Retailer Unlocks the 'Real' Business Risk Picture with Threat Modelling

Group CISO turns to Threatplane to make sense of balancing security priorities in highly dynamic and competitive global business

4 weeks: from start to full risk register

3½ hrs: total time spent by client staff

2 suppliers: new supply chain risks discovered

This case study focusses on an individual threat modelling engagement with this customer, one of several threat models we've created for them over time.

About the customer

A global retail group with £3B in gross sales runs a centralised CRM that sits at the core of its customer operations. The system manages five million customer records and powers loyalty programmes, gift card processing, and point-of-sale integrations across multiple markets. Third-party developers, internal DevOps teams, and global brand partners all interact with it. The CISO had responsibility for this system without documentation of its dependencies, third-party integrations, or data flows.

The situation

There was no comprehensive record of what connected to the CRM, who maintained it, or which external parties had access. Multiple teams were modifying the system independently. The CISO was accountable for it but had no single source of truth to work from.

Every security investment needed a board-level business case. Without knowing which risks were most significant, prioritising spend was guesswork. Generic compliance frameworks did not map to the specific architecture in place. And the consequence of getting it wrong was not an abstract IT problem. A CRM outage or breach meant gift card failures, loyalty scheme disruption, and customer data exposure across multiple markets.

The CISO had a rough sense of what was at stake. What he did not have was evidence. He needed a clear picture of the risk he knew about, and a way to surface what he did not.

How we worked

"Threatplane really impressed us with the way they were able to assess risk and security in this system, which is core to our business, used by many teams and quite complex in its configuration. Their expertise and advice were really valuable in making the right balance of security decisions going forward, and justifying these to senior leadership."

Head of Governance

We ran the engagement over 20 days (4 weeks) with minimal demands on the client team. The full exercise required four workshops totalling around 3½ hours of the CISO's time. We conducted targeted interviews with team leads and developers to build an accurate picture of system dependencies before any threat analysis began.

Findings were mapped using the RROC framework — Revenue, Reputation, Operations, and Compliance — giving each risk a direct business context. The CISO could see which API integrations posed a revenue risk through point-of-sale dependency, and which compliance gaps were relevant to data sovereignty obligations across different markets. That framing produced outputs he could use in board conversations without translation.

During architecture mapping, we uncovered two integrated systems that were entirely unknown to the CISO. An active development environment with a CI/CD pipeline and a third-party backup platform had both been connected to the CRM outside the security procurement process. Neither had been reviewed. Identifying them materially changed the risk picture and produced an additional set of controls for each.

The result

"For the first time, I have a clear view of where our risks actually sit. This isn't just a security report — it's the roadmap I need for the board."

CISO, Global Retail Group

The CISO came out of the engagement with a full documented architecture of the CRM and its dependencies — something that had not existed before. The two shadow systems were identified, documented, and incorporated into a prioritised risk register with business-justified controls for each. Every finding was mapped to RROC categories, giving him a ready-made language for the board conversation he needed to have.

The entire engagement took 20 days (4 weeks) and required 3½ hours of his time. He arrived at the end of it with a clear view of his actual risk position, a defensible investment case, and a security programme he could stand behind.

Our threat modelling fed directly into decisions on controls and vendor selection. The two newly discovered supply chain integrations prompted a review of authentication, access control and monitoring across both. Separately, the models surfaced a number of Salesforce security gaps around privileged access and monitoring — leading to the adoption of a dedicated monitoring solution.

The depth of findings, and the reasoning behind each recommendation, gave the CISO a precise, justified set of controls rather than a generic checklist. The threat models were instrumental in building the business case for that investment — providing the documented evidence of risk that made it straightforward to justify to senior leadership.


Inherited a system you do not fully understand?

Most conversations start with a 30-minute call. We can usually tell you within that whether threat modelling is the right next step.