Security Model Analysis

Why a Security Model Matters

The line between a bug and a feature can be razor-thin. An intended function in one context can be a glaring error in another – it all depends on the product’s specifications.

This principle holds true for security as well. Without a well-defined Security Model, vulnerabilities can masquerade as features, leaving your web service, IoT device, physical appliance, or platform exposed.

The service aims to provide the client with a documented model of the security requirements of the product/service as understood by our team. These requirements are delivered as a document describing the roles in the system (user, power user, administrator, etc.) and their respective privileges with respect to different types of data, endpoints, other users, etc. Any functionality outside of this description should be considered a security defect, as it violates the Security Model.

Our Security Model Analysis Service

After the first draft delivery, the client reviews the Security Model and discusses it with our security researchers. Then the CyResLab team provides an updated version, correcting any security model misconceptions.

Additionally, the CyResLab team can reformulate the security model in terms of negative user stories (e.g. “Attacker Mallory fails to log in as Alice, using an expired session”), suitable either for in-company QA & testing professionals to verify or for strongly increasing the efficiency of any other security testing services performed by CyResLab.

Service includes

  • A Security Model – a document listing security requirements for the analyzed product/service.
  • A meeting with the client’s requirements engineers / product management staff to validate the security model, as well as a revised version of the Security Model (if necessary).
  • (Available additionally) A list of negative user stories to be used during development and testing.

Ideal for

  • Companies developing new software products or services.
  • Organizations seeking to establish a solid foundation for secure development.

Certification

Upon successful completion, attendees will receive a certificate from ESI CEE.

Enroll today and empower yourself to build secure and resilient systems!

Contact us here.
