Comparison guide
STRIDE vs PASTA
Two threat-modeling methodologies, two very different costs - and only one is a fast match for an FDA submission.
Side-by-side breakdown
| Dimension | STRIDE | PASTA |
|---|---|---|
| Origin | Microsoft, 1999. | Process for Attack Simulation and Threat Analysis, 2012. |
| Type | Threat-categorization mnemonic (6 threat types). | Seven-stage risk-centric methodology. |
| Inputs | Data-flow diagram of the system. | Business objectives + technical scope + threat intelligence. |
| Effort per device | 1-3 weeks for a typical Class II device. | 6-12 weeks; requires business-impact workshops. |
| Output | Threat list mapped to STRIDE categories with mitigations. | Attack scenarios with business-impact scoring and mitigation roadmap. |
| FDA suitability | Direct fit - maps cleanly to the FDA's threat-modeling expectations. | Overkill for most submissions; useful for Class III or life-sustaining devices. |
| Tooling | Microsoft Threat Modeling Tool, OWASP Threat Dragon, IriusRisk. | IriusRisk, ThreatModeler (with custom PASTA templates). |
When to use which
Start every program with STRIDE on a current data-flow diagram. The output is exactly what reviewers want to see and what AAMI SW96 expects as the spine of the security risk file.
Layer PASTA only when the device class or harm profile demands business-impact analysis (typically PMA-class implantables). Use it to extend, not replace, the STRIDE output.
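The STRIDE pass described above, worked through as an added example (not code from this guide or from any tool it names): a Python enumeration of STRIDE-per-element threats over a constructed data-flow diagram of a hypothetical Class II infusion pump. The device, its element names and trust zones are assumptions for illustration; the per-element applicability table follows Microsoft's STRIDE-per-element mapping, and flows that cross a trust boundary are flagged and listed first so the review can prioritise them.

```python
from dataclasses import dataclass
from enum import Enum

class Kind(Enum):
    EXTERNAL = "external entity"
    PROCESS = "process"
    STORE = "data store"
    FLOW = "data flow"

# STRIDE-per-element: which of the six categories apply to each DFD element kind
# (Microsoft's mapping; R on a data store matters when it holds audit/log data).
APPLICABLE = {Kind.EXTERNAL: "SR", Kind.PROCESS: "STRIDE",
              Kind.STORE: "TRID", Kind.FLOW: "TID"}
CATEGORY = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
            "I": "Information disclosure", "D": "Denial of service", "E": "Elevation of privilege"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: Kind
    zone: str              # trust zone the element sits in
    endpoints: tuple = ()  # flows only: (source name, destination name)

def stride_threats(elements):
    """One threat record per applicable (element, category) pair; flows whose
    endpoints sit in different trust zones are flagged and listed first."""
    by_name = {e.name: e for e in elements}
    threats = []
    for e in elements:
        crosses = False
        if e.kind is Kind.FLOW:
            src, dst = (by_name[n] for n in e.endpoints)
            crosses = src.zone != dst.zone
        for letter in APPLICABLE[e.kind]:
            threats.append({"element": e.name, "kind": e.kind.value,
                            "category": CATEGORY[letter], "crosses_boundary": crosses})
    return sorted(threats, key=lambda t: not t["crosses_boundary"])

def example_dfd():
    """Constructed DFD for a hypothetical Class II infusion pump (sample data, not a real device)."""
    return [
        Element("Clinician app", Kind.EXTERNAL, "hospital network"),
        Element("Pump controller", Kind.PROCESS, "device"),
        Element("Therapy log", Kind.STORE, "device"),
        Element("Dose commands", Kind.FLOW, "hospital network", ("Clinician app", "Pump controller")),
        Element("Log writes", Kind.FLOW, "device", ("Pump controller", "Therapy log")),
    ]

if __name__ == "__main__":
    print(*stride_threats(example_dfd()), sep="\n")
```

The records are the raw threat list; a mitigation column and the AAMI SW96 risk-file cross-references are added by the reviewer, not generated here.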