
Threat Model

Required security threat_model
Agent Prompt Snippet
Ensure the project has a threat model identifying attack surfaces, trust boundaries, data flow risks, and mitigation strategies.

Purpose

A threat model identifies attack surfaces, trust boundaries, data flow risks, and mitigation strategies specific to connected hardware to protect against physical and network-based threats.

This is a Required document — every project of this type should have one. Without it, the team risks misalignment, rework, or undetected issues that compound over time.

What Makes It Good vs Bad

A strong version of this document:

  • Identifies specific threat models and attack vectors relevant to the project
  • Defines concrete controls with implementation details, not just aspirations
  • Includes verification steps — how to test that security measures work
  • References established frameworks (OWASP, NIST, CIS) where applicable
  • Specifies incident response procedures and escalation paths

Warning signs of a weak version:

  • Vague statements like ‘the system will be secure’ without specifics
  • Missing threat model — no analysis of who attacks, how, and what’s at risk
  • No connection between identified threats and chosen mitigations
  • Ignores operational security (key rotation, access reviews, audit logging)
  • Written once and never updated as the threat landscape changes

Common Mistakes

  • Treating security as a checkbox rather than an ongoing practice
  • Focusing only on external threats while ignoring insider risks
  • Documenting controls without specifying how to verify they work
  • Not updating the document when new vulnerabilities or attack patterns emerge

How to Use This Document

Start by identifying the assets worth protecting and the threat actors most likely to target them. Use a framework like STRIDE or OWASP Top 10 to structure your analysis. For each identified threat, document the specific control that mitigates it and how that control is verified. Review the document at least quarterly or whenever the system architecture changes significantly.

For AI agents: When generating or reviewing this document, cross-reference the project’s architecture to ensure every external-facing surface has a corresponding security control documented.
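An added example, not part of SpecBase or its template: a small check that applies the steps above to a threat register, flagging threats without a control, controls without a verification step, external-facing surfaces with no documented control, and a stale review. The register layout (`surface`, `category`, `control`, `verification`), the 92-day review window, and the sample entries are assumptions constructed for illustration.

```python
from datetime import date

STRIDE = {"spoofing", "tampering", "repudiation", "information_disclosure",
          "denial_of_service", "elevation_of_privilege"}
REVIEW_MAX_AGE_DAYS = 92  # assumption: "at least quarterly" taken as one calendar quarter

def lint_threat_model(surfaces, threats, last_reviewed, today):
    """Return a list of findings; an empty list means the register passes."""
    findings = []
    covered = set()  # surfaces that have at least one documented control
    for t in threats:
        tid = t.get("id", "<no id>")
        if t.get("category") not in STRIDE:
            findings.append(f"{tid}: category is not a STRIDE class")
        if not (t.get("control") or "").strip():
            findings.append(f"{tid}: no mitigating control documented")
            continue  # nothing to verify without a control
        if not (t.get("verification") or "").strip():
            findings.append(f"{tid}: control has no verification step")
        covered.add(t.get("surface"))
    for s in surfaces:
        if s["external"] and s["name"] not in covered:
            findings.append(f"{s['name']}: external-facing surface has no documented control")
    if (today - last_reviewed).days > REVIEW_MAX_AGE_DAYS:
        findings.append(f"review is stale: last reviewed {last_reviewed.isoformat()}")
    return findings

# Constructed sample for a connected-hardware project (not from any real system).
SURFACES = [
    {"name": "ble_pairing", "external": True},
    {"name": "ota_update", "external": True},
    {"name": "debug_uart", "external": True},
    {"name": "sensor_bus", "external": False},
]
THREATS = [
    {"id": "T1", "surface": "ble_pairing", "category": "spoofing",
     "control": "authenticated pairing with per-device keys",
     "verification": "pairing test with an unprovisioned peer must fail"},
    {"id": "T2", "surface": "ota_update", "category": "tampering",
     "control": "signed firmware images", "verification": ""},
    {"id": "T3", "surface": "sensor_bus", "category": "tampering", "control": ""},
]

if __name__ == "__main__":
    for finding in lint_threat_model(SURFACES, THREATS, date(2024, 1, 10), date(2024, 6, 1)):
        print(finding)
```

Run in CI against the project's real register, a non-empty result can fail the build so that gaps between threats, controls and verification are caught when the architecture changes.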

Starter Template

SpecBase includes a ready-to-use template for this document: kb/templates/security/threat_model.md.tmpl. Use the SpecBase CLI or MCP integration to generate it pre-filled for your project.

# Generate stubs via CLI
specbase init <archetype> --features <features> --dir ./docs

  • Threat Modeling: Designing for Security by Adam Shostack — The definitive guide to identifying and mitigating security threats systematically.
  • Security Engineering by Ross Anderson — Comprehensive reference covering security principles from cryptography to physical security.
  • The Web Application Hacker’s Handbook by Dafydd Stuttard & Marcus Pinto — Practical guide to web application security testing and common vulnerability patterns.
