VerSprite’s PASTA Threat Modeling Service
Simulate Real-World Attacks and Prioritize Business Risk with the Methodology We Created
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
PASTA (Process for Attack Simulation and Threat Analysis) is the risk-centric threat modeling methodology co-created by VerSprite CEO Tony UcedaVélez and Marco M. Morana. It treats cyber threat mitigation first as a business problem: by simulating realistic attacks against your applications and mapping them to business impact, PASTA produces an evidence-based, prioritized view of the risks that actually matter — and the countermeasures that address them.
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
What Is PASTA Threat Modeling?
PASTA (Process for Attack Simulation and Threat Analysis) is a risk-centric, seven-stage threat modeling methodology that identifies, analyzes, and prioritizes threats to an application or organization by simulating real-world attacks and aligning them to business impact. Co-created by VerSprite CEO Tony UcedaVélez and Marco M. Morana and documented in their book Risk Centric Threat Modeling (Wiley, 2015), PASTA goes beyond categorizing threats: it correlates real threats to your attack surface, validates them through exploitation testing, and ties their viability to sustained business impact — enabling security decisions driven by business objectives.
FREE DOWNLOAD
Download the PASTA Threat Modeling eBook
The Risk-Based Threat Modeling eBook walks through the full PASTA process and the tactical steps for mapping attacks to business-asset targets.
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
The 7 Stages of PASTA Threat Modeling
Stage 1 — Define Objectives
Establish the business and security objectives for the analysis, including the application’s inherent risk profile and business-impact considerations, early in the SDLC or for a given sprint.
Stage 2 — Define Technical Scope
Decompose the technology stack and infrastructure that support the application components delivering those business objectives. You can’t protect what you don’t know exists.
Stage 3 — Application Decomposition
Map the data flows among application components and services, identifying assets, interfaces, trust boundaries, and access controls in the threat model.
Stage 4 — Threat Analysis
Review threat assertions from environmental data and relevant industry threat intelligence tied to the application’s services, data, and deployment model.
Stage 5 — Vulnerability & Weakness Analysis
Identify the vulnerabilities and weaknesses in the application’s design and code, and correlate them to the threat assertions from the prior stage to confirm which are supported.
Stage 6 — Attack Modeling
Emulate attacks that could exploit the identified weaknesses, using attack patterns and attack trees to determine threat viability.
Stage 7 — Risk & Impact Analysis
Quantify the business risk of validated threats and prioritize remediation — addressing countermeasures for non-accepted risks and providing remediation alternatives based on impact, likelihood, and cost.
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
Why the PASTA Framework Has Been Adopted Worldwide
PASTA looks at cyber threat mitigation as a business problem first. It provides an in-depth process for simulating attacks against your applications; by analyzing the threats those simulations reveal, organizations can address real risk rather than theoretical issues.
VerSprite’s testing methodology is built on this foundation — assessing operational impact and business threats before evaluating the security of the applications, services, and infrastructure in scope. Each engagement begins by modeling the threat to understand attacker motivation and likely targets, then identifies attacks that cross technologies, people, and processes, and assesses how well countermeasures resist them. Mitigation decisions are therefore made on the basis of operational risk to the business.
From that first phase, VerSprite captures the business objectives for the asset in scope, the most critical business and abuse cases, the likely threat actors and their principal motives, and the targeted information and assets — the inputs that drive realistic attack simulation throughout the engagement.
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
Key Characteristics of Risk-Centric PASTA Threat Modeling
It’s a Methodology
A repeatable seven-stage process with defined activities in each stage, built to guide both new and experienced threat modelers.
Risk-Focused
PASTA weighs threat, vulnerability, countermeasure, and impact — and, crucially, the probability of each, along with threat motives, current evidence, and countermeasure effectiveness.
Collaborative
Effective threat modeling isn’t just for developers. PASTA brings in architects, DevOps, systems engineers, business analysts, and SOC members, because applications depend on design, infrastructure, and managed services (SSO, IAM, PKI) beyond any one team’s view.
Prescriptive
PASTA prioritizes the exploitable vulnerabilities that matter most and, in its final stage, provides prescriptive remediation guidance based on risk impact, threat likelihood, and cost of countermeasures.
Evidence-Based
Quantitative business-impact values, threat-intelligence-driven assertions, and attack trees with probabilities on each branch support realistic threat-likelihood estimates.
Maturity-Model Integration
The activities in each PASTA stage map to BSIMM and OpenSAMM maturity models, so teams at any level can track improvement over time.
Pre-emptive Compliance
PASTA folds technical and regulatory requirements into its first stage, since non-compliance affects product assurance against regulatory obligations.
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
Applying PASTA to Penetration Testing
PASTA guides the penetration test that follows it. Depending on how much information is shared, VerSprite performs black box (DAST-style, no prior knowledge), white box (SAST-style, with source code), or grey box (authenticated, mixed dynamic and static) testing. VerSprite takes a manual-first approach; automated testing is used for breadth of coverage or to complement specific tests, which yields deeper understanding, no false positives, and real proofs of concept for each finding.
