Established threat modelling methodologies (STRIDE, PASTA, Trike, OCTAVE, LINDDUN, attack trees, and adversary-behaviour catalogues such as MITRE ATT&CK) were designed for software products and enterprises with a discernible security perimeter, a single owning organisation, and a clean separation between technical and operational risk. Modern organisations violate all three assumptions: they run on cloud and SaaS control planes they do not own, distribute privileged authority across founders, contractors, vendors, signers, committees, and automation, and expose value through human approval ceremonies and supply-chain edges rather than a network boundary. The dominant failures are authorised-but-malicious actors, collusion across nominally independent parties, control-plane and CI/CD compromise, and operational mishandling of high-value actions, which existing methods largely omit. We present TRACE, a methodology that treats threat actors, roles, assets, critical invariants, and trust/authority edges as first-class, evidence-linked objects spanning three layers: protocols, systems, and organisations. We compare nine widely used frameworks across ten dimensions, show where each falls short in distributed, cloud-first, zero-trust settings, and specify TRACE: its core model, three application pillars, sequential gated workflow, and an evidence-and-traceability discipline for human-AI co-working in which language models accelerate coverage while senior reviewers retain judgement over invariants, severity, and collusion. TRACE was developed through Web3 security practice but is stack-agnostic. We discuss its relationship to zero trust architecture and accountable Byzantine consensus, its limitations, and open questions around empirical validation.
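To make concrete what "first-class, evidence-linked objects" buys a reviewer, here is an added illustration (not the paper's own schema, tooling, or terminology beyond the object names the abstract lists): a minimal Python model in which actors, assets, authority edges and invariants are explicit records, each edge carries an evidence reference, and two checks run over the model. The first flags invariants whose approval threshold can be reached by a set of actors controlled by one organisation (the collusion case the abstract names), or by a single authorised actor; the second lists authority edges that were asserted without evidence. The organisation, names, thresholds and evidence strings below are constructed for the example.

```python
from dataclasses import dataclass, field
from itertools import combinations


@dataclass(frozen=True)
class Actor:
    name: str
    org: str        # organisation that controls this actor (constructed values below)
    evidence: str   # where the claim about this actor was verified


@dataclass(frozen=True)
class Asset:
    name: str
    layer: str      # "protocol", "system" or "organisation"


@dataclass(frozen=True)
class AuthorityEdge:
    actor: str      # Actor.name
    asset: str      # Asset.name
    action: str     # privileged action the actor may take on the asset
    evidence: str   # IAM export, multisig config, signed charter; "" = unverified


@dataclass(frozen=True)
class Invariant:
    asset: str
    action: str
    threshold: int      # distinct approvals needed before the action takes effect
    independent: bool   # approvers are assumed to come from different organisations


@dataclass
class ThreatModel:
    actors: dict = field(default_factory=dict)
    assets: dict = field(default_factory=dict)
    edges: list = field(default_factory=list)
    invariants: list = field(default_factory=list)

    def holders(self, asset, action):
        """Actors holding authority for (asset, action), in edge order."""
        return [self.actors[e.actor] for e in self.edges
                if e.asset == asset and e.action == action]

    def missing_evidence(self):
        """Traceability check: authority edges asserted without evidence."""
        return [e for e in self.edges if not e.evidence]

    def findings(self):
        """Per invariant, actor sets that reach its threshold without the
        independence it assumes. Each finding: (asset, action, names, reason)."""
        out = []
        for inv in self.invariants:
            hs = self.holders(inv.asset, inv.action)
            if inv.threshold <= 1:
                for h in hs:  # authorised-but-malicious single actor
                    out.append((inv.asset, inv.action, (h.name,),
                                "single authorised actor suffices"))
                continue
            for combo in combinations(hs, inv.threshold):
                orgs = {h.org for h in combo}
                if inv.independent and len(orgs) < len(combo):
                    names = tuple(sorted(h.name for h in combo))
                    out.append((inv.asset, inv.action, names,
                                f"threshold reachable inside one organisation: {sorted(orgs)}"))
        return out


def build_sample_model():
    """Constructed example organisation; names, orgs and evidence are made up."""
    m = ThreatModel()
    for a in [Actor("alice", "Acme", "HR roster 2024-Q1"),
              Actor("bob", "Acme", "HR roster 2024-Q1"),
              Actor("carol", "VendorCo", "MSA appendix B"),
              Actor("dave", "Foundation", "charter sec. 4"),
              Actor("ci-bot", "Acme", "service-account inventory")]:
        m.actors[a.name] = a
    for s in [Asset("prod-release-pipeline", "system"),
              Asset("treasury-multisig", "protocol"),
              Asset("cloud-root-account", "system")]:
        m.assets[s.name] = s
    m.edges += [
        AuthorityEdge("alice", "prod-release-pipeline", "approve_release", "branch-protection export"),
        AuthorityEdge("bob", "prod-release-pipeline", "approve_release", "branch-protection export"),
        AuthorityEdge("carol", "prod-release-pipeline", "approve_release", "branch-protection export"),
        AuthorityEdge("ci-bot", "prod-release-pipeline", "approve_release", ""),  # never verified
        AuthorityEdge("alice", "treasury-multisig", "sign_tx", "on-chain owner set"),
        AuthorityEdge("carol", "treasury-multisig", "sign_tx", "on-chain owner set"),
        AuthorityEdge("dave", "treasury-multisig", "sign_tx", "on-chain owner set"),
        AuthorityEdge("alice", "cloud-root-account", "assume_root", "IAM policy export"),
    ]
    m.invariants += [
        Invariant("prod-release-pipeline", "approve_release", 2, True),
        Invariant("treasury-multisig", "sign_tx", 2, True),
        Invariant("cloud-root-account", "assume_root", 1, False),
    ]
    return m


if __name__ == "__main__":
    model = build_sample_model()
    for f in model.findings():
        print(f)
    for e in model.missing_evidence():
        print("unverified edge:", e)
```

Run as a script, the sample reports three colluding pairs on the release pipeline (all inside Acme, one of them involving the CI automation), one single-actor finding on the cloud root account, no finding on the treasury multisig whose signers span three organisations, and one authority edge with no evidence behind it. The point is that once authority and independence are recorded as data rather than prose, these checks are mechanical, which is what lets a model or junior analyst widen coverage while a senior reviewer spends time on whether the invariants and organisation boundaries are right.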