v2.4.0

The threat model is the primary security artefact for Module 9. It is a living document, version-controlled in the documentation repository, combining the methodology (STRIDE + MITRE ATLAS + OWASP LLM within a PASTA framework), the attack surface inventory (eight categories), the threat actor profiles (four categories), the enumerated threats with risk scores, the mitigations for each threat above the risk acceptance threshold, and the residual risks.

The threat model is produced using structured tooling (IriusRisk, OWASP Threat Dragon, or equivalent) and maintained by the Technical SME. It is reviewed annually and updated whenever the system’s architecture, data sources, deployment context, or threat landscape changes materially. The threat model feeds directly into the cybersecurity testing programme: every identified threat should be exercised by at least one test.
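Because the threat model is version-controlled, the two traceability rules above (a mitigation for every threat above the risk acceptance threshold, and at least one test per threat) can be checked automatically on each change. The following is an added example, not part of the original documentation or of any named tool: the register fields, the threshold value, the identifiers and the test catalogue are all assumptions, and the sample data is constructed.

```python
import sys
from dataclasses import dataclass, field

# Assumed value: the page refers to a risk acceptance threshold but not its scale.
RISK_ACCEPTANCE_THRESHOLD = 6

@dataclass
class Threat:
    threat_id: str
    title: str
    risk_score: int
    mitigations: list = field(default_factory=list)
    tests: list = field(default_factory=list)  # IDs of tests that exercise the threat

def find_gaps(threats, known_tests, threshold=RISK_ACCEPTANCE_THRESHOLD):
    """Return (threat_id, reason) pairs for every traceability gap."""
    gaps = []
    for t in threats:
        # A reference to a test that no longer exists gives no real coverage.
        live = [tid for tid in t.tests if tid in known_tests]
        for tid in t.tests:
            if tid not in known_tests:
                gaps.append((t.threat_id, f"DANGLING_TEST:{tid}"))
        if not live:
            gaps.append((t.threat_id, "UNTESTED"))
        if t.risk_score > threshold and not t.mitigations:
            gaps.append((t.threat_id, "UNMITIGATED"))
    return gaps

# Constructed sample register and test catalogue (hypothetical IDs).
KNOWN_TESTS = {"TC-101", "TC-102"}
REGISTER = [
    Threat("T-001", "Prompt injection", 9, ["Input filtering"], ["TC-101"]),
    Threat("T-002", "Training data poisoning", 8, [], ["TC-102"]),
    Threat("T-003", "Model extraction", 4, [], []),
    Threat("T-004", "Resource exhaustion", 7, ["Rate limiting"], ["TC-999"]),
]

if __name__ == "__main__":
    found = find_gaps(REGISTER, KNOWN_TESTS)
    for threat_id, reason in found:
        print(f"{threat_id}: {reason}")
    # A non-zero exit lets a pipeline block the change until the gap is closed.
    sys.exit(1 if found else 0)
```

Threats at or below the threshold are still required to have a test here, since the rule above applies to every identified threat, not only the mitigated ones.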

The threat model is retained for the ten-year period. Each version is preserved, enabling an assessor to understand how the threat landscape evolved over the system’s lifetime and how the organisation responded.

Key outputs

  • Living threat model document (version-controlled, structured tooling)
  • Annual review with change-triggered updates
  • Ten-year retention with version history
  • Module 9 AISDP evidence