Adam Shostack: “Threat Modeling: Designing for Security”

Adam Shostack is a leading cybersecurity specialist and the author of Threat Modeling: Designing for Security (Wiley, 2014). He’s also the President of Shostack & Associates, which he founded in 2017.

Since publication, Mr. Shostack’s book has received rave reviews on popular platforms like Amazon and it is still in high demand.

“Adam’s Threat Modeling: Designing for Security is a must and required reading for security practitioners,” begins one such review. “Threat modeling should become standard practice within security programs and Adam’s approachable narrative on how to implement threat modeling resonates loud and clear.”

If you’d like to get in touch with Adam Shostack and his team at Shostack & Associates regarding help with threat modeling or engineering more secure systems, head to You can also head to vpnMentor to check out an excerpt from his book here.



Adam Shostack: Learning Threat Modeling for Security Professionals

Course by: Adam Shostack


In the twenty-first century, no one doubts the importance of cybersecurity. Threat modeling is where it starts. Threat modeling is a framework for thinking about what can go wrong, and the foundation for everything a security professional does.

This training course provides an overview of the traditional four-question framework for (1) defining what you’re working on, (2) discovering what can go wrong, (3) deciding what to do about it, and (4) ensuring you’ve done the right things in the right ways for the systems you’re delivering.

Instructor Adam Shostack also reviews the STRIDE model for identifying six types of threats: spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.

Using a simple case study—a billing system for a media server that serves ads—Adam shows how to apply the principles and find security and privacy problems so the developer can include appropriate configurations and controls as part of the operational design and rollout.

Areas covered by Adam in this course:

  • Develop secure products
  • Why would you threat model?
  • A simple approach to threat modeling

The course has 2 main parts, in which Adam explains the material in detail.

1. The Four Question Framework

  • What are we working on?
  • What can go wrong?
  • What are we going to do about it?
  • Did we do a good job?


  • Spoofing a specific server
  • Tampering with a file
  • Interlude: scope and timing
  • Repudiating an order
  • Information disclosure
  • Denial of service
  • Elevation of privilege

Visit for complete information about the course and other technical details.

Adam Shostack: Positive Reputation

Adam Shostack is a consultant, entrepreneur, technologist, author and game designer with years of experience in his field, much of which he spent working with Microsoft. Today, he’s serving as the President of Shostack & Associates in the Greater Seattle Area, and he continues to build on his already positive reputation.

Below, for example, is one of many shining recommendations from Adam Shostack’s LinkedIn profile, written by a former colleague:

“Adam’s work was cutting edge. His technical implementations embody a particularly lucid view of privacy for individuals and organizations.”

For those who’d like more information about Adam Shostack and his company, Shostack & Associates, click through to his personal website, There, you can access his firm’s website, sign up for his mailing list, check out his work as an author and explore his list of career accomplishments. You can also visit this link to watch an excerpt from Mr. Shostack’s recent interview on threat modeling.


Adam Shostack: Information Security Visionary

Adam Shostack is an information security specialist with more than a decade of experience and several successful startups to his name. He’s also the founder and President of Shostack & Associates, which launched in 2017, and the author of Threat Modeling: Designing for Security (Wiley, 2014). Mr. Shostack’s peers and clients hold him in high regard and he has received numerous shining recommendations for his excellence.

For example, the following recommendation is from Adam Shostack’s LinkedIn profile:

“Adam holds a place in the evolution of privacy as a consumer, business and regulatory issue,” wrote his colleague. “An exceptional mind and visionary.”

Looking for more information on Adam Shostack’s career as a cyber security specialist, author, and consultant? If so, head to his profile on Dark Reading here. There, you can find a list of content he has produced along with upcoming live events.


Adam Shostack: Recent Addition to the Continuum Security Advisory Board

Noted threat modeling expert Adam Shostack is proud to serve on the Continuum Security Advisory Board – a role that was made official in May of 2018. As a member of the Board, Shostack looks to contribute his considerable knowledge of and expertise in threat modeling and information security toward the development of solutions that make security a key component of the development lifecycle.

As Adam Shostack knows, Continuum Security is focused on building the tools information security and development professionals need to test and manage software security. Continuum’s aim is to develop processes and tools that integrate seamlessly within the normal development process – rather than as an addition with the potential to slow down development. Continuum is responsible for the IriusRisk Threat Modeling Program – a solution for creating threat models and managing application risks throughout the process of development.

Continuum officially announced Shostack to the Advisory Board last May.

Adam Shostack: A Closer Look at Threat Modeling

With the release of 2014’s Threat Modeling: Designing for Security, renowned threat modeling expert Adam Shostack looks not only to introduce software developers and security professionals to this now essential information security skill, but also to provide helpful lessons and tips for identifying, preparing for and preventing potential security threats well into the future.

Through Threat Modeling: Designing for Security, Adam Shostack aims to:

• Provide software and security developers an easy, accessible how-to guide for designing more secure systems and products.

• Show security professionals how to threat model – as well as to provide an exploration of various threat modeling approaches, such as software-centric, attacker-centric and asset-centric.

• Provide actionable advice that isn’t tethered to any specific programming language, operating system or software.

Threat Modeling: Designing for Security is the only information security book to be selected as a finalist for the Dr. Dobbs Jolt Award since Secrets and Lies and Applied Cryptography.

Adam Shostack: Answering the Tough Questions on Information Security

Adam Shostack and Andrew Stewart are the authors of 2008’s The New School of Information Security – a book that seeks not only to answer the tough questions about information security, but also to provide anyone from CIOs and IT managers to company security specialists a new way of thinking when it comes to identifying, addressing and resolving the most complex and urgent security problems facing the modern organization.

As experts in information security, Adam Shostack and Andrew Stewart offer unique insight into the challenges faced throughout the field of security – as well as:

• How to gather the evidence needed to make better decisions when it comes to information security.

• Why collaboration is so essential to improving cybersecurity in the current era, and how the industry can come together to take significant leaps forward.

• What security industry leaders can learn from other scientific fields when it comes to improving security.

Adam Shostack: Threat Modeling in 2018

Adam Shostack authored Threat Modeling: Designing for Security, which was one of the only information security-themed books to be selected as a finalist for the Jolt Award.

Check out the video to learn about Threat Modeling in 2018 by Adam Shostack.

Visit for more information about him.

Adam Shostack: Past Client Successes

Adam Shostack offers clients the best in information security consulting – providing custom security solutions that include anything from complex, technical security problem-solving to comprehensive business strategy services.

The President of Shostack & Associates, Shostack aims to add and deliver value to clients and organizations of all sizes around the globe – and to ensure their unique security problems are addressed and resolved as thoroughly as possible.

To date, Adam Shostack and the Shostack & Associates team have delivered:

  • Go-to-market advice for a small security startup.

  • Complete qualification training and product analysis to a government organization.

  • Design and rollout of the security development lifecycle for a high-profile manufacturer.

  • A full review of the security process for a top banking institution.

  • One-on-one threat modeling training of 75 security engineers at a top technology firm.

Shostack & Associates offers clients the value and unique perspective that only comes from years of information security experience, training and expertise.

Visit to know more about him.