Manual with process
A security consultant (internal or external) works through a threat modeling playbook with the development tech lead to identify threats and, ultimately, the security controls that mitigate the relevant ones.
The playbook includes guidance on which questions to ask and on which tools to use and when. The quality of the output depends heavily on the quality of the playbook.
Resources
- Step-by-step threat modeling process (also explains STRIDE): https://owasp.org/www-community/Threat_Modeling_Process
- Step-by-step threat modeling using PASTA: https://versprite.com/blog/what-is-pasta-threat-modeling/