PASTA Threat Modeling

PASTA Threat Modeling Without ₹15-25L Consultants: A Practitioner's Guide to the 7-Stage Process

Threat modeling is a regulatory expectation under SEBI CSCRF (ID.2) and ISO 27001, but most organizations outsource it at ₹15-25L per engagement because they lack structured methodology. PASTA's 7-stage process can be executed in-house with the right framework — here's how.

Key figures:

  • ₹15-25L: typical consultant cost per threat model
  • 7: PASTA methodology stages
  • 85%: organizations with no threat model
  • 4-6 weeks: in-house execution timeline

Why Threat Modeling Is No Longer Optional

Threat modeling has transitioned from a "nice to have" security practice to a regulatory expectation. SEBI CSCRF control ID.2 explicitly requires threat and risk assessment. ISO 27001 Clause 6.1.2 demands systematic identification of information security risks, which effectively requires threat modeling methodology. RBI's cybersecurity framework expects banks and NBFCs to conduct regular threat assessments.

Yet 85% of Indian organizations have never conducted a structured threat model. When asked by auditors about their threat assessment methodology, most point to their VAPT reports — which are not threat models. VAPT finds existing vulnerabilities; threat modeling identifies potential attack paths before vulnerabilities are exploited.

The barrier is perceived complexity and cost. Traditional threat modeling engagements by Big Four or specialist consulting firms cost ₹15-25 Lakhs per critical application, with 8-12 week timelines. For an organization with 5-10 critical systems, that's ₹75L-2.5Cr — a budget most CISOs cannot justify.

PASTA: The 7-Stage Practitioner Methodology

PASTA (Process for Attack Simulation and Threat Analysis) is a risk-centric threat modeling methodology developed for real-world application. Unlike STRIDE (which is developer-focused) or DREAD (which is a simple scoring model), PASTA provides a structured 7-stage process that produces actionable, audit-grade output.

Stage 1: Define Business Objectives

Start with what matters to the business — not with technology. Document the application's business purpose, regulatory requirements it must satisfy, data it processes, revenue it generates, and the business impact of its compromise. This stage ensures the threat model is risk-relevant, not just technically interesting.

Output: Business context document with risk appetite statement, regulatory mapping, and criticality classification.

Stage 2: Define Technical Scope

Map the technical environment: application architecture, technology stack, data flows, integration points, authentication mechanisms, network topology, and deployment model (on-premises, cloud, hybrid). Include infrastructure dependencies and third-party services.

Output: Technical architecture diagram, data flow diagrams (DFDs), and system boundary definition.

Stage 3: Application Decomposition

Break the application into components and identify trust boundaries. For each component: what data does it handle? What privileges does it require? What interfaces does it expose? Where are the trust boundaries (transitions between different privilege levels or security zones)?

Output: Component inventory with trust boundary map and privilege matrix.

Stage 4: Threat Intelligence

Research the threat landscape relevant to your application type and industry. For capital markets: what are the known attack patterns against trading platforms, clearing systems, or investor portals? For banking: what threat actors target payment systems? Use CERT-In advisories, SEBI threat alerts, and industry-specific threat reports.

Output: Threat actor profiles, attack pattern library (mapped to MITRE ATT&CK), and industry-specific threat intelligence summary.

Stage 5: Vulnerability and Weakness Analysis

Overlay known vulnerabilities and architectural weaknesses against the threat landscape. This is where VAPT findings, code review results, configuration audit findings, and known architectural weaknesses are analyzed in the context of identified threats. The question isn't just "what's vulnerable?" but "what's vulnerable and targeted?"

Output: Vulnerability-threat correlation matrix. Prioritized weakness list by exploitability and impact.

Stage 6: Attack Modeling and Simulation

Build attack trees that map realistic attack paths from threat actor entry points to business impact objectives. Each attack tree traces: entry vector → exploitation technique → lateral movement → data access → business impact. This stage answers the question: "How would a real attacker compromise this system?"

Output: Attack trees for top 10-15 attack scenarios. Risk-scored attack paths with likelihood and impact assessment.

Stage 7: Risk and Impact Analysis

Score each attack scenario by: likelihood (threat capability × vulnerability exploitability × exposure), impact (business impact × data sensitivity × regulatory consequence), and residual risk (taking existing controls into account). Produce a prioritized risk register with treatment recommendations.

Output: Prioritized risk register. Treatment recommendations per risk. Residual risk map. Board-ready risk summary.
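The Stage 6 attack path shape and the Stage 7 scoring formula carried through in Python, as an added example rather than code from the page or from any toolkit it mentions. The 1-5 ordinal scales, the normalisation to 0..1, the linear control adjustment for residual risk and the band thresholds are assumptions, since the text gives the factor products but not the scales; the three scenarios are constructed sample input.

```python
from dataclasses import dataclass
from typing import List, Dict

@dataclass
class AttackScenario:
    """One Stage 6 attack tree branch with its Stage 7 scoring factors."""
    name: str
    path: List[str]        # entry vector -> exploitation -> lateral -> data -> impact
    capability: int        # threat capability, assumed 1-5 scale
    exploitability: int    # vulnerability exploitability, assumed 1-5
    exposure: int          # exposure of the entry point, assumed 1-5
    business_impact: int   # assumed 1-5
    data_sensitivity: int  # assumed 1-5
    regulatory: int        # regulatory consequence, assumed 1-5
    control_effectiveness: float = 0.0  # assumed fraction (0..1) mitigated by controls

    def __post_init__(self):
        for f in ("capability", "exploitability", "exposure",
                  "business_impact", "data_sensitivity", "regulatory"):
            if not 1 <= getattr(self, f) <= 5:
                raise ValueError(f"{f} must be on the 1-5 scale")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError("control_effectiveness must be between 0 and 1")

    def likelihood(self) -> float:
        # page formula: capability x exploitability x exposure, scaled to 0..1
        return self.capability * self.exploitability * self.exposure / 125

    def impact(self) -> float:
        # page formula: business impact x data sensitivity x regulatory, scaled to 0..1
        return self.business_impact * self.data_sensitivity * self.regulatory / 125

    def inherent_risk(self) -> float:
        return round(self.likelihood() * self.impact() * 100, 1)

    def residual_risk(self) -> float:
        # assumption: existing controls reduce inherent risk linearly
        return round(self.inherent_risk() * (1 - self.control_effectiveness), 1)

def band(score: float) -> str:
    """Assumed risk bands for the register; thresholds are not from the page."""
    return "Critical" if score >= 40 else "High" if score >= 20 else "Medium" if score >= 8 else "Low"

def risk_register(scenarios: List[AttackScenario]) -> List[Dict]:
    """Stage 7 output: scenarios ordered by residual risk, highest first."""
    ordered = sorted(scenarios, key=lambda s: s.residual_risk(), reverse=True)
    return [{"scenario": s.name, "path": " -> ".join(s.path), "inherent": s.inherent_risk(),
             "residual": s.residual_risk(), "band": band(s.residual_risk())} for s in ordered]

# Constructed scenarios for an investor portal (sample input, not real findings).
SCENARIOS = [
    AttackScenario("Credential stuffing on portal login",
                   ["internet login", "credential stuffing", "none", "account data", "fraud"],
                   4, 5, 5, 5, 5, 5, control_effectiveness=0.5),
    AttackScenario("Phished admin to DB",
                   ["email", "phishing", "VPN to admin segment", "customer DB", "breach"],
                   3, 3, 3, 4, 4, 3),
    AttackScenario("Vulnerable API gateway",
                   ["public API", "unpatched gateway", "service creds", "trade data", "outage"],
                   5, 4, 4, 5, 5, 4, control_effectiveness=0.2),
]
```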

Time Investment per PASTA Stage (In-House Execution)

  • S1: Business Objectives: 2-3 days
  • S2: Technical Scope: 3-5 days
  • S3: Decomposition: 4-6 days
  • S4: Threat Intel: 3-5 days
  • S5: Vuln Analysis: 4-6 days
  • S6: Attack Modeling: 5-7 days
  • S7: Risk Analysis: 3-5 days

"We spent ₹22 Lakhs on a consulting firm for threat modeling. The output was technically impressive but unusable by our team. When we did it in-house using PASTA stages with structured tooling, we got something our developers could actually act on — and it cost a fraction."

— AppSec Lead, Digital Payment Company

Before: Consultant Dependency

  • ₹15-25L per threat model engagement
  • 8-12 week timelines per application
  • Knowledge leaves when consultants leave
  • Output format varies by consultant
  • Cannot scale to all critical applications
  • Team doesn't learn the methodology

After: In-House PASTA Capability

  • ₹2-5L tooling cost (reusable across all apps)
  • 4-6 week execution per application
  • Knowledge retained within the team
  • Consistent output format and quality
  • Scalable to all critical applications annually
  • Team builds institutional threat modeling skill

Mapping PASTA to Regulatory Requirements

SEBI CSCRF ID.2 Compliance

PASTA Stages 1-2 satisfy the risk context requirement. Stages 3-5 satisfy the threat and vulnerability identification requirement. Stages 6-7 satisfy the risk assessment and treatment requirement. The PASTA output maps directly to CSCRF evidence expectations for the Identify domain.

ISO 27001 Clause 6.1.2

PASTA produces exactly what ISO 27001 auditors look for: a systematic method for identifying risks, analyzing risks in terms of likelihood and impact, and evaluating risks against criteria. The attack tree methodology (Stage 6) provides the traceability auditors value.

Board Investment Case: In-House Threat Modeling

  • Consultant cost per application: ₹15-25L
  • Cost for 5 critical apps (consultant): ₹75L-1.25Cr
  • In-house tooling + training investment: ₹5-10L (one-time) + ₹2-5L (annual)
  • In-house cost for 5 critical apps: ₹8-15L (team time + tooling)
  • Cost savings (Year 1): ₹60L-1.1Cr
  • Additional benefit: institutional capability, priceless for ongoing compliance

PASTA Threat Modeling — Practitioner Toolkit

Execute all 7 PASTA stages with guided workflows, threat library pre-populated with Indian regulatory context, attack tree builder, and risk scoring engine. Produce audit-grade threat models in-house without consultant dependency.
