🚀 Early Adopter Price: $39/mo for lifeClaim Your Price →
Threat Modeling Basics
Coming Soon
Expected availability announced soon

This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.

Notify me
SecurityAssociateFreeComing Soon

Threat Modeling Basics

The Threat Modeling Basics course teaches structured approaches to identifying and mitigating threats during system design. Learners practice STRIDE, attack trees, data flow diagrams, and lightweight modern frameworks (Shostack's four-question framework, MITRE ATT&CK), and produce concrete mitigations for realistic systems.

Who Should Take This

Software architects, developers, and security engineers who design or review systems and want to integrate security thinking into the design process. Assumes familiarity with software architecture concepts. Learners finish able to lead a threat modeling session, produce a DFD, apply STRIDE, and prioritize mitigations.

What's Included in AccelaStudy® AI

Adaptive Knowledge Graph
Practice Questions
Lesson Modules
Console Simulator Labs
Exam Tips & Strategy
13 Activity Formats

Course Outline

1Foundations
3 topics

Why Threat Model

  • Define threat modeling and identify its position in the SDLC: design-time, before code, complementary to runtime testing.
  • Compare design-time threat modeling with runtime testing (DAST, pen testing) and identify which classes of issues each is most likely to find.

Shostack's Four Questions

  • Identify Shostack's four questions: what are we building, what can go wrong, what are we doing about it, did we do a good job.
  • Apply the four-question framework to a small system (e.g., a webhook receiver) and produce concrete answers to each question.

Common Inputs and Outputs

  • Identify common threat-model inputs (architecture diagrams, asset inventories, security requirements) and outputs (threat list, prioritized mitigations, residual risk register).
2Data Flow Diagrams
3 topics

DFD Notation

  • Identify the four DFD primitives: external entity, process, data store, and data flow.
  • Apply DFD notation to draw a level-0 diagram of a sample web application showing user, web app, database, and external API.

Trust Boundaries

  • Define a trust boundary and identify common boundaries: process boundary, network boundary, machine boundary, organizational boundary.
  • Apply trust boundaries to a DFD and identify which data flows cross trust boundaries (where threats are concentrated).
  • Analyze a multi-tenant SaaS DFD and evaluate whether tenant-isolation boundaries are correctly placed.

DFD Levels and Decomposition

  • Distinguish level-0 (context) from level-1 (decomposed) DFDs and identify when to decompose further.
  • Apply progressive DFD decomposition for a complex system, stopping at the level where each process is small enough to threat-model concretely.
3STRIDE
3 topics

STRIDE Categories

  • Identify the six STRIDE categories: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege.
  • Identify the canonical STRIDE-to-property mapping: Spoofing↔Authentication, Tampering↔Integrity, Repudiation↔Non-repudiation, Info disclosure↔Confidentiality, DoS↔Availability, EoP↔Authorization.

STRIDE-per-Element

  • Apply STRIDE-per-element by examining each DFD element and asking which STRIDE categories apply (e.g., processes are vulnerable to all six; data stores not to spoofing).
  • Analyze a DFD process that spans a trust boundary and produce concrete STRIDE-derived threats grounded in real attack patterns.

STRIDE-per-Interaction

  • Distinguish STRIDE-per-element from STRIDE-per-interaction and identify when each granularity is appropriate.
  • Apply STRIDE-per-interaction on a critical request path (e.g., login → token issue → API call) and produce a prioritized threat list.
4Other Frameworks
3 topics

Attack Trees

  • Define an attack tree as a goal-rooted hierarchy of attacker objectives, sub-goals, and concrete attacks.
  • Apply an attack tree to 'attacker steals a customer's account' and decompose into at least three independent sub-goals each with concrete leaves.

PASTA

  • Identify PASTA's seven stages and identify it as a heavier, business-risk-aligned framework appropriate for high-stakes systems.
  • Compare PASTA with STRIDE in terms of effort, output, and target audience (engineering vs business risk leadership).

MITRE ATT&CK as Threat Reference

  • Identify MITRE ATT&CK as a knowledge base of real-world adversary tactics and techniques and identify the tactic categories (Initial Access, Execution, Persistence, etc.).
  • Apply ATT&CK as a 'reality check' on a threat model: cross-reference threats from STRIDE against known ATT&CK techniques to find missing scenarios.
5Mitigation and Prioritization
3 topics

Prioritization Approaches

  • Identify common prioritization approaches: DREAD (legacy), CVSS-style scoring, exposure-and-exploitability frameworks (EPSS), and business-impact alignment.
  • Compare DREAD with modern alternatives and explain why DREAD's subjective scores are generally avoided today.

Mitigation Patterns

  • Identify the canonical four responses to a threat: mitigate, transfer, accept, eliminate (avoid).
  • Apply mitigation selection: prefer eliminate (remove the feature/data) > mitigate > transfer > accept, with documented rationale at each step.

Documenting Residual Risk

  • Define residual risk and explain why an explicit residual-risk register is required when threats are accepted rather than mitigated.
  • Apply residual-risk documentation that includes the threat, the accepted reason, the responsible owner, and the review cadence.
6Operationalizing Threat Modeling
3 topics

Threat Modeling in the SDLC

  • Identify integration points: design review, architecture-decision records (ADRs), pull-request reviews for high-risk components, and pre-launch security reviews.
  • Apply lightweight per-feature threat modeling (Shostack's four questions in 30-60 minutes) and reserve full STRIDE for high-risk components.

