A Threat Model
Is Your Map To How Your Crown Jewels Could Be Taken.

With threat modeling, in just three steps, you can identify your exposure before you engage in a penetration testing project.

A customized threat model will give you a clear picture of the risk posed by attacks against your system or product so you can make effective decisions about the appropriate level of security to incorporate. Threat modeling is an important component of scoping your security project.

An effective threat model is one that follows these three key steps:

Step 1: Identifies the crown jewels you need to protect
Step 2: Identifies what could go wrong, leaving your key assets unprotected
Step 3: Identifies potential risk vectors

  • Why Threat Model?

    If a security company isn't already performing threat modeling for you before you engage them, how do they know what to recommend to you? Often there's a great divide between your organization's goals and the security industry. You want to make sure the business runs smoothly, while security companies want to ensure your risk is as low as possible. How do you strike a balance between these two extremes? Or, does your risk tolerance place you closer to one or the other? Threat modeling helps you define these important things before you get started with penetration testing.

What To Expect During A Threat Modeling Session With Fracture Labs

A threat modeling session is a collaborative brainstorming exercise with you and your team. An effective session will help ensure you and your security partners are on the same page and may uncover potential attacks you never would have considered!

  • Identify the Crown Jewels

    Identify the Crown Jewels

    We begin the process by sitting down with your team. We listen to you describe your organization and your project and ask questions to get to the root of what it is you’d like to protect — your crown jewels.

  • Identify the Risks

    Identify the Risks

    Once we've identified your crown jewels, we work with you to map out what could go wrong in protecting these assets. We take an honest look at the impact a breach could have on the confidentiality, integrity and availability of these assets to your business.

  • Identify the Threat Vectors

    Identify the Threat Vectors

    Now that we know what's important to you and what could go wrong, we turn to what our security consultants do best: we think like hackers and plan how we would actually attack your products or systems. We don't think in terms of the intended use of your products or systems — we think about how we could exploit them to help us get to the crown jewels.

This process can be very enlightening and will help you decide which level of security engineering and testing is appropriate for your project. The final deliverable is a mind map showing you exactly where we think you’re most at risk. We use this to help guide our testers during security assessments and penetration tests and map any issues we find back to the threat model. This allows your organization to prioritize which weaknesses to address first.


Example threat model deliverable from Fracture Labs

  • We Are The Experts

    Our background in engineering coupled with our expertise in hacking complex systems gives us unique insight into how your products or systems were built and where the weaknesses might be. Having been on the other end of security assessments for Fortune 500 companies in the past, our consultants know the importance of tailoring projects to meet your specific risk tolerance.

    Our custom tailored threat model includes:
    • A collaborative brainstorming threat modeling session with your IT team, product managers, and engineers to flesh out your protection needs
    • An extensive threat map diagram showing you types of misconfigurations and attacks that could lead to abuse of your key assets
    • Assistance building business cases for your management regarding the importance and level of security testing needed for your project

    We do all this for free — before we even sign a contract — to make sure you are getting exactly the right level of testing for your risk tolerance levels!

Threat Modeling Success Stories

Weaknesses in Aircraft Network

We identified attack vectors and weaknesses in the proposed design for an aircraft network that otherwise would have made it to the final implementation. This was before any testing activities.

Decreased Security Assessment Budget by 76%

We cut the effort and budget for a proposed web application security assessment by 76% through an extensive pre-testing threat modeling session focused on potential attack vectors. The testing still revealed severe issues for which we had previously predicted, but limited funds were able to be moved from testing to remediation with budget to spare!

From the blog

Check out our blog to get the latest infosec how-to articles, best practices and strategies written by our offensive security experts. Cyber crime isn't going anywhere, so stay informed and on top of it!

Big Breaks Come From Small Fractures.

You might not know how at-risk your security posture is until somebody breaks in . . . and the consequences of a break in could be big. Don't let small fractures in your security protocols lead to a breach. We'll act like a hacker and confirm where you're most vulnerable. As your adversarial allies, we'll work with you to proactively protect your assets. Schedule a consultation with our Principal Security Consultant to discuss your project goals today.