A service can be secure in isolation while the system around it remains exposed. The API validates its inputs. The identity provider enforces strong authentication. The deployment pipeline protects its branch. Risk appears in the handoff: what one component assumes the next component already proved.
Draw the transfer, not only the boxes
Architecture diagrams emphasize components. Threat models should emphasize what crosses between them: identity claims, credentials, files, messages, administrative authority, and decisions. For every transfer, ask who created it, who can change it, how the receiver validates it, and how long it remains trusted.
This exposes questions a component review can miss. Does the API trust a header because a proxy should have removed external copies? Does a deployment trust an artifact because it came from the expected bucket? Does an operator inherit production access through a group managed by another team?
A trust boundary is not just where data moves. It is where one part of the system accepts another part’s conclusion.
Model failure at the boundary
Consider stale, missing, replayed, reordered, and forged inputs. Then consider operational failure: the receiving service times out, the identity provider is unavailable, or a team uses an emergency bypass. Secure behavior under normal conditions is only half the model.
The best questions are concrete: What happens if this claim is valid but too old? If this queue message arrives twice? If the artifact is legitimate but built from an unreviewed commit? If an administrator must work while the normal approval service is down?
Give every handoff an owner
Cross-team controls often fail because each side owns its component while nobody owns the contract. Name the team responsible for the schema, validation rule, credential lifecycle, and failure behavior. Version the contract when possible and monitor rejection as well as acceptance.
A useful threat model does not need to predict every attack. It needs to reveal where the system is relying on an assumption that has no evidence, no expiration, or no owner. Handoffs are a good place to look.