Whiteboard Hacking – aka Hands-on Threat Modeling for Defenders

This training takes you into the practical world of threat modeling, combining hands-on exercises and real-world scenarios. This hands-on threat modeling training offers an immersive experience, grounded in 25 years of practical expertise and refined through a decade of delivery at various conferences and organizations, avoiding a lecture-heavy approach. By the end of this training, you’ll walk away not just with knowledge, but the ability to practice threat modeling effectively in your organization.

You’ll engage in hands-on activities inspired by actual industry projects, including embedding threat modeling into cybersecurity and DevOps workflows. Highlights include applying the MITRE ATT&CK framework in real-world exercises and tackling modern challenges like modeling threats for AI-driven systems—specifically, a machine-learning-powered chatbot. To amplify your skills, we’ve elevated the classic threat modeling war game: a CTF-style battle for control over an offshore wind turbine park, designed to simulate high-stakes adversarial scenarios.

Before the training, all participants will complete a knowledge and experience alignment assessment to ensure everyone starts with the foundational understanding required to succeed. This pre-training check includes access to curated materials designed to bring participants up to speed, including our self-paced introduction to threat modeling.

As practitioners with hands-on experience, we understand the gap between book-based knowledge of threat modeling and the practical challenges faced in real-world environments. To address this, we’ve developed a series of comprehensive, real-world case studies. Each scenario includes detailed environments, tailored challenges, and reusable templates to guide you through building effective threat models.

In this course, you’ll collaborate in teams of 3 or 4 to tackle the stages of threat modeling across diverse systems and industries, including:

– Applying diagramming techniques to a travel booking service.

– Threat modeling a cloud-based update service for an airport IoT kiosk.

– Constructing an attack tree targeting a nuclear research facility.

– Building a SOC Risk-Based Alerting system with MITRE ATT&CK.

– Mitigating threats in a microservices-based payment system using S3 buckets.

– Threat modeling a Machine Learning-Powered CareBot.

– Integrating the OWASP Threat Modeling Playbook into agile development.

 -Evaluating and securing the CI/CD pipeline.

– Competing in a CTF-style war game to seize control of Zwarte Wind, an offshore wind turbine park.

After each exercise, we facilitate in-depth discussions and provide a documented solution to reinforce your understanding.

This training continues beyond the classroom: every participant receives access to our Threat Modeling Playbook and one year of online learning resources to ensure you can continue to elevate your threat modeling skills long after the course ends.