PASTA, STRIDE, DREAD, Oh My! An introduction to Threat modeling frameworks
November 5th, 2025
The purpose of threat modeling frameworks like PASTA, STRIDE, DREAD, and Trike is to provide a systematic approach to quantifying, analyzing, and mitigating security threats to software during the development lifecycle.
PASTA (Process for Attack Simulation and Threat Analysis) is a threat modeling methodology that incorporates attack modeling to analyze threats to software.
PASTA is a 7-step process:
1. Identify Security Objectives
2. Define Technical Scope
3. Application Decomposition
4. Threat Analysis
5. Vulnerability and Weakness Analysis
6. Attack Simulation
7. Risk and Impact Analysis
The application is broken down into its smallest components and, with the help of decomposition diagrams, threat analysis is performed on each component. Discovered vulnerabilities are also analyzed, and this information is used to view the threat model from an attacker's perspective by modeling attack scenarios with attack trees and performing attack surface analysis. In the final step, risk and business impact are quantified, and the necessary countermeasures are implemented.
DREAD is an acronym standing for Damage potential, Reproducibility, Exploitability, Affected users, and Discoverability, and it is used to quantify risk. Security architects evaluate the software application and quantify risk by scoring 1-3 in each category; a total score of 12-15 is considered “high risk”.
STRIDE stands for Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege. If DREAD’s purpose is to quantify risk, then STRIDE’s purpose is to categorize threats. Each threat category maps directly to a key security objective. STRIDE allows teams to systematically group, evaluate, and mitigate threats across all software components.
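The three ideas above (decomposing the application into components, categorizing threats per component with STRIDE, and scoring each threat with DREAD on a 1-3 scale where a total of 12-15 is high risk) fit together in a small script. The following is an added example written for this post, not code from the author or from any of the frameworks; the per-element STRIDE applicability table, the STRIDE-to-objective mapping, the sample application and the sample scores are assumptions chosen for illustration.

```python
"""Added example: STRIDE categorization per component plus DREAD scoring/ranking.

Not from the original post. The element-type -> STRIDE table and the sample
application are assumptions for illustration; scores are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# STRIDE letter -> (threat category, security objective it violates)
STRIDE = {
    "S": ("Spoofing", "Authentication"),
    "T": ("Tampering", "Integrity"),
    "R": ("Repudiation", "Non-repudiation"),
    "I": ("Information disclosure", "Confidentiality"),
    "D": ("Denial of service", "Availability"),
    "E": ("Elevation of privilege", "Authorization"),
}

# Assumption: which STRIDE categories apply to which data-flow-diagram element
# type (the usual "STRIDE-per-element" convention). A data flow, for instance,
# cannot itself be spoofed or escalate privilege, so it gets only T, I and D.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TRID",
}

DREAD_CATEGORIES = (
    "damage", "reproducibility", "exploitability", "affected_users", "discoverability",
)
HIGH_RISK_MIN = 12  # per the post: a DREAD total of 12-15 is "high risk"


@dataclass
class Element:
    name: str
    kind: str  # one of the APPLICABLE keys


@dataclass
class Threat:
    element: str
    category: str          # STRIDE letter
    dread: Dict[str, int]  # category -> score, each 1-3

    def score(self) -> int:
        """Sum of the five DREAD scores; rejects a missing or out-of-range value."""
        for cat in DREAD_CATEGORIES:
            value = self.dread.get(cat)
            if value is None or not 1 <= value <= 3:
                raise ValueError(f"{cat} must be scored 1-3, got {value!r}")
        return sum(self.dread[cat] for cat in DREAD_CATEGORIES)

    def is_high_risk(self) -> bool:
        return self.score() >= HIGH_RISK_MIN


def enumerate_threats(elements: List[Element]) -> List[Tuple[str, str]]:
    """Return (element name, STRIDE letter) for every category applicable to each element."""
    pairs = []
    for el in elements:
        if el.kind not in APPLICABLE:
            raise ValueError(f"unknown element kind: {el.kind}")
        for letter in APPLICABLE[el.kind]:
            pairs.append((el.name, letter))
    return pairs


def rank_threats(threats: List[Threat]) -> List[Threat]:
    """Highest DREAD total first; ties broken by element and category for a stable order."""
    return sorted(threats, key=lambda t: (-t.score(), t.element, t.category))


# Constructed sample: a small web application decomposed into DFD elements
SAMPLE_ELEMENTS = [
    Element("Browser user", "external_entity"),
    Element("Login request", "data_flow"),
    Element("Web API", "process"),
    Element("User database", "data_store"),
]

# Constructed DREAD scores for three of the enumerated (element, category) pairs
SAMPLE_THREATS = [
    Threat("Login request", "I", dict(damage=3, reproducibility=3, exploitability=2,
                                      affected_users=3, discoverability=2)),
    Threat("Web API", "E", dict(damage=3, reproducibility=2, exploitability=3,
                                affected_users=3, discoverability=3)),
    Threat("User database", "D", dict(damage=2, reproducibility=2, exploitability=1,
                                      affected_users=3, discoverability=1)),
]


def report(elements: List[Element], threats: List[Threat]) -> List[str]:
    """Human-readable lines: the STRIDE checklist, then threats ranked by DREAD."""
    lines = [f"{name}: {STRIDE[c][0]} (violates {STRIDE[c][1]})"
             for name, c in enumerate_threats(elements)]
    for t in rank_threats(threats):
        flag = "HIGH" if t.is_high_risk() else "-"
        lines.append(f"{t.score():2d} {flag:4s} {t.element} / {STRIDE[t.category][0]}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ELEMENTS, SAMPLE_THREATS)))
```

The enumerated (element, category) pairs are the checklist a team works through during application decomposition and threat analysis; only the pairs that turn out to be credible threats get DREAD scores, and the ranked list is what feeds the final risk and impact step.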
Lastly, Trike is a threat modeling framework that differs from STRIDE and DREAD in that it links threats to the business risks that matter to stakeholders. The goal of the Trike framework is to determine whether the risk attributed to each asset is acceptable to its owners. There are many Trike framework tools that provide automated threat generation based on a description of the security characteristics of an application and its architecture.
As cybersecurity professionals, we use threat modeling frameworks to proactively find and address vulnerabilities, improve security architecture, and make informed decisions about risk and mitigation strategies, with the goal of developing and maintaining secure applications.
— Ben Skinner