STRIDE, PASTA, and other widely used threat modeling methodologies are often applied to simple applications and services. However, as systems scale and grow in complexity, these traditional approaches tend to fall short, often resulting in missed threat scenarios and incomplete threat surface analysis.

In this paper, we will define what constitutes a complex system and explore various types, including distributed networks, microservices, third-party integrations, cloud environments, and IoT devices. As systems expand and involve increasingly interconnected components, the risk of overlooking vulnerabilities rises. We will also discuss how to effectively perform threat modeling for such complex systems, emphasizing the need for more advanced, adaptable techniques that address the unique challenges posed by these evolving architectures.