Threat Modeling Framework: STRIDE · PASTA · DREAD

Interactive reference + concise real-world use cases for automotive and e‑commerce systems.


Models at a glance

Three complementary approaches: STRIDE (threat categories), PASTA (process-driven & business risk), and DREAD (risk scoring). Use STRIDE for quick mapping, PASTA for process-driven adversary scenarios, and DREAD to prioritize mitigations.


STRIDE — Threat Categories

STRIDE maps threats to system elements: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege. Quick to apply against data flows, components and privileges.


PASTA — Process for Attack Simulation & Threat Analysis

Seven-stage, risk-centric methodology that drives from business objectives to attack simulation and mitigations. Useful for aligning security with business risk and compliance.

  1. Stage 1 — Definition: Business objectives, assets and security goals.
  2. Stage 2 — Technical Scope: Application & infrastructure mapping.
  3. Stage 3 — Decomposition: Data flow diagrams, trust boundaries, components.
  4. Stage 4 — Threat Analysis: Identify threats & attack vectors.
  5. Stage 5 — Vulnerability & Weakness Analysis: Map to vulnerabilities and exploitability.
  6. Stage 6 — Attack Modeling & Simulation: Simulate adversary actions (TTPs).
  7. Stage 7 — Risk & Remediation: Prioritize, fix, and re-test.

PASTA quick-use

PASTA is ideal when you need process-aligned threat modeling that maps to business impact — e.g., order fraud in e-commerce, OTA update attack paths in automotive.

DREAD — Risk Scoring

A quick scoring model (Damage, Reproducibility, Exploitability, Affected users, Discoverability) to prioritize threats. Use with STRIDE or PASTA outputs.

  • Damage: How severe is the impact?
  • Reproducibility: How easy is it to reproduce?
  • Exploitability: What skill or tooling is required?


Real-world use cases — concise

Connected Car — Threat model snapshot

  • PASTA: identify OTA update path, ECU trust boundaries, and supply chain inputs.
  • STRIDE: Spoofing (malicious ECU), Tampering (firmware tamper), Info disclosure (telemetry leak).
  • DREAD example: firmware tamper → High Damage, Medium Reproducibility, Medium Exploitability → prioritize signed firmware & runtime verification.
  • Mitigations: code signing, secure boot, hardware root-of-trust, anomaly detection in telemetry, segmentation of CAN/Ethernet domains.

E‑commerce Platform — Threat model snapshot

  • PASTA: map checkout flow, third-party integrations (payments, analytics), and trust boundaries.
  • STRIDE: Repudiation (disputed orders), Info disclosure (customer data leak), Tampering (cart manipulation).
  • DREAD example: order fraud via checkout manipulation → Medium Damage, High Reproducibility, Low Discoverability → prioritize input validation, server-side checks, and monitoring.
  • Mitigations: server-side validation, nonce-based anti-replay, payment provider integration best-practices, Sentinel-style SIEM use-cases for fraud detection.
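The two DREAD examples above scored and ranked, as an added illustration that is not part of the original page. It assumes a Low=1 / Medium=2 / High=3 scale per factor with the threat score as the mean of the five factors; the ratings the page does not state (Affected users and Discoverability for the firmware case, Exploitability and Affected users for the order-fraud case) are constructed for the example.

```python
from dataclasses import dataclass
from statistics import mean

# Assumed scale: Low=1, Medium=2, High=3 per DREAD factor.
# Threat score = mean of the five factors; higher means fix first.
RATING = {"Low": 1, "Medium": 2, "High": 3}
FACTORS = ("damage", "reproducibility", "exploitability",
           "affected_users", "discoverability")


@dataclass(frozen=True)
class Threat:
    name: str
    stride: str            # STRIDE category the threat maps to
    damage: str
    reproducibility: str
    exploitability: str
    affected_users: str
    discoverability: str

    def __post_init__(self):
        # Reject typos such as "Med" early, before they silently skew a ranking.
        for f in FACTORS:
            if getattr(self, f) not in RATING:
                raise ValueError(f"{self.name}: bad {f} rating {getattr(self, f)!r}")

    def dread_score(self) -> float:
        return round(mean(RATING[getattr(self, f)] for f in FACTORS), 2)


def prioritize(threats):
    """Return threats ordered by DREAD score, highest first (ties keep input order)."""
    return sorted(threats, key=lambda t: t.dread_score(), reverse=True)


# The two snapshot threats from the page. Ratings the page does not give are
# constructed assumptions, not values from the original analysis.
THREATS = [
    Threat("Firmware tamper via OTA update", "Tampering",
           damage="High", reproducibility="Medium", exploitability="Medium",
           affected_users="High", discoverability="Low"),          # assumed last two
    Threat("Order fraud via checkout manipulation", "Tampering",
           damage="Medium", reproducibility="High", exploitability="Medium",
           affected_users="Low", discoverability="Low"),           # assumed middle two
]

if __name__ == "__main__":
    for t in prioritize(THREATS):
        print(f"{t.dread_score():.2f}  {t.stride:<10} {t.name}")
```

With these ratings the firmware tamper scores 2.2 and the order fraud 1.8, so signed firmware and runtime verification are scheduled ahead of the checkout hardening.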