Advanced Threat Defense

Use AI for threat modeling, zero-trust architecture design, penetration test preparation, and proactive defense strategies.

Premium Course Content

This lesson is part of a premium course. Upgrade to Pro to unlock all premium courses and content.

Access all premium courses
1000+ AI skill templates included
New content added weekly

← Back to course overview

Reactive security waits for attacks. Proactive security models threats, hardens defenses, and tests them before attackers do. AI makes proactive security practical for teams of any size.

🔄 Quick Recall: In the previous lesson, you automated compliance and governance — continuous evidence collection and policy management. Advanced threat defense is the proactive layer: anticipating attacks before they happen.

Threat Modeling with AI

STRIDE Threat Analysis

Perform a STRIDE threat model for our application:

Architecture:
- React frontend (CloudFront CDN)
- FastAPI backend (EKS, 5 microservices)
- PostgreSQL database (RDS, PII data)
- Redis cache (ElastiCache)
- S3 for file uploads
- Auth: OAuth 2.0 with JWT tokens

For each component and data flow, identify threats using STRIDE:
- Spoofing: Can an attacker impersonate a user or service?
- Tampering: Can data be modified in transit or at rest?
- Repudiation: Can actions be performed without audit trail?
- Information Disclosure: Can data leak to unauthorized parties?
- Denial of Service: Can availability be disrupted?
- Elevation of Privilege: Can permissions be escalated?

For each threat:
1. Description and attack scenario
2. Likelihood (High/Medium/Low)
3. Impact (High/Medium/Low)
4. Existing mitigations
5. Recommended additional controls
6. Priority (Critical/High/Medium/Low)

Attack Surface Analysis

Analyze the attack surface of our API:

Endpoints (from OpenAPI spec):
[Paste key endpoints with auth requirements]

For each endpoint, assess:
1. Authentication required? (public vs. authenticated)
2. Authorization level? (user vs. admin vs. service)
3. Input types? (strings, files, JSON objects)
4. Data returned? (PII, financial, metadata)
5. Rate limiting in place? (yes/no, what limits)

Identify:
- Endpoints with highest risk (public + PII + file upload)
- Missing security controls per endpoint
- Recommended WAF rules

✅ Quick Check: Your threat model identifies that your file upload endpoint accepts any file type, stores files in S3, and serves them back to users. AI identifies this as a critical risk. Why? (Answer: This is a stored XSS/RCE vector. An attacker uploads a malicious HTML file or SVG with embedded JavaScript. When another user views the file via the S3 URL, the malicious code executes in their browser. Mitigations: validate file types server-side, set Content-Disposition: attachment on S3 objects, serve files from a separate domain, and scan uploads for malware.)

Zero Trust Architecture

Zero Trust Migration Plan

Design a zero-trust migration plan for our infrastructure:

Current state:
- VPN-based access (all internal services trust VPN connections)
- 15 microservices in Kubernetes
- Service-to-service communication: unencrypted within cluster
- Database access: IP-based allowlisting
- Admin access: VPN + SSH keys

Target state:
- mTLS for all service-to-service communication
- Identity-based access (no VPN required)
- Per-request authorization checks
- Encrypted everything (transit + rest)
- Just-in-time admin access with audit trail

Generate a phased migration plan:
Phase 1: [low risk, high impact — what to do first]
Phase 2: [medium complexity — expanding zero trust]
Phase 3: [full zero trust — VPN removal]

For each phase:
- What changes
- Risk during migration
- Rollback plan
- Estimated effort
- Success criteria

Penetration Test Preparation

Scope Document Generation

Generate a penetration test scope document:

Organization: [company name]
Test type: Gray box (pen testers get architecture docs)
Duration: 2 weeks

In scope:
- Production web application (app.example.com)
- REST API (api.example.com)
- Admin portal (admin.example.com)
- AWS infrastructure (specific account)
- Kubernetes cluster

Out of scope:
- Third-party services (Stripe, SendGrid)
- Social engineering
- Physical access
- DDoS/load testing

Include:
- Rules of engagement
- Communication procedures
- Emergency stop procedures
- Data handling requirements
- Deliverable expectations

Pre-Test Security Hardening

Before our penetration test next month, generate a security
hardening checklist to address the most commonly exploited
weaknesses:

Application: Python FastAPI on Kubernetes/AWS
Auth: OAuth 2.0 + JWT

Check and fix:
1. Default credentials anywhere
2. Verbose error messages in production
3. Security headers (CSP, HSTS, X-Frame-Options)
4. CORS configuration
5. Rate limiting on auth endpoints
6. Input validation on all endpoints
7. SQL injection protection
8. File upload restrictions
9. Admin panel access controls
10. Dependency vulnerabilities (npm, pip)

For each item, provide the specific check command and fix.

Practice Exercise

Perform a STRIDE threat model on one of your applications using the template
Design phase 1 of a zero-trust migration for your infrastructure
Generate a penetration test scope document for your next security assessment

Key Takeaways

Threat modeling before building is cheaper than finding vulnerabilities after deployment
STRIDE provides a structured framework — AI applies it to your specific architecture
Zero trust is a migration, not a switch — phase it to avoid breaking existing access patterns
Penetration test preparation (hardening before the test) catches easy wins before testers do
Attack surface analysis identifies which endpoints need the most protection

Up Next

In the final lesson, you’ll organize everything into your integrated AI-powered security stack — tools, workflows, and automation for every layer of your DevSecOps practice.

Knowledge Check

1. AI generates a threat model for your application and identifies 25 potential threats. Your team has resources to address 5 this quarter. How do you prioritize?

Address the most technically interesting threats Use the DREAD or STRIDE risk rating for each threat, factoring in: exploitability (how easy to exploit), business impact (what's at stake), existing controls (what mitigations are already in place), and attacker motivation (how likely this will be targeted). AI ranks threats by actual risk to YOUR application, not theoretical severity Address the easiest 5 to fix

2. Your CTO says 'we should implement zero trust.' You currently have a VPN-based perimeter security model. What's the first step?

Remove the VPN immediately Start with identity verification for every request — not by removing the VPN (that's the last step), but by adding authentication and authorization checks at each service boundary. AI helps design the migration path: 'Given our current VPN-based architecture with 15 microservices, design a phased zero-trust migration that doesn't break existing access patterns' Zero trust is just a buzzword — ignore it

3. Before a penetration test, the pen test team asks for documentation about your architecture, network diagrams, and authentication flows. Should you provide it?

No — real attackers don't get documentation Yes, for a 'gray box' or 'white box' test, which is more efficient and realistic for most organizations. Providing architecture documentation means the pen testers spend time finding real vulnerabilities instead of spending 3 days mapping your infrastructure. AI can generate the documentation they need from your existing configs Only give them the public website URL

Answer all questions to check

Complete the quiz above first