← Docs
Recipe

Threat Model Doc

A structured template for documenting your application's threat model — assets, adversaries, attack surfaces, and mitigations.

Why write one

A threat model doc forces clarity. It answers who you're defending against, what they want, and how they'll try to get it. Without one, security decisions are guesswork.

Sections

  • Assets — what are you protecting? Source code, user data, signing keys, infrastructure.
  • Adversaries — who are they? Script kiddies, organized crime, nation-state, insider threat.
  • Attack surfaces — network, local, supply chain, social. Every entry point.
  • Threat scenarios — concrete stories. "Attacker compromises CI and injects backdoor into signed binary."
  • Mitigations — what you already do and what you plan to do.
  • Assumptions & gaps — be honest about what you're not covering yet.

Keep it alive

A stale threat model is worse than none — it breeds false confidence. Review it quarterly. Update it when architecture changes. Link it in your onboarding checklist.

This recipe pairs well with the Security Review and Incident Response recipes.