A threat model looks at the use of entry points to possibly obtain access to an asset. When a threat is possible, it becomes a vulnerability of security requirement.