Risk Assessment & Threat Modelling
Systematically identify, analyse and prioritise security risks to make informed decisions about where to invest your security resources.
Why Risk Assessment Matters
You can't protect everything equally. Risk assessments help you focus your security efforts on the threats that matter most: the ones with the highest likelihood and impact. For regulated products, a documented risk assessment is an explicit obligation under the Cyber Resilience Act, underpins conformity with the Radio Equipment Directive's cybersecurity requirements (assessed against the EN 18031 standards), and supports assessment against ETSI EN 303 645.
Our Approach
Asset Identification
We work with your team to identify and classify security-relevant assets including data, interfaces, services, hardware components, and trust boundaries.
Threat Modelling (STRIDE)
Using the STRIDE methodology, we systematically identify threats across six categories:
- Spoofing — can an attacker impersonate a legitimate entity?
- Tampering — can data or code be modified without detection?
- Repudiation — can a party deny having performed an action because no trustworthy record of it exists?
- Information Disclosure — can sensitive data be exposed?
- Denial of Service — can availability be disrupted?
- Elevation of Privilege — can an attacker gain access or capabilities beyond what they are authorised for?
Attack Tree Analysis
For critical assets, we develop attack trees that model the different paths an adversary could take to achieve their objective. Each path is annotated with the effort or access it demands, giving a structured view of how your attack surface can be exploited and highlighting the lowest-cost paths, which are the ones to mitigate first.
Risk Scoring & Prioritisation
Each identified risk is scored based on likelihood and impact, using a framework aligned with ISO 27005 and the specific requirements of your regulatory context. Risks are prioritised to guide your remediation investment.
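As a worked illustration of the two techniques above (attack-tree evaluation and likelihood × impact scoring), here is a small self-contained script. It is an added example, not tooling from this page or its authors: the gateway, its attack tree, the leaf costs, the register entries and the High/Medium/Low thresholds are all constructed for the illustration. An OR node takes the cheapest child, an AND node sums its children, and the register is sorted by score with impact as the tie-breaker.

```python
"""Attack-tree evaluation and likelihood x impact risk scoring.

Constructed illustration: the device, the tree and the risks below are
made up for this example and do not come from a real assessment.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information Disclosure",
          "Denial of Service", "Elevation of Privilege")


@dataclass
class Node:
    """Attack-tree node. A LEAF carries the attacker's cost (any consistent
    unit); OR succeeds if any child does, AND needs every child."""
    name: str
    kind: str = "LEAF"
    cost: float = 0.0
    children: List["Node"] = field(default_factory=list)


def cheapest_path(node: Node) -> Tuple[float, List[str]]:
    """Minimum attacker cost to reach `node`, plus the leaves that achieve it.
    OR: take the cheapest child. AND: all children are needed, so sum them."""
    if node.kind == "LEAF":
        return node.cost, [node.name]
    if node.kind == "OR":
        return min((cheapest_path(c) for c in node.children), key=lambda r: r[0])
    if node.kind == "AND":
        total, leaves = 0.0, []
        for child in node.children:
            cost, path = cheapest_path(child)
            total += cost
            leaves.extend(path)
        return total, leaves
    raise ValueError(f"unknown node kind {node.kind!r}")


# Constructed tree for a hypothetical IoT gateway: three ways to obtain the
# firmware signing key. Costs are assumed figures, not measurements.
SIGNING_KEY_TREE = Node("Obtain firmware signing key", "OR", children=[
    Node("Physical extraction", "AND", children=[
        Node("Gain physical access to device", cost=2),
        Node("Dump external SPI flash", cost=3),
    ]),
    Node("Debug port extraction", "AND", children=[
        Node("Bypass debug lock", cost=8),
        Node("Read key over JTAG", cost=1),
    ]),
    Node("Exploit unauthenticated update endpoint", cost=4),
])


@dataclass
class Risk:
    """One row of the risk register, scored on 1..5 likelihood and impact."""
    id: str
    stride: str
    description: str
    likelihood: int   # 1 = rare ... 5 = almost certain
    impact: int       # 1 = negligible ... 5 = severe

    def __post_init__(self) -> None:
        if self.stride not in STRIDE:
            raise ValueError(f"{self.id}: unknown STRIDE category {self.stride!r}")
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{self.id}: {label} must be 1..5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def rating(self) -> str:
        # Assumed thresholds on the 5x5 matrix; tune them to your risk appetite.
        if self.score >= 15:
            return "High"
        if self.score >= 8:
            return "Medium"
        return "Low"


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by impact, because a severe outcome
    deserves attention even when it is no more likely than a mild one."""
    return sorted(risks, key=lambda r: (-r.score, -r.impact))


# Constructed register entries for the same hypothetical gateway.
RISK_REGISTER = [
    Risk("R1", "Spoofing", "Update endpoint accepts firmware from any host", 4, 5),
    Risk("R2", "Tampering", "External SPI flash readable with physical access", 2, 5),
    Risk("R3", "Information Disclosure", "Debug log prints session tokens", 3, 3),
    Risk("R4", "Denial of Service", "Malformed packet hangs the parser; no watchdog", 3, 2),
    Risk("R5", "Repudiation", "Admin actions not written to a tamper-evident log", 2, 2),
]

if __name__ == "__main__":
    cost, leaves = cheapest_path(SIGNING_KEY_TREE)
    print(f"Cheapest path to '{SIGNING_KEY_TREE.name}': cost {cost} via {leaves}")
    for r in prioritise(RISK_REGISTER):
        print(f"{r.id} {r.rating:6} score={r.score:2} [{r.stride}] {r.description}")
```

Note how the cheapest branch of the tree (the unauthenticated update endpoint, cost 4) is also the register's top-scored risk: evaluating the tree is one defensible way to justify the likelihood figure you put in the register, rather than picking it by feel.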
Mitigation Recommendations
For each identified risk, we provide practical, implementable mitigation recommendations — ranging from technical controls to process improvements.
Deliverables
- Comprehensive risk register with scored and prioritised risks
- Threat model documentation (data flow diagrams, STRIDE analysis, attack trees)
- Executive risk summary for board-level stakeholders
- Remediation roadmap with estimated effort and priority
- Regulatory-ready documentation for RED, CRA, and ETSI compliance
When to Conduct a Risk Assessment
- During product design — to build security in from the start
- Before EN 18031 or CRA compliance testing
- After a significant architecture or feature change
- Following a security incident
- As part of your annual security review cycle
"A risk assessment is the foundation of every good security programme. Without one, you're guessing where your vulnerabilities are."
Combine risk assessment with our penetration testing services for a complete view: understand where the risks are, then validate them with hands-on testing.