Skip to content

Threat Modeling Diagrams

Diagrams make threats visible
Drawing your system architecture reveals components , data flows , trust boundaries , and attack surfaces that text descriptions miss

Diagram Types

Data Flow Diagrams (DFD) Most common threat modeling diagram type

  • External Entity - Outside the system boundary (user, third-party API)
  • Process - System component that processes data
  • Data Store - Where data is stored (database, filesystem)
  • Data Flow - Movement of data between elements
  • Trust Boundary - Where privilege level changes
sequenceDiagram
    participant User
    participant LoginAPI as Login API
    participant Database

    User->>LoginAPI: login
    LoginAPI->>Database: query
    Database-->>User: response
    Note over LoginAPI,Database: Trust boundary

Trust Boundaries

Identify these explicitly because threats cross boundaries:

  • Network boundary (internal vs external)
  • Process boundary (user-space vs kernel)
  • Privilege boundary (user vs admin)
  • Organizational boundary (your system vs third-party)
  • Security domain boundary (different classification levels)

Example Mermaid DFD:

flowchart TD
    subgraph External
        User((User))
        Attacker((Attacker))
    end
    subgraph "DMZ Trust Boundary"
        LB[Load Balancer]
        API[Web API]
    end
    subgraph "Internal Trust Boundary"
        Auth[Auth Service]
        DB[(Database)]
    end

    User -->|HTTPS| LB
    Attacker -->|Malicious Request| LB
    LB --> API
    API -->|Auth Request| Auth
    Auth -->|Query| DB
    API -->|Query| DB

Attack Trees

Visualize attacker goals and sub-goals:

flowchart TD
    Goal[Goal: Steal User Credentials]
    Goal --> Phishing[Phishing Campaign]
    Phishing --> Clone[Clone legitimate login page]
    Phishing --> Email[Send convincing email]
    Phishing --> Collect[Collect credentials]
    Goal --> DB[Database Breach]
    DB --> SQLi[SQL injection]
    DB --> CompromiseDB[Compromise database server]
    DB --> Dump[Dump credentials table]
    Goal --> MITM[MITM Attack]
    MITM --> ARP[ARP spoofing on local network]
    MITM --> SSLStrip[SSL stripping]
    MITM --> Capture[Capture login traffic]
    Goal --> Brute[Brute Force]
    Brute --> Spray[Password spray]
    Brute --> Stuffing[Credential stuffing]
    Brute --> Dict[Dictionary attack]

Sequence Diagrams for Threats

Show the order of operations in an attack:

sequenceDiagram
    participant Attacker
    participant WebApp
    participant Database

    Attacker->>WebApp: SQL Injection Payload
    WebApp->>Database: Malicious Query
    Database-->>WebApp: Data Dump
    WebApp-->>Attacker: Results

    Note over Attacker,Database: No input sanitization!

Common Diagramming Tools

  • Draw.io / diagrams.net - Free, integrates with Google/OneDrive
  • Microsoft Threat Modeling Tool - Built for STRIDE, generates threat lists
  • OWASP Threat Dragon - Open-source web-based
  • Mermaid.js - Code-to-diagram (MkDocs compatible)
  • PlantUML - Code-based diagrams
  • Lucidchart - Commercial , collaboration features

What Every Threat Model Diagram Needs

  1. All entry points (where data enters the system)
  2. All trust boundaries (where privilege levels change)
  3. All data stores (where data persists)
  4. All data flows (how data moves between components)
  5. External dependencies (third-party services, APIs)
  6. Authentication/authorization points

For Each Element Ask

  • External Entity - Can it be impersonated?
  • Process - Can it be compromised?
  • Data Flow - Is it encrypted? Authenticated?
  • Data Store - Who can read/write? Is it encrypted at rest?
  • Trust Boundary - Is the boundary enforced?