Skip to main content

Learn Threat Modeling Fundamentals

Learning Objectives

After completing this unit, you’ll be able to:

  • Explain what threat modeling is and why it’s important.
  • Describe the threat modeling process.
  • Identify your team for conducting a threat modeling exercise.

Learn About Threat Modeling

Threat modeling is a structured approach for analyzing a system to assess risk, identify threats, and determine possible mitigations. In this context, a system is the entire set of interconnected components (like code, databases, services, and networks) that work together to deliver a function.

Modern systems are often too complex for any single person to fully understand, so at its core, threat modeling functions as a shared blueprint for system understanding by providing a framework to map system components, understand how they interact, and distribute the work of security analysis across a team.

This helps teams communicate clearly, agree on security objectives, and discuss potential attack paths. Because this analysis is documented, future team members can also understand earlier security decisions and continue the work as the system evolves.

By making system behavior and risk visible, teams can review potential threats earlier and make better decisions about what actions are worth taking, especially when working on complex or high-risk systems.

Define a Threat

Software systems are primarily built to deliver functionality, but in the context of security, the focus shifts to protecting the valuable things these systems create, store, or process. Those things are your assets. Assets often include sensitive data, credentials, internal services, APIs, and databases that store or process information. For example, customer data, authentication tokens, and configuration secrets are all valuable assets.

A threat is any intentional or accidental act or occurrence that could put those assets at risk. In many cases, threats take advantage of weaknesses in the system, but not all threats relate to a specific vulnerability. Some come from normal behavior, misuse, or external conditions even when the system is working as intended.

Threat modeling addresses this reality by helping teams identify risks early, while the system is still being designed. The goal is to design the system so that when it does fail, the impact is limited and controlled. When issues are found in the design stage, they can often be addressed with simple changes to how the system is built, rather than costly fixes later in production.

Threat Modeling Process

Threat modeling moves from understanding risk to analyzing how your system actually works. To do this, you need a clear view of your system’s components, how data moves between them, and where security boundaries are crossed. A data-flow diagram provides that view, allowing your team to focus on how the system behaves and where risks can appear.

The threat modeling process includes five steps.

  1. Agree on security objectives.
  2. Describe your architecture with a data-flow diagram.
  3. Identify threats.
  4. Identify possible mitigations.
  5. Implement, test, and validate protections.

When you use these steps to evaluate your project, it leads to predictable and repeatable results, which is important when it comes to security. Each step is explained in detail throughout this module.

Now, let’s create a team to conduct a threat modeling exercise.

A team of people are each bringing a piece of a puzzle to solve a problem.

Gather Your Team

Threat modeling works best when it includes people who manage different parts of the system. This often includes architects, developers, product managers, system owners, security engineers, and others who understand how the system is designed, built, and used, as well as those who can spot where assumptions about the system might break down or where the system could fail.

When assembling your team, ask:

  • Who understands how the system is supposed to work?
  • Who knows how it is implemented?
  • Who can identify where assumptions might break down?
  • Who has experience thinking about how systems can be misused?

You don’t need to document every specific token, private key, or line of configuration code before you start, because part of the value of threat modeling is that it helps surface hidden gaps, clarify assumptions, and shape how the system is built.

Now that you’ve identified what needs protection and who should be involved, the next step is to represent the system in a way that supports analysis.

Resources

Compartilhe seu feedback do Trailhead usando a Ajuda do Salesforce.

Queremos saber sobre sua experiência com o Trailhead. Agora você pode acessar o novo formulário de feedback, a qualquer momento, no site Ajuda do Salesforce.

Saiba mais Continue compartilhando feedback