Caesar Chan · 4 min read

The 5 Steps of Threat Modeling in a Startup


From STRIDE-LM to ISACA’s 5 Steps: Leveling Up Threat Modeling in a Startup

For the past few years, we relied on STRIDE-LM to perform ad hoc threat modeling across our product stack. It served us well in identifying technical threats and structuring security reviews. But over time, we found a recurring gap: our process rarely addressed business context or risk appetite. Threat lists were comprehensive, but often disconnected from what really mattered to the business, such as customer trust, operational resilience, and regulatory exposure. We knew it was time to raise the bar.

Why ISACA’s 5 Steps Work Surprisingly Well (Even for a 2-Person Team)

When we discovered ISACA's whitepaper Threat Modeling Revisited, our initial skepticism was quickly dispelled. At first glance, the approach looked “enterprisey”. However, as we dug deeper, we realized it’s actually lean and adaptable for small teams.

Here’s how we put it to work and what each step delivered:

1️⃣ Identify Business Objectives and Define Scope

Instead of modeling whatever components happen to come our way, we prioritize business outcomes (regulatory compliance, uptime, customer privacy).

  • Outcome: A shared understanding of what’s most critical to protect, aligning engineering and security on what matters.
  • How security fits in: Security joins the weekly agile business refinement meeting. During the meeting, we assess whether there are any new or changed business objectives, or features, that might impact security.
    • If no new security concerns arise, we consider it case closed. This keeps workload efficient and avoids unnecessary meetings.
    • If yes, we proceed to step 2.

2️⃣ Map the Business Ecosystem

We sketched diagrams of data flows, trust boundaries, and external integrations, flagging vendor dependencies and sensitive data handling.

  • Outcome: Visual clarity over where threats lie, plus a direct way to spot weak points and key integrations.
  • How security fits in: Sketch simple diagrams in Draw.io, just enough to support risk discussions.

3️⃣ Identify and Prioritize Threats

We still applied STRIDE-LM to technical assets, but for each we now asked: How does this impact business objectives? We focused on threats with real business consequences (regulatory fines, cash losses, brand damage).

  • Outcome: A ranked list of threats mapped directly to business objectives.
  • How security fits in: Brainstorm and rank threats for what’s in active development, simply using an Excel sheet on SharePoint.

4️⃣ Develop Mitigation Strategies

Mitigations were scoped to what was actually actionable and tracked in Jira. If a threat couldn’t be resolved in the same sprint, we would document it as a risk and request follow-up.

  • Outcome: Action items with owners, and a clear backlog of residual risks.
  • How security fits in: Document mitigations in the sprint documentation. Create new risk scenarios for anything not mitigated within the sprint.

5️⃣ Review, Validate, Iterate

Instead of a dedicated formal review, we blended in threat model reviews as part of our quarterly "security retros". We would adjust risk posture and update our mitigation backlog.

  • Outcome: Continuous improvement and stakeholder communication, keeping the risk register alive and always relevant.
  • How security fits in: Use quarterly retros as check-ins, keeping sessions under an hour.

Threat Modeling 5 Steps

Consolidating Outcomes with Our Risk Register

A key benefit of ISACA’s approach is that every prioritized threat and mitigation fed directly into our Risk Register. Identified threats with business consequences became new entries, each assigned a risk owner, mitigation plan, and review date. This made our register a living document. It's no longer just a compliance checkbox, but an active tool for tracking security outcomes in line with the company’s risk appetite.
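As an added illustration of steps 3 and 4 and the risk register hand-off (example code written for this post, not a tool the team describes using), the snippet below ranks STRIDE-LM threats by their mapped business consequence and turns whatever was not closed in the sprint into register entries with an owner, plan and review date. The objective weights, the 1..3 scales and the sample threats are assumptions, not figures from the post.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# STRIDE-LM categories; "LM" is the Lateral Movement extension to STRIDE.
STRIDE_LM = {"Spoofing", "Tampering", "Repudiation", "Information disclosure",
             "Denial of service", "Elevation of privilege", "Lateral movement"}
# Business objectives from step 1 with assumed weights (3 = most critical to the business).
OBJECTIVE_WEIGHT = {"regulatory compliance": 3, "customer privacy": 3, "uptime": 2}

@dataclass
class Threat:
    asset: str
    category: str          # STRIDE-LM category of the technical threat
    impacts: dict          # business objective -> severity 1..3 (assumed scale)
    likelihood: int        # 1..3 (assumed scale)
    owner: str = "unassigned"
    mitigated_in_sprint: bool = False

    def __post_init__(self):
        # Reject threats with no valid mapping to a category or business objective.
        if self.category not in STRIDE_LM:
            raise ValueError(f"unknown STRIDE-LM category: {self.category}")
        bad = [o for o, s in self.impacts.items() if o not in OBJECTIVE_WEIGHT or not 1 <= s <= 3]
        if bad or not self.impacts or not 1 <= self.likelihood <= 3:
            raise ValueError(f"threat on {self.asset} has no valid business mapping")

    def business_score(self) -> int:
        # Step 3: rank by business consequence, not by technical severity alone.
        return self.likelihood * sum(OBJECTIVE_WEIGHT[o] * s for o, s in self.impacts.items())

def rank_threats(threats):
    return sorted(threats, key=lambda t: t.business_score(), reverse=True)

def residual_risk_entries(threats, today_iso, review_days=90):
    # Steps 4 and 5: anything not closed in the sprint becomes a register entry
    # with an owner, a mitigation plan placeholder and a review date for the next retro.
    review = (date.fromisoformat(today_iso) + timedelta(days=review_days)).isoformat()
    return [{"asset": t.asset, "category": t.category, "score": t.business_score(),
             "objectives": sorted(t.impacts), "owner": t.owner,
             "mitigation_plan": "backlog item to be scheduled", "review_date": review}
            for t in rank_threats(threats) if not t.mitigated_in_sprint]

# Constructed sample threats for one sprint (not real findings).
SAMPLE_THREATS = [
    Threat("payment webhook", "Spoofing", {"regulatory compliance": 1, "uptime": 1},
           likelihood=3, mitigated_in_sprint=True),
    Threat("customer API", "Information disclosure",
           {"customer privacy": 3, "regulatory compliance": 2}, likelihood=2, owner="backend lead"),
    Threat("ingest queue", "Denial of service", {"uptime": 3}, likelihood=2),
]
```

Calling residual_risk_entries(SAMPLE_THREATS, "2025-01-01") yields two entries (the mitigated webhook threat is dropped), ordered by business score with a 2025-04-01 review date.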

Lessons Learnt

  • STRIDE-LM gave us a solid technical footing, but ISACA’s 5 steps brought context and business alignment.
  • The framework is manageable even for a two-person security team, if you stay focused, build on what’s already working, and ruthlessly prioritize.
  • Threat modeling outputs are naturally actionable as risk register updates, making executive consensus and compliance reporting much easier.
  • You can move fast and still be strategic about security, if you align with business outcomes.
  • Lean teams benefit most from clarity and focus, not exhaustive lists.
  • Continuous improvement, not one-off exercises, delivers real value.