PASTA and Threat Modeling

Risk-Based Threat Modeling with PASTA and Avocado as an Automated Tool

This summary explores Risk-Based Threat Modeling through the Process for Attack Simulation and Threat Analysis (PASTA) and highlights how Avocado Automated Threat Modeling enhances this approach. PASTA is a business-driven methodology that prioritizes risks by aligning security efforts with organizational objectives, emphasizing the evaluation of threats and vulnerabilities based on their likelihood and business impact. 

The integration of Avocado’s automated tools streamlines PASTA’s stages by providing real-time application visibility, dynamic threat detection, and actionable risk insights. Avocado Reveal and Protect complement the PASTA framework by automating key processes like attack surface mapping, threat and vulnerability correlation, runtime monitoring, and risk validation, making the implementation of PASTA more efficient, adaptive, and comprehensive. This synergy ensures proactive risk management, enabling organizations to prioritize and mitigate critical threats effectively.

What is Risk-Based Threat Modeling?

Risk-based threat modeling is a security approach that prioritizes threats and vulnerabilities based on their business impact and likelihood of occurrence, ensuring that the most critical risks are addressed first. It aligns security efforts with organizational goals, focusing on protecting the assets that matter most to the business.

What is PASTA Risk-based Threat Modeling?

PASTA (Process for Attack Simulation and Threat Analysis) is a risk-based threat modeling methodology designed to integrate security analysis with business objectives. It provides a structured, seven-stage framework for identifying, analyzing, and prioritizing threats and vulnerabilities based on their likelihood and impact on the organization. PASTA is unique in its focus on aligning technical security efforts with business goals, emphasizing real-world attack scenarios and risk management. The methodology is designed to integrate security into the overall business strategy by identifying and mitigating the risks that pose the greatest impact to critical assets. 

PASTA emphasizes a risk-centric approach to threat modeling by evaluating threats based on their likelihood and potential impact. The methodology’s stages are structured to create a detailed understanding of the application environment, from business objectives and technical architecture to real-world threat scenarios and attack feasibility. It aims to simulate realistic attack paths, validate the exploitability of vulnerabilities, and prioritize risks based on their relevance to the organization’s goals. This prioritization enables teams to address the most critical risks first, optimizing resource allocation and improving overall risk management.

Another key objective of PASTA is to foster collaboration between technical and business stakeholders. By translating technical vulnerabilities into business-relevant risks, it bridges the gap between development teams, security professionals, and risk managers. This facilitates informed decision-making and ensures that security measures support regulatory compliance, operational continuity, and business success. Ultimately, PASTA’s objectives are to enable proactive, business-aligned security strategies that protect critical assets and mitigate risks efficiently.

 

How Is a Risk-Based Methodology Executed?

A risk-based methodology is executed by systematically identifying, analyzing, and prioritizing risks associated with an application, system, or infrastructure. The process begins with defining business objectives to align security efforts with organizational goals. This involves identifying critical assets, understanding their value to the business, and recognizing regulatory and compliance requirements. With clear objectives in place, the next step is to define the technical scope, mapping the application’s architecture, infrastructure, and dependencies to outline the attack surface and establish boundaries for the assessment.

The application is then decomposed into its functional components, including servers, APIs, data flows, and trust boundaries. This decomposition provides a detailed understanding of entry points and interdependencies, forming the foundation for threat analysis. Threats are identified using intelligence sources, frameworks like STRIDE, or custom threat libraries, focusing on how they could exploit vulnerabilities to impact critical assets. Following this, vulnerabilities in the system are analyzed, correlating them with identified threats to highlight the areas of greatest concern.

Risk assessment comes next, where the likelihood of a threat exploiting a vulnerability is evaluated alongside its potential business impact. This stage prioritizes risks based on their severity and relevance to the organization. Mitigation strategies are then developed to address the most critical risks, often involving security controls, patches, or architectural changes. The methodology concludes with validation and monitoring, where attack simulations and testing ensure that mitigations are effective. Continuous monitoring adapts the risk model to reflect changes in the application or threat landscape, ensuring an ongoing, proactive approach to managing risks. This comprehensive and iterative execution enables organizations to focus resources on the most impactful risks, aligning security efforts with business priorities.

The seven stages of PASTA (Process for Attack Simulation and Threat Analysis) provide a structured approach to aligning security efforts with business objectives and prioritizing risks based on their impact and likelihood.

  1. Define Objectives (DO): The process begins by identifying business objectives, critical assets, and compliance requirements. This ensures the threat modeling aligns with organizational goals and focuses on securing valuable resources.
  2. Define the Technical Scope (DTS): In this stage, the system’s architecture, infrastructure, and dependencies are mapped to define the attack surface. This establishes the boundaries for analysis and highlights the components at risk.
  3. Decompose the Application (DA): The application is broken down into its components, identifying data flows, trust boundaries, and communication paths. This decomposition helps uncover entry points and dependencies for further analysis.
  4. Analyze the Threats (TA): Potential threats are identified by analyzing attack vectors and threat agents. Threat intelligence and frameworks like STRIDE are used to uncover how attackers might exploit the system.
  5. Vulnerability Analysis (VA): This stage examines vulnerabilities in the application or infrastructure, linking them to identified threats. Weaknesses in servers, APIs, or configurations are assessed for their potential exploitation.
  6. Attack Analysis (AA): Simulated attack scenarios validate the exploitability of vulnerabilities and assess the effectiveness of existing defenses. This stage ensures that mitigations are effective against real-world threats.
  7. Risk and Impact Analysis (RIA): The final stage prioritizes risks based on their likelihood and business impact. A risk management plan is created, focusing on mitigating the most critical vulnerabilities to protect essential assets and meet compliance needs.

These stages collectively enable a comprehensive, business-aligned approach to identifying, analyzing, and mitigating risks in applications and systems.
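As an added example that is not part of the original article or of any PASTA tooling, the following Python script builds a small risk register in the shape the seven stages produce: assets with a business impact rating (Stage 1), components and whether they are exposed outside the trust boundary (Stages 2 and 3), threats enumerated by STRIDE category and threat agent (Stage 4), vulnerabilities correlated with those threats (Stage 5), exploitability and existing controls as validated by testing (Stage 6), and a final ranking by likelihood times business impact (Stage 7). The assets, components, CWE identifiers, threats and the 1-to-5 scales are constructed for illustration; PASTA does not prescribe these particular numbers.

```python
from dataclasses import dataclass

# All names, CWE identifiers and numbers below are constructed for this example.
# The 1..5 scales are an assumption, not a scale prescribed by PASTA.


@dataclass(frozen=True)
class Asset:
    name: str
    business_impact: int  # 1 (negligible) .. 5 (critical), agreed with asset owners in Stage 1


@dataclass(frozen=True)
class Component:
    name: str
    asset: str     # asset this component stores or processes (Stage 2)
    exposed: bool  # reachable from outside the outer trust boundary (Stage 3)


@dataclass(frozen=True)
class Threat:
    name: str
    stride: str      # STRIDE category used to enumerate it (Stage 4)
    agent: str       # "external" or "internal" threat agent
    capability: int  # 1..5 capability and motivation of the agent


@dataclass(frozen=True)
class Vulnerability:
    cwe: str
    component: str
    stride: str              # what the weakness lets an attacker do; used for correlation
    exploitability: int      # 1..5, confirmed by attack-driven testing in Stage 6
    mitigated: bool = False  # an existing control was validated in Stage 6


def correlate(threats, vulns):
    """Stage 5: pair every threat with the vulnerabilities that could realise it."""
    return [(t, v) for t in threats for v in vulns if t.stride == v.stride]


def likelihood(threat, vuln, comp):
    """Stage 6/7 input: capability x exploitability, discounted by exposure and controls."""
    score = threat.capability * vuln.exploitability  # 1..25
    if threat.agent == "external" and not comp.exposed:
        score //= 3  # the attacker first needs a foothold inside the boundary
    if vuln.mitigated:
        score //= 2  # a validated control lowers, but does not remove, the likelihood
    return max(score, 1)


def band(score):
    """Qualitative band for the risk management plan (thresholds are an assumption)."""
    if score >= 60:
        return "Critical"
    if score >= 30:
        return "High"
    if score >= 10:
        return "Medium"
    return "Low"


def risk_register(assets, components, threats, vulns):
    """Stage 7: rank (threat, vulnerability) pairs by likelihood x business impact."""
    by_asset = {a.name: a for a in assets}
    by_comp = {c.name: c for c in components}
    rows = []
    for t, v in correlate(threats, vulns):
        comp = by_comp[v.component]
        impact = by_asset[comp.asset].business_impact
        lk = likelihood(t, v, comp)
        rows.append({"threat": t.name, "cwe": v.cwe, "component": comp.name,
                     "likelihood": lk, "impact": impact,
                     "score": lk * impact, "band": band(lk * impact)})
    rows.sort(key=lambda r: (r["score"], r["impact"]), reverse=True)
    return rows


def example_register():
    """Constructed payments application used to exercise the register."""
    assets = [Asset("cardholder data", 5), Asset("marketing content", 2)]
    components = [
        Component("payments-api", "cardholder data", exposed=True),
        Component("settlement-batch", "cardholder data", exposed=False),
        Component("cms-db", "marketing content", exposed=False),
    ]
    threats = [
        Threat("SQL injection through the public API", "Tampering", "external", 4),
        Threat("credential stuffing against customer login", "Spoofing", "external", 4),
        Threat("insider copies settlement logs", "Information disclosure", "internal", 3),
    ]
    vulns = [
        Vulnerability("CWE-89", "payments-api", "Tampering", 5),
        Vulnerability("CWE-89", "cms-db", "Tampering", 4),
        Vulnerability("CWE-287", "payments-api", "Spoofing", 3, mitigated=True),
        Vulnerability("CWE-532", "settlement-batch", "Information disclosure", 3),
    ]
    return risk_register(assets, components, threats, vulns)


if __name__ == "__main__":
    for r in example_register():
        print(f'{r["band"]:8} {r["score"]:3}  {r["threat"]} via {r["cwe"]} on {r["component"]}')
```

Running the script prints the register in descending order. The point worth noticing is that the insider threat against the settlement batch outranks the credential-stuffing threat against the internet-facing API: the login weakness already has a validated control, while the unmitigated log-exposure weakness sits on the asset with the highest business impact. A STRIDE enumeration alone lists all four pairs without that ordering.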

How Does Risk-Based Threat Modeling Differ from Other Methodologies like STRIDE?

Risk-based threat modeling, such as PASTA (Process for Attack Simulation and Threat Analysis), differs from developer-centric methodologies like STRIDE in its focus, scope, audience, and outcomes. PASTA is a business-driven, risk-centric approach designed to align security efforts with organizational goals by evaluating threats and vulnerabilities based on their likelihood and business impact. STRIDE, in contrast, is the developer-oriented threat classification that originated at Microsoft (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege). Applied to a static system design, usually element by element over a data flow diagram, it aims to enumerate every potential technical threat and leaves prioritization by real-world risk or business objectives to a separate step, such as a DREAD-style rating.

PASTA adopts a holistic scope that spans the entire application lifecycle, incorporating elements like business objectives, runtime environments, and real-world attack scenarios. It dynamically adjusts to changes in architecture and integrates attack simulation and risk prioritization, making it highly adaptable and actionable. STRIDE, on the other hand, is focused on static design artifacts and component-level threats. It categorizes threats using predefined types such as spoofing, tampering, and denial of service, without factoring in external threat agents, runtime contexts, or broader organizational priorities.

The target audience for these methodologies also differs significantly. PASTA caters to risk managers, business stakeholders, and security leadership by producing outputs that prioritize risks and align security strategies with business goals. It facilitates communication across technical and non-technical teams, emphasizing the impact of threats on critical assets and compliance requirements. STRIDE is tailored for developers and engineers, offering a technical threat enumeration that supports design and implementation but lacks the broader risk management context.

In terms of outcomes, PASTA provides actionable risk assessments, attack simulations, and validation of mitigations, ensuring that threats are managed dynamically and effectively. Its outputs are designed to support decision-making at the strategic level, focusing on risks that matter most to the organization. STRIDE delivers a list of technical threats, primarily serving as a guide for development teams to address issues during the design phase. While STRIDE is valuable for its simplicity and focus on technical threats, PASTA excels in its ability to integrate security into the broader context of business priorities and risk management. This makes PASTA particularly suitable for organizations that require a comprehensive and adaptive approach to managing risks in complex environments. The differences are highlighted in this table: 

 

Aspect   | PASTA (Risk-Based)                                | STRIDE (Developer-Centric)
Focus    | Business-driven, risk prioritization              | Technical threat enumeration
Scope    | Holistic, including business impact and runtime   | Component-focused, static design phase
Audience | Risk managers, CISOs, and business stakeholders   | Developers and technical teams
Process  | Seven stages, dynamic, includes attack simulation | Static, framework-based categorization
Outputs  | Risk prioritization, actionable mitigations       | List of potential threats

 

What are the Key Benefits of Using Avocado for Executing Risk-Based Threat Modeling?

Avocado enhances the PASTA threat modeling methodology by automating key stages, reducing manual effort in tasks like scoping, decomposition, threat identification, and vulnerability analysis. This streamlines the process, enabling faster and more accurate threat modeling. Its ability to provide real-time insights ensures that the threat model dynamically reflects changes in the live environment, including evolving threats and updates in architecture.

Avocado links technical vulnerabilities directly to business impact, empowering organizations to prioritize and address the most critical risks effectively. Additionally, it supports proactive mitigation through runtime monitoring, attack simulation, and virtual patching, enabling real-time defense against identified threats and ensuring a robust security posture. This comprehensive functionality makes Avocado a valuable tool for efficient, actionable, and proactive risk management.

How Avocado Helps to Automate PASTA Threat Modeling?

Avocado Reveal and Protect seamlessly align with and automate the stages of the PASTA (Process for Attack Simulation and Threat Analysis) threat modeling methodology. By providing real-time visibility, dynamic threat detection, and actionable risk insights, Avocado enables organizations to implement PASTA efficiently and effectively across its seven stages. This is how:

In Stage 1, Avocado Reveal supports the identification of critical assets by mapping data flows and trust boundaries associated with business-critical components. This insight helps define security objectives for these components by linking them to their business value, ensuring that the modeling process aligns with organizational risk management and business goals.

During Stage 2, Avocado automates the creation of a process-level technical scope of the application by dynamically identifying all application components, such as APIs, containers, databases, middleware, and backend services. It continuously monitors changes in the deployed architecture and highlights new or modified components that need to be reassessed, ensuring that the technical scope remains current and complete.

In Stage 3, Avocado simplifies application decomposition by providing a real-time, runtime view of all servers, services, and communication paths/interactions. It automatically generates Data Flow Diagrams (DFDs), identifying trust boundaries and interdependencies, saving significant manual effort while ensuring accuracy. This reliable decomposition forms the foundation for subsequent threat analysis. 

In Stage 4, Avocado Reveal enhances threat identification by monitoring runtime environments and detecting malicious or untrusted traffic, such as East-West lateral movements. It provides contextual insights into threat agents, distinguishing between internal and external sources. These insights can be integrated into tools like OWASP Threat Dragon and ThreatModeler for detailed analysis and visualization.

During Stage 5, Avocado automates the discovery of vulnerabilities in application components, such as unpatched servers, libraries, and frameworks. It correlates these vulnerabilities with identified threats, enabling teams to focus on the most impactful issues. This real-time vulnerability reporting ensures that threat models remain dynamic and reflect the current state of the environment. 

In Stage 6, Avocado’s automated view of vulnerable components (e.g., servers, services, APIs) supports the execution of attack-driven tests that validate the exploitability of vulnerabilities by simulating real-world attack paths. When it detects malicious traffic associated with specific exploits, it allows organizations to test and validate mitigation strategies. In cases of active threats, Avocado Protect supports virtual patching, blocking malicious traffic in real time until a permanent fix is implemented.

Finally, in Stage 7, Avocado helps prioritize risks by correlating vulnerabilities, threats, and attack paths with their potential business impact. Its insights enable risk managers to focus on critical threats that affect compliance, operational continuity, and sensitive assets. By supporting audits and aligning with frameworks like Zero Trust Architecture and CISA Secure-by-Design, Avocado ensures a robust risk management process.

This is summarized in the table below:

PASTA Stage | Avocado Tool Support
Stage 1: Define Objectives | Avocado Reveal supports the identification of critical assets to protect, such as the servers and services of an application at run time. This insight helps define security objectives by linking these assets to their business value, ensuring alignment with risk management goals and application security requirements, including regulatory requirements.
Stage 2: Define Technical Scope | Avocado automates the extraction of the technical scope of the application in real time by accurately identifying all application components. When changes in the deployed architecture occur, it highlights new or modified components that need to be reassessed for threat modeling, ensuring the scope remains current and complete.
Stage 3: Decompose the Application | Avocado provides a real-time, runtime view of servers, services, and communication paths and automatically generates Data Flow Diagrams (DFDs) that identify trust boundaries and interdependencies, replacing manual decomposition with an accurate, current picture of the application.
Stage 4: Analyze Threats | Avocado Reveal enhances threat identification by monitoring runtime environments and detecting malicious or untrusted traffic, such as East-West lateral movement. It provides contextual insights into threat agents, distinguishing between internal and external sources. These insights can be integrated into threat modeling tools for detailed analysis and visualization.
Stage 5: Vulnerability Analysis | Avocado automates the discovery of vulnerabilities in application components, such as unpatched servers, libraries, and frameworks, and correlates them with identified threats, enabling teams to focus on the most impactful issues. Because threats are correlated with components and their vulnerabilities in real time, the reporting reflects the current risk profile of the application.
Stage 6: Attack Analysis | Avocado supports testing the exploitability of vulnerabilities by simulating real-world attack paths. It detects malicious traffic associated with specific exploits, allowing organizations to test and validate mitigation strategies. In cases of active threats, Avocado Protect supports virtual patching, blocking malicious traffic in real time until a permanent fix is implemented.
Stage 7: Risk and Impact Analysis | Avocado helps prioritize risks by correlating vulnerabilities, threats, and attack paths with their potential business impact. Its insights enable risk managers to focus on critical threats that affect compliance, operational continuity, and sensitive assets. By supporting audits and aligning with frameworks like Zero Trust Architecture and CISA Secure-by-Design, Avocado supports a robust risk management process.
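The following Python script is an added illustration of the runtime-driven decomposition that Stages 2 to 4 above describe; it is not Avocado’s code and uses none of its APIs. It takes constructed flow records of the kind a runtime sensor exports, checks them against an assumed Stage 2 inventory of components and trust zones and an assumed Stage 3 baseline of intended data flows, then reports components that appear at runtime but fall outside the technical scope, flows that cross a trust boundary, and East-West flows absent from the baseline (the lateral-movement candidates Stage 4 looks for), and renders the result as a Graphviz DFD. All hostnames, zone names, ports and the choice of DOT as output format are assumptions.

```python
from collections import defaultdict

# Constructed runtime flow records, in the shape a runtime sensor might export
# (src,dst,dst_port,proto). They are made up for this example.
FLOWS = """\
client-1,web-lb,443,tcp
web-lb,storefront,8080,tcp
storefront,payments-api,8443,tcp
payments-api,payments-db,5432,tcp
storefront,cms-db,3306,tcp
cms-web,payments-db,5432,tcp
payments-api,settlement-batch,22,tcp
"""

# Stage 2 inventory: component -> trust zone (assumed zone names). A component that
# shows up in runtime flows but not here is new or renamed and must be re-scoped.
ZONES = {
    "client-1": "internet", "web-lb": "dmz",
    "storefront": "app", "cms-web": "app", "payments-api": "app",
    "payments-db": "data", "cms-db": "data",
}

# Stage 3 design baseline of intended data flows; "*" matches any source.
BASELINE = {
    ("*", "web-lb", 443), ("web-lb", "storefront", 8080),
    ("storefront", "payments-api", 8443), ("payments-api", "payments-db", 5432),
    ("storefront", "cms-db", 3306),
}


def parse_flows(text):
    """Turn the CSV export into (src, dst, port, proto) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, port, proto = line.split(",")
            flows.append((src, dst, int(port), proto))
    return flows


def expected(src, dst, port):
    """True when the flow is part of the design baseline."""
    return (src, dst, port) in BASELINE or ("*", dst, port) in BASELINE


def decompose(flows):
    """Stages 2-4: components, data flows, trust-boundary crossings and anomalies."""
    edges = {(s, d, p) for s, d, p, _ in flows}
    components = {s for s, *_ in flows} | {d for _, d, *_ in flows}
    zone = lambda name: ZONES.get(name, "unknown")
    crossings = {e for e in edges if zone(e[0]) != zone(e[1])}
    unexpected = {e for e in edges if not expected(*e)}
    # East-West lateral movement candidates: unexpected flows whose source already
    # sits inside the perimeter, i.e. is a known component outside the internet zone.
    lateral = {e for e in unexpected if zone(e[0]) not in ("internet", "unknown")}
    return {
        "components": components,
        "new_components": components - set(ZONES),
        "edges": edges,
        "crossings": crossings,
        "unexpected": unexpected,
        "lateral": lateral,
    }


def to_dot(flows):
    """Render the decomposition as a Graphviz DFD with one cluster per trust zone."""
    model = decompose(flows)
    by_zone = defaultdict(list)
    for name in model["components"]:
        by_zone[ZONES.get(name, "unknown")].append(name)
    out = ["digraph dfd {", "  rankdir=LR;"]
    for zone_name, names in sorted(by_zone.items()):
        out.append(f'  subgraph cluster_{zone_name} {{ label="{zone_name}";')
        out.extend(f'    "{n}";' for n in sorted(names))
        out.append("  }")
    for s, d, p in sorted(model["edges"]):
        attrs = f'label="{p}"'
        if (s, d, p) in model["unexpected"]:
            attrs += ", color=red, style=dashed"  # flow missing from the design baseline
        out.append(f'  "{s}" -> "{d}" [{attrs}];')
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    m = decompose(parse_flows(FLOWS))
    print("new components to re-scope:", sorted(m["new_components"]))
    print("lateral movement candidates:", sorted(m["lateral"]))
    print(to_dot(parse_flows(FLOWS)))
```

In the constructed data, cms-web talking to payments-db on 5432 is the interesting line: both components are inside the perimeter, so a perimeter-only model never sees it, yet it crosses the app/data boundary without a matching design flow. The settlement-batch host that appears only at runtime is exactly the new or modified component that Stage 2 says must be pulled back into scope before the threat model is trusted again.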

 

About the Author Field CISO Marco Morana:

Marco Morana is a Field CISO specializing in financial services cybersecurity, application security architecture, and cloud security governance. With over 15 years of leadership experience in highly regulated industries, he has held senior security roles at global financial institutions, focusing on threat modeling, secure cloud transformations, DevSecOps integration, and safeguarding high-value financial assets.

A recognized expert in threat modeling, he is the co-author of the PASTA risk-centric threat modeling methodology, widely adopted for application security risk management. In addition to contributing to security frameworks and industry best practices, he has authored multiple books, research papers, and industry publications on cybersecurity, application security, and application risk management (see https://mmorana1.github.io//marcom/publications and https://mmorana1.github.io//marcom/portfolio/).

As a trusted advisor to security and technology leadership, he has driven enterprise-wide security transformations, ensuring alignment with global cybersecurity frameworks and regulatory requirements. With expertise in cloud security architectures, zero-trust security models, and multi-tiered financial applications, he has developed security blueprints, secure authentication models, and cloud-native security governance.

He is passionate about mentoring security teams, advancing application security, and deploying solutions that integrate advanced cyber-threat detection and protection for financial clients, empowering CISOs to deliver attack-resilient, secure financial services and ecosystems. More details about his professional contributions can be found on LinkedIn (https://www.linkedin.com/in/go4it/).