STUB

Threat Modeling

The pattern: enumerate “what can go wrong?” before it does. STRIDE (Spoofing / Tampering / Repudiation / Information Disclosure / Denial of Service / Elevation of Privilege) is one frame. Attack trees enumerate paths. OWASP Top 10 is the list of known-bad. Apply per feature, per deployment, per external API surface — not as a one-time exercise.

The trade-off: upfront effort vs. retrofit cost. Threat modeling is slow; engineers want to ship. The cost of not modeling stays hidden until a breach or audit reveals a class of bug nobody looked for. The right cadence: build threat modeling into any feature that touches identity, data, or external integration. Skip purely internal refactors. The output is a short doc per surface, not a 40-page deliverable.
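As an added illustration (not part of the original notes), the sketch below applies the cadence rule and then enumerates STRIDE questions per element of a feature's data flow, producing the short per-surface doc. The STRIDE-per-element mapping is a common convention assumed here, and the feature, element names and tags are constructed samples.

```python
from dataclasses import dataclass

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information Disclosure", "D": "Denial of Service",
          "E": "Elevation of Privilege"}
# Assumed STRIDE-per-element convention: which categories apply to each kind
# of data-flow element. Repudiation on a data store matters mainly for logs.
APPLIES = {"external_entity": "SR", "process": "STRIDE",
           "data_store": "TRID", "data_flow": "TID"}
# Triage tags from the cadence rule: identity, data, external integration.
TRIGGERS = {"identity", "data", "external-integration"}

@dataclass
class Element:
    name: str
    kind: str  # a key of APPLIES
    crosses_trust_boundary: bool = False

@dataclass
class Feature:
    name: str
    tags: set
    elements: list

def needs_model(feature):
    """True when the feature touches identity, data, or an external integration."""
    return bool(feature.tags & TRIGGERS)

def enumerate_threats(feature):
    """Return (element, category) pairs, trust-boundary crossers first."""
    if not needs_model(feature):
        return []
    ordered = sorted(feature.elements, key=lambda e: not e.crosses_trust_boundary)
    return [(e.name, STRIDE[c]) for e in ordered for c in APPLIES[e.kind]]

def short_doc(feature):
    """Render the per-surface checklist: one open question per pair."""
    rows = enumerate_threats(feature)
    if not rows:
        return f"{feature.name}: skipped (no identity, data, or external surface)"
    lines = [f"Threat model: {feature.name}"]
    lines += [f"- [ ] {cat} against {elem}: mitigation?" for elem, cat in rows]
    return "\n".join(lines)

# Constructed sample features (hypothetical, for illustration only).
RESET = Feature("Password reset by email", {"identity", "external-integration"}, [
    Element("Reset-token store", "data_store"),
    Element("User browser", "external_entity", True),
    Element("Reset API", "process", True),
    Element("API to email provider flow", "data_flow", True)])
REFACTOR = Feature("Rename internal module", {"refactor"}, [])

if __name__ == "__main__":
    print(short_doc(RESET), short_doc(REFACTOR), sep="\n\n")
```

Each unchecked line is a question for the feature's owner to answer with a mitigation or an accepted risk; the checklist is the starting point for the doc, not the finished model.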

Deepens in Year 2 Phase 10: AWS Deep Dive (cloud IAM surface) and reaches DEEP in Year 5 Phase 29: AI Surface — applying STRIDE-style thinking to the agent + LLM attack surface (OWASP LLM Top 10) on basecamp is where this earns DEEP.

  • least-privilege — Elevation of Privilege in STRIDE is the threat that least-privilege most directly answers.
  • zero-trust-security — Spoofing and lateral-movement threats are the surface zero-trust is designed for.
  • defense-in-depth — threat models tell you which layers a given surface actually needs.
  • secrets-lifecycle — Information Disclosure drives most secrets-lifecycle decisions.
  • zero-trust-networking — the network-side answer to the same threats.
  • platform-as-product — a platform should ship a threat-model template alongside its golden path.