LEARNING PATH: Threat Modeling

Threat Modelling Essentials

Having an effective Threat Model for your apps is like creating a game plan for developers. AppSec moves a lot faster and is far less error-prone when you analyse your application, know where a potential attacker is likely to start, and find the most probable attack vectors. When you possess this much information, defending against threats becomes a systematic, efficient process, just like a well-oiled machine.

In the Threat Modelling Essentials course, we’re going to show you everything you need to know about Threat Modelling your apps. We start with background on the subject, discussing various methodologies old and new. As we move into system-wide Threat Modelling, you’re going to learn about inputs, branches and mapping your Threat Model. The final module explores mitigations for Threat Models.

Our courses emphasise learning using hands-on material, giving you a look at strategies, techniques and methodologies that are used in actual product development environments. All our learning material is a distillation of years of security testing experience, knowledge, and original research across our entire team. Once you’ve completed this course, you’ll be able to use what you’ve learnt to create functioning Threat Models at your organization. 

Proficiency: Intermediate
Audience: DevSecOps
Lessons: 7
Cloud Labs: 2
  • Background and Introduction
    • What is Threat Modeling? Why is it important?
    • STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privileges)
    • Attack Trees
    • OCTAVE and NIST
    • PASTA Threat Modeling Methodology
  • System-Wide Threat Modeling
    • Scoping your Threat Model
  • Threat Modeling Inputs
    • Requirements for successful threat modeling
    • Facilitated Threat Model – Requirements and Design stage
    • Use of STRIDE and Elevation of Privilege Card Game for Threat Modeling
    • Diagramming for Threat Models – Approaches with Data and Process Flow
  • Threat Model Branches
    • Attack and Mitigation Models
    • Attacker Lists and Threat Trees
    • Helpful Tools and Tips
    • Threat Modeling Alternatives and Complements: Table-top Exercises
  • Mapping and Prioritizing System-Wide Threat Model
    • Baselining a System-Wide Threat Model
    • Scoring a Threat Model based on multiple Qualitative and Quantitative Metrics and Measurements
  • Mitigations for Threat Model
    • Comprehensive Approach to identifying mitigations against the identified threat model
    • Mapping scored threat models to mitigations to identify viability of mitigations against existing Threat Model
    • Mapping Mitigations to Key Actions and Tasks for mitigation
    • Leveraging existing control frameworks to mitigation plans for higher speed of Threat Modeling
    • Artifacts produced from the Threat Model in terms of:
      • Identified and scored Threat Scenarios
      • Mitigation Plans captured against Threat Scenarios
      • Segues from Mitigation Plans, including Tasks and Key Results
  • An Overview of Trust Zones
  • Find the STRIDE Threats
  • System Threat Modeling Case Study — Acme Electronics