How to Run a Threat Modeling Session: The 90-Minute Meeting That Actually Works

Run a threat model for:

• Any new feature that handles authentication, authorization, or sensitive data
• Any significant architectural change (new service, new data store, new external integration)
• Any feature that accepts external user input and processes it server-side
• Any feature involving payment, PII, health data, or credentials
• Pre-launch review of a new product or major release

Skip the formal threat model for:

• Pure UI changes with no backend logic changes
• Bug fixes that do not change data flow or trust boundaries
• Internal tooling with no access to sensitive data
• Changes already covered by a recent (last 6 months) threat model for the same component

The trigger: Build threat modeling into your SDLC as a ticket type. When an engineer creates an epic or design doc for a new feature, a threat model task is automatically added to the definition of done. The security team is not the gatekeeper -- the engineering team runs the meeting and the security engineer participates as a facilitator and subject matter expert, not as an approver.

Required attendees:

• The engineer or tech lead who designed the feature (they know the actual data flow)
• The product manager (they know the business logic and edge cases)
• One security engineer (facilitator)

Optional but valuable:

• A second engineer from the team (catches gaps in the tech lead's description)
• A QA engineer (good at finding edge cases)
• A representative from the team that will own the system in production (ops, SRE)

Maximum attendees: 6. More than 6 and the meeting becomes a performance rather than a working session.

Pre-meeting email template:

Subject: Threat Model — [Feature Name] — [Date] 90 min

Hi all,

We are threat modeling [feature name] before it ships.
This is a 90-minute working session, not a presentation.

Before the meeting, please:
1. Read the design doc or PRD: [link]
2. Be ready to walk through the data flow out loud
   (no slides needed -- we will draw it together)

We will produce:
- A data flow diagram
- A list of threats, each with a severity and owner
- Jira tickets for anything above 'informational'

Location: [room / Zoom link]
Facilitator: [security engineer name]

What to prepare as facilitator:

• A blank Miro, Lucidchart, FigJam, or whiteboard
• The STRIDE threat table template (see below)
• Read the design doc before the meeting -- you should understand the feature well enough to ask good questions, not well enough to explain it

Minutes 0 to 15: Draw the data flow diagram

Do not start with threats. Start with the system.

Ask the tech lead: 'Walk me through what happens when a user does [the core action of this feature].'

As they talk, draw. Use four symbol types:

• Rectangle: External entities (user browser, mobile app, third-party service, another team's API)
• Circle or rounded rectangle: Processes (your application code, your service, a Lambda function)
• Parallel lines: Data stores (database, S3 bucket, Redis cache, message queue)
• Arrow: Data flows (label each arrow with what data moves and in which direction)
• Dashed box: Trust boundaries (where data crosses from one trust level to another -- internet to your server, your server to the database, user-controlled to server-controlled)

The trust boundaries are the most important thing to draw correctly. Every arrow that crosses a trust boundary is a candidate for a threat.

Common DFD for a typical SaaS feature:

[Browser] ---(HTTPS: login request + credentials)---> [Auth Service]
[Auth Service] ---(SQL: user lookup)---> [Users DB]
[Auth Service] ---(JWT token)---> [Browser]
[Browser] ---(HTTPS + JWT: API request)---> [API Service]
[API Service] ---(SQL: data query)---> [App DB]
[API Service] ---(JSON response)---> [Browser]

Trust boundaries: internet/browser to your services; your services to the databases.

Minutes 15 to 65: STRIDE analysis

For each arrow and each component on the diagram, ask the six STRIDE questions. Do not try to ask all six for everything -- focus on the arrows crossing trust boundaries and the data stores.

For each threat you identify, record it immediately in the threat table. Do not evaluate severity during the meeting -- just capture. Evaluation comes at the end.

Minutes 65 to 80: Prioritization

For each identified threat, assign:

• Severity: High / Medium / Low
• Likelihood: High / Medium / Low
• Priority: High x High = P1, High x Medium = P2, everything else = P3 or informational

Use DREAD or a simple 2x2 matrix. Do not spend more than 2 minutes per threat on prioritization -- the goal is a rough sort, not a precise calculation.

Minutes 80 to 90: Ticket creation

For every P1 and P2 threat, create a Jira ticket before the meeting ends. Assign it to the engineer who owns the affected component. The ticket needs three things:

1. What the threat is (one sentence)
2. What the impact would be if exploited
3. A proposed mitigation direction (does not need to be the final solution)

Do not leave the meeting without tickets. A threat model that produces a document but no tickets produces zero security improvement.

Use this table structure during the session. Fill it in a shared Google Doc, Confluence page, or Notion so everyone can see it in real time.

| ID | Component / Data Flow | STRIDE Category | Threat Description | Impact | Likelihood | Priority | Owner | Ticket |
|----|----------------------|-----------------|-------------------|--------|------------|----------|-------|--------|
| T1 | Login endpoint | Spoofing | Stolen session tokens can be replayed -- no token expiry or revocation | High | Medium | P2 | Backend | JIRA-1234 |
| T2 | Auth -> Users DB | Information disclosure | SQL error messages returned to client expose table structure | Medium | High | P2 | Backend | JIRA-1235 |
| T3 | API endpoint | Tampering | BOLA: user can modify `userId` param to access other users' data | High | High | P1 | Backend | JIRA-1236 |
| T4 | Login endpoint | Denial of service | No rate limiting on login -- brute force possible | Medium | High | P2 | Infra | JIRA-1237 |
| T5 | App DB | Information disclosure | DB backup stored in same S3 bucket as app assets -- no access separation | High | Low | P2 | Infra | JIRA-1238 |

Standard mitigations by STRIDE category (to reference during the session):

A single security engineer cannot run threat models for every feature at a company growing faster than one feature a week. The solution is to train engineers to run the sessions themselves.

The security champion model:

Identify one engineer per team who is interested in security (not necessarily an expert). Train them to:

1. Recognize when a feature needs a threat model (the trigger criteria above)
2. Facilitate the DFD drawing session
3. Ask the STRIDE questions
4. Fill in the threat table
5. Escalate any P1 findings to the security team for review

The security engineer reviews the completed threat table asynchronously, not in the meeting. This shifts the ratio from 'one security engineer required per meeting' to 'one security engineer reviews ten meetings per week.'

Lightweight threat modeling for smaller changes:

For minor features that do not warrant a 90-minute session, use a three-question async review in the design doc:

Security self-review (complete before marking design doc as ready for review):

1. What sensitive data does this feature handle? 
   (Credentials, PII, payment data, health data, access tokens)

2. What are the two most plausible ways an attacker could abuse this feature?
   (Think about: spoofing users, accessing other users' data, bypassing rate limits, 
    injecting malicious input, escalating privileges)

3. How does this feature mitigate each of those attack paths?
   (Note: 'we will add it later' is not a mitigation)

If the engineer cannot answer question 3, the design is not ready for implementation review.

Storing and referencing past threat models:

Store all threat model outputs (DFD + threat table) in your engineering wiki, linked from the design doc. When similar features are built later, the prior threat model is a starting point. Over time, you build a pattern library of threats for your specific architecture -- new engineers learn the security model of the system by reading prior threat models.