MAESTRO vs STRIDE

© 2025 Mamta Upadhyay. This article is the intellectual property of the author. No part may be reproduced without permission

Threat Modeling has always been one of the sharpest tools in the Appsec toolkit. For decades, frameworks like STRIDE gave us a structured way to ask “what can go wrong?” in applications and systems. STRIDE became second nature to security teams, shaping how we designed, tested and defended software.

But artificial intelligence is shifting the ground beneath us. AI systems don’t behave like the deterministic applications STRIDE was built for. They reason, adapt and sometimes fail in ways that feel closer to human error than software bugs. They use memory, call external APIs and orchestrate autonomous agents. When you apply STRIDE directly to AI systems, you quickly realize it catches part of the picture, but not the whole story.

This is where MAESTRO, the Cloud Security Alliance’s new framework for AI threat modeling, comes in. To understand why it matters, let’s look at STRIDE and MAESTRO side by side.


STRIDE: The Classic Lens

STRIDE stands for Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege. It’s a threat model that maps attacker goals against software components. Take a web application:

✔ Spoofing: Impersonating another user
✔ Tampering: Modifying requests or data in transit
✔ Repudiation: Performing actions without accountability
✔ Information Disclosure: Leaking sensitive data
✔ Denial of Service: Overwhelming the service
✔ Elevation of Privilege: Gaining unauthorized rights

It’s clean, intuitive and effective. If you have run a threat modeling session with developers, STRIDE gives everyone a checklist that’s both memorable and practical. But STRIDE was designed for “deterministic software”. Input goes in, code executes, output comes out and security flaws emerge when an attacker manipulates those deterministic paths.


Where STRIDE Falls Short for AI

Now swap out “deterministic application” for an AI system. Imagine a retrieval-augmented generation pipeline or a multi-agent system like LangGraph or AutoGen.

✔ The model may hallucinate even if inputs are valid.
✔ An agent may decide to keep looping instead of halting.
✔ A poisoned document in a vector store may silently alter the AI’s behavior.
✔ Two collaborating agents might pass hidden instructions to each other.

None of these failures fit neatly into STRIDE’s categories. They are not spoofing or tampering in the classic sense. They are the result of probabilistic reasoning and autonomy. STRIDE still helps with the infrastructure around AI (auth flows, API calls, databases) but it doesn’t capture what makes AI risky in the first place.


MAESTRO: A New Lens for AI Systems

To address this gap, the Cloud Security Alliance developed MAESTRO. It’s a framework designed specifically for AI systems, especially Agentic AI, where models use memory, call tools and chain tasks together. MAESTRO isn’t about replacing STRIDE. It’s about adding an AI-first layer to threat modeling. The acronym stands for:

✔ Model: Risks inherent to the AI model itself: hallucinations, adversarial prompts, misalignment.
✔ Agent: Risks introduced by agent orchestration: autonomy escalation, hidden instruction transfer, inter-agent collisions.
✔ Environment: Risks from the tools, memory and APIs the agent can access: tool abuse, data exfiltration, poisoned memory.
✔ Supply Chain: Risks from training data, embeddings, plugins or third-party models: dataset poisoning, compromised APIs or backdoor checkpoints.
✔ Trust & Safety: Misuse and harm risks e.g. jailbreaks, biased or unsafe outputs, insider abuse.
✔ Robustness: Stability under pressure: model drift, adversarial perturbations, cascading multi-agent errors.
✔ Operations: Risks in deployment and monitoring e.g. lack of logging, no kill switch, weak incident response

It’s a shift in mindset. Instead of asking only “what if an attacker tampers with this request?” MAESTRO pushes you to ask, “what if the agent itself decides to do something unexpected?


A Side-by-Side Example

Imagine an AI-powered research assistant that retrieves documents, summarizes them and emails a report.

STRIDE ViewMAESTRO View
Could someone spoof a user identity? (Spoofing)Could a poisoned PDF in the knowledge base inject hidden instructions into the summary? (Model, Environment)
Could a request to the database be tampered with? (Tampering)Could the agent loop endlessly, calling the email tool hundreds of times? (Agent, Operations)
Could a malicious user send crafted queries to the assistant but denies it later? (Repudiation)Could a malicious plugin intercept the report before sending? (Supply Chain)
Could the system be DOS’ed with too many queries? (Denial of Service)Could the agent’s outputs reinforce biased or harmful conclusions? (Trust & Safety)
Could the assistant could inadvertently expose confidential documents when queried with cleverly crafted prompts? (Information Disclosure)Could a small prompt perturbation trigger cascading failures across agents? (Robustness)
Could a low-privilege user exploit a flaw in the AI system’s plugin interface, gaining access to administrator-only features like sending emails on behalf of executives? (Elevation of Privilege)

Both perspectives matter. STRIDE keeps you honest about classic risks like auth and data tampering. MAESTRO forces you to confront risks that only emerge when intelligence and autonomy enter the picture.


Wrap

Threat modeling has always been about one deceptively simple question: what can go wrong? STRIDE gave us a way to ask that question for applications. MAESTRO now gives us a way to ask it for AI. They are not replacements for each other but instead they are complementary. Use STRIDE when thinking about the infrastructure around your system. Use MAESTRO when reasoning about the behavior of the AI itself. Together, they give security engineers a complete lens on both the software and the intelligence that drives it.

In my next post, I will put MAESTRO into practice by threat modeling an Agentic AI system end-to-end. That’s where the framework really shines: mapping risks across models, agents, environments and the operations that hold it all together.


Discover more from The Secure AI Blog

Subscribe to get the latest posts sent to your email.

Leave a Reply

Discover more from The Secure AI Blog

Subscribe now to keep reading and get access to the full archive.

Continue reading