Threat modeling is a process that helps testers and defenders better understand the threats that inspired the assessment, or the threats that the application or network is most prone to. This information is then used to help penetration testers emulate, assess, and address the most common threats that the organization, network, or application faces.
Once the threats an organization faces are understood, the next step is to perform a vulnerability assessment on the assets to further determine the risk rating and severity.