Training from Shostack + Associates


Threat modeling is the measure twice, cut once of cybersecurity. Structured techniques help you understand the danger so you can create a focused defensive security strategy.

In today’s fast-paced world with its rapidly evolving threat landscape, threat modeling gives you a way to find security bugs early and understand your security requirements so you can engineer better products that you deliver on time.

Why us?

We offer the best threat modeling training available.

Our founder is one of the leading experts in threat modeling and security engineering. Our training is laser-focused on threat modeling as the heart of security engineering work. We've trained thousands of people with methods that deliver results.

We know training works best when people have a chance to develop specific technical skills, to apply them, and to reflect on how they and others have applied them. We design our training on specific learning goals, including skills (technical and soft), values (the importance of security) and understanding (shifting left reduces rework). To meet your needs, we have instruction and logistics options, including a choice between live instruction or self-paced/computer-based training.

How do I choose?

People want training that suits their needs. To meet those needs, we’ve created variants of our courses. To help you think about what will work for you, we have a flowchart. The dashed orange line illustrates one possible set of choices.


Our approach

Hands on, practical, applied exercises where learners threat model in a safe, supported way is the core of our approach.

We believe that training works best when people have a chance to develop specific technical skills, to apply them, and to reflect on how they and others have applied them. We focus our training on specific learning goals, including skills (technical and soft), values (the importance of security) and understanding (shifting left reduces rework). Learners develop both specific technical skills, such as ‘draw a Data Flow Diagram,’ and the ability to discuss them in context, such as ‘compare between DFDs and swim lanes for this project.’

All of our courses are aligned with the Four Question Framework, created by Adam Shostack and widely adopted:

100 level
Our 100 level courses are very much skill focused: we teach people core skills, and the courses are under an hour, and are all delivered as computer-based training. These include the World’s Shortest Threat Modeling Course, Adam’s Linkedin Learning Courses, and Play Elevation of Privilege.
200 level
Our 200 level courses go into much more depth in answering the Four Questions, and we start to consider additional ways to answer each. Our 200-level courses are generally one to two days when delivered in-person. At this level (and above) our training engages participants through discussion, hands-on exercises, group work, and often, live feedback from instructors.
300 level
Our 300 level courses focus on additional skills. Reflectivity and comparisons become increasingly important.
400 level
At the 400 level and up, Adam teaches at the University of Washington, and doesn’t believe in course number inflation.

We regularly collaborate with instructional designers to help us develop, deliver and maintain great educational content.

Course delivery options

In 2020, we made the shift from in-person to distributed delivery. We invested heavily in instructional design and production, and our customers tell us they’re very happy with the learning experience. We learned about the real learning and logistical advantages of distributed courses. Those advantages include better integration into a workday, travel-free participation for distributed teams, and each participant’s ability to take their time with exercises.

Instruction options
Live instruction
  • In-person or distributed
  • Fixed meetings times, pace
  • Instructor + peer learning
  • Open or private
Computer-Based Training
  • Distributed only
  • Learn at your own time, pace
  • Peer, instructor interaction on Slack
  • Price advantage
Live instruction logistics options
In-Person delivery
  • Learn over 1-3 days
  • Different attention levels
  • Travel requirements
Distributed delivery
  • Learn over a week
  • Flexible homework time
  • No travel
Open courses
  • Open to anyone
  • No NDA
  • Committed calendar
  • Individual seats (no minimum)
Private courses
  • One customer
  • NDA
  • Negotiated calendar
  • Minimum seats

Open courses

When you want live instruction training for only a few people, our open courses are a great way to go. This can be getting new hires to align with a team, it can be dipping your toe in before making a larger investment, or maybe you’re at a smaller organization. Our open courses are a mix of distributed and in-person. All are taught personally by Adam Shostack.

Upcoming Open Courses
Course Logistics Date Get started
Threat Modeling Intensive Hosted by OWASP in Lisbon June 25-26 2024 More Information
Threat Modeling Intensive Hosted by Blackhat in Las Vegas August 3-4 or 5-6 Aug 3-4 or Aug 5-6


We work with a variety of partners because of their unique strengths and relationships. We know that many large organizations find it easier to work within existing relationships, and are always happy to engage through a partner. Our current list includes (alphabetically):

  • Agile Stationery logo

    Agile Stationery - Agile Stationery produces all our training materials, including games, stencils and whiteboard books, and was a real collaborator in bringing the ideas to life. (All of those tools are available from them). We also jointly deliver live instruction Elevation of Privilege Play to Learn sessions, at the same link.

  • Archimedes logo

    Archimedes Center for Health Care and Medical Device Cybersecurity - Archimedes is an independent, pioneering center focused on the education and advancement of medical device security where key industry players come together for learning in a safe place.

  • Blackhat 2021 training logo

    Blackhat - Many people appreciate the chance to get intensive training at a popular conference. Current Blackhat trainings are listed in the open trainings list above.

  • Center for Medical Device Security

    CMDC - We do in-person trainings for the medical device community with the University of Minnesota’s Center for Medical Device Cybersecurity.

  • IANS Research logo

    IANS Research - Adam is an IANS Faculty member, and regularly engages in Ask-An-Expert calls and consulting work via IANS.

  • IriusRisk logo

    IriusRisk - Secure software by design with automated threat modeling. Adam is an advisory board member, and IriusRisk is a close partner. IriusRisk customers can purchase training and coaching via IriusRisk.

  • LinkedIn Learning logo

    LinkedIn - Many people love the opportunity to self-pace their learning, and Adam has an ever-growing collection of courses, listed on Adam Shostack's Instructor Page at LinkedIn Learning.

  • MDIC Logo

    The Medical Device Innovation Consortium. We collaborated on the Playbook for Threat Modeling Medical Devices, and regularly deliver the original and best Threat Modeling Boot Camps.

  • Zatik Logo

    Zatik Security provides expert appsec guidance and staffing, and we partner with them including delivering training to their customers.

Please note we are using “partner” like normal human beings, and have a variety of business relationships with the companies listed.

Course catalog

100 level

Our 100 level courses are all delivered via computer based training, and include:

In partnership with Linkedin Learning, Adam has an ever-growing collection of courses at Adam Shostack's Instructor Page at Linkedin Learning. (These are only sold by Linkedin, so we don't have course numbers.) The most current list is always there, but currently the courses are:

200 level

Our 200-level courses are offered in-person or distributed, live-instruction or CBT, and open or private versions.

  • Threat Modeling Essentials (201, one day, formerly “For Engineers”)
  • Threat Modeling Intensive (222, two days) We also have industry-specific versions of this course available, including medical device maker focused-versions and others in development.

300 level

Our 300-level courses are a mix of delivery modes, appropriate to each course.

We also offer Corporate Training that can be customized for your organization's needs.