Ortelius Blog

What is Threat Modeling? - Basic Concepts to Get You Started


In a data-driven world, digital security and awareness are vital for people, academia, industry, and government. A cyberattack can take away more than your breath. It can take away your network worth. For this reason, the implementation of forecasting and nowcasting models has become the basis for quick, informed decisions on even minor risks within the scope of an attack. For most of us, cybersecurity, threat models, and software supply chain attacks are a new area of expertise that impacts our DevOps practices, so education around key concepts in cybersecurity and DevSecOps is critical. When talking about Threat Modeling, context matters, so let’s freshen up our vocabulary, shall we?

  • Cybersecurity: a collection of strategies to guard against cyberattacks. It has three pillars: people, processes, and technology.
  • Risks: vulnerabilities exploited by malicious attackers through at least one of the cybersecurity pillars.
  • Threats: how malicious attackers target and act to damage or compromise cybersecurity pillars.
  • Mitigation: measures taken to reduce the impact of said risks, endorsed by cyber policies.
  • Remediation: processes to improve or correct cyber-vulnerabilities once they have been compromised by the attackers.
  • Models: guidelines to identify the scope of cyber threats for proper risk mitigation and remediation.

Hence, Threat Modeling covers the identification, communication, and understanding of threats alongside the mitigation required to secure systems and data.

Getting Started

You may wonder how to get started in threat modeling. Most of us have no experience in this area, and yet it will be needed in DevSecOps practices in the near future. Basic software engineering DevSecOps provides the framework on which to build threat modeling. It is the data from the DevSecOps pipeline that delivers the cyber risk assessment, connecting the threats and the risk through the abstraction of the system and the profiling of threats and attacks. Gathering and analyzing DevSecOps data is the focus of the Ortelius Threat Modeling project, which is centered on MITRE ATT&CK.

Have you ever watched an old-school sci-fi action movie where someone sits behind a computer with green or blueish numbers running on the screen and suddenly gains access to all the secrets? Well, it is just a movie. The reality is that cybersecurity threats do take time before they manage to disrupt the systems they are targeting. AI models and computing capabilities put cybersecurity specialists in a tricky situation. They must stay up to date with the trends and stay one step ahead of the bad guys. Worry not, for the MITRE ATT&CK knowledge base can help to model cyber adversaries’ tactics and techniques, whilst providing insights on how to detect or stop them. The best part is that it is freely available to everyone to help develop specific threat models and methodologies.

Continue Learning

To learn more about Threat Modeling, check out Michael Scovetta’s paper, Threats, Risks, and Mitigations in the Open Source Ecosystem. This will give you a strong understanding of how to define your own threat model. But what we really need is generative AI to serve up threat models as part of the DevSecOps process.


Cybersecurity is not an all-or-nothing approach. It is about the in-between: achieving digital resilience by securing people, processes, and technology. Ortelius will combine DevSecOps data and the MITRE ATT&CK knowledge base as a common language for defenders to have conversations about emerging threats and develop effective defensive strategies across the software supply chain. If you are interested in this area, consider becoming a contributor to the Ortelius project. Join the Ortelius Architecture meetings to get started.


Meet the Author

Elizabeth Calderon