ATM is a methodology for analyzing the security posture of an application and it aims to help you lay out the foundations before starting the penetration testing activities. The document should address the security risks during the Architecture phase by identifying and quantifying them before project reaches the Development phase. You will see so many approaches out there for how to handle the threat modeling document (the best one that I recommend is the OWASP Application Threat Modeling document; check it out yourself and you will understand what I mean), but from my personal experience, I suggest you make it as simple as possible and don't waste your time over-describing the security risks of the application, because in this case, you're stepping on the feet of the information security risk assessment document. Use this document as a guide and a brainstorm to achieve the goal of the penetration tests' activities.

Before you start writing this document, you need to attend a few meetings (project kick-off meetings) so that you understand the application that you will be testing. Generally, at the end of the Architecture phase, a detailed architecture document will be produced, and this will allow you to finalize your work.