Advanced Threat Defense
Use AI for threat modeling, zero-trust architecture design, penetration test preparation, and proactive defense strategies.
Reactive security waits for attacks. Proactive security models threats, hardens defenses, and tests them before attackers do. AI makes proactive security practical for teams of any size.
🔄 Quick Recall: In the previous lesson, you automated compliance and governance — continuous evidence collection and policy management. Advanced threat defense is the proactive layer: anticipating attacks before they happen.
Threat Modeling with AI
STRIDE Threat Analysis
Perform a STRIDE threat model for our application:
Architecture:
- React frontend (CloudFront CDN)
- FastAPI backend (EKS, 5 microservices)
- PostgreSQL database (RDS, PII data)
- Redis cache (ElastiCache)
- S3 for file uploads
- Auth: OAuth 2.0 with JWT tokens
For each component and data flow, identify threats using STRIDE:
- Spoofing: Can an attacker impersonate a user or service?
- Tampering: Can data be modified in transit or at rest?
- Repudiation: Can actions be performed without audit trail?
- Information Disclosure: Can data leak to unauthorized parties?
- Denial of Service: Can availability be disrupted?
- Elevation of Privilege: Can permissions be escalated?
For each threat:
1. Description and attack scenario
2. Likelihood (High/Medium/Low)
3. Impact (High/Medium/Low)
4. Existing mitigations
5. Recommended additional controls
6. Priority (Critical/High/Medium/Low)
Attack Surface Analysis
Analyze the attack surface of our API:
Endpoints (from OpenAPI spec):
[Paste key endpoints with auth requirements]
For each endpoint, assess:
1. Authentication required? (public vs. authenticated)
2. Authorization level? (user vs. admin vs. service)
3. Input types? (strings, files, JSON objects)
4. Data returned? (PII, financial, metadata)
5. Rate limiting in place? (yes/no, what limits)
Identify:
- Endpoints with highest risk (public + PII + file upload)
- Missing security controls per endpoint
- Recommended WAF rules
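A worked example, added here and not part of the lesson, of the attack surface analysis above done in code: it walks an OpenAPI 3 document and ranks operations by the lesson's criteria (public, returns PII, accepts file uploads, no rate limiting). The PII field names, the scoring weights and the `x-rate-limit` vendor extension are assumptions, and the spec fragment is constructed.

```python
# Added example, not from the lesson: score each operation of an OpenAPI 3 document
# on the lesson's criteria (public, returns PII, accepts uploads, no rate limit).
# The PII field names and the "x-rate-limit" extension are assumptions.
PII_FIELDS = {"email", "ssn", "phone", "date_of_birth", "address"}
METHODS = ("get", "post", "put", "patch", "delete")

def schema_fields(schema):
    """Collect property names from an inline JSON schema, recursing into nesting."""
    names = set()
    for name, sub in schema.get("properties", {}).items():
        names |= {name} | schema_fields(sub)
    if "items" in schema:
        names |= schema_fields(schema["items"])
    return names

def assess_endpoint(spec, path, method, op):
    # Operation-level 'security' overrides the global one; an empty list means public.
    public = len(op.get("security", spec.get("security", []))) == 0
    body = op.get("requestBody", {}).get("content", {})
    returned = set()
    for resp in op.get("responses", {}).values():
        for media in resp.get("content", {}).values():
            returned |= schema_fields(media.get("schema", {}))
    pii = sorted(returned & PII_FIELDS)
    upload = "multipart/form-data" in body or "application/octet-stream" in body
    rate_limited = bool(op.get("x-rate-limit"))
    # Weighted so the lesson's worst case (public + PII + upload) ranks first.
    score = 3 * public + 2 * bool(pii) + 2 * upload + (0 if rate_limited else 1)
    return {"endpoint": f"{method.upper()} {path}", "public": public, "pii": pii,
            "upload": upload, "rate_limited": rate_limited, "score": score}

def rank_attack_surface(spec):
    """Return every operation in the spec, highest risk first."""
    rows = [assess_endpoint(spec, p, m, op)
            for p, item in spec["paths"].items() for m, op in item.items() if m in METHODS]
    return sorted(rows, key=lambda r: r["score"], reverse=True)

# Constructed spec fragment standing in for the lesson's FastAPI backend.
SAMPLE_SPEC = {
    "security": [{"bearerAuth": []}],
    "paths": {
        "/files": {"post": {"security": [],
                            "requestBody": {"content": {"multipart/form-data": {}}}}},
        "/users/{id}": {"get": {"responses": {"200": {"content": {"application/json": {
            "schema": {"properties": {"email": {}, "profile": {"properties": {"ssn": {}}}}}}}}}}},
        "/auth/login": {"post": {"security": [], "x-rate-limit": "10/minute"}},
    },
}
```

Feed it the JSON exported from your FastAPI app's `/openapi.json` and the top rows are the endpoints to take into the STRIDE session first.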
✅ Quick Check: Your threat model identifies that your file upload endpoint accepts any file type, stores files in S3, and serves them back to users. AI identifies this as a critical risk. Why? (Answer: This is a stored XSS/RCE vector. An attacker uploads a malicious HTML file or SVG with embedded JavaScript. When another user views the file via the S3 URL, the malicious code executes in their browser. Mitigations: validate file types server-side, set Content-Disposition: attachment on S3 objects, serve files from a separate domain, and scan uploads for malware.)
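The server-side mitigations from the Quick Check answer, as an added example in plain Python rather than code from the lesson: the type allowlist, the size limit and the shape of the returned S3 `put_object` arguments are assumptions.

```python
# Added example, not from the lesson: the server-side checks the Quick Check
# answer calls for, as plain Python so it runs without FastAPI or boto3. The
# allowlist, size limit and returned S3 put_object arguments are assumptions.
import os
import secrets

# Extension -> (magic-byte prefix, MIME type to store). The client-supplied
# Content-Type is ignored; the bytes decide. HTML and SVG are deliberately absent.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    ".jpg": (b"\xff\xd8\xff", "image/jpeg"),
    ".jpeg": (b"\xff\xd8\xff", "image/jpeg"),
    ".pdf": (b"%PDF-", "application/pdf"),
}
MAX_BYTES = 10 * 1024 * 1024

class UploadRejected(ValueError):
    """Raised for any upload that must not reach S3."""

def validate_upload(filename, data):
    """Return the put_object arguments for an accepted file, or raise UploadRejected."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("file exceeds size limit")
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext or '(none)'} is not allowed")
    magic, mime = ALLOWED[ext]
    if not data.startswith(magic):
        raise UploadRejected("content does not match the declared type")
    return {
        # Server-generated key: the user's filename never becomes part of the path.
        "Key": f"uploads/{secrets.token_hex(16)}{ext}",
        "ContentType": mime,
        # Force download so the browser never renders the object inline, even if a
        # polyglot slipped past the magic-byte check; pair this with serving from a
        # separate domain, as the answer above recommends.
        "ContentDisposition": "attachment",
    }
```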
Zero Trust Architecture
Zero Trust Migration Plan
Design a zero-trust migration plan for our infrastructure:
Current state:
- VPN-based access (all internal services trust VPN connections)
- 15 microservices in Kubernetes
- Service-to-service communication: unencrypted within cluster
- Database access: IP-based allowlisting
- Admin access: VPN + SSH keys
Target state:
- mTLS for all service-to-service communication
- Identity-based access (no VPN required)
- Per-request authorization checks
- Encrypted everything (transit + rest)
- Just-in-time admin access with audit trail
Generate a phased migration plan:
Phase 1: [low risk, high impact — what to do first]
Phase 2: [medium complexity — expanding zero trust]
Phase 3: [full zero trust — VPN removal]
For each phase:
- What changes
- Risk during migration
- Rollback plan
- Estimated effort
- Success criteria
Penetration Test Preparation
Scope Document Generation
Generate a penetration test scope document:
Organization: [company name]
Test type: Gray box (pen testers get architecture docs)
Duration: 2 weeks
In scope:
- Production web application (app.example.com)
- REST API (api.example.com)
- Admin portal (admin.example.com)
- AWS infrastructure (specific account)
- Kubernetes cluster
Out of scope:
- Third-party services (Stripe, SendGrid)
- Social engineering
- Physical access
- DDoS/load testing
Include:
- Rules of engagement
- Communication procedures
- Emergency stop procedures
- Data handling requirements
- Deliverable expectations
Pre-Test Security Hardening
Before our penetration test next month, generate a security hardening checklist to address the most commonly exploited weaknesses:
Application: Python FastAPI on Kubernetes/AWS
Auth: OAuth 2.0 + JWT
Check and fix:
1. Default credentials anywhere
2. Verbose error messages in production
3. Security headers (CSP, HSTS, X-Frame-Options)
4. CORS configuration
5. Rate limiting on auth endpoints
6. Input validation on all endpoints
7. SQL injection protection
8. File upload restrictions
9. Admin panel access controls
10. Dependency vulnerabilities (npm, pip)
For each item, provide the specific check command and fix.
Practice Exercise
- Perform a STRIDE threat model on one of your applications using the template
- Design phase 1 of a zero-trust migration for your infrastructure
- Generate a penetration test scope document for your next security assessment
Key Takeaways
- Threat modeling before building is cheaper than finding vulnerabilities after deployment
- STRIDE provides a structured framework — AI applies it to your specific architecture
- Zero trust is a migration, not a switch — phase it to avoid breaking existing access patterns
- Penetration test preparation (hardening before the test) catches easy wins before testers do
- Attack surface analysis identifies which endpoints need the most protection
Up Next
In the final lesson, you’ll organize everything into your integrated AI-powered security stack — tools, workflows, and automation for every layer of your DevSecOps practice.