Threat Modeling Without a Security Team
You do not need a CISO to threat-model. The framework is teachable in a sprint.
Why most teams skip it
Most teams without a security team skip threat modeling because it sounds like specialist work. The result: vulnerabilities discovered after release, not before.
The framework is light enough for engineers to run on themselves.
The four questions
- Q1: What are you building? Architecture sketch; data flows.
- Q2: What can go wrong? STRIDE shorthand: spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege.
- Q3: What will you do about it? Mitigations per identified threat.
- Q4: Did you do a good job? Review with a colleague.
Sprint-cadence integration
One threat-modeling session per sprint, 30-60 minutes, on the most impactful new feature.
Cumulatively, most features get a model within a quarter.
Output format
Output: one-page document with the four questions answered. Linked from the design doc. Reviewed at sprint demo.
The output is communication, not compliance. Keep it light.
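A lightweight "threat model as code" version of the four questions and the one-page output, added here as an example (not from the article): the STRIDE-per-element mapping is the conventional one, and the sample feature, element names and mitigations are constructed for illustration.

```python
from dataclasses import dataclass, field
# Added example (not from the article): a minimal "threat model as code" for the
# four-question format. Element types and the STRIDE-per-element mapping below
# are the conventional ones; the sample system at the bottom is constructed.
STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}
# Which STRIDE categories usually apply to each element type in the sketch.
PER_ELEMENT = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}

@dataclass
class Element:
    name: str
    kind: str                                        # external|process|store|flow
    mitigations: dict = field(default_factory=dict)  # STRIDE letter -> mitigation

def candidate_threats(e):
    """Q2: every STRIDE category that applies to this element type."""
    return [STRIDE[c] for c in PER_ELEMENT[e.kind]]

def unmitigated(e):
    """Q4 input: applicable categories with no mitigation recorded."""
    return [STRIDE[c] for c in PER_ELEMENT[e.kind] if c not in e.mitigations]

def render(feature, elements):
    """The one-page document: the four questions, answered from the data."""
    out = [f"Threat model: {feature}", "Q1 What are we building?"]
    out += [f"  - {e.name} ({e.kind})" for e in elements]
    out.append("Q2 What can go wrong?")
    out += [f"  - {e.name}: " + ", ".join(candidate_threats(e)) for e in elements]
    out.append("Q3 What will we do about it?")
    out += [f"  - {e.name} / {STRIDE[c]}: {m}"
            for e in elements for c, m in e.mitigations.items()]
    out.append("Q4 Did we do a good job? Open for reviewer:")
    out += [f"  - {e.name} / {t}: no mitigation yet"
            for e in elements for t in unmitigated(e)]
    return "\n".join(out)

# Constructed sample: adding "download invoice PDF" to a web app.
SAMPLE = [
    Element("Customer browser", "external", {"S": "session cookie bound to login"}),
    Element("Invoice API", "process", {"S": "auth middleware",
                                       "E": "ownership check on invoice id"}),
    Element("Invoice store", "store", {"I": "encrypted at rest"}),
    Element("API -> store query", "flow", {"T": "parameterised queries", "I": "TLS"}),
]

if __name__ == "__main__":
    print(render("Download invoice PDF", SAMPLE))
```

The Q4 list is what the colleague reviews: each "no mitigation yet" line is either accepted as a known risk or turned into a ticket.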
Antipatterns
- Threat modeling once a year. Code drifts faster than the doc.
- Threat modeling without engineers. Compliance theatre.
- One mega-document. Nobody reads it.
What to do this week
Three moves. (1) Pick one production system to apply this pattern to first. (2) Measure the security signal before/after. (3) Document the gap and write a follow-up ticket so the program stays alive between quarterly reviews.