
Update: Threat Modeling Cheat Sheet

Open jgadsden opened this issue 2 weeks ago • 2 comments

What is missing or needs to be updated?

Personally I find the content of the Threat Modeling Cheat Sheet useful and of high quality, but it does seem less like a cheat sheet (i.e. what is the minimum I need to know to get me started) and more conceptual in nature. This makes it longer than it could be, and so less useful as a cheat sheet (although still really useful).

I would not want to lose any of the content in the Threat Modeling Cheat Sheet, but suggest that a good proportion of it could be transferred to a revamped Threat Modeling Project, which is a more natural home for some of the existing content in the Threat Modeling Cheat Sheet.

This has come about from a discussion in the Threat Modeling Project.

How should this be resolved?

Review and cut down the amount of material in the Threat Modeling Cheat Sheet, and transfer the removed content (in revised form) into the Threat Modeling Project.

jgadsden avatar Dec 07 '25 07:12 jgadsden

I'm always for keeping cheat sheets short. @mackowski and @jmanico what do you think? It sounds like @adamshostack is in favor but I'd like his official opinion in this thread.

szh avatar Dec 07 '25 16:12 szh

I think this is a great idea.

jmanico avatar Dec 08 '25 14:12 jmanico

I love this idea!

mackowski avatar Dec 15 '25 15:12 mackowski

I really like this direction 👍

I agree that the current content is high quality, but tightening it into a more “minimum viable” cheat sheet would make it much more actionable for practitioners who just want to get started.

If helpful, I can:

  • Propose a shortened “core workflow” version of the Threat Modeling Cheat Sheet (e.g., scope → assets → threats → mitigations → validation)
  • Identify sections that are more conceptual/background and suggest moving them (in revised form) to the Threat Modeling Project
  • Open a PR that focuses on clarity, structure, and quick-reference value rather than removing useful content

aakarshgopishetty avatar Dec 15 '25 17:12 aakarshgopishetty

We're definitely open to PRs. We should ask @adamshostack to review anything before merging it.

szh avatar Dec 15 '25 20:12 szh

Thanks for the feedback

I’m happy to work on a PR with that review process in mind. My plan would be to:

  • Refactor the Threat Modeling Cheat Sheet into a concise, quick-start reference focused on “what do I need to do first?”
  • Preserve the existing high-quality content by identifying sections that are more conceptual or explanatory and proposing their migration (in revised form) to the Threat Modeling Project
  • Emphasize a clear, repeatable core workflow (e.g., scope → assets → threats → mitigations → validation) suitable for practitioners and newcomers

I’ll make sure to keep the changes incremental and tag @adamshostack for review before anything is finalized. Once I have an initial draft, I’ll open a PR for discussion.

aakarshgopishetty avatar Dec 16 '25 12:12 aakarshgopishetty

Hello @aakarshgopishetty, be aware that threat modeling is not an easy subject to describe in a cheat sheet because it needs to focus on the 'how to do it', not the 'what it is'. The approaches to threat modeling are many and all equally valid, and there are very experienced practitioners in this domain. I guess what I am saying is that unless you have significant experience in threat modeling in various environments and with various types of teams, then you may find this much more difficult than at first sight.

jgadsden avatar Dec 16 '25 16:12 jgadsden

Thank you for the clarification, @jgadsden — that’s a very fair and important point.

I completely agree that threat modeling is fundamentally about how to do it, and that it’s a nuanced practice with many valid approaches depending on context, team maturity, and environment. I also appreciate that there is a lot of deep practitioner experience embedded in the existing content.

My intention wouldn’t be to oversimplify or prescribe a single “correct” methodology, but rather to help shape the cheat sheet into a starting aid for newcomers — something that helps them take their first practical steps, while clearly pointing to the Threat Modeling Project for deeper guidance, methodologies, and practitioner insight.

Given your feedback, I think the safest approach would be to keep any changes very conservative and incremental, and to focus on structure, signposting, and clarity rather than rewriting core guidance. I’d also welcome review and direction from more experienced threat modeling practitioners before proposing anything substantial.

Thanks again for the guidance — it’s helpful to understand the expectations and constraints up front.

aakarshgopishetty avatar Dec 16 '25 16:12 aakarshgopishetty

I'd encourage @aakarshgopishetty to look at the threat model project, which has adopted the four question framework as its organizing principle, and not promulgate "scope → assets → threats →" thinking.

adamshostack avatar Dec 16 '25 19:12 adamshostack

@aakarshgopishetty I see from your comment, subsequently deleted, that you are feeding this conversation into ChatGPT and copying out the answers to us. The changes that I would like to see for the Threat Modeling Cheat Sheet need to be concise, informative and accurate; we will not get this if you are intending to use ChatGPT for your contribution.

jgadsden avatar Dec 17 '25 08:12 jgadsden

Thank you for raising this concern, @jgadsden — I understand why this would be worrying, and I appreciate you being direct about it.

To clarify: I use ChatGPT primarily as a language and structuring aid, not as a source of threat-modeling guidance or technical authority. My intent was to ensure my written responses were clear and well-phrased, not to outsource analysis or decision-making. That said, I recognize that this was not made explicit, and I understand how it could give the wrong impression.

I fully agree that contributions to the Threat Modeling Cheat Sheet must be concise, accurate, and grounded in real practitioner understanding. If I proceed further on this issue, I will do so based on direct study of the existing Cheat Sheet and the Threat Modeling Project materials, and I’ll rely on my own reasoning and references rather than generated content.

If you or the maintainers feel it’s more appropriate that I step back from proposing edits here, I completely respect that as well. Either way, thank you for the time and care you’re putting into maintaining the quality of this work.

aakarshgopishetty avatar Dec 17 '25 13:12 aakarshgopishetty

We have our AI policy in CONTRIBUTING.md, you can review that. In the end we'll judge the PR based on the quality of the content. If you feel that you're up to the task, please proceed, as long as you're being forthright about how you're using AI (and preferably share the prompts).

szh avatar Dec 17 '25 14:12 szh