Threat Modeling Whitepapers From Shostack & Associates

Enabling and accelerating threat modeling

Shostack & Associates is a specialized security consultancy, focused on meeting the unique needs of each client through a variety of services including threat modeling training and coaching.

One of the most common requests we get is for help enabling or accelerating threat modeling programs. The papers here share lessons we've learned and observations we've made helping our diverse customers succeed.


Our first corporate whitepaper, The Jenga View of Threat Modeling, breaks out different types of threat modeling work in a new way. The Jenga view helps you understand the diverse changes that happen to enable threat modeling, and through understanding, helps you accelerate.

We're so eager to share what we've learned that we've decided against even asking you to fill out a form. That is, we've decided that the threat of fake information and the work to wade through it outweighs the value. If you'd like our help, we're eager to talk, but we like high pressure sales even less than you do.

If you do want to sign up for "Adam's New Thing" to be notified, you can do so below. (List details and promises.)


What is Threat Modeling?

Threat modeling is a way to strategically and systematically discover what can go wrong in a system, even before you've built it. It is a set of engineering skills and practices, sometimes supported by tooling, sometimes just done at a whiteboard. It is one of the most important, and misunderstood, parts of a security development lifecycle.

Sometimes people conflate threat intelligence and threat modeling. Adam addressed the difference in Threat Modeling: What, Why, and How? for the MISTI Training Institute. You can also read Rolling Out a Threat Modeling Program there, and Security Engineering, the Who, What, Why and How at ISACA.

Get in touch!

Call us: +1 917-391-2168, email us, or reach out on LinkedIn.

Photo by Simon Veilleux