It is your first week at a security consultancy, and the team lead drops a 50-page scope document on your desk. The client is Stratford Systems, a mid-sized financial services company. They want a penetration test of their customer-facing payment portal and supporting infrastructure. The engagement window is ten business days. The team lead looks at you and asks: "Where do you start?"
The instinct is to fire up nmap and start scanning. Resist it.
Stratford's network has hundreds of hosts, dozens of services, and multiple application layers. Ten business days is not enough to test everything. If you start scanning blindly, you will spend three days mapping low-priority internal file shares while the payment database with 200,000 customer credit card records sits untouched. The client's CISO does not care that you found a missing patch on a print server. They care about whether an attacker can reach the data that keeps their business alive.
This is the problem that threat modeling solves. Before you run a single scan, you build a structured understanding of what the client needs to protect, what could go wrong, and where to focus your limited testing time. A threat model is not a compliance checkbox or an architect's exercise; for a penetration tester, it is a targeting document. It transforms a vague scope into a prioritized attack plan.
Where Threat Modeling Fits in the Pentest Lifecycle
The Penetration Testing Execution Standard (PTES) defines seven phases that structure a professional engagement from start to finish:
- Pre-Engagement Interactions
- Intelligence Gathering
- Threat Modeling
- Vulnerability Analysis
- Exploitation
- Post-Exploitation
- Reporting
Threat modeling sits at Phase 3, after you have gathered intelligence about the target but before you begin active vulnerability analysis or exploitation. This placement is deliberate. Intelligence gathering tells you what exists on the network; threat modeling tells you what matters and what to target first. Without it, vulnerability analysis becomes a scattershot exercise, and exploitation lacks strategic direction.
Consider the Stratford engagement. After intelligence gathering, you know the company runs a public-facing web application called StratPay Portal, an internal API gateway, an Active Directory domain (stratford.local), a Server database cluster, and a -accessible admin dashboard. That is a lot of surface area. Threat modeling is where you decide which components represent the highest risk to the business and deserve the most testing time.
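The prioritization step above can be made concrete. The following is an added example written for this page, not code from the room or from PTES: it takes the five Stratford components named in the text, assumes a trust-boundary graph between them (which component can reach which) and a data classification for each, then enumerates the simple paths an unauthenticated attacker could follow from an internet-facing entry point to the highest-impact data store and ranks the remaining components by how often they sit on those paths. The edges, the classification labels and the impact weights are assumptions made for illustration; the room does not state them.

```python
"""Attack-path prioritizer for the Stratford scoping exercise.

Added example, not part of the TryHackMe room. The component names come from
the room; the reachability edges, data classifications and impact weights are
ASSUMPTIONS constructed for illustration.
"""
from collections import defaultdict

# Constructed inventory: component -> (exposure, data classification).
# "internet" means an unauthenticated attacker can reach it directly (assumed).
ASSETS = {
    "StratPay Portal": ("internet", "pii"),
    "Admin Dashboard": ("restricted", "config"),
    "API Gateway": ("internal", "none"),
    "stratford.local (AD)": ("internal", "credentials"),
    "Database Cluster": ("internal", "cardholder"),
}

# Constructed trust-boundary graph: which component can talk to which (assumed).
REACHES = {
    "StratPay Portal": ["API Gateway"],
    "Admin Dashboard": ["API Gateway", "stratford.local (AD)"],
    "API Gateway": ["Database Cluster", "stratford.local (AD)"],
    "stratford.local (AD)": ["Database Cluster", "Admin Dashboard"],
    "Database Cluster": [],
}

# Assumed business impact of compromising each data class (10 = worst).
IMPACT = {"cardholder": 10, "credentials": 8, "pii": 6, "config": 3, "none": 1}


def attack_paths(graph, start, goal):
    """Enumerate every simple path start -> goal by depth-first search."""
    paths = []

    def walk(node, seen):
        if node == goal:
            paths.append(list(seen))
            return
        for nxt in graph.get(node, []):
            if nxt not in seen:          # no revisits: keeps paths simple
                seen.append(nxt)
                walk(nxt, seen)
                seen.pop()

    walk(start, [start])
    return paths


def crown_jewel(assets):
    """The component whose data class carries the highest assumed impact."""
    return max(assets, key=lambda name: IMPACT[assets[name][1]])


def prioritize(assets, graph):
    """Return (target, paths, ranked_components).

    Each internet-origin path to the target contributes 1/hops to every
    component on it, so short paths and choke points score highest. The
    target itself is reported separately rather than ranked: it is the
    objective, not the first thing you scan.
    """
    target = crown_jewel(assets)
    entry_points = [n for n, (exposure, _) in assets.items() if exposure == "internet"]
    score = defaultdict(float)
    all_paths = []
    for entry in entry_points:
        for path in attack_paths(graph, entry, target):
            all_paths.append(path)
            weight = 1.0 / (len(path) - 1)
            for node in path:
                score[node] += weight
    candidates = [n for n in assets if n != target]
    ranked = sorted(
        candidates,
        key=lambda n: (-score[n], -IMPACT[assets[n][1]], n),
    )
    return target, all_paths, ranked


if __name__ == "__main__":
    target, paths, ranked = prioritize(ASSETS, REACHES)
    print(f"Crown jewel: {target}")
    for p in paths:
        print("  path:", " -> ".join(p))
    print("Test in this order:", ", ".join(ranked))
```

With the assumed graph, the portal and the API gateway sit on every internet-originating path to the cardholder data and rank first; the admin dashboard, despite being an attractive target, lies on none of them and ranks last. That is the point of the targeting document: the order is driven by reachability to the data the business cares about, not by how interesting a host looks in isolation. Change an edge (for example, make the dashboard internet-facing) and the order changes with it.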
Learning Objectives
By the end of this room, you will be able to:
- Explain why threat modeling is a critical pre-engagement activity for penetration testers
- Identify where threat modeling sits in the Penetration Testing Execution Standard (PTES) lifecycle
- Describe the four-question framework that underpins all threat modeling methodologies
- Recognize the three frameworks covered in this room and their complementary roles
Prerequisites
This room targets users with basic knowledge of cyber security along with familiarity with network architecture concepts. In particular, we recommend:
- Completing the Cyber Kill Chain room
- Familiarity with networking; you can check the Networking module