{"id":13652842,"url":"https://github.com/redshiftzero/awesome-threat-modeling","last_synced_at":"2026-02-14T19:03:54.140Z","repository":{"id":43445000,"uuid":"159863208","full_name":"redshiftzero/awesome-threat-modeling","owner":"redshiftzero","description":"a curated list of useful threat modeling resources","archived":false,"fork":false,"pushed_at":"2024-06-28T14:56:13.000Z","size":18,"stargazers_count":144,"open_issues_count":0,"forks_count":20,"subscribers_count":7,"default_branch":"master","last_synced_at":"2026-02-05T08:10:37.005Z","etag":null,"topics":["risk-assessment","security","threat-modeling"],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/redshiftzero.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2018-11-30T18:27:10.000Z","updated_at":"2026-01-27T14:24:40.000Z","dependencies_parsed_at":"2025-11-16T12:00:35.843Z","dependency_job_id":null,"html_url":"https://github.com/redshiftzero/awesome-threat-modeling","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/redshiftzero/awesome-threat-modeling","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redshiftzero%2Fawesome-threat-modeling","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redshiftzero%2Fawesome-threat-modeling/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redshiftzero%2Fawesome-threat-modeling/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redshiftzero%2Fawesome-threat-modeling/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/redshiftzero","download_url":"https://codeload.github.com/redshiftzero/awesome-threat-modeling/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redshiftzero%2Fawesome-threat-modeling/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29452610,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-14T15:52:44.973Z","status":"ssl_error","status_checked_at":"2026-02-14T15:52:11.208Z","response_time":53,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["risk-assessment","security","threat-modeling"],"created_at":"2024-08-02T02:01:03.265Z","updated_at":"2026-02-14T19:03:54.125Z","avatar_url":"https://github.com/redshiftzero.png","language":null,"readme":"# awesome-threat-modeling\nA curated list of useful threat modeling and risk management resources. Please feel free to contribute.\n\n# Table of Contents\n1. [General](#general)\n2. [Data Flow Diagrams](#data-flow-diagrams)\n3. [Threat Enumeration](#threat-enumeration)\n4. [Prioritization Methodologies](#prioritization-methodologies)\n5. [Conference Talks](#conference-talks)\n6. [Books](#books)\n7. [Tools](#tools)\n\n## General\n\n* [OWASP page on Application Threat Modeling](https://www.owasp.org/index.php/Application_Threat_Modeling)\n* [OpenSAMM Threat Assessment](https://www.owasp.org/index.php/SAMM_-_Threat_Assessment_-_1)\n* [Microsoft threat modeling posts](https://blogs.msdn.microsoft.com/larryosterman/2007/10/01/some-final-thoughts-on-threat-modeling/)\n\n## Data Flow Diagrams\n\n* [Presentation (PDF) with very good introduction to DFDs](https://people.eecs.berkeley.edu/~daw/teaching/cs261-f12/hws/Introduction_to_Threat_Modeling.pdf)\n* [DFD Example and explanation](https://www.cs.uct.ac.za/mit_notes/software/htmls/ch06s02.html)\n\nGood tools for generating DFDs:\n\n* [graphviz](https://graphviz.gitlab.io/about/)\n* [draw.io](https://www.draw.io/)\n* [TikZ](http://www.texample.net/tikz/examples/data-flow-diagram/)\n\n## Threat Enumeration\n\n* [STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, Elevation of Privilege)](https://docs.microsoft.com/en-us/previous-versions/commerce-server/ee823878(v=cs.20))\n* [Attack Trees](https://www.schneier.com/academic/archives/1999/12/attack_trees.html)\n\n## Prioritization Methodologies\n\n* [DREAD (Damage, Reproducibility, Exploitability, Affected users, Discoverability)](https://wiki.openstack.org/wiki/Security/OSSA-Metrics#DREAD)\n\n## Conference