
Create a diagram from scratch

Let's jump straight in and get building some threat model diagrams

5 min read. Last updated November 25, 2024.

Contents

Trust zones and components
Adding component details
Changing component visibility by business unit

To build a diagram you will need a good understanding of the architecture you are threat modeling, so that you can identify, and then drag and drop, all of the components your diagram needs.

Navigate to 'Projects' and select the blue 'New Project' button. Give your project a name (this can be changed later), add any relevant tags or a description for your application or architecture, and hit 'Create'.

Trust zones and components 

A modal questionnaire appears by default to assist you. Close it and instead browse the components on the left hand side to choose what you need to build your diagram; simply drag and drop them onto the canvas. We recommend starting with your trust zones, which group components together and assign a level of trust and risk to each zone. You can still complete a full threat model without trust zones if you are unsure of this detail: they can be added at any time, and the threat model can be updated afterwards. If no trust zones are included, the default trust rating used is zero.

You can enlarge the trust zones and move them around as you see fit. Next, pick your components. Expand the sections, which are in alphabetical order, or use the search bar to find your 'user', 'database', 'S3 bucket' and many more. New components are added in every product release.

After adding some components, you can include data flows between them: hover over a component and, once the arrow appears, click it and drag it to another component.

Data flows and components can be annotated for additional context. Bidirectional flows and the type of data being transferred can be selected such as credit card data or personal information. 

Simply right click on the data flow line and a side modal will appear, where you can add your tags and the assets. Don't forget to press 'Save' (top right button) so that these changes are reflected on your diagram.

Once these annotations have been made, the assets or tags are shown on the data flow line itself.

Adding component details

Right click on a component and select 'Component Details' to perform similar actions, such as adding tags. This lets you add tags, a description and other context for your component.

You can give even more context by right clicking a component and choosing 'Component Questionnaire'. For both options a modal appears on the right hand side, where you can answer a variety of questions about your component. You will see how many questions remain, and you can skip those you feel are irrelevant to your use case.

Once you are happy with your diagram (you can always come back and edit it later, or invite others to do so), press the orange 'Update Model' button to generate the associated threats and countermeasures. You have built your first diagram!
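To make the structure behind this walkthrough concrete, here is an added example in plain Python; it is not the tool's own code or engine. It models trust zones with a trust rating that defaults to zero, components placed in zones (or in none), and data flows annotated with assets such as credit card data, and it lists the flows that cross a trust boundary, which is where generated threats tend to concentrate. Zone names, ratings and the sample diagram are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class TrustZone:
    name: str
    trust: int = 0  # trust rating; the page notes the default is zero when none is set

@dataclass
class Component:
    name: str
    zone: Optional[TrustZone] = None  # a component may sit outside every zone

@dataclass
class DataFlow:
    source: Component
    target: Component
    assets: set = field(default_factory=set)  # e.g. "credit card data"
    bidirectional: bool = False

def zone_trust(c: Component) -> int:
    """Trust rating of the zone a component sits in; zero when it is in none."""
    return c.zone.trust if c.zone is not None else 0

def boundary_crossings(flows):
    """Flows, per direction, that cross a trust boundary; bidirectional flows are checked both ways."""
    findings = []
    for f in flows:
        pairs = [(f.source, f.target)] + ([(f.target, f.source)] if f.bidirectional else [])
        for src, dst in pairs:
            s, d = zone_trust(src), zone_trust(dst)
            if d > s:  # data from a less-trusted zone reaches a more-trusted one
                findings.append((src.name, dst.name, "less-trusted input enters a more-trusted zone"))
            elif d < s and f.assets:  # tagged assets head somewhere less trusted
                findings.append((src.name, dst.name, "tagged assets leave to a less-trusted zone"))
    return findings

# Constructed sample diagram (hypothetical zone names and ratings).
internet, dmz, internal = TrustZone("Internet", 0), TrustZone("DMZ", 50), TrustZone("Internal", 100)
user, web_app = Component("user", internet), Component("web app", dmz)
database, s3 = Component("database", internal), Component("S3 bucket")  # S3 left outside any zone
FLOWS = [
    DataFlow(user, web_app, {"personal information"}),
    DataFlow(web_app, database, {"credit card data"}, bidirectional=True),
    DataFlow(web_app, s3, {"personal information"}),
]
```

Calling boundary_crossings(FLOWS) on the sample returns four findings, including the flow into the S3 bucket, which is flagged because a component placed in no zone gets the zero trust rating.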

Changing component visibility by business unit

Let's say there are certain components you don't need your whole organization to see, either because they are relevant only to a specific group of users, or because showing components that a group will never use would only add confusion. Leave the Project if you are already in one and return to the main menu. Click on 'Objects' at the top and then 'Components', and find the component you wish to restrict (the example shown here is for Client Side). You can either toggle the button to 'Yes' to make it visible to all, or toggle it to 'No' and choose the relevant Business Units that should have visibility of it. The example shows some of the groups that can be selected.
