A Threat Scenario is a short sentence describing a probable malicious action an attacker could take, that impacts an asset or service, similar to the concept of Critical User Journeys (CUJ) but it’s an Attacker User Journey (AUJ).

A typical Threat Scenario (or Attacker User Journey, AUJ) is typically constructed as such:

[low, medium, high, maximum], The Attacker/Actor compromises asset/system/service/project with vulnerability which causes description of impact, with standard level justification.

How are Threat Scenarios defined?

Figuring out the right threats is an exercise of it’s own which can be fairly rapid to get a general idea, but take days to fine tune.

1. Figure out the threats

Threat Scenarios are generally defined through a threat model or risk assessment, such as the RRA for Services. When existing threat models exist with various “attack models”, “tree”, “scenarios”, or equivalent examples - these can and should be reformated as Threat Scenarios. In other words, Threat Scenarios are defined by humans through specifically focused brain-storming exercises.

  • Concise, to the point. Just a line or so, not a paragraph.
  • High level example of a threat that could be realized, without too much technical details.
  • Not a MITRE TTP (However: TTPs can be tied to Threat Scenarios).
  • The level represents the probable worse-case impact, not risk. It’s also called “risk impact” (not risk).
  • The justification of impact does not need to be part of the Threat Scenario when shared, but the justification exercise needs to be recorded.

At this point you should end up with a list of Threat Scenarios extracted from your threat models - many may be similar (and effectively are derivate of other scenarios - think of them as aliases or variants). You goal is to deduplicate these scenarios and justify them with adequate levels. It’s up to you to brainstorm and select the most appropriate scenario. Keep in mind that you can and may improve these over time!


  • [Selected] An attacker picks up an item at the supermarket, hides it on their person and walks out of the store.
  • [Variant] A group of attackers enter the store and pick up various items then exit the store without paying.
  • [Variant] An employee regularly picks up an item from the store and exits without paying.

2. Justify the selected Threat Scenario

In order to justify the Threat Scenario is correct and be able to rank it with Standard Levels, you must go through each categories described by the levels: Reputation, Productivity, Finances, Competitive Advantage.


An attacker picks up an item at the supermarket, hides it on their person and walks out of the store.

  • Reputation: medium Internal chatter expected but no lawsuits, customers are unlikely to notice or remember.
  • Productivity: low Filling policy report, low impact on the supermarket workforce.
  • Finances: medium The attacker generally can’t pick-up more than a few items without being intercepted which caps our worse-case to about 1000 USD of loss, that we consider medium impact per event on our scale.
  • Competitive Advantage: N/A.

Some of these justifications involve some type of likelihood, but are not used to calculate or declare the probability of the Threat Scenario itself.

3. Rank the Threat Scenario itself

Ranking the Threat Scenario’s risk impact is simple: take the highest level selected for any of the justifications and assign it. In our examples, the highest is medium and so that’s what we’ll select:

medium An attacker picks up an item at the supermarket, hides it on their person and walks out of the store. The store loses up to 100 USD every day the attacker visits.