Beyond STRIDE, how do data-flow diagrams, trust boundaries, and attack trees deepen a threat model?
STRIDE gives you threat categories; the artifacts give you where and how. A data-flow diagram (DFD) maps external entities, processes, data stores, and the flows between them — making the system's structure explicit. Trust boundaries are the lines on the DFD where the level of trust changes (browser↔server, app↔DB, tenant↔tenant, microservice↔microservice); data crossing a boundary is exactly where validation, authn/authz, and encryption must be enforced — so threats cluster there. Attack trees model an attacker goal as a root with refined sub-paths (AND/OR), helping you reason about the cheapest path to compromise and where a single control breaks many paths. Practically: draw the DFD, mark trust boundaries, apply STRIDE per element crossing a boundary, and use attack trees for the high-value goals.
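The attack-tree reasoning above (cheapest path to compromise, and where a single control breaks many paths), as an added example that is not part of the original page. The tree, node names, costs, and control names are constructed for illustration, using a tenant↔tenant boundary as the goal:

```python
import math
from itertools import product

# Constructed tree (hypothetical names and relative costs).
# Leaf:  ("leaf", name, attacker_cost, control_that_blocks_it)
# Inner: ("or" | "and", name, [children])
TREE = ("or", "read another tenant's data", [
    ("and", "abuse app across tenant boundary", [
        ("leaf", "obtain any valid session", 2, "mfa"),
        ("leaf", "change tenant id in request", 1, "server-side authz"),
    ]),
    ("and", "query DB directly", [
        ("leaf", "reach DB port from app network", 4, "network segmentation"),
        ("leaf", "reuse app DB credentials", 3, "per-tenant DB roles"),
    ]),
    ("leaf", "read unscoped export via API", 3, "server-side authz"),
])

def cheapest(node, applied=frozenset()):
    """Minimum attacker cost; a leaf whose control is applied costs infinity."""
    kind = node[0]
    if kind == "leaf":
        _, _, cost, control = node
        return math.inf if control in applied else cost
    costs = [cheapest(c, applied) for c in node[2]]
    return min(costs) if kind == "or" else sum(costs)  # OR: any child, AND: all

def paths(node):
    """Every attack path as a list of leaves."""
    kind = node[0]
    if kind == "leaf":
        return [[node]]
    child_paths = [paths(c) for c in node[2]]
    if kind == "or":
        return [p for ps in child_paths for p in ps]
    return [sum(combo, []) for combo in product(*child_paths)]

def control_impact(tree):
    """Per control: (paths broken, cheapest remaining attacker cost)."""
    all_paths = paths(tree)
    controls = {leaf[3] for p in all_paths for leaf in p}
    return {c: (sum(any(l[3] == c for l in p) for p in all_paths),
                cheapest(tree, frozenset({c})))
            for c in controls}

if __name__ == "__main__":
    print("cheapest path cost:", cheapest(TREE))
    for control, (broken, remaining) in sorted(control_impact(TREE).items()):
        print(f"{control}: breaks {broken} path(s), cheapest remaining = {remaining}")
```

In this constructed tree, only the control that sits on the trust boundary itself breaks more than one path and raises the cheapest remaining cost; the others leave the cheapest path untouched.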