- The paper introduces TRACE, a methodology that integrates evidence-linked primitives for threat modeling in distributed and decentralized organizations.
- It redefines conventional approaches by explicitly modeling collusion, distributed authority, and critical invariants across protocol, system, and organizational levels.
- The method enables rigorous pre-implementation risk assessments with a disciplined human-AI co-working framework to enhance reviewability and reduce false positives.
TRACE: A Threat Modelling Methodology for Distributed, Cloud-First, and Decentralized Organisations
Background and Motivations
Traditional threat modelling methodologies such as STRIDE, PASTA, Trike, OCTAVE, LINDDUN, attack trees, and adversary behavior catalogues (e.g., MITRE ATT&CK) were formulated for environments with a clear institutional boundary, centralized ownership, and a strict separation between technical and operational risk. The contemporary expansion of cloud-first, distributed, and decentralized organizations fundamentally erodes these legacy assumptions. Present-day organizations are characterized by fragmented authority, spanning founders, contractors, vendors, multisigs, committees, and substantial automation. The security perimeter is no longer network-centric, and complex value chains expose an expanded and ambiguous attack surface, with substantial risk emanating from authorized but adversarial insiders, collusion across weak trust boundaries, supply-chain assaults on CI/CD infrastructure, and operational failures.
Analysis of prominent threat modelling approaches reveals that while each framework is robust within its native scope, critical classes of threats in these modern settings—especially those involving distributed authority, collusion, control- and supply-chain compromise, and human operations—are either omitted or externally scoped. Notably, these are empirically observed as dominant causal factors in numerous recent high-impact incidents. Consequently, modern security analysis paradigms require an explicit, evidence-linked modelling methodology to cover the complexities introduced by these design and operational realities.
Comparative Survey and Gap Analysis
The structured review of existing methodologies exposes key limitations in their application to distributed, cloud-first environments:
- Dissolved Perimeter: STRIDE and similar models presuppose a trust boundary, a premise invalidated by zero-trust architectures and multifaceted cloud/SaaS infrastructures.
- Unmodelled Authority: Existing frameworks model authorisation (action-permission conformance) but largely ignore the damage potential of fully-authorized actor misuse, which is now a primary threat vector.
- Absent Collusion Modelling: No mainstream framework treats collusion and coordinated action among privileged actors as first-class analytical objects, a critical omission in systems reliant on multiparty governance, quorum, or vendor independence.
- Neglected Control Planes and Supply Chains: While post facto knowledge bases (e.g., ATT&CK) catalogue attack techniques, design-time methods fail to analyze build/deployment control planes and third-party integrations as loci of risk.
- Human and Operational Blind Spots: Recent compromise events increasingly reflect failures in human or procedural controls, yet these are often out of scope or only loosely coupled to technical threat catalogues.
- Unarticulated Invariants: Without requiring analysts to state critical system invariants, threat analysis lacks clear prioritization anchors, leading to arbitrary or myopic severity judgement.
- Pre-AI Era Workflow: All legacy methods predate the era of effective LLMs, and thus lack formal mechanisms to integrate and discipline human-AI conjoined analysis.
The TRACE Methodology
TRACE redefines the threat modelling stack for modern organizations by instantiating five core, evidence-linked modelling objects:
- Threat Actors: All entities capable of influencing the system, including insiders, contractors, third-party vendors, economic adversaries, and governance actors.
- Roles: Scope-based positions conferring access or authority, essential for localizing privilege and investigation of separation-of-duties and escalation risks.
- Assets: Everything of value or operational criticality, including control channels, governance keys, credentials, and continuity resources.
- Critical Invariants: Explicit, system-specific properties vital to safety (e.g., solvency, integrity, approval correctness), providing a rigorous anchor for severity assessment and prioritization.
- Edges: Points of trust, authority, or value transference between domains (e.g., through identity providers, CI/CD pipelines, API surfaces), elevating every crossing as discrete analytical units especially within zero-trust contexts.
TRACE operationalizes these primitives through a sequential, gated workflow with explicit human review at each analytical inflection point. This process forces traceability between threat, evidence, and mitigation. It scales across three analytical pillars—protocol (design-level), system (infrastructure/architecture), and organization (operations and human factors)—which are applied iteratively based on input heterogeneity, emphasizing invariant definition, authority mapping, and collusion analysis in each context. The methodology's stack-agnostic architecture enables robust applicability, including but not limited to Web3 and highly decentralized environments.
Human-AI Co-Working and Reviewability
A central innovation in TRACE is a disciplined framework for human-AI co-working. LLMs are leveraged as accelerants for source material extraction, preliminary object candidate identification, and attack path enumeration. However, TRACE mandates that all AI-generated artifacts remain provisional until reviewed by senior analysts. The methodology incorporates rigorous evidence linkage throughout: model objects must provide source citations or be explicitly labelled as inferred; threats, attack tree nodes, and mitigations are all cross-referenced to maintain traceability and review accountability. AI-generated content is categorically excluded from final definitions of system invariants or collusion surfaces, and severity assessment remains an expert-driven process to mitigate automation bias.
Theoretical and Practical Implications
TRACE presents both methodological and pragmatic advancements. Theoretically, it augments threat modelling with primitives attuned to modern organizational reality—distributed authority, collusion, and the operational-context alignment of human, procedural, and technical risk. By modeling explicit invariants, TRACE provides a lens for criticality-driven ranking, superseding generic property enumeration and reducing the frequency of false positives and misprioritizations. The integration of disciplined AI-augmentation with explicit human review gates addresses both the substantial scale of source material and the imperative for trustworthy, audit-ready analysis.
Practically, TRACE enables rigorous, pre-implementation threat analysis for organizations with fragmented governance stacks and complex cross-organizational operational chains. It composes with, rather than replaces, established tools (e.g., STRIDE for elicitation, attack trees for decomposition) but re-bases them over a more realistic object and evidence model that dissolves perimeter assumptions. In operational security reviews, TRACE has utility for ongoing risk assessment as organizational realities shift (e.g., team changes, vendor integrations, or evolving incident response strategies).
Limitations and Future Directions
TRACE’s primary limitation lies in its current validation status: while derived from significant professional practice, controlled empirical evaluations (e.g., inter-analyst agreement rates, improvement over STRIDE-only coverage) remain to be conducted. Model quality is inherently bounded by input accuracy and reviewer expertise, and the method’s full workflow introduces notable analytical overhead, particularly in the collusion and organizational pillars. Severity ranking, while invariant-anchored, retains a degree of subjectivity.
Future work includes empirical benchmarking of coverage and robustness, formalization of invariant and edge definitions into machine-interpretable schemas for automated validation, and quantitative integration with accountable consensus and mechanism design theory to model collusion and incentive alignment with greater rigor.
Conclusion
TRACE systematically addresses the dominant classes of threats in distributed, cloud-first, and decentralized organizational settings by treating invariants, distributed authority, collusion, and cross-domain edges as first-class, evidence-linked objects. The methodology’s sequential, review-gated workflow, discipline around source traceability, and designed-in human-AI co-working framework directly attack the structural limitations of legacy threat modelling methods. TRACE thus enables more accurate, prioritized, and reviewable risk analysis within environments where legacy perimeter and authority assumptions have failed. The methodology is openly released, inviting ongoing empirical evaluation and community refinement.