Certified Threat Modeling Professional™

Discover how threat modeling reduces security vulnerabilities by up to 65%. The curriculum covers STRIDE, PASTA, data flow analysis, ASVS and threat-modeling-as-code techniques for modern DevOps environments, skills that 83% of security professionals consider essential for modern application protection.

Over 5,000 learners certified


Self-paced learning

Browser-based lab access

24/7 instructor support


Trusted by top companies across industries, empowering thousands of professionals worldwide. Join the ranks of security leaders.

CTMP Threat Modeling Training Course Prerequisites

  1. Course participants should have knowledge of basic security fundamentals like Confidentiality, Integrity, and Availability (CIA)
  2. Basic knowledge of application development is preferred but is not necessary

Chapter 1: Threat Modeling Overview

  1. What is Threat Modeling?
  2. The Threat Model Parlance
    1. Security is a Balancing Act
    2. Design Flaws and Risk Rating
  3. Why Threat Model?
  4. Threat Modeling vs. Other Security Practices
  5. Threat Modeling Frameworks and Methodologies
    1. List/Library Centric Threat Modeling
    2. Asset/Goal Centric Threat Modeling
    3. Threat Actor/Attacker Centric Threat Modeling
    4. Software Centric Threat Modeling
  6. Trust Boundaries vs. Attack Surfaces
  7. Modern Threat Modeling Approaches for Agile and DevOps
  8. Risk Management Strategies with Examples
    1. Avoiding Risks
    2. Accepting Risks
    3. Mitigating Risks
    4. Transferring Risks
  9. Hands-on Exercises:
    1. Breakout Sessions to Identify Threats for a Multi-Tiered Application

    Chapter 2: Threat Modeling Basics

    1. Threat Modeling and Security Requirements
    2. Threat Modeling vs Threat Rating
    3. Diagramming for Threat Modeling
    4. List Centric Threat Modeling
    5. Exploring the STRIDE Model
      1. Spoofing
      2. Tampering
      3. Repudiation
      4. Information Disclosure
      5. Denial of Service
      6. Elevation of Privileges
    6. Pros and Cons of STRIDE
    7. STRIDE defenses
      1. Authentication
      2. Integrity
      3. Non-Repudiation
      4. Confidentiality
      5. Availability
      6. Authorization
    8. STRIDE Threat examples
    9. Goal/Asset Based modeling Approach
      1. Attack Trees
      2. Attack Tree Analysis
    10. Attacker/Threat Actor Centric Modeling Approach
      1. Using MITRE ATT&CK for Attacker Centric Threat Modeling
    11. Software Centric Threat Modeling
    12. Other Threat modeling methodologies
      1. PASTA
      2. VAST
      3. Hybrid Threat modeling
      4. RTMP
      5. OCTAVE
    13. Gamified approaches for Threat Modelling
      1. Virtual Card Games
      2. Adversary Card Games
    14. Introduction to Threat Rating
      1. DREAD
      2. OWASP Risk Rating Methodology
      3. Bug Bar
      4. Rapid Risk Assessment
    15. Hands-on Exercises:
      1. Creating a Data Flow Diagram for Threat Modeling
      2. Using OWASP Cornucopia to Identify Web-Related Threats
      3. Creating Threat Actor Personas
      4. Using Threat Actor Personas to Identify Threats
      5. Risk Rating with OWASP Risk Rating Methodology

    What you'll learn from the Certified Threat Modeling Professional course

    Apply four proven threat modeling methodologies (STRIDE, PASTA, VAST and RTMP) to find design-level security flaws before they reach your systems and applications.

    Transform security from blocker to enabler by mastering Agile Threat Modeling approaches that integrate seamlessly with DevOps pipelines and CI/CD workflows.

    Create actionable threat models using industry-standard tools like OWASP Threat Dragon, IriusRisk, Threat Modeler, CAIRIS, and "Threat Modeling as Code" techniques.

    Apply risk assessment frameworks (DREAD, OWASP Risk Rating) to prioritize vulnerabilities, allocate resources effectively, and communicate risks to stakeholders.

    Design secure cloud-native applications by examining real-world case studies of AWS S3, Kubernetes, and enterprise applications with practical validation techniques.

    Build scalable security processes that work across multiple teams using automation and templates, while ensuring you meet key compliance standards like PCI-DSS.

    Chapter 3: Agile Threat Modeling

    1. Agile Threat Modeling Approaches
      1. Threat Modeling Diagrams as Code
      2. Threat Modeling Inside The Code
      3. Threat Modeling as Code
      4. Compliance and Audit as Code
      5. Rapid Threat Model Prototyping
    2. Security Requirements as Code With BDD Security
    3. Events of Agile Software Development Through Scrum
    4. Writing Security Requirements for Agile Software Development
    5. Writing Use Cases and Abuse Cases
    6. Privacy Impact Assessments and Security Requirements
    7. Identifying Privacy Related Threats
    8. Hands-on Exercises:
      1. Writing Abuse Cases for Password Reset Workflow
      2. Threat Modeling Privacy for your system
      3. Exploring UML as Code
      4. Creating Attack Trees Using Code
      5. Writing Threat Models Alongside Code
      6. Writing Threat Models With Code
      7. Writing Threat Models As Code
      8. Writing Compliance As Code for PCI-DSS
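The Chapter 2 items (data flow diagrams, STRIDE per element, DREAD rating) and the Chapter 3 "Threat Modeling as Code" exercises describe one workflow: declare the system as data, derive threats from it, rate them, and keep the result in version control where it can be reviewed like any other change. The following Python is an added example written for this page; it is not course material and does not use any of the tools named in the syllabus. The element kinds, the STRIDE-per-element mapping, the DREAD cut-off and the three-tier sample system are all illustrative assumptions.

```python
"""Threat model as code: DFD as data -> STRIDE-per-element -> DREAD -> report."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: a common STRIDE-per-element mapping of which categories apply
# to each DFD element kind.
STRIDE_PER_ELEMENT = {
    "external": {"S", "R"},
    "process": {"S", "T", "R", "I", "D", "E"},
    "datastore": {"T", "R", "I", "D"},
    "dataflow": {"T", "I", "D"},
}
STRIDE_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information disclosure", "D": "Denial of service",
                "E": "Elevation of privilege"}


@dataclass
class Element:
    name: str
    kind: str       # one of STRIDE_PER_ELEMENT's keys
    boundary: str   # trust boundary the element sits in


@dataclass
class Flow:
    name: str
    src: str
    dst: str


@dataclass
class Threat:
    target: str
    category: str
    dread: Optional[Dict[str, int]] = None   # five factors, each rated 1..10
    mitigation: Optional[str] = None

    @property
    def score(self) -> float:
        """Mean of the DREAD factors; 0 until the threat has been rated."""
        return sum(self.dread.values()) / 5 if self.dread else 0.0


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    """Every element gets the STRIDE categories its kind is exposed to; a data
    flow only gets threats when it crosses a trust boundary."""
    by_name = {e.name: e for e in elements}
    threats = [Threat(e.name, c) for e in elements
               for c in sorted(STRIDE_PER_ELEMENT[e.kind])]
    for f in flows:
        if by_name[f.src].boundary != by_name[f.dst].boundary:
            threats += [Threat(f"{f.name} ({f.src} -> {f.dst})", c)
                        for c in sorted(STRIDE_PER_ELEMENT["dataflow"])]
    return threats


def rate(threats, target, category, d, r, e, a, disc, mitigation=None) -> Threat:
    """Attach a DREAD rating (and optional mitigation) to one enumerated threat."""
    for t in threats:
        if t.target == target and t.category == category:
            t.dread = {"damage": d, "reproducibility": r, "exploitability": e,
                       "affected_users": a, "discoverability": disc}
            t.mitigation = mitigation
            return t
    raise KeyError(f"no {category} threat enumerated for {target}")


def open_threats(threats: List[Threat], minimum: float = 7.0) -> List[Threat]:
    """Rated threats at or above the cut-off with no mitigation: the backlog."""
    return sorted((t for t in threats if t.score >= minimum and not t.mitigation),
                  key=lambda t: t.score, reverse=True)


def report(threats: List[Threat]) -> str:
    """Plain-text table that lives beside the code and is diffed in review."""
    rows = ["target | STRIDE | score | mitigation"]
    for t in sorted(threats, key=lambda t: t.score, reverse=True):
        rows.append(f"{t.target} | {STRIDE_NAMES[t.category]} | {t.score:.1f} | "
                    f"{t.mitigation or 'OPEN'}")
    return "\n".join(rows)


# Constructed sample: browser -> web app -> database across three trust zones.
ELEMENTS = [Element("browser", "external", "internet"),
            Element("webapp", "process", "dmz"),
            Element("orders-db", "datastore", "internal")]
FLOWS = [Flow("https", "browser", "webapp"), Flow("sql", "webapp", "orders-db")]


def sample_model() -> List[Threat]:
    threats = enumerate_threats(ELEMENTS, FLOWS)
    rate(threats, "sql (webapp -> orders-db)", "I", 9, 8, 6, 9, 7,
         mitigation="TLS to DB, least-privilege DB role")
    rate(threats, "webapp", "E", 10, 5, 5, 10, 6)   # no mitigation yet: stays open
    rate(threats, "browser", "S", 6, 7, 7, 6, 8, mitigation="MFA")
    return threats


if __name__ == "__main__":
    print(report(sample_model()))
```

Because the model is plain code, a pull request that adds a new data store or moves a flow across a boundary changes the enumerated threat list, and a reviewer sees that diff next to the code change; `open_threats` is what feeds the backlog discussed in Chapter 4.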

    Chapter 4: Reporting and Deliverables

    1. How To Manage Threat Models
      1. Documentation
      2. Backlog
      3. Bugs and Tickets
      4. Code
      5. Automation
    2. Threat Modeling Tools and Templates
      1. Microsoft Threat Modeling Tool
      2. OWASP Threat Dragon
      3. CAIRIS Platform
      4. Threat Modeling As Code Tools
      5. Freemium Tools
      6. Threat Model Templates and Examples
    3. Validating Threat Models
      1. Threat Model Versus Reality
      2. All Threats Accounted For Risk
      3. Mitigations Are Tested
      4. Are We Done Threat Modeling?
    4. Hands-On Exercises:
      1. Threat Modeling with OWASP Threat Dragon
      2. Threat Modeling a Multi-Tiered Application with IriusRisk
      3. Threat Modeling for Multi-Cloud with IriusRisk
      4. Validating Threats with Automated Tests
      5. Validating Mitigations with Automated Tests
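The Chapter 3 exercise on abuse cases for a password-reset workflow and the Chapter 4 exercise on validating mitigations with automated tests fit together: each abuse case (token replay, stale token, account enumeration, guessable token) becomes a check that fails when its mitigation is missing. The following Python is an added example written for this page, not course material; the in-memory reset service, the 15-minute TTL and the fixed response message are constructed for illustration.

```python
"""Password-reset abuse cases turned into mitigation checks."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

TOKEN_TTL_SECONDS = 15 * 60   # assumption: 15-minute reset window
GENERIC_RESPONSE = "If that address is registered, a reset link has been sent."


@dataclass
class ResetRecord:
    user: str
    expires_at: float
    used: bool = False


class PasswordResetService:
    """Constructed model of a reset flow; each mitigation is marked inline."""

    def __init__(self, users, clock: Callable[[], float] = time.time):
        self.users = set(users)
        self.clock = clock
        self.records: Dict[str, ResetRecord] = {}   # keyed by sha256(token)
        self.passwords: Dict[str, str] = {}
        self.outbox: List[Tuple[str, str]] = []     # stands in for e-mail delivery

    @staticmethod
    def _digest(token: str) -> str:
        # Mitigation: only a hash is stored, so a leaked table cannot be replayed.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email: str) -> str:
        if email in self.users:
            token = secrets.token_urlsafe(32)       # mitigation: unguessable token
            self.records[self._digest(token)] = ResetRecord(
                email, self.clock() + TOKEN_TTL_SECONDS)
            self.outbox.append((email, token))
        # Mitigation: identical response whether or not the account exists.
        return GENERIC_RESPONSE

    def consume(self, token: str, new_password: str) -> bool:
        rec = self.records.get(self._digest(token))
        if rec is None or rec.used or self.clock() > rec.expires_at:
            return False                            # unknown, replayed or stale
        rec.used = True                             # mitigation: single use
        self.passwords[rec.user] = new_password
        return True


# Mitigation checks: each returns True only if the control actually holds.

def _service(now: List[float]) -> PasswordResetService:
    """Injectable clock so expiry can be tested without sleeping."""
    return PasswordResetService(["alice@example.com"], clock=lambda: now[0])


def check_single_use() -> bool:
    svc = _service([1_000.0])
    svc.request_reset("alice@example.com")
    _, token = svc.outbox[-1]
    first = svc.consume(token, "new-pw-1")
    replay = svc.consume(token, "attacker-pw")
    return first and not replay and svc.passwords["alice@example.com"] == "new-pw-1"


def check_expiry() -> bool:
    now = [1_000.0]
    svc = _service(now)
    svc.request_reset("alice@example.com")
    _, token = svc.outbox[-1]
    now[0] += TOKEN_TTL_SECONDS + 1                 # jump past the TTL
    return not svc.consume(token, "late-pw")


def check_no_account_enumeration() -> bool:
    svc = _service([1_000.0])
    known = svc.request_reset("alice@example.com")
    unknown = svc.request_reset("nobody@example.com")
    return known == unknown and len(svc.outbox) == 1


def check_token_strength() -> bool:
    svc = _service([1_000.0])
    svc.request_reset("alice@example.com")
    _, token = svc.outbox[-1]
    stored_in_clear = token in svc.records          # keys are hashes, never tokens
    return len(token) >= 43 and not stored_in_clear  # 32 random bytes -> 43 chars


def run_all() -> Dict[str, bool]:
    checks = (check_single_use, check_expiry,
              check_no_account_enumeration, check_token_strength)
    return {c.__name__: c() for c in checks}


if __name__ == "__main__":
    for name, ok in run_all().items():
        print(f"{'PASS' if ok else 'FAIL'} {name}")
```

Remove any one mitigation (for example the `rec.used` check) and the matching check flips to FAIL, which is the point of the Chapter 4 "Mitigations Are Tested" validation step: the threat model's mitigations are asserted by the pipeline rather than assumed from a document.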

      Chapter 5: Secure Design Principles and Threat Modeling Native and Cloud-Native Applications

      1. Exploring Principles of Secure Design with Examples
        1. Principle of Economy of Mechanism
        2. Principle of Fail Safe Defaults
        3. Principle of Complete Mediation
        4. Principle of Open Design
        5. Principle of Separation of Privilege
        6. Principle of Least Privilege
        7. Principle of Least Common Mechanism
        8. Principle of Psychological Acceptability
      2. Case Study of AWS S3 Threat model
      3. Case Study of Kubernetes Threat Model
        4. Case Study of the Very Secure FTP Daemon (vsftpd)

      CTMP Course Certification Process

      1. After completing the course, you can schedule the CTMP exam on your preferred date.
      2. The process for achieving the Practical DevSecOps CTMP certification is described on the certification process page.

        Benefits of enrolling in the Practical DevSecOps courses

        Master today’s security challenges with our updated curriculum and hands-on labs, preparing you for real-world threats.

        Browser-based lab

        Access all tools and exercises directly in your browser. Enjoy a practical, hassle-free learning experience - no downloads or installations needed!

        Explore commands with our new AI-Powered 'Explain to me' feature

        Gain detailed insights into any command with our AI-powered feature, designed to enhance your understanding and accelerate your learning.

        Master cutting-edge tools

        Enhance your security skills through hands-on experience with the latest industry tools in our labs. Get equipped for real-world applications and stay ahead of industry changes.

        Frequently asked questions (FAQs)

        What are the prerequisites required before enrolling in the Certified Threat Modeling Professional Course?

        To enroll in the CTMP course, students should have a basic understanding of security fundamentals such as confidentiality, integrity, and availability. While application development knowledge is beneficial, it is not mandatory.

        What's included in the Certified Threat Modeling Professional course package?

        The course includes 3 years of video access, 60 days of browser-based labs, 30+ guided lab exercises, a PDF manual, 24/7 student support, and one exam attempt.

        Do the labs for the Certified Threat Modeling Professional course start immediately after enrollment?

        No. The Threat Modeling course does not begin automatically upon enrollment. After purchasing the course, students select their desired start date, which marks the beginning of their course access period.

        Does the course come with CPE points?

        Yes, the course offers 24 CPE (Continuing Professional Education) points upon completion.

        What is the exam format?

        The exam consists of 5 challenges to be solved within 6 hours, followed by a 24-hour window to complete and submit the report for evaluation.

        Should I go to an exam center, or is the exam online?

        It is an online exam. You can take the exam from the comfort of your home or office.

        How long is the Certified Threat Modeling Professional certification valid?

        The CTMP certification is a lifetime credential. Once you have earned it, it does not expire and lasts throughout your career.

        Why Certified Threat Modeling Professional Course from Practical DevSecOps?

        The first-of-its-kind vendor-neutral Certified Threat Modeling Professional certification delivers hands-on training through real-world exercises across all five chapters. Unlike theoretical courses, it focuses on practical implementation in DevSecOps environments with expert instructors who have successfully integrated threat modeling into Agile and CI/CD workflows.

        What you will learn:

        • Implement four proven methodologies (STRIDE, PASTA, VAST, RTMP) to identify vulnerabilities before deployment.
        • Create threat models using industry tools and "Threat Modeling as Code" techniques.
        • Apply risk rating frameworks to prioritize issues and communicate effectively with stakeholders.
        • Build scalable security processes that work across teams while meeting compliance standards.

        Hear from our learners

        Explore the global impact of our Threat Modeling Professional Certification through our learners’ testimonials.

        After two months of studying and a grueling 12-hour exam last Saturday, I'm happy to share I can now call myself a Certified DevSecOps Professional!

        Would recommend the course to anyone that wants to really get hands-on and technical with tooling such as SCA, SAST, DAST, IaC and CaC.

        Danilo Verhaert

        Cyber Security Technology Specialist at Microsoft

        I received good news over the Thanksgiving week: I passed my Certified Container Security Expert exam! This exam is provided by the Practical DevSecOps training group, which I highly recommend for hands-on skills in the DevSecOps field. The practical labs and 6-hour exam cover a number of security strategies and tools, including: Harbor, Cosign, Trivy, Grype, Snyk, Dockle, Seccomp and many more! The training is FIRST CLASS!

        Jason Lutz, MPA

        AWS Sr. Technical Account Manager (Cloud Security)...

        I am happy to share that I have lately gained the Practical DevSecOps Professional Certification (CDP).

        Thanks to the Practical DevSecOps team, for both excellent material and a lot of great practical labs.

        The certification finished off with a challenging 12 hours practical exam and extensive report writing.

        Stephan Kaas Johansen

        CTO at WinLas - Leading development of next genera...

        I'm excited to share that I have successfully obtained the CCNSE certification!

        This accomplishment has provided me with advanced abilities to effectively secure microservices, containers and Kubernetes environments.

        I now possess comprehensive expertise in handling attacks, implementing defenses, and ensuring compliance within these complex systems.

        I would like to give big thanks to the very responsive team at Practical DevSecOps.

        Ahmad Tabbara

        Cybersecurity Engineer | Penetration Tester | Cyberse...

        The course in general was a great experience, really well structured and quite intense. The teacher was really happy to cover and answer all of our questions and make sure we understood the connection between various DevOps processes.

        Spyridon Manglis

        ING

        Oops I did it again 🙂

        I'm happy to share that I passed the Certified Container Security Expert course and exam. Many thanks to the Practical DevSecOps Team for an interesting course.

        Batel Zohar Tova

        Developer Advocate at JFrog

        After two months of studying and a grueling 12-hour Practical exam, I'm happy to share that I can now call myself a Certified DevSecOps Professional!

        Warmly recommend this excellent course for technical architects, or engineers who want to gain hands-on skills on how to embed security across modern SDLC.

        The labs covered running below mentioned security tools using Docker and building E2E DevOps pipeline with integrated security automation using GitLab, Jenkins, CircleCI, and GitHub Actions.

        SCA, SAST, DAST, Infra as Code/hardening (IaC), Compliance as Code(CaC), Vulnerability mgmt

        Thanks Practical DevSecOps

        Ahmed AlaaEldin

        Sr. Application Security Consultant @ AppSec...

        This was a great course with practical training for how to embed automated security scanning into a CI/CD pipeline, plus hardening and compliance checks using an everything-as-code approach. Finishing off with a challenging 12 hour practical exam and extensive report writing requirement and assessment to gain the Certified DevSecOps Professional (CDP) certificate. Thanks to Mohammed A. Imran and Raj Shekar of Practical DevSecOps.

        Paul Cullum

        Security Operations Lead @Balyasny...

        After a very challenging 12-hour hands-on exam and preparing an extensive exam report, I am now a Certified DevSecOps Professional (CDP)!

        The quality of the course material was surprisingly good and the lab environment is better than any other that I've come across. And in the AppSec field, I have seen quite a few of them. If you want to learn about application security, CI/CD pipelines, Docker, IaC, CaC, SAST, DAST, SCA and these other crazy but very cool acronyms and buzzwords, you would be very wise to join this course.

        Tuomas Tiensuu

        Chief Information Security Officer @ JAY Solutions...

        Whoa! After completing 139 lab exercises and an intensive 12-hour exam in 1.5 months, I am finally a Certified DevSecOps Professional too. 🎉

        Warmly recommend this excellent course for technical Product Owners, architects or engineers who want to gain hands-on skills on how to embed security across modern SDLC.

        The labs covered running below mentioned security tools using Docker and building E2E DevOps pipeline with integrated security automation using GitLab, Jenkins, CircleCI and GitHub Actions.

        SCA: Safety, pip-audit, RetireJS, dependency-check, Snyk, npm audit, auditjs, bundler-audit
        SAST: Trufflehog, detect-secrets, Bandit, Gosec, semgrep, hadolint, FindSecBugs, njsscan, pylint, Brakeman, SonarQube
        DAST: nikto, nmap, SSLyze, ZAP, Dastardly
        Infra as Code/hardening: Ansible, AnsibleVault, TFLint, Checkov, Terrascan, tfsec, Snyk
        Compliance as Code: Inspec for CIS Benchmark, ASVS, Docker compliance
        Vulnerability mgmt using DefectDojo

        Vilma Blomberg

        Cybersecurity

        I am happy to share that I have lately gained the Practical DevSecOps Professional Certification (CDP).

        Thanks to the Practical DevSecOps team, for both excellent material and a lot of great practical labs.

        The certification finished off with a challenging 12 hours practical exam and extensive report writing.

        Tu Ngo Van

        CyberSecurity Enthusiast

        I recently took the Certified DevSecOps Professional (CDP) certification from Practical DevSecOps. I would recommend the course for anybody that is interested in DevSecOps. The course material was well-written and presented. The labs were very helpful for real-world applications, and the test was a fun challenge.

        Jamy Casteel

        GSE #316 | MSISE | MBA | CISSP | SANS...

        Another awesome certificate to the collection 🙂 Thanks Practical DevSecOps for very valuable course and certificate. Can't wait to attend another one of your courses!

        Bartlomiej Czesak

        4Code

        Future-Proof Your Career with Threat Modeling Training

        Unlock your potential with Threat Modeling Training! Our Certified Threat Modeling Professional course equips you with job-ready skills. Conquer the 6-hour exam with confidence and open doors to exciting opportunities and challenges.

        Unmatched practical focus

        70% hands-on labs to master real-world scenarios.

        Expert-crafted curriculum

        Get real-world insights from experienced security experts.

        Practical exam

        Take a 6-hour examination to show what you have learned.

        24/7 expert support

        Unbeatable guidance throughout your learning journey.