Talks\n* [Rapid Threat Modeling](https://www.youtube.com/watch?v=4zxM1KhLXvI) - Akshay Aggarwal - Blackhat USA (2005)\n* Elevation of Privilege: The easy way to threat model [Part 1](https://www.youtube.com/watch?v=gZh5acJuNVg) and [Part 2](https://www.youtube.com/watch?v=uDtVBoj9VpQ) - Adam Shostack - Blackhat (2010)\n* [Threat Modeling Best Practices](https://www.youtube.com/watch?v=58Qga-ergBQ) - Robert Zigweid - AppSecUSA (2010)\n* [Threat Modeling: Lessons from Star Wars](https://www.youtube.com/watch?v=-2zvfevLnp4) - Adam Shostack - Brucon (2014)\n* [Incremental Threat Modeling](https://www.youtube.com/watch?v=WePVoeYrhpg) -  Irene Michlin - AppSecEU (2017)\n* [Threat Modeling with PASTA](https://www.youtube.com/watch?v=hHIgW8ZUi4A) - Tony UcedaVelez - AppSecEU (2017)\n* [Value Driven Threat Modeling](https://www.youtube.com/watch?v=3Fl_7FrM_gI) - Avi Douglen - AppSecUSA (2018)\n* [Threat Modeling Toolkit](https://www.youtube.com/watch?v=KGy_KCRUGd4) - Jonathan Marcil - AppSecCali (2018)\n* [Lessons From The Threat Modeling Trenches](https://www.youtube.com/watch?v=DEVt1Adybvs) - Brook Schoenfield - AppSecCali (2018)\n* [Threat Model as Code](https://www.youtube.com/watch?v=fT2-JuvK428) - Abhay Bhargav - AppSecUSA (2018)\n* [Threat Modeling at speed and scale](https://www.youtube.com/watch?v=5jyL-CHib54) - Stuart Winter-Tear - DevSecCon London (2018)\n* [Threat Modeling: uncover vulnerabilities without looking at code](https://www.youtube.com/watch?v=Fmp9UFjPiJs) - Chris Romeo - NDC (2018)\n* [Threat Modeling in 2018](https://www.youtube.com/watch?v=DMFF8zQqEVQ) - Adam Shostack - Blackhat USA (2018)\n* [Threat Modeling in 2019](https://www.youtube.com/watch?v=ZoxHIpzaZ6U) - Adam Shostack - RSA Conference (2019)\n* [Offensive Threat Models Against the Supply Chain](https://www.youtube.com/watch?v=J6o7YTnAqYg) - Tony UcedaVelez - AppSecCali (2019)\n* [Threat Model Every Story: Practical Continuous Threat Modeling Work for Your Team](https://www.youtube.com/watch?v=VbW-X0j35gw) - Izar Tarandach - AppSecCali (2019)\n* [Game On! Adding Privacy to Threat Modeling](https://www.youtube.com/watch?v=uzOdpuAhr28) - Adam Shostack, Mark Vinkovits - AppSecCali (2019)\n* [Adaptive Threat Modeling](https://www.youtube.com/watch?v=YTtO_TGV2fU) - Aaron Bedra - GOTO Chicago (2017)\n\n## Books\n\n* Shostack, [Threat Modeling: Designing for Security](https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998)\n* NIST, [Guide to Data-Centric System Threat Modeling](https://csrc.nist.gov/publications/detail/sp/800-154/draft)\n\n## Tools\n\n* [Microsoft TMT](https://docs.microsoft.com/en-us/azure/security/azure-security-threat-modeling-tool)\n* [OWASP Threat Dragon](https://threatdragon.org/)\n* [Mozilla Seasponge](https://github.com/mozilla/seasponge)\n* [IriusRisk](https://continuumsecurity.net/threat-modeling-tool/)\n* [eramba](http://www.eramba.org/)\n* [Elevation of Privilege (EoP) Threat Modeling Card Game](http://www.microsoft.com/en-us/download/details.aspx?id=20303)\n* [Threat Playbook](https://we45.gitbook.io/threatplaybook/)\n* [pytm](https://github.com/izar/pytm)\n* [ThreatSpec](https://threatspec.org/)\n* [Threat Model SDK](https://github.com/stevespringett/threatmodel-sdk)\n* [TaaC-AI](https://github.com/yevh/TaaC-AI)\n","funding_links":[],"categories":["Other Awesome Lists","Continuous Security Testing","\u003ca id=\"8c5a692b5d26527ef346687e047c5c21\"\u003e\u003c/a\u003e收集","Other Lists","Threat Intelligence"],"sub_categories":["Other Security Awesome Lists","TeX Lists","Penetration Testing Report Templates"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fredshiftzero%2Fawesome-threat-modeling","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fredshiftzero%2Fawesome-threat-modeling","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fredshiftzero%2Fawesome-threat-modeling/lists"}