Component Types
When building your system diagram, categorise each element using one of the standard component types. Choosing the right type helps generate relevant threat suggestions and makes your model easier for others to read.
Web Application
A user-facing application delivered via a web browser.
Examples: Customer portal, admin dashboard, SaaS product UI, public-facing website
Common attack surface: XSS, CSRF, injection, session management, authentication bypass
Typical trust level: Medium (authenticated) or Untrusted (anonymous public access)
API Gateway / API
A service that exposes functionality via HTTP(S) endpoints, consumed programmatically.
Examples: REST API, GraphQL API, gRPC service, API gateway (Kong, AWS API GW)
Common attack surface: Broken object-level authorisation (BOLA/IDOR), injection, rate limiting bypass, excessive data exposure
Typical trust level: High (internal) or Medium (external partner API)
Process
A background service, worker, or application process that runs without direct user interaction.
Examples: Background job worker, batch processor, message queue consumer, ETL pipeline
Common attack surface: Injection via message payloads, privilege escalation, insecure deserialisation
Typical trust level: High (internal)
Data Store
A system that persists data — read and written by other components.
Examples: Relational database (PostgreSQL, MySQL), NoSQL database (MongoDB, DynamoDB), object storage (S3), cache (Redis, Memcached), message queue (Kafka, SQS)
Common attack surface: Injection, unauthorised access, unencrypted data at rest, insecure backups
Typical trust level: High (should be internal-only with no direct external access)
Service
An external or internal service that your system depends on but that is either outside your direct control or deployed separately from the system being modelled.
Examples: Payment processor (Stripe), email service (SendGrid), identity provider (Auth0, Okta), third-party API, internal microservice owned by another team
Common attack surface: Supply chain compromise, credential theft, data exposure via over-sharing, availability dependency
Typical trust level: Low (third-party services) or High (internal services)
User / Actor
A human actor who interacts with your system.
Examples: End customer, employee, administrator, internal service account
Common attack surface: Account takeover, credential phishing, insider threat, privilege abuse
Typical trust level: Medium (authenticated users) or Untrusted (anonymous/unauthenticated)
Mobile App
A native or hybrid mobile application running on a device controlled by the user.
Examples: iOS app, Android app, React Native app
Common attack surface: Insecure local storage, certificate pinning bypass, reverse engineering, deep link injection, push notification abuse
Typical trust level: Untrusted (like the browser — the device and app are outside your control)
External Entity
Any system or actor outside the trust boundary of your organisation that initiates or receives data flows.
Examples: Internet user, partner organisation’s system, regulatory body’s data submission endpoint, webhook consumer
Common attack surface: Source of untrusted input; may attempt spoofing, DoS, or injection
Typical trust level: Untrusted
Trust Levels
Assigning a trust level to each component helps identify which interactions cross trust boundaries — these are the highest-risk data flows.
| Trust Level | Description | Examples |
|---|---|---|
| High Trust | Internal, privileged, fully controlled by your organisation | Your own backend services, internal databases |
| Medium Trust | Authenticated but limited; constrained access | Logged-in users, partner services with API keys |
| Low Trust | External services not under your control | Third-party SaaS, external APIs |
| Untrusted | Potentially adversarial; all input must be validated | Internet users, mobile devices, browsers |
Rule of thumb: Any data flow between components of different trust levels should be analysed carefully for all six STRIDE threat categories.
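As an added example, not part of this page or of the tool's own code, the following Python models the component types and trust levels above and applies the rule of thumb: it lists every data flow whose endpoints differ in trust level, tags the direction of the crossing, and attaches all six STRIDE categories for review. The component names, the sample flows and the numeric trust ranking are constructed for illustration.

```python
from dataclasses import dataclass

# Ordinal ranking of the four trust levels in the table above (High is most trusted).
TRUST_RANK = {"Untrusted": 0, "Low Trust": 1, "Medium Trust": 2, "High Trust": 3}
STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege")

@dataclass(frozen=True)
class Component:
    name: str
    kind: str   # one of the component types above, e.g. "Web Application"
    trust: str  # a key of TRUST_RANK

@dataclass(frozen=True)
class Flow:
    source: Component
    dest: Component
    label: str

def crosses_boundary(flow: Flow) -> bool:
    """A flow crosses a trust boundary when its endpoints differ in trust level."""
    return flow.source.trust != flow.dest.trust

def boundary_crossings(flows):
    """Return (flow, direction, STRIDE) for each boundary-crossing flow. "inbound" means
    data moves from lower to higher trust (untrusted input entering a trusted zone)."""
    findings = []
    for f in flows:
        if crosses_boundary(f):
            inbound = TRUST_RANK[f.source.trust] < TRUST_RANK[f.dest.trust]
            findings.append((f, "inbound" if inbound else "outbound", STRIDE))
    return findings

# Constructed sample system built from the component types and trust levels on this page.
user = Component("Internet user", "External Entity", "Untrusted")
portal = Component("Customer portal", "Web Application", "Medium Trust")
api = Component("Orders API", "API Gateway / API", "High Trust")
db = Component("Orders DB", "Data Store", "High Trust")
payments = Component("Payment processor", "Service", "Low Trust")
SAMPLE_FLOWS = [
    Flow(user, portal, "login and order form"),          # Untrusted -> Medium: inbound
    Flow(portal, api, "REST calls with session token"),  # Medium -> High: inbound
    Flow(api, db, "SQL queries"),                        # High -> High: no crossing
    Flow(api, payments, "charge request"),               # High -> Low: outbound
    Flow(payments, api, "payment webhook"),              # Low -> High: inbound
]

if __name__ == "__main__":
    for flow, direction, cats in boundary_crossings(SAMPLE_FLOWS):
        print(f"{flow.source.name} -> {flow.dest.name} [{flow.label}]: {direction} crossing, review {', '.join(cats)}")
```

Running it reports four of the five constructed flows as boundary crossings; only the API-to-database query stays inside the high-trust zone.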