Basic threats are identified in A.3.2 and valuated in A.3.3 for likelihood and degradation.

Most often, threat identification and valuation follow the TSV specification.


You may add labels to assets. These labels are text strings, and may be strings from the CPE catalog of the NVD.


The National Vulnerability Database (NVD) is a comprehensive cybersecurity resource managed by the National Institute of Standards and Technology (NIST). It provides detailed information on vulnerabilities in software and hardware, including:

  1. CVE (Common Vulnerabilities and Exposures) Entries: Unique identifiers for publicly known vulnerabilities.
  2. CVSS (Common Vulnerability Scoring System) Scores: Metrics to assess the severity of vulnerabilities.
  3. CPE (Common Platform Enumeration): Standardized identifiers for IT products and platforms.
  4. Vulnerability Descriptions: Detailed explanations of vulnerabilities, their impacts, and affected systems.
  5. Remediation Guidance: Recommendations for mitigating or fixing vulnerabilities.


You may use the official CPE dictionary or your own labels. See A.3.4.


You may associate CVEs, either from an external feed or your own, with assets by means of CPE labels. See A.3.5.


CVEs are analyzed as threats that imply a risk to the associated assets until they are patched.
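
The following added example (not code from the tool this page documents) shows one way CPE labels can tie CVEs to assets and leave only unpatched ones as open threats. The asset names, labels, CVE identifiers, function names and the `patched` set are all constructed assumptions, and matching is simplified to "attribute is `*` or equal", with no version ranges.

```python
def split_cpe(label):
    """Return the 11 attributes of a CPE 2.3 formatted string,
    or None when the label is not a CPE string (a custom label)."""
    if not label.startswith("cpe:2.3:"):
        return None
    parts, cur, i = [], "", 0
    while i < len(label):
        ch = label[i]
        if ch == "\\" and i + 1 < len(label):  # keep escaped chars such as "\:"
            cur += label[i:i + 2]
            i += 2
            continue
        if ch == ":":                          # unescaped colon ends an attribute
            parts.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    parts.append(cur)
    attrs = parts[2:]                          # drop "cpe" and "2.3"
    return [a.lower() for a in attrs] if len(attrs) == 11 else None

def label_matches(pattern, label):
    """pattern comes from the CVE, label from the asset."""
    p, l = split_cpe(pattern), split_cpe(label)
    if p is None or l is None:
        return pattern == label                # custom labels: exact match only
    return all(pa == "*" or pa == la for pa, la in zip(p, l))

def open_cve_threats(assets, cves, patched=frozenset()):
    """List (asset, cve) pairs that still count as threats."""
    threats = []
    for asset, labels in assets.items():
        for cve_id, patterns in cves.items():
            if (asset, cve_id) in patched:     # assumption: patches tracked per pair
                continue
            if any(label_matches(p, l) for p in patterns for l in labels):
                threats.append((asset, cve_id))
    return sorted(threats)

# Constructed sample data; identifiers are placeholders, not real CVEs.
ASSETS = {
    "web-01": ["cpe:2.3:a:examplevendor:examplehttpd:2.4.1:*:*:*:*:*:*:*"],
    "db-01": ["cpe:2.3:a:examplevendor:exampledb:9.0:*:*:*:*:*:*:*", "legacy-billing"],
}
CVES = {
    "CVE-0000-0001": ["cpe:2.3:a:examplevendor:examplehttpd:2.4.1:*:*:*:*:*:*:*"],
    "CVE-0000-0002": ["cpe:2.3:a:examplevendor:exampledb:*:*:*:*:*:*:*:*"],
    "CVE-0000-0003": ["cpe:2.3:a:examplevendor:examplehttpd:2.2.0:*:*:*:*:*:*:*"],
    "LOCAL-0001": ["legacy-billing"],
}
```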