Threat Modeling Blog
Threat modeling guides, best practices, and product deep-dives.
What is Threat Modeling and Why Does It Matter?
A plain-language guide to threat modeling — what it is, why every team needs it, and how to get started with STRIDE, PASTA, and LINDDUN.
Threat Modeling: How to Build a Data Flow Diagram (DFD) for Threat Modeling
Step-by-step guide to drawing a DFD: processes, data stores, external entities, trust boundaries, and how they map to STRIDE threat categories.
Threat Modeling: From Threat Model to Risk Register — Closing the Loop with ThreatTree
How to turn a completed threat model into an actionable, shareable risk register — and keep it alive as a living document, not a one-time audit.
Security Standards: Why Your Risk Register Needs to Speak ISO 27001 — And How Threat Modeling Gets You There
ISO 27001 is methodology-neutral — it tells you what to document, not how to find risks. Here's how threat modeling fills that gap and produces a register auditors and security teams can both use.
Risk Management: The CVSS Trap: Why Vulnerability Severity Scores Break Down In Your Environment
CVSS scores measure exploitability in a generic context, not risk in your specific architecture. Here's why they mislead patch prioritisation — and how attack trees give you a more defensible picture.
Compliance: Closing the SOC 2 Evidence Gap: Threat Models as Living Compliance Documentation
SOC 2 auditors want continuous evidence of risk management — not a spreadsheet refreshed once a year. Here's how living threat models satisfy TSC CC3.2, CC3.3, and CC9.2.