Complete Guide
Intermediate
Refreshed: March 2026

Threat & Risk Assessment

After completing this section, you'll be able to scope and execute a formal threat and risk assessment on any solution — from a cloud-native SaaS platform to an AI/ML pipeline. You'll quantify risk using FAIR instead of guessing with heat maps, select the right framework for your regulatory context, assess supply chain and third-party risk, and communicate findings to both engineers and executives.

Why This Section Exists

Most security guides cover threat modeling as a design activity. This section treats it as an assessment discipline — the structured process of evaluating an existing or proposed solution against realistic threats, quantifying risk in business terms, and driving risk treatment decisions. Whether you're a security architect reviewing a design, a GRC analyst running a risk program, or a consultant delivering TRA engagements — this is your operational playbook.

What's Changed in 2025–2026

NIST AI RMF and EU AI Act now require formal risk assessment for AI/ML systems. DORA mandates ICT risk management for EU financial entities. PCI DSS 4.0 requires targeted risk analysis (Req 12.3.1). Supply chain risk exploded after XZ Utils (2024). And FAIR is replacing qualitative risk matrices in mature organizations. This guide covers all of it.

TRA Maturity Tiers

Not every organization runs TRAs at the same depth. Use these tiers to calibrate which parts of this guide to prioritize based on your current maturity and regulatory obligations.

TIER 1 Ad-hoc / Getting Started

Risk assessments happen informally or only when auditors ask. No standard methodology or templates.

  • Sections 01–02: Learn fundamentals and scoping
  • Section 04: Pick a threat modeling methodology
  • Section 07: Choose a risk framework
  • Section 12: Use templates to get started fast

TIER 2 Repeatable / Structured

Standard TRA process exists with templates and defined triggers. Risk register maintained. Regular cadence.

  • All of Tier 1, plus:
  • Sections 03, 05: Threat landscape and attack surface analysis
  • Section 06: Quantitative risk analysis with FAIR
  • Section 08: Supply chain and third-party risk
  • Section 11: Risk treatment and executive reporting

TIER 3 Optimized / Continuous

TRA is automated and continuous. Risk-as-code in CI/CD. Real-time KRIs. Board-level risk dashboards.

  • All of Tier 2, plus:
  • Section 09: Cloud and AI/ML risk assessment
  • Section 10: Continuous and automated TRA
  • FAIR-based quantitative models with Monte Carlo
  • Threat modeling as code in every delivery pipeline

What You Will Learn

  • Scope and execute a formal TRA from initial context through risk treatment and monitoring
  • Quantify risk using FAIR methodology with Monte Carlo simulation instead of qualitative guesswork
  • Select and apply the right risk framework (NIST 800-30, ISO 27005, OCTAVE, TARA) for your context
  • Assess supply chain, third-party, cloud, and AI/ML risks with dedicated modern methodologies
  • Automate threat modeling with pytm, Threagile, and risk-as-code integrated into CI/CD pipelines
  • Communicate risk to executives and boards with dashboards, registers, and treatment recommendations

Prerequisites

Security Foundations

  • CIA triad and basic security concepts
  • Familiarity with common vulnerability types
  • Understanding of authentication and authorization
  • Basic networking (TCP/IP, DNS, TLS)

Architecture Awareness

  • Can read architecture diagrams and data flows
  • Familiarity with cloud service models (IaaS/PaaS/SaaS)
  • Understanding of APIs and microservices
  • Helpful: experience reviewing system designs

Recommended Context

  • Complete the Secure Architecture section first (or in parallel)
  • Review the STRIDE Modeler tool
  • Keep your organization's risk register handy
  • Be ready to think like an assessor, not just a builder

How To Use This Section

Security Architects

Start with sections 01-06 to build assessment skills, then use 07-09 for framework alignment and domain-specific TRAs. Finish with 10-11 for continuous integration and reporting.

GRC / Risk Managers

Focus on sections 01, 06-07, and 11 for lifecycle, frameworks, quantification, and executive reporting. Use 08-09 for supply chain and AI/ML risk governance.

Consultants

Use sections 01-02 for engagement scoping, 03-06 for assessment execution, 11 for deliverables, and 12 for case studies and templates to accelerate delivery.

TRA Lifecycle at a Glance

Every TRA follows a lifecycle from scoping through monitoring. This quick-start shows the stages and which sections cover each one — use it as a roadmap for both learning and real engagements.

tra-lifecycle.txt
TRA Lifecycle — End-to-End Assessment Flow

  PHASE 1: ESTABLISH CONTEXT              [Sections 01-02]
  ─────────────────────────────────────────────────────────
  • Define scope, objectives, and constraints
  • Identify assets, data flows, and trust boundaries
  • Classify assets by business value and CIA impact
  • Document regulatory and compliance requirements

  PHASE 2: THREAT IDENTIFICATION          [Sections 03-05]
  ─────────────────────────────────────────────────────────
  • Profile relevant threat actors
  • Map attack surface (cloud, API, identity, supply chain)
  • Apply threat modeling (STRIDE, PASTA, VAST, LINDDUN+)
  • Develop threat scenarios with ATT&CK mapping

  PHASE 3: RISK ANALYSIS & EVALUATION     [Sections 06-07]
  ─────────────────────────────────────────────────────────
  • Quantify risk using FAIR (LEF × LM)
  • Run Monte Carlo simulations for confidence intervals
  • Apply selected framework (NIST 800-30, ISO 27005, OCTAVE)
  • Evaluate risk against appetite and tolerance

