Live Cyber Attack Lab 🎯 Watch our IR team detect & respond to a rogue insider trying to steal data! Choose a Session


Threat Modeling: 6 Mistakes You’re Probably Making

Data Security

Threat Modeling

Threat modeling is the new normal for modern cybersecurity teams. Predicting threats and testing all possible permutations of those threats and vulnerabilities is a difficult job. Companies spend hundreds of work hours to develop a comprehensive security strategy and the appropriate threat modeling to test, verify, and enhance the strategy over time. We will discuss mistakes security teams make while creating their threat models, along with strategies on how to use threat modeling as a proactive measure for cybersecurity.

What is Threat Modeling?

Threat modeling is the proactive process of identifying potential risks and threats, then creating tests and countermeasures to respond to potential threats. Threat modeling for cybersecurity is a rapidly evolving discipline: you can create threat models for almost any scenario you can imagine.

Get the Free Pen Testing Active Directory Environments EBook

“This really opened my eyes to AD security in a way defensive work never did.”

Successful threat modeling requires identifying potential threats, analyzing the possible effects of those threats, and determining if the threat is significant and requires a neutralization strategy. Cybersecurity teams encounter new threats constantly, and adapting to the latest malware or ransomware could protect the company from a large data breach penalty.

Note: Threat modeling is the process to create threat models. Threat models are the parameters that define a threat. Not all threat models apply to every system, and not all threat modeling will develop a new threat model.

How Threat Modeling Works

Threat modeling is asking and answering questions about the thing you are working to protect. It requires that you step out of the day-to-day whirlwind of data security and imagine the future. It’s important to not only create threat models as part of an implementation plan for new systems but also to set aside time to create or update threat models for older systems as well.

In addition to security team members, a threat modeling team should be made up of representatives from application owners, architects, administrators, and even customers. Pull all of those people into a room to ask questions, flag concerns, discuss potential resolutions, and troubleshoot issues. Here are some threat modeling example questions to get you thinking about that process:

Threat Modeling Questions to Ask

What are we building?

In order to understand the system you are threat modeling, you need to break down the system into smaller parts. For example, what kind of application is it? Does it have several components? Who does the application serve? By working through the system all the way down to the smallest components, you’ll have a decent framework to continue building the threat model.

What can go wrong?

Now review all of the “What if?” scenarios the team can imagine. What if a hacker steals someone’s account? What if someone breaks into the database? What if we get hit with a ransomware attack? Be creative and do your research. NIST and SANS have guidance to create comprehensive cybersecurity plans. Use that research to formulate your own questions. Be realistic and thorough with the “What Ifs?” – and let those questions drive threat modeling forward.

What are we going to do about that?

With the “What if?” questions prepared, the team needs to then spec out the impact of that scenario, how to manage the scenario, and the protections needed to defend against that scenario. There might be several mitigation options for each question, while some mitigation options might apply to several questions. Some “What ifs” might not require a response at all.

Did we do a good enough job?

Threat modeling isn’t a one and done meeting: schedule a recurring meeting to review the threat model’s performance and update the threat model. The threat model might need to be updated based on new cybersecurity threats that attackers employ, new variants, or new types of attacks. Whatever the case, take the time to bring the threat modeling team back together and do some further brainstorming and answer a few more “What ifs.”

6 Threat Modeling Mistakes

Threat Modeling Mistakes


  1. Think like an attacker. While this might seem like good advice at first, you probably aren’t, in fact, an attacker. At best, you’ll be guessing what an attacker is thinking about – or how they’re planning to behave. It’s not the worst thing you can do as part of your threat modeling, but make sure you cover the cybersecurity basics from the NIST or SANS guidelines before you get into the more esoteric.
  2. Don’t get esoteric. No, extra-terrestrials are not going to corrupt your data with their advanced system interface technology. And if they could, what are you actually going to do about it? Focus on the risks that are real and manageable.
  3. My threat model is complete. This is a two-edged sword. Never assume that the threat modeling team can imagine every potential threat that ever will exist, and don’t hold off deployment of a new system because there is a miniscule amount of risk either. So when the boss asks if the threat model is complete? Give them a realistic risk assessment and tell them that when the risk profile changes, there’s a plan to update the threat models.
  4. No CISSP, no dice. Gather a diverse team and include the stakeholders as well as customer voices, if possible – no certifications required. If necessary, have someone stand in for the customer – support techs are good at that role. Bring cybersecurity expertise to the team, but don’t exclude anyone based on that criteria alone.
  5. Don’t worry about that old system, we don’t need to develop a threat model for that. This is a huge mistake – just look at some of the recent data breaches making headlines. Go back through the service catalog and build threat models for any systems that don’t have one. It could be a colossal task, but the cost of not protecting your data and systems is only getting higher.
  6. Fail to use Varonis Threat Models to protect data. We’ve already put in the time, research, and analysis to get you started – with hundreds of out-of-the-box threat models. Varonis threat models reduce the time required to complete your threat modeling by providing pre-configured and thoroughly researched threat models out of the box. Our threat models analyze behavior and activity across multiple platforms, and alert on suspicious activity and other behavior that indicates a potential data breach.

How Does Varonis Make Threat Modeling Easier?

Varonis has developed hundreds of threat models to detect potential malware, cyberattacks, security vulnerabilities, and unusual behavior. Our dedicated research lab of security experts and data scientists continually develop new threat models to help detect everything from evolving strains of ransomware to the stealthiest of zero-day malware to types of known cyberattacks based on behavioral profiles.

Check out a free 1:1 demo to see how Varonis threat models can help protect your data.


Jeff Petters

Jeff Petters

Jeff has been working on computers since his Dad brought home an IBM PC 8086 with dual disk drives. Researching and writing about data security is his dream job.


Does your cybersecurity start at the heart?

Get a highly customized data risk assessment run by engineers who are obsessed with data security.