Threat Modeling
Threat modeling is a structured security practice of proactively identifying, categorizing, and prioritizing potential threats to a system or application before they can be exploited. Practitioners decompose system architecture into data flow diagrams, identify trust boundaries, and apply frameworks such as STRIDE or PASTA to enumerate what could go wrong. The goal is to surface design-level risks early—during planning or development—so that mitigations can be built in rather than bolted on.
In 2026, AI companies face regulatory pressure (EU AI Act, NIST AI RMF) that explicitly requires risk and threat analysis for high-risk AI systems, making threat modeling a compliance-critical skill. The rapid proliferation of agentic and LLM-integrated systems has introduced novel attack surfaces—prompt injection, model theft, supply-chain poisoning—that classical security testing misses, and threat modeling is the primary design-phase tool for addressing them. Security engineers and AI safety teams who can model threats across model serving infrastructure, agentic pipelines, and data pipelines are in high demand across AI labs and enterprise AI programs.
🎓 Courses
Secure Your AI: Threat Modeling
Directly addresses AI-specific threat modeling—teaches STRIDE applied to AI pipelines, data flow diagram construction for ML systems, and professional security documentation. Highly relevant for anyone working on LLM or agentic products.
Modelling Threats – Strategies in Threat Modelling
Hands-on course covering STRIDE, DREAD, MITRE ATT&CK, Attack Trees, and tools like OWASP Threat Dragon and Threagile. Good breadth of frameworks in roughly 5 hours with a shareable certificate.
Cloud Security Governance and Threat Modeling
Practical entry point for cloud practitioners covering STRIDE applied to cloud architectures, MITRE ATT&CK for cloud, and threat intelligence integration. Useful context for teams operating AI workloads on cloud infrastructure.
Certified Threat Modeling Professional (CTMP) – Training Course
Comprehensive self-paced course with 20+ cloud-based hands-on labs covering STRIDE, PASTA, Agile Threat Modeling, and Threat Modeling as Code. Pairs with a recognized industry certification and a practical 6-hour exam.
Threat Modeling the Right Way for Builders
Free AWS-offered workshop that teaches threat modeling in the context of building on AWS. Good starting point for engineers who need to apply threat modeling to cloud-native and AI infrastructure.
📖 Books
Threat Modeling Best Practices: Proven Frameworks and Practical Techniques to Secure Modern Systems
Derek Fisher · 2025
The most current (October 2025) book on the topic. Covers STRIDE, PASTA, MITRE ATT&CK, PyTM, and Attack Trees with case studies across cloud, IoT, supply chains, and AI-driven threats. Published by Packt, 322 pages.
Threat Modeling: A Practical Guide for Development Teams
Izar Tarandach and Matthew J. Coles · 2020
The O'Reilly practitioner reference used widely by development teams to integrate threat modeling into the SDLC. Covers multiple methodologies and is the most team-process-oriented book in the field.
🛠️ Tutorials & Guides
Threat Modeling Cheat Sheet
Authoritative, free reference from OWASP covering the full threat modeling process, STRIDE examples, and integration with the SDLC. The most-linked practitioner reference on the web.
A Complete Guide to Threat Modeling with STRIDE Using OWASP Threat Dragon
Step-by-step walkthrough of building a STRIDE threat model for a 3-tier web application using the free OWASP Threat Dragon tool. Good hands-on complement to theory-focused courses.
What Is the STRIDE Threat Model? Beginner's Guide
Well-structured 2026 guide comparing STRIDE, PASTA, and DREAD with practical examples. Good entry point for beginners before enrolling in a formal course.
🏅 Certifications
Certified Threat Modeling Professional (CTMP)
Practical DevSecOps · Paid (see pricing at practical-devsecops.com/pricing/)
Vendor-neutral, CISA/NICCS-listed certification with a practical 6-hour hands-on exam (not multiple choice). Recognized by industry and verifiable via Credly. The most established dedicated threat modeling credential available.
Learning resources last updated: June 18, 2026