For full detail on the testing approaches, see Penetration Testing.
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
PASTA vs. STRIDE
STRIDE classifies threats into fixed categories (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege) and is useful for quickly enumerating technical threat types. PASTA is broader and business-aligned: it starts from business objectives and works through seven stages to connect technical risk to business impact, validated by attack simulation. The two are complementary — STRIDE can help enumerate threats during PASTA’s threat-analysis stage, while PASTA supplies the business context, evidence, and prioritization STRIDE alone doesn’t provide. PASTA suits organizations that need deeper, attacker-driven risk analysis.
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
Industries We Serve
VerSprite delivers PASTA threat modeling across industries where security failures translate directly to financial loss, safety risk, or regulatory exposure:
Financial Services & FinTech
Model threats across banking apps, payment platforms, and financial APIs; identify fraud and abuse cases; align mitigation to regulatory requirements.
Healthcare & Life Sciences
Model threats to ePHI systems and clinical workflows; analyze trust boundaries across EHRs, devices, and partners, aligned to HIPAA.
SaaS & Technology Providers
Decompose cloud-native and microservices architectures; model threats to authentication, APIs, tenant isolation, and CI/CD.
Retail & E-Commerce
Model threats to checkout, payment, and account management; analyze payment and logistics integrations.
Manufacturing & Critical Infrastructure
Model threats across IT/OT convergence; identify attack paths that could disrupt operations or safety.
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
PASTA Threat Modeling for Cybersecurity: OWASP All Chapters 2020 Presentation
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
PASTA Threat Modeling FAQs
What is PASTA threat modeling?
PASTA (Process for Attack Simulation and Threat Analysis) is a risk-centric threat modeling methodology designed to identify, analyze, and mitigate application and organizational threats. It focuses on simulating real-world attacks and aligning security risks with business impact.
What are the 7 stages of the PASTA methodology?
The seven stages are: Define Objectives, Define Technical Scope, Application Decomposition, Threat Analysis, Vulnerability & Weakness Analysis, Attack Modeling, and Risk & Impact Analysis.
How is PASTA different from other threat modeling frameworks?
Unlike frameworks such as STRIDE, which focus on categorizing threats, PASTA is risk-driven and attacker-centric. It emphasizes real-world attack simulation and prioritizes threats based on business impact, making it more actionable for enterprise security programs.
Why should organizations use PASTA threat modeling?
PASTA helps organizations align security efforts with business objectives by identifying the most critical risks. It improves decision-making, enhances risk visibility, and supports proactive security strategies across the development lifecycle.
What is included in a PASTA threat modeling engagement?
A PASTA engagement typically includes business and technical scope definition, application architecture and data flow analysis, threat and vulnerability identification, attack simulation scenarios, and risk prioritization and remediation planning.
How does PASTA support DevSecOps?
PASTA integrates into DevSecOps by providing a structured framework for identifying and prioritizing risks early in the development lifecycle, enabling continuous security validation and informed decision-making within CI/CD pipelines.
What types of threats can PASTA identify?
PASTA can identify business logic vulnerabilities, authentication and authorization weaknesses, API and integration risks, advanced attack paths and chained exploits, and insider and external threat scenarios.
Is PASTA suitable for enterprise environments?
Yes. PASTA is designed for complex enterprise environments where understanding business impact and attack paths is critical. It scales across applications, infrastructure, and organizational risk models.
Who should be involved in a PASTA threat modeling exercise?
PASTA requires collaboration between security teams, developers, architects, product owners, and business stakeholders to ensure risks are evaluated from both technical and business perspectives.
What makes VerSprite’s PASTA threat modeling approach different?
VerSprite enhances the PASTA methodology with a research-driven, attacker-focused approach that incorporates real-world threat intelligence, proprietary techniques, and business-contextual risk analysis to deliver actionable security insights.
What is the difference between PASTA and STRIDE?
STRIDE focuses on categorizing threats such as spoofing, tampering, and denial of service, while PASTA is a risk-centric methodology that simulates real-world attacks and prioritizes threats based on business impact. PASTA is more suitable for organizations that need deeper, attacker-driven risk analysis.
When should organizations use PASTA threat modeling?
Organizations should use PASTA during application design, major architecture changes, digital transformation initiatives, or when handling sensitive data. It is especially valuable for enterprises aligning security decisions with business risk and regulatory requirements.
Who created the PASTA threat modeling methodology?
PASTA was developed by Tony UcedaVélez and Marco Morana to provide a structured, risk-based approach to analyzing application and organizational threats through attacker simulation.
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
Resources
We’re Not a Vendor
We’re Your Security Partner
- Risk-centric security
- True extension of your team
- Executive-level experience
