Getting Started

This guide walks you through the seven steps of the threat modelling tool. Each step builds on the previous one, so work through them in order for best results.


Before You Begin

Gather the following information before starting:

  • A system or feature to threat-model (start small — a single service or user journey is ideal)
  • A rough idea of the components involved (web server, database, third-party APIs, etc.)
  • 30–90 minutes of focused time (invite colleagues for the best results)

Step 1: Project Setup

Fill in the project name, a brief system description, and the scope.

Tips:

  • Keep the scope tight. “Customer login and authentication” is better than “the entire platform.”
  • The description doesn’t need to be long — two or three sentences is enough.
  • Choose the system type that best describes what you’re modelling.

Step 2: System Components

Add every significant part of your system. Think about:

  • Users and external actors — who initiates actions?
  • Applications — web frontends, mobile apps, desktop clients
  • Services and APIs — backend services, third-party integrations
  • Data stores — databases, caches, file storage, message queues

For each component, set a trust level:

  • High Trust — internal, privileged components (your own backend services)
  • Medium Trust — authenticated users or services with limited scope
  • Low Trust — third-party services you don’t fully control
  • Untrusted — the internet, anonymous users, external inputs

Minimum viable model: 3–5 components is enough to produce a useful threat analysis.


Step 3: Data Flows

Data flows describe how information moves between components. Focus on flows that:

  • Carry sensitive data (credentials, PII, financial records)
  • Cross trust boundaries (e.g. from the internet into your backend)
  • Are not encrypted or authenticated

For each flow, record:

  • Source and destination
  • What kind of data is transmitted
  • Whether it’s encrypted and authenticated
  • Whether it crosses a trust boundary

Tip: Data flows that cross trust boundaries are the most important to analyse. The tool automatically flags these.
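
The following is an added example, not the tool's own code, showing how the Step 2 trust levels and the Step 3 flow attributes combine into a review order. It assumes a flow crosses a trust boundary when its two endpoints have different trust levels, and it ranks flows by how many of the criteria above they meet; the component names, flows and the ranking rule are constructed for illustration.

```python
from dataclasses import dataclass

# Trust levels as listed in Step 2.
TRUST_LEVELS = ("High Trust", "Medium Trust", "Low Trust", "Untrusted")

@dataclass(frozen=True)
class Flow:
    source: str
    destination: str
    data: str
    sensitive: bool
    encrypted: bool
    authenticated: bool

def crosses_boundary(flow, components):
    """Assumed rule: endpoints with different trust levels imply a boundary."""
    src, dst = components[flow.source], components[flow.destination]
    if src not in TRUST_LEVELS or dst not in TRUST_LEVELS:
        raise ValueError(f"unknown trust level on {flow.source} -> {flow.destination}")
    return src != dst

def review_reasons(flow, components):
    """Return the Step 3 criteria this flow meets."""
    checks = [
        (flow.sensitive, "carries sensitive data"),
        (crosses_boundary(flow, components), "crosses trust boundary"),
        (not flow.encrypted, "not encrypted"),
        (not flow.authenticated, "not authenticated"),
    ]
    return [label for hit, label in checks if hit]

def prioritise(flows, components):
    """Flows meeting the most criteria first; flows meeting none are dropped."""
    scored = [(f, review_reasons(f, components)) for f in flows]
    scored = [(f, r) for f, r in scored if r]
    return sorted(scored, key=lambda fr: (-len(fr[1]), fr[0].source, fr[0].destination))

# Constructed sample model: a customer login journey.
COMPONENTS = {"Browser": "Untrusted", "Web Frontend": "Medium Trust",
              "Auth Service": "High Trust", "User Database": "High Trust",
              "Email Provider": "Low Trust"}
FLOWS = [
    Flow("Browser", "Web Frontend", "login credentials", True, True, False),
    Flow("Web Frontend", "Auth Service", "login credentials", True, True, True),
    Flow("Auth Service", "User Database", "password hash lookup", True, False, True),
    Flow("Auth Service", "Email Provider", "password reset link", True, True, True),
    Flow("Web Frontend", "Browser", "static assets", False, True, True),
]

if __name__ == "__main__":
    for flow, reasons in prioritise(FLOWS, COMPONENTS):
        print(f"{flow.source} -> {flow.destination} ({flow.data}): {', '.join(reasons)}")
```

Note that the Auth Service to User Database flow still ranks for review even though both ends are High Trust, because it carries sensitive data unencrypted.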


Step 4: Threat Identification

This is the core of threat modelling. For each component and data flow, work through the STRIDE categories:

  • Spoofing — can an attacker impersonate this component or its users?
  • Tampering — can data flowing through or stored here be modified without authorisation?
  • Repudiation — can actions on this component be denied without proof?
  • Information Disclosure — can sensitive data be exposed to unauthorised parties?
  • Denial of Service — can this component be made unavailable?
  • Elevation of Privilege — can a user gain capabilities they shouldn’t have?

The tool provides suggested threats based on the component type you selected. Use these as a starting point, then add your own.

Tip: Don’t try to be perfect. A rough list of 10–20 threats is better than an empty list waiting for the perfect model.


Step 5: Risk Assessment

For each threat, score:

  • Likelihood (1–5): How probable is this attack?
  • Impact (1–5): How severe would the outcome be?

The tool calculates Risk = Likelihood × Impact and categorises it as Critical, High, Medium, or Low.

Start with Critical and High threats — these are where you should focus your mitigation effort.


Step 6: Mitigations

For each threat, especially Critical and High ones, define at least one mitigation.

Good mitigations are:

  • Specific — describe the exact control to implement
  • Assigned — identify an owner or team
  • Tracked — set a status (Planned, In Progress, Implemented)

You can also change a threat’s status to Accepted (risk acknowledged and consciously accepted) or Transferred (risk moved to a third party, e.g. via insurance or contractual obligation).


Step 7: Final Report

The report gives you:

  • A summary of threat counts by risk level and status
  • A full threat register table, sorted by risk score
  • A component inventory

Use Print / Save as PDF to share the report with your team or attach it to a security review. Use Export JSON to save your threat model and reload it later.


Saving Your Work

The tool auto-saves your session to your browser’s local storage. Your progress is preserved if you close and reopen the tab.

To back up your work or share it with colleagues, use Export JSON and store the file. To resume, use Load JSON.


Common Pitfalls

Pitfall | Better Approach
Modelling the whole platform at once | Start with a single service or user journey
Only security engineers attend the session | Invite engineers who built the system
Identifying threats but not scoring them | Score every threat — even a rough score is valuable
Identifying threats but never mitigating | Set mitigation status and owner for each Critical/High threat
Doing it once and never revisiting | Schedule an annual review; update when the system changes