STRIDE is a structured threat classification methodology used to systematically identify and enumerate security vulnerabilities during the design phase of a system. Each letter corresponds to a specific violation of a desired security property: Spoofing violates authenticity, Tampering violates integrity, Repudiation violates non-repudiation, Information Disclosure violates confidentiality, Denial of Service violates availability, and Elevation of Privilege violates authorization.
Glossary
STRIDE

What is STRIDE?
STRIDE is a threat modeling framework developed by Microsoft that categorizes security threats into six distinct types: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.
Applied to machine learning pipelines, STRIDE helps security engineers map threats such as data poisoning attacks against training integrity (Tampering), model inversion attacks extracting sensitive information (Information Disclosure), and adversarial examples causing misclassification (Denial of Service). The framework integrates with data flow diagrams to pinpoint where each threat category manifests, enabling targeted deployment of defenses like data provenance verification and robust aggregation.
The Six STRIDE Threat Categories
STRIDE is a threat modeling framework developed by Microsoft that categorizes security threats into six distinct types. Each category maps to a specific security property that can be violated, providing a systematic approach to identifying vulnerabilities in software systems.
Spoofing
Spoofing violates the security property of authenticity. An attacker pretends to be a different person, system, or entity to gain unauthorized access.
- Examples: Using stolen credentials, forging an IP address, or presenting a fake biometric sample
- In ML systems: An adversary impersonates a legitimate federated learning client to inject poisoned model updates
- Mitigation: Strong authentication protocols, multi-factor authentication, and cryptographic signatures
Tampering
Tampering violates the security property of integrity. An attacker maliciously modifies data, code, or model parameters in transit or at rest.
- Examples: Modifying training data labels, altering model weights during deployment, or injecting backdoor triggers
- In ML pipelines: An adversary intercepts and alters a serialized model file before it reaches the inference server
- Mitigation: Artifact signing, checksums, and tamper-evident logging
Repudiation
Repudiation violates the security property of non-repudiability. A malicious actor performs an action but denies having done so, and the system lacks sufficient proof to attribute the action.
- Examples: Deleting audit logs, submitting poisoned data without traceability, or denying a model inference request was made
- In ML governance: A data engineer alters a training dataset and claims the original version was used, with no data provenance records to disprove the claim
- Mitigation: Immutable audit trails, digital signatures on all artifacts, and secure logging
Information Disclosure
Information Disclosure violates the security property of confidentiality. An attacker gains unauthorized access to sensitive data, model parameters, or intellectual property.
- Examples: Extracting training data via model inversion attacks, inferring membership through membership inference probes, or stealing proprietary model weights
- In privacy-preserving ML: An adversary queries a model API and reconstructs faces from a facial recognition training set
- Mitigation: Differential privacy, homomorphic encryption, and output perturbation
Denial of Service
Denial of Service violates the security property of availability. An attacker overwhelms system resources to prevent legitimate users from accessing the service.
- Examples: Flooding a model inference API with requests, triggering computationally expensive adversarial inputs, or exploiting memory leaks
- In ML operations: An adversary submits sponge examples—inputs specifically designed to maximize energy consumption and latency during inference
- Mitigation: Rate limiting, input validation, resource quotas, and auto-scaling infrastructure
Elevation of Privilege
Elevation of Privilege violates the security property of authorization. An attacker gains permissions beyond what they are legitimately entitled to, enabling broader system compromise.
- Examples: Exploiting a vulnerability to escalate from a read-only data scientist role to a model deployment admin, or bypassing access controls on a training pipeline
- In ML platforms: An attacker compromises a Jupyter notebook with limited permissions and exploits a container escape to access the underlying Trusted Execution Environment
- Mitigation: Principle of least privilege, role-based access control, and regular privilege audits
Applying STRIDE to Machine Learning Pipelines
A systematic adaptation of Microsoft's STRIDE threat modeling framework to identify and categorize security threats unique to machine learning systems, from data ingestion to model deployment.
STRIDE is a threat modeling framework that categorizes security threats into six dimensions: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. When applied to ML pipelines, STRIDE maps each category to specific attack vectors—such as data poisoning as tampering or model inversion as information disclosure—providing a structured methodology for security engineers to systematically audit every component of the ML lifecycle.
In practice, STRIDE analysis on an ML system examines threats like spoofing of training data sources, tampering with model weights during transfer, repudiation of inference decisions without cryptographic logging, information disclosure through membership inference attacks, denial of service via adversarial examples that degrade availability, and elevation of privilege through prompt injection that bypasses model constraints. This framework integrates directly with MITRE ATLAS to map identified threats to known adversarial tactics.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Frequently Asked Questions
Clear, technical answers to the most common questions about Microsoft's STRIDE framework for identifying and categorizing security threats in machine learning and software systems.
STRIDE is a threat classification framework developed by Microsoft that categorizes security threats into six distinct types: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. The framework works by systematically decomposing a system into its component elements—data flows, data stores, processes, and external entities—and then mapping each element to the specific threat categories that apply to it. For each element-threat pair, the security engineer asks a structured question: for example, 'Can an attacker spoof the identity of this external entity?' or 'Can data flowing between these processes be tampered with in transit?' This methodical approach ensures comprehensive threat coverage without relying on the analyst's ability to brainstorm attacks from scratch. In the context of machine learning pipelines, STRIDE extends naturally to cover threats like model weight tampering, training data spoofing, and inference API denial of service.
Related Terms
Core concepts for understanding and mitigating threats identified by the STRIDE framework in machine learning pipelines.
Model Inversion Defenses
Protections against Information Disclosure attacks that reconstruct private training data from model parameters. These techniques prevent adversaries from extracting sensitive information through repeated queries.
- Differential Privacy SGD (DP-SGD): Adds calibrated noise to gradients
- Membership Inference Protections: Prevents determining if a record was in training
- Gradient Clipping: Caps per-example influence to bound information leakage
Adversarial Training
A defensive technique against Spoofing and Tampering threats that augments training data with adversarial examples. This forces the model to learn robust decision boundaries that resist manipulation.
- Evasion Attack Defense: Hardens models against input perturbations
- Certified Robustness: Provides mathematical guarantees via Randomized Smoothing
- Clean-Label Poisoning Resistance: Mitigates attacks using correctly labeled but perturbed samples
Model Supply Chain Security
Controls against Tampering and Elevation of Privilege threats throughout the ML lifecycle. Ensures the integrity and authenticity of all components from pre-trained weights to datasets.
- Artifact Signing: Cryptographically signs model weights and data
- Data Provenance: Documents lineage and chain of custody
- MITRE ATLAS: Knowledge base of adversary tactics for AI systems
Backdoor Detection & Mitigation
Techniques to identify and neutralize hidden triggers injected during training—a classic Tampering threat. These methods reverse-engineer or prune the malicious pathways attackers embed in models.
- Neural Cleanse: Reverse-engineers potential triggers via optimization
- Fine-Pruning: Removes dormant neurons activated only by triggers
- Activation Clustering: Separates clean and poisoned data by analyzing hidden layer activations
Red Teaming for ML Systems
Structured adversarial assessment that simulates real-world attacks across all STRIDE categories. Security teams proactively probe for vulnerabilities before malicious actors can exploit them.
- Trigger Reconstruction: Recovers embedded backdoor patterns
- Model Inspection: Analyzes weights and decision boundaries for anomalies
- Distributional Shift Detection: Flags statistical deviations indicating potential poisoning

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us