L2.1.2 — STRIDE adapted for AI systems¶
Type: Theory · Duration: ~5 min · Status: Mandatory · Module: Module 2 — AI Security Foundations · Framework tags: foundational — supports NIST AI RMF Map 5.1; output feeds directly into L2.6 lab
Learning objectives¶
By the end of this lesson, the learner can:
1. Recall STRIDE's six original categories and what each catches.
2. Recognize the two AI-specific categories — Model manipulation and Agency abuse — and when to use them.
3. Apply the extended STRIDE to one element of a data-flow diagram.
Core content¶
STRIDE is Microsoft's mnemonic for the six classical threat categories, one letter per category:
- Spoofing — pretending to be someone (or something) you're not. Authentication failures.
- Tampering — modifying data or code without authorization. Integrity failures.
- Repudiation — denying you did something, with no way to prove otherwise. Audit/non-repudiation failures.
- Information disclosure — leaking data to parties who shouldn't see it. Confidentiality failures.
- Denial of service — making a system unavailable. Availability failures.
- Elevation of privilege — gaining rights you weren't supposed to have. Authorization failures.
STRIDE is applied per element of the DFD — for each process, data store, and data flow, you ask "could each of these letters happen here?" Most threat-modeling exercises end up with a table where rows are DFD elements and columns are STRIDE letters; cells contain identified threats.
Where classical STRIDE falls short on AI¶
Classical STRIDE was designed for client-server software in the 1990s. Two whole AI attack classes have no obvious home:
- Backdoors, evasion, jailbreaks — the model behaves correctly under normal inputs but maliciously under crafted ones. This is not tampering (the model's weights weren't modified post-deployment) and it's not elevation of privilege (the attacker isn't gaining new rights — the model is doing something it was already capable of). It's a category STRIDE doesn't name.
- Tool-using agents that take real-world actions — when an LLM agent issues a refund, sends an email, or shells out to a tool, the agent might not be elevated, but it's been coerced into using its already-granted privileges for the attacker's purposes. Classical EoP misses the framing.
Two extra categories for AI¶
We add two letters: M and A. The mnemonic becomes STRIDE-MA.
- M — Model manipulation. Any threat that changes the model's behavior without changing the model's authorized weights. Covers prompt injection (direct and indirect), jailbreaks, adversarial examples, backdoor triggers in pretrained weights, training-data poisoning.
- A — Agency abuse. Any threat that coerces an agent/tool-using system into actions the deployer wouldn't sanction, using authority the agent already had. Covers excessive-agency exploits, tool-abuse, plan-injection, "confused deputy" patterns against LLM agents.
Both new categories often combine with classical ones in real attack chains: indirect prompt injection (M) leads to insecure output handling (I — information disclosure) leads to data exfiltration (E). That chaining is the point.
How to apply this¶
For every element of your DFD, walk through STRIDE-MA. Eight letters, eight quick "could this happen here?" prompts. Capture the ones that apply in your threat list with a one-line description, an impact estimate, and a likelihood estimate. You're done with the "what can go wrong" question.
This is precisely what you'll do in lab L2.6 against the RAG app from Module 1.
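The per-element walk described above, and the way threats from different elements chain, as an added example that is not part of the lesson or of the L2.6 lab materials. It models a few DFD elements of a hypothetical RAG app (element names, threat wording and the impact/likelihood numbers are all constructed), records a verdict for every one of the eight letters per element so that a skipped prompt is visible, and produces the element × letter matrix plus a flat threat list. The impact × likelihood score and the weakest-link chain score are this example's own assumptions; the lesson only asks for the two estimates.

```python
"""STRIDE-MA walk over a few DFD elements of a hypothetical RAG app.

Added example, not lesson code. Element names, threats and the impact /
likelihood numbers below are constructed for illustration.
"""
from dataclasses import dataclass, field

# STRIDE-MA letters in the order the lesson lists them.
LETTERS = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
    "M": "Model manipulation",
    "A": "Agency abuse",
}


@dataclass
class Threat:
    letter: str        # one of LETTERS
    description: str   # the one-line description the lesson asks for
    impact: int        # analyst estimate, 1 (negligible) .. 5 (severe)
    likelihood: int    # analyst estimate, 1 (rare) .. 5 (expected)

    def __post_init__(self) -> None:
        if self.letter not in LETTERS:
            raise ValueError(f"unknown STRIDE-MA letter {self.letter!r}")
        for v in (self.impact, self.likelihood):
            if not 1 <= v <= 5:
                raise ValueError("impact and likelihood must be in 1..5")

    @property
    def risk(self) -> int:
        # Impact x likelihood score (an assumption of this example).
        return self.impact * self.likelihood


@dataclass
class Element:
    name: str
    kind: str  # process | data_store | data_flow | external_entity
    threats: list[Threat] = field(default_factory=list)
    # Letters the analyst considered and ruled out, with the reason, so that
    # "no threat here" is a recorded verdict rather than a forgotten prompt.
    not_applicable: dict[str, str] = field(default_factory=dict)

    def answered(self) -> set[str]:
        return {t.letter for t in self.threats} | set(self.not_applicable)


def unanswered(elements: list[Element]) -> list[tuple[str, str]]:
    """(element, letter) prompts still lacking a verdict; the walk is done when this is empty."""
    return [(e.name, L) for e in elements for L in LETTERS if L not in e.answered()]


def matrix(elements: list[Element]) -> dict[str, dict[str, list[str]]]:
    """Rows: DFD elements; columns: the eight letters; cells: identified threats."""
    return {
        e.name: {L: [t.description for t in e.threats if t.letter == L] for L in LETTERS}
        for e in elements
    }


def register(elements: list[Element]) -> list[dict]:
    """Flat threat list, highest risk first, in the shape a threat register wants."""
    rows = [
        {"element": e.name, "letter": t.letter, "category": LETTERS[t.letter],
         "description": t.description, "impact": t.impact,
         "likelihood": t.likelihood, "risk": t.risk}
        for e in elements for t in e.threats
    ]
    return sorted(rows, key=lambda r: -r["risk"])


def chain_risk(chain: list[Threat]) -> int:
    """Weakest-link score for a multi-letter chain (assumption of this example):
    every link has to work, so likelihood is the minimum; impact is the worst link's."""
    return max(t.impact for t in chain) * min(t.likelihood for t in chain)


# --- constructed sample: two elements of a hypothetical RAG app ---------------
RETRIEVED = Element(
    name="Retrieved chunks -> orchestrator", kind="data_flow",
    threats=[
        Threat("M", "Indirect prompt injection: instructions inside a retrieved chunk steer the model", 4, 4),
        Threat("T", "Poisoned document in the index changes what gets retrieved", 3, 2),
        Threat("I", "Chunks from another tenant's documents reach the prompt", 5, 2),
    ],
    not_applicable={
        "S": "internal flow; identity is established at the user-request boundary",
        "R": "no user action on this flow to repudiate",
        "D": "covered under the vector store element",
        "E": "the flow carries data, not privileges",
        "A": "no tool is invoked on this flow",
    },
)
ORCHESTRATOR = Element(
    name="LLM orchestrator", kind="process",
    threats=[
        Threat("I", "Insecure output handling: model output is rendered or passed on without validation", 4, 3),
        Threat("A", "Coerced tool call: agent sends email with attacker-chosen recipient and body", 5, 2),
        Threat("D", "Oversized adversarial prompts exhaust the token budget", 2, 4),
    ],
    not_applicable={"S": "caller identity is checked by the API gateway"},  # T, R, E, M still open
)
# A chain across elements in the lesson's style: M on the flow -> I -> A in the orchestrator.
EXAMPLE_CHAIN = [RETRIEVED.threats[0], ORCHESTRATOR.threats[0], ORCHESTRATOR.threats[1]]

if __name__ == "__main__":
    for row in register([RETRIEVED, ORCHESTRATOR]):
        print(f"{row['risk']:>2}  {row['letter']}  {row['element']}: {row['description']}")
    print("still to answer:", unanswered([RETRIEVED, ORCHESTRATOR]))
    print("chain risk:", chain_risk(EXAMPLE_CHAIN))
```

Running it prints the register with the indirect-prompt-injection row first (risk 16), lists the four orchestrator prompts (T, R, E, M) that still need a verdict, and gives the chain a score of 10. The `not_applicable` dictionary is the part worth copying into your own lab work: writing down why a letter does not apply is what turns "eight quick prompts" into evidence that all eight were actually asked.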
Real-world example¶
The Air Canada chatbot incident maps cleanly: the chatbot generated a refund policy that didn't exist (Model manipulation — hallucinated output the system treated as authoritative), the chatbot was authorized to commit the company to that statement (Agency abuse — the deployment treated model output as binding), and the user relied on it (Information disclosure — false-positive disclosure of a non-existent policy). One incident, three categories from extended STRIDE.
Key terms¶
- STRIDE — the original six-category threat mnemonic.
- STRIDE-MA — the AI-extended version with Model manipulation and Agency abuse added.
- Per-element analysis — applying the mnemonic to each DFD element in turn.
References¶
- Adam Shostack — Threat Modeling, chapters 4–6.
- Microsoft STRIDE documentation — https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats
- For comparison: PASTA, LINDDUN, attack trees — Shostack chapter 7.
Quiz items¶
- Q: What does STRIDE stand for? A: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege.
- Q: Indirect prompt injection. Which STRIDE-MA letter is its primary home? A: M — Model manipulation.
- Q: An LLM agent is tricked into sending email on the attacker's behalf via crafted retrieved content. Which letters apply? A: M (model manipulation via injection) + A (agency abuse) and often I (information disclosure of recipient's data).
Video script (~600 words, ~4.5 min)¶
[SLIDE 1 — Title]
STRIDE adapted for AI. Five minutes. We're going to take the six-letter mnemonic you already know and add two letters that the AI era needs. By the end you'll have a tool you can apply to any data-flow diagram of any AI system.
[SLIDE 2 — STRIDE recap]
STRIDE recap. Six letters. Spoofing — pretending to be someone you're not. Tampering — modifying data without authorization. Repudiation — denying you did something with no way to prove otherwise. Information disclosure — leaking data. Denial of service — making the system unavailable. Elevation of privilege — gaining rights you weren't supposed to have.
[SLIDE 3 — How STRIDE is applied]
STRIDE is applied per element of the DFD. For each process, data store, data flow, you ask "could each of these letters happen here?" You end up with a table — rows are DFD elements, columns are STRIDE letters, cells are identified threats. That's classical STRIDE. It's been around for thirty years and it still works.
[SLIDE 4 — Where classical STRIDE falls short]
Where it falls short on AI. Two AI attack classes have no obvious home. First: backdoors, evasion, jailbreaks. The model behaves correctly under normal inputs but maliciously under crafted ones. This is not tampering — the weights weren't modified post-deployment. It's not elevation of privilege — the attacker isn't gaining new rights. The model is doing something it was already capable of, just under attacker direction. STRIDE doesn't name this category. Second: tool-using agents. When an LLM agent issues a refund or sends an email, the agent isn't elevated. It's been coerced into using its already-granted privileges for the attacker's purposes. Classical EoP misses this.
[SLIDE 5 — Two new letters: M and A]
So we add two letters. The mnemonic becomes STRIDE-MA. M is for Model manipulation. Any threat that changes the model's behavior without changing the model's authorized weights. Covers prompt injection, jailbreaks, adversarial examples, backdoor triggers, training-data poisoning. A is for Agency abuse. Any threat that coerces an agent or tool-using system into actions the deployer wouldn't sanction, using authority the agent already had. Covers excessive-agency, tool-abuse, plan-injection, confused-deputy patterns.
[SLIDE 6 — They chain]
Both new categories often combine with classical ones in real attack chains. Indirect prompt injection — M — leads to insecure output handling — I — leads to data exfiltration — E. That chaining is the whole point. Real incidents are rarely a single letter.
[SLIDE 7 — Air Canada walk-through]
Air Canada walk-through. The chatbot generated a refund policy that didn't exist — Model manipulation, hallucinated output the system treated as authoritative. The chatbot was authorized to commit the company to that statement — Agency abuse. The user relied on it — Information disclosure of a non-existent policy. One incident, three letters from the extended mnemonic.
[SLIDE 8 — How you'll use this]
How you'll use this. For every element of your DFD, walk through STRIDE-MA. Eight letters, eight quick prompts. Capture the threats that apply with a one-line description, an impact estimate, a likelihood estimate. You're done with the "what can go wrong" question.
[SLIDE 9 — Up next]
Lab L2.6 will have you do exactly this against the RAG app you built in L1.7. Before that, we look at the AI attack surface as a five-plane map — next lesson. See you there.
Slide outline¶
- Title — "STRIDE adapted for AI systems".
- STRIDE recap — six letters as a vertical list with one-line definitions.
- How STRIDE is applied — matrix: DFD elements × STRIDE letters, cells with example threats.
- Where STRIDE falls short — two cards: "Backdoors and jailbreaks" + "Tool-using agents", each with a small "doesn't fit ___" annotation.
- Two new letters — "M — Model manipulation" and "A — Agency abuse" as large add-on cards with example threats below each.
- They chain — diagram: Indirect PI (M) → Insecure output (I) → Exfil (E), with arrows.
- Air Canada walk-through — incident summary with three letter-tags called out.
- How you'll use this — matrix from slide 3 but with the two new columns added.
- Up next — "L2.2.1 — Mapping the AI attack surface, ~4 min."
Production notes¶
- Recording: ~4.5–5 min. Cap 5.
- Slides 4 and 5 are the most novel part of the lesson; slow down here. The rest can move faster.