Open this lesson in your favourite AI. It'll walk you through the why, explain the demo, and quiz you on the try-it list.
Before you start testing, you threat-model: what are the attacker's likely goals (data theft, ransomware, fraud), which paths get there, and what success looks like. The threat model focuses your time on what matters; otherwise you spend 4 days on theoretical XSS and miss the unauthenticated SSRF that drains the cloud.
For a SaaS pentest, attacker goals: (1) read other customers' data, (2) compromise the platform admin, (3) exfil source/configs, (4) extort via ransomware. For each, sketch the most likely paths. Prioritise paths the existing controls don't address.
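As an added example, not part of the lesson, here is that threat model encoded as data plus the prioritisation rule the paragraph gives, so the output is a test order rather than a diagram. The four goals come from the page; the path names, scores, and control names are constructed illustrations.

```python
# Added example, not from the lesson: a pentest-time threat model as data plus a
# prioritisation rule. Goals match the SaaS scenario above; paths, scores and
# control names are constructed illustrations, not findings from any product.
from dataclasses import dataclass, field

@dataclass
class Path:
    goal: str          # attacker goal this path serves
    name: str          # how the attacker would get there
    likelihood: int    # 1 (rare) .. 5 (routine), tester's estimate
    impact: int        # 1 (nuisance) .. 5 (business-ending)
    claimed_controls: list = field(default_factory=list)  # what the client says blocks it

@dataclass
class ThreatModel:
    goals: list
    paths: list
    verified_controls: set   # controls with evidence that they actually work

    def is_covered(self, path):
        return any(c in self.verified_controls for c in path.claimed_controls)

    def uncovered(self):
        """Paths no verified control addresses: these are tested first."""
        return [p.name for p in self.paths if not self.is_covered(p)]

    def unverified_claims(self):
        """Controls the client relies on but has not evidenced: verify before trusting."""
        return {c for p in self.paths for c in p.claimed_controls} - self.verified_controls

    def test_order(self):
        """Uncovered paths first, then by risk = likelihood * impact, descending."""
        key = lambda p: (self.is_covered(p), -(p.likelihood * p.impact))
        return [p.name for p in sorted(self.paths, key=key)]

# Constructed SaaS model: the lesson's four attacker goals, one or two paths each.
SAAS_MODEL = ThreatModel(
    goals=["read other customers' data", "compromise the platform admin",
           "exfil source/configs", "extort via ransomware"],
    paths=[
        Path("read other customers' data", "missing tenant check on export", 4, 5, ["tenant-scoped authz"]),
        Path("read other customers' data", "theoretical XSS in comments", 2, 3, ["CSP", "output encoding"]),
        Path("compromise the platform admin", "unauthenticated SSRF to cloud", 3, 5),
        Path("exfil source/configs", "CI secrets in build logs", 2, 4, ["secret scanning"]),
        Path("extort via ransomware", "backups reachable from prod", 1, 5, ["offline backups"]),
    ],
    verified_controls={"CSP", "output encoding", "offline backups"},
)
```

`SAAS_MODEL.test_order()` gives the order to spend engagement time in, and `SAAS_MODEL.unverified_claims()` lists the controls whose existence you should confirm before letting them lower a path's priority.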
Use these three in order. Each builds on the one before.
In one paragraph, explain pentest-time threat modelling.
Walk me through threat-modelling a SaaS pre-engagement.
Design a threat model template you'd use across multiple pentests.