  PHASE 4: DOMAIN-SPECIFIC ASSESSMENT     [Sections 08-09]
  ─────────────────────────────────────────────────────────
  • Assess supply chain and third-party risk
  • Evaluate cloud shared responsibility gaps
  • Assess AI/ML systems with MITRE ATLAS and NIST AI RMF

  PHASE 5: TREAT, REPORT & MONITOR       [Sections 10-12]
  ─────────────────────────────────────────────────────────
  • Automate TRA in CI/CD with threat-as-code
  • Select treatment: mitigate, accept, transfer, avoid
  • Build risk registers and executive dashboards
  • Establish continuous monitoring with KRIs

TRA Tooling Stack (2026)

| Tool / Framework | Category | Best For | Integration |
|---|---|---|---|
| STRIDE Modeler (Built-In) | Threat Modeling | Interactive STRIDE analysis with auto-threat generation | DREAD/CVSS scoring, CWE/CAPEC mapping, report export |
| Vendor Risk Tool (Built-In) | Third-Party Risk | ISO 27001, NIST CSF, SOC 2, GDPR vendor assessments | Weighted scoring, multi-format export, template builder |
| Threagile | Threat Modeling as Code | YAML-based threat modeling in CI/CD pipelines | CLI, auto-generated diagrams, risk tracking |
| pytm | Threat Modeling as Code | Python-based threat model definition and analysis | DFD generation, STRIDE mapping, CI integration |
| OpenFAIR / FAIR-U | Risk Quantification | FAIR-based quantitative risk analysis | Monte Carlo simulation, loss scenario modeling |
| OWASP Threat Dragon | Threat Modeling | Cross-platform collaborative threat diagrams | Open source, diagram editor, team sharing |
| IriusRisk | Enterprise TRA | Automated threat modeling at enterprise scale | Questionnaires, Jira, CI/CD, risk workflows |
| RiskLens / Safe One | Quantitative Risk | Enterprise FAIR-based cyber risk quantification | Board reporting, financial modeling, benchmarks |

Guide Sections

01

TRA Fundamentals & Lifecycle

Understand what a TRA is, when to perform one, regulatory drivers, lifecycle stages, and how TRAs differ from pentests, red teams, and vulnerability assessments.

NIST 800-30 • ISO 27005 • PCI 4.0 • NIS2 • DORA • RACI

02

Scoping & System Decomposition

Establish business and threat context, decompose systems into components, classify assets by CIA impact, map data flows, and define trust boundaries.

Crown jewels • Data flows • Trust boundaries • Asset classification

03

Threat Landscape Analysis

Profile threat actors by capability, intent, and opportunity. Integrate CTI feeds, map MITRE ATT&CK techniques, and build industry-specific threat catalogs.

STIX/TAXII • ATT&CK mapping • Actor profiling • Threat scenarios

04

Advanced Threat Modeling

Go beyond introductory STRIDE with per-element analysis, full PASTA walkthroughs, VAST for enterprise scale, LINDDUN+ for privacy, and hybrid approaches.

STRIDE per-element • PASTA 7-stage • VAST • LINDDUN+ • Manifesto

05

Modern Attack Surface Analysis

Map cloud control planes, API surfaces (REST/GraphQL/gRPC), supply chain dependencies, identity surfaces, and SaaS integrations with ASM tooling.

Cloud planes • API enumeration • Identity surfaces • ASM tools

06

Risk Quantification & FAIR

Move beyond heat maps with FAIR methodology, Monte Carlo simulation, loss event frequency analysis, and quantitative risk ranges that executives understand.

FAIR taxonomy • Monte Carlo • LEF/LM • ALE • OpenFAIR

07

Risk Assessment Frameworks

Walk through NIST 800-30, NIST RMF, ISO 27005:2022, OCTAVE Allegro, CORAS, and TARA with a framework selection decision tree for your context.

NIST 800-30 • RMF • ISO 27005 • OCTAVE • CORAS • TARA

08

Supply Chain & Third-Party Risk

Assess software supply chain risk with SBOMs, vendor tiering, OSS criticality scoring, SaaS risk evaluation, and Nth-party concentration analysis.

SPDX • CycloneDX • NIST SSDF • Vendor tiering • SaaS risk

09

Cloud & AI/ML Risk Assessment

Apply TRA to cloud-native architectures, shared responsibility gaps, multi-cloud IAM, LLM-specific threats, MITRE ATLAS, and EU AI Act classification.

Shared responsibility • MITRE ATLAS • LLM risks • NIST AI RMF

10

Continuous & Automated TRA

Implement threat modeling as code with pytm and Threagile, integrate TRA into CI/CD pipelines, codify risk policies, and set up continuous risk monitoring.

pytm • Threagile • Risk-as-code • KRIs • Shift-left TRA

11

Risk Treatment & Reporting

Choose treatment strategies, define risk appetite, maintain risk registers, build executive dashboards, and communicate risk to boards and auditors.

Risk registers • Executive dashboards • GRC tools • Waivers

12

Case Studies & Templates

Walk through five complete TRAs (e-commerce, healthcare API, financial SaaS, AI/ML engine, IoT fleet) with downloadable templates and regulatory mapping.

E-commerce • Healthcare • FinTech • AI/ML • IoT • Templates

Quick Reference

Core Principles

  • Assess risk in business terms, not just technical severity
  • Quantify when possible — FAIR beats heat maps
  • Threat model the solution, not just the technology
  • Continuous assessment, not point-in-time snapshots

Key Standards

Ready to Begin?

Start with TRA Fundamentals to understand the assessment lifecycle, then work through scoping, threat identification, and risk quantification. If you already run TRAs and want to level up, jump to FAIR quantification or continuous automated TRA.
