Public summary

STRIDE threat model

Public summary of our threat-modeling process. The full document — with attack surfaces enumerated, specific threats per surface, and the remediation roadmap — is available under NDA.

Audience
Enterprise security teams, procurement, auditors (full version)
Last reviewed
2026-05-15

What this page is

A public summary of how Rahoto runs its threat-modeling process. We don’t publish the full threat model on the open web — it would essentially be a how-to-attack-Rahoto document, useful only to attackers and uninteresting to legitimate buyers. The full document is shared under NDA during the procurement security review. Email [email protected].

What follows is what your security team usually needs to assess our maturity and process at the proposal stage.

Methodology

We use STRIDE, the Microsoft threat-modeling framework, applied per attack surface. For each surface we enumerate threats in six categories:

  • Spoofing — pretending to be someone you’re not
  • Tampering — modifying data in transit or at rest
  • Repudiation — performing an action and denying it
  • Information disclosure — leaking data outside its tenant
  • Denial of service — making the platform unavailable
  • Elevation of privilege — gaining capabilities you weren’t granted

For each identified threat, we document the mitigation, the enforcing service or control, and the test that verifies it works. Gaps are tracked in a public-internal gap log with severity, owner, and target date.

Scope

The current threat model covers eight distinct attack surfaces. We don’t list them publicly to avoid giving attackers a checklist, but they include the major external surfaces (HTTP, real-time transport, authentication, public report viewer, webhook receivers, administrative endpoints), the identity-federation surface (SAML / OIDC / SCIM), and the lateral-movement surface (customer-managed network connectors).

Cadence

  • Updated each release. New surfaces or material changes to existing ones trigger a re-review.
  • Living document. Gaps are tracked and re-prioritized monthly.
  • Third-party pentest at least annually against the full surface inventory.
  • Continuous monitoring for indicators of attempted exploitation against the surfaces we know about.

What we publicly commit to

SeverityAcknowledgeMitigatePermanent fix
P0 (active exploitation, customer data exposed)1 hour4 hours24 hours
P1 (exploitable in production, no exposure yet)4 hours24 hours7 days
P2 (theoretical, requires unusual conditions)1 business day7 days30 days
P3 (best-practice gap, no exploit path)5 business days30 daysnext release

These are the same SLAs codified in our Remediation SLA document and quotable in MSAs.

What this summary deliberately does not cover

  • The specific list of attack surfaces and how they’re separated
  • The specific threats we’ve identified per surface
  • Our internal compensating controls and where they’re deployed
  • The current gap log: open issues, their severity, and their mitigation status
  • Pen-test findings, including those already remediated
  • Detection rules and indicators of compromise we monitor for

These are in the NDA-gated document. They’re not secret because they’re vulnerabilities — they’re under NDA because exposing them is reconnaissance for an attacker and gives no useful information to a procurement reviewer.

How to get the full document

Email [email protected] with your company name and a brief description of the engagement. We send the full threat model, the architecture document, and the latest pen-test summary as a bundle, under mutual NDA, within one business day.

If you have a specific security question that doesn’t require the full document, ask us directly — we frequently answer narrow questions (“Do you store passwords?” “How are SAML responses validated?”) without needing to send the whole bundle.