How-To Guide
How to do STRIDE threat modeling
STRIDE is one of the most widely used threat modeling frameworks. This guide walks through the six categories, the STRIDE-per-element chart, and a worked example you can copy. For the short definition, see the STRIDE glossary entry.
The six STRIDE categories
STRIDE is an acronym. Each letter is a category of threat that maps to a security property it violates:
| Threat | Violates | Example | Example mitigation |
|---|---|---|---|
| Spoofing | Authentication | An attacker logs in as another user | Strong authentication, MFA, session management |
| Tampering | Integrity | Modifying data in transit or at rest | TLS, input validation, integrity checks / signing |
| Repudiation | Non-repudiation | A user denies performing an action | Audit logging, tamper-evident logs |
| Information Disclosure | Confidentiality | Leaking PII from a database | Encryption, access controls, least privilege |
| Denial of Service | Availability | Flooding an API to take it offline | Rate limiting, quotas, autoscaling |
| Elevation of Privilege | Authorization | A normal user gains admin rights | Authorization checks, least privilege |
STRIDE threat modeling, step by step
1. Diagram the system. Draw a data flow diagram showing the four element types — external entities, processes, data stores, and data flows — and mark where data crosses trust boundaries.
2. Identify trust boundaries. Mark every point where the level of trust changes (user input, service-to-service calls, network edges). Threats concentrate here.
3. Apply STRIDE to each element. Walk each element and ask which of the six STRIDE threats apply, using the STRIDE-per-element chart below as a guide.
4. Document the threats. For each applicable threat, record what could happen, where, and the security property it violates.
5. Decide mitigations. For each threat, choose to mitigate, reduce, transfer, or accept the risk — and assign the concrete control.
6. Validate and iterate. Confirm the mitigations exist, then revisit the model whenever the system changes.
Steps 1 and 2 rely on a data flow diagram and trust boundaries — the foundation every STRIDE analysis builds on.
The STRIDE-per-element chart
You don't need to consider all six threats for every element. STRIDE-per-element maps each threat to the diagram element types it typically affects:
| Element | Applicable STRIDE threats |
|---|---|
| External entity | S, R |
| Process | S, T, R, I, D, E (all six) |
| Data store | T, R, I, D |
| Data flow | T, I, D |
(S = Spoofing, T = Tampering, R = Repudiation, I = Information Disclosure, D = Denial of Service, E = Elevation of Privilege.)
A worked example
Take a simple web app: a user (external entity) sends requests to a web service (process), which reads and writes a database (data store). A trust boundary sits between the user and the service. Applying STRIDE:
- Spoofing: An attacker authenticates as another user → require strong auth and MFA at the login flow.
- Tampering: A request is modified in transit → enforce TLS and validate all input server-side.
- Repudiation: A user denies making a change → write tamper-evident audit logs.
- Information Disclosure: The database leaks PII → encrypt at rest and apply least-privilege access.
- Denial of Service: The service is flooded → add rate limiting and autoscaling.
- Elevation of Privilege: A standard user reaches admin functions → enforce authorization checks on every action.
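As an added example (not part of the original guide), the following Python encodes the STRIDE-per-element chart and the step-by-step procedure above as a small checker and runs it over the worked web-app model: it enumerates the applicable threats per element, lists boundary-crossing elements first, and reports which threats still have no recorded control. The `Element` class, the element names and the control table are constructed for illustration.

```python
from dataclasses import dataclass

# STRIDE-per-element chart from the guide: element type -> applicable threat letters
STRIDE_PER_ELEMENT = {"external_entity": "SR", "process": "STRIDE",
                      "data_store": "TRID", "data_flow": "TID"}
# Threat letter -> (category, security property it violates)
CATEGORIES = {
    "S": ("Spoofing", "Authentication"),
    "T": ("Tampering", "Integrity"),
    "R": ("Repudiation", "Non-repudiation"),
    "I": ("Information Disclosure", "Confidentiality"),
    "D": ("Denial of Service", "Availability"),
    "E": ("Elevation of Privilege", "Authorization"),
}

@dataclass
class Element:                      # constructed DFD element for this example
    name: str
    kind: str                       # a key of STRIDE_PER_ELEMENT
    crosses_boundary: bool = False  # True for a flow that crosses a trust boundary

def enumerate_threats(elements):
    """Step 3: apply the chart to each element; boundary-crossing elements come first (step 2)."""
    threats = []
    for e in elements:
        for letter in STRIDE_PER_ELEMENT[e.kind]:
            category, prop = CATEGORIES[letter]
            threats.append({"element": e.name, "threat": category,
                            "violates": prop, "boundary": e.crosses_boundary})
    return sorted(threats, key=lambda t: not t["boundary"])

def unmitigated(threats, controls):
    """Step 6 check: threats with no recorded control. controls: {(element, threat): control}."""
    return [t for t in threats if (t["element"], t["threat"]) not in controls]

# Constructed model of the guide's worked example: user -> web service -> database
WEB_APP = [
    Element("user", "external_entity"),
    Element("web service", "process"),
    Element("database", "data_store"),
    Element("user -> web service", "data_flow", crosses_boundary=True),
    Element("web service -> database", "data_flow"),
]
CONTROLS = {  # controls recorded so far: the six from the worked example
    ("web service", "Spoofing"): "strong auth and MFA at login",
    ("user -> web service", "Tampering"): "TLS + server-side input validation",
    ("web service", "Repudiation"): "tamper-evident audit logs",
    ("database", "Information Disclosure"): "encryption at rest, least-privilege access",
    ("web service", "Denial of Service"): "rate limiting and autoscaling",
    ("web service", "Elevation of Privilege"): "authorization check on every action",
}
```

Calling `unmitigated(enumerate_threats(WEB_APP), CONTROLS)` shows that the six mitigations in the worked example cover only a third of the threats the chart yields for this model; the remaining twelve (for instance Spoofing of the external user and Tampering of the service-to-database flow) still need a decision under step 5.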
Common mistakes to avoid
- Skipping the diagram — without a DFD, threats get missed.
- Forgetting trust boundaries, where most real threats live.
- Treating it as one-and-done — re-run STRIDE whenever the system changes.
- Listing threats but never assigning concrete mitigations or owners.
How to automate STRIDE
Running STRIDE by hand in workshops doesn't scale to every release. With automated threat modeling, an agent infers the data flow diagram from your code, applies STRIDE per element automatically, and delivers prioritized findings — so STRIDE runs continuously instead of occasionally. See also STRIDE vs PASTA and the full threat modeling guide.
STRIDE on every change
Virantis runs STRIDE (and PASTA) automatically with agentic AI — no diagrams to draw. Request early access.
FAQ
What are the six STRIDE categories?
Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Each maps to a security property: authentication, integrity, non-repudiation, confidentiality, availability, and authorization respectively.
How do you apply STRIDE to a system?
Diagram the system as a data flow diagram, mark trust boundaries, then go element by element asking which STRIDE threats apply. The STRIDE-per-element chart tells you which categories are relevant to external entities, processes, data stores, and data flows.
What is STRIDE-per-element?
STRIDE-per-element is a shortcut that maps each STRIDE threat to the data flow diagram element types it typically affects, so you don't have to consider all six threats for every element. For example, processes are susceptible to all six, while data flows are mainly susceptible to Tampering, Information Disclosure, and Denial of Service.
Can STRIDE threat modeling be automated?
Yes. Tools — increasingly agentic AI — can infer the data flow diagram from code, apply STRIDE per element automatically, and produce prioritized findings, so STRIDE can run on every change instead of in occasional manual workshops.