Quiz Entry - updated: 2026.07.14
What are the four steps in the Threat Modeling process?
Diagram → Identify → Mitigate → Validate: draw the system, find threats with STRIDE, design fixes, then check the fixes hold — repeated as the system changes.
* DFD notation — the four element types: Process (circle = service/component), Data Store (file/DB/queue), Source/Sink (rectangle = external), Data Flow (arrow). *
* The threat-modeling cycle — Diagram, Identify (STRIDE), Mitigate, Validate; repeated as the design evolves. *
The four steps are Diagram → Identify → Mitigate → Validate:
| Step | Action | Output |
|---|---|---|
| 1. Diagram | Draw Data Flow Diagrams (DFDs) | Visual of components, data flows, trust boundaries |
| 2. Identify | Find threats using STRIDE | List of potential security issues |
| 3. Mitigate | Design countermeasures | Security requirements and fixes |
| 4. Validate | Test mitigations work | Verified, updated threat model |
This is a continuous cycle - revisit whenever the system changes.
Mnemonic: "DIMV" = "Did I Miss Vulnerabilities?" - Diagram, Identify, Mitigate, Validate
Go deeper:
OWASP Threat Modeling Process — scope → identify threats → countermeasures → assess, with STRIDE and DFDs.