The Complete Threat Modeling Resource Guide
Figure out what you actually need to protect — without the paranoia or the jargon.
Electronic Frontier Foundation's beginner-friendly guide to understanding who might want your data and why it matters.
Bruce Schneier's plain-English explanation of why threat modeling isn't just for spies and corporations.
Community-maintained walkthrough covering assets, adversaries, capabilities, and likelihood — with real examples.
45-minute talk breaking down the four-question framework: What are you building? What can go wrong? What will you do? Did you do it?
Free desktop tool for creating data flow diagrams and identifying threats using Microsoft's STRIDE methodology.
Open-source security community's comprehensive threat modeling resource with cheat sheets and methodology comparisons.
Adam Shostack's definitive book. 600+ pages covering every methodology, with practical exercises for beginners and pros.
Microsoft's Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege model.
Risk-centric 7-stage methodology that aligns technical requirements with business objectives. Popular in enterprise.
Copy-paste templates for STRIDE, LINDDUN, and attack trees. Fill in your context and identify gaps immediately.
Privacy-focused threat modeling: Linkability, Identifiability, Non-repudiation, Detectability, Disclosure, Unawareness, Non-compliance.
Open-source, cross-platform threat modeling tool with a web app and desktop version. Visual diagrams + auto-generated threats.
U.S. government's framework for assessing zero trust readiness. Useful for understanding modern security architecture assumptions.
The gold standard. Identify, Protect, Detect, Respond, Recover. Threat modeling maps directly to the Identify function.
Automated threat modeling platform. Integrates with CI/CD pipelines. Free community edition available for small teams.
Runtime application security that identifies threats in production. Useful for validating threat model assumptions against real attacks.
Free diagramming tool perfect for creating data flow diagrams — the foundation of any threat model. No account needed.
Real-world attack patterns database. Map your threats to known adversary tactics. The industry standard for threat intelligence.
Attack simulation tool that models your architecture and calculates risk probabilities. Enterprise-grade with academic roots.
Check if your email appears in known data breaches. Essential first step — you can't model threats to assets you don't know are exposed.
Search engine for Internet-connected devices. See what's publicly exposed on your network — a real eye-opener for threat modeling.
Step-by-step worksheet: identify what you want to protect, who you're protecting it from, and how likely the threat is.
Teaching materials designed for non-technical people. Includes personal threat model worksheets for journalists, activists, and everyday users.
30-minute practical walkthrough for people who aren't in tech. Covers common personal scenarios: travel, dating apps, smart home.
Pre-built threat model templates for common personas: journalist, activist, business owner, parent, student, and retiree.
Michael Bazzell's companion workbook. Includes personal threat assessment exercises and data exposure reduction checklists.
Real-world example of modeling the threat of phone number exposure. Shows how one data point leads to cascading vulnerabilities.
Counter-argument to fatalism. Explains why threat modeling is more productive than giving up — and how to set realistic privacy goals.
Google's IT security module includes a solid threat modeling section. Free to audit. Certificate available for $49.
Understand the human element of threats. Covers pretexting, elicitation, and how attackers model YOU to exploit trust.
3-hour course covering STRIDE, DREAD, and attack trees. Hands-on exercises with real scenarios. Free 10-day trial available.
Curated 12-video playlist from various security conferences. Covers beginner to advanced threat modeling techniques.
Short, focused book aimed at non-experts. 180 pages of practical exercises you can complete in a weekend.
Brian Krebs on how he personally threat models. Real examples from covering cybercrime for 20+ years. Practical and sobering.
Free online cybersecurity courses from SANS Institute. Includes threat identification modules suitable for complete beginners.