Threat Modeling

Why Trust Techopedia

What Does Threat Modeling Mean?

Threat modeling is a systematic process for identifying and rating security-related threats to a specific information technology (IT) system. The process involves identifying security threats and rating them according to their severity and level of probability. Threat modeling plays an important role in risk management.


The goal of threat modeling is to evaluate attack surfaces, predict potential attack vectors and put procedures in place to lower the risk that an attack will be successful.

A well-developed threat model:

1. Documents how a particular information technology (IT) system is intended to function.

2. Identifies what attack vectors might be used against this particular system.

3. Explains what counter-measures have been put in place to protect the system.

Techopedia Explains Threat Modeling

Threat modeling is conducted early in the design phase of a system or application and is used to pinpoint the motives and attack vectors that could be used by an attacker. This involves thinking like an attacker and using two different types of models: a digital twin of what it is being built and a model of security threats likely to be used against it.

The strategies used to carry out threat modeling can be broadly divided into two groups, attack tree-based approaches and stochastic model-based approaches. Attack trees formally describe how secure a system is likely to remain against a variety of attacks. Stochastic models commonly convert system models to Markov chains to learn what dependencies might impact the probability that an attack will be successful.


Related Terms

Margaret Rouse
Senior Editor
Margaret Rouse
Senior Editor

Margaret is an award-winning technical writer and teacher known for her ability to explain complex technical subjects to a non-technical business audience. Over the past twenty years, her IT definitions have been published by Que in an encyclopedia of technology terms and cited in articles by the New York Times, Time Magazine, USA Today, ZDNet, PC Magazine, and Discovery Magazine. She joined Techopedia in 2011. Margaret's idea of a fun day is helping IT and business professionals learn to speak each other’s highly specialized languages.