STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) is Microsoft's category framework for threats. It's not a deep theory — it's a vocabulary that lets a team enumerate threats without skipping classes. The discipline isn't memorising the letters; it's running through them deliberately for each component you ship.
Apply STRIDE to a POST /api/login endpoint and you immediately surface: Spoofing (credential stuffing), Tampering (injection), Repudiation (no audit trail), Information disclosure (a timing oracle on the credential check), Denial of service (unthrottled brute-force attempts), Elevation of privilege (post-auth IDOR). Each is a real category of work.
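To show the "run through every letter for every component" discipline as code, here is an added example (not from the lesson) that applies the STRIDE-per-element variant, in which each kind of data-flow-diagram element is only exposed to some of the six categories, to a constructed DFD of the login flow above; the element names, kinds and recorded mitigations are assumptions chosen to match the paragraph.

```python
"""STRIDE-per-element walk over a small, constructed DFD of POST /api/login."""
from dataclasses import dataclass, field

# STRIDE-per-element: which categories apply to which DFD element kind.
# External entities can be spoofed or repudiate; processes get all six;
# flows and stores can be tampered with, disclosed or denied; a store that
# holds audit data is additionally a repudiation concern.
APPLICABLE = {
    "external": "SR",
    "process": "STRIDE",
    "dataflow": "TID",
    "datastore": "TID",
    "logstore": "TRID",
}

@dataclass
class Element:
    name: str
    kind: str
    mitigations: dict = field(default_factory=dict)  # letter -> control (assumed)

def threats_for(e):
    """Every STRIDE letter that applies to this element kind, in canonical order."""
    return [c for c in "STRIDE" if c in APPLICABLE[e.kind]]

def gaps(model):
    """Per element, the applicable categories with no recorded mitigation."""
    return {e.name: [c for c in threats_for(e) if c not in e.mitigations] for e in model}

def report(model):
    """Human-readable listing of uncovered categories, one line per element."""
    return [f"{name}: uncovered {''.join(g) or '-'}" for name, g in gaps(model).items()]

# Constructed model of the login flow; mitigations are illustrative, not a recommendation list.
LOGIN_MODEL = [
    Element("browser", "external", {"S": "MFA / credential-stuffing detection"}),
    Element("browser->login", "dataflow", {"T": "TLS", "I": "TLS"}),
    Element("POST /api/login", "process", {
        "S": "rate limit + lockout",
        "T": "parameterised queries",
        "I": "constant-time credential check",
        "D": "rate limit",
        "E": "object-level authorisation on post-auth routes",
    }),
    Element("user DB", "datastore", {"I": "salted password hashing"}),
    Element("audit log", "logstore", {"R": "append-only log keyed by request id"}),
]

if __name__ == "__main__":
    print("\n".join(report(LOGIN_MODEL)))
```

Running it reports that the login process has no Repudiation control, the same "no audit" gap the paragraph names, and that the stores have nothing recorded for tampering or denial of service.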
Use these three in order. Each builds on the one before.
In one paragraph, explain STRIDE's six categories with one example per category.
Walk me through applying STRIDE to a microservices system: where do you draw the boundaries, and what do you analyse per boundary?
Compare STRIDE to PASTA and LINDDUN. When does each give you a better signal?