# Threat Modeling ![Threat Modeling](/files/oNSVywuFuY1BFLYTPQwc) ## Threat Modeling > **Section focus:** Threat Modeling.\ > **Best use:** start with the section map below, then move into the deeper pages that match your role or stack.\ > **Design note:** this index was refreshed to act as a cleaner GitBook landing page instead of a plain directory listing. ### Start with these pages | Page | Why open it first | | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------- | | [🧭 Threat Modeling Methods and Workflows](/application-security-and-secure-sdlc/index/threat-modeling-methods-and-workflows.md) | High-value page inside **Threat Modeling**. | | [🏒 Multi-Tenant and Microservice Threat Modeling](/application-security-and-secure-sdlc/index/multi-tenant-and-microservice-threat-modeling.md) | High-value page inside **Threat Modeling**. | | [πŸ“ Architecture Review Question Bank and Decision Records](/application-security-and-secure-sdlc/index/architecture-review-question-bank-and-decision-records.md) | High-value page inside **Threat Modeling**. | | [☸️ Threat Modeling Process β€” Kubernetes Example](/application-security-and-secure-sdlc/index/kubernetes-threat-modeling-process-example.md) | High-value page inside **Threat Modeling**. | | [🧱 Security Requirements, Trust Boundaries, Data Flows, and Architectural Trade-offs](/application-security-and-secure-sdlc/index/security-requirements-trust-boundaries-data-flows-and-architectural-trade-offs.md) | Fast reference page for the core secure-design concepts reviewers keep re-explaining. | | [🧭 STRIDE, DREAD, and PASTA β€” Practical Comparison](/application-security-and-secure-sdlc/index/stride-dread-and-pasta-practical-comparison.md) | Practical comparison of classic threat-modeling methods, where they fit, and how to translate findings between them. | ### Related sections * [DevSecOps Lifecycle](/devsecops-cicd-and-supply-chain/index.md) * [Application Security](/application-security-and-secure-sdlc/index-1.md) *** > **Intro:** Threat modeling is the planning layer that explains why the controls in this archive exist. The useful version is not a one-time workshop. It is a repeatable review habit that helps teams pick the right controls, not just more controls. > > **What this page includes** > > * practical threat-modeling workflows for product teams > * multi-tenant and microservice review patterns > * architecture review question banks and decision records > * cross-links into API, cloud, and detection work > > **Working assumptions** > > * the model should be fast enough to use before design freeze > * the output should change backlog, defaults, or gates, otherwise the exercise was too abstract ### Section map | Page | Why it belongs here | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------- | | [Threat Modeling Methods and Workflows](/application-security-and-secure-sdlc/index/threat-modeling-methods-and-workflows.md) | Turns threat modeling into a repeatable operating rhythm instead of a ceremonial workshop. | | [Multi-Tenant and Microservice Threat Modeling](/application-security-and-secure-sdlc/index/multi-tenant-and-microservice-threat-modeling.md) | Focuses on the trust boundaries that repeatedly matter in SaaS products. | | [Architecture Review Question Bank and Decision Records](/application-security-and-secure-sdlc/index/architecture-review-question-bank-and-decision-records.md) | Gives reviewers concrete questions and a durable way to record trade-offs. | | [Security Requirements, Trust Boundaries, Data Flows, and Architectural Trade-offs](/application-security-and-secure-sdlc/index/security-requirements-trust-boundaries-data-flows-and-architectural-trade-offs.md) | Gives concise definitions and a review table for the concepts that anchor most threat-model outputs. | | [STRIDE, DREAD, and PASTA β€” Practical Comparison](/application-security-and-secure-sdlc/index/stride-dread-and-pasta-practical-comparison.md) | Explains where each model helps, where it misleads, and how teams can map outputs between methods. | ### Core principle A threat model is useful when it changes one of four things: 1. a design decision; 2. a default platform control; 3. a release or review gate; or 4. a monitoring and response requirement. If none of those moved, the exercise probably produced vocabulary rather than security. ### Related pages * [API Security](/architecture-api-crypto-and-identity/index.md) * [Detection and Response](/attack-paths-testing-detection-and-hardening/index.md) * [Secure Architecture Patterns](/architecture-api-crypto-and-identity/index-1.md) ### Suggested reference links * [OWASP ASVS](https://github.com/OWASP/ASVS) * [OWASP Microservices Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Microservices_Security_Cheat_Sheet.html) *** *Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.* --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.product-security.expert/application-security-and-secure-sdlc/index.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.