit usually has a few traits:

  • Short models get updated instead of abandoned
  • Threats link to testing activity instead of sitting in a backlog
  • Reports include context artefacts instead of only isolated findings
  • Teams refine assumptions after each engagement

If you're still asking what is a threat model, the practical answer is simple. It's the tool that helps you test with intent and report with context. That's valuable whether you're designing a new service, scoping a pentest, or trying to explain to a client why one flaw deserves immediate attention and another can wait.

Start small. Model the next login flow, file upload, admin action, or integration boundary you test. If you keep doing that, your testing gets sharper, your reports get stronger, and your recommendations become easier for clients to act on.

If you want a cleaner way to turn threat-model context, evidence, and findings into professional deliverables, Vulnsy gives pentesters and security teams a structured reporting workflow with reusable findings, evidence handling, and branded exports that fit real engagements.

what is a threat modelthreat modelling guidesecurity risk assessmentpentesting workflowstride methodology
Share:
LT

Written by

Luke Turvey

Security professional at Vulnsy, focused on helping penetration testers deliver better reports with less effort.

Related Articles

Master Web Application Testing: Pro Strategies for 2026
Guide

Master Web Application Testing: Pro Strategies for 2026

Master web application testing with a practical, step-by-step methodology. Learn to plan, execute, and report security tests like a pro.

16 min read30 May 2026
UK Compliance Reporting Requirements: A Practical Guide
Guide

UK Compliance Reporting Requirements: A Practical Guide

Master UK compliance reporting requirements. Our guide explains key frameworks (UK GDPR, ISO 27001), mandatory elements, and how to automate deliverables.

18 min read29 May 2026
Master Excel Report Automation Tools
Guide

Master Excel Report Automation Tools

Discover the best Excel report automation tools. Compare VBA, Power Query, & Office Scripts to streamline workflows and learn migration strategies.

16 min read28 May 2026

Ready to streamline your pentest reporting?

Start your 14-day trial today and see why security teams love Vulnsy.

Start Your Trial — $13

Full access to all features. Cancel anytime.