Top threat modeling frameworks: STRIDE, OWASP Top 10, MITRE ATT&CK framework and more

February 11, 2021 by Howard Poston

Threat modeling is an exercise designed to identify the potential threats and attack vectors that exist for a system. Based upon this information, it is possible to perform risk analysis and develop countermeasures and strategies to manage and mitigate these risks.

However, identifying threats in a vacuum can be difficult and is prone to error. Using a threat modeling framework provides structure to the threat modeling process and may include other benefits, such as suggested detection strategies and countermeasures.

Let’s take a look at some well-known threat modeling frameworks.

OWASP top 10

The OWASP Top Ten list is one of the most famous products of the Open Web Application Security Project (OWASP). As the name of the group suggests, its focus — and that of its Top Ten list — is on web application vulnerabilities. This famous list is updated every few years with the most common or dangerous vulnerabilities detected in web applications. The list is commonly a mix of exploitable vulnerabilities (such as Injection or Cross-Site Scripting) and poor development practices, such as a failure to perform proper logging and to monitor those logs and other data sources for signs of an attack.

The OWASP Top Ten list is a great starting point when performing a threat modeling exercise for web applications. It outlines the most common vulnerabilities in web applications, and, due to its high visibility, is also the starting point for many cybercriminals looking for vulnerabilities to exploit. Closing these potential attack vectors eliminates some of the low-hanging fruit for potential attackers.

However, while the OWASP Top Ten list is focused on web application vulnerabilities, this doesn’t mean that it only has value for web application developers. The mistakes described in the OWASP list can generally apply to other types of software as well, such as blockchain applications.

MITRE ATT&CK Framework

MITRE is a federally funded research and development center (FFRDC) of the US government. One of its areas of research is cybersecurity, and the MITRE ATT&CK framework — and the related Shield framework — is one of the products of this cybersecurity research.

MITRE ATT&CK is designed to support cybersecurity by providing a framework for threat modeling, penetration testing, defense development and similar cybersecurity exercises. MITRE ATT&CK breaks the lifecycle of a cyberattack into fourteen stages (called “Tactics” by MITRE). Each Tactic describes a specific goal that an attacker may need to achieve on the way to their overall objective, such as escalating privileges or gaining access to account credentials.

Under each Tactic is an array of Techniques and Sub-Techniques. Each of these describes a specific method of achieving the related goal. For example, user credentials may be acquired via a brute-force attack, by dumping credentials from the operating system or browsers, or by other means.

The combination of Tactics and Techniques provides concrete guidance for a threat modeling exercise. While MITRE ATT&CK may not be a comprehensive list of every potential attack technique, it has impressive coverage. A simple “check the box” approach to determining if a system is vulnerable to each of the described Techniques and Sub-Techniques provides a solid understanding of the potential vulnerabilities within the system.

However, the value of the MITRE ATT&CK framework is not limited to its structured description of cyberthreats in Tactics and Techniques. Under each Technique or Sub-Technique, MITRE provides additional data, including:

  • Technique description
  • Affected platforms
  • Required permissions
  • Data sources for detection
  • “Procedures” (known malware, tools or threat actors using the technique)
  • Mitigations
  • Detection methods
  • References

This information can help to ensure that a potential threat is properly identified during threat modeling and provides guidance on how to mitigate the potential risk using a combination of detection and mitigation strategies.
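The “check the box” assessment described above can be scripted once the per-technique data (affected platforms, required permissions, data sources, mitigations) is in a structured form. The following is an added example, not code from the article or from MITRE: it models three Credential Access techniques with their real ATT&CK IDs (T1110, T1003 and T1555.003), abbreviates their platform, permission, data-source and mitigation fields for illustration, and then checks a constructed asset against them. A technique is in scope when the asset's platform is affected and the foothold the threat model assumes meets the technique's required permissions; for each in-scope technique the script reports which mitigations are missing and whether any of its data sources are actually collected, so the techniques that are neither mitigated nor detectable surface as the priority gaps.

```python
from dataclasses import dataclass

# Ordering used to compare the foothold a threat model assumes with what a technique requires.
PRIVILEGE_RANK = {"none": 0, "user": 1, "admin": 2}


@dataclass(frozen=True)
class Technique:
    """The subset of ATT&CK per-technique fields this check uses."""
    tech_id: str
    name: str
    tactic: str
    platforms: frozenset
    permissions_required: str   # lowest privilege level at which the technique works
    data_sources: frozenset     # telemetry that can reveal the technique
    mitigations: frozenset      # controls that reduce the risk


@dataclass
class Asset:
    """What the system under test actually has in place (constructed inventory)."""
    name: str
    platform: str
    controls: set               # mitigations deployed
    telemetry: set              # data sources collected
    attacker_privilege: str     # foothold assumed by the threat model


# Real ATT&CK technique IDs; the field contents are abbreviated for illustration.
CATALOG = (
    Technique("T1110", "Brute Force", "Credential Access",
              frozenset({"Windows", "Linux", "macOS"}), "none",
              frozenset({"Authentication logs"}),
              frozenset({"Account lockout", "Multi-factor authentication"})),
    Technique("T1003", "OS Credential Dumping", "Credential Access",
              frozenset({"Windows", "Linux", "macOS"}), "admin",
              frozenset({"Process access", "Command execution"}),
              frozenset({"Credential Guard", "Privileged account management"})),
    Technique("T1555.003", "Credentials from Web Browsers", "Credential Access",
              frozenset({"Windows", "Linux", "macOS"}), "user",
              frozenset({"File access", "Process access"}),
              frozenset({"Password manager policy"})),
)


def technique_applies(tech, asset):
    """In scope if the platform is affected and the assumed foothold meets the requirement."""
    return (asset.platform in tech.platforms
            and PRIVILEGE_RANK[asset.attacker_privilege]
            >= PRIVILEGE_RANK[tech.permissions_required])


def assess(asset, catalog=CATALOG):
    """Return {tech_id: finding} for every technique that applies to the asset."""
    findings = {}
    for tech in catalog:
        if not technique_applies(tech, asset):
            continue
        findings[tech.tech_id] = {
            "name": tech.name,
            "tactic": tech.tactic,
            "missing_mitigations": sorted(tech.mitigations - asset.controls),
            "mitigated": bool(tech.mitigations & asset.controls),
            "detectable": bool(tech.data_sources & asset.telemetry),
        }
    return findings


def gaps(asset, catalog=CATALOG):
    """Technique IDs that are neither mitigated nor detectable: the list to fix first."""
    return sorted(tech_id for tech_id, f in assess(asset, catalog).items()
                  if not f["mitigated"] and not f["detectable"])


# Constructed asset: a Windows laptop where the threat model assumes the attacker
# already runs as a normal user (for example after a phishing payload executes).
WORKSTATION = Asset("finance-laptop-01", "Windows",
                    controls={"Account lockout"},
                    telemetry={"Authentication logs"},
                    attacker_privilege="user")

if __name__ == "__main__":
    for tech_id, finding in assess(WORKSTATION).items():
        print(tech_id, finding)
    print("priority gaps:", gaps(WORKSTATION))
```

Raising `attacker_privilege` to `"admin"` on the same asset brings T1003 into scope, and because none of its listed mitigations or data sources are present it joins the gap list. That is the point of recording the assumed foothold explicitly: the same system yields a different threat list depending on what the model grants the attacker at the start.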

MITRE Common Weakness Enumeration (CWE)

In addition to the ATT&CK and Shield frameworks, MITRE also maintains the Common Weakness Enumeration. This resource is similar to the OWASP Top Ten list in that it is designed to describe the common vulnerabilities and other issues that can exist within an application. The CWE is a much more comprehensive list of potential security issues and includes a list of the top 25 threats based on the probability of exploitation and impact of different CWEs.

Like the OWASP Top Ten, the CWE Top 25 is a great starting point for general threat modeling exercises. Investigation of the weaknesses described in the list provides coverage of the most common and commonly exploited vulnerabilities.

However, the CWE Top 25 is not the only useful view into the CWE database. MITRE’s CWE page also provides lists specific to certain programming languages, software development phases and more.

These more focused lists can be invaluable for performing threat modeling throughout the software development life cycle. Early in the process, developers or security team members can review the potential issues that can occur in the Design phase. Later, as solutions are being implemented, code can be tested for language-specific issues.

STRIDE threat modeling

STRIDE is a threat modeling framework developed by Microsoft employees and published in 1999. The STRIDE threat model is focused on the potential impacts of different threats to a system:

  • Spoofing
  • Tampering
  • Repudiation
  • Information disclosure
  • Denial of service
  • Escalation of privileges

By considering these potential impacts or goals and considering how they can be achieved, it is possible to identify attack vectors for the system under test. Based on this information, it is possible to assess the risk and impact of each potential threat and develop countermeasures to mitigate it.

Mapping STRIDE to other frameworks

STRIDE is a high-level threat model focused on identifying overall categories of attacks. This contrasts with the other threat models discussed in this article, which focus on specific threats to a system.

This difference in focus means that STRIDE and other threat models are often complementary. For example, a blog by (ISC)2 discusses integrating STRIDE with MITRE ATT&CK, using STRIDE for high-level modeling and ATT&CK for identifying specific threats.
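One concrete way to run STRIDE and then hand off to a technique-level framework is to enumerate STRIDE categories per element of a data-flow diagram and tag each resulting threat with the ATT&CK Tactics that typically realize it. The script below is an added example and not code from the article, from Microsoft or from the (ISC)2 post cited above. It uses the widely taught STRIDE-per-element rule (external entities get Spoofing and Repudiation; processes get all six; data flows get Tampering, Information disclosure and Denial of service; data stores get those three plus Repudiation only when they hold audit logs), applies it to a constructed three-tier web application, and ranks threats on flows that cross a trust boundary first. The STRIDE-to-Tactic table is an illustrative bridge chosen for this example, not a mapping published by either project.

```python
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Escalation of privileges",
}

# STRIDE-per-element: categories in scope for each kind of DFD element.
# Data stores additionally get Repudiation when they hold audit logs (handled in stride_letters).
PER_ELEMENT = {
    "external": "SR",
    "process": "STRIDE",
    "dataflow": "TID",
    "datastore": "TID",
}

# Illustrative bridge from STRIDE impacts to ATT&CK Tactics (an assumption of this example).
TO_ATTACK_TACTICS = {
    "S": ("Initial Access", "Credential Access"),
    "T": ("Defense Evasion", "Impact"),
    "R": ("Defense Evasion",),
    "I": ("Collection", "Exfiltration"),
    "D": ("Impact",),
    "E": ("Privilege Escalation",),
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                           # external | process | dataflow | datastore
    crosses_trust_boundary: bool = False
    holds_audit_log: bool = False       # only meaningful for data stores


def stride_letters(element):
    """STRIDE categories (as letters) that apply to one DFD element."""
    letters = PER_ELEMENT[element.kind]
    if element.kind == "datastore" and element.holds_audit_log:
        letters += "R"      # tampering with or deleting logs enables repudiation
    return letters


def enumerate_threats(model):
    """Every (element, STRIDE category) pair, boundary-crossing elements first."""
    threats = []
    for element in model:
        for letter in stride_letters(element):
            threats.append({
                "element": element.name,
                "category": STRIDE[letter],
                "attack_tactics": TO_ATTACK_TACTICS[letter],
                "priority": "high" if element.crosses_trust_boundary else "normal",
            })
    # Untrusted input enters where a flow crosses a trust boundary, so look there first.
    threats.sort(key=lambda t: (t["priority"] != "high", t["element"]))
    return threats


def count_by_category(model):
    """How many threats each STRIDE category contributes; useful for a coverage summary."""
    counts = {name: 0 for name in STRIDE.values()}
    for threat in enumerate_threats(model):
        counts[threat["category"]] += 1
    return counts


# Constructed DFD: a browser talking to a web application backed by two stores.
MODEL = (
    Element("Browser", "external"),
    Element("Web app", "process"),
    Element("Session store", "datastore"),
    Element("Audit log", "datastore", holds_audit_log=True),
    Element("Browser -> Web app", "dataflow", crosses_trust_boundary=True),
    Element("Web app -> Session store", "dataflow"),
)

if __name__ == "__main__":
    for threat in enumerate_threats(MODEL):
        print(f'[{threat["priority"]}] {threat["element"]}: {threat["category"]} '
              f'-> ATT&CK {", ".join(threat["attack_tactics"])}')
    print(count_by_category(MODEL))
```

Each printed line is a STRIDE-level threat ready to be refined: the Tactic names on the right say which part of the ATT&CK matrix to open to pick the specific Techniques, which is the high-level-to-specific hand-off the (ISC)2 post describes.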

Selecting a threat modeling framework

The tools described here are only a subset of the threat modeling frameworks available. Other frameworks in the same vein as STRIDE include PASTA, DREAD and more. Additional tools for scoring specific vulnerabilities exist as well, such as the Common Vulnerability Scoring System (CVSS).

No “one size fits all” threat modeling framework exists. Different models are better for different situations and different teams. Understanding the available options and the benefits and limitations of each can help with making an informed decision and improve the effectiveness of threat modeling efforts.

Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant providing training and content creation for cyber and blockchain security. He is also the creator of over a dozen cybersecurity courses, has authored two books, and has spoken at numerous cybersecurity conferences. He can be reached by email at howard@howardposton.com or via his website at https://www.howardposton.com.