Module quiz: Threat modeling :Advanced Cybersecurity Concepts and Capstone Project (Microsoft Cybersecurity Analyst Professional Certificate) Answers 2025
1. Question 1
Select all that apply
✅ Database
✅ User interface
❌ Operating system
Explanation:
Threat modeling decomposition focuses on data stores, data flows, processes, and interfaces. The OS is part of the underlying platform, not typically decomposed as an application component.
2. Question 2
✅ True
❌ False
Explanation:
Finding vulnerabilities requires static/dynamic code review and automated vulnerability scans.
3. Question 3
Correct answer:
✅ Privilege
❌ Privacy
❌ Authentication
Explanation:
STRIDE ends with Elevation of Privilege.
4. Question 4
Correct answer:
❌ Predicting specific attack methods
✅ Reducing the attack surface of a system or application
❌ Developing a threat encyclopedia
Explanation:
Threat modeling identifies threats early, helping reduce attack surface.
5. Question 5
❌ True
✅ False
Explanation:
PASTA has 7 stages, not four.
6. Question 6
Correct answer:
❌ Threat landscapes…
✅ Base Metrics, Temporal Metrics, Environmental Metrics
❌ Attack Vectors…
Explanation:
CVSS v3.1 uses these three metric groups for vulnerability scoring.
7. Question 7
Correct answer:
❌ Second option
✅ First option: unified visual view of security events
Explanation:
VAST = Visual, Agile, Simple Threat modeling — focuses on visual diagrams and enterprise-wide visibility.
8. Question 8
Correct answer:
✅ Not Applicable, Not Started, Needs Investigation, Mitigated
❌ Internal/External…
❌ Malware/Phishing…
Explanation:
These are the standard threat status classifications in Microsoft’s Threat Modeling Tool.
9. Question 9
Correct answer:
❌ Validate controls
❌ Create diagram
✅ Identify potential security threats and vulnerabilities
Explanation:
Phase 1 of SDL is all about analysis and threat identification.
10. Question 10
Select all that apply
✅ Structured approaches (STRIDE, kill chains, attack trees)
❌ Risk acceptance
❌ Elimination of threats
✅ Brainstorming
Explanation:
Threat identification methods include structured methodologies and collaborative brainstorming. Risk acceptance/elimination are responses, not identification techniques.
🧾 Summary Table
| Q# | Correct Answer |
|---|---|
| 1 | Database, User interface |
| 2 | True |
| 3 | Privilege |
| 4 | Reducing attack surface |
| 5 | False |
| 6 | Base, Temporal, Environmental |
| 7 | Unified visual view scenario |