Share this article

Our approach to threat modeling
Accelerating security solutions for small businesses Tagore offers strategic services to small businesses. | A partnership that can scale Tagore prioritized finding a managed compliance partner with an established product, dedicated support team, and rapid release rate. | Standing out from competitors Tagore's partnership with Vanta enhances its strategic focus and deepens client value, creating differentiation in a competitive market. |
In this series, you’ll hear directly from Vanta’s Security, Enterprise Engineering, and Privacy, Risk, & Compliance Teams to learn about the team’s approach to keeping Vanta — and most importantly, our customers — secure.
The following post comes from our Security Team and explains our approach to threat modeling.
What is threat modeling?
Threat modeling is the process of identifying and understanding the potential threats and risks that can impact a given business, system, network, or feature.
The goal of threat modeling is to make better decisions. We do this by building a better mental model of the world, keeping things in mind such as potential attacker’s profiles, motivation, goals, and likely attack vectors. Many of us model threats every day—when making decisions such as choosing to buckle your seatbelt, looking both ways before you cross the street, and more.
How does Vanta approach threat modeling?
At Vanta, we use threat modeling as a tool to help share knowledge and improve our mental model of Vanta as a company, and of the environment in which we operate. These exercises are most frequently run (though not always) by the Security team, and are held on recurring cadences and on an as-needed basis.
We don’t maintain a canonical “threat model” at any given point in time. Instead, we view the exercise itself as the primary mechanism through which we benefit. This is because the discussion that arises during a threat modeling exercise is what improves our mental model and enables us to make better decisions.
In other words: “Threat models are useless. Threat modeling is essential.”
When does the Vanta security team threat model?
We view threat modeling as a team and organizational muscle that requires regular exercise. It can be fun, enlightening and interesting! This means we get together for threat modeling exercises on at least a monthly basis, if not more frequently. Sometimes we'll threat model a given feature, and other times we’ll pick a sample scenario to model and discuss. For some added fun, sometimes we’ll even get together to model threats around a given theme, event, or season.
In addition, we strive to include a wide range of teammates across Vanta in our exercises. This can depend on the topic at hand but often includes individuals from our Enterprise Engineering, Privacy, Risk, & Compliance, Engineering, and Product teams, as well as from our operational and customer-facing teams. Not only does this help evolve our individual mental models of risk, but it also widens our collective lens on hidden risks and opportunities for improvement across the organization to make more informed decisions.
Keep in mind that if you’re focusing on a specific feature or project, it’s helpful to start as early as possible, such as in the design phase. This lowers the cost of any big changes that need to be made.
What are the core steps you follow?
Here are the core steps we follow for our threat modeling exercises:
1. Define your goals
Discuss and agree upon what your collective goals are for your threat modeling exercise, and jot this down to help ensure all teammates are on the same page. This could be to model threats for a given feature or project, or something more broad—such as to help inform your team’s planning for a given quarter. Defining your goals up front can help you keep your discussion more focused.
2. Define your scope
Identify the data, systems, and processes at hand that you’re protecting and understand how they’re used, as well as any dependencies. This helps your team to go into greater depth than they could if you had to keep expanding the breadth of your focus.
3. Identify threats
Brainstorm the most significant threats that could compromise the confidentiality, integrity, or availability of your system. While we often consider external attackers, be sure to also consider internal actors, whether intentional or unintentional.
4. Identify controls
Enumerate the controls that are either in place or could be put into place to mitigate each threat, including both preventative and detective controls.
5. Identify gaps
Model in the gaps that could result in controls failing to block a particular threat. For example, anti-malware doesn’t always detect the malware. What would happen next? What would the next stage of the attack be? Do you have further controls for that step?
6. Next steps
Based on the discussion, identify action items and make sure you address them. Walk away better informed and make good decisions!
During our threat modeling exercises, we use diagramming tools to communicate and connect information and create a clear visual representation of your threat model. This is particularly beneficial during exercises that incorporate a variety of stakeholders—we view these diagrams as primarily for those who are in the room instead of as an artifact for the future.
While we’ve experimented with a variety of tools, we tend to use Deciduous or a lightweight model in FigJam that allows us to collaborate and communicate effectively.

Tips for threat modeling
An important point to remember is that there are many approaches to threat modeling. Our recommendation is to find what works best for your organization to ensure that you’re able to threat model effectively when you need it most, instead of running an arduous exercise that’s both operationally challenging and outdated quickly.
Here are a few suggestions we have for ensuring threat modeling exercises run smoothly:
- Your team: Assemble a cross-functional team to ensure you’re incorporating diverse perspectives—such as teammates across your security, engineering, business, and operations teams. This can help reduce observational bias (e.g. the streetlight effect) when modeling threats. Be sure to share context beforehand or at the start of the session, especially if it’s your organization’s first time running a threat modeling exercise.
- Your roles: Assign clear roles and responsibilities ahead of time. For example, decide who’ll help run the exercise, update the threat model in real-time, and identify anyone who might play a specific role—such as teammates who represent the perspectives of the adversary, defender, developer, etc.
- Your tools: Identify which tools you’ll use and ensure you’re familiar with how they work prior to threat modeling. Remember, the point is to help create a high-bandwidth information session, not necessarily to capture your discussion for later.
Additional resources
Our goal is to make more informed decisions every day, and we hope you find threat modeling as fun, interesting, and valuable of an exercise as we do.
If you’re looking to learn more about threat modeling, whether individually, for your team, or even for your organization, here are a few resources that have been helpful for us:
- Deciduous: A Security Decision Tree Generator | Kelly Shortridge
- Threat Modeling, by Adam Shostack
- Shostack + Associates > Elevation of Privilege Game





FEATURED VANTA RESOURCE
The ultimate guide to scaling your compliance program
Learn how to scale, manage, and optimize alongside your business goals.