Threat modeling is the "measure twice, cut once" of cybersecurity. Structured techniques help you understand the danger so you can create a focused defensive security strategy.
In today’s fast-paced world with its rapidly evolving threat landscape, threat modeling gives you a way to find security bugs early and understand your security requirements so you can engineer better products that you deliver on time.
Why us?
We offer the best threat modeling training available.
Our founder is one of the leading experts in threat modeling and security engineering. Our training is laser-focused on threat modeling as the heart of security engineering work. We've trained thousands of people with methods that deliver results.
We know training works best when people have a chance to develop specific technical skills, to apply them, and to reflect on how they and others have applied them. We design our training on specific learning goals, including skills (technical and soft), values (the importance of security) and understanding (shifting left reduces rework). To meet your needs, we have instruction and logistics options, including a choice between live instruction or self-paced/computer-based training.
How do I choose?
People want training that suits their needs. To meet those needs, we’ve created variants of our courses. To help you think about what will work for you, we have a flowchart. The dashed orange line illustrates one possible set of choices.
Our approach
Hands-on, practical, applied exercises, in which learners threat model in a safe, supported way, are the core of our approach.
We believe that training works best when people have a chance to develop specific technical skills, to apply them, and to reflect on how they and others have applied them. We focus our training on specific learning goals, including skills (technical and soft), values (the importance of security) and understanding (shifting left reduces rework). Learners develop both specific technical skills, such as ‘draw a Data Flow Diagram,’ and the ability to discuss them in context, such as ‘compare between DFDs and swim lanes for this project.’
All of our courses are aligned with the Four Question Framework, created by Adam Shostack and widely adopted:
Our 200-level courses go into much more depth in answering the Four Questions, and we start to consider additional ways to answer each. Our 200-level courses are generally one to two days when delivered in person. At this level (and above) our training engages participants through discussion, hands-on exercises, group work, and often live feedback from instructors.
300 level
Our 300-level courses focus on additional skills. Reflection and comparison between techniques become increasingly important.
400 level
At the 400 level and up, Adam teaches at the University of Washington, and doesn’t believe in course number inflation.
We regularly collaborate with instructional designers to help us develop, deliver and maintain great educational content.
Course delivery options
In 2020, we made the shift from in-person to distributed delivery. We invested heavily in instructional design and production, and our customers tell us they’re very happy with the learning experience. We learned about the real learning and logistical advantages of distributed courses. Those advantages include better integration into a workday, travel-free participation for distributed teams, and each participant’s ability to take their time with exercises.
Instruction options
Live instruction
- In-person or distributed
- Fixed meeting times and pace
- Instructor and peer learning
- Open or private
Computer-Based Training
- Distributed only
- Learn at your own time and pace
- Peer and instructor interaction on Slack
- Price advantage
Live instruction logistics options
In-Person delivery
- Learn over 1-3 days
- Different attention levels
- Travel requirements
Distributed delivery
- Learn over a week
- Flexible homework time
- No travel
Open courses
- Open to anyone
- No NDA
- Committed calendar
- Individual seats (no minimum)
Private courses
- One customer
- NDA
- Negotiated calendar
- Minimum seats
Open courses
When you want live instruction training for only a few people, our open courses are a great way to go. That might mean aligning new hires with a team, dipping your toe in before making a larger investment, or simply being at a smaller organization. Our open courses are a mix of distributed and in-person. All are taught personally by Adam Shostack.
We work with a variety of partners because of their unique strengths and relationships. We know that many large organizations find it easier to work within existing relationships, and are always happy to engage through a partner. Our current list includes (alphabetically):
Agile Stationery - Agile Stationery produces all our training materials, including games, stencils and whiteboard books, and was a real collaborator in bringing the ideas to life. (All of those tools are available from them.) We also jointly deliver live-instruction Elevation of Privilege "Play to Learn" sessions, at the same link.
Archimedes Center for Health Care and Medical Device Cybersecurity - Archimedes is an independent, pioneering center focused on the education and advancement of medical device security where key industry players come together for learning in a safe place.
Black Hat - Many people appreciate the chance to get intensive training at a popular conference. Current Black Hat trainings are listed in the open trainings list above.
CMDC - We do in-person trainings for the medical device community with the University of Minnesota’s Center for Medical Device Cybersecurity.
IANS Research - Adam is an IANS Faculty member, and regularly engages in Ask-An-Expert calls and consulting work via IANS.
IriusRisk - Secure software by design with automated threat modeling. Adam is an advisory board member, and IriusRisk is a close partner. IriusRisk customers can purchase training and coaching via IriusRisk.
Medical Device Innovation Consortium - We collaborated on the Playbook for Threat Modeling Medical Devices, and regularly deliver the original and best Threat Modeling Boot Camps.
Zatik Security - Zatik provides expert appsec guidance and staffing, and we partner with them, including delivering training to their customers.
Please note we are using “partner” like normal human beings, and have a variety of business relationships with the companies listed.
Course catalog
100 level
Our 100-level courses are all delivered via computer-based training, and include:
In partnership with LinkedIn Learning, Adam has an ever-growing collection of courses at Adam Shostack's Instructor Page at LinkedIn Learning. (These are sold only by LinkedIn, so we don't have course numbers for them.) The most current list is always there, but currently the courses are:
200 level
Threat Modeling Intensive (222, two days) - We also have industry-specific versions of this course available, including versions focused on medical device makers, and others in development.
300 level
Our 300-level courses are a mix of delivery modes, appropriate to each course.