Help and understanding
Owned by the PMO. Answered by the SMEs. Reviewed by GRC. Reported to the board, if needed.
How you answer
Every item across every phase uses the same response model. There are no free-text fields to fill in first — you respond to each item, then add supporting detail if needed.
Yes: This exists, applies, or is in place. It appears in the Threat Model Receipt as a confirmed claim and may need evidence linked later to substantiate it. "Yes" is a positive declaration: you are saying this is true.
No: This does not exist. A declaration of absence: there is no risk to accept and no accountability needed, because you are mapping reality. Items left unanswered at the end default to "No", with a prompt to confirm before committing.
Don't know: You are not sure whether this exists or applies. This is the most important response, because it surfaces what you don't know. Three options appear:
Find out: Set a deadline date. A calendar file downloads with weekly reminders until that date. The item stays open until you come back and change the response.
Delegate: Send the question to someone who would know, a subject matter expert. You provide their name, email, a reason for the delegation, and optional context. They receive an email with a scoped link giving access to just that question. Use this when the answer lives in someone else's head.
Accept the gap: Acknowledge that you don't know and record that acceptance. This is not ignoring it; it documents that the gap exists and who chose to leave it open. It surfaces in the Residual Register with its gravitational impact on connected claims. Not available in Phase 0, because data declarations are foundational and cannot have gaps.
Skip: Not relevant right now. Explicitly recorded, which is not the same as unanswered. Skipped items surface in the Residual Register for later discussion. Not available in Phase 0.
Phase 0: Start with the data. Always.
Before you think about firewalls, IAM policies, or SOC coverage, you need to know what you're protecting. Phase 0 asks: what data types does this system handle? What legal obligations apply? What exceptions have already been accepted?
Every data type marked "yes" gets a named risk owner — a person accountable for the security of that data. This isn't optional. If you can't name the person, you can't claim the data is protected.
Why this matters: If you can't see the information journey, you can't protect it properly. Phase 0 is the lens everything else is viewed through. Skip it and every subsequent answer is ungrounded.
Phase 1: Follow the data through seven stages.
Collect, Transmit, Process, Store, Share, Retain, Dispose. At each stage, sub-prompts ask whether specific controls and considerations exist. A supporting text field captures the rationale. Confidence is scored per question.
This is information security and privacy — the journey the data takes through your system. It maps to GDPR processing principles, NCSC CAF contributing outcomes, and the Threat Modeling Manifesto's values.
Why this matters: Cyber security exists to make sure the controls that information security's requirements and obligations demand are actually in place. Following the data, and visualising it, is the best way to understand the conditions the data is exposed to and whether those are in line with the security we are responsible for.
Phase 2: What infrastructure and controls protect the data.
Nine areas: Components, Processing, Geography, Access, Build, Suppliers, Identity and Access, Logging and Visibility, Permission Models. Each has specific items you confirm or deny.
For a component assessment, only the areas relevant to that component type are shown. An API doesn't need physical geography questions. A database doesn't need supplier assessments.
Why this matters: This is where most threat models start — and that's the problem. Starting here without Phase 0 and 1 means your controls aren't anchored to the data they're supposed to protect.
Phase 3: Who keeps it protected, day after day.
SOC, DFIR, Vulnerability Management, Patch Management, Change Management, Access Reviews, Monitoring and Alerting, BCP/DR. Eight areas covering the operational reality.
Without this phase, Phase 2 is a point-in-time snapshot that decays from the moment it's signed off. Phase 3 asks: who's watching, who responds, who patches, who reviews?
Why this matters: Most breaches don't happen because controls were never implemented. They happen because controls degraded, patches slipped, access drifted, and nobody was watching.
What we found, what's missing, what to do about it.
Threat Model Receipt
The factual record. Every answer, every respondent, every timestamp. No opinion. An auditor reads this and sees attributed facts. Exportable as JSON, CSV, or print.
Residual Register
Every gap, skip, and unconfirmed area with its gravitational impact. Framework cross-references (CAF, GDPR, NIS). Accountability matrix. Recommended actions. The board document.
Delegation and the "Don't know" decision tree
Any question can be delegated. The recipient gets an email with a scoped link — access to just that question, nothing else. Tracked, timestamped, with weekly calendar reminders until the deadline.
Find out
Set a deadline. Downloads a calendar file with weekly reminders. The item stays open until answered.
Delegate
Name, email, reason, context. They get a scoped email. Falls back if the deadline passes without a response.
Accept the gap
Acknowledged ignorance. Recorded with who accepted and when. Surfaces in the residual register. Not available in Phase 0.
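One way to build the scoped, revocable delegation link described above, added here as an illustration; it is not the product's own code. It assumes the link carries an HMAC-signed token binding a random per-link id, the question id, the recipient and the deadline, with revocation held as a server-side set and every issue recorded for the accountability trail. The URL shape, claim names, signing scheme and the constructed question id "P2-IAM-03" are all assumptions.

```python
# Added illustration of a scoped, revocable delegation link. This is not the
# product's own code; the token format, claim names and URL are assumptions.
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlparse


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class DelegationLinks:
    """Issues links that open exactly one question, and revokes them from the dashboard."""

    def __init__(self, signing_key, clock=time.time):
        self.key = signing_key   # per-deployment secret (assumed); never sent to the recipient
        self.clock = clock       # injectable so expiry can be exercised in tests
        self.revoked = set()     # per-link ids revoked from the dashboard
        self.audit = []          # who delegated what, to whom, why, and when

    def delegate(self, question_id, recipient, reason, delegated_by, ttl_days):
        """Return a link that grants `recipient` access to `question_id` until the deadline."""
        issued_at = int(self.clock())
        claims = {
            "tid": secrets.token_hex(8),          # random id, so revocation is per link
            "q": question_id,                     # the single question this link opens
            "to": recipient.lower(),              # the answer is attributed to this person
            "exp": issued_at + ttl_days * 86400,  # the deadline; the link dies with it
        }
        body = b64url(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
        sig = b64url(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        self.audit.append({"by": delegated_by, "reason": reason, "at": issued_at, **claims})
        return "https://example.invalid/answer?t=" + body + "." + sig   # hypothetical URL

    def revoke(self, tid):
        """Dashboard action: the link for this delegation stops working immediately."""
        self.revoked.add(tid)

    def authorise(self, link, question_id):
        """Return the claims if `link` opens `question_id`; raise PermissionError otherwise."""
        token = parse_qs(urlparse(link).query).get("t", [""])[0]
        body, _, sig = token.partition(".")
        if not body or not sig:
            raise PermissionError("malformed token")
        # Check the MAC before trusting anything inside the body.
        try:
            presented = unb64url(sig)
        except (binascii.Error, ValueError):
            raise PermissionError("malformed signature")
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(presented, expected):
            raise PermissionError("bad signature")
        claims = json.loads(unb64url(body))
        if claims["tid"] in self.revoked:
            raise PermissionError("link revoked")
        if self.clock() > claims["exp"]:
            raise PermissionError("deadline passed")
        if claims["q"] != question_id:
            raise PermissionError("link is scoped to a different question")
        return claims

    def why_denied(self, link, question_id):
        """Empty string if the link opens the question, otherwise the reason it does not."""
        try:
            self.authorise(link, question_id)
            return ""
        except PermissionError as err:
            return str(err)


if __name__ == "__main__":
    svc = DelegationLinks(secrets.token_bytes(32))
    link = svc.delegate("P2-IAM-03", "Alice@example.org", "she runs the IdP", "pmo@example.org", 14)
    print(link)
    print("same question:", svc.why_denied(link, "P2-IAM-03") or "allowed")
    print("other question:", svc.why_denied(link, "P2-IAM-04"))
```

The signature is verified before any field in the token is read, so a recipient cannot widen the scope by editing the question id in the link, and revocation is keyed on the random per-link id rather than on the recipient, so revoking one delegation does not disturb other questions sent to the same person.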
Your dashboard
Your profile is the control centre for everything you've built and delegated.
Active delegations
Every question you've sent to someone else. Revoke access, chase, reassign. See what's outstanding and what's been answered.
Accountability receipts
Every confirmation, risk acceptance, and delegation — timestamped, attributed, exportable. The evidence trail that proves decisions were made consciously.
Invitation and access management
Control who has access to what. See who has been invited and whether they have responded, and revoke scoped links when access is no longer needed.
Models over time
Track completion across your threat models. Revisit older ones. Compare versions. See how your security posture has changed — or hasn't.
Cross-model analysis
Across multiple threat models, patterns emerge. Which areas are consistently weak? Which data types appear without evidence? Which controls are claimed but never confirmed? This is the organisational view — thematic failures become visible before they become breaches.
Passkeys and sessions
Register, revoke, and manage your passkeys. See active sessions and revoke any. No passwords — phishing-resistant by default.
On the roadmap
Scheduled reviews
Set a review date for completed threat models. Get reminded to revisit. Security posture changes — your threat model should too.
Templates
Pre-configured starting points for common system types: SaaS platform, healthcare system, financial service, e-commerce, internal tool.
Vendor assessment
Send a scoped questionnaire to a third-party vendor. They fill in their part. Their responses are attributed and auditable.
Compliance mapping
Overlay your current state against specific frameworks — ISO 27001, SOC 2, Cyber Essentials, PCI DSS. See exactly which controls are evidenced and which are gaps.
Executive summary
Auto-generated one-page summary for board and C-suite. Maturity score, top risks, recommended actions.
Risk heatmap
Visual map of where risk concentrates across your systems. Which components, data types, and journey stages carry the most unresolved risk.
API access
Programmatic access for CI/CD integration. Check the security posture of a system before deploying.
Team workspaces
Share threat models within a team. Assign roles. Collaborate on assessments without sharing credentials.