Virantis logoVirantis

Threat Modeling Glossary

Plain-English definitions of the terms behind threat modeling, STRIDE, PASTA, and secure-by-design development.

Threat Modeling

A structured process for identifying, analyzing, and mitigating security threats to a system before they can be exploited.

STRIDE

A threat modeling framework that classifies threats into six categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.

PASTA

Process for Attack Simulation and Threat Analysis — a risk-centric, business-aligned threat modeling methodology with seven stages.

Data Flow Diagram (DFD)

A diagram that maps how data moves through a system — its processes, data stores, flows, and external entities — used as the basis for threat modeling.

Trust Boundary

A point in a system where the level of trust changes — and where data should be validated, because it is a prime location for threats.

Attack Surface

The total set of points where an attacker could try to enter, extract data from, or otherwise interact with a system.

Shift-Left Security

The practice of moving security activities earlier in the software development lifecycle, so issues are caught during design and coding rather than after release.

DevSecOps

An approach that integrates security practices into DevOps, making security a shared, automated responsibility across the development lifecycle.

DREAD

A risk-rating model that scores threats across five factors: Damage, Reproducibility, Exploitability, Affected users, and Discoverability.

LINDDUN

A privacy-focused threat modeling methodology covering Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, and Non-compliance.

Secure SDLC (SSDLC)

A secure software development lifecycle that builds security activities — including threat modeling — into every phase of development.

Attack Tree

A tree diagram that models how an attacker could reach a goal, with the goal at the root and attack methods as branches.

MITRE ATT&CK

A globally accessible knowledge base of real-world adversary tactics and techniques, used to ground threat modeling in how attackers actually operate.

CI/CD Threat Modeling

Embedding threat modeling into the CI/CD pipeline so security analysis runs automatically as code is built, tested, and shipped.