CISSP · Question #539
What is the threat modeling order using process for Attack simu-lation and threat analysis (PASTA)?
The correct answer is A. Application decomposition, threat analysis, vulnerability detection, attack enumeration, risk/impact. PASTA (Process for Attack Simulation and Threat Analysis) follows a specific seven-stage methodology. The correct ordering begins with application decomposition, proceeds through threat analysis and vulnerability detection, then attack enumeration, and concludes with risk/impact
Question
Options
- AApplication decomposition, threat analysis, vulnerability detection, attack enumeration, risk/impact
- BThreat analysis, vulnerability detection, application decomposition, attack enumeration,
- CRisk/impact analysis, application decomposition, threat analysis, vulnerability detection, attack
- DApplication decomposition, threat analysis, risk/impact analysis, vulnerability detection, attack
How the community answered
(59 responses)- A92% (54)
- B3% (2)
- C2% (1)
- D3% (2)
Why each option
PASTA (Process for Attack Simulation and Threat Analysis) follows a specific seven-stage methodology. The correct ordering begins with application decomposition, proceeds through threat analysis and vulnerability detection, then attack enumeration, and concludes with risk/impact analysis.
PASTA follows a staged process where you first decompose the application to understand its components and data flows, then perform threat analysis to identify potential threats, followed by vulnerability detection to find weaknesses, attack enumeration to simulate specific attack scenarios, and finally risk/impact analysis to prioritize remediation based on business impact. This order ensures that risk decisions are informed by the full context of application structure, threats, vulnerabilities, and attack paths discovered in prior stages.
This option incorrectly places threat analysis before application decomposition, which is technically backwards - you cannot meaningfully identify threats without first understanding the application's structure, components, and trust boundaries.
This option incorrectly places risk/impact analysis at the beginning of the process, whereas in PASTA, risk/impact analysis is the final stage performed after all technical analysis (decomposition, threat analysis, vulnerability detection, and attack enumeration) has been completed.
This option incorrectly inserts risk/impact analysis between threat analysis and vulnerability detection, disrupting the logical PASTA flow where risk assessment must come after attack enumeration, not before vulnerability detection.
Concept tested: PASTA threat modeling methodology stage ordering
Source: https://learn.microsoft.com/en-us/security/engineering/threat-modeling-aiml
Topics
Community Discussion
No community discussion yet for this question.