Stage 2: Define Technical Scope

With business objectives established, Stage 2 defines the technical landscape that supports these objectives. This involves creating architectural diagrams, identifying technologies used, documenting data flows, and establishing the boundaries of your analysis. The technical scope must be comprehensive enough to capture all relevant threats while remaining focused enough to be actionable.

Create detailed architectural diagrams showing all components, connections, and trust boundaries. Unlike simpler methodologies that might use basic data flow diagrams, PASTA encourages comprehensive technical documentation. Include network diagrams showing segmentation and access paths, application architecture diagrams detailing components and interactions, data flow diagrams tracking sensitive information movement, and deployment diagrams showing infrastructure and platform dependencies.

Document all technologies involved in your system. This includes programming languages and frameworks, databases and data storage solutions, third-party libraries and dependencies, infrastructure platforms and services, and security controls and monitoring tools. Each technology brings its own vulnerabilities and attack patterns that must be considered in later stages.

Establish clear boundaries for your analysis. While it's tempting to expand scope to include every connected system, practical threat modeling requires focus. Define what's in scope based on direct support of business objectives, access to sensitive data or critical functionality, and potential impact on security posture. Document what's explicitly out of scope and why, ensuring stakeholders understand and agree with these boundaries.