Threat Catalog
Product Security Hub includes a comprehensive, pre-built catalog of hundreds of threats designed specifically for connected products. Every threat is organized by STRIDE category, traced to relevant CWEs, linked to recommended security requirements, and pre-scored with both CVSS v3.1 and CVSS v4.
What's in the Threat Catalog?
STRIDE Organization
Every threat is categorized by STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.
CWE Traceability
Threats are traced to Common Weakness Enumerations (CWEs), connecting your threat model to the industry-standard weakness taxonomy.
Linked Requirements
Each threat links to recommended security requirements that help eliminate or mitigate the risk, creating complete traceability.
Pre-Scored CVSS
Every threat includes baseline CVSS v3.1 and v4 base scores, giving you a starting point for risk assessment that you can adjust for your deployment context (for example, through the CVSS environmental metrics when a product's exposure differs from the catalog's assumptions).
Organized by STRIDE
The threat catalog covers all six STRIDE categories, ensuring comprehensive coverage of potential attack vectors.
Spoofing
Threats where an attacker pretends to be someone or something else, bypassing authentication mechanisms.
Tampering
Threats involving unauthorized modification of data, code, or configuration—whether at rest, in transit, or in memory.
Repudiation
Threats where actions cannot be traced back to the actor, undermining accountability and audit trails.
Information Disclosure
Threats involving exposure of sensitive information to unauthorized parties through various attack vectors.
Denial of Service
Threats that disrupt availability by exhausting resources, crashing systems, or blocking legitimate access.
Elevation of Privilege
Threats where attackers gain higher-level permissions than intended, enabling unauthorized actions.
Example Threats
Here are a few examples from the catalog to illustrate the depth and structure of each threat entry.
Authentication Bypass via Default Credentials
CVSS 9.8
An attacker gains unauthorized access by using factory-default usernames and passwords that were never changed during deployment.
CWE Mapping
CWE-798: Use of Hard-coded Credentials
Linked Requirement
Unique credential generation per device instance
CVSS Scores
v3.1: 9.8 Critical | v4: 9.3 Critical
Firmware Modification via Unsigned Updates
CVSS 8.1
An attacker installs malicious firmware because the update mechanism does not verify cryptographic signatures before applying updates.
CWE Mapping
CWE-494: Download of Code Without Integrity Check
Linked Requirement
Cryptographic signature verification for all firmware updates
CVSS Scores
v3.1: 8.1 High | v4: 8.2 High
Sensitive Data Exposure via Unencrypted Storage
CVSS 6.5
An attacker with physical or logical access extracts sensitive data (credentials, PII, PHI) stored in plaintext on the device or in logs.
CWE Mapping
CWE-312: Cleartext Storage of Sensitive Information
Linked Requirement
Encryption of sensitive data at rest using approved algorithms
CVSS Scores
v3.1: 6.5 Medium | v4: 6.8 Medium
The full catalog includes hundreds of threats across all STRIDE categories, each with complete CWE mappings, linked requirements, and CVSS scores.
Why a Pre-Built Threat Catalog?
Building a comprehensive threat catalog from scratch takes months of security expertise. Product Security Hub's curated catalog gives you a proven starting point based on real-world product security assessments.
- Skip the blank page. Start with hundreds of relevant threats instead of building from zero.
- Built-in traceability. Every threat already links to CWEs and requirements—no manual mapping needed.
- Consistent scoring. Pre-scored CVSS gives you a baseline that ensures consistency across your portfolio.
- Auditor-ready. Demonstrate comprehensive threat coverage with industry-standard categorization.
Ready to explore the full catalog?
Get access to all 300+ threats with complete traceability when you start using Product Security Hub.