The Art of Practical Threat Modelling
Two-Day Interactive (Classroom) Training - OWASP New Zealand Day 2026
Course Details
Dates: Tuesday and Wednesday, 1-2 September 2026
Time: 8:45 a.m. to 5:30 p.m. (NZST)
Instructor: Ralph Nicole N. Andalis
Course Fee: NZ $900.00 (plus GST and ticketing fees)
Registration Site: https://events.humanitix.com/owaspnz2026-training
Course Description
Threat modelling is often said to be as much an art as a technical discipline, and it has a reputation for being hard to apply and hard to teach. I will show you how to do it step by step, as I have done in my security consulting practice and past experiences. We will dive into different threat modelling methodologies, from the most common, STRIDE and DREAD, to the more advanced PASTA and NIST approaches. This will help you decide which ones to use, but the ultimate goal is to identify threats, work with your engineers, agree on fixes, perform mitigation, and improve your layered defense-in-depth.
This two-day Threat Modelling training is geared towards intermediate audiences with software engineering or security engineering/pentesting backgