Threat Modeling: None of Your Security Tools Help me Get More Money for my Security Program

This entry is part [part not set] of 24 in the series Hack the Planet

In this episode of the Hack the Planet Podcast:

For too long, the confusion caused by the Adam Shostack/MS threat modeling “methodology” has prevented security teams from doing any productive risk analysis. That ends now. We clear up the confusion around what a threat model is, what it’s for, how best to go about developing one, what is so very very wrong with the Adam Shostack/MS method of threat modeling, and how to achieve better results with less effort and arguing.

Check out the links for useful templates and examples. And remember: a dataflow diagram is an important piece of design documentation, but it is not and can never be an effective threat model.

Threat Modeling Template Examples from SymbolCrash, adjust these to suit!

Simple Threat Model Example:

CVSS 3.1 Auto-calculating Model with Automatic Coloring by Severity:

“How to measure anything in cybersecurity risk”

CVSS 3.1 Calculator at

Automated Secrets Detection:

Old-School SANS Threat Modeling Template Example:

Mentioned Tools:

C4 model:

What is the Actual Financial Impact of a Breach?

Threat Modeling Tools that uselessly force everything into a DFD (not recommended):
ThreatModeler –
Irius Risk –
OWASP ThreatDragon –
MS Threat Modeling Tool –

Be a guest on the show! We want your hacker rants! Give us a call on the Hacker Helpline: PSTN 206-486-NARC (6272) and leave a message, or send an audio email to

Original music produced by Symbol Crash. Warning: Some explicit language and adult themes.