Question 1

What is threat modeling?

Accepted Answer

Threat modeling is a structured way to find what can go wrong with a system before an attacker does, ideally before the system is built. You model what you are creating, enumerate the threats against it, decide how to handle each one, and verify your work. The practice is usually framed as four questions: what are we building, what can go wrong, what are we going to do about it, and did we do a good enough job. It is a design-time discipline, not a scan you run after the fact.

Question 2

What is STRIDE threat modeling?

Accepted Answer

STRIDE is the most widely used threat taxonomy, created at Microsoft. It is a mnemonic for six categories of threat, each tied to a security property it violates: Spoofing (authentication), Tampering (integrity), Repudiation (non-repudiation), Information Disclosure (confidentiality), Denial of Service (availability), and Elevation of Privilege (authorization). You apply all six questions to every element of your model, so threats are found by method rather than by memory. Alvor uses STRIDE as its default taxonomy and lets you anchor each threat to the specific component, data flow, or datastore it targets.

Question 3

How do you do threat modeling, step by step?

Accepted Answer

Start by modeling the system as a data flow diagram: components, datastores, the data flows between them, external entities, and the trust boundaries the data crosses. Then walk each element and enumerate threats, using STRIDE to ask the same six questions of everything. For each threat, decide a response: mitigate it with a control, accept it with a documented rationale, or rule it out of scope. Finally, measure coverage and revisit the model when the design changes. In Alvor those four moves happen on one canvas: model, anchor threats, map controls, track coverage.

Question 4

What is a data flow diagram and a trust boundary in threat modeling?

Accepted Answer

A data flow diagram (DFD) is the model you reason over. It shows processes or components, datastores, the data flows between them, and the external entities the system talks to. A trust boundary is the line where the level of trust changes, for example between the public internet and your service, or between an application and its database. Threats cluster on the flows that cross trust boundaries, so drawing those boundaries is what makes the interesting threats visible. In Alvor, components, datastores, data flows, external entities, and trust boundaries are all first-class elements you register on the canvas and number (C1, DS1, DF1, EE1, TB1).

Question 5

What is the difference between STRIDE, PASTA, and DREAD?

Accepted Answer

They answer different questions. STRIDE helps you find threats: it is a taxonomy of what can go wrong. PASTA (Process for Attack Simulation and Threat Analysis) is a heavier, seven-stage methodology that drives threat modeling from business objectives and attacker simulation. DREAD is a scoring model (Damage, Reproducibility, Exploitability, Affected users, Discoverability) used to rank threats once you have found them. They are complementary: many teams enumerate with STRIDE and prioritize with a risk score. Alvor leads with STRIDE for enumeration and carries severity and status on every threat so prioritization travels with it.

Question 6

How is threat modeling different from a risk assessment or a vulnerability scan?

Accepted Answer

A vulnerability scan finds known flaws in code or configuration that already exists. A risk assessment weighs the likelihood and impact of risks across an organization. Threat modeling is earlier and more structural: it reasons about how a design could be attacked before it is built, so you catch design flaws that no scanner will ever flag because there is no code yet. The three reinforce each other. In Alvor, design-phase threat modeling lives in Secure by Design, mitigations map to controls, and those controls and findings flow into the Risk and Compliance modules.

Question 7

When and how often should you threat model?

Accepted Answer

Threat model when you are designing something new or materially changing an existing design: a new service, a new data flow, a new trust boundary, a new integration. Because the model in Alvor is an object anchored to your architecture rather than a one-off document, it is revisited rather than rewritten. When the design changes, you update the affected elements and the coverage figures move with them, so the model stays current instead of being a snapshot that ages the moment it is filed.

Question 8

Does Alvor have a threat modeling tool, and is it automated?

Accepted Answer

Yes. Threat modeling is built into Alvor's Secure by Design module. You model the system on a canvas, register elements, and anchor threats directly to them. Alvor does the structural work for you: a reusable threat library so you are not starting from a blank page, automatic numbering of elements and threats, deduplication of library entries, automatic assignment of mapped controls to the project, and live coverage analytics including the count of unmitigated threats. The security judgment stays with your team; the bookkeeping, traceability, and follow-through are automated.

Question 9

Which frameworks and threat sources does Alvor support?

Accepted Answer

STRIDE is the default taxonomy. Threats can also reference MITRE ATT&CK techniques by ID, sit on a Cyber Kill Chain phase, and cite OWASP, CAPEC, or NIST sources, with an external reference recorded on each threat (for example T1110 or A03:2021). The threat library is seeded from these standard sources and grows as your teams model. Mitigating controls map back into the control families you already track for compliance.

Question 10

How does threat modeling connect to controls and compliance in Alvor?

Accepted Answer

Every threat can be mapped to one or more security controls as a primary or supporting mitigation, with notes on how the control addresses it. Mapped controls are assigned to the project automatically and flagged as threat-driven, so the design carries its own justification. Because those controls are the same ones Alvor cross-maps across 40+ frameworks (NIST CSF, ISO 27001, SOC 2, PCI DSS, CIS), a mitigation decided during threat modeling becomes evidence that satisfies the frameworks it touches. Threat modeling is included in every Alvor plan from Starter ($8,000/year) through Enterprise.

Threat modelingthat lives on your architecture.

What threat modeling actually is

What are we building?

What can go wrong?

What are we going to do about it?

Did we do a good enough job?

Six ways a component can be attacked

Spoofing

Tampering

Repudiation

Information Disclosure

Denial of Service

Elevation of Privilege

From diagram to defended

Model the system on the canvas

Anchor threats to the elements they target

Map every threat to its controls

Track coverage as the design moves

Backed by the libraries the industry already trusts

A threat model is only as good as the gaps it makes visible

Threat modeling, answered

See how Alvor works for your role