Threat Modeling

The Catalog That Collapses on First Contact

Many space organizations hold a threat catalog. It is usually impressive in length and usually assembled from three sources: intelligence community briefings, industry publications, and the most recent counterspace exercises. The catalog lists kinetic anti-satellite weapons, co-orbital approaches, high-power laser engagement, radio-frequency jamming, command-link spoofing, ground-segment cyber intrusion, supply-chain compromise, and a handful of novel items the analyst has read about in the last year. Each entry carries a plausibility rating. The document circulates to leadership, is signed off, and is filed.

The document’s problem is not that anything on it is wrong. The document’s problem is that it is an inventory, not a model. It lists what could happen without mapping who would do what to which part of the architecture, through which specific vulnerability, producing which concrete effect. Asked to prioritize, the reader has no structured way to decide which threats deserve the next dollar of defensive investment and which are acceptable residual risk. The inventory catalogs danger. It does not model it.

Threat modeling is the discipline that substitutes a relational model for the inventory — one in which actors, capabilities, intents, vectors, vulnerabilities, and impacts are connected to each other through explicit links, and in which priority emerges from the structure of those links rather than from a subjective ranking of dramatic scenarios.

From Military Intelligence to STRIDE and ATT&CK

Threat modeling as a discipline has two parents whose children later merged. The first parent is military intelligence tradecraft, whose concern with enemy capabilities, intent, and opportunity goes back centuries but whose modern formulation matured in the Cold War, when Soviet and Warsaw Pact capability assessments required structured methodologies to reconcile observable capability with inferred intent. The “capability × intent × opportunity” triad that still anchors likelihood assessments in threat modeling is inherited from this tradition, along with the insistence that intelligence gaps be flagged explicitly rather than obscured by confident prose.

The second parent is cybersecurity, where threat modeling became a structured discipline in the late 1990s and early 2000s as enterprise software systems grew too complex for ad-hoc vulnerability review. STRIDE, developed at Microsoft by Loren Kohnfelder and Praerit Garg in 1999, gave security engineers a checklist-style taxonomy — Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege — that could be applied systematically to every component of a system. PASTA (Process for Attack Simulation and Threat Analysis), developed later by Tony UcedaVélez and Marco Morana, integrated business-impact analysis with the technical threat mapping. MITRE’s ATT&CK framework, begun internally in 2013, released publicly in 2015 and continuously extended since, added the empirical backbone by cataloging observed adversary tactics, techniques, and procedures against real-world systems.

The space-sector application drew from both traditions. Physical threats to orbital assets — kinetic ASAT, co-orbital engagement, directed energy — map naturally onto the intelligence-community vocabulary of capability and intent. Cyber threats to ground segments, telemetry-tracking-and-command (TT&C) links, and software update mechanisms map onto STRIDE and ATT&CK. Hybrid threats that combine physical and cyber elements — electronic warfare, supply-chain compromise, information operations against mission partners — require both lineages in combination. Modern space threat modeling treats these as one practice with multiple vocabularies, which is how practitioners who grew up in either tradition can still talk to each other.

What a Threat Model Sees That a Threat List Does Not

The characteristic analytical gesture of threat modeling is the construction of a relational map in which adversarial actors, attack surfaces, and system vulnerabilities are linked through specific vectors to specific impacts. A threat list enumerates entities. A threat model connects them.

Actor characterization

For each plausible adversary — nation-state, non-state actor, criminal group, insider, and even unintentional threat source — three dimensions are assessed: capability (what they can technically do), intent (what strategic objectives would motivate action), and opportunity (when and how access is available). The combination of these three is what generates a defensible likelihood estimate. Capability alone is not threat; a state that can destroy a satellite may have no strategic reason to do so, and an actor with high intent but no capability is at most a concern, not a threat. The method insists that none of the three dimensions be dropped.

Attack-surface mapping

The target system is decomposed into its entry points, interfaces, and dependencies — RF links, command channels, software update mechanisms, third-party components, orbital proximity windows, electromagnetic spectrum access, ground-segment network topology. Each element of the attack surface is labeled with the vulnerabilities it exposes and the preconditions required to exploit them. This decomposition is the counterpart of FMEA's bottom-up enumeration for technical risk, but oriented toward adversarial exploitation rather than intrinsic failure.

Scenario construction

Each plausible actor is paired with each relevant surface element to produce a concrete scenario: actor acts on vector to exploit vulnerability to produce impact. A scenario is not "the peer-state threatens the constellation" — that is still an inventory entry. A scenario is "peer-state adversary uses demonstrated co-orbital approach capability during predicted orbital window to close within proximity envelope X, producing mission-degrading effect Y on specific spacecraft elements Z, with detection latency W." The concreteness is what allows likelihood and impact to be rated honestly.

Clustering for prioritization

Scenarios are ranked by combined risk score — capability × intent × opportunity on the likelihood side, consequence severity on the impact side — and clusters emerge where multiple high-priority scenarios share common vulnerabilities or common actors. Clusters are strategically important because they identify mitigation investments with disproportionate leverage: a single hardening of a commonly-exploited vulnerability can retire multiple scenarios at once, while point mitigations addressing single scenarios may miss the structural weakness.

Assumptions and confidence

Intelligence gaps, behavioral assumptions about adversary decision-making, and the provenance of each scenario's plausibility are flagged. Unstated certainty misleads downstream risk decisions; stated uncertainty allows the model to be challenged, updated, and improved as new intelligence arrives.

A LEO Constellation Through Three Adversary Lenses

Consider the method applied to a generic commercial LEO communications constellation. The target scope is defined narrowly: the space segment (several hundred satellites), the ground segment (a set of teleports and operations centers), the TT&C network linking them, and the subscriber-facing service infrastructure.

Three actors are characterized in depth. A peer-state adversary has demonstrated ASAT capability, both kinetic and co-orbital, with intent clearly articulated in doctrinal documents to deny space-enabled communications in a high-tensions scenario; opportunity depends on the orbital regime and timing of any particular engagement. A criminal group has moderate cyber capability, no interest in kinetic action, and a ransomware-focused motive; opportunity depends on the cyber posture of the ground segment. An insider has low cyber capability by external comparison but high access — legitimate TT&C credentials, familiarity with command syntax, and physical access to specific operations consoles — with motive ranging from financial to ideological.

Actor          | Capability                                  | Intent                                            | Primary vector
Peer state     | Demonstrated ASAT (kinetic and co-orbital)  | Denial of space-enabled communications in crisis  | Kinetic/co-orbital on-orbit; ground-segment disruption below kinetic threshold
Criminal group | Moderate cyber, widely distributed          | Ransomware, financial extortion                   | Ground-segment cyber intrusion
Insider        | Low external-comparison cyber, high access  | Financial to ideological                          | TT&C credential abuse from within operations

The attack surface decomposition exposes the usual layers. Uplink RF channels are vulnerable to jamming and to sophisticated spoofing if the link authentication is weak. The ground segment network is vulnerable to cyber intrusion through conventional enterprise attack vectors; the TT&C subsystem within the ground segment is vulnerable to both external cyber attack and insider credential abuse. Orbital proximity is a vulnerability only against the peer-state actor, because only they have the co-orbital capability to exploit it.

The scenario construction produces a matrix of plausible combinations. The peer-state-to-uplink-via-jamming scenario rates high likelihood in crisis, high impact on service continuity, moderate confidence because jamming attribution is imperfect. The peer-state-to-spacecraft-via-co-orbital-approach scenario rates lower likelihood outside conflict (because the strategic threshold for kinetic action is high) but very high impact if executed, with specific uncertainty around which spacecraft would be targeted first. The criminal-group-to-ground-segment-via-cyber-intrusion scenario rates moderate-to-high likelihood (because the motive is persistent and the capability is widely distributed), high impact on both service continuity and financial exposure, good confidence because ransomware campaigns are well-characterized empirically. The insider-to-TT&C-via-credential-abuse scenario rates low likelihood (because insider threats are rare in absolute terms) but very high impact (because an insider with TT&C access can effect immediate mission-kill on specific spacecraft), and moderate confidence because insider threat intelligence is sparse.

The clustering produces the non-obvious insight. Across these three otherwise distinct actors, the ground segment emerges as the shared attack surface in a plurality of high-priority scenarios. The criminal group’s primary vector is the ground segment. The insider’s primary vector is the ground segment. The peer-state’s secondary and often-preferred vector, short of kinetic action, is also the ground segment — because in many doctrinal framings, denial of space-enabled communications through ground-segment disruption is a lower-threshold escalation than on-orbit kinetic action. The highest-leverage single mitigation — hardening of the ground segment network, segmentation of TT&C from enterprise systems, multi-person control on consequential commanding — retires or reduces scenarios across all three actor classes at once.

This finding is exactly the kind that an inventory-style threat list does not produce. The list would have shown ground-segment cyber as one of many entries; the model, with its relational structure, shows that the ground segment is the convergence point of three otherwise distinct adversaries and therefore the single defensive investment with the highest leverage.
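The procedure described earlier (actor characterization, surface mapping, scenario construction, clustering) and the constellation walk-through above, carried through as an added example; this is not code from the page, and every rating in it is an illustrative assumption on a 1-5 scale rather than an intelligence judgment. The surface names, vulnerabilities and the threshold of 100 are likewise assumed for the demonstration. The point it makes that the prose cannot is numerical: the single highest-risk scenario is uplink jamming, yet the cluster with the most leverage is the ground segment, because three distinct actors converge on it.

```python
"""Relational threat model of a generic commercial LEO constellation.

Added example, not from the page. All ratings are illustrative assumptions on
a 1-5 scale (0 means the actor has none of that factor); the actors, surfaces
and vulnerabilities mirror the page's worked example.
"""
from collections import defaultdict
from dataclasses import dataclass

# surface name -> (segment, exposed vulnerability, impact 1-5 if exploited)
SURFACES = {
    "uplink RF":          ("space",  "weak link authentication, thin anti-jam margin", 4),
    "on-orbit proximity": ("space",  "no evasive-maneuver reserve", 5),
    "ops network":        ("ground", "flat enterprise network reachable from TT&C hosts", 4),
    "TT&C console":       ("ground", "single-person commanding, shared credentials", 5),
}


@dataclass(frozen=True)
class Scenario:
    actor: str
    surface: str
    capability: int   # what the actor can technically do against this surface
    intent: int       # strategic motivation to act on it
    opportunity: int  # access the actor actually has to this surface
    effect: str       # concrete impact the scenario produces
    confidence: str   # provenance / intelligence-gap flag

    @property
    def segment(self) -> str:
        return SURFACES[self.surface][0]

    @property
    def vulnerability(self) -> str:
        return SURFACES[self.surface][1]

    @property
    def impact(self) -> int:
        return SURFACES[self.surface][2]

    @property
    def likelihood(self) -> int:
        # capability x intent x opportunity: a zero in any factor zeroes the
        # scenario, which encodes the rule that none of the three may be dropped.
        return self.capability * self.intent * self.opportunity

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


# Constructed actor-to-surface pairings (illustrative ratings, not intelligence).
PAIRINGS = [
    Scenario("peer state", "uplink RF", 5, 4, 5,
             "service outage over contested region", "moderate: jamming attribution imperfect"),
    Scenario("peer state", "on-orbit proximity", 5, 2, 3,
             "loss of specific spacecraft", "low: target selection unknown"),
    Scenario("peer state", "ops network", 5, 4, 3,
             "fleet-wide commanding disruption", "moderate"),
    Scenario("criminal group", "ops network", 3, 5, 4,
             "ransomware halts operations", "high: campaigns well characterised"),
    Scenario("criminal group", "on-orbit proximity", 0, 5, 0,
             "n/a", "high: no co-orbital capability"),
    Scenario("insider", "TT&C console", 2, 2, 5,
             "mission-kill of targeted spacecraft", "moderate: insider data sparse"),
    Scenario("insider", "ops network", 2, 2, 4,
             "degraded ground operations", "moderate"),
]


def rank(scenarios):
    """Drop zero-likelihood pairings (capability or opportunity absent) and
    return the rest sorted by risk, highest first."""
    live = [s for s in scenarios if s.likelihood > 0]
    return sorted(live, key=lambda s: s.risk, reverse=True)


def cluster(scenarios, threshold):
    """Group scenarios at or above the risk threshold by the segment whose
    vulnerabilities they share; returns {segment: (distinct actors, risk retired)}."""
    actors = defaultdict(set)
    retired = defaultdict(int)
    for s in scenarios:
        if s.risk >= threshold:
            actors[s.segment].add(s.actor)
            retired[s.segment] += s.risk
    return {seg: (len(actors[seg]), retired[seg]) for seg in actors}


def highest_leverage(clusters):
    """Segment reached by the most distinct actors; summed risk breaks ties."""
    return max(clusters, key=lambda seg: clusters[seg])


if __name__ == "__main__":
    ranked = rank(PAIRINGS)
    for s in ranked:
        print(f"{s.risk:4d}  {s.actor:14s} -> {s.surface:18s} via {s.vulnerability}")
    found = cluster(ranked, threshold=100)
    print(found)
    print("invest first in:", highest_leverage(found))
```

Running it lists uplink jamming first at risk 400, but the ground-segment cluster collects three actors and 580 points of retirable risk against the space segment's one actor and 550, so the leverage calculation picks the ground segment. Changing the threshold or any single rating and re-running is the cheap way to see how sensitive that conclusion is to the assumptions the model flags.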

Where It Earns Its Keep and Where It Falls Short

The method’s strength is adversarial legibility. For space security questions, no other method in the library produces the actor-vector-vulnerability-impact mapping that defensive planning requires, and the structured prioritization that emerges from clustering is the foundation of credible security investment. It is indispensable for any counterspace, orbital security, or space-cybersecurity analysis.

Its weaknesses are consistent with its nature. The method is heavily dependent on available intelligence about adversary capabilities and intent. Open-source gaps produce blind spots that the practitioner can only partially close through inference and assumption-flagging. Mirror-imaging is a persistent failure mode — assuming that adversaries think like the analyst, which produces threat models that miss genuinely asymmetric approaches. Red-team analysis is the principal complement that catches this failure mode, because red-teamers are specifically tasked to think unlike the incumbent.

Threat landscapes evolve rapidly. A threat model is a snapshot, and in a sector where new counterspace capabilities, cyber techniques, and supply-chain attack patterns emerge frequently, the snapshot ages quickly. Reassessment triggers — specific events that require the model to be re-run — are as important as the model itself, and a model without declared triggers decays into an artifact. Practitioners applying the method also tend to overweight exotic threats (orbital EMP, novel kinetic weapons) because they find them more interesting than the probable ones (ground-segment misconfiguration, credential reuse, supply-chain flaws), which is why the discipline of grounding each likelihood rating in evidence matters so much.

The method does not inherently address systemic or structural risks that exceed single-threat scope. A constellation resilient to any single threat may still be fragile to the aggregate pressure of multiple threats acting within the same window; resilience analysis is the complement that addresses this dimension. Threat modeling is also not suitable as a standalone basis for policy recommendation. Paired with risk-matrix assessment for aggregate prioritization and with kill-chain analysis for operational decomposition of the most consequential scenarios, it produces recommendations that decision-makers can act on.

The library treats threat modeling as tightly coupled with several neighbors. Its actor-vector-target combinations feed kill-chain analysis directly. Its likelihood and impact ratings feed the broader risk matrix. Its supply-chain attack vectors feed supply-chain dependency analysis. The systemic residuals it cannot address feed resilience analysis. A threat model built in isolation from these connections answers less than it should.
