Written by Laurent Dupont

Threat Modeling Insider Newsletter

40th Edition – January 2025

Welcome!

New Year, Same Quality-Driven Threat Modeling Insider!

We’re excited to bring you another year filled with valuable Threat Modeling insights, and we’re kicking off 2025 with a bang! In our guest article, Jeroen Verwoest explains how you can enhance your penetration tests using threat modeling techniques. Meanwhile, our Toreon blog post covers Risk Patterns, with Sebastien Deleersnyder discussing their potential and how they can boost your threat models.

But that’s not all—let’s dive in!

Welcome!

New Year, Same Quality-Driven Threat Modeling Insider!

We’re excited to bring you another year filled with valuable Threat Modeling insights, and we’re kicking off 2025 with a bang! In our guest article, Jeroen Verwoest explains how you can enhance your penetration tests using threat modeling techniques. Meanwhile, our Toreon blog post covers Risk Patterns, with Sebastien Deleersnyder discussing their potential and how they can boost your threat models.

But that’s not all—let’s dive in!

On this edition

Guest article
How to Enhance Your Pentest Using Threat Modeling, by Jeroen Verwoest

Toreon Blog
Risk Patterns: Your Secret Weapon for Smarter Threat Modeling, by Sebastien Deleersnyder

Curated content
OWASP TOP 10 for LLM Applications 2025

Curated content
Steven Wierckx’s Choice: The Best Threat Modeling Talk of 2025

Tips & tricks
Threat composer workspace

Training update
An update on our training sessions for 2025.

Guest article

How to Enhance Your Pentest Using Threat Modeling

Written by Jeroen Verwoest, Product Owner of Threat Modeling, ABN AMRO Bank

Introduction

Before we go into how a threat model can help you get more value from a security penetration test (pentest), let me provide some context and purpose. This article is based on my experience as a former professional requesting pen tests and utilizing their outcomes to ensure security assurance and requirements. Additionally, I have introduced threat modeling at my current company and continuously develop, evolve, and embed it into our security and development processes.

I hope this article will inspire you to harness the strengths of both tools to maximize the return on investment in pentesting and threat modeling.

Pentesting

How can you ensure your application withstands a hacker’s attack? How far should you go to protect it, and is it worth the time, effort, and money? Pentesting is a powerful tool to assess how well-protected you are against attacks. However, there are challenges in conducting pentests and utilizing their results effectively:

Limited or Unclear Scope: An ambiguous scope can lead to bias and a narrow focus on specific attack vectors, creating blind spots and resulting in missed vulnerabilities or false negatives.
Misinterpreted Reporting: Issues reported solely based on “ease of exploitation” can lead to findings being misjudged as more critical (false positives) or less critical (false negatives) than they actually are.
Cost and Resource Intensity: Pentesting is expensive and requires time, expertise, and resources. Given the costs, it is crucial to maximize its value.
Unrelatable Test Report: Reported test results are not relatable to the business value of the application. The severity of the findings can be rejected because of this mismatch. The absence of business context hinders the creation of clear priorities for the application’s responsible parties.
Compliance-Driven Testing: Performing tests just because they are regulatory requirements can deprioritize potentially vulnerable applications. Skipping or delaying such tests requires specialist knowledge and clear rationale, especially in regulated sectors like finance.

Threat Modeling

Assuming you’re already familiar with threat modeling, let’s focus on how we position and perform it. Our practice uses threat modeling as a mandatory activity for teams managing applications of specific classifications. Governance ensures these applications maintain up-to-date threat models.

We use STRIDE-by-component, where components include data, technical elements, and processes. To guide the interaction between development teams and security specialists, we rely on Adam Shostack’s four questions:

What are we doing?
What can go wrong?
What are we going to do about it?
Did we do a good job?

Our process comprises four steps: intake, brainstorming, handover, and testing/review.

Threat Modeling and Pentesting

Pentesting integrates with the fourth step of threat modeling (testing and review), but there are additional opportunities to share information and integrate the two tools throughout the process. Using the mentioned process steps of intake, brainstorm, handover, review, and testing, we will answer the four questions and place the Threat Modelling and Pentest instruments side by side to solve the challenges mentioned above.

Intake

What Are We Doing?

