This lesson explains how attack trees and Data Flow Diagrams (DFDs) work together for practical threat modeling. It covers definitions, how to build attack trees and DFDs, mapping between them (using STRIDE), AI-assisted drafting, incident response integration, reporting, and practical checklists.
Attack Trees and Data Flow Diagrams — The Dramatic Duo of Threat Modeling Ever watched a heist movie and thought, "If only the security team had sketched the plan like this"? Attack trees are the film's storyboard for the villains. Data Flow Diagrams (DFDs) are the building's blu...
Why both? Quick answer Attack Trees : show the ways an attacker can reach a goal (the "how"). DFDs : show the where data travels and where controls/boundaries exist (the "where"). Combine them and you get: "Which attack paths traverse high-value data flows and cross we...
Attack Trees — the anatomy of 'How to Break In' What it is : A hierarchical diagram where the root node is an attacker’s goal and branches represent alternative or combined sub-goals (AND/OR logic). When to use : When you want exhaustive (or deliberately creative) enumerations of how a s...
Data Flow Diagrams (DFDs) — the system's gossip map What it is : A diagram of external entities , processes , data stores , data flows , and trust boundaries . For IoT/OT, add physical devices, field networks, cloud AI services, and human operators. Why DFDs matter : STRIDE threats are eleme...
Mapping Attack Trees to DFDs — marry the story to the map For each leaf node in the attack tree, tag which DFD element it touches (flow F2? store D1? boundary between gateway and cloud?). Use STRIDE to color the DFD: Spoofing (E), Tampering (D), Repudiation (P), Info Disclosure (I), DoS (S), Ele...
AI's role — helpers and hazards Use AI to : Auto-generate initial DFDs from code repositories and network inventories. Produce candidate attack-tree leaves from known exploit patterns (CVE-to-attack-step suggestions). Rank and cluster similar attack nodes to reduce redundancy. Draft in...
From model to incident response and reporting Link attack-tree leaves to detection points: which IDS/telemetry signatures would show the attacker's actions? If none, that's a sensor gap. For each high-risk path, create a one-line IR playbook: detect -> contain -> eradicate -> re...
Closing — quick takeaways Attack trees tell you the paths ; DFDs tell you the terrain . You need both to prioritize risk and harden responses. Use AI as an assistant: it speeds drafting and ranking but can’t replace domain expertise or accurate inventories (DFD + SBOM). Always map model output...
10 study modes available based on your content