Threat Modeling VS Penetration Testing

Mar 16, 2023


The field of Information Security always conjures up images of hackers breaking into and exposing systems. While that image is not entirely wrong, there are many practices that prevent such attacks, or keep their impact to a minimum, and improve the security posture of an organization. Two of them are “Pen testing” and “Threat Modeling”. While the motive behind both is to reduce attacks and make systems more secure, they differ in their approach and in when they are done.

Let us look at pen testing and threat modeling, and their differences, in this post:

Before we delve into “pen testing” and “threat modeling,” let us first understand “vulnerability” and “threat”. A vulnerability is a weakness in a system: a design flaw, an implementation bug, or a misconfiguration. A threat is a potential event or actor that could exploit that vulnerability to cause harm. The threat does the exploiting; the vulnerability is what gets exploited.

Pen Testing

“Pen testing” or “penetration testing” is an authorized, simulated attack on a system and its defenses. Pen testers run the same kinds of attacks a real (black hat) adversary would, within an agreed scope and rules of engagement, to expose the vulnerabilities of the system.

Often, outside contractors are hired to do pen testing, since they start with little or no knowledge of the organization’s security measures (a “black-box” test; “grey-box” and “white-box” engagements give the tester partial or full knowledge of the system). These contractors are also known as “ethical hackers”. Within the agreed scope, pen testers will try every strategy available to them to break the system. Pen testing is normally done before a system goes into production, and repeated periodically or after significant changes.

A pen testing engagement usually has five phases:

  1. Planning and reconnaissance
  2. Scanning
  3. Gaining access
  4. Maintaining access
  5. Analysis and reporting (including, for web applications, tuning defenses such as the WAF based on what was found)

Once the vulnerabilities are discovered and a report is generated, system administrators and developers can harden the system and close those gaps before an attacker finds them. Note that a pen test shows the presence of the vulnerabilities it found, not the absence of others.

Here is a snapshot from a sample pen testing report


We can see the risk factor of the vulnerability (Medium in this case), the description of the vulnerability, and the recommended solution. Once the fixes are applied and retested, the system is expected to be more secure.

Threat Modeling

Having seen “pen testing” and its applicability, let us move on to “threat modeling”.

Threat modeling is the structured process of identifying threats to a system and the vulnerabilities they could exploit, and deciding how to mitigate them. The primary aim is to reduce the attack surface and improve security before code is written. Examples of threats include a denial-of-service (DoS) attack against a public endpoint, or an attacker exploiting an unpatched component; note that the unpatched system is the vulnerability, and the attacker exploiting it is the threat. Threat modeling is done to reduce these threats and their impact.

Threat modeling is mostly done during the design stage of the software development life cycle (SDLC), though it can be done at other stages too. It should be repeated whenever the system design changes, since business systems are constantly evolving. It is also worth repeating when:

  1. A new feature is released
  2. A security incident occurs
  3. There are infrastructure changes

Four questions (Adam Shostack’s four-question framework) help us organize threat modeling:

What are we working on?

We draw a diagram (typically a data-flow diagram) of the system: its components, data flows and trust boundaries.

What can go wrong?

We enumerate the threats against each element of the diagram.

What are we going to do about it?

We decide how to mitigate each threat: change the design, add a control, or consciously accept the risk.

Did we do a good job?

We validate that each mitigation is in place and effective, and revisit the model as the system changes.

Once the threat model is created, the most serious threats to the system design can be addressed before implementation. Several threat modeling methodologies are in use in the industry today, among them PASTA, DREAD, STRIDE, and VAST.
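To make the four questions concrete, here is an added example (not code from the original post) that treats a threat model as data: question 1 is a list of diagram elements, question 2 enumerates threats using the STRIDE-per-element mapping from Shostack’s book (external entities get S and R; processes get all six; data flows and data stores get T, I and D, with R added for stores that hold logs), question 3 records a mitigation per threat, and question 4 records whether each mitigation was validated. The system modelled (a browser user, a web app, an orders database and an audit-log store) is constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# STRIDE-per-element: the threat categories that apply to each kind of
# data-flow-diagram element (Shostack, "Threat Modeling: Designing for
# Security", ch. 3). Data stores that hold logs additionally get R.
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TID",
}
STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass
class Element:
    """One box, arrow or store on the diagram (question 1)."""
    name: str
    kind: str                  # key of STRIDE_PER_ELEMENT
    holds_logs: bool = False   # only meaningful for data stores


@dataclass
class Threat:
    """One row of the threat table (questions 2 to 4)."""
    element: str
    category: str              # one STRIDE letter
    mitigation: Optional[str] = None
    validated: bool = False

    def describe(self) -> str:
        return f"{self.element}: {STRIDE_NAMES[self.category]}"


def build_model() -> List[Element]:
    """Question 1: what are we working on? A constructed sample system
    (hypothetical): browser user -> web app -> orders database, plus an
    audit-log store written by the web app."""
    return [
        Element("user browser", "external_entity"),
        Element("web app", "process"),
        Element("orders db", "data_store"),
        Element("audit log", "data_store", holds_logs=True),
        Element("user browser -> web app (HTTPS)", "data_flow"),
        Element("web app -> orders db (SQL)", "data_flow"),
    ]


def enumerate_threats(elements: List[Element]) -> List[Threat]:
    """Question 2: what can go wrong? One Threat per applicable STRIDE letter."""
    threats: List[Threat] = []
    for e in elements:
        letters = STRIDE_PER_ELEMENT[e.kind]
        if e.kind == "data_store" and e.holds_logs:
            letters += "R"
        threats.extend(Threat(e.name, letter) for letter in letters)
    return threats


def apply_mitigations(threats: List[Threat],
                      mitigations: Dict[Tuple[str, str], str]) -> List[Threat]:
    """Question 3: what are we going to do about it? Record a mitigation per
    (element, STRIDE letter). A key the model never enumerated is an error,
    so a typo cannot silently 'mitigate' a threat that does not exist."""
    index = {(t.element, t.category): t for t in threats}
    for key, text in mitigations.items():
        if key not in index:
            raise ValueError(f"no such threat in model: {key}")
        index[key].mitigation = text
    return threats


def mark_validated(threats: List[Threat],
                   results: Dict[Tuple[str, str], bool]) -> List[Threat]:
    """Question 4: did we do a good job? Record whether each mitigation was
    confirmed (by review, a test, or a pen test that failed to bypass it)."""
    for t in threats:
        key = (t.element, t.category)
        if key in results:
            t.validated = results[key]
    return threats


def open_items(threats: List[Threat]) -> List[str]:
    """What still needs work: threats with no mitigation, or with a mitigation
    nobody has validated yet."""
    items = []
    for t in threats:
        if t.mitigation is None:
            items.append(t.describe() + " [unmitigated]")
        elif not t.validated:
            items.append(t.describe() + " [unvalidated]")
    return items


if __name__ == "__main__":
    threats = enumerate_threats(build_model())
    apply_mitigations(threats, {
        ("web app", "S"): "authenticated sessions; MFA for admin accounts",
        ("user browser -> web app (HTTPS)", "I"): "TLS 1.2+ only, HSTS",
    })
    mark_validated(threats, {("web app", "S"): True})
    for line in open_items(threats):
        print(line)
```

Running the script lists every threat that is still unmitigated or whose mitigation has not been validated; in a real project that list is the backlog the design review (and, later, the pen test) works through. Keeping the model as data also makes it cheap to re-run after the design changes, which is exactly when the post says the model should be revisited.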

Also, read our guide to the different threat modeling methodologies to understand them comprehensively.

Having seen what is meant by pen testing and threat modeling, let us look at their key differences:

  1. Threat modeling is mostly done during the design phase of the SDLC; pen testing is ideally done before the system goes into production, and periodically afterwards.
  2. Threat modeling finds design flaws, before any code exists; pen testing finds implementation and configuration bugs in the built system.
  3. Threat modeling results in design changes and planned security controls, while pen testing results in bug fixes and hardening of a running system.


In spite of their differences, threat modeling and pen testing complement each other: the threat model tells the pen tester where to look, and the pen test findings validate (or disprove) the mitigations the threat model assumed.

We have seen the concepts of pen testing and threat modeling in this post along with their key differences. Join us as we uncover more in the DevSecOps space!

To learn more about our threat modeling course, visit the Certified Threat Modeling Professional (CTMP) course page today!



