Score threats using the STRIDE model. Rate Spoofing, Tampering, Repudiation, Info Disclosure, DoS, and Elevation for aggregate risk.
STRIDE is Microsoft's threat modeling methodology that categorizes threats into six types: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Each category maps to a specific security property violation and helps teams systematically identify threats in system designs.
This calculator lets you score each STRIDE category on a 1–5 scale based on your assessment of the threat level for a specific system or component. It produces per-category scores, an aggregate risk score, and an overall threat level. Use it during design reviews, security architecture assessments, and threat modeling workshops to quantify and prioritize identified threats.
STRIDE provides comprehensive coverage of threat types, but without scoring, all identified threats appear equal. This calculator adds quantitative scoring to STRIDE analysis so teams can prioritize which threats to address first by severity instead of treating every threat the same.
Per-category score: 1–5. Aggregate = average of all 6 categories. Max possible = 5.0. Low: ≤2.0, Medium: ≤3.0, High: ≤4.0, Critical: >4.0.
Result: Aggregate: 3.5 — High
The system has the highest threat from Information Disclosure (5) and significant risks from Spoofing (4) and Elevation of Privilege (4). The aggregate score of 3.5 (High) indicates the system needs focused security attention, particularly on data protection and authentication controls.
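The scoring rule above, as an added example that is not the calculator's own code: it validates the six per-category scores, averages them, maps the aggregate onto the page's Low/Medium/High/Critical bands, and ranks categories by severity. The sample scores are constructed to reproduce the worked result (Information Disclosure 5, Spoofing 4, Elevation 4 are from the page; the other three values are assumed).

```python
from statistics import mean

# STRIDE categories with the security property each one violates (the page's mapping).
STRIDE = {
    "Spoofing": "Authentication",
    "Tampering": "Integrity",
    "Repudiation": "Non-repudiation",
    "Information Disclosure": "Confidentiality",
    "Denial of Service": "Availability",
    "Elevation of Privilege": "Authorization",
}

# Threat-level bands from the page: Low <=2.0, Medium <=3.0, High <=4.0, Critical >4.0.
BANDS = [(2.0, "Low"), (3.0, "Medium"), (4.0, "High")]

def threat_level(aggregate: float) -> str:
    for upper, label in BANDS:
        if aggregate <= upper:
            return label
    return "Critical"

def score_stride(scores: dict) -> dict:
    """Check that all six categories carry an integer 1-5, compute the aggregate
    (mean of all six) and return the band plus the categories ranked by score."""
    missing = set(STRIDE) - set(scores)
    if missing:
        raise ValueError(f"missing STRIDE categories: {sorted(missing)}")
    for cat, s in scores.items():
        if cat not in STRIDE:
            raise ValueError(f"unknown category: {cat}")
        if not isinstance(s, int) or not 1 <= s <= 5:
            raise ValueError(f"{cat}: score must be an integer 1-5, got {s!r}")
    aggregate = round(mean(scores[c] for c in STRIDE), 2)
    # Highest score first; ties keep the page's STRIDE order.
    ranked = sorted(STRIDE, key=lambda c: (-scores[c], list(STRIDE).index(c)))
    return {
        "aggregate": aggregate,
        "level": threat_level(aggregate),
        "ranked": [(c, scores[c], STRIDE[c]) for c in ranked],
    }

# Constructed sample reproducing the page's worked result (3.5, High).
# Tampering, Repudiation and DoS values are assumed; the page does not give them.
SAMPLE = {
    "Spoofing": 4, "Tampering": 3, "Repudiation": 3,
    "Information Disclosure": 5, "Denial of Service": 2, "Elevation of Privilege": 4,
}

if __name__ == "__main__":
    r = score_stride(SAMPLE)
    print(f"Aggregate: {r['aggregate']} - {r['level']}")
    for cat, s, prop in r["ranked"]:
        print(f"  {cat:<24} {s}  (violates {prop})")
```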
Developed by Microsoft, STRIDE provides a systematic way to think about threats by categorizing them into six types. Each category corresponds to a violated security property: Authentication, Integrity, Non-repudiation, Confidentiality, Availability, and Authorization.
Rate each category based on: exploitability (how easy is it), impact (how bad if exploited), existing controls (what mitigations are in place), and likelihood (how probable given your threat landscape). A score of 5 means critical risk with inadequate controls.
Threat modeling is most valuable when integrated into the development lifecycle. Include it in design reviews, update scores after each sprint, and track aggregate scores as a security KPI. Automated tools can help maintain threat models as systems evolve.
Web applications typically carry the highest risk in Spoofing and Information Disclosure. APIs face Tampering and Elevation of Privilege risks. Microservice architectures face amplified DoS risk across service dependencies. Knowing these patterns helps focus the assessment.
Spoofing: identity falsification. Tampering: data modification. Repudiation: denying actions. Information Disclosure: data exposure. Denial of Service: availability disruption. Elevation of Privilege: unauthorized access escalation. Each maps to a core security property.
Ideally during the design phase, before implementation. Also perform it when major architectural changes occur, when new data flows are added, during security reviews, and when integrating with external systems. The earlier a threat is modeled, the cheaper it is to act on.
STRIDE is threat-centric (focused on attacker actions). PASTA is risk-centric (focused on business impact). VAST is process-centric (integrated into DevOps). Attack trees are detailed technical maps. STRIDE is the most widely adopted due to its simplicity and completeness.
Spoofing → Authentication. Tampering → Integrity controls (hashing, signing). Repudiation → Logging and auditing. Information Disclosure → Encryption and access control. DoS → Rate limiting and redundancy. Elevation → Authorization and least privilege.
Prioritize components that handle sensitive data, authentication, or external input. Trust boundaries (where data crosses privilege levels) are the most critical points. For large systems, focus on the top-risk data flows rather than exhaustively analyzing every component.
Focus on aggregate scores, highest-risk categories, concrete business impact, and recommended mitigations with cost estimates. The visual score breakdown from this calculator helps non-technical stakeholders understand the threat landscape quickly.