Complete Workflow Guide

End-to-End: From Architecture to Compliance Evidence

Master the complete Product Security Hub workflow—from drawing your first architecture diagram to exporting audit-ready compliance evidence.

25 min read · Complete workflow

The Complete Product Security Hub Workflow

Product Security Hub connects your architecture, threats, requirements, and vulnerabilities into a unified security posture. Here's how everything flows together:

  1. Architecture: Draw diagrams & map to components
  2. Components: Auto-populate from diagrams or add manually
  3. Threats & Requirements: Auto-generated based on component types
  4. Residual Risk: Assess gaps when requirements aren't met
  5. SBOM & Vulnerabilities: Track dependencies & known CVEs
  6. Export & Evidence: Generate compliance-ready artifacts


Phase 1: Build Your Architecture

Every security program starts with understanding what you're protecting. Product Security Hub includes an embedded draw.io editor that lets you create architecture diagrams directly in the platform.

Creating Your Diagram

  1. Navigate to Architecture — Open your product and click the "Architecture" tab to access the diagram editor.
  2. Add shapes from the palette — Drag components like servers, databases, APIs, users, and external services onto the canvas.
  3. Draw data flows — Connect shapes with arrows to show how data moves through your system.
  4. Define trust boundaries — Group components by trust level (internal network, DMZ, external, etc.).

🔗 Linking Diagram Assets to Components

This is the key step that powers Product Security Hub's automation. Each shape in your diagram can be linked to a component type from Product Security Hub's catalog.

  • Select a shape in the diagram editor
  • In the properties panel, choose a Component Type from the catalog (e.g., "Web Server", "Database", "API Gateway")
  • This link enables Product Security Hub to auto-generate relevant threats and requirements for that asset

Phase 2: Manage Your Components

Components are the building blocks of your product's security model. Product Security Hub gives you two ways to populate your component inventory:

From Architecture

When you link a diagram shape to a component type and save, Product Security Hub can automatically add that component to your inventory.

Benefit: Keeps your diagram and component list in sync. Visual changes flow directly into your security model.

Manual Entry

Navigate to the Components page and click "Add Component" to manually add components that may not appear in your diagram.

Use case: Internal services, shared infrastructure, or inherited components that aren't product-specific.

⚡ What Happens When Components Are Added

Once a component is added to your product (via diagram or manually), Product Security Hub automatically pulls in the associated threats and security requirements from the catalog based on that component type. No manual mapping required—the intelligence is built into the component definitions.


Phase 3: Review Threats & Requirements

With components in place, Product Security Hub auto-generates a tailored threat model and requirements checklist. Your job is to review and assess each one.

Working with Threats

Product Security Hub uses the STRIDE methodology to categorize threats. For each threat, you'll need to set a disposition:

  • Mitigated: You have controls in place that address this threat.
  • Transferred: Risk is handled by a third party (e.g., cloud provider).
  • Accepted: Risk is acknowledged and accepted by stakeholders.
  • Not Applicable: Threat doesn't apply to your specific implementation.

Working with Requirements

Security requirements are linked to threats—meeting them helps mitigate the associated risks. For each requirement, indicate your compliance status:

  • Met: Requirement is fully implemented.
  • Partially Met: Some controls exist but gaps remain.
  • Not Met: Requirement is not implemented.

🚨 When Requirements Aren't Met: Residual Risk

Marking a requirement as "Not Met" triggers an important workflow: Product Security Hub automatically creates a residual risk record tied to the associated threat(s).

This ensures that unmitigated risks are tracked, documented, and visible to stakeholders—not hidden in a spreadsheet.
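The propagation described in this phase (component type seeds threats and requirements; a "Not Met" requirement yields a residual risk tied to its threats), as an added illustration that is not Product Security Hub's own code or API. The catalog entries, STRIDE labels and identifiers are constructed for the example.

```python
"""Component additions seed threats/requirements; a "Not Met" requirement
becomes a residual risk tied to its threats. Added illustration, not Product
Security Hub's own code or API; catalog entries and ids are constructed."""
from dataclasses import dataclass, field

# Constructed catalog: component type -> threats (id -> STRIDE category)
# and requirements (id -> threat ids that requirement mitigates).
CATALOG = {
    "Web Server": {
        "threats": {"T-WS-1": "Tampering", "T-WS-2": "Information Disclosure"},
        "requirements": {"R-WS-1": ["T-WS-1"], "R-WS-2": ["T-WS-2"]},
    },
    "Database": {
        "threats": {"T-DB-1": "Information Disclosure",
                    "T-DB-2": "Elevation of Privilege"},
        "requirements": {"R-DB-1": ["T-DB-1", "T-DB-2"]},
    },
}
DISPOSITIONS = {"Mitigated", "Transferred", "Accepted", "Not Applicable"}

@dataclass
class Product:
    components: set = field(default_factory=set)
    threats: dict = field(default_factory=dict)       # threat id -> disposition
    requirements: dict = field(default_factory=dict)  # requirement id -> status

    def add_component(self, component_type):
        """Pull the catalog threats and requirements in, still unreviewed."""
        entry = CATALOG[component_type]
        self.components.add(component_type)
        for tid in entry["threats"]:
            self.threats.setdefault(tid, "Unreviewed")
        for rid in entry["requirements"]:
            self.requirements.setdefault(rid, "Unreviewed")

    def residual_risks(self):
        """One residual risk per 'Not Met' requirement, keyed by requirement."""
        risks = {}
        for comp in sorted(self.components):
            entry = CATALOG[comp]
            for rid, tids in entry["requirements"].items():
                if self.requirements.get(rid) == "Not Met":
                    risks[rid] = {"threats": tids,
                                  "stride": sorted({entry["threats"][t] for t in tids})}
        return risks

    def unreviewed_threats(self):
        """Threats that still lack one of the four dispositions."""
        return sorted(t for t, d in self.threats.items() if d not in DISPOSITIONS)
```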


Phase 4: Assess Residual Risk

Residual risks represent the exposure that remains when security requirements can't be fully met. Product Security Hub helps you document and manage these gaps systematically.

Residual Risk Assessment Process

  1. Review auto-created risks — Navigate to the Residual Risk page to see risks generated from unmet requirements.
  2. Assess severity — Use the CVSS calculator or your organization's risk matrix to rate each residual risk.
  3. Document justification — Explain why the requirement can't be met and what compensating controls exist (if any).
  4. Get approval — Route significant residual risks through your risk acceptance process.

💡 Pro Tip: Use AI to Draft Justifications

Product Security Hub's AI assistant can help you draft risk justifications and CVSS score rationales. Click the "Generate" button on any text field to get a starting point, then refine as needed.


Phase 5: Track SBOM & Vulnerabilities

Beyond architecture-level threats, Product Security Hub helps you track vulnerabilities in your software dependencies through SBOM management.

The SBOM Workflow

  1. Import your SBOM — Upload a CycloneDX file, use the Excel template, or add components manually.
  2. Scan for vulnerabilities — Click "Scan Now" or configure automatic scanning to check your components against the Google OSV database.
  3. Triage results — Review discovered CVEs and prioritize based on severity and exploitability.
  4. Track remediation — Document patches, updates, and workarounds applied to address vulnerabilities.
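What a CycloneDX-to-OSV scan does under the hood, as an added example that is not Product Security Hub's own code: it turns each component's purl into one entry of an OSV batch query and joins the reply back onto the packages. The SBOM and the OSV reply are constructed inline, so nothing is sent over the network.

```python
"""Build an OSV batch query from a CycloneDX SBOM and triage the answer.
Added example, not Product Security Hub's own code: the SBOM and the OSV
response below are constructed inline; nothing is sent over the network."""
import json

# Constructed CycloneDX 1.4 document with two library components.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.15",
         "purl": "pkg:npm/lodash@4.17.15"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
    ],
})

# Constructed stand-in for a POST https://api.osv.dev/v1/querybatch reply:
# results[i] answers queries[i]; a package with no findings gets {}.
SAMPLE_RESPONSE = {"results": [
    {"vulns": [{"id": "GHSA-EXAMPLE-0002", "modified": "2024-01-01T00:00:00Z"},
               {"id": "GHSA-EXAMPLE-0001", "modified": "2024-01-01T00:00:00Z"}]},
    {},
]}

def osv_querybatch(sbom_json):
    """One query per component purl (the purl carries ecosystem, name, version)."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return {"queries": [{"package": {"purl": c["purl"]}}
                        for c in doc.get("components", []) if c.get("purl")]}

def triage(batch, response):
    """Join findings back onto purls, most findings first. querybatch returns
    only ids; severity for prioritisation comes from GET /v1/vulns/{id}."""
    findings = {}
    for query, result in zip(batch["queries"], response["results"]):
        ids = sorted(v["id"] for v in result.get("vulns", []))
        if ids:
            findings[query["package"]["purl"]] = ids
    return dict(sorted(findings.items(), key=lambda kv: -len(kv[1])))

if __name__ == "__main__":
    batch = osv_querybatch(SBOM_JSON)
    print(json.dumps(batch, indent=2))
    print(triage(batch, SAMPLE_RESPONSE))
```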

📝 Manually Documenting Patches

Product Security Hub allows you to manually add patch records and tie them to specific vulnerabilities and risks. This is useful for:

  • Documenting vendor-provided patches that update multiple components
  • Recording custom fixes or workarounds for vulnerabilities
  • Creating an audit trail of security updates over time

Phase 6: Export Compliance Evidence

Once your product's security posture is documented, Product Security Hub makes it easy to export everything for audits, reviews, or integration with other tools.

Excel Export

Export your entire product security profile to a comprehensive Excel workbook with multiple sheets:

  • Product overview & metadata
  • Components list
  • Threats with dispositions
  • Requirements with compliance status
  • Residual risks
  • SBOM components & vulnerabilities

JSON Export (Product Security Hub Format)

Export to Product Security Hub's structured JSON format, a product security data structure designed for:

  • Integration with CI/CD pipelines
  • Programmatic analysis and reporting
  • Backup and version control
  • Data migration and import into other Product Security Hub instances

How to Export

  1. Navigate to your product's main dashboard.
  2. Click the Export button in the action bar.
  3. Choose your format: Excel (.xlsx) or JSON (.json).
  4. Download and share with auditors and stakeholders, or archive for your records.

Putting It All Together

The Product Security Hub workflow creates a connected security story—from the architecture you draw, to the threats you identify, to the evidence you export.

Architecture → Components → Threats → Requirements → Residual Risk → Evidence

Ready to Start Your Security Journey?

From first diagram to compliance evidence—Product Security Hub guides you through every step of building a robust product security program.