OWASP Threat Model Cookbook

GitHub forks GitHub contributors GitHub repo size GitHub last commit

This project is about creating and publishing threat model examples into our GitHub repository. They can be in the form of code, graphical or textual representations. The models will use diverse technologies, methodologies and techniques.

It is not a goal of the project to prescribe which methodologies to use but rather to collect examples. It will also not create content to educate people on threat modeling. Other OWASP projects such as Threat Modeling Project exists to that end.


Currently the landscape of threat modeling is limited to a few books and methodologies that are widely accessible and in some cases open source. However, there’s a lack of openly available content that is beyond just a blanket examples for existing methodologies. For instance, you could read a timeless awesome book, but the few complete examples the book is providing are outdated due to technology changing rapidly while threat model methodologies changes in a slower pace.

This project is scoped in such a way that the only outcomes of what we produce are examples. You could infer your own methodologies using examples as component for your own toolbox of techniques. You could also simply follow an prescriptive and well defined method and refer to this project deliverable to give you examples on similar techniques.

We also will have duplicate example of the same systems. Either using the same techniques, or different techniques. The reason for having the same technique but with multiple example is to show people that thread models by their nature will differ depending on the author. They should have recognizable components that allow a common language so viewers will understand the meaning, but like manuscript writing and hand drawing, the look will differ. Some will be ugly, but give an example of a quick solution, while other will look amazing and give you example of putting time into it. Perhaps you will judge that both gives the same results for you, thus choosing the quicker version. And for other people, they’ll find that a detailed and more defined version will look better and encourage contribution. It’s all up to you, browse the examples, try to comprehend them, and make your version. And if you can open source it, contribute!

Contributions will be accepted for any open source content that can follow our license. Note that most of the cases, it might be about made up systems that doesn’t really exist, or system that exist but that people doesn’t know the real internal architecture. So by definition, this project is not about giving you examples of good systems, but rather good threat model. A bad system being modeled here could actually give you a better example of how threat model can be useful to point out flaws.


The written documents, diagrams and code of this project are free software. For code, you can redistribute it and/or modify it under the terms of the Apache 2.0 License and under CC-BY 3.0 License for the rest of diagrams and documents.


Subsequent Updates will add

  • Reorganization of the repository structure to reflect current goals
  • Self documentation in the repository about the ways of working
  • Adding more starting model examples
  • Getting GitHub PRs from contributors to add more examples
  • Getting GitHub issues to give feedback on examples to contributors </strong>

Getting Involved

Involvement in the development and promotion of OWASP Threat Model Cookbook is actively encouraged! You do not have to be a security expert or a programmer to contribute. Some of the ways you can help are as follows: