IT security audit: is threat modelling key to reproducible success of just following a methodology (e.g. ethical hacking)?

To sum up the methodology of ethical hacking, what you do is:

  • Information gathering (get the IP, domains, etc.)
  • Fingerprint the IP (what OS, what services are running, etc.)
  • Vulnerability assessment (are any services or applications found to be vulnerable?)
  • Exploitation: verify the result of the step above

But I came to realize during my security audit that I end up either asking Google questions like “what should I do to hack system A?” or questions like “what are the tools to assess the security of system A?”

It’s like looking for a needle in a haystack.

Then I read a paper in which the audit started with threat modelling. I was just asking myself how a hacker (either a script kiddie or an ethical hacker) should perform threat modelling in order to have results meaningful to integrate and follow the methodology (info gathering, fingerprinting, vuln assessment, etc.).

I’m starting to believe this would make the security audit more professional and its results more reproducible. What do you think?