Threat Modeling: Define the service, solution, or product being analyzed, understanding its purpose and business value. Create data flow diagrams detailing components, data classifications, and connections.
Pentesting: Use this information to scope the pentest. Understanding the business context allows for the creation of an effective test plan. Adding data value, flow, component purpose, and interfaces enables clear objectives for the test, identifying the targets.

As a result, the scope will align application value, attacker targets, and the technology in use, solving the challenge of “Limited or Unclear Scope.”

Brainstorm & Handover

What Can Go Wrong?

Threat Modeling: Identify and categorize threats using STRIDE. Place threats in categories with targets, descriptions or methods, actors, and severity. This serves as a technical reflection and translation of business concerns and risks.
Pentesting: These threats provide testers with a detailed understanding of where the targets reside. Testers will understand the undesired effect of the threat and its severity, supporting the design of the attack vector and plan.
“What would the attacker seek to achieve?”

What Are We Going to Do About It?

Threat Modeling: Collaborate with developers to assess feasibility, cost, and effort for implementation. Develop countermeasures as actionable security requirements.
Pentesting: Leverage the defined countermeasures to tailor attack plans. Pentesters can focus on potential vulnerabilities rather than redundant testing, saving time and resources. Efforts focus on simulating real-world attacker techniques effectively. Additionally, the countermeasures’ performance and effectiveness are tested.

Gathering information from the brainstorming session, the threats and countermeasures address the following challenges:

Misinterpreted Reporting: Findings related to the target, its value, and threat severity from the threat model. This helps contextualize any additional threat vectors or attack methods.
Cost and Resource Intensity: With known threats and undesired effects, an efficient test plan can be created. Testers can focus on how these threats might be successful. The test will still cost the same, but the return on investment will be improved.

Review and Testing

Did We Do a Good Job?

Pentesting: Report findings and relate them to the target in the identified threats and their countermeasures. Describe the severity of findings that are aligned with the threats and their severity. New threats can be related to an undesired effect based on the value of the target, impact, and ease of exploitation.
Threat Modeling: Review the threat model using pentest results and findings. The report will introduce new threats with relatable and more accurate severity, leading to the design of new countermeasures. These countermeasures can then be prioritized more effectively.

This approach solves the challenge of an “Unrelatable Test Report”. Using threat modeling results creates a report that businesses relate to. New threats or attack methods not identified in the threat model ensure application responsible parties are aware of them.

Compliance-Driven Testing

The problem of compliance-driven testing cannot be solved through individual threat models and their aligned pentests.

In industries with considerable IT security oversight, compliance will always drive pentesting. Threat models can help create a threat-based rationale for the prioritization of pentests. The following criteria should be in place:

High Data Quality and Consistency: Capture threats and countermeasures in a structured, consistent, and complete manner. Include metadata like data classification, severity, alignment with internal controls, and service.
Linking Threat Models: Applications in one threat model may represent part of an end-to-end process for a service, product, or solution. Connecting these using a nesting or linking technique provides more contextual knowledge about threats. It shows attack vectors as part of lateral movement from a low-value application to a high-value target in another application, enabling testing prioritization of overlooked applications.

Conclusion

Integrating threat modeling and pentesting can significantly improve the effectiveness and efficiency of security processes. By aligning these tools, organizations can create a seamless workflow where threat models inform pentests, and pentests validate or refine threat models. This synergy addresses common challenges such as unclear scopes, misinterpreted findings, and cost inefficiencies.

Incorporating threat modeling early in the development cycle—such as during the “Plan” phase of a DevOps workflow—ensures that pentests are scoped effectively and produce actionable insights. This approach fosters continuous improvement, aligning security efforts with business priorities and delivering more meaningful results.

The integration of these methodologies not only improves outcomes but also inspires confidence in security processes. While challenges remain in determining when to conduct pentests for a large volume of applications, structured approaches, better tools, and consistent data integration pave the way for scalable solutions. Use this framework as a starting point to explore how combining pentesting and threat modeling can transform your security practices.

Final Note

The described approach reflects our practices and is meant to inspire, not instruct. Adapt what resonates with your context and experiment with integrating pentesting and threat modeling for improved security outcomes. I consider creating a mapping table between the processes, if it does not yet exist.

Advance your career with our in-company Threat Modeling Practitioner certification - tailored training options available!

