ALVOR
Platform
PricingCompare
Advisory
AboutBlog
Get Demo
ALVOR
Platform
PricingCompare
Advisory
AboutBlog
Get Demo
← All Posts
July 16, 2026·10 min read

STRIDE vs PASTA vs LINDDUN: Choosing a Threat Modeling Methodology You Will Actually Run

STRIDE, PASTA, and LINDDUN answer three different questions. A practical comparison of what each methodology finds, what it costs to run, and how to combine them without building a bureaucracy.

Salman Khan·Threat ModelingEngineering

Ask five security engineers which threat modeling methodology to use and you will get a comparison of frameworks. That is the wrong altitude. STRIDE, PASTA, and LINDDUN are not three competing answers to one question; they are answers to three different questions, and picking between them without noticing that is how teams end up with a methodology they admire and do not run.

The three questions, plainly:

  • STRIDE answers: what can go wrong in this design?
  • PASTA answers: which attacks matter to this business, and how would they actually unfold?
  • LINDDUN answers: how does this system harm the privacy of the people whose data it processes?

Everything else in this guide follows from that distinction.

STRIDE: the diagram methodology

STRIDE came out of Microsoft in 1999, from Loren Kohnfelder and Praerit Garg, and it remains the default for a reason. It gives you six categories of threat (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) and one instruction: walk the elements of your system diagram and ask which categories apply to each one. Processes attract all six. Data flows attract tampering, information disclosure, and denial of service. Data stores, external entities, and trust boundaries each have their own profile. Microsoft's own documentation still describes the category-to-element mapping in these terms.

The strength is repeatability. Because threats anchor to diagram elements, two engineers modeling the same system converge on similar lists, coverage is measurable (which elements have been walked, which have not), and the exercise is teachable in an hour. The prerequisite is honest: you need a real data flow diagram, with trust boundaries drawn, not a marketing architecture slide. If your team cannot produce that diagram, that is the actual problem to fix first, and it is a bigger one than methodology choice.

The weaknesses are equally honest. STRIDE says nothing about which threats matter most; a spoofing threat on an internal metrics endpoint and one on your payment API rank identically until you add business context. The categories overlap (a successful tampering attack is often an elevation of privilege), which bothers purists and does not matter much in practice. And STRIDE has no opinion about privacy: a system that lawfully-collected data flows through in ways users never expected passes a STRIDE review clean.

PASTA: the risk methodology

PASTA (Process for Attack Simulation and Threat Analysis) is a seven-stage methodology published by Tony UcedaVélez and Marco Morana in their 2015 book Risk Centric Threat Modeling. Where STRIDE starts from the diagram, PASTA starts from the business: define objectives, define the technical scope, decompose the application, analyze threats, find vulnerabilities and weaknesses, model attacks, and analyze risk and impact. The output is not a list of design flaws; it is an argument, traceable from business impact through attacker capability to specific attack paths, about which risks deserve money.

When PASTA is right, nothing else does its job. If you need to convince a board that a threat is worth a seven-figure remediation, a STRIDE spreadsheet will not do it; an attack simulation tied to revenue impact will. Regulated industries and high-value targets (payments, trading, critical infrastructure) get real value from stages that simulate how a motivated attacker chains weaknesses.

The cost is the honest problem. Seven stages is a program, not a working session. PASTA assumes threat intelligence input, attacker profiling, and analyst time that most product teams do not have per feature. Teams that adopt PASTA wholesale for routine design work tend to quietly stop threat modeling within two quarters, because every model is a project. The pattern that works is borrowing: PASTA's early stages, business objectives and impact, belong in your review intake (they are what a business impact analysis is), and the full simulation machinery is reserved for the systems whose tier justifies it.

LINDDUN: the privacy methodology

LINDDUN comes from the DistriNet research group at KU Leuven and is the only widely adopted methodology built for privacy rather than security. Its seven categories (Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance) are walked over the data flow diagram much like STRIDE, which makes the two natural companions. The methodology, threat trees, and the lightweight LINDDUN GO card variant are published at linddun.org.

