What if you could systematically find security flaws before attackers do?

That's exactly what threat modeling delivers. And STRIDE is the methodology that's helped security teams do it consistently for over two decades. Developed at Microsoft in 1999, STRIDE provides a structured framework for identifying threats that maps directly to the security properties you're trying to protect.

In this guide, you'll learn how to apply STRIDE to your systems—whether you're securing an API, a microservices architecture, or preparing for a compliance audit.

What is STRIDE?

STRIDE is a threat modeling methodology that categorizes security threats into six types. Each category maps to a security property that attackers try to violate:

Threat	What It Means	Security Property Violated
Spoofing	Pretending to be someone or something else	Authentication
Tampering	Modifying data or code without authorization	Integrity
Repudiation	Denying an action was taken	Non-repudiation
Information Disclosure	Exposing data to unauthorized parties	Confidentiality
Denial of Service	Making a system unavailable	Availability
Elevation of Privilege	Gaining access beyond what's authorized	Authorization

The power of STRIDE is its simplicity. For every component in your system, you ask: "How could an attacker spoof, tamper, repudiate, disclose, deny service, or elevate privilege here?"

A Brief History

STRIDE was created by Loren Kohnfelder and Praerit Garg at Microsoft to help developers think systematically about security threats. It's since become one of the most widely used threat modeling frameworks, incorporated into tools like Microsoft's Threat Modeling Tool and OWASP Threat Dragon.

When to Use STRIDE

STRIDE works best in these scenarios:

During Design (Ideal)

Threat modeling during the design phase catches issues when they're cheapest to fix. Before you write code, map out your architecture and run STRIDE against it.

On Existing Systems

Already in production? STRIDE still helps. Focus on critical components, data flows, and recent changes. You'll likely find issues that testing alone would miss.

For Compliance

Regulations like DORA, ISO 27001, and SOC 2 require documented risk assessments. A STRIDE threat model provides the systematic, auditor-ready documentation they expect.

Before Major Changes

Adding a new API? Integrating a third-party service? Moving to the cloud? These are ideal moments to revisit your threat model.

Step-by-Step: How to Apply STRIDE

Step 1: Define the Scope

Start by answering: What are we protecting?

Don't try to model your entire organization at once. Pick a specific system, application, or feature. Good starting points:

A single API or service

A user authentication flow

A payment processing pipeline

A data storage component

Step 2: Create a Data Flow Diagram (DFD)

Map how data moves through your system. A DFD includes:

External entities - Users, third-party services, anything outside your control

Processes - Your application components that transform data

Data stores - Databases, file systems, caches

Data flows - Arrows showing how data moves between components

Trust boundaries - Lines separating different trust levels (e.g., internet vs. internal network)

┌─────────────┐     HTTPS      ┌─────────────┐     SQL      ┌─────────────┐
│    User     │ ─────────────► │   Web API   │ ──────────► │  Database   │
│  (Browser)  │                │  (Process)  │              │   (Store)   │
└─────────────┘                └─────────────┘              └─────────────┘
       │                              │
       │         Trust Boundary       │
═══════╪══════════════════════════════╪═══════════════════════════════════
       │           (Internet)         │

Step 3: Identify Threats Using STRIDE

Now walk through each component and data flow, asking the STRIDE questions:

For each process, data store, and data flow:

Category	Question to Ask
Spoofing	Can an attacker pretend to be a legitimate user or component?
Tampering	Can an attacker modify data in transit or at rest?
Repudiation	Can a user deny performing an action? Do we have audit logs?
Information Disclosure	Can sensitive data leak to unauthorized parties?
Denial of Service	Can an attacker make this component unavailable?
Elevation of Privilege	Can an attacker gain admin or higher-level access?

