Quick Start 8 min read

Run Your First Threat Model

Once you've defined your architecture, Product Security Hub automatically generates a threat model based on your components and data flows. This guide walks you through reviewing, assessing, and managing those threats to build a comprehensive security picture of your product.

Review auto-generated threats
Understand STRIDE categories
Assess and disposition threats

Before You Begin

🔑 Key Concept: Threats from the Catalog

Product Security Hub doesn't generate threats from scratch—it matches your architecture against our curated catalog of 300+ threats organized by STRIDE categories. Each threat is pre-mapped to CWEs and pre-scored with both CVSS 3.1 and CVSS 4.0. Your job is to assess which threats apply to your specific product context.

Step 1: Navigate to Your Threat Model

From your product page, click on the Threats tab in the navigation. You'll see the user instruction banner: "Review and update applicability of each threat, based on the design. Be sure to review the entire list!"

Each threat is associated with specific components from your architecture. If you haven't added components yet, you won't see any threats—add components first.

💡 Threat Count

The number of threats depends on the complexity of your architecture. A simple device might have 20-30 threats; a complex connected system could have 100+. Don't be overwhelmed—Product Security Hub helps you prioritize.

Step 2: Add Custom Threats

While Product Security Hub auto-generates threats from your components, you can also add custom threats specific to your product. Click the + Add a New Threat button to open the Add New Threat modal.

In the Add New Threat modal:

  • Threat — Enter a description of the threat
  • Component — Select which component this threat affects
  • Potential Risk Impact — Choose the risk impact level
  • Requirement — Optionally link a security requirement

For bulk imports, you can use our Excel templates:

Download Blank Template

Start fresh with an empty template to add multiple custom threats at once.

Download Pre-Populated Template

Get a template pre-filled with your existing threats to review or extend.

After editing your Excel file, click + Import Threats/Requirements From a File to upload it. You'll see a review screen to verify and save your changes.

Step 3: Update Threats in Bulk

Need to update multiple threats at once? Click + Update Threats to download a pre-populated Excel template containing all your current threats.

Bulk update workflow:

  1. Click + Update Threats to download the pre-populated template
  2. Edit the threats offline in Excel (update applicability, scores, justifications)
  3. Re-import the updated file back into Product Security Hub
  4. Review the changes on the review screen
  5. Click Save to apply your updates

💡 Great for team reviews

Export threats to Excel for offline review sessions with your security team, then import everyone's input back in one go.

Step 4: Customize Your View

Click the Settings icon to open the column configuration modal. You can show or hide columns to focus on the information most relevant to your workflow.

Available columns:

Threat
Threat ID
Component
Applicable
Potential Risk Impact
CVSS Pre-Mitigation Score
AV, AC, PR, UI, S, C, I, A
PM Scoring Justification
CVSS4 Pre-Mitigation Score

💡 CVSS Vector Components

The individual CVSS columns (AV, AC, PR, UI, S, C, I, A) let you see the full CVSS vector breakdown: Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, and Availability impacts.
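To confirm that a recorded CVSS 3.1 pre-mitigation score still agrees with its vector columns after offline edits, the added example below (not Product Security Hub code) recomputes the base score with the published CVSS v3.1 equations. It assumes exported rows use the column names listed above and single-letter metric values (N, L, H, and so on); the sample rows are constructed.

```python
import math

# CVSS v3.1 base metric weights from the FIRST specification.
W = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "UI": {"N": 0.85, "R": 0.62},
    "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
}
PR_U = {"N": 0.85, "L": 0.62, "H": 0.27}  # Privileges Required, Scope Unchanged
PR_C = {"N": 0.85, "L": 0.68, "H": 0.5}   # Privileges Required, Scope Changed

def roundup(x):
    """Spec-defined Roundup: smallest one-decimal value >= x, float-safe."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def base_score(row):
    """CVSS 3.1 base score from the per-metric columns of one threat row."""
    changed = row["S"] == "C"
    iss = 1 - math.prod(1 - W["CIA"][row[m]] for m in ("C", "I", "A"))
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    if impact <= 0:
        return 0.0
    pr = (PR_C if changed else PR_U)[row["PR"]]
    expl = 8.22 * W["AV"][row["AV"]] * W["AC"][row["AC"]] * pr * W["UI"][row["UI"]]
    total = 1.08 * (impact + expl) if changed else impact + expl
    return roundup(min(total, 10))

def mismatched(rows):
    """Threat IDs whose recorded score disagrees with their vector columns."""
    return [r["Threat ID"] for r in rows
            if float(r["CVSS Pre-Mitigation Score"]) != base_score(r)]

# Constructed sample rows (assumed export layout, not real data). T-3 had PR
# changed to L without rescoring, so its recorded 9.8 no longer matches.
COLS = ("Threat ID", "AV", "AC", "PR", "UI", "S", "C", "I", "A",
        "CVSS Pre-Mitigation Score")
ROWS = [dict(zip(COLS, v)) for v in [
    ("T-1", "N", "L", "N", "N", "U", "H", "H", "H", "9.8"),
    ("T-2", "N", "L", "N", "R", "C", "L", "L", "N", "6.1"),
    ("T-3", "N", "L", "L", "N", "U", "H", "H", "H", "9.8"),
]]

if __name__ == "__main__":
    print(mismatched(ROWS))
```

Rows returned by `mismatched` are the ones to rescore or correct before the file is re-imported.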

Step 5: Understand STRIDE Categories

Product Security Hub organizes threats using the industry-standard STRIDE methodology. Each threat falls into one of these categories:

Spoofing (S)

Pretending to be someone or something else. Example: An attacker impersonating a legitimate user or device.

Tampering (T)

Modifying data or code without authorization. Example: Altering firmware or configuration files.

Repudiation (R)

Denying an action occurred. Example: A user claiming they didn't perform a configuration change.

Information Disclosure (I)

Exposing data to unauthorized parties. Example: Leaking patient data through an insecure API.

Denial of Service (D)

Making a system unavailable. Example: Flooding a device with requests to prevent normal operation.

Elevation of Privilege (E)

Gaining unauthorized access levels. Example: A standard user gaining admin privileges.

You can filter threats by STRIDE category to focus on specific types of security concerns.

Step 6: Review Individual Threats

Click on any threat row to open the Threat Detail Page. This page gives you full control over each threat's scoring, status, and documentation.

Threat Detail Page Sections:

Fields are marked as either Editable or Read-only.

  • Header: ID; Select Component; Is Applicable; Select Risk Impact; Risk
  • Threat Information: Threat; Expanded Threat; Unique ID; Threat Addendum; Risk Impact Addendum
  • PM CVSS 3.1: Score; AV, AC, PR, UI, S, C, I, A; Scoring Justification
  • PM CVSS 4.0: Score; All CVSS 4.0 vectors; Scoring Justification
  • References: Requirements (links); Req Met / Not Met / N/A; Vulnerabilities; Residual Risks / Scores; Patches; Select Status; Threat Notes
  • CWE & Mitigations: CWE Mapping; CWE Mapping Addendum; CWE; CWE Addendum; Chained Attack; Chained Attack Addendum; Design Feature Mitigation

💡 CWE Traceability

Each threat links to specific CWE entries, giving you industry-standard references for documentation, audits, and regulatory submissions.

Step 7: Set Threat Status

For each threat, set a Status to track your mitigation progress. Use the Status dropdown on each threat row:

⏳ WIP

Work in progress—you're actively addressing this threat.

✓ Eliminated

The threat has been completely eliminated from your product.

✓ Mitigated

Controls are in place that fully address this threat.

◐ Partially Mitigated

Some controls exist but the threat isn't fully addressed.

✗ Unmitigated

No controls are currently in place for this threat.

— N/A

The threat doesn't apply to your specific product context.

Update the status as you implement mitigations. This helps track your security posture over time.

Step 8: Document CVSS Scoring Justification

Each threat has PM Scoring Justification fields for both CVSS 3.1 and CVSS 4.0. This is where you document why you scored the pre-mitigation CVSS the way you did.

AI-Assisted Justification

Click the Generate button to have AI draft a scoring justification. The AI pulls in context from:

  • The threat description and component
  • Potential risk impact category
  • Current CVSS score and vector
  • Product metadata (profile, name, version, classification, description, cybersecurity details)

💡 FDA Expectation

The FDA expects justification for your CVSS scoring decisions. Use this field to document your reasoning for auditors and reviewers.

Step 9: Track Linked Requirements & Risks

As you work through your requirements, the Threats page becomes a live dashboard showing the status of linked items:

Columns automatically populated:

Req Met — Requirements satisfied
Req Not Met — Requirements not yet met
Req N/A — Requirements marked N/A
Vuln ID — Linked vulnerabilities
CRA ID — Residual risks
Patch ID — Associated patches

This gives you full traceability from threat → requirements → residual risks → vulnerabilities → patches, all in one view.

Step 10: Print Threats to PDF

Need to share or archive your threat model? Click the Print icon (🖨️) in the toolbar to open Print Settings.

Print Settings options:

  • Column selection — Check/uncheck which columns to include (Threat ID, Component, Threat, Applicable, Potential Risk Impact, CWE, Requirement IDs, Patch ID, Status, etc.)
  • Column ordering — Drag and drop columns to change the order they appear
  • Save & Print — Generates a printer-friendly page you can save as PDF

💡 Tip: Audit-ready exports

Customize your print output to match what auditors or regulators need to see. Include CWE mappings for technical reviews or focus on status and requirements for management summaries.

How Threats Link to Requirements

One of Product Security Hub's most powerful features is the automatic linkage between threats and requirements:

Threat → Requirement → Framework

When you mitigate a threat, Product Security Hub shows which security requirements address that threat, and which frameworks (NIST, ISO, FDA) those requirements satisfy. This creates full traceability from threat to control to compliance.

Best Practices

Start with high-risk areas

Focus first on threats affecting patient data, external interfaces, and authentication systems.

Document your reasoning

Every assessment should include notes explaining why you made that decision. Future auditors will thank you.

Review with your team

Threat assessment benefits from multiple perspectives. Include developers, architects, and security experts.

Keep it current

When your architecture changes, review the threat model. New components may introduce new threats.

What's Next?

Now that you've started your threat model, continue building your security posture:

  1. Manage Security Requirements
     Define security requirements that address your identified threats

  2. Learn CVSS Scoring
     Score your threats with CVSS 3.1 and 4.0

  3. Import Your SBOM
     Add software components for vulnerability scanning
