Threat Modeling Should Be A Team Sport

Pen-testing, vulnerability scanning, risk management, and threat modeling should be one engagement.

In 2020, a group of threat modeling practitioners, researchers, and authors wrote the Threat Modeling Manifesto. The manifesto contains values and principles connected to the practice and adoption of threat modeling:

Threat modeling is the process of capturing, organizing, and analyzing information about a system and the threats against it. Applied to software, it informs decisions about application security risk. Typical threat modeling efforts also produce a prioritized list of security improvements to an application’s concept, requirements, design, or implementation.

Threat modeling is a structured method of assessing risks associated with a system or application. Developers must take time to understand what threats exist to their system. Once they know what threats exist, they must assess the impact of each threat and decide if any of them pose a high enough risk to warrant mitigation.

Commonalities with Vulnerability Scanning, Pen-testing, and Risk Management Audits

Analyzing each assessment method shows that it shares common characteristics with the others.

They include:

  1. Form a team. This team should include all stakeholders, including business owners, developers, network architects, security experts, and C-level execs.
  2. Establish the scope. Define and describe what the model covers. Create an inventory of all components and data and map them to architecture.
  3. Determine likely threats. Run what-if exercises and build threat scenarios, including threat or attack trees, to identify possible vulnerabilities or weaknesses.
  4. Rank each threat. Determine the level of risk each threat poses and rank them to prioritize risk mitigation.
  5. Implement mitigations. Decide how to mitigate each threat or reduce the risk.
  6. Document results. Document all findings and actions so future changes to the application, threat landscape, and operating environment are assessed and the threat model updated.

Collaboration between Pen Testing and Threat Modeling

Threat modeling teams that test applications and platforms use techniques similar to those of pen testers. Threat modeling is usually carried out by internal AppDev, DevOps, and SecOps teams. Pen testers, however, are typically an external third party with expertise in ethical hacking engagements.

The first level of engagement could be collaboration between the threat modeling team and the pen testers within the same agile sprints. While selecting the threat modeling team, defining the scope, and documenting the expected threats, a third-party white-hat pen tester could be a team member. White-hat pen engagements often involve the AppDev team and the pen tester working together to define a full-scope engagement. The white-hat pen tester is customarily granted usernames and passwords, the IP addresses of the target hosts, and the testing criteria. A collaboration between a third-party white-hat pen tester and the internal threat modeling team would produce a complete 360-degree view. Without that partnership, threat modeling results would be based solely on internal resource knowledge.

The second level of engagement would be a collaboration between a black-hat pen tester and the threat modeling team. Within this engagement the black-hat tester would have no prior knowledge of the application or platform. SecOps would be the internal sponsor of this engagement, not AppDev, DevOps, or NetOps.

Threat Collaboration Modeling Across the Application Lifecycle

Threat modeling is best applied continuously throughout a software development project. The process is essentially the same at different levels of abstraction, although the information gets more and more granular throughout the lifecycle. Ideally, a high-level threat model should be defined early in the concept or planning phase and then refined throughout the lifecycle.

Updating threat collaboration models is advisable after events such as:

  • The AppDev team releases a new feature
  • A security incident occurs
  • Architectural or infrastructure changes are made

This threat modeling and pen-testing collaboration workstream should be added as a business operational function for every application or variant of a platform.


In the spirit of the DevOps movement, risk management, pen-testing, and vulnerability scanning should be treated as “sprints” within the agile security model supporting threat modeling engagements. Small to mid-size enterprise organizations could save money while gaining greater insight into their environment by executing these audits as a unified project instead of in siloed (waterfall) work cycles. The true beneficiary of this model would be the risk management team. By pulling the outputs of these “sprints” into a centralized contextual risk scoring methodology, organizations can assess their environment better by cross-correlating data sources from pen-testing, scanning, and IT audit control reviews.
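The six-step process listed earlier and the centralized, cross-correlated risk scoring described in this paragraph can be made concrete in a small threat register. The following Python is an added example written for this article, not code from the author or any threat modeling tool: the component inventory, the threats, the findings, the score weights, and the correlation rule (same component and same weakness tag) are all assumptions constructed for illustration. It ranks each threat by likelihood and impact, adjusts the score for network exposure and for corroboration from pen-test, scanner, and audit sprints, and reports findings that no threat yet covers so the model can be updated.

```python
import json
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Step 2 (scope): constructed component inventory, each mapped to its network zone.
COMPONENTS: Dict[str, str] = {
    "web-frontend": "DMZ",
    "api-gateway": "DMZ",
    "orders-db": "internal",
}

# Assumed weights for this example. Evidence from a pen-tester who actually
# exercised the path counts for more than a scanner signature, which counts for
# more than a control gap noted in an audit review. DMZ components are weighted
# up because they are reachable by more attackers.
SOURCE_WEIGHT = {"pentest": 1.5, "scan": 1.2, "audit": 1.1}
ZONE_WEIGHT = {"DMZ": 1.25, "internal": 1.0}

@dataclass
class Threat:
    """One leaf of the threat/attack tree (step 3) with its mitigation (step 5)."""
    tid: str
    component: str
    weakness: str        # tag used to match findings from the other sprints
    description: str
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    impact: int          # 1 (negligible) .. 5 (severe)
    mitigation: str
    evidence: Dict[str, str] = field(default_factory=dict)  # source -> finding id

@dataclass
class Finding:
    """A result from one of the other sprints: pen-test, scanner, or audit."""
    fid: str
    source: str          # "pentest" | "scan" | "audit"
    component: str
    weakness: str

def correlate(threats: List[Threat], findings: List[Finding]) -> List[Finding]:
    """Attach each finding to the threat it corroborates (same component and
    weakness). Findings with no matching threat are returned so the model is
    updated (step 6) instead of the finding being silently dropped."""
    by_key = {(t.component, t.weakness): t for t in threats}
    unmatched = []
    for f in findings:
        threat = by_key.get((f.component, f.weakness))
        if threat is None:
            unmatched.append(f)
        else:
            threat.evidence[f.source] = f.fid
    return unmatched

def contextual_score(t: Threat) -> float:
    """Step 4: likelihood x impact, adjusted for exposure and corroboration."""
    score = t.likelihood * t.impact * ZONE_WEIGHT[COMPONENTS[t.component]]
    for source in t.evidence:
        score *= SOURCE_WEIGHT[source]
    return round(score, 1)

def rank(threats: List[Threat]) -> List[Threat]:
    return sorted(threats, key=contextual_score, reverse=True)

def register(threats: List[Threat]) -> List[dict]:
    """Step 6: the documented, prioritized register handed to risk management."""
    return [
        {"id": t.tid, "component": t.component, "score": contextual_score(t),
         "evidence": dict(t.evidence), "mitigation": t.mitigation}
        for t in rank(threats)
    ]

def sample_threats() -> List[Threat]:
    # Constructed sample threats, one per component.
    return [
        Threat("T1", "web-frontend", "xss", "Stored XSS in order notes", 3, 3,
               "Output encoding and a Content-Security-Policy header"),
        Threat("T2", "orders-db", "weak-auth", "Database accepts default credentials", 2, 5,
               "Rotate credentials and restrict network access to the API tier"),
        Threat("T3", "api-gateway", "rate-limit", "No throttling on the login endpoint", 4, 2,
               "Add rate limiting and account lockout"),
    ]

def sample_findings() -> List[Finding]:
    # Constructed sprint outputs. AU-5 deliberately has no matching threat.
    return [
        Finding("PT-07", "pentest", "orders-db", "weak-auth"),
        Finding("SC-113", "scan", "orders-db", "weak-auth"),
        Finding("SC-201", "scan", "web-frontend", "xss"),
        Finding("AU-5", "audit", "api-gateway", "logging"),
    ]

def build_register() -> Tuple[List[dict], List[Finding]]:
    threats = sample_threats()
    unmatched = correlate(threats, sample_findings())
    return register(threats), unmatched

if __name__ == "__main__":
    reg, gaps = build_register()
    print(json.dumps(reg, indent=2))
    print("findings with no threat yet:", [f.fid for f in gaps])
```

With the sample data, the database threat T2 ranks first (base 10, corroborated by both the pen-test and the scanner) ahead of the XSS threat T1, even though T1 scored higher on likelihood, and the audit finding AU-5 is surfaced as a gap to feed back into step 3 at the next update. The weights are the point of debate in a real program; the structure is what makes the debate possible.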
John P. Gormally, born February 1964 in Morristown New Jersey. A veteran of military service from 1982 to 1988, serving in the United States Marine Corps, earni