Threat Modeling's Blind Spots: Navigating the Complexities of Scope Definition

TLDR

Scope definition is a challenging aspect of threat modeling
Blind spots often exist in the spaces between systems and responsibilities
Modern systems’ interconnectivity makes boundary definition increasingly complex
A well-defined scope is essential when threat modeling, but in practice, the scope often lacks the necessary detail
Effective scope management requires continuous refinement and stakeholder engagement

“Our most significant threats often hide in plain sight, not within the systems we closely examine, but in the spaces between what we choose to inspect and what we unknowingly overlook.”

Threat model scope

At the heart of threat modeling lies the concept of “threat model scope,” which defines the boundaries of the system, application, or environment under analysis. This involves clearly outlining the tangible and intangible assets requiring protection, identifying the users who interact with the system, and establishing the trust boundaries that delineate different levels of privilege and access.

The Scope Challenge

A well-defined scope is essential when threat modeling, but in practice, the scope often lacks the necessary detail. This becomes particularly evident in modern environments where system boundaries are increasingly fluid and interconnected. The complexity of today’s systems, coupled with rapid development cycles and evolving architectures, makes scope definition a challenging aspect of threat modeling.

Fig. 1: Fundamental challenges in threat modeling scope definition

The Challenge of Setting Boundaries - Where to Start?

Clearly defining the boundaries for threat modeling is not an easy task…

For broader contexts, such as complex enterprise environments, the scope could potentially extend to capture interconnected systems such as cloud infrastructure, third-party integrations, mobile apps, employee devices, customer data repositories, and network perimeters.

Similarly, in critical infrastructure sectors like healthcare, the scope could include patient data systems, medical devices, facility access controls, and the interfaces between clinical and administrative networks, all of which present unique attack vectors.

One option is to start with what you directly control, then systematically expand to include critical areas based on your specific context and threat landscape.

Creating a detailed connectivity matrix helps visualise these relationships and establish clear boundaries. A focus on finding technical threats using the connectivity matrix as a reference can help simplify the process, because the structure and data-flow of your system is something deterministic that you should be able to analyse with certainty.

Fig. 2: Considerations for scope definition

Finding the Right Balance

In light of these boundary challenges, threat model practitioners face a practical question: how deep and how wide should we go? The answer isn’t one-size-fits-all, but rather a delicate balance between zooming in and stepping back. Two complementary approaches could be considered:

Modular Decomposition Approach

The modular decomposition approach is generally preferred because it:

Enables granular focus on discrete areas
Minimises operational/resource impact through targeted scheduling
Facilitates recurring evaluation cycles for key assets

Enterprise-Wide Assessment Approach

However, periodic enterprise-wide assessments remain essential to:

Uncover cross-domain vulnerabilities invisible to siloed evaluations
Analyze system interdependencies and integration points
Validate consistent implementation of security controls across the organisation

This balanced methodology ensures both depth in specific domains and breadth across the enterprise security landscape.

Real-World Security Implications

The importance of balancing these approaches becomes apparent when examining real-world attack scenarios. While modular evaluations provide necessary depth, they may miss critical systemic vulnerabilities that enterprise-wide assessments are designed to identify. This limitation of narrow-scope evaluations manifests in many security scenarios:

Attackers frequently employ a chain of compromises to reach their ultimate target. A narrow focus on a single component might fail to detect the initial breach point and the subsequent steps an attacker takes to navigate the system.

In the context of emerging technologies like Artificial Intelligence (AI), a limited scope might fail to identify data poisoning or model extraction attacks. Traditional threat modeling scopes might not adequately address the unique threat landscape associated with AI systems. For example, manipulating the training data used to build an AI model (data poisoning) or stealing the underlying model itself (model extraction) are attack vectors specific to AI that might be missed by a narrowly defined scope based on conventional software security principles.

To illustrate these points, the following table provides examples of how a narrow threat model scope can lead to overlooked attacks:

Table 1: Examples of potential attacks missed due to narrow threat model scope

Narrow Scope Focus	Potential Missed Attacks
Application Code Only	Infrastructure Misconfigurations (e.g., weak network security)
Internal System Components	Supply Chain Attacks (via compromised third-party integrations)
Technical Vulnerabilities	Social Engineering Attacks, Insider Threats
Isolated Component Analysis	Lateral Movement Attacks across the system
Traditional Software Security	AI-Specific Attacks (e.g., data poisoning, model extraction)

Discovery and Identification Approaches

Technical Discovery: Beyond Documentation

System documentation aims to describe how systems should work, but actual connectivity patterns often tell a different story. Log analysis and technical discovery methods reveal how systems truly interact in the real world. This gap between documentation and reality exists because humans create documentation, and we all make mistakes or work with incomplete information.

Documentation quality frequently suffers toward project completion when teams rush to document before moving to new priorities. Cognitive biases also play a role here—we tend to document what we think we built rather than meticulously verifying every connection and interaction.