Example findings for a Web API:

Component	Threat	STRIDE Category	Description
Web API	Spoofing	S	Attacker uses stolen JWT to impersonate user
Web API	Tampering	T	Man-in-the-middle modifies API requests
Web API	Repudiation	R	No audit log for sensitive operations
Database	Information Disclosure	I	SQL injection exposes customer data
Web API	Denial of Service	D	No rate limiting allows resource exhaustion
Web API	Elevation of Privilege	E	IDOR allows access to other users' data

Step 4: Prioritize with Risk Assessment

Not all threats are equal. Prioritize based on:

Likelihood - How easy is this to exploit?

Impact - What's the damage if exploited?

Existing controls - Do we already mitigate this?

Many teams use DREAD scoring alongside STRIDE:

Factor	Question	Score (1-10)
Damage	How bad is the impact?
Reproducibility	How easy to reproduce?
Exploitability	How easy to exploit?
Affected Users	How many users impacted?
Discoverability	How easy to find?

Focus your mitigation efforts on high-risk threats first.

Step 5: Define Mitigations

For each prioritized threat, define how you'll address it:

Threat	Mitigation	Implementation
Stolen JWT (Spoofing)	Short token expiry + refresh tokens	Set JWT expiry to 15 min
MITM (Tampering)	TLS 1.3 everywhere	Enforce HTTPS, HSTS headers
No audit logs (Repudiation)	Implement audit logging	Log all sensitive operations
SQL injection (Info Disclosure)	Parameterized queries	Use ORM, input validation
No rate limiting (DoS)	Implement rate limiting	Redis-based rate limiter
IDOR (Elevation)	Authorization checks	Verify user owns resource

Step 6: Document and Track

Your threat model isn't useful if it lives only in someone's head. Document:

Scope and assumptions

Data flow diagram

Identified threats (with STRIDE category)

Risk ratings

Mitigations (implemented and planned)

Date and participants

Store this alongside your architecture documentation. Review it when the system changes.

Common STRIDE Mistakes to Avoid

1. Doing it once and forgetting it

STRIDE isn't a one-time exercise. Your system evolves, new threats emerge. Review your threat model quarterly or when making significant changes.

2. Scope too broad

Trying to model everything leads to analysis paralysis. Start small, go deep, then expand.

3. Ignoring trust boundaries

The most interesting threats happen where trust levels change—between the internet and your app, between services, between user roles. Pay extra attention here.

4. Skipping the DFD

It's tempting to jump straight to listing threats. Don't. The DFD forces you to understand your system systematically. Threats become obvious once you see the data flows.

5. Not involving developers

Security teams can't threat model in isolation. Developers know how the system actually works—including the shortcuts and workarounds that create vulnerabilities.

Tools for STRIDE Threat Modeling

Free:

OWASP Threat Dragon - Open source, web-based

Microsoft Threat Modeling Tool - Windows desktop app

Draw.io / Lucidchart - For creating DFDs manually

Commercial:

IriusRisk - Automated threat modeling platform

ThreatModeler - Enterprise threat modeling

AI-Assisted:

Ansvar - AI-powered analysis with expert review

Key Takeaways

STRIDE categorizes threats into six types: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege

Start with a clear scope and data flow diagram before identifying threats

Prioritize threats based on likelihood and impact—not everything needs immediate action

Document your threat model and review it when systems change

STRIDE identifies threats; pair it with DREAD or similar for severity ranking

Iterate—threat modeling is ongoing, not one-and-done

Next Steps

Ready to threat model your system but short on time? Our AI-powered platform delivers expert-reviewed threat models in days, not weeks.

Get started with Ansvar and see how systematic threat identification can strengthen your security posture.

Sources:

OWASP Threat Modeling Process

OWASP Threat Modeling Cheat Sheet

Practical DevSecOps - STRIDE Guide

Drata - STRIDE Tutorial

Found this helpful?

Share it with your network

Written by

Jeffrey von Rotz

Founder

Building tools to make threat modeling accessible to every development team.

Ready to automate your threat modeling?

Join security teams using Ansvar to build comprehensive threat models in days, not weeks.

Get Started