Stage 6: Attack Modeling and Simulation
Stage 6 distinguishes PASTA by actively modeling and simulating attacks based on previous findings. Rather than theoretical analysis, this stage demonstrates how identified vulnerabilities could be exploited to achieve attacker objectives. This concrete evidence of risk proves invaluable for communicating with stakeholders and prioritizing remediation efforts.
Develop attack trees showing how attackers might achieve their objectives by exploiting identified vulnerabilities. Start with attacker goals derived from business objectives—steal customer data, disrupt operations, or gain unauthorized access. Work backward to identify attack paths using discovered vulnerabilities. Each path represents a potential attack scenario requiring analysis and mitigation.
Simulate representative attacks to validate their feasibility and impact. This doesn't require full penetration testing but rather focused proof-of-concept demonstrations. Show how SQL injection could extract customer data, demonstrate privilege escalation through authorization flaws, or prove that session hijacking enables account takeover. These demonstrations make abstract vulnerabilities concrete and compelling.
Document attack chains that combine multiple vulnerabilities to achieve significant impact. Real attackers rarely rely on single vulnerabilities but chain multiple weaknesses together. Show how information disclosure through verbose errors enables targeted SQL injection, or how cross-site scripting combined with weak session management allows account takeover. Understanding attack chains reveals where breaking any link in the chain could prevent entire classes of attacks.
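The attack-tree and attack-chain analysis above can be modeled directly, so that the "which link breaks the most chains" question is answered by computation rather than by hand. The following is an added example, not code from the original article or from the PASTA methodology itself; the tree, the vulnerability names (including the hypothetical "session-token-in-url") and the node names are constructed to mirror the chains described on this page.

```python
from dataclasses import dataclass
from itertools import product
from typing import FrozenSet, List, Set, Tuple

@dataclass(frozen=True)
class Leaf:
    vuln: str   # a vulnerability identified in earlier PASTA stages

@dataclass(frozen=True)
class Node:
    name: str
    op: str     # "OR": any child suffices; "AND": every child is needed (a chain)
    children: tuple

def attack_paths(node) -> Set[FrozenSet[str]]:
    """Enumerate every attack path as the set of vulnerabilities it requires."""
    if isinstance(node, Leaf):
        return {frozenset([node.vuln])}
    child_paths = [attack_paths(c) for c in node.children]
    if node.op == "OR":
        return set().union(*child_paths)
    # AND: one path per combination of the children's paths, merged together
    return {frozenset().union(*combo) for combo in product(*child_paths)}

def feasible_paths(tree, mitigated: Set[str]) -> Set[FrozenSet[str]]:
    """Paths that survive once the given vulnerabilities have been fixed."""
    return {p for p in attack_paths(tree) if not (p & mitigated)}

def rank_mitigations(tree) -> List[Tuple[str, int]]:
    """Rank single fixes by how many attack paths each one breaks (highest first)."""
    paths = attack_paths(tree)
    vulns = set().union(*paths)
    ranked = [(v, sum(1 for p in paths if v in p)) for v in vulns]
    return sorted(ranked, key=lambda t: (-t[1], t[0]))

# Constructed tree (hypothetical names) for the goals "steal customer data"
# and "take over accounts", built from the chains the article describes.
TREE = Node("attacker objective", "OR", (
    Node("extract customer data", "AND", (
        Leaf("verbose-error-disclosure"), Leaf("sql-injection"))),
    Node("account takeover", "OR", (
        Node("xss + weak session", "AND", (Leaf("stored-xss"), Leaf("weak-session-mgmt"))),
        Node("session hijack", "AND", (Leaf("weak-session-mgmt"), Leaf("session-token-in-url"))),
        Leaf("authz-privilege-escalation"))),
))

if __name__ == "__main__":
    for path in sorted(attack_paths(TREE), key=sorted):
        print("path:", sorted(path))
    print("fix ranking:", rank_mitigations(TREE))
```

Fixing the top-ranked vulnerability removes every path that depends on it, which is the "break one link, prevent the class of attack" observation made above.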