Threat Models Simplified (AI Edition)
Classic frameworks like STRIDE, DREAD and PASTA are widely used, but, like any framework, they leave out an audience: teams that need a threat model but are not big enough to justify that level of granularity. I have distilled these models into four simplified categories that are easier to apply in SIEM monitoring and in modern AI-driven environments.
How to use this guide
This is not a checklist of things for you to check off. It's a template for a business exercise. The categories help you build towards
Four Simplified Categories
1. Identity and Access
Phrase: Who is in your system and what they can do
SIEM focus: Authentication logs, IAM events, PAM activity, VPN access, MCP access events, AI Crawl events
2. Data Integrity
Phrase: Ensuring data is not altered without authorization
SIEM focus: File integrity monitoring, database audit logs, Email access logs, source control activity, MCP actions taken
3. Confidentiality
Phrase: Keeping sensitive information from leaking
SIEM focus: DLP alerts, email security, cloud storage access logs, endpoint exfiltration patterns, LLM usage compared against the list of authorized platforms
4. Cybersecurity systems
Phrase: Systems stay online, actions remain traceable, and the things that are supposed to alert keep alerting
SIEM focus: Firewall and IDS/IPS logs, system and application logs, service health events, audit trail completeness, EDR / antimalware / endpoint security alerts, service disruptions
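The following is an added example (not code from the original post) showing how the four categories can be applied in practice: each event is tagged with a category by its log source, a coverage count shows how much telemetry lands in each category, and one detection per category runs over a constructed sample log (a password-guessing burst that ends in success, a file change with no change ticket, LLM use on an unapproved host, and a sensor that goes quiet). The log field names (ts, source, user, action, outcome, target, change_ticket, host), the thresholds, the approved LLM host and the sample events are assumptions for the illustration, not any particular SIEM's schema.

```python
"""Tag SIEM events with one of the four categories and run one detection each.
Added example; not from the original post. Field names, thresholds, the
approved LLM host and the sample log are assumptions, not a real SIEM schema."""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Log source -> category, following the "SIEM focus" lists above (assumed source names).
CATEGORY_BY_SOURCE = {}
for _cat, _sources in {
    "Identity and Access": ("auth", "iam", "pam", "vpn", "mcp_access", "ai_crawler"),
    "Data Integrity": ("fim", "db_audit", "email_access", "scm", "mcp_action"),
    "Confidentiality": ("dlp", "email_sec", "cloud_storage", "llm_proxy"),
    "Cybersecurity systems": ("firewall", "ids", "edr", "health"),
}.items():
    for _src in _sources:
        CATEGORY_BY_SOURCE[_src] = _cat
FAILED_LOGIN_THRESHOLD = 5                 # assumed
APPROVED_LLM_HOSTS = {"llm.corp.example"}  # assumed allow-list
MAX_HEARTBEAT_GAP = timedelta(minutes=10)  # assumed

# Constructed sample events, one JSON object per line; not real log data.
SAMPLE_LOG = """\
{"ts":"2024-05-01T09:00:00","source":"auth","user":"alice","action":"login","outcome":"fail"}
{"ts":"2024-05-01T09:00:10","source":"auth","user":"alice","action":"login","outcome":"fail"}
{"ts":"2024-05-01T09:00:20","source":"auth","user":"alice","action":"login","outcome":"fail"}
{"ts":"2024-05-01T09:00:30","source":"auth","user":"alice","action":"login","outcome":"fail"}
{"ts":"2024-05-01T09:00:40","source":"auth","user":"alice","action":"login","outcome":"fail"}
{"ts":"2024-05-01T09:00:50","source":"auth","user":"alice","action":"login","outcome":"success"}
{"ts":"2024-05-01T09:01:00","source":"auth","user":"bob","action":"login","outcome":"fail"}
{"ts":"2024-05-01T09:02:00","source":"fim","user":"svc-backup","action":"modify","target":"/etc/sudoers"}
{"ts":"2024-05-01T09:03:00","source":"fim","user":"deploy","action":"modify","target":"/srv/app/app.py","change_ticket":"CHG-1001"}
{"ts":"2024-05-01T09:04:00","source":"llm_proxy","user":"bob","action":"prompt","target":"llm.corp.example"}
{"ts":"2024-05-01T09:05:00","source":"llm_proxy","user":"carol","action":"prompt","target":"chat.unapproved.example"}
{"ts":"2024-05-01T09:00:00","source":"health","host":"web-01","action":"heartbeat"}
{"ts":"2024-05-01T09:05:00","source":"health","host":"web-01","action":"heartbeat"}
{"ts":"2024-05-01T09:30:00","source":"health","host":"web-01","action":"heartbeat"}
{"ts":"2024-05-01T09:00:00","source":"health","host":"web-02","action":"heartbeat"}
{"ts":"2024-05-01T09:05:00","source":"health","host":"web-02","action":"heartbeat"}
"""

def parse_log(text):
    """Parse JSON lines into event dicts, converting 'ts' to a datetime."""
    events = []
    for line in text.splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
    return events

def categorize(event):
    """Map an event to one of the four categories by its log source."""
    return CATEGORY_BY_SOURCE.get(event["source"], "Uncategorized")

def category_counts(events):
    """Coverage check: how much of the telemetry lands in each category."""
    return Counter(categorize(e) for e in events)

def detect(events):
    """One detection per category; returns (category, rule, subject) tuples."""
    findings = []
    fails = Counter()
    for e in sorted(events, key=lambda ev: ev["ts"]):
        cat = categorize(e)
        if cat == "Identity and Access" and e.get("action") == "login":
            if e["outcome"] == "fail":
                fails[e["user"]] += 1
            elif fails[e["user"]] >= FAILED_LOGIN_THRESHOLD:
                # A success right after a burst of failures: guessing that worked.
                findings.append((cat, "login success after failed burst", e["user"]))
        elif cat == "Data Integrity" and e.get("action") == "modify":
            if not e.get("change_ticket"):
                findings.append((cat, "modification without change ticket", e["target"]))
        elif cat == "Confidentiality" and e["source"] == "llm_proxy":
            if e["target"] not in APPROVED_LLM_HOSTS:
                findings.append((cat, "LLM use outside approved platforms", e["user"]))
    # Cybersecurity systems: a sensor that stops reporting is itself a finding.
    beats = defaultdict(list)
    for e in events:
        if e["source"] == "health" and e.get("action") == "heartbeat":
            beats[e["host"]].append(e["ts"])
    for host, stamps in beats.items():
        stamps.sort()
        for earlier, later in zip(stamps, stamps[1:]):
            if later - earlier > MAX_HEARTBEAT_GAP:
                findings.append(("Cybersecurity systems", "telemetry gap", host))
    return findings

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(category_counts(evs))
    for finding in detect(evs):
        print(finding)
```

Run as-is it prints the per-category event counts followed by four findings, one per category. The coverage count is the part practitioners tend to skip: if a category shows zero events, you have no monitoring there, which is a finding in its own right under "Cybersecurity systems".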
Why This Matters
By consolidating the core components of STRIDE, DREAD and PASTA into four categories, you can assess both technical and business risk without accumulating governance debt: you are not trying to align to whatever framework your CISO mandates after the organization has tripled in size. Adding AI-specific sources to each category (MCP access and actions, AI crawler traffic, LLM usage against the list of authorized platforms) keeps the summary covering both traditional and emerging threats.
The original models
| Threat Model | Letter | Meaning |
|---|---|---|
| STRIDE | S | Spoofing identity |
| STRIDE | T | Tampering with data |
| STRIDE | R | Repudiation (denying actions) |
| STRIDE | I | Information disclosure |
| STRIDE | D | Denial of service |
| STRIDE | E | Elevation of privilege |
| DREAD | D | Damage potential |
| DREAD | R | Reproducibility of the attack |
| DREAD | E | Exploitability |
| DREAD | A | Affected users |
| DREAD | D | Discoverability |
| PASTA | P | Process (for) |
| PASTA | A | Attack |
| PASTA | S | Simulation (and) |
| PASTA | T | Threat |
| PASTA | A | Analysis |

PASTA expands to Process for Attack Simulation and Threat Analysis; unlike STRIDE (a threat taxonomy) and DREAD (a scoring scheme), it is a staged methodology that ties simulated attacks back to business impact.