The point most teams miss: privacy threats are not security threats with a GDPR sticker. A system can be perfectly secure, every flow encrypted, every access authenticated, and still let an insurer link "anonymous" wellness data back to individuals. That is working-as-designed harm, invisible to STRIDE because nothing is broken. Notice also that non-repudiation, a goal in STRIDE's world, is a threat in LINDDUN's: sometimes users need plausible deniability. If your system processes personal data at any meaningful scale, or you run data protection impact assessments, a LINDDUN pass finds a class of problem nothing else in your toolchain is looking for.

The limitation is scope, and it is by design. LINDDUN does not replace a security methodology; it assumes one is already running.

The three side by side

STRIDE
  • Finds design flaws, element by element
  • Anchored to the data flow diagram
  • Teachable in an hour, repeatable by anyone
  • Silent on business priority and privacy
PASTA
  • Ties attacks to business impact
  • Seven stages, from objectives to risk
  • Output that executives can act on
  • Too heavy to run per feature
LINDDUN
  • Finds privacy harm, not just breaches
  • Walks the same diagram as STRIDE
  • The natural companion to a DPIA
  • Assumes a security methodology exists
Three methodologies, three different questions
STRIDEPASTALINDDUN
OriginMicrosoft, 1999UcedaVélez & Morana, 2015KU Leuven, DistriNet
Unit of analysisDiagram elementBusiness risk scenarioData flow and data subject
Question answeredWhat can go wrong here?Which attacks matter to the business?How does this harm user privacy?
Primary outputThreat list mapped to elementsRisk-ranked attack scenariosPrivacy threats and mitigations
Effort per modelHoursDays to weeksHours, given an existing DFD
Best forEvery design reviewHigh-tier systems, board-level casesSystems processing personal data

How to actually choose

  1. 1
    Do you have a data flow diagram?

    If not, stop comparing methodologies and draw one. Every methodology here consumes a diagram; none of them can rescue a system nobody can draw.

  2. 2
    Default to STRIDE on every design

    It is the only methodology cheap enough to run on everything, and consistent coverage of all designs beats deep analysis of two of them.

  3. 3
    Add business framing at intake

    Borrow PASTA's opening moves: what is this system worth, to whom, and what does an attacker gain? That context turns a flat threat list into a ranked one.

  4. 4
    Add a LINDDUN pass when personal data enters

    Same diagram, second lens. If the system processes personal data or feeds a DPIA, walk the privacy categories after the security ones.

  5. 5
    Reserve full PASTA for the top tier

    Payment flows, trading systems, anything whose compromise is a board agenda item: these justify attack simulation. Your internal admin tool does not.

A decision path that survives contact with a real backlog

Notice what this decision path optimizes for. Not analytical depth; operational survival. The methodology that wins is the one still running in eighteen months, after the champion who introduced it changed jobs. In our experience the failure mode of threat modeling programs is almost never that the methodology missed threats. It is that the methodology asked for more effort than the organization would pay, so the organization stopped paying.

The composite that works

Run STRIDE on the diagram for every reviewed design. Steal PASTA's business-impact framing for your intake questions. Add a LINDDUN pass wherever personal data flows. This is not methodological impurity; it is what the three were each built to do, used at the altitude where each is affordable.

The methodologies you did not ask about

Four others show up in every comparison listicle, so here is the honest one-line verdict on each. DREAD is a scoring rubric for ranking threats you have already found, not a way of finding them; Microsoft moved away from it because scores varied too much between raters (more in the FAQ below). Attack trees are not a rival but a complement: when STRIDE surfaces a threat that worries you, an attack tree is a fine way to decompose how it would actually be achieved. OCTAVE operates at a different altitude entirely, assessing organizational risk rather than the design of a system, so it does not belong in this comparison even though it keeps getting put there. VAST and Trike you will encounter in vendor marketing and academic papers respectively; neither has the practitioner community, published threat trees, or tooling ecosystem of the three above, and choosing a methodology your next hire has never heard of is a real cost.

Three ways teams get this wrong

The comparison itself has failure modes, and they are more expensive than picking the "wrong" framework:

  • Methodology shopping as procrastination. A quarter spent evaluating frameworks is a quarter of designs shipping unreviewed. The differences between running STRIDE adequately and running PASTA adequately are smaller than the difference between running something and running nothing. Decide in a week.
  • Letting the tool choose. Teams buy a platform first and inherit whatever methodology it encodes, at whatever depth its workflow allows. Choose the question you need answered, then the methodology, then the tooling that runs it well; the reverse order is how you end up simulating attacks on a marketing site.
  • Modeling once and calling it done. Every methodology here produces a snapshot. The system keeps changing after the snapshot, and a threat model whose diagram no longer matches production is worse than none, because it radiates false confidence. Whatever you run, decide what re-triggers it: a changed trust boundary, a new data flow, a new external integration.

