Definition
Threat modeling is the disciplined practice of asking, before you build or deploy a system, "What can go wrong, who would do it, and what happens if they succeed?" Rather than reacting to breaches after the fact, you enumerate assets, map how data and trust flow between components, identify the boundaries an attacker could cross, and rank the resulting risks so that scarce time and money go to the threats that actually matter. For a sovereign Bitcoiner, the assets are usually seed phrases, signing devices, and the privacy graph linking your identity to your coins.
How a threat model is built
A practical model has four moving parts: what you are protecting (keys, miners, network), who you are protecting it from (a remote scammer, a thief, a coercive third party, a global passive adversary), how an attacker would reach each asset, and which mitigations are worth the friction. The widely cited STRIDE framework, created at Microsoft by Loren Kohnfelder and Praerit Garg, sorts threats into Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege as a memory aid for "what can go wrong" at each trust boundary.
Why it matters for self-custody
Most self-custody failures are not exotic cryptographic breaks; they are unmodeled risks: a photographed seed, a phishing site, malware on the signing computer, or a supply-chain-tampered device. Naming those threats explicitly turns vague anxiety into a checklist you can actually defend against, and it stops you from over-defending against irrelevant ones while ignoring the obvious. A threat model is never finished; it is revisited whenever your stack, your stack size, or your adversaries change.
Threat modeling pairs naturally with attack surface reduction and a layered defense-in-depth posture, since the model tells you which layers are worth building.
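The four parts described above, applied to the self-custody failures this page names, as an added example that is not part of the original page. The 1-5 scores, the mitigation wording, the friction costs and the budget are constructed assumptions for illustration.

```python
from dataclasses import dataclass

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information Disclosure", "D": "Denial of Service",
          "E": "Elevation of Privilege"}

@dataclass(frozen=True)
class Threat:
    asset: str        # what you are protecting
    adversary: str    # who you are protecting it from
    path: str         # how the attacker reaches the asset
    stride: str       # STRIDE letter for the trust boundary crossed
    likelihood: int   # 1-5, constructed score
    impact: int       # 1-5, constructed score
    mitigation: str   # illustrative wording, an assumption
    friction: int     # 1-5 cost of living with the mitigation (constructed)

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact

# Constructed register built from the failures named on this page.
REGISTER = [
    Threat("seed phrase", "thief", "photographed seed", "I", 3, 5, "offline backup, never photographed", 2),
    Threat("seed phrase", "remote scammer", "phishing site asks for the seed", "S", 4, 5, "never type the seed into a site", 1),
    Threat("signing device", "remote scammer", "malware on the signing computer", "E", 3, 4, "sign on a dedicated device", 3),
    Threat("signing device", "supply-chain attacker", "tampered device", "T", 1, 5, "verify device on receipt", 2),
    Threat("privacy graph", "global passive adversary", "traffic links identity to coins", "I", 2, 3, "route wallet traffic privately", 4),
]

def ranked(register):
    """Highest risk first; ties broken by the cheaper mitigation."""
    return sorted(register, key=lambda t: (-t.risk, t.friction))

def plan(register, friction_budget):
    """Greedy pick by risk addressed per unit of friction, within the budget."""
    chosen, spent = [], 0
    for t in sorted(register, key=lambda t: -t.risk / t.friction):
        if spent + t.friction <= friction_budget:
            chosen.append(t)
            spent += t.friction
    residual = sum(t.risk for t in register if t not in chosen)
    return chosen, residual

def stride_gaps(register, asset):
    """STRIDE categories not yet asked about for this asset."""
    seen = {t.stride for t in register if t.asset == asset}
    return [name for letter, name in STRIDE.items() if letter not in seen]
```

`stride_gaps` is the memory-aid use of STRIDE: an empty category for an asset is a prompt to ask the question, not proof that no threat exists there.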
