Threat modeling identifies potential attacks before they happen. Attack simulations test defenses by mimicking real attackers in a controlled environment.
Example:
A company maps out all assets and possible attack paths. Simulated attacks test if security controls can stop an intruder.
Exercise: Draw a simple threat model for a web application, identifying critical assets and potential attack vectors.