Most threat modelling methods assume a perimeter: a network boundary, a fleet of corporate laptops, a data center to defend. The teams we work with have none of that. They run across cloud services, SaaS platforms, identity providers, personal devices, contractors, and public blockchains. Authority over the assets that matter is spread across multisigs, governance processes, and handshake agreements between people.
TRACE is our answer to that. It’s a threat modelling methodology for exactly this kind of setup: decentralized, cloud-first, remote-first, no clean edge to defend. We built it through our Web3 work and published it openly under CC BY 4.0.
The five model objects
TRACE takes whatever you’ve got (white papers, architecture docs, interviews, access reviews, source code) and turns it into one structured model built from five kinds of object.
Threat actors are anyone with the capability, incentive, or authority to affect the target: external attackers, insiders, vendors, compromised users.
Roles are the privileged or operational positions inside it: signers, maintainers, deployers, administrators, responders.
Assets are what has to be protected, whether that’s value, control, data, authority, or just staying online: funds, keys, production control, governance power, brand trust.
Critical invariants are the things that have to stay true: segregation of duties, approval integrity, bounded authority, deployment integrity, the ability to recover.
Edges are the places where trust, value, data, or control crosses a boundary: signer paths, API boundaries, the jump from CI/CD to deployment, the identity provider into the cloud.
The whole thing runs on evidence. Every threat we raise should trace back to a source, a model object, an assumption, a boundary, or an attack path.
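To make the traceability rule concrete, here is an added example (not part of the TRACE specification or repository) that holds a model as the five object kinds and flags any threat that cites no evidence or references an object missing from the model, plus any edge no traceable threat covers. The id scheme, field names, `audit` function, and sample data are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# The five object kinds named in the text; ids and layout are assumptions.
KINDS = {"actor", "role", "asset", "invariant", "edge"}

@dataclass
class Threat:
    title: str
    objects: list                                  # ids of model objects touched
    evidence: list = field(default_factory=list)   # source docs, interviews, reviews

def audit(model, threats):
    """Return (untraceable_threats, uncovered_edges).

    A threat is untraceable if it cites no evidence, names no model
    object, or names an id that is absent from the model.
    An edge is uncovered if no traceable threat references it.
    """
    bad = sorted(oid for oid, kind in model.items() if kind not in KINDS)
    if bad:
        raise ValueError(f"unknown object kind for: {bad}")
    untraceable, covered = [], set()
    for t in threats:
        unknown = [o for o in t.objects if o not in model]
        if not t.evidence or not t.objects or unknown:
            untraceable.append(t.title)
        else:
            covered.update(t.objects)
    edges = {oid for oid, kind in model.items() if kind == "edge"}
    return untraceable, sorted(edges - covered)

# Constructed sample model, not taken from a real engagement.
MODEL = {
    "actor:compromised-contractor": "actor",
    "role:deployer": "role",
    "asset:production-control": "asset",
    "inv:deployment-integrity": "invariant",
    "edge:cicd-to-deploy": "edge",
    "edge:idp-to-cloud": "edge",
}
THREATS = [
    Threat("Deploy key reused outside CI",
           ["role:deployer", "edge:cicd-to-deploy", "inv:deployment-integrity"],
           ["access-review-notes"]),
    Threat("Signer collusion", ["role:signer"], ["interview-03"]),  # id not in model
    Threat("Phished admin session", ["edge:idp-to-cloud"]),         # no evidence cited
]

if __name__ == "__main__":
    print(audit(MODEL, THREATS))
```

An uncovered edge is not a finding by itself; it marks a boundary nobody has yet examined with evidence in hand.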
Three pillars, one method
The method is the same at three layers. What changes is the input and where the weight falls.
TRACE for Protocols works at the design stage: specs, mechanisms, governance rules, economic models, code. You get an invariant map, a STRIDE threat catalogue, and attack trees for the threats that matter most.
TRACE for Systems works at the architecture and infrastructure stage: cloud accounts, IAM, CI/CD, deployment paths, dependency chains. Every edge turns into a zero trust question. Who’s crossing this boundary, with what identity, and what happens if they’re already compromised?
TRACE for Organisations works on how the team actually operates: workshops, interviews, access reviews, custody procedures, incident response. You get a human and process risk register, plus a 30/60/90-day hardening roadmap.
Real risk almost always crosses these layers. A protocol audit can come back clean while the deployment key sits in a Slack message. A multisig can be implemented perfectly while the signing ceremony is a mess. Cover one layer and you’ve bought yourself a false sense of security.
Where to start
The methodology spec and the presentation materials live in the TRACE repository on GitHub. If you want a TRACE model built for your protocol, system, or organisation, talk to us.