What makes a methodology runnable

Whichever you choose, three properties decide whether it survives:

  • It anchors to an artefact you already produce. STRIDE and LINDDUN work because the data flow diagram is (or should be) a standard output of design work. A methodology that requires new artefacts per model compounds its own cost.
  • The output lands somewhere with consequences. A threat list in a spreadsheet is a finding; a threat mapped to a control, tracked to a live unmitigated count, with an owner, is a decision. If threats do not connect to your risk register and your build backlog, the model decays into documentation.
  • A non-expert can contribute. If every model needs your most senior security architect in the room, the methodology's real capacity is that person's calendar. The analysis framework should be simple enough that engineering can draft and security can judge.

That last property is where tooling earns its place, and where we should disclose our interest: we build threat modeling software that runs STRIDE on a live diagram, with threats anchored to elements, controls mapped from your catalog, and an AI studio that drafts the model for a human reviewer to approve or reject batch by batch. The methodology stays the same; the cost of practicing it is what drops.

Pick the question you need answered, pick the lightest methodology that answers it, and spend the effort you save on running it everywhere. Coverage beats sophistication. It is not close.

Questions this guide gets asked

Is STRIDE outdated?

No. STRIDE is from 1999 and it shows its age in places (the categories overlap, and cloud-native patterns need interpretation), but its core move, anchoring threat categories to elements of a system diagram, is still the most teachable and repeatable way to find design flaws. Most modern tooling, including ours, is built on it for exactly that reason.

Can I combine STRIDE and PASTA?

Yes, and you probably should, just not as two full processes. Run PASTA's early stages as your intake: business objectives, impact, and attacker interest. Then run STRIDE on the diagram for discovery. You get PASTA's business framing and STRIDE's systematic coverage without running a seven-stage program per feature.

Which methodology do compliance auditors expect?

None specifically. ISO 27001, SOC 2, and PCI DSS require evidence that you analyze threats and act on the results; they do not name a methodology. Auditors care that the process is documented, repeated, and produces tracked outcomes. STRIDE is the easiest to evidence because its output maps cleanly to threats, controls, and coverage. For GDPR data protection impact assessments, LINDDUN is the natural fit.

What about DREAD?

DREAD is not a discovery methodology; it is a scoring rubric (Damage, Reproducibility, Exploitability, Affected users, Discoverability) for ranking threats you have already found. Microsoft itself moved away from it because the scores proved too subjective to be consistent across raters. Rank with a simple severity scale tied to your risk register instead.

Which methodology is best for a small team?

STRIDE, without hesitation. It needs one artefact you should have anyway (a data flow diagram), it can be taught in an hour, and it produces a concrete threat list per element. PASTA's stages assume analyst capacity a small team does not have, and LINDDUN only earns its keep once you process meaningful personal data.

SK

Written by

Salman KhanCo-Founder & CEO, Alvor

Salman co-founded Alvor, the security and compliance platform, and leads its security architecture practice. He writes about design reviews, threat modeling, and running security programs that engineering teams don't route around.

Related in Alvor

Threat Modeling

Diagram-anchored STRIDE threat modeling with a reusable threat library, control mapping, and live coverage tracking.

Learn more →
← All Posts
ALVOR

Security architecture, management, and compliance: connected into one source of truth.

Security, Simplified.

Platform

  • Overview
  • AI Assistant
  • Security Architecture
  • Assets
  • Components
  • Dependency Mapping
  • Data Governance
  • Secure by Design
  • Security Design Review
  • Threat Modeling
  • Risk
  • Compliance
  • Policy
  • Program
  • Business Continuity
  • TPRM

Solutions

  • Startups
  • Mid-Market
  • Enterprise

Company

  • About
  • Advisory
  • Compliance
  • Blog
  • Security
  • Pricing
  • Compare

Legal

  • Privacy
  • Cookie Policy
  • Terms
  • Disclosure

© 2026 Alvor, Inc. All rights reserved.

LinkedIn