What this page is
A public summary of how Rahoto runs its threat-modeling process. We don’t publish the full threat model on the open web — it would essentially be a how-to-attack-Rahoto document, useful only to attackers and uninteresting to legitimate buyers. The full document is shared under NDA during the procurement security review. Email [email protected].
What follows is what your security team usually needs to assess our maturity and process at the proposal stage.
Methodology
We use STRIDE, the Microsoft threat-modeling framework, applied per attack surface. For each surface we enumerate threats in six categories:
- Spoofing — pretending to be someone you’re not
- Tampering — modifying data in transit or at rest
- Repudiation — performing an action and denying it
- Information disclosure — leaking data outside its tenant
- Denial of service — making the platform unavailable
- Elevation of privilege — gaining capabilities you weren’t granted
For each identified threat, we document the mitigation, the enforcing service or control, and the test that verifies it works. Gaps are tracked in a public-internal gap log with severity, owner, and target date.
Scope
The current threat model covers eight distinct attack surfaces. We don’t list them publicly to avoid giving attackers a checklist, but they include the major external surfaces (HTTP, real-time transport, authentication, public report viewer, webhook receivers, administrative endpoints), the identity-federation surface (SAML / OIDC / SCIM), and the lateral-movement surface (customer-managed network connectors).
Cadence
- Updated each release. New surfaces or material changes to existing ones trigger a re-review.
- Living document. Gaps are tracked and re-prioritized monthly.
- Third-party pentest at least annually against the full surface inventory.
- Continuous monitoring for indicators of attempted exploitation against the surfaces we know about.
What we publicly commit to
| Severity | Acknowledge | Mitigate | Permanent fix |
|---|---|---|---|
| P0 (active exploitation, customer data exposed) | 1 hour | 4 hours | 24 hours |
| P1 (exploitable in production, no exposure yet) | 4 hours | 24 hours | 7 days |
| P2 (theoretical, requires unusual conditions) | 1 business day | 7 days | 30 days |
| P3 (best-practice gap, no exploit path) | 5 business days | 30 days | next release |
These are the same SLAs codified in our Remediation SLA document and quotable in MSAs.
What this summary deliberately does not cover
- The specific list of attack surfaces and how they’re separated
- The specific threats we’ve identified per surface
- Our internal compensating controls and where they’re deployed
- The current gap log: open issues, their severity, and their mitigation status
- Pen-test findings, including those already remediated
- Detection rules and indicators of compromise we monitor for
These are in the NDA-gated document. They’re not secret because they’re vulnerabilities — they’re under NDA because exposing them is reconnaissance for an attacker and gives no useful information to a procurement reviewer.
How to get the full document
Email [email protected] with your company name and a brief description of the engagement. We send the full threat model, the architecture document, and the latest pen-test summary as a bundle, under mutual NDA, within one business day.
If you have a specific security question that doesn’t require the full document, ask us directly — we frequently answer narrow questions (“Do you store passwords?” “How are SAML responses validated?”) without needing to send the whole bundle.