
1.10 Domain 1 · Security & Risk Management

Threat Modeling

Apply threat modeling concepts and methodologies

The Concept

Three threat modeling frameworks to know for the exam:

STRIDE (Microsoft) — software/application threats: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege.
OCTAVE (Carnegie Mellon) — organizational/enterprise risk assessment, self-directed by management.
VAST (Visual, Agile, Simple) — integrates into DevOps/Agile workflows with visual outputs for both developers and executives.

The exam tests which framework fits which context. STRIDE for apps, OCTAVE for enterprises, VAST for Agile teams.

Each framework serves a different audience and context:

  • STRIDE is used during software design. Developers draw data flow diagrams and systematically check each component for each STRIDE threat category. It's granular and technical — ideal for identifying application-level vulnerabilities before code is written.
  • OCTAVE is a self-directed, organization-wide risk assessment. Management identifies critical business assets, evaluates threats and vulnerabilities across the enterprise, and develops a protection strategy. It's broad and strategic — not designed for individual applications.
  • VAST creates two parallel models: an application threat model for developers (based on process flow diagrams) and an operational threat model for infrastructure teams and executives (based on DFDs). It's designed to scale across Agile sprint cycles without slowing delivery.
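The STRIDE bullet above describes the mechanical core of the method: draw the DFD, then check every element against every applicable threat category. The following is an added example, not code from this course or from Microsoft; it encodes the standard STRIDE-per-element mapping used in Microsoft's SDL practice (external entity: S, R; process: all six; data store: T, R, I, D; data flow: T, I, D), which the page itself does not list, and flags flows that cross a trust boundary so they are reviewed first. The element names, trust zones and the browser/web app/database DFD are constructed for illustration.

```python
"""Minimal STRIDE-per-element enumerator over a data-flow diagram (DFD).

Added example, not from the original page. The APPLICABLE table is the
standard STRIDE-per-element mapping from Microsoft's SDL threat modeling
practice; the sample DFD, element names and trust zones below are constructed.
"""
from dataclasses import dataclass, field

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# Which STRIDE categories apply to which kind of DFD element (STRIDE-per-element).
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}


@dataclass
class Element:
    name: str
    kind: str                   # one of APPLICABLE's keys
    boundary: str = "internal"  # trust zone the element lives in (constructed labels)


@dataclass
class Flow:
    name: str
    src: Element
    dst: Element
    kind: str = field(default="data_flow", init=False)

    def crosses_boundary(self) -> bool:
        """A flow whose endpoints sit in different trust zones crosses a trust boundary."""
        return self.src.boundary != self.dst.boundary


def enumerate_threats(elements, flows):
    """Return (element_name, letter, category_name, note) for every applicable category.

    This is the 'systematically check each component' step: no judgement yet,
    just the full candidate list the design review then works through.
    """
    threats = []
    for el in elements:
        for letter in APPLICABLE[el.kind]:
            threats.append((el.name, letter, STRIDE[letter], ""))
    for fl in flows:
        note = ""
        if fl.crosses_boundary():
            note = f"crosses trust boundary {fl.src.boundary} -> {fl.dst.boundary}; review first"
        for letter in APPLICABLE[fl.kind]:
            threats.append((fl.name, letter, STRIDE[letter], note))
    return threats


def build_sample_dfd():
    """Constructed sample DFD: browser (untrusted) -> web app -> orders database."""
    browser = Element("Browser", "external_entity", boundary="internet")
    webapp = Element("Web App", "process", boundary="internal")
    db = Element("Orders DB", "data_store", boundary="internal")
    flows = [
        Flow("HTTPS request", browser, webapp),  # crosses internet -> internal
        Flow("SQL query", webapp, db),           # stays inside the internal zone
    ]
    return [browser, webapp, db], flows


def summarize(threats):
    """Count candidate threats per STRIDE category and how many sit on boundary-crossing flows."""
    per_cat = {name: 0 for name in STRIDE.values()}
    crossing = 0
    for _, _, cat, note in threats:
        per_cat[cat] += 1
        if note:
            crossing += 1
    return per_cat, crossing


if __name__ == "__main__":
    elements, flows = build_sample_dfd()
    threats = enumerate_threats(elements, flows)
    for name, letter, cat, note in threats:
        print(f"{name:14} {letter} {cat:24} {note}")
    print(summarize(threats))
```

Running it on the constructed DFD yields 18 candidate threats; the three on the HTTPS request flow are marked as crossing a trust boundary, which is where a design review normally starts. Real tools (pytm, OWASP Threat Dragon, Microsoft's Threat Modeling Tool) add mitigation tracking and richer element types, but the enumeration loop is the same idea.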

Key distinction: STRIDE and OCTAVE require dedicated workshops outside the development cycle. VAST is the only framework explicitly designed to run inside Agile sprints.

Framework   Origin           Focus                Best For                Audience
STRIDE      Microsoft        Software threats     Application design      Developers
OCTAVE      Carnegie Mellon  Organizational risk  Enterprise assessment   Management
VAST                         Agile integration    DevSecOps pipelines     Developers + Executives
Key Takeaway

Threat modeling happens during DESIGN, not after deployment. If the answer says "model threats during testing" or "after go-live" — it's wrong. The purpose of threat modeling is to identify threats before they're built into the system. Remediation during design is orders of magnitude cheaper than post-deployment fixes.

Scenario: Choosing the Right Framework
SaaS company · Agile development · 12 sprint teams

The security team is choosing a threat modeling framework for the entire organization.
Lead Dev: "Let's just use STRIDE for everything. It's thorough, well-documented, and our engineers already know it."
Security Dir: "STRIDE is great for our applications, but it's too narrow for enterprise risk. It won't help us assess risks to our vendor supply chain or physical infrastructure."
Lead Dev: "What about OCTAVE then? It covers everything."
Security Dir: "OCTAVE requires dedicated workshops with management — it's too heavy for our 2-week sprint cycles. We'd never keep up. VAST gives us visual threat models that fit inside sprints, with separate dashboards for your engineers and our executives."
Lead Dev: "So VAST for the org, STRIDE when we need deep dives on specific apps?"
Security Dir: "Exactly. Match the framework to the context."
Real Talk — Career Context

In practice, most organizations use a hybrid approach: STRIDE for deep-dive application security reviews, and VAST or a lightweight process for day-to-day sprint integration. Few organizations do pure OCTAVE unless they're running a formal enterprise risk assessment program.

On the exam: The question will describe a specific context (app design, enterprise risk, Agile team) and expect you to match it to the right framework. Don't overthink — match the audience and workflow.

Your organization is shifting from waterfall to Agile. The security team currently uses STRIDE for all threat modeling. Development teams are complaining that STRIDE workshops take too long and don't fit sprint timelines. You need to decide on the path forward.

Option A
Mandate STRIDE for all teams

STRIDE is the most technically thorough framework for software threats. Don't compromise security rigor for development speed.

Option B
Adopt VAST for Agile integration

Security must enable business processes. VAST is designed for Agile workflows and provides visibility for both developers and executives.

Option B is correct — security enables the business

Option B: A security framework that developers resist and skip is worse than a slightly less thorough framework they actually use. VAST was designed specifically for Agile environments. If the business uses Agile, security must integrate into that workflow — not fight against it.

Option A's kernel of truth: STRIDE is technically excellent for deep application threat analysis. It can still be used for high-risk components that warrant dedicated security reviews. But mandating it as the only approach in an Agile org creates friction and non-compliance.

On the exam: "Think like a manager" means enabling business objectives while managing risk. Security that blocks business processes is itself a risk.

Threat modeling after code is written
Threat modeling belongs in the design phase, not during testing or after deployment. If a question describes identifying threats during code review, penetration testing, or post-launch — that's vulnerability assessment or security testing, not threat modeling. Threat modeling is proactive; testing is reactive.
Why it's tempting: Both involve finding threats. But the timing and purpose are fundamentally different.
Confusing framework audiences
STRIDE is for developers (application-level threats). OCTAVE is for management (organizational risk assessment). VAST is for Agile teams (developers + executives). The exam will describe a team and ask which framework fits. If the question mentions "enterprise-wide risk assessment by senior management" — that's OCTAVE, not STRIDE.
Why it's tempting: All three frameworks deal with "threats." The differentiator is who uses them and at what scope.
Exam Signal

When you see a context description + "which methodology": Match the context to the framework. Agile/DevOps + visual outputs = VAST. Application design + developer audience = STRIDE. Enterprise-wide + management-led = OCTAVE. The exam rarely asks you to explain a framework — it asks you to select the right one for a described situation.

Quick Check — End of 1.10
An organization needs threat modeling integrated into Agile sprints with outputs for both developers and executives. Which methodology is MOST appropriate?
  • A STRIDE
  • B OCTAVE
  • C PASTA
  • D VAST

Correct: D. VAST (Visual, Agile, Simple Threat) is specifically designed for Agile environments and produces visual outputs for both technical and executive audiences. STRIDE is app-focused for developers only. OCTAVE is enterprise-wide but too heavy for sprints. PASTA is a risk-centric 7-stage process not designed for Agile integration.

Disclaimer: This content is provided for educational and exam preparation purposes only. It is not official ISC2 content, is not endorsed by ISC2, and does not guarantee exam success. All practice questions are original and based on published exam objectives. Always refer to the official ISC2 CISSP Exam Outline as your primary reference.