Threat modelling has a reputation problem. Too many diagrams. Too many "security says no" meetings. Too theoretical to survive a quarterly delivery cycle. Yet every Indian retail bank, NBFC, and payment aggregator runs the same handful of flows that get compromised the same handful of ways — and not because the encryption was weak. Because the assumptions between systems were never written down, never challenged, and never tested.
PASTA — Process for Attack Simulation and Threat Analysis — is the seven-stage methodology designed to fix exactly this. It's risk-centric (not control-centric), evidence-driven, and produces output that survives a SEBI inspection, an RBI IT examination, and a CFO budget review. This walkthrough applies all seven stages to the single most fraud-targeted flow in Indian banking: add a new beneficiary, then transfer money.
STRIDE is a fine threat taxonomy (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege). It tells you the kinds of threats. It does not tell you whether they matter to your business, your regulators, or your CFO's risk register. PASTA wraps STRIDE inside a business-impact framework: every threat is traced to a business objective, a regulatory mapping, and a quantified risk decision.
| Dimension | STRIDE alone | PASTA (recommended for BFSI) |
|---|---|---|
| Starts from | Component / data flow | Business objectives & threat intel |
| Output | Threat list | Risk-prioritised attack scenarios with control mapping |
| Regulator fit | Partial | Aligns with SEBI CSCRF PR.4, RBI Cyber Framework Annex C, DPDP Sec 8 |
| Quantification | None | Connects to FAIR for ALE in ₹ |
| Update cadence | One-shot | Iterative — refreshed per release / threat intel update |
A retail customer opens the mobile app, logs in, adds a new payee (account number + IFSC), waits out the cooling-off window, and transfers funds. Behind that two-tap experience sits an authentication service, an OTP / step-up provider, a fraud-and-risk engine, the core banking ledger, an alert pipeline, and at least one external rail (NPCI / NEFT / RTGS / IMPS).
Data Flow Diagram — Add Beneficiary + Transfer
Pink boundaries mark high-consequence trust zones. Every arrow crossing the bank perimeter is an authentication or authorisation decision.
User simplicity is built on system complexity. Fraudsters don't break encryption — they exploit assumptions between systems.
Who is this flow for, and what would 'failure' actually cost?
Before listing threats, write down what the flow exists to do — in business terms, not control terms. For an Indian retail bank, the add-beneficiary + transfer flow exists to:
Loss-event quantification at this stage matters: what is the cost of a single successful fraud (direct loss + RBI ombudsman settlement + churn + brand)? What is the cost of a 12-hour outage during a settlement window? Pair this with FAIR to get a rupee number for each scenario — without it, every threat looks "high".
Every system the flow touches — including the boring ones.
Systems in scope for "add beneficiary + transfer" almost always include more than the AppSec team initially lists:
The "support tooling" line is the one that gets skipped — and the one CSAs (Customer Support Agents) get socially engineered through. If a CSA can lift a hold on a beneficiary, that capability is part of the threat model.
The exact handoffs, the exact data, the exact trust boundaries.
Decompose the user journey into discrete steps and the data each step writes:
| # | Step | Key data written | Trust transition |
|---|---|---|---|
| 1 | Login | Session token, device fingerprint | Device → API gateway |
| 2 | Initiate Add Beneficiary | Customer ID, intent flag | App → Auth svc |
| 3 | Submit beneficiary details | Account no., IFSC, nickname | API gateway → Core banking |
| 4 | Step-up OTP | OTP value, attempt counter | API gateway → OTP svc |
| 5 | Beneficiary stored (pending) | Beneficiary record + cooling-off ts | Core banking writes |
| 6 | Initiate transfer | Amount, beneficiary ref, channel | App → Risk engine |
| 7 | Risk decision | Risk score, decision (approve / step-up / reject) | Risk → Core banking |
| 8 | Execute transfer | Debit, credit instruction, settlement id | Core → NPCI / NEFT |
| 9 | Notify + log | SMS, push, audit log | Core → SIEM, customer |
The trust transition column is where the threats live. Each transition is an authentication, authorisation, or integrity decision — and each is a place where the next stage's threats actually land.
Real adversaries, real motives, real capabilities.
Realistic threat actors against an Indian retail bank's transfer flow:
| Actor | Capability | Primary technique | Goal |
|---|---|---|---|
| Mule-network operator | Low / mid | Credential stuffing + SIM swap | Drain low-value accounts at scale |
| Targeted social engineer | Mid | Phishing + voice impersonation | Drain high-value accounts |
| Mobile-malware crew | Mid / high | Overlay / accessibility-service abuse | Session hijack on customer device |
| Insider (maker level) | Low | Lift cooling-off / approve faster | Collude with external mule |
| Insider (admin level) | High | Direct DB / config changes | Whitelist mule beneficiaries |
| Nation-state APT | Very high | Supply-chain / SDK compromise | Strategic disruption |
| STRIDE | Where it lands | Concrete threat in this flow |
|---|---|---|
| S — Spoofing | Login, OTP | Stolen credentials + intercepted OTP appear as the customer |
| T — Tampering | API gateway → Core | Intercept and alter beneficiary IFSC mid-request |
| R — Repudiation | Audit log | Customer denies transfer; logs missing device / geolocation |
| I — Info disclosure | Logs, support tools | CSA tools expose beneficiary data without masking |
| D — Denial of service | OTP svc, rails | Attacker drains OTP quota to trigger fail-open |
| E — Elevation of priv. | Insider, admin tools | Maker lifts cooling-off without checker approval |
Where 'we shipped fast' becomes 'we got drained'.
The vulnerabilities most often surfaced when this flow is threat-modelled honestly:
Chain the leaves of the attack tree into the news article that almost wrote itself.
Vulnerabilities by themselves don't fund a money-mule operation. Chained vulnerabilities do. The attack tree below shows three sub-goals an adversary must satisfy — and at least one viable leaf under each.
Attack Tree — Goal: Move funds to attacker-controlled account
What does this cost — and which control kills the most paths for the least UX?
Risk-prioritise the findings using likelihood × impact, and pick the controls that disrupt the most attack-tree leaves with the least conversion cost:
| Finding | Likelihood | Impact | Risk | Suggested control |
|---|---|---|---|---|
| No step-up on beneficiary creation | High | High | CRITICAL | Distinct OTP + device-binding check at create time |
| Cooling-off can be lifted by CSA | Medium | High | HIGH | Mandatory checker workflow + 4-eye log |
| Velocity counts amount, not pattern | High | High | CRITICAL | Sub-threshold burst rule + new-payee weight |
| Alerts arrive post-settlement | High | Medium | HIGH | Pre-settlement scoring + transfer-hold queue |
| Insider maker can act alone | Low | Very high | HIGH | Maker-checker enforcement + privileged-action SIEM |
| Logs lack device / geo for repudiation | Medium | Medium | MEDIUM | Enrich audit log with device, geo, ASN, IP |
One control — step-up authentication at beneficiary creation — disrupts six of the nine attack-tree leaves with negligible UX cost. That is risk-aware design.
A threat model that sits in a Confluence page is a science project. A threat model that maps each finding to a regulatory control is an audit deliverable. Indian BFSI regulators expect — and increasingly inspect for — this traceability:
| Regulator / Framework | Relevant clause | What inspectors look for |
|---|---|---|
| SEBI CSCRF | PR.4 (Application Security) | Threat-model artefact per critical app, refreshed per major release, with risk-prioritised findings |
| SEBI CSCRF | DE.1 / RS.1 | Detection-rule coverage tracing back to threat model scenarios |
| RBI Cyber Security Framework | Annex C — Application Sec. | Secure SDLC with documented threat model and remediation evidence |
| RBI Digital Payment Sec. Controls | § 5 (App. & API) | Risk-tiered authentication for state-changing actions (e.g. add beneficiary) |
| DPDP Act 2023 / Rules 2025 | Sec. 8 — Reasonable Sec. | Demonstrable risk-based controls protecting personal data flows |
| CERT-In Directions (Apr 2022) | § 4 — Logging & Reporting | Log retention (180 d) and 6-hour incident reporting fed by detection rules in DE.1 |
| ISO 27001:2022 | A.8.25 / A.8.26 | Secure dev. lifecycle and security requirements for application services |
Every BFSI security team we've worked with runs into the same five blockers when trying to make PASTA a recurring practice:
Built for Indian BFSI Threat Modellers
Practitioner Toolkit provides the PASTA threat modelling framework guide, step-by-step stage worksheets, STRIDE threat catalogue, and SEBI CSCRF / RBI / DPDP / ISO 27001 control mapping templates — so your AppSec team spends time on judgement, not formatting.
Related Reading
Convert the impact half of every PASTA scenario into Annual Loss Expectancy. Tooling that takes BFSI inputs and returns numbers your CFO will engage with.
Read article SEBI CSCRFThreat-model artefacts feed directly into PR.4 evidence. Here is the assessment calendar that keeps it inspection-ready.
Read article CERT-In SOPWhen the threat model becomes reality — the hour-by-hour SOP, portal field checklist, and the 12 reporting mistakes that trigger enforcement.
Read articleWe use cookies and analytics (Google Analytics) to improve your experience. Under India's Digital Personal Data Protection Act, 2023, we require your consent before collecting any usage data. Privacy Policy