Governance Capability Brief
Threat Modeling
We help teams identify security problems in their designs before those problems become vulnerabilities in their code. Structured, repeatable, and integrated into how you already build software.
What this is about
Security issues found in design cost a fraction of what they cost in production
The most impactful security flaws are often not implementation bugs but design decisions - an authentication boundary in the wrong place, a data flow that crosses a trust zone without validation, or an API that exposes more than it should. Threat modeling surfaces these issues during the design phase when they can be addressed with a design change rather than a costly rearchitecture. Casaba runs threat modeling sessions as structured, facilitated reviews that produce actionable output - not checkbox documents that sit on a shelf.
How we approach it
STRIDE analysis with data flow diagrams
Feature Walkthrough and Context Gathering
Every review begins with an overview of the feature under analysis: what it does, how it works, and what data it handles. We evaluate the sensitivity of that data across multiple dimensions - regulatory requirements, privacy implications, business impact, and security classification.
Data Flow Diagram Validation
The team presents or co-creates a threat model diagram showing data flows, processes, data stores, external entities, and trust boundaries. Reviewers validate in-scope vs. out-of-scope components, identify missing components or data flows, and ensure the diagram accurately represents the system as built.
STRIDE Threat Analysis
Systematic evaluation of each component and data flow against the six STRIDE threat categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. For each element in the diagram, we ask what can go wrong and identify specific threats that apply.
Trust Level and Mitigation Assessment
Reviewers evaluate component trust levels and the data each component handles to determine what vulnerabilities exist and what mitigations are required. This includes evaluating whether security controls like web application firewalls, input validation, and access controls are placed correctly relative to trust boundaries.
Encryption and Cryptographic Review
Checking encryption requirements across three dimensions: data in transit, data at rest, and protection of cryptographic and authentication material. We evaluate whether sensitive keys and credentials are stored using hardware-backed mechanisms like HSMs, and whether TLS configuration meets current standards.
Authentication and Authorization Review
Reviewing authentication methods and privilege levels across the system. We provide guidance on least-privilege design, secure token handling, and ensuring that authentication boundaries align with the trust zones identified in the data flow diagram.
Specialized review tracks
Issues that need specialist attention get routed to the right reviewers
AI and LLM Threat Modeling
Features integrating large language models or AI agents are evaluated for AI-specific threats: direct and indirect prompt injection, excessive agency, data poisoning through retrieval pipelines, and unsafe output handling. We assess whether the system's trust boundaries account for the fact that LLM outputs are inherently untrustworthy and should be treated as untrusted input by downstream components. Teams are also referred for responsible AI review when applicable.
Privacy-Focused Review
Features handling personal data or operating under privacy regulations are assessed for data minimization, purpose limitation, consent flows, and cross-boundary data transfers. Data retention practices are evaluated when teams maintain their own storage, with attention to whether retention periods align with regulatory requirements.
Cryptographic Implementation Review
Systems relying on custom cryptographic implementations, key management, or certificate handling are routed to specialist cryptographic review. This covers key generation, rotation, storage, and destruction as well as protocol selection and cipher suite configuration.
Third-Party and Supply Chain Review
Reviewers check for vulnerabilities introduced through external libraries and ensure automatic dependency scanning is properly configured and integrated into the build pipeline. This includes evaluating whether the team's dependency management practices would catch known vulnerabilities before they reach production.
What we deliver
Threat models that evolve with your product
Casaba delivers threat model documentation that is designed to be maintained, not filed away. If previous threat model notes exist for a feature, our review begins with what has changed since the last assessment. Each review produces an updated data flow diagram, a catalog of identified threats with their STRIDE classification, recommended mitigations mapped to specific threats, and a prioritized list of items requiring follow-up.
For organizations building threat modeling into their SDL, we help establish the program from the ground up - defining when reviews happen, who participates, how output is tracked, and how threat models feed into test planning for subsequent penetration testing engagements.
How we work
Our process
1. Scoping
We assess the number and complexity of features, services, or systems requiring threat modeling. Whether it is a one-time review of a critical feature or an ongoing program covering your entire product portfolio, we scope the engagement to match.
2. Preparation
We review available documentation, architecture diagrams, and any existing threat models. We identify stakeholders - developers, architects, product managers, and security engineers - who need to participate in the review sessions.
3. Facilitated Review Sessions
Interactive sessions where we walk through the system design, build or validate data flow diagrams, apply STRIDE analysis, and identify threats and mitigations. These are working sessions, not presentations - the team participates actively.
4. Documentation and Follow-Up
Completed threat model documentation with data flow diagrams, threat catalog, mitigation recommendations, and identified follow-up items. We present findings to stakeholders and can feed identified threats directly into test plans for penetration testing engagements.
Build security into your design before it becomes a problem in your code.
Let's talk about threat modeling for your team.
Get in touch