Analysis of Architectural Robustness Against Security Attacks
Author
Abstract

Software continues to be vulnerable to adversaries attempting to shut down systems or obtain sensitive information from them. An analysis that identifies these threats ahead of time may be able to prevent cascading failures that cause harm to users. One approach to identifying security flaws is to compute the amount of compromise that a software architecture can handle without complete stoppage of service delivery. We show that this method qualitatively identifies parts of a software architecture that are not robust against security attacks and do not meet robustness standards. We call this method robustness through trust boundaries and formally define it in Alloy, a formal modeling tool. Three architectures taken from real-world systems are used to demonstrate the effectiveness of trust boundaries in identifying security vulnerabilities of an architecture and evaluating the robustness of a system.

Year of Conference
2025
Conference Name
European Conference on Software Architecture