Why Threat Modelling is Non-Negotiable in 2026
Threat modelling is the structured process of identifying, enumerating, and prioritising threats to a system before code reaches production. Unlike penetration testing — which identifies vulnerabilities after the fact — threat modelling shifts security left, embedding risk thinking into architecture and design decisions. For organisations operating in Indian regulated sectors, it is no longer a best practice; it is a regulatory mandate.
STRIDE, developed at Microsoft, remains the most widely adopted threat modelling framework because of its completeness and practical applicability. It classifies threats into six categories that together cover the full attack surface of any software system — from credential abuse to data leakage to outage scenarios. Each category maps directly to a security property that the system must preserve, making STRIDE both a diagnostic tool and a control specification framework.
The Six STRIDE Categories
- Spoofing — Impersonating another user, service, or system to gain illegitimate access. Covered by authentication controls, MFA, and certificate pinning.
- Tampering — Maliciously modifying data at rest or in transit. Mitigated by integrity checks, signed messages, WAFs, and database activity monitoring.
- Repudiation — Denying having performed an action due to insufficient audit trails. Addressed by immutable logging, digital signatures, and non-repudiation controls.
- Information Disclosure — Exposure of sensitive data to unauthorised parties. Countered by encryption in transit and at rest, access controls, and API output filtering.
- Denial of Service — Degrading or halting system availability. Addressed by rate limiting, DDoS protection, resilient architectures, and dependency management.
- Elevation of Privilege — Gaining permissions beyond what is authorised. Mitigated by least privilege, RBAC, IDOR protections, and IAM controls.
Indian Regulatory Context
All three major Indian financial regulators now explicitly require documented threat and risk assessments as part of system development and change management processes.
The RBI’s Threat and Risk Assessment (TRA) guidelines require banks and NBFCs to conduct structured threat assessments for all critical information systems, with documented outputs retained for audit purposes. The assessment must consider threat actors, attack vectors, and asset sensitivity — precisely what STRIDE provides.
SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF) mandates threat modelling as part of its secure SDLC requirements under controls IS.1 through IS.4. Market infrastructure institutions (MIIs), qualified stock brokers (QSBs), and registered investment advisors must embed threat assessment into every major development cycle.
The IRDAI Information Security Audit framework similarly requires insurers to document threat scenarios for customer-facing portals and policy administration systems as part of annual IS audits. STRIDE outputs serve directly as audit evidence.
Under the Digital Personal Data Protection (DPDP) Act, Section 8(1), Data Fiduciaries must implement “reasonable security safeguards.” Documented threat modelling demonstrating that technical measures were selected based on identified threats strengthens your §8(1) compliance posture and reduces regulatory exposure in the event of a breach investigation.
Why STRIDE Works for BFSI
STRIDE maps naturally to the threat landscape of banking, financial services, and insurance systems. Spoofing covers account takeover and credential stuffing — the top attack vectors against customer portals. Tampering addresses transaction manipulation and log falsification, critical concerns for payment systems and core banking. Repudiation directly addresses dispute resolution requirements in digital banking, where a customer challenging a transaction must be met with irrefutable audit evidence.
Information Disclosure covers PII and financial data leakage under both RBI data localisation and DPDP Act obligations. Denial of Service addresses business continuity risks for trading systems, payment rails, and insurance claim portals where downtime carries both financial and regulatory consequences. Elevation of Privilege covers insider threat scenarios — a category specifically highlighted in RBI’s Cyber Security Framework for Banks — where employees exploit overprivileged accounts to access customer data or authorise fraudulent transactions.
How to Use This Wizard
- Describe your system: enter the name, type, data sensitivity classification, and applicable regulatory frameworks. This takes about two minutes and contextualises all downstream risk ratings.
- Work through each of the six STRIDE categories. Select the pre-written threat scenarios that apply to your system architecture and add any custom threats specific to your technology stack or business context.
- Rate each selected threat on a 2×2 risk matrix — likelihood and impact — to compute a risk level automatically. This step takes under five minutes for most systems.
- Review the pre-suggested mitigations drawn from industry best practices, customise them to your architecture, then export a formatted PDF ready for audit evidence submission, CISO review, or architecture design records.
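Added example, not code from the wizard or this page: a Python sketch of the record the four steps above produce. It pairs each STRIDE category with the security property it violates, rates every selected threat on a two-level likelihood x impact matrix, and runs the two checks a reviewer applies before export (categories with no scenario selected, and threats above Low risk with no mitigation). The risk mapping (both Low gives Low, one High gives Medium, both High gives High), the property names, and the sample retail banking portal threats are assumptions of this example, not the wizard's own scales or scenario library; the export step returns a plain dict rather than a PDF.

```python
"""STRIDE threat register: category -> property mapping, a likelihood x impact
risk matrix, and the gap checks a reviewer applies before exporting the model."""
from dataclasses import dataclass, field
from enum import Enum


class Stride(Enum):
    """Each STRIDE category paired with the security property it violates (assumed names)."""
    SPOOFING = ("Spoofing", "Authentication")
    TAMPERING = ("Tampering", "Integrity")
    REPUDIATION = ("Repudiation", "Non-repudiation")
    INFORMATION_DISCLOSURE = ("Information Disclosure", "Confidentiality")
    DENIAL_OF_SERVICE = ("Denial of Service", "Availability")
    ELEVATION_OF_PRIVILEGE = ("Elevation of Privilege", "Authorisation")

    @property
    def label(self) -> str:
        return self.value[0]

    @property
    def property_violated(self) -> str:
        return self.value[1]


LEVELS = ("Low", "High")            # two levels per axis: the 2x2 matrix
RISK_RANK = {"Low": 0, "Medium": 1, "High": 2}


def risk_level(likelihood: str, impact: str) -> str:
    """Assumed matrix: both Low -> Low, one High -> Medium, both High -> High."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"likelihood and impact must be one of {LEVELS}")
    highs = (likelihood == "High") + (impact == "High")   # 0, 1 or 2
    return ("Low", "Medium", "High")[highs]


@dataclass
class Threat:
    category: Stride
    scenario: str
    likelihood: str
    impact: str
    mitigations: list = field(default_factory=list)

    @property
    def risk(self) -> str:
        return risk_level(self.likelihood, self.impact)


@dataclass
class ThreatModel:
    system: str
    system_type: str
    data_classification: str
    frameworks: list
    threats: list = field(default_factory=list)

    def add(self, threat: Threat) -> None:
        self.threats.append(threat)

    def uncovered_categories(self) -> list:
        """STRIDE categories with no selected scenario: a gap an auditor would flag."""
        covered = {t.category for t in self.threats}
        return [c for c in Stride if c not in covered]

    def open_findings(self) -> list:
        """Threats rated above Low that still have no mitigation assigned."""
        return [t for t in self.threats if t.risk != "Low" and not t.mitigations]

    def prioritised(self) -> list:
        """Highest risk first; sorted() is stable, so equal risks keep entry order."""
        return sorted(self.threats, key=lambda t: RISK_RANK[t.risk], reverse=True)

    def to_dict(self) -> dict:
        """Plain structure an export step can render as JSON or PDF."""
        return {
            "system": self.system, "type": self.system_type,
            "data_classification": self.data_classification,
            "frameworks": list(self.frameworks),
            "threats": [{"category": t.category.label,
                         "property": t.category.property_violated,
                         "scenario": t.scenario, "likelihood": t.likelihood,
                         "impact": t.impact, "risk": t.risk,
                         "mitigations": list(t.mitigations)}
                        for t in self.prioritised()],
            "uncovered_categories": [c.label for c in self.uncovered_categories()],
        }


def build_sample_model() -> ThreatModel:
    """Constructed sample: a hypothetical retail banking portal, not a real system."""
    m = ThreatModel("Retail Banking Portal", "Customer-facing web application",
                    "Confidential (PII + financial)", ["RBI TRA", "DPDP Act"])
    m.add(Threat(Stride.SPOOFING, "Credential stuffing against customer login",
                 "High", "High", ["MFA", "Login rate limiting"]))
    m.add(Threat(Stride.TAMPERING, "Transfer amount altered in transit",
                 "Low", "High", ["TLS", "Signed transaction payloads"]))
    m.add(Threat(Stride.REPUDIATION, "Customer disputes a transfer; logs are mutable",
                 "Low", "High"))                       # no mitigation yet: open finding
    m.add(Threat(Stride.INFORMATION_DISCLOSURE, "Statement API returns data without auth",
                 "High", "High", ["API authentication", "Response field filtering"]))
    m.add(Threat(Stride.ELEVATION_OF_PRIVILEGE, "IDOR on account ID exposes other customers",
                 "High", "High", ["Object-level authorisation checks"]))
    # Denial of Service deliberately left unselected so the coverage check has something to report.
    return m


if __name__ == "__main__":
    import json
    print(json.dumps(build_sample_model().to_dict(), indent=2))
```

Running the script prints the export dict; in the sample it lists Denial of Service as uncovered and leaves the unmitigated Repudiation scenario visible as a Medium-risk open finding, which is the kind of gap the review step should resolve before the document is used as audit evidence.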