'Threat Modeling for Security Champs'
from Shostack & Associates

Enabling and accelerating threat modeling

Shostack & Associates offers a variety of threat modeling classes, with options ranging from Linkedin Learning through highly customized instructor led trainings.

Threat Modeling for Security Champs: Oct 19-23

We have seats available in an upcoming champs class. The group sessions will run 11AM through noon Pacific Monday Oct 19th-Friday Oct 23rd, 2020. A sample calendar invite is here, and we recommend adding an hour of reserved time daily to do the assignments.

Course Overview

This course enables security champs to support threat modeling work by their teams. The outcome is champs supporting threat modeling execution by product teams, not champs ready to train and leave.

Participants will be led through how to introduce threat modeling to teams, with or without Elevation of Privilege, learn about leading threat modeling work, and how to evaluate such work in depth.

Course Content

This course is 10 learning hours, roughly equivallent to a one day in person class. The time is split between short video 'lectures,' like the one below, homework assignments and group discussion via Zoom.


This course is for people who are already skilled in threat modeling. They can draw a DFD from either a specification or by interview. They can use STRIDE and the Kill Chain to address what can go wrong, and discuss when each might be appropriate.


Seats in this class are $1,600 each, and are offered on a first-come, first-served basis. Payment by credit card. Reach out to us and we'll send details.

Training Approach

We believe that training works best when people have a chance to develop specific technical skills, to apply them, and to reflect on how they and others have applied them. We focus our training on specific learning goals, including skills (technical and soft), values (the importance of security) and understanding (shifting left reduces rework).

All of our courses are aligned with the Four Question Framework:

By skills, mean both specific technical skills such as 'draw a Data Flow Diagram,' and the ability to discuss skills or tasks, such as 'compare between DFDs and swim lanes for this project.'

By analogy, people practice how to hold a knife, then using it to chop vegetables. Then they develop precision in chopping, repeatability in chopping, dicing and mincing. With those skills, they can decide when each is appropriate. When they use different knives on different ingredients, and cook them, they can start to discuss the tradeoffs between knives, or between cuts, or the importance of precision. Over time, and with practice, they can advise others on developing the appropriate skills. Our 100 level courses are very much skill focused: we teach people to chop vegetables. The 202 class is the first that introduces different ways to start answering the Four Questions. Additional skills, reflectivity and comparisons become increasingly important in the higher-level (300/400 level) classes. At the 200 level and above, our training engages participants through discussion, hands-on exercises, group work, and instructor led coaching.

Get in touch!

Call us: +1 917-391-2168, email us, or reach out on Linkedin.

Photo by Simon Veilleux