This is why high-quality threat modeling engagements focus on the reality of deployed systems rather than potentially outdated documentation. By analysing logs and actual system behavior, security teams gain invaluable insights that might be missed by relying solely on documentation.

Organisational Discovery: The Importance of Human Insight

Technical solutions alone never tell the complete story. Human factors, including cross-team collaboration and engagement with subject matter experts (SMEs) significantly enhance threat modeling effectiveness.

Development teams understand implementation details, operations staff know real-world system behavior. When these different perspectives collaborate, they identify vulnerabilities that might be missed by any single team working in isolation.

SMEs possess specialised knowledge about specific system components, business processes, and regulatory requirements. Their expertise helps identify domain-specific threats and prioritise protective measures based on business impact. Engaging SMEs early in the threat modeling process ensures that technical findings are properly contextualised.

Optimal Outcome

The ideal outcome combines both technical and organisational discovery methods to produce:

A detailed connectivity matrix capturing all system interactions, protocols, and data flows
Documentation of business processes and their technical implementations
Identification of critical assets and their protection requirements
Mapping of system dependencies and integration points
Recognition of operational constraints and business priorities
Business impact analysis information that quantifies potential losses from security incidents
Criticality ratings that align technical vulnerabilities with business consequences

This creates a foundation for an effective threat modeling engagement and reflects both the technical reality and the business context in which systems operate.

Fig. 3: Discovery and identification

Continuous Scope Management

Adaptive Review Processes

Systems evolve, threats change, and so must the scope of our security assessments. Determining suitable review intervals requires balancing ongoing reviews with operational practicality.

Effective scoping demands thoughtful consideration of review frequency. High-risk components may require more frequent threat modeling, while stable systems may need less intensive assessment.

Integrating Security into Development

Early detection of issues is key in modern dev environments. Regular threat modeling sessions with dev teams during sprint planning and design phases help identify potential vulnerabilities before they become embedded in production systems. This proactive stance not only reduces remediation costs but strengthens the collaborative relationship between security and development stakeholders.

In agile environments, threat modeling must align closely with rapid dev cycles. Ensuring new features (evolving scope) are continually assessed.

Scope should evolve in tandem with the product itself. This requires teams to maintain strong partnerships with product teams, understanding upcoming features and architectural changes before they’re implemented.

Leveraging Pre-Approved Patterns

The usage of pre-approved patterns significantly enhances the threat modeling process by streamlining security assessments. By developing and maintaining a library of security-vetted templates, such as Infrastructure as Code (IaC) configurations for AWS S3 buckets with proper encryption, access controls, and logging enabled, teams can accelerate secure development while maintaining consistency.

These expert-reviewed patterns serve as trusted building blocks that teams can implement minimising duplication of threat modeling sessions, reducing workload while maintaining security standards.

Documenting previously reviewed components creates an inventory that helps teams prioritise their threat modeling efforts on new or high-risk elements, directing resources more effectively.

For example, a pre-approved S3 bucket pattern might include:

Server-side encryption enabled by default
Public access blocked
Appropriate bucket policies
Lifecycle rules for data retention
CloudTrail and CloudWatch logging configurations

Fig. 4: Continuous scope management

Learning from Experience

Harnessing Hindsight

History provides many lessons regarding the consequences of improper scope definition. Major security breaches frequently involve overlooked systems, such as third-party plugins, neglected legacy systems, or shadow IT processes handling sensitive data without adequate oversight.

By systematically analysing past incidents teams can identify recurring patterns and blind spots in previous assessments.

Industry-Specific Insights

Understanding common attack patterns and vulnerabilities within your industry helps prioritise threat modeling efforts toward the most relevant risks. Financial services organisations, healthcare providers, and critical infrastructure operators each face unique threats that can potentially inform scoping decisions.

Open-source Intelligence

Open-source intelligence data also offers another rich source of insight. These community-maintained resources document common tactics and techniques employed across various threat scenarios, helping teams anticipate potential attack vectors that might otherwise be missed during scoping activities.

The integration of both organisational experience and industry knowledge creates a powerful learning loop. As threat modeling matures within an organisation, the quality of scoping decisions improves, leading to better coverage and fewer security gaps. This continuous refinement process ensures that scoping decisions become increasingly effective at identifying the boundaries that matter most.

Moving Forward: Embracing Complexity

Effective threat modeling requires an organisational mindset that values:

Challenging existing assumptions about system boundaries and interactions
Actively searching for potential blind spots rather than reacting to incidents
Cross-functional collaboration involving diverse stakeholders across disciplines
Embracing systematic review processes that evolve with the organisation

The best threat modeling practices continuously challenge scope assumptions, revealing grey areas and edge cases that automated tools often miss.

By acknowledging the inherent complexity of modern systems and fostering shared responsibility for security across traditional boundaries, organisations can build protective measures that more accurately align with the real-world business environments they aim to safeguard.