Testimonial from a Happy Customer:

The Threat Modeling training from Toreon was a game changer. The trainers were true experts, answering all our questions and guiding us through complex topics. The hands-on sessions and well-structured approach gave our team the confidence to tackle threat modeling effectively, no matter their experience level. It’s made a real impact on how we protect our organization.

Maxine McFarlane, Application Security SME, Lloyds Banking Group

CURATED CONTENT

Handpicked for you

Toreon Blog: Risk Patterns, Your Secret Weapon for Smarter Threat Modeling

OWASP TOP 10 for LLM Applications 2025

Worried that hidden security issues could derail your big launch? Risk patterns can help you catch vulnerabilities early without getting overwhelmed. These predefined sets of risk scenarios and mitigations allow you to focus on critical threats by identifying potential attackers, how they might exploit your system, and the right countermeasures. Discover how risk patterns streamline your threat modeling process, saving time and boosting security.

The OWASP Top 10 for Large Language Model Applications began in 2023 to address AI-specific security risks. Since then, LLMs have expanded across industries, revealing new vulnerabilities. The 2025 update, shaped by a global community of experts, reflects these evolving threats. Key changes include updates on resource management risks, guidance on securing embeddings, and addressing real-world exploits like System Prompt Leakage. The expanded focus on Excessive Agency highlights the dangers of granting LLMs too much autonomy in agent-based architectures.

Steven Wierckx’s Choice: The Best Threat Modeling Talk of 2024

We asked Threat Modeling expert Steven Wierckx to share his top pick for a 2024 talk on threat modeling. His choice? “Threat Modeling & AI | Create advanced attack trees with this AI-powered threat modeling tool” by Audrey Long.

Steven found this talk to be particularly insightful because it introduced him to new ways of integrating AI into Threat Modeling, expanding his approach beyond traditional methods. He appreciated that the talk didn’t focus on a single, all-encompassing solution, but instead addressed smaller, specific problems that could be solved separately.

Most importantly, Steven highlighted how the ideas presented were immediately applicable, allowing him to put the concepts into practice right away.

TIPS & TRICKS

Threat Composer Workspace

Threat Composer is a tool designed to help automate threat modeling processes within a workspace. It assists security professionals and developers in identifying, assessing, and mitigating potential security risks during the development and deployment of applications.

The dashboard in the link provides a user interface where users can create and manage threat models, track security controls, and visualize different components and potential risks in their application architecture. This kind of tool is particularly useful for building secure systems by proactively addressing vulnerabilities.

Our trainings & events for 2025

Book a seat in our upcoming trainings & events

Agile Whiteboard Hacking a.k.a. Hands-on Threat Modeling, in-person, hosted by NDC Security, Oslo

20-21 January 2025

Threat Modeling Practitioner training, hybrid online, hosted by DPI

Cohort starting on 17 March 2025

Advanced Whiteboard Hacking a.k.a. Hands-on Threat Modeling, in-person, hosted by NorthSec, Montreal

10-11 May 2025

Agile Whiteboard Hacking a.k.a. Hands-on Threat Modeling, in-person, hosted by NDC Security, Oslo

20-21 January 2025

Threat Modeling Practitioner training, hybrid online, hosted by DPI

Cohort starting on 17 March 2025

Advanced Whiteboard Hacking a.k.a. Hands-on Threat Modeling, in-person, hosted by NorthSec, Montreal

10-11 May 2025

Hands-on Threat Modeling AI (NEW TRAINING), in-person, hosted by OWASP Global AppSec, Barcelona

27-28 May 2025

Threat Modeling Practitioner training, hybrid online, hosted by DPI

Cohort starting on 18 August 2025

Agile Whiteboard Hacking a.k.a. Hands-on Threat Modeling, in-person, OWASP Global AppSec, Washington DC

4-5 November 2025

Hands-on Threat Modeling AI, in-person, hosted by OWASP Global AppSec, Barcelona

27-28 May 2025

Threat Modeling Practitioner training, hybrid online, hosted by DPI

Cohort starting on 18 August 2025

Agile Whiteboard Hacking a.k.a. Hands-on Threat Modeling, in-person, OWASP Global AppSec, Washington DC

4-5 November 2025

Threat Modeling Insider Newsletter

Delivering the latest Threat Modeling articles and tips straight to your mailbox.