nerdexam


CISSP Question #539: Real Exam Question with Answer & Explanation

The correct answer is A: Application decomposition, threat analysis, vulnerability detection, attack enumeration, risk/impact.

Submitted by skyler.x · Mar 5, 2026 · Software Development Security

Question

What is the threat modeling order using the Process for Attack Simulation and Threat Analysis (PASTA)?

Options

  • A. Application decomposition, threat analysis, vulnerability detection, attack enumeration, risk/impact
  • B. Threat analysis, vulnerability detection, application decomposition, attack enumeration,
  • C. Risk/impact analysis, application decomposition, threat analysis, vulnerability detection, attack
  • D. Application decomposition, threat analysis, risk/impact analysis, vulnerability detection, attack

Explanation

PASTA (Process for Attack Simulation and Threat Analysis) follows a specific seven-stage methodology. The options name five of those stages, and in PASTA they occur in this order: application decomposition first, then threat analysis and vulnerability detection, then attack enumeration, and finally risk/impact analysis.

Common mistakes.

  • B. This option incorrectly places threat analysis before application decomposition, which is backwards: you cannot meaningfully identify threats without first understanding the application's structure, components, and trust boundaries.
  • C. This option incorrectly places risk/impact analysis at the beginning of the process, whereas in PASTA, risk/impact analysis is the final stage performed after all technical analysis (decomposition, threat analysis, vulnerability detection, and attack enumeration) has been completed.
  • D. This option incorrectly inserts risk/impact analysis between threat analysis and vulnerability detection, disrupting the logical PASTA flow where risk assessment must come after attack enumeration, not before vulnerability detection.

Concept tested. PASTA threat modeling methodology stage ordering

Reference. https://learn.microsoft.com/en-us/security/engineering/threat-modeling-aiml

Topics

threat modeling, PASTA, application security, risk assessment methodology
