Designed in. Not bolted on.
Remediating a security flaw found in production costs orders of magnitude more than designing it out before the first line of code. We work at the architecture layer — where the decisions that determine the security properties of a system for its entire lifetime are made.
NIST SP 800-207, NIST SP 800-160, SABSA, ISO/IEC 27034, STRIDE, PASTA
THREAT MODELLING
The core discipline of secure architecture.
Threat modelling makes attack surface visible, drives design decisions, and produces prioritised requirements before implementation begins.
Methodology
- STRIDE — Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege; applied per component and per data flow
- PASTA — Process for Attack Simulation and Threat Analysis; risk-centric methodology that ties threats to business impact
- Attack trees — hierarchical decomposition of attacker goals into constituent steps; effective for complex multi-stage attack scenarios
- LINDDUN — privacy-specific threat modelling for systems processing personal data under GDPR or similar obligations
What We Produce
- Data flow diagrams (DFDs) with trust boundaries, assets, and data classification marked
- Threat catalogue: identified threats with likelihood, impact, and risk rating
- Abuse cases: attacker-perspective scenarios tied to design decisions
- Mitigations mapped to each threat with design recommendation or control reference
- Residual risk register: accepted risks documented with rationale
Integration with Development
- Threat model updated at each architecture decision milestone — not a one-time document
- Security requirements derived from threat model fed directly into sprint backlog
- Review criteria for code review and testing derived from identified threats
- Developer-facing threat model summary for use in PR reviews and design discussions
ZERO TRUST & DESIGN
Trust boundaries you can actually enforce.
Zero Trust Architecture
- Identity as the control plane — every access decision anchored to a verified, context-enriched identity regardless of network origin
- Micro-segmentation design — workload isolation at the service level; lateral movement is architecturally constrained, not just monitored
- Least-privilege access patterns — just-in-time and just-enough access models built into the architecture; no standing permissions for sensitive resources
- Device trust integration — device health and compliance status as inputs to access policy decisions
- Continuous verification — access tokens with short lifetimes, session re-evaluation on context change, and anomaly-based re-authentication triggers
Trust Boundary & Service Design
- Service trust boundaries — explicit mapping of which services trust which callers, under what conditions, and with what verification — documented and enforced, not assumed
- Tenancy and data isolation models — multi-tenant architecture patterns with cryptographic, logical, and physical isolation options evaluated against the threat model
- Secrets architecture — KMS integration, envelope encryption patterns, secret rotation strategy, and secret injection at runtime rather than build time
- API authorisation design — OAuth 2.0 scope design, token binding, resource server architecture, and inter-service auth (mTLS, SPIFFE/SPIRE)
- Fail-secure defaults — deny-by-default posture, graceful degradation that does not open access on failure, and circuit-breaker design with security implications considered
REFERENCE PATTERNS
Encode it once, default it everywhere.
Reference Architectures & Patterns
- Reference architecture diagrams with security annotations for common patterns: microservices, event-driven, data pipelines, mobile backend
- IaC modules implementing reference architectures with security controls embedded and tested
- Secure-by-default application framework scaffolding eliminating common first-time implementation mistakes
Guardrails & Prevention
- Policy-as-code — admission policies enforcing architecture decisions in CI/CD and Kubernetes admission
- Architecture fitness functions — automated tests that verify security properties of the architecture on each build
- Drift detection — comparison of deployed infrastructure state against approved baseline with alerting on deviation
- Security design review checklist embedded in feature and project planning templates
DELIVERABLES
Durable artefacts, not one-shot consultancy.
Threat Model
- Data flow diagrams with trust boundaries, assets, and classification
- Threat catalogue with STRIDE / PASTA analysis and risk ratings
- Mitigations and residual risk register
- Security requirements derived from threats, suitable for sprint backlog
Architecture
- Architecture decision records (ADRs) with security rationale for every significant design choice
- Reference architecture diagrams with security control placement annotated
- Trust boundary specification and service authorisation matrix
- IaC modules implementing approved patterns
Governance
- Security requirements specification tied to threat model findings
- Policy-as-code rules and guardrail configuration
- Developer guidance document: secure design patterns for your stack
- Security review checklist for use in feature planning and PR review
