The resources here are intended for participants of the Let’s Go Threat Modelling! workshop by Richard Adams.

Bit of quick admin

  1. All content is my own (aside from when I’m deliberately linking to stuff).
  2. I am very happy for you to reuse these resources to help you introduce threat modelling to your teams.
  3. Please don’t remove my name or web addresses etc.
  4. If you’re going to be paid above your salary for using my resources, please be nice and buy a deck of cards.


Playing the game as part of the workshop and stuck? Here are a few ideas:

  • Pick an element and think about how you might spoof it, or attack that element through spoofing. No idea? How could you tamper?
  • Remember that you don’t need to know exactly how the attack works. If you know of “replay attacks” but have no idea how they work, suggest it anyway. It might be valid, you might start a good discussion and you might learn something.
  • Use the OWASP STRIDE Reference Sheet. Go through it one line at a time – does it apply? If so, say that.
  • Not sure what defences a system might use against your attack? Look at the Counter Agents cards or the more detailed page that’s available.
  • Think social as well as technical. It’s easier to phone a random extension and pretend to be IT asking for a password than to break into the network and sniff for traffic with credentials.
  • It is OK to assume you’ve already broken through outer layers. Consider “zero trust”.


WE ARE ANGRY Data Flow Diagram

Resources Slide

  • Ministry of Testing for talks
  • Threat Modeling: Designing for Security Paperback – Adam Shostack
  • Elevation of Privileges card game
  • Threat Agents card game at
  • OWASP STRIDE Reference Sheet
  • My Twitter: @oxygenaddictuk