Threat modeling is the ‘measure twice, cut once’ of cybersecurity. Structured techniques help you understand the danger so you can create a focused defensive security strategy.
In today’s fast-paced world with its rapidly evolving threat landscape, threat modeling gives you a way to find security bugs early and understand your security requirements so you can engineer better products that you deliver on time.
We offer the best threat modeling training available.
Our founder is one of the leading experts in threat modeling and security engineering. Our training is laser-focused on threat modeling as the heart of security engineering work. We've trained thousands of people with methods that deliver results.
We know training works best when people have a chance to develop specific technical skills, to apply them, and to reflect on how they and others have applied them. We design our training on specific learning goals, including skills (technical and soft), values (the importance of security) and understanding (shifting left reduces rework). To meet your needs, we have instruction and logistics options, including a choice between live instruction or self-paced/computer-based training.
How do I choose?
People want training that suits their needs. To meet those needs, we’ve created variants of our courses. To help you think about what will work for you, we have a flowchart. The dashed orange line illustrates one possible set of choices.
Hands-on, practical, applied exercises where learners threat model in a safe, supported way are the core of our approach.
We believe that training works best when people have a chance to develop specific technical skills, to apply them, and to reflect on how they and others have applied them. We focus our training on specific learning goals, including skills (technical and soft), values (the importance of security) and understanding (shifting left reduces rework). Learners develop both specific technical skills, such as ‘draw a Data Flow Diagram,’ and the ability to discuss them in context, such as ‘compare between DFDs and swim lanes for this project.’
All of our courses are aligned with the Four Question Framework, created by Adam Shostack and widely adopted:
Our 200-level courses go into much more depth in answering the Four Questions, and we start to consider additional ways to answer each. They are generally one to two days when delivered in-person. At this level (and above) our training engages participants through discussion, hands-on exercises, group work, and often, live feedback from instructors.
Our 300-level courses focus on additional skills. Reflectivity and comparisons become increasingly important.
At the 400 level and up, Adam teaches at the University of Washington, and doesn’t believe in course number inflation.
We regularly collaborate with instructional designers to help us develop, deliver and maintain great educational content.
Course delivery options
In 2020, we made the shift from in-person to distributed delivery. We invested heavily in instructional design and production, and our customers tell us they’re very happy with the learning experience. We learned about the real learning and logistical advantages of distributed courses. Those advantages include better integration into a workday, travel-free participation for distributed teams, and each participant’s ability to take their time with exercises.
In-person or distributed
Fixed meeting times, pace
Instructor + peer learning
Open or private
Learn at your own time, pace
Peer, instructor interaction on Slack
Live instruction logistics options
Learn over 1-3 days
Different attention levels
Learn over a week
Flexible homework time
Open to anyone
Individual seats (no minimum)
When you want live instruction training for only a few people, our open courses are a great way to go. This can mean getting new hires aligned with a team or dipping your toe in before making a larger investment, or maybe you’re at a smaller organization. Our open courses are a mix of distributed and in-person. All are taught personally by Adam Shostack.
We work with a variety of partners because of their unique strengths and relationships. We know that many large organizations find it easier to work within existing relationships, and are always happy to engage through a partner. Our current list includes (alphabetically):
Agile Stationery - Agile Stationery produces all our training materials, including games, stencils and whiteboard books, and was a real collaborator in bringing the ideas to life. (All of those tools are available from them.) We also jointly deliver live instruction Elevation of Privilege Play to Learn sessions, at the same link.
Archimedes Center for Health Care and Medical Device Cybersecurity - Archimedes is an independent, pioneering center focused on the education and advancement of medical device security where key industry players come together for learning in a safe place.
Black Hat - Many people appreciate the chance to get intensive training at a popular conference. Current Black Hat trainings are listed in the open trainings list above.
CMDC - We do in-person trainings for the medical device community with the University of Minnesota’s Center for Medical Device Cybersecurity.
IANS Research - Adam is an IANS Faculty member, and regularly engages in Ask-An-Expert calls and consulting work via IANS.
In partnership with LinkedIn Learning, Adam has an ever-growing collection of courses at Adam Shostack's Instructor Page at LinkedIn Learning. (These are only sold by LinkedIn, so we don't have course numbers.) The most current list is always there, but currently the courses are: