PRIMER · METHODOLOGY

Threat-modeling methodologies and tools, compared

STRIDE, PASTA, DREAD, OCTAVE, VAST, Trike, LINDDUN, MAESTRO, the OWASP MAS Threat Modelling Guide v1.0, Shostack's Four Question Framework, and the 2026 agentic-AI specialisations of each, plus a survey of the open-source and commercial tools that automate them. Where each fits, what each costs in effort, and how Helmwart composes them for agentic systems.

Open the wizard → References →

Applied in Helmwart's wizard

Shostack Four Questions (scaffold) · MAESTRO (the CSA 6-step method: decomposition, per-layer, cross-layer propagation, risk, mitigation, monitoring) · OWASP Agentic AI: Threats & Mitigations v1.1 (base T1–T17) + MAS Threat Modelling Guide v1.0 (normalized scenario additions) · MITRE ATLAS (adversary techniques).

Surveyed below for context

STRIDE, PASTA, DREAD, OCTAVE, VAST, Trike, LINDDUN, STRIFE. These are described for comparison; the wizard does not apply them. CSA built MAESTRO precisely because classical methods "were never designed" for agentic attack surfaces (emergent behaviour, autonomy, no trust boundary). LINDDUN appears as an optional privacy callout in Q2 when personal or regulated data is in scope.

Helmwart also offers an optional, bring-your-own-key AI-assist (prompt design adapted from the CSA MAESTRO Threat Analyzer, MIT) for systems the catalogue can't reach. Model output is non-deterministic, advisory, and never enters the posture score.

The lay of the land

Threat-modelling frameworks split along two axes: scaffold versus enumeration (a process that asks the four big questions versus a catalogue of what to look for), and horizontal scope (per element, per business process, per architectural layer, per data class). Helmwart picks Shostack's Four Question Framework as the scaffold and layers the OWASP v1.1 base T1–T17 catalog, Helmwart-normalized MAS scenario additions, MAESTRO L1–L7 + CL, and MITRE ATLAS as the Q2 enumeration lenses.

The 2025–2026 shift is real: classical frameworks now have AI-specialised variants (ASTRIDE, PASTA-AI, LINDDUN-AI), pure-LLM threat-modelling tools have emerged (STRIDE-GPT, MAESTRO Playbook), and OWASP + CSA have published agentic-native methodologies (MAESTRO, MAS Threat Modelling Guide v1.0). Helmwart stays deterministic by design: same answers always produce the same threat list, mitigation ranking, and residual risk.

Methodologies

Order: scaffold first, then enumeration lenses by age, then the agentic-native frameworks, then the governance scaffolds.

Threat Modeling Manifesto

Shostack, Tarandach, et al., 2020

What: The values + principles document underwriting modern threat modelling. Explicitly framework-agnostic.
Strengths: Sets a shared vocabulary every other framework can plug into.
Trade-offs: Not a methodology by itself; cannot be "used" alone.
Best fit: Read once to anchor the why.
Composes: Substrate for everything below.

Shostack: Four Question Framework

Adam Shostack, 2014; paper rev. Nov 2024

What: Four questions: What are we working on? What can go wrong? What are we going to do about it? Did we do a good enough job?
Strengths: Methodology-agnostic scaffold; hosts STRIDE, MAESTRO, LINDDUN as Q2 lenses. Microsoft TMT, IriusRisk, and several academic papers now frame their workflows in these four questions.
Trade-offs: Does not tell you which enumeration lens to use; you still have to pick.
Best fit: Self-service walkthroughs; mixed audiences.
Composes: Wizard spine on /threat-modeling/.

STRIDE

Microsoft, late 1990s

What: Per-element enumeration: Spoofing / Tampering / Repudiation / Information disclosure / Denial of service / Elevation.
Strengths: The most widely deployed enumeration lens; deep tooling support; pedagogically robust.
Trade-offs: Per-element ergonomics struggle on agentic systems where emergent, cross-component behaviour is the threat.
Best fit: Conventional DFD-based systems; education.
Composes: Cited by every modern lens. Not used as Helmwart's Q2 default; layered as ATLAS adversary pivots and OWASP MAS catalog instead.
AI variant: ASTRIDE : STRIDE+A adds an "A" category for AI-Agent-Specific Attacks (prompt injection, unsafe tool invocation, reasoning subversion). The implementation uses a fine-tuned vision-language model to read DFDs and a reasoning LLM to emit threat models; it is explicitly LLM-driven.

DREAD

Microsoft (deprecated)

What: Rating scheme: Damage, Reproducibility, Exploitability, Affected users, Discoverability.
Strengths: Simple to score.
Trade-offs: Microsoft deprecated it because scoring proved inconsistent between reviewers. Replaced by CVSS-style or framework-native severity.
Best fit: Historical reference only.
Composes: Not used.

PASTA

UcedaVélez, 2012

What: Seven-stage risk-centric process: define objectives, define scope, app decomposition, threat analysis, vulnerability analysis, attack modelling, risk analysis.
Strengths: Business-objective-first; integrates with risk management.
Trade-offs: Heavyweight; designed for committee work, not self-service.
Best fit: Regulated enterprise with formal risk owners.
Composes: Not used as wizard spine. Cited as the risk-centric counterpart.
AI variant: PASTA-AI (informal) : Per-stage extensions documented in community write-ups: Stage 2 adds adversarial ML and data poisoning, Stage 5 maps to MITRE ATLAS, etc. Not a formal release.

OCTAVE

CERT/SEI

What: Operationally Critical Threat, Asset, and Vulnerability Evaluation: a workshop-driven, organisational-risk lens.
Strengths: Suited to large-organisation governance.
Trade-offs: Slow; not technical-finding-oriented.
Best fit: Programme-level posture; not single-system threat models.
Composes: Not used.

VAST

ThreatModeler

What: Visual, Agile, Simple Threat: enterprise-scale, two-track (operational + application) modelling.
Strengths: Designed to integrate with CI/CD at scale.
Trade-offs: Vendor-tied (ThreatModeler).
Best fit: Enterprises already on ThreatModeler.
Composes: Not used.

LINDDUN

KU Leuven

What: Privacy-centric enumeration: Linkability, Identifiability, Non-repudiation, Detectability, Disclosure, Unawareness, Non-compliance.
Strengths: The standard privacy lens; aligns with GDPR / regulatory framing.
Trade-offs: Privacy-focused; does not cover non-privacy threats.
Best fit: Systems handling personal data; regulated industries.
Composes: Helmwart surfaces a LINDDUN callout in Q2 when industry / sensitivity flags indicate personal or regulated data.
AI variant: LINDDUN-AI (emerging) : Community work to extend each LINDDUN category with AI-specific failure modes (model inversion, training data linkability). Not a single formal release.

MAESTRO

Cloud Security Alliance + OWASP

What: Multi-Agent Environment, Security, Threat, Risk, Outcome. Seven architectural layers (Foundation Models → Agent Ecosystem) with vertical / horizontal / emergent attack propagation analysis.
Strengths: Purpose-built for agentic AI; layer model admits cross-layer threats; explicitly extends STRIDE / PASTA / LINDDUN / VAST.
Trade-offs: Layer model can feel abstract on small systems.
Best fit: Agentic systems of any size.
Composes: Helmwart's Q2 primary enumeration lens. Layers L1–L7 + CL are catalogued at /handbook/references/#maestro.

OWASP MAS Threat Modelling Guide v1.0

OWASP GenAI Security Project, April 2025

What: Companion multi-agent modelling guide. It walks three worked systems (RPA expense, ElizaOS, Anthropic MCP) through MAESTRO and reuses some identifiers for system-specific variants. Helmwart creates stable navigation entries and labels the renumbered RPA T16/T17 entries as T48/T49 alongside the later v1.1 base catalog.
Strengths: Concrete worked examples; explicit cross-layer scenario tables.
Trade-offs: Older than the v1.1 OWASP Agentic AI catalog (Dec 2025); its scenario-scoped numbering cannot be treated as a single globally unique catalog without normalization.
Best fit: The most direct reference for any threat model of a multi-agent system.
Composes: Helmwart normalizes MAS Guide scenario threats into T18–T49. The wizard's Q2 surfaces them automatically when their editorially linked base T1–T17 threat is selected.

OWASP Top 10 for Agentic Applications 2026

OWASP GenAI Security Project

What: Practitioner top-10 catalog (ASI01–ASI10) with OWASP mappings to the base threat taxonomy and the OWASP LLM Top 10; Helmwart adds editorial links to MAS-derived entries.
Strengths: The format security GRC readers recognise.
Trade-offs: Top-10 by design; not the full catalog.
Best fit: Briefing non-architects.
Composes: Catalogued at /handbook/references/#asi-top10.

MITRE ATLAS

MITRE

What: Adversarial Tactics, Techniques, and Common Knowledge for ML (AML.T#### IDs).
Strengths: The adversary-TTP knowledge base; ATT&CK's sibling for AI.
Trade-offs: A reference catalogue, not a methodology. Use it alongside a methodology.
Best fit: Q2 pivot from "what's the risk" to "what's the attacker actually doing".
Composes: Helmwart surfaces ATLAS chips on every threat where a clean technique mapping exists.

NIST AI RMF (AI 100-1)

NIST, Jan 2023

What: Govern / Map / Measure / Manage functions for AI risk; stop-build authority; third-party oversight.
Strengths: Governance backbone; widely adopted by regulators.
Trade-offs: High-level; needs a technical methodology underneath.
Best fit: Q4 governance scaffold.
Composes: Helmwart's Q4 surfaces a four-row Govern/Map/Measure/Manage prompt set drawn from AI 100-1 + AI 600-1.

NIST AI 600-1: GenAI Profile

NIST, Jul 2024

What: Twelve GAI risk categories (Confabulation, Information Integrity, Information Security, Value Chain Integration, …), each with Govern/Map/Measure/Manage actions.
Strengths: Standards-grounded cross-walk for hallucination, supply-chain, memory, and output-moderation controls.
Trade-offs: Companion to AI 100-1, not a standalone methodology.
Best fit: Anchoring Q4 prompts to a formal risk category set.
Composes: Cited inline on the Q4 NIST AI RMF mini-checklist.

STRIFE

Aviatrix, 2026

What: Newer alternative framework discussed in vendor write-ups.
Strengths: Recent.
Trade-offs: Less established than STRIDE or MAESTRO; limited tooling.
Best fit: Watch list.
Composes: Not used.

Tools landscape

Open source

STRIDE-GPT checked 2026-05-19

LLM-powered (OpenAI / Ollama / LM Studio).
User describes application; LLM generates STRIDE threats + attack trees.
2025 additions: OWASP ASI + LLM Top 10 + MAESTRO pattern detection.
Output quality scales with prompt + model.

Agent Wiz checked 2026-05-19

Python CLI; parses LangGraph / AutoGen / CrewAI / Swarm / Pydantic orchestrators.
Emits MAESTRO + ATLAS threat assessment from code.
Code-as-input rather than diagram-as-input.

OWASP Threat Dragon checked 2026-05-19

Generic DFD-based threat modelling; not agentic-specific.
v3.x moving to the TM-BOM schema.

OWASP Threat Model Library checked 2026-05-19

Dataset / schema to fine-tune LLMs for threat modelling.
A substrate, not a runtime tool.

MAESTRO Playbook checked 2026-05-19

A Markdown playbook designed to be opened in Claude Code or another LLM agent.
Walks ten phases of MAESTRO threat modelling interactively.
LLM-agent driven; conversational.

Threagile checked 2026-05-19

YAML-driven; infrastructure-and-application focused.
Not agentic-specific; not visual.

pytm checked 2026-05-19

Python DSL for threat modelling.
Code-only DSL; not visual.

Closed source / commercial

ThreatModeler + IriusRisk checked 2026-05-19

ThreatModeler acquired IriusRisk in Jan 2026 (vendor announcement; verify before citing).
IriusRisk ships a MAESTRO "Streamlining" workflow.
Enterprise SaaS; closed source.

Trent AI checked 2026-05-19

Agentic Threat Assessor: extends STRIDE for agentic systems using real architecture as context.
SaaS; LLM-driven.

SD Elements checked 2026-05-19

Long-running commercial threat-modelling platform (Security Compass).
AI features added recently; checklist-driven.

Tutamantic checked 2026-05-19

Enterprise threat-modelling SaaS.

Repello AI checked 2026-05-19

Commercial layer on top of the open-source Agent Wiz CLI.
Ships the Hermes Agent Security reference threat-model set.

Microsoft AI red team

PyRIT checked 2026-05-19

Python Risk Identification Toolkit.
Multi-turn attacks (Crescendo, TAP, Skeleton Key) across text/audio/image/video.
Findings auto-classified by severity; mapped to OWASP LLM Top 10 + MITRE ATLAS + NIST AI RMF.

Counterfit checked 2026-05-19

Adversarial-ML CLI; bundles multiple attack libraries.
Repeatable evaluation scripts.

Microsoft Threat Modeling Tool checked 2026-05-19

Classical STRIDE on DFDs.
Documentation now frames the workflow in Shostack's four questions, setting a precedent for this wizard's scaffold.

Evaluation / benchmark

TM-Bench checked 2026-05-19

Benchmark for LLM-driven threat-modelling tools.
Evaluation framework, not a tool itself.

How Helmwart composes the landscape

Four Questions as the scaffold. Microsoft Threat Modeling Tool, IriusRisk, Snyk Labs, and several recent papers all frame their workflows in Shostack's four questions. Using the same shape lets the wizard sit alongside familiar tooling without asking the reader to re-learn a process.
OWASP v1.1 + MAESTRO / MAS Guide + ATLAS as Q2 lenses. The v1.1 publication supplies the base T1–T17 taxonomy; the MAS Guide applies MAESTRO to three worked multi-agent systems; ATLAS provides an adversary-technique pivot. Helmwart combines these as base threats, normalized MAS scenario entries, architectural layers, and TTP links.
Deterministic, not LLM-generated. The same answers always produce the same output. No API key needed; no model output variance; works in a static-site browser tab. STRIDE-GPT, MAESTRO Playbook, ASTRIDE, and Trent AI are all LLM-driven; worth pairing with, not replacing.
Diagram-first. The canvas at /canvas/ is the architectural source of truth. Findings emerge from the graph rather than a checklist. The workflow page is the on-ramp for users who want a guided pass before they sit with the canvas.
Open source. No vendor lock-in. ThreatModeler + IriusRisk and SD Elements are excellent at enterprise scale; Helmwart sits in the gap below them.