01.D.02 · Threat Modeling

DREAD

A rating system, not a discovery system. Once STRIDE finds a threat, DREAD scores it.

DREAD was created at Microsoft around the same time as STRIDE. Unlike STRIDE (which is a discovery tool — "what threats exist?"), DREAD is a rating tool — "how serious is this threat?" You score each threat 1–10 across five attributes; the sum (or average) is the DREAD score, and you triage from highest to lowest.

DREAD is famously imperfect. Microsoft itself deprecated it internally for inconsistent scoring. But it remains useful as a structured first-pass triage when you have many threats and limited time — especially when paired with a STRIDE walkthrough.

The five letters

D  Damage
R  Reproducibility
E  Exploitability
A  Affected users
D  Discoverability

Damage

How bad is the worst-case outcome if this threat is realized? Data loss? Full system compromise? Reputational damage? Regulatory penalty?

1–3: Minor leak of non-sensitive data · 4–6: Loss of sensitive data, service degradation · 7–9: Substantial data exfiltration, system takeover · 10: Catastrophic — full root, full database, regulated PII at scale

Reproducibility

How reliably can the attack be carried out by someone who knows the technique?

1–3: Very hard — race conditions, narrow timing windows · 4–6: Requires specific conditions but achievable · 7–9: Easy once you know the trick · 10: Always works; can be automated

Exploitability

How much skill and access does the attacker need? An exploit that requires kernel-level expertise plus physical access is less exploitable than one that needs just a browser.

1–3: Requires advanced skill + special access · 4–6: Skilled attacker, normal access · 7–9: Average attacker with a known tool · 10: Any internet user can do it with copy-paste

Affected Users

What fraction of users (or what kind of users) does a successful attack impact?

1–3: One user, narrow scope · 4–6: Some users (a department, a tenant) · 7–9: Most users · 10: All users; all tenants; the whole platform

Discoverability

How likely is it that an attacker will find this vulnerability? A bug in a public API endpoint covered by a bug-bounty program is highly discoverable; a bug in an internal admin tool that requires a VPN is less so.

1–3: Internal-only; would require source code or insider knowledge · 4–6: Discoverable with targeted research · 7–9: Discoverable via a routine scan or public docs · 10: Published, in the wild, exploit kit included

A worked example

Threat: "Public S3 bucket exposes customer PDF reports." Score it:

DREAD rating: Public bucket exposes PDF reports

Attribute         Score     Reasoning
Damage            8         Customer PII in reports; potential regulatory exposure
Reproducibility   10        HTTP GET request — trivial to repeat once URL known
Exploitability    10        No skill required; bucket-enumeration tools are free
Affected users    9         All customers whose reports are in the bucket
Discoverability   8         Bucket enumeration scans run constantly across the internet
DREAD score       45 / 50   Critical — fix immediately

Compare that to a different threat: "Local-only admin tool accepts SQL injection from authenticated admins."

DREAD rating: SQLi in admin-only tool (authenticated)

Attribute         Score     Reasoning
Damage            9         SQLi against the admin DB is catastrophic if exploited
Reproducibility   9         Repeatable once attacker is in
Exploitability    5         Requires existing admin authentication; not trivial to gain
Affected users    8         Most users via downstream data access
Discoverability   3         Tool not internet-reachable; would require source/insider
DREAD score       34 / 50   High — fix soon; not first in queue

Both are bad. DREAD lets you put the public bucket above the admin SQLi in the priority queue without arguing about feelings.

Why DREAD is controversial

Use it like this: DREAD is a forcing function for conversation. Two engineers scoring the same threat together and arguing about the numbers will surface assumptions that just saying "this is bad" would hide. The argument is the value; the score is the artifact.
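The scoring and triage from the two worked tables above, plus the "two engineers arguing about the numbers" step, as an added example (not part of the original notes). The severity bands and the 3-point disagreement threshold are assumptions chosen to match the page's Critical/High labels, not an official DREAD rule.

```python
from __future__ import annotations
from dataclasses import dataclass

# The five DREAD attributes, each scored 1-10.
ATTRIBUTES = ("damage", "reproducibility", "exploitability",
              "affected_users", "discoverability")

@dataclass(frozen=True)
class Dread:
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self) -> None:
        for name in ATTRIBUTES:
            v = getattr(self, name)
            if not 1 <= v <= 10:
                raise ValueError(f"{name}={v}: each DREAD attribute is scored 1-10")

    def total(self) -> int:
        return sum(getattr(self, n) for n in ATTRIBUTES)   # out of 50

    def average(self) -> float:
        return self.total() / len(ATTRIBUTES)               # out of 10

def band(total: int) -> str:
    # Assumed bands for this example: 45 lands in Critical, 34 in High, as on the page.
    if total >= 40: return "Critical"
    if total >= 30: return "High"
    if total >= 20: return "Medium"
    return "Low"

def triage(threats: dict[str, Dread]) -> list[tuple[str, int, str]]:
    """Highest DREAD total first; ties broken by Damage so worst outcome wins."""
    ranked = sorted(threats.items(),
                    key=lambda kv: (kv[1].total(), kv[1].damage), reverse=True)
    return [(name, d.total(), band(d.total())) for name, d in ranked]

def disagreements(a: Dread, b: Dread, threshold: int = 3) -> list[tuple[str, int, int]]:
    """Attributes where two scorers differ by >= threshold: the assumptions worth arguing over."""
    return [(n, getattr(a, n), getattr(b, n)) for n in ATTRIBUTES
            if abs(getattr(a, n) - getattr(b, n)) >= threshold]

# The two threats scored in the worked example.
THREATS = {
    "Public S3 bucket exposes customer PDF reports": Dread(8, 10, 10, 9, 8),
    "SQLi in admin-only tool (authenticated)": Dread(9, 9, 5, 8, 3),
}
```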

Alternatives worth knowing

The point

DREAD is the simplest thing that gets you to "score and sort." It is imperfect; everyone using it knows it is imperfect; it remains in use because the alternative for fast triage is "everyone shouts about what's important," which is worse.

Pair it with STRIDE for a complete cycle: STRIDE discovers, DREAD prioritizes, the team fixes from the top down. When you have time and money, swap DREAD for CVSS or OWASP RRM and you'll get more defensible numbers — but the workflow is the same shape.
