In the modern digital landscape, the term "threat model" has increasingly become a casualty of buzzword-driven marketing. From the high-stakes debates surrounding Hybrid Post-Quantum Cryptography to the frantic legislative attempts to impose "age verification" on the internet, the phrase is frequently invoked but rarely understood. To many, it is a talismanic term meant to signal seriousness, yet it lacks the rigorous, foundational application required to actually secure systems.
As security professionals and software architects navigate an era of endpoint vulnerabilities and increasingly sophisticated state-sponsored signals intelligence, the ability to construct a competent threat model is no longer a niche skill—it is a baseline requirement for anyone building infrastructure.
Understanding the Core: What Is a Threat Model?
At its most fundamental level, a threat model is not an academic exercise in generating a hundred-page PDF filled with citations. It is a living, iterative mental and architectural map designed to answer specific questions about what you are building and why.
If you are starting from zero, the industry-standard frameworks like STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege) or system theory-based approaches like STPA provide excellent scaffolding. However, the true value of a threat model lies in its ability to force the architect to confront uncomfortable realities: What are our assets? Who are the potential adversaries? What are the failure modes?
The Seven Pillars of a Functional Model
A functional, albeit informal, threat model must provide clarity on seven specific fronts:
- The System Boundary: What exactly are we defining as "in scope"?
- The Assets: What are we protecting, and what is its value?
- The Adversaries: Who has the capability and motivation to attack this system?
- The Entry Points: Where can an attacker interact with our architecture?
- The Assumptions: What security guarantees are we taking for granted?
- The Accepted Risks: What are we consciously choosing not to defend against?
- The Mitigation Strategy: How do we address the identified threats?
The most common point of failure in modern development is the "assumptions" category. When engineers take core cryptographic assumptions—such as the uniqueness of a key in an AEAD (Authenticated Encryption with Associated Data) scheme—for granted while introducing new complexities like "confused deputies" or multi-key protocols, the resulting model collapses.

Chronology: The Evolution of Security Analysis
Historically, threat modeling was treated as a point-in-time snapshot—a document created during the design phase, filed away, and rarely revisited. This approach is inherently flawed in the face of modern agile development and rapid-cycle deployment.
In recent years, the industry has shifted toward the concept of "living" threat models. As seen in the development of key transparency protocols for the Fediverse, architects are increasingly embedding their threat models directly into the project specification. By tracking these models in public repositories alongside the code, teams allow for community scrutiny and iterative refinement.
However, this is not a universal standard. The contrast between projects that prioritize transparent threat analysis and those that bury it in abstract, high-level documentation is stark. For example, while the Matrix protocol includes a dedicated section for security in its specifications, it has faced sustained criticism from the security community for its tendency to list generic threats (e.g., "Resource Exhaustion") without mapping those threats to the specific, granular architecture of the system.
Supporting Data: Why Bad Models Lead to Fragile Systems
A "bad" threat model is often worse than no threat model at all, as it provides a false sense of security. An effective model forces the developer to drill down through layers of abstraction.
The "Fortnite" Approach to System Analysis
When analyzing a complex system, one should start at the highest level of architecture—treating the entire system as a single black box—and then iteratively "shrink the box," focusing on individual components. By mapping inputs, outputs, and relationships between components, you can identify "inappropriate relationships"—such as a database that unnecessarily exposes an RSS feed—and sever them before they become attack vectors.
The Credential Stuffing Case Study
Credential stuffing serves as the most prominent example of how threat modeling can drive design changes. Because developers identified the human reality—that users reuse passwords—the industry moved toward Passkeys. By cryptographically binding credentials to a specific domain, this design choice effectively neutralized phishing and credential stuffing in a single stroke, proving that security is not just about complexity, but about removing the expectation that humans will behave like computers.

Official Responses and Industry Friction
The tension between security ideology and practical implementation is currently playing out in the IETF (Internet Engineering Task Force) mailing lists regarding Post-Quantum Cryptography (PQC).
When the IETF proposed an RFC to establish a code point for non-hybrid ML-KEM (a post-quantum key encapsulation mechanism), the pushback was significant. Critics, including notable voices in the cryptographic community, argued that hybrid constructions—pairing PQ algorithms with classical ones like ECDH—are the only responsible way forward.
However, from a threat modeling perspective, the "official" opposition often misses the nuance of the objective. For organizations subject to government mandates like CNSA 2.0 or FIPS 140-3, the absence of an RFC-approved standard is not a security feature; it is an administrative barrier that forces them to either remain on insecure legacy systems or implement non-standard, unvetted solutions.
As one observer noted, the objective of the RFC is not to claim that ML-KEM is infallible, but to provide a standard that allows for consistent, interoperable implementations. Blocking the standard does not protect users; it merely prevents them from adopting a more secure, post-quantum-ready baseline.
Implications: The Future of Secure Design
The ultimate goal of threat modeling is not to achieve perfect security, but to force attackers into predictable, high-cost, and low-reward dead ends.
The "Harvest Now, Decrypt Later" Reality
In the context of quantum computing, the threat model has shifted. We are no longer solely worried about an adversary breaking the system on "Q-Day." We are worried about the "Harvest Now, Decrypt Later" strategy, where adversaries intercept and store encrypted data today to decrypt it once cryptographically relevant quantum computers (CRQCs) become viable.

A proper threat model acknowledges that hybrid PQC is a hedge against the uncertainty of new cryptographic algorithms. The most intellectually honest approach involves a "three-way hybrid"—combining multiple PQ algorithms with classical ones to ensure that even if one algorithm is found to be flawed, the confidentiality of the data remains intact.
Moving Beyond the Buzzwords
To build better systems, developers must move beyond the superficial use of the term "threat model." They must:
- Adopt a "PoC or GTFO" mentality: If a security claim is made, it must be supported by proof-of-concept evidence rather than fearmongering or theoretical hand-waving.
- Prioritize Usability: Security controls that are too cumbersome to use will be bypassed by users, rendering the entire threat model moot.
- Embrace Transparency: As the Fediverse key transparency project demonstrates, exposing your threat model to the public allows for the kind of peer review that catches errors before they reach production.
In conclusion, the practice of threat modeling is the primary tool for separating meaningful security design from performative technical posturing. It is a disciplined, often tedious process that rewards those who are willing to drill down into the details of their own architecture. While it won’t guarantee an impenetrable system, it will certainly ensure that you have built something worth defending—and that you know exactly how to defend it.

