Adam Shostack: “Threat Modeling: Designing for Security”

Adam Shostack is a leading cybersecurity specialist and the author of Threat Modeling: Designing for Security (Wiley, 2014). He’s also the President of Shostack & Associates, which he founded in 2017.

Since publication, Mr. Shostack’s book has received strong reviews on popular platforms such as Amazon and is still in high demand.

“Adam’s Threat Modeling: Designing for Security is a must and required reading for security practitioners,” begins one such review. “Threat modeling should become standard practice within security programs and Adam’s approachable narrative on how to implement threat modeling resonates loud and clear.”

If you’d like to get in touch with Adam Shostack and his team at Shostack & Associates regarding help with threat modeling or engineering more secure systems, visit the Shostack & Associates website. You can also head to vpnMentor to read an excerpt from his book.



Adam Shostack: Learning Threat Modeling for Security Professionals

Course by: Adam Shostack


In the twenty-first century, no one doubts the importance of cybersecurity. Threat modeling is where it starts. Threat modeling is a framework for thinking about what can go wrong, and the foundation for everything a security professional does.

This training course provides an overview of the traditional four-question framework for (1) defining what you’re working on, (2) discovering what can go wrong, (3) deciding what to do about it, and (4) ensuring you’ve done the right things in the right ways for the systems you’re delivering.

Instructor Adam Shostack also reviews the STRIDE model for identifying six types of threats: spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.

Using a simple case study—a billing system for a media server that serves ads—Adam shows how to apply the principles and find security and privacy problems so the developer can include appropriate configurations and controls as part of the operational design and rollout.

Areas covered by Adam in this course:

  • Develop secure products
  • Why would you threat model?
  • A simple approach to threat modeling

The course has two main parts, each of which Adam covers in detail.

1. The Four Question Framework

  • What are we working on?
  • What can go wrong?
  • What are we going to do about it?
  • Did we do a good job?

2. The STRIDE Model

  • Spoofing a specific server
  • Tampering with a file
  • Interlude: scope and timing
  • Repudiating an order
  • Information disclosure
  • Denial of service
  • Elevation of privilege
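As an added example (this is not code from the course or from Shostack's book), the Python sketch below walks the four questions over a constructed data-flow model of the course's case study. The elements, trust zones, flows and recorded decisions are assumptions for illustration; the page does not specify them. Question 1 is the element and flow lists; question 2 applies the STRIDE-per-element chart from the book (external entities get Spoofing and Repudiation, processes all six categories, data stores and data flows Tampering, Information disclosure and Denial of service, with Repudiation added for a store that holds logs) and flags flows that cross a trust boundary; question 3 is the dictionary of mitigate/accept decisions; question 4 is the check that no enumerated threat has been left without a decision.

```python
"""Threat model as code: a tiny DFD, STRIDE-per-element enumeration, and a decision audit.

Added example, not code from the course. The system model and decisions below are
constructed for illustration and are not taken from the course material.
"""
from dataclasses import dataclass
from typing import Dict, List

# STRIDE-per-element: which categories apply to each kind of DFD element.
# Repudiation is added to a data store only when it holds logs (see enumerate_threats).
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TID",
    "data_flow": "TID",
}
CATEGORY_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str            # one of the STRIDE_PER_ELEMENT keys
    zone: str            # trust zone; a flow between different zones crosses a boundary
    holds_logs: bool = False


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str


@dataclass(frozen=True)
class Threat:
    target: str
    category: str        # one letter of STRIDE
    crosses_boundary: bool

    @property
    def key(self) -> str:
        return f"{self.category}:{self.target}"


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    """Question 2 (what can go wrong?): STRIDE-per-element over every element and flow."""
    zones = {e.name: e.zone for e in elements}
    threats: List[Threat] = []
    for e in elements:
        cats = STRIDE_PER_ELEMENT[e.kind]
        if e.kind == "data_store" and e.holds_logs:
            cats += "R"  # a tampered or dropped log lets someone deny what they did
        threats.extend(Threat(e.name, c, False) for c in cats)
    for f in flows:
        crosses = zones[f.src] != zones[f.dst]
        threats.extend(Threat(f.name, c, crosses) for c in STRIDE_PER_ELEMENT["data_flow"])
    return threats


def boundary_threats(threats: List[Threat]) -> List[Threat]:
    """Threats on flows that cross a trust boundary: usually where review starts."""
    return [t for t in threats if t.crosses_boundary]


def undecided(threats: List[Threat], decisions: Dict[str, str]) -> List[str]:
    """Question 4 (did we do a good job?): every threat needs a recorded decision."""
    return sorted(t.key for t in threats if t.key not in decisions)


# Question 1 (what are we working on?): constructed model of an ad-serving media
# server with a billing back end. Names and zones are assumptions for this example.
ELEMENTS = [
    Element("advertiser", "external_entity", "internet"),
    Element("ad_server", "process", "dmz"),
    Element("billing_service", "process", "internal"),
    Element("billing_db", "data_store", "internal"),
    Element("audit_log", "data_store", "internal", holds_logs=True),
]
FLOWS = [
    Flow("ad_request", "advertiser", "ad_server"),
    Flow("impression_report", "ad_server", "billing_service"),
    Flow("invoice_write", "billing_service", "billing_db"),
    Flow("audit_write", "billing_service", "audit_log"),
]

# Question 3 (what are we going to do about it?): hypothetical decisions recorded so far.
DECISIONS = {
    "S:advertiser": "mitigate: authenticate advertisers with client certificates",
    "R:advertiser": "mitigate: sign ad-request receipts and retain them in audit_log",
    "T:ad_request": "mitigate: TLS on the advertiser-facing listener",
    "I:ad_request": "mitigate: TLS on the advertiser-facing listener",
    "D:ad_request": "accept: edge rate limiting; residual flood risk accepted",
    "T:impression_report": "mitigate: mutual TLS between ad_server and billing_service",
    "I:impression_report": "mitigate: mutual TLS between ad_server and billing_service",
}


def main() -> None:
    threats = enumerate_threats(ELEMENTS, FLOWS)
    print(f"{len(threats)} candidate threats, "
          f"{len(boundary_threats(threats))} on boundary-crossing flows")
    for key in undecided(threats, DECISIONS):
        cat, target = key.split(":", 1)
        print(f"  undecided: {CATEGORY_NAMES[cat]} of {target}")


if __name__ == "__main__":
    main()
```

Running it lists the threats that still lack a decision, which is the "did we do a good job?" gate: the model is not finished until that list is empty or every remaining entry is a deliberate acceptance. Note that the per-element chart deliberately over-generates (for example, Denial of service on the impression report between two internal processes); pruning those is a judgement the tool should record, not silently skip.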

Visit the course page for complete information about the course and other technical details.