Skip to main content
Secle

Threat Modeling

We model threats against the real architecture to find problems on a whiteboard, not in production.

The problem

Finding a design flaw on a whiteboard costs a meeting. Finding it in production costs an incident. Most teams design systems without explicitly asking where an adversary would get in, which assets they could compromise, and what trust boundaries are implicit in the design.

Our approach

We work from real diagrams of your architecture. We identify critical assets, adversary entry points, and trust boundaries. We model threats using proven methodologies (STRIDE, data flows) and prioritize mitigations by real risk, implementation cost, and exposure. The result isn't a document that gets filed away: it's a living model the team reuses when designing the next system.

How we use AI here

We use AI tools to suggest common threats based on architecture type and components. Prioritization, system-specific context analysis, and decisions about what to mitigate first are always made by a human with threat modeling experience. AI accelerates initial coverage; the person provides the judgment.

What we deliver

  • Living threat model (updatable diagrams + reasoning documentation)
  • Mitigation backlog prioritized by real risk, cost, and exposure
  • Reusable secure-design criteria for the team's future systems
  • Trust assumption register by component (what's assumed and what should be verified)
  • Recommendations integrated into the team's workflow (issues, ADRs, PR comments)

How we work

  1. 01We survey the architecture with the team: data flow diagrams, components, and current trust boundaries.
  2. 02We identify critical assets and possible adversary entry vectors.
  3. 03We model threats using STRIDE and prioritize by real risk, implementation cost, and exposure.
  4. 04We validate the model with the team: which trust assumptions are implicit? Which should be explicit or controlled?
  5. 05We deliver a living model + mitigation backlog. The process is usually run in short, iterative workshops, adapted to the team's pace.

Spec sheet

Includes
Modeling on real architecture (DFDs), identification of trust boundaries and vectors, STRIDE analysis, and mitigation prioritization by risk, cost, and exposure.
Deliverable
A living threat model, a prioritized mitigation backlog, and reusable secure-design criteria.
Who it's for
Teams building or redesigning systems where data, money, or high-impact decisions are at stake.

Example threat scenario

STRIDE TamperingLikelihood HighImpact Critical

Tampering in the payment authorization flow

Frontend → API Gateway → Authorization service

Threat description

The transaction amount is calculated on the client and travels unsigned to the authorizer. The trust boundary between the frontend and the authorizer has no active integrity control: the server assumes the received data wasn't tampered with.

Current state

There's no integrity validation on the server. The authorization service trusts the data coming from the frontend. The trust boundary is implicit in the design but neither documented nor controlled.

Recommended mitigation

Move the amount calculation to the authorization server. Implement HMAC signing on payment requests to guarantee integrity across the boundary crossing. Explicitly document the trust boundary in the data flow diagram.

Trust boundary

Frontend (low-trust zone) → API Gateway → Authorizer (high-trust zone). The crossing has no integrity verification mechanism at all.

Can your fundamentals survive an honest look?

A technical conversation, no sales script. We start with the basics done right, which is exactly what an attacker tries first.

[email protected]