Validating Threat Modeling Results with the Help of Vulnerable Test Applications

Computer Science > Cryptography and Security [Submitted on 22 May 2026] Validating Threat Modeling Results with the Help of Vulnerable Test Applications Oleksandr Adamov, Davide Fucci, Felix Viktor Jedrzejewski, Ricardo Britto, Nishrith Saini Validating threat modeling results remains difficult because completeness is hard to judge without an external oracle. Existing studies often rely on expert-produced reference models and other human baselines, but these can contain omissions or disagreements. This paper evaluates a complementary, vulnerability-grounded validation approach. We apply threat modeling to intentionally vulnerable applications with a known vulnerability set to measure the number of related vulnerabilities that can be discovered. We compare ThreMoLIA, an LLM-assisted threat modeling solution developed by our team, with the Microsoft Threat Modeling Tool (MTMT) across two vulnerable applications: AzureGoat and the Vulnerable Bank Application (VulnBank). The inputs to both tools are limited to architecture, data flow diagrams, and their descriptions. The results show that ThreMoLIA achieved higher vulnerability coverage on both systems. We show that vulnerable test applications provide a practical benchmark for assessing threat coverage and complement expert-based validation. Subjects: Cryptography and Security (cs.CR) Cite as: arXiv:2605.23695 [cs.CR]   (or arXiv:2605.23695v1 [cs.CR] for this version)   https://doi.org/10.48550/arXiv.2605.23695 Focus to learn more Submission history From: Oleksandr Adamov [view email] [v1] Fri, 22 May 2026 14:50:33 UTC (34 KB) Access Paper: HTML (experimental) view license Current browse context: cs.CR < prev   |   next > new | recent | 2026-05 Change to browse by: cs References & Citations NASA ADS Google Scholar Semantic Scholar Export BibTeX Citation Bookmark Bibliographic Tools Bibliographic and Citation Tools Bibliographic Explorer Toggle Bibliographic Explorer (What is the Explorer?) Connected Papers Toggle Connected Papers (What is Connected Papers?) Litmaps Toggle Litmaps (What is Litmaps?) scite.ai Toggle scite Smart Citations (What are Smart Citations?) Code, Data, Media Demos Related Papers About arXivLabs Which authors of this paper are endorsers? | Disable MathJax (What is MathJax?)