Threat Modeling with Microsoft DREAD

Threat modeling is a method for detecting and prioritizing potential threats to a system and calculating the value of possible mitigations in decreasing or eliminating such threats.

Organizations have developed several methodologies to model cyberthreats and analyze cybersecurity risks and vulnerabilities as the prevalence and costs of cybercrime rise. The Microsoft DREAD Threat Model, a threat modeling framework developed by Microsoft, is one of these risk analysis approaches.

The DREAD model is a quantitative way of calculating the severity of a threat using a scaled grading system so that you can address high-severity concerns first. Even though Microsoft has subsequently abandoned the DREAD security approach due to worries about its subjectivity, small firms, Fortune 500 companies, and the military continue to employ it.


What is Threat Modeling?

Threat modeling is essentially an organized approach with the following key targets:


  • Determine the security needs
  • Identify potential security threats and vulnerabilities
  • Determine the criticality of each threat and vulnerability
  • Emphasize remediation methods

Importance of Threat Modeling

You must build any program or system to be resistant to attacks. However, determining the security standards required to accomplish this might be difficult.


In this regard, threat modeling is a proactive approach to identifying threats that are not normally evaluated or discovered through code reviews or other audits.


Furthermore, threat models are an essential aspect of the security development process. Developers can embed security into a project during the development and maintenance phases when threat modeling is part of the DevOps process. This process eliminates frequent omissions, including failing to check input, having poor authentication, not handling errors properly, and not encrypting data.

What is Microsoft DREAD Threat Model?

DREAD is a Microsoft threat modeling application first published in David LeBlanc and Michael Howard’s Writing Secure Code 2nd edition in 2002. The DREAD security model is divided into five distinct categories:


  • Damage Potential: Recognize the possible damage that a specific threat can cause.
  • Reproducibility: Determine the ease with which you can replicate an attack.
  • Exploitability: Analyze the system’s flaws to see if it is vulnerable to cyberattacks.
  • Affected Users: Determine the number of users who a cyberattack might impact.
  • Discoverability: Assess the ease with which you can discover susceptible points in the system infrastructure.

Threat Modeling with DREAD

Analysts can use the DREAD model to rate, compare, and prioritize threats in each of the above categories. The ultimate rating, derived from the average of these category scores, reflects the overall risk.


By assessing threats across these five categories and assigning a value to each, you can estimate quantitative risk throughout the organization. The resulting number provides a sense of urgency relative to other risks and security vulnerabilities that are otherwise difficult to compare.

Damage Potential

Damage potential aims to categorize threats based on two areas of concern: the type of data safeguarded and the level of access that a threat actor will have. If the data safeguarded is highly sensitive, including financial, health, classified, or other protected data, the damage score is assessed at a high level.


  • 0: No damage
  • 5: Information disclosure
  • 8: Non-sensitive user data about individuals or employers was compromised
  • 9: Non-sensitive administrative data was compromised
  • 10: Destruction of an information system; data or applications become inaccessible


Reproducibility

Reproducibility is concerned with the relative simplicity and ease with which you can exploit the threat repeatedly. To appropriately assign a value to the repeatability of risks, you must consider many different kinds of data.


For instance, the value is extremely low if an attacker has complete knowledge of a threat but cannot exploit it reliably. Exploits that can be repeated dependably with little or no effort are on the opposite extreme of the spectrum. The most prevalent and most highly rated cases are features or configurations that are insecure by default.


  • 0: Difficult or impossible
  • 5: Complex
  • 7.5: Easy
  • 10: Very easy


Exploitability

Unlike reproducibility, exploitability only considers the work necessary to exploit a threat. The total amount of work required determines the exploitability score.


A threat that remote, unauthenticated attackers can exploit using tools produced by others, or a threat so well known that it can be automated and is actively exploited, would be rated the highest. In every case, evaluate the overall amount of work necessary when considering exploitability.


  • 2.5: Advanced programming and networking skills
  • 5: Available attack tools
  • 9: Web application proxies
  • 10: Web browser

Affected Users

Affected Users attempts to quantify the overall number of users affected or the importance of users involved, depending on the degree of threat modeling.


For instance, in one scenario, you could estimate the number of users affected relative to the overall number of users. Alternatively, in a more thorough review, you may assign a relative priority to the type of user or users that may be affected. To understand the appropriate value to assign, you can examine both of these elements, as you would other DREAD risk components.


  • 0: No users
  • 2.5: Individual user
  • 6: Few users
  • 8: Administrative users
  • 10: All users


Discoverability

Discoverability can be defined as the amount of effort a threat actor needs to locate a specific threat and analyze it. In many DREAD model implementations, standard practice is to assign the greatest possible value.

Discoverability is connected to the concept of security by obscurity. Any obscurity should instead be reflected, to the greatest extent possible, in the reproducibility and exploitability scores.

  • 0: Hard to discover the vulnerability
  • 5: HTTP requests can uncover the vulnerability
  • 8: Vulnerability found in the public domain
  • 10: Vulnerability found in web address bar or form
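
The averaging described under "Threat Modeling with DREAD" and the practice of always assigning discoverability the maximum value can be compared side by side. The following is an added example, not code from the original article or from Microsoft; the `Dread` class, the `rank` helper, and the three sample threats are constructed for illustration, scored with values from the scales above.

```python
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class Dread:
    """One threat's scores, each on the article's 0-10 scale (hypothetical helper)."""
    name: str
    damage: float
    reproducibility: float
    exploitability: float
    affected_users: float
    discoverability: float

    def __post_init__(self):
        # Reject scores outside the scale so a typo cannot skew the ranking.
        for f in fields(self)[1:]:
            value = getattr(self, f.name)
            if not 0 <= value <= 10:
                raise ValueError(f"{self.name}: {f.name}={value} is outside 0-10")

    def rating(self, pin_discoverability=False):
        """Average of the five category scores; optionally treat
        discoverability as 10 regardless of the recorded score."""
        d = 10 if pin_discoverability else self.discoverability
        return (self.damage + self.reproducibility + self.exploitability
                + self.affected_users + d) / 5


def rank(threats, pin_discoverability=False):
    """Return (name, rating) pairs, highest rating first."""
    scored = [(t.name, t.rating(pin_discoverability)) for t in threats]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample threats; the names and scores are illustrative only.
THREATS = [
    Dread("Reflected XSS in search form", 5, 10, 10, 2.5, 10),
    Dread("Admin API missing auth check", 9, 7.5, 5, 8, 0),
    Dread("Verbose error page", 5, 10, 10, 10, 5),
]

if __name__ == "__main__":
    for pin in (False, True):
        print("discoverability pinned to 10:" if pin else "as scored:")
        for name, score in rank(THREATS, pin):
            print(f"  {score:5.2f}  {name}")
```

With the recorded scores, the hard-to-find admin API issue ranks last; once discoverability is pinned at 10 it moves above the XSS finding, which shows how much the remediation order can depend on that single subjective score.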


The Microsoft DREAD threat model is adaptable to your needs. To properly employ a subjective risk analysis framework like the DREAD model, you will require substantial cybersecurity experience to verify that your cyber threat analysis is accurate.

Cloud Data Security with Satori

Satori, the DataSecOps platform, gives companies the ability to enforce security policies from a single location across all databases, data warehouses, and data lakes. Such security policies can include data masking, data localization, row-level security, and more.