Threat Modeling as Code

  • Identify threat-modeling-as-code tools (pytm, Threagile) and describe the value of versioning threat models alongside source code.
  • Apply pytm or a comparable tool to produce a textual threat model that re-renders to a DFD and a threat list on every commit.

Common Pitfalls

  • Identify common threat-modeling failure modes: too much detail too late, no follow-through on mitigations, security-only attendance, no version control of the model.
  • Analyze a stalled threat-modeling program and propose three specific changes grounded in 'culture, scope, and tooling'.
  • Apply 'small and often' threat modeling per feature instead of 'one giant model annually' and explain why incremental wins outperform big-bang reviews.
7Specialized Threat Models
7 topics

Cloud and Container Threat Modeling

  • Identify cloud-specific threats absent from traditional models: metadata-service abuse, shared-responsibility gaps, cross-tenant risks, IAM-policy misconfiguration.
  • Apply STRIDE to a cloud-deployed system and identify which threats are mitigated by the provider versus the customer.
  • Analyze a microservices-on-Kubernetes deployment and produce a threat model that includes pod-to-pod, service-mesh, control-plane, and image-supply-chain threats.

Authentication and Identity Threat Modeling

  • Identify common identity-system threats: credential stuffing, token theft, OAuth consent phishing, AiTM, federation trust abuse.
  • Apply STRIDE specifically to an OIDC-based SSO integration and identify spoofing, tampering, and elevation threats unique to federation.

Machine Learning Threat Modeling

  • Identify ML-specific threats: training-data poisoning, model extraction, membership inference, adversarial inputs, prompt injection in LLM systems.
  • Apply MITRE ATLAS as a complement to ATT&CK for ML/AI systems and identify how it organizes adversarial-ML tactics and techniques.
  • Analyze an LLM-powered customer-support agent and produce a threat model addressing prompt injection, data leakage via retrieval, and abuse of agent tools.

Embedded and IoT Threat Modeling

  • Identify IoT/embedded threats absent from typical web models: physical access, firmware extraction, supply-chain implants, OTA-update tampering, side-channel.
  • Apply LINDDUN-style privacy-aware threat modeling for an IoT device that collects in-home telemetry, prioritizing linkability and identifiability threats.

Privacy-Focused Frameworks

  • Identify LINDDUN as a privacy-focused threat modeling framework and identify its categories: Linkability, Identifiability, Non-repudiation, Detectability, Disclosure, Unawareness, Non-compliance.
  • Compare STRIDE (security) and LINDDUN (privacy) and analyze a system that requires both kinds of analysis (e.g., a healthcare data platform).

Adversary Emulation and Purple Teaming

  • Define adversary emulation and identify how it pressure-tests assumptions made during threat modeling.
  • Apply purple-team exercises that pair offensive simulation with defensive validation, mapping each emulated technique back to the threat model and detection coverage.

Working with Existing Frameworks

  • Identify how threat modeling aligns with NIST CSF, ISO 27001, and SOC 2 audit evidence — primarily by producing a defensible record of design-time risk decisions.
  • Apply threat-model artifacts as evidence in security audits without bloating documentation: keep the model lean, link to ADRs, and map to control frameworks only at the rollup level.
8Practical Application Patterns
3 topics

Quick-Start Templates

  • Identify the value of reusable threat-model templates for common system shapes: web app + DB, API gateway + microservices, batch ETL pipeline, mobile + backend.
  • Apply a templated threat model as a starting point and customize it for the system at hand, avoiding the blank-page problem.

Sample Walkthroughs

  • Apply a complete threat-modeling walkthrough on a sample 'photo-upload web app': DFD, trust boundaries, STRIDE-per-element, top-3 mitigations.
  • Apply a threat-modeling walkthrough on a sample 'webhook receiver that accepts vendor callbacks': identify spoofing, replay, and DoS as the primary categories.
  • Analyze the differences between the two sample walkthroughs and articulate which threats are universal vs system-specific.

Communicating Results

  • Identify common threat-model audiences (engineers, product managers, security leadership, executives) and tailor the level of detail to each.
  • Apply a 'one-page risk summary' format for executives and a detailed mitigations spreadsheet for engineers from the same underlying model.

Scope

Included Topics

  • Threat modeling goals and the design-time-vs-runtime tradeoff.
  • Data flow diagrams (DFDs) and trust boundaries.
  • STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege).
  • Attack trees and goal-driven analysis.
  • PASTA (Process for Attack Simulation and Threat Analysis) at conceptual depth.
  • Shostack's four-question framework: what are we building? what can go wrong? what are we doing about it? did we do a good job?
  • MITRE ATT&CK as a common-language threat-actor reference and how it complements design-time threat modeling.
  • DREAD scoring (and why it's discouraged today) and modern alternatives (CVSS, exposure-based prioritization).
  • Continuous threat modeling and 'threat modeling as code' patterns.
  • Common pitfalls and how to make threat modeling stick in engineering culture.

Not Covered

  • Penetration testing techniques and offensive tooling.
  • Compliance-mandated risk assessment frameworks (NIST 800-30) beyond conceptual mention.

Threat Modeling Basics is coming soon

Adaptive learning that maps your knowledge and closes your gaps.

Create Free Account to Be Notified