In 2023, a mid-size financial firm suffered a complete domain compromise. The entry point wasn't sophisticated—it was an unpatched VPN appliance that three different teams assumed someone else was responsible for. The vulnerability had been public for eleven months. This isn't a story about missing patches; it's a story about missing risk assessment. If no one systematically asks "what can go wrong and who owns it," the answer eventually reveals itself in an incident report.
Why Traditional Vulnerability Scanning Isn't Enough
Vulnerability scanners tell you what's wrong. Threat modeling tells you what matters. A scan might flag 12,000 CVEs across your environment, but without understanding asset criticality, attack paths, and business impact, you're triaging in the dark.
Risk assessment bridges the gap between raw findings and strategic action. It answers: If an attacker targets us, what's the most likely path, and what's the blast radius?
Building a Threat Model for Infrastructure
I use a modified STRIDE framework adapted for infrastructure rather than application security. The process has four phases:
1. Asset Inventory and Classification
You can't protect what you don't know about. Start with automated discovery:
# Nmap service discovery across your internal ranges
# -O needs root, and -sV across a whole /8 takes days: scope the target list to
# the ranges you actually allocate rather than scanning all of 10.0.0.0/8
nmap -sV -O --top-ports 1000 -oX infrastructure_scan.xml 10.0.0.0/8
# Parse results into a structured inventory. nmap-parse-output (ERNW) is a bash
# wrapper around xsltproc; host-ports prints one ip:port line per open port
nmap-parse-output infrastructure_scan.xml host-ports > asset_inventory.txt
Classify each asset by confidentiality, integrity, and availability requirements. A domain controller and a print server are not equal-priority targets.
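The classification step is the part that tools do not do for you. The following is an added example, not the page's own tooling: it parses the `-oX` output from the scan above with the standard library, derives a C/I/A score per host from the services it exposes, and writes the inventory as CSV. The sample XML, the `SERVICE_CIA` weights and the tier thresholds are constructed assumptions; swap in your own classification policy.

```python
"""Added example (not the page's own tooling): turn nmap -oX output into a
classified asset inventory. Assumes the element layout nmap writes with -sV
(host/address/ports/port/service); the sample XML and the CIA rules are
constructed for illustration, not a standard."""
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample: two live hosts and one down host, trimmed to the
# elements the parser actually reads.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
 <host><status state="up"/>
  <address addr="10.0.1.10" addrtype="ipv4"/>
  <hostnames><hostname name="dc01.corp.example" type="PTR"/></hostnames>
  <ports>
   <port protocol="tcp" portid="88"><state state="open"/><service name="kerberos-sec"/></port>
   <port protocol="tcp" portid="389"><state state="open"/><service name="ldap"/></port>
   <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
  </ports>
 </host>
 <host><status state="up"/>
  <address addr="10.0.5.20" addrtype="ipv4"/>
  <hostnames><hostname name="prn01.corp.example" type="PTR"/></hostnames>
  <ports>
   <port protocol="tcp" portid="9100"><state state="open"/><service name="jetdirect"/></port>
   <port protocol="tcp" portid="631"><state state="closed"/><service name="ipp"/></port>
  </ports>
 </host>
 <host><status state="down"/><address addr="10.0.5.21" addrtype="ipv4"/></host>
</nmaprun>
"""

# Assumed service -> (C, I, A) weights on a 1-5 scale. A DC role dominates;
# unknown services get a middling 2 so they get reviewed, not ignored.
SERVICE_CIA = {
    "kerberos-sec": (5, 5, 5),
    "ldap": (5, 5, 5),
    "ms-sql-s": (5, 4, 4),
    "microsoft-ds": (3, 3, 3),
    "jetdirect": (1, 1, 1),
}
UNKNOWN_CIA = (2, 2, 2)

def parse_nmap_xml(xml_text):
    """One dict per host that is up, with its open services."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        name = host.find("hostnames/hostname")
        services = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            services.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": svc.get("name", "") if svc is not None else "",
            })
        hosts.append({
            "ip": addr.get("addr") if addr is not None else "",
            "hostname": name.get("name") if name is not None else "",
            "services": services,
        })
    return hosts

def classify(host):
    """C/I/A is the max over open services; the tier follows the highest need."""
    c = i = a = 1
    for svc in host["services"]:
        sc, si, sa = SERVICE_CIA.get(svc["name"], UNKNOWN_CIA)
        c, i, a = max(c, sc), max(i, si), max(a, sa)
    top = max(c, i, a)
    tier = "tier1" if top >= 5 else "tier2" if top >= 3 else "tier3"
    return {"c": c, "i": i, "a": a, "tier": tier}

def build_inventory(xml_text):
    rows = []
    for host in parse_nmap_xml(xml_text):
        rows.append({
            "ip": host["ip"],
            "hostname": host["hostname"],
            "open_ports": ";".join(f"{s['port']}/{s['proto']}" for s in host["services"]),
            **classify(host),
        })
    return rows

def inventory_csv(xml_text):
    """The inventory as CSV text; the tier column feeds the SIEM lookup later."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["ip", "hostname", "open_ports", "c", "i", "a", "tier"])
    writer.writeheader()
    writer.writerows(build_inventory(xml_text))
    return buf.getvalue()

if __name__ == "__main__":
    print(inventory_csv(SAMPLE_NMAP_XML))
```

Run it against a real `infrastructure_scan.xml` by replacing `SAMPLE_NMAP_XML` with the file contents. Taking the maximum over services (rather than the sum) is deliberate: a host with one domain-controller port is Tier 1 regardless of how many trivial services sit next to it.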
2. Attack Surface Enumeration
Map every entry point: VPN gateways, exposed management interfaces, cloud API endpoints, third-party integrations. For external surfaces:
# Enumerate externally exposed services
# masscan needs root for raw sockets and reports open ports only (no
# versions), so re-scan its hits with nmap -sV before version matching
masscan -p1-65535 --rate 10000 -oJ external_surface.json YOUR_PUBLIC_RANGES
# Check for known vulnerable versions: searchsploit matches the service
# banners in nmap -sV XML against Exploit-DB, so point it at nmap output
searchsploit --nmap infrastructure_scan.xml
3. Threat Scenario Development
For each critical asset, document realistic attack scenarios. I use a simple structured format:
| Scenario | Entry Point | Lateral Movement | Target Asset | Impact |
|---|---|---|---|---|
| VPN compromise → DA | SSL VPN (CVE-2024-XXXX) | Pass-the-hash via SMB | Domain Controller | Full domain compromise |
| Supply chain backdoor | Compromised update server | Agent-based execution | Database servers | Data exfiltration |
| Insider threat | Legitimate credentials | Direct access | Financial application | Fraud / data theft |
4. Risk Scoring and Prioritization
I use a quantitative approach: Risk = Likelihood × Impact × Exposure
Each factor is scored 1–5, so a scenario lands between 1 and 125. Likelihood is how plausible the scenario is given the controls you actually have (a public exploit for a service nobody owns scores high); Impact comes from the target asset's CIA classification in phase 1; Exposure is how reachable the entry point is. This produces a ranked list that leadership can actually act on, not a 200-page scan report.
Automating Ongoing Assessment
Threat models decay fast. Automate continuous validation:
# Example: scheduled attack path analysis with BloodHound CE
# docker-compose.yml snippet: the bloodhound service only. It also needs the
# app-db (Postgres) and graph-db (Neo4j) services from the upstream compose file.
services:
  bloodhound:
    image: specterops/bloodhound:latest
    ports:
      - '8080:8080'
    environment:
      - bhe_disable_cypher_complexity_limit=false   # keep the query guardrail on
# Run SharpHound collection on a schedule via your RMM
# and ingest results weekly to detect new AD attack paths
Additionally, integrate risk context into your SIEM. In Splunk:
index=vuln_scan severity=critical
| lookup asset_criticality.csv dest_ip OUTPUT asset_tier risk_score
| where asset_tier="tier1"
| sort -risk_score
Use lookup rather than join with a subsearch: subsearches are capped in rows and runtime, and a critical-severity scan export will exceed that cap sooner than you expect. asset_tier and risk_score are columns of asset_criticality.csv (the scan data carries neither), so keep that file in step with the phase 1 inventory. Saved as a scheduled alert, this ensures Tier 1 assets with critical vulnerabilities trigger immediate alerts, not just dashboard entries.
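The same correlation can be checked offline before it goes into the SIEM, which is also the easiest way to sanity-check the phase 4 scoring. The following is an added example, not the page's own code: it joins a constructed vulnerability-scan export against a constructed asset_criticality table, scores each finding with Risk = Likelihood × Impact × Exposure on 1–5 scales, keeps the Tier 1 critical hits ranked as the SPL does, and additionally reports scanned hosts that are missing from the inventory. The field names mirror the SPL; the mappings from severity and tier to the 1–5 scales, the exposure column and the CVE identifiers are assumptions.

```python
"""Added example (not the page's own code): the SIEM correlation above done
offline in Python, plus the page's risk formula. Both CSV inputs are
constructed; the scale mappings below are assumptions, not a standard."""
import csv
import io

# Constructed lookup table, same shape as asset_criticality.csv in the SPL.
# exposure is the phase 4 Exposure factor, already on a 1-5 scale.
ASSET_CRITICALITY_CSV = """dest_ip,hostname,asset_tier,exposure
10.0.1.10,dc01.corp.example,tier1,2
10.0.2.15,vpn01.corp.example,tier1,5
10.0.5.20,prn01.corp.example,tier3,1
"""

# Constructed scanner export; the CVE ids are placeholders, not real entries.
VULN_FINDINGS_CSV = """dest_ip,cve,severity,exploit_public
10.0.1.10,CVE-0000-0001,critical,false
10.0.2.15,CVE-0000-0002,critical,true
10.0.5.20,CVE-0000-0003,critical,true
10.0.2.15,CVE-0000-0004,high,false
10.0.9.9,CVE-0000-0005,critical,true
"""

# Assumed 1-5 mappings: Impact follows the asset tier from the inventory,
# Likelihood follows scanner severity with a bump when an exploit is public.
IMPACT_BY_TIER = {"tier1": 5, "tier2": 3, "tier3": 1}
LIKELIHOOD_BY_SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}

def likelihood(finding):
    base = LIKELIHOOD_BY_SEVERITY.get(finding["severity"], 1)
    return min(5, base + (1 if finding["exploit_public"] == "true" else 0))

def risk_score(likelihood_, impact, exposure):
    """Risk = Likelihood x Impact x Exposure, each factor required to be 1-5."""
    for v in (likelihood_, impact, exposure):
        if not 1 <= v <= 5:
            raise ValueError(f"factor out of 1-5 range: {v}")
    return likelihood_ * impact * exposure

def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))

def tier1_critical_alerts(assets_csv, findings_csv, severity="critical"):
    """Offline twin of: index=vuln_scan severity=critical | lookup ... | where tier1 | sort -risk_score."""
    assets = {row["dest_ip"]: row for row in load_csv(assets_csv)}
    alerts = []
    for f in load_csv(findings_csv):
        if f["severity"] != severity:
            continue
        asset = assets.get(f["dest_ip"])
        if asset is None or asset["asset_tier"] != "tier1":
            continue  # not Tier 1 (or not inventoried): dashboard, not a page-out
        score = risk_score(likelihood(f), IMPACT_BY_TIER[asset["asset_tier"]], int(asset["exposure"]))
        alerts.append({"dest_ip": f["dest_ip"], "hostname": asset["hostname"],
                       "cve": f["cve"], "risk_score": score})
    return sorted(alerts, key=lambda a: a["risk_score"], reverse=True)

def uninventoried(assets_csv, findings_csv):
    """Hosts the scanner saw but the inventory does not know: the unowned-VPN problem."""
    known = {row["dest_ip"] for row in load_csv(assets_csv)}
    return sorted({f["dest_ip"] for f in load_csv(findings_csv)} - known)

if __name__ == "__main__":
    for alert in tier1_critical_alerts(ASSET_CRITICALITY_CSV, VULN_FINDINGS_CSV):
        print(alert)
    print("not in inventory:", uninventoried(ASSET_CRITICALITY_CSV, VULN_FINDINGS_CSV))
```

On the sample data the internet-facing VPN gateway with a public exploit outranks the domain controller (125 against 40) even though both are Tier 1, which is the point of carrying Exposure separately from Impact. The `uninventoried` list is worth its own alert: a host that the scanner can reach but nobody has classified is exactly the gap the opening incident describes.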
Operationalizing Threat Models
A threat model sitting in Confluence is shelf-ware. Make it operational:
- Feed prioritized risks into your patching SLAs. Tier 1 assets with modeled attack paths get 48-hour remediation windows.
- Use scenarios for purple team exercises. Hand your red team the top three scenarios and validate whether detection exists.
- Review quarterly. New infrastructure, new acquisitions, and new CVEs shift the landscape constantly.
Final Thought
The organizations that handle incidents best aren't the ones with the most tools—they're the ones that systematically imagined what could go wrong before it did. Threat modeling isn't a compliance checkbox. It's the difference between responding to a predicted scenario and scrambling through an unfamiliar one at 2 AM.
Start small. Pick your five most critical assets. Model three attack paths each. You'll learn more about your real risk posture in a week than a year of scan reports ever told you.
Have questions about risk assessment and threat modeling for infrastructure? I'm always happy to talk shop — reach out or connect with me on LinkedIn.