Seven worksheets covering the methodologies people actually use for threat modeling, plus five worked examples that show what the output looks like for real systems.
Every worksheet has three parts:
- Scope and when to use — what kind of system or analysis the methodology fits
- Template — the actual worksheet, fillable
- Pitfalls — failure modes the worksheet doesn't prevent
Every example has four parts:
- System description and DFD — the system being modeled, with data flows
- Threats — applied to the methodology in question
- Top mitigations — ordered, with effort and impact estimates
- Pitfalls noticed — what was hard, what got missed in the first pass
| # | Worksheet | Best for |
|---|---|---|
| 01 | STRIDE | Per-component analysis of generic systems |
| 02 | LINDDUN | Privacy-focused threats, especially for systems handling PII |
| 03 | PASTA | Risk-driven, business-aligned threat modeling |
| 04 | Attack tree | Decomposing a single high-impact attacker goal |
| 05 | Data flow diagram | Building the input most other methodologies need |
| 06 | Trust boundary | Identifying where data crosses authority levels |
| 07 | Abuse case | Use-case mirror; useful in agile teams that already write user stories |
| # | Example | System type |
|---|---|---|
| 01 | Web app | Standard web application with user accounts and a database |
| 02 | Mobile app | Mobile client with offline data and a backend API |
| 03 | ML pipeline | Training and serving pipeline for a production model |
| 04 | IaC pipeline | Terraform/Pulumi pipeline deploying cloud infrastructure |
| 05 | IoT device | Connected device with cloud control plane |
Pick a methodology that matches the question you have. STRIDE for "what can go wrong with this component"; attack trees for "how could someone achieve this specific bad outcome"; LINDDUN if privacy is the point; PASTA if you need leadership to fund mitigations.
The worked examples are not templates to copy — they're examples of completed output, included so you know what "done" looks like for each methodology before you start.
If you've used a methodology not covered here in production work, open a PR with a worksheet and at least one worked example. Worked examples are valued more than worksheets; methodologies have plenty of papers, applied examples are scarcer.
Part of a 10-repo security audit set.
Browser-based audit tools:
- iam-policy-analyzer
- terraform-security-linter
- kubernetes-manifest-security-scanner
- session-cookie-auditor
- regex-redos-checker
Reference collections:
- incident-response-runbooks
- ai-llm-security-audit
- api-security-audit-checklist
- secrets-leak-response-runbook
MIT. See LICENSE.