I produce STRIDE-based threat models for applications and system architectures — systematically identifying what can go wrong, how likely it is, what the impact would be, and what controls mitigate it.
Process: architecture and data flow review; trust boundary mapping; STRIDE threat enumeration (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege); threat rating by likelihood and impact (CVSS or DREAD); attack tree construction for highest-risk threats; mitigation recommendations mapped to OWASP, NIST, or ASVS controls; and an executive summary with risk prioritization.
I work from architecture diagrams, data flow descriptions, and your tech stack documentation. I can produce the Data Flow Diagram myself from a written system description if you don't have one. No diagrams required upfront.
Output is formatted for compliance use (SOC 2 CC6/CC7, ISO 27001 A.14, PCI-DSS Req. 6) and stakeholder presentation. Common use cases: pre-launch security review, pre-pentest scoping, design review, and compliance evidence.
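The following is an added illustration of the enumeration-and-rating step described above, not a deliverable or tool from the listing: it derives candidate STRIDE threats from each DFD element type, flags data flows that cross a trust boundary, and ranks rated threats by DREAD. The DFD, the element names and the DREAD inputs are constructed for the example.

```python
# Added example (not the service's own tooling): STRIDE enumeration over a constructed DFD, ranked with DREAD.
from dataclasses import dataclass

# STRIDE categories applicable per DFD element type (the usual per-element table).
STRIDE_BY_ELEMENT = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}
STRIDE_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation", "I": "Information Disclosure",
                "D": "Denial of Service", "E": "Elevation of Privilege"}

@dataclass
class Element:
    name: str
    kind: str            # external | process | store | flow
    zone: str            # trust zone; for flows, the source zone
    dest_zone: str = ""  # flows only: destination trust zone

def crosses_boundary(e: Element) -> bool:
    """A flow between two different trust zones crosses a trust boundary."""
    return e.kind == "flow" and e.zone != e.dest_zone

def enumerate_threats(elements):
    """One candidate threat per (element, applicable STRIDE category)."""
    return [{"element": e.name, "category": STRIDE_NAMES[c], "boundary": crosses_boundary(e)}
            for e in elements for c in STRIDE_BY_ELEMENT[e.kind]]

def dread(damage, reproducibility, exploitability, affected_users, discoverability):
    """DREAD rating: mean of the five 1-10 scores."""
    return round((damage + reproducibility + exploitability + affected_users + discoverability) / 5, 1)

def prioritize(threats, ratings):
    """Attach DREAD scores (ratings keyed by (element, category)); unrated threats sort last."""
    for t in threats:
        r = ratings.get((t["element"], t["category"]))
        t["score"] = dread(*r) if r else None
    return sorted(threats, key=lambda t: (t["score"] is None, -(t["score"] or 0)))

# Constructed DFD: browser -> API in a DMZ -> orders database in an internal zone.
DFD = [Element("Browser", "external", "internet"), Element("API", "process", "dmz"),
       Element("OrdersDB", "store", "internal"),
       Element("Browser->API", "flow", "internet", "dmz"), Element("API->OrdersDB", "flow", "dmz", "internal")]
# Illustrative DREAD inputs for three threats; everything else stays unrated until reviewed.
RATINGS = {("API", "Elevation of Privilege"): (10, 8, 7, 9, 6),
           ("Browser->API", "Information Disclosure"): (7, 9, 8, 9, 8),
           ("OrdersDB", "Tampering"): (9, 4, 3, 9, 3)}

if __name__ == "__main__":
    for t in prioritize(enumerate_threats(DFD), RATINGS):
        flag = " [crosses trust boundary]" if t["boundary"] else ""
        print(f'{str(t["score"]):>5}  {t["element"]:<14} {t["category"]}{flag}')
```

Rated threats come out first, highest DREAD score at the top, so the boundary-crossing flows and the unrated remainder are visible at a glance for the review.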