AS-201b · Module 1
Threat Modeling Methodology
4 min read
Good news, everyone! Threat modeling is not guesswork. It is a structured methodology — and I am going to teach you one that works specifically for AI systems. The STRIDE framework (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) is the traditional starting point, and it still applies. But AI systems need an extension that covers the model-specific threats STRIDE was never designed to address.
I call the AI-specific extension PIPE: Prompt manipulation, Information leakage, Privilege escalation through tool use, and Evasion of safety constraints. PIPE sits alongside STRIDE; it does not replace it. For any AI system, you run both frameworks. STRIDE catches the infrastructure threats. PIPE catches the AI-specific threats. Together they give you a far more complete threat map than either framework alone.
- Step 1: Draw the Architecture. Map every component: the user interface, the API layer, the model, the system prompt, the context window, connected tools, databases, and logging systems. Draw the data flows between them, and mark where each flow crosses a trust boundary (user input entering the prompt, tool or retrieval output entering the context window). Every arrow on this diagram is a potential attack path, and the arrows that cross a trust boundary are where the threats in Steps 2 and 3 concentrate.
- Step 2: Apply STRIDE to Infrastructure. Walk each component and each data flow through the six STRIDE categories. Can the API be spoofed? Can the conversation history be tampered with? Can access events be repudiated because logging is insufficient? Is PII disclosed in error messages? Can the model be denied service through expensive prompt abuse? Can a regular user escalate to admin through the AI?
- Step 3: Apply PIPE to AI Components. Walk the model and its connections through the four PIPE categories. Can the prompt be manipulated through user input, or through content the model retrieves or receives from tools (documents, web pages, tool results)? Can the model leak information from its system prompt, context, or training data? Can the model be tricked into using its tools in ways that escalate privilege, for example by acting on one user's behalf with credentials scoped for another? Can safety constraints be evaded through creative prompting?
- Step 4: Prioritize by Impact × Likelihood. Not every threat deserves immediate mitigation. Rank each identified threat by potential impact (what happens if it succeeds) multiplied by likelihood (how easy it is to exploit, and whether the attacker needs any privileged access to try). Address the high-impact, high-likelihood threats first. Document the rest with planned mitigation timelines, and also record the component/category cells you walked and found nothing in, so the next review can see what was covered rather than repeating the work.
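The four steps above fit in a small threat register. The Python below is an added example for this module, not code from the course or from any tool it references: it takes an architecture (Step 1), enumerates the STRIDE cells for every component and flow plus the PIPE cells for AI components (Steps 2 and 3), records scored threats, and splits them into a mitigate-now list and a backlog by impact × likelihood (Step 4). The sample chatbot architecture, the 1..5 scoring scale, the threshold of 12, and the set of component kinds treated as "AI components" are all assumptions of this example.

```python
"""STRIDE + PIPE threat register for an AI system (added example, not course code)."""
from dataclasses import dataclass
from itertools import count

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information Disclosure",
          "Denial of Service", "Elevation of Privilege")
PIPE = ("Prompt manipulation", "Information leakage",
        "Privilege escalation through tool use", "Evasion of safety constraints")

# Component kinds that Step 3 (PIPE) is applied to. Assumption of this example,
# chosen to match the components the module lists in Step 1.
AI_KINDS = {"model", "system_prompt", "context_window", "tool"}


@dataclass(frozen=True)
class Component:
    name: str
    kind: str  # ui, api, model, system_prompt, context_window, tool, database, logging


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str  # what travels along the arrow

    @property
    def label(self) -> str:
        return f"{self.src}->{self.dst}"


@dataclass(frozen=True)
class Threat:
    id: int
    target: str      # component name or flow label
    framework: str   # "STRIDE" or "PIPE"
    category: str
    impact: int      # 1 (negligible) .. 5 (catastrophic); scale is an assumption
    likelihood: int  # 1 (very hard) .. 5 (trivial)
    note: str = ""

    @property
    def score(self) -> int:
        return self.impact * self.likelihood


class ThreatModel:
    def __init__(self) -> None:
        self.components: dict[str, Component] = {}
        self.flows: list[Flow] = []
        self.threats: list[Threat] = []
        self.reviewed: set[tuple[str, str, str]] = set()  # cells walked, threat or not
        self._ids = count(1)

    # Step 1: draw the architecture.
    def add_component(self, name: str, kind: str) -> None:
        self.components[name] = Component(name, kind)

    def add_flow(self, src: str, dst: str, data: str) -> None:
        for n in (src, dst):
            if n not in self.components:
                raise KeyError(f"flow references unknown component {n!r}")
        self.flows.append(Flow(src, dst, data))

    def _is_ai(self, target: str) -> bool:
        # A flow is an AI target if either end is an AI component.
        if target in self.components:
            return self.components[target].kind in AI_KINDS
        flow = next(f for f in self.flows if f.label == target)
        return any(self.components[n].kind in AI_KINDS for n in (flow.src, flow.dst))

    # Steps 2 and 3: every (target, framework, category) cell a reviewer must walk.
    def cells(self) -> list[tuple[str, str, str]]:
        targets = list(self.components) + [f.label for f in self.flows]
        out = []
        for t in targets:
            out += [(t, "STRIDE", c) for c in STRIDE]
            if self._is_ai(t):
                out += [(t, "PIPE", c) for c in PIPE]
        return out

    def _check_cell(self, cell: tuple[str, str, str]) -> None:
        if cell not in set(self.cells()):
            raise ValueError(f"{cell[1]}/{cell[2]} does not apply to {cell[0]!r}")

    def record(self, target: str, framework: str, category: str,
               impact: int, likelihood: int, note: str = "") -> Threat:
        self._check_cell((target, framework, category))
        if not (1 <= impact <= 5 and 1 <= likelihood <= 5):
            raise ValueError("impact and likelihood are scored 1..5")
        t = Threat(next(self._ids), target, framework, category, impact, likelihood, note)
        self.threats.append(t)
        self.reviewed.add((target, framework, category))
        return t

    def mark_clear(self, target: str, framework: str, category: str) -> None:
        """Record that a cell was walked and no threat was found."""
        self._check_cell((target, framework, category))
        self.reviewed.add((target, framework, category))

    # Step 4: rank by impact x likelihood and split at a threshold (12 is an assumption).
    def triage(self, threshold: int = 12) -> dict[str, list[Threat]]:
        ranked = sorted(self.threats, key=lambda t: (-t.score, t.id))
        return {"mitigate_now": [t for t in ranked if t.score >= threshold],
                "backlog": [t for t in ranked if t.score < threshold]}

    def unreviewed(self) -> list[tuple[str, str, str]]:
        return [c for c in self.cells() if c not in self.reviewed]


def build_example() -> ThreatModel:
    """Constructed sample: a support chatbot with one database-backed tool."""
    m = ThreatModel()
    for name, kind in [("web_ui", "ui"), ("chat_api", "api"), ("assistant_model", "model"),
                       ("system_prompt", "system_prompt"), ("context_window", "context_window"),
                       ("order_lookup_tool", "tool"), ("orders_db", "database"),
                       ("audit_log", "logging")]:
        m.add_component(name, kind)
    m.add_flow("web_ui", "chat_api", "user message")
    m.add_flow("chat_api", "assistant_model", "assembled prompt")
    m.add_flow("system_prompt", "assistant_model", "instructions")
    m.add_flow("assistant_model", "order_lookup_tool", "tool call")
    m.add_flow("order_lookup_tool", "orders_db", "query")
    m.add_flow("chat_api", "audit_log", "events")
    m.record("chat_api->assistant_model", "PIPE", "Prompt manipulation", 4, 5,
             "user text is concatenated into the prompt unfiltered")
    m.record("order_lookup_tool->orders_db", "PIPE", "Privilege escalation through tool use",
             5, 3, "tool runs with a shared DB credential, not the caller's scope")
    m.record("system_prompt", "PIPE", "Information leakage", 3, 4, "model repeats instructions")
    m.record("chat_api", "STRIDE", "Denial of Service", 3, 3, "no per-user token budget")
    m.record("audit_log", "STRIDE", "Repudiation", 4, 2, "tool calls are not logged")
    m.mark_clear("web_ui->chat_api", "STRIDE", "Spoofing")  # TLS + session auth in place
    return m


if __name__ == "__main__":
    model = build_example()
    for bucket, items in model.triage().items():
        print(bucket, [(t.id, t.target, t.category, t.score) for t in items])
    print("cells still to walk:", len(model.unreviewed()))
```

The register refuses to file a PIPE threat against a non-AI component and refuses a STRIDE or PIPE category it does not know, so a reviewer cannot quietly skip a cell or score a category that does not apply. `unreviewed()` is the coverage check for Step 4's "document the rest": a cell only leaves that list once someone records a threat or explicitly marks it clear.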