Threat Modelling Without the Ceremony

By Davy Rogers

Four questions. Not week-long workshops.

Four questions

  1. What are we building?
  2. What can go wrong?
  3. What are we going to do about it?
  4. Did we do a good enough job?

STRIDE, PASTA, attack trees, data flow diagrams: all of them are just structure around these four questions.

The AI-assisted approach

Go to the JustAppSec threat model editor, click Generate with AI, copy the prompt, and paste it into your coding agent (Copilot, Claude, Cursor). The agent generates a .justappsec file (plain JSON). Open it back in the editor.

You get: open threats, mitigations already in place, deliberate trade-offs. Each threat has severity, status, attack scenario, and affected component paths. The editor renders paths visually so you can see attack surface at a glance.

Make changes in the editor - update statuses, add owners, close handled threats. Ask your agent questions. Ask it to fix or expand. The schema is embedded, so the AI always has context.

It lives in your repo

Commit it. It versions with the code. When design changes, update affected threats and commit the diff. Reviewers see exactly what the security thinking was.

Automate it too: CI can propose threat model updates when code changes. See automated threat model updates with GitHub Actions.
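An added example of the kind of gate that CI step can run (this is not JustAppSec's own code; the JSON layout below is an assumption, and the real .justappsec schema may differ): it reads the committed model and fails the build when a threat has been identified but given no mitigate/accept/transfer/avoid decision, or when an open high-severity threat has nobody owning it.

```python
import json
import sys

# Constructed sample threat model using the fields the post describes
# (severity, status, attack scenario, affected component paths, owner,
# decision). Layout is an assumption, not the real .justappsec schema.
SAMPLE_MODEL = json.dumps({
    "threats": [
        {"id": "T1", "title": "Tampered order totals", "severity": "high",
         "status": "open", "owner": "",
         "scenario": "Client edits the price field before checkout",
         "components": ["api/orders", "db/orders"]},
        {"id": "T2", "title": "Error pages leak stack traces",
         "severity": "low", "status": "accepted", "decision": "accept",
         "owner": "platform", "scenario": "Framework version read from a 500",
         "components": ["api/errors"]},
        {"id": "T3", "title": "Stolen session token replayed", "severity": "high",
         "status": "mitigated", "decision": "mitigate", "owner": "auth",
         "scenario": "Token lifted from a shared machine is reused",
         "components": ["api/auth"]},
    ],
})

DECISIONS = {"mitigate", "accept", "transfer", "avoid"}
BLOCKING = {"high", "critical"}


def check_model(text):
    """Return findings that should fail the CI gate; empty means pass."""
    findings = []
    for t in json.loads(text).get("threats", []):
        tid = t.get("id", "?")
        # Identification alone is not enough: every threat needs a decision.
        if t.get("decision") not in DECISIONS:
            findings.append(f"{tid}: no decision (mitigate/accept/transfer/avoid)")
        # An open high-severity threat must have someone responsible for it.
        if t.get("status") == "open" and t.get("severity") in BLOCKING and not t.get("owner"):
            findings.append(f"{tid}: open {t['severity']} threat has no owner")
        # Accepted risks are deliberate trade-offs; record who accepted them.
        if t.get("decision") == "accept" and not t.get("owner"):
            findings.append(f"{tid}: accepted risk has no owner")
    return findings


if __name__ == "__main__":
    # Usage: python check_model.py path/to/model.justappsec (sample if omitted)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MODEL
    findings = check_model(text)
    for f in findings: print("FAIL", f)
    sys.exit(1 if findings else 0)
```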

The traditional approach

Sketch the system - user, browser, API, database, third-party services. Draw data flow arrows. Walk each component: spoofing? Tampering? Information disclosure? Denial of service? Privilege escalation?

For each threat: mitigate, accept, transfer, or avoid. Write it down. Check after implementation.

When to do it

Before you write the code - during design, when changes are cheap.

Triggers:

  • New feature handling sensitive data
  • New external integration
  • Changes to trust boundaries
  • Significant architecture change

You don't need to threat model every bug fix.

Common mistakes

  • Boiling the ocean. Model what you're changing, not the entire system.
  • Only external attackers. Insiders, compromised dependencies, misconfigured infra are threats too.
  • Stopping at identification. Finding threats is only useful if you decide what to do.
  • One-time event. Revisit when things change.

The takeaway

AI does the first draft. You bring judgment. Commit the file. Catch design-level flaws before code exists.

Want a professional to look at it? Get an AppSec Health Check.