Certified Threat Modeling Professional E-Learning

Participants should have:

• A basic understanding of core security principles including confidentiality, integrity, and availability
• Some familiarity with application development concepts is helpful but not required

Target audience

This course is designed for:

• Security professionals embedding threat modeling into DevSecOps workflows
• Developers and architects responsible for secure software design
• Compliance teams implementing secure design standards
• Product managers and Agile teams involved in secure SDLC practices

By the end of this course, learners will be able to:

• Apply threat modeling frameworks (STRIDE, PASTA, VAST, RTMP) to identify design flaws
• Create and validate actionable threat models using tools such as OWASP Threat Dragon and IriusRisk
• Implement threat modeling as code to support Agile and CI/CD environments
• Prioritise risks using frameworks including OWASP Risk Rating and DREAD
• Translate security requirements into user stories and abuse cases
• Design secure architectures for native and cloud-native applications
• Support regulatory compliance and cross-functional collaboration through threat model automation

Threat modeling overview

• What is threat modeling and why it matters
• Comparing threat modeling to other security practices
• Framework categories: list-based, asset-based, actor-based, software-centric
• Trust boundaries vs attack surfaces
• Applying risk strategies: mitigation, avoidance, transfer, acceptance
• Hands-on: breakout exercise to identify threats in a multi-tiered application

Threat modeling basics

• STRIDE breakdown with examples and mitigations
• Goal/asset-based and attacker-centric modeling
• Attack trees and threat actor personas
• Exploring methodologies: PASTA, VAST, RTMP, OCTAVE
• Risk frameworks: OWASP Risk Rating, DREAD, Bug Bars
• Hands-on: data flow diagramming, persona creation, threat rating

Agile threat modeling

• Integrating threat modeling into Scrum and Agile workflows
• Threat modeling as code and compliance as code
• Use cases and abuse cases for requirements engineering
• Writing UML diagrams and threat models alongside source code
• Privacy impact assessments and secure backlog planning
• Hands-on: BDD security, threat modeling password reset flows, compliance as code

Reporting and deliverables

• Threat model documentation and automation strategies
• Managing models across tickets, code, and audit systems
• Validating threat models against real-world deployments
• Tools: OWASP Threat Dragon, CAIRIS, IriusRisk, model templates
• Hands-on: creating and validating threat models in multi-tiered and multi-cloud systems

Secure design principles and case studies

• Principles of secure design: least privilege, fail-safe defaults, open design
• Threat modeling real-world systems: AWS S3, Kubernetes, and legacy applications
• Testing mitigations and verifying implementation coverage
• Hands-on: AWS and Kubernetes case studies, design flaw identification

Exams and assessments

This course includes a certification exam for the Certified Threat Modeling Professional™.

• The exam includes real-world scenario questions based on DevSecOps integration and secure design principles
• Hands-on exercises and knowledge checks are provided throughout to reinforce learning
• Completion of the final validation project is required to earn the certificate
• The exam is a task-oriented examination in which you will be required to solve 5 challenges within a timeframe of 6 hours, with an additional 24 hours to complete the report and submit it for evaluation.

Hands-on learning

This course with approx. 20hrs of e-learning includes:

• Diagram-based modeling using DFDs and attack trees
• Threat modeling exercises across CI/CD, cloud-native, and Agile projects
• Tool-based labs with OWASP Threat Dragon, IriusRisk, and code-based modeling
• Risk prioritisation and validation through automation frameworks
• Persona-driven analysis and security control validation
• Upon completion of the purchase, learners will have the opportunity to select their preferred commencement date. The course will be provided on the chosen start date.
• 3-years of access to the videos and checklists, 60 days of browser-based labs, PDF Manual.

• Exam included
• Online exam voucher
• Dedicated tutor support via email during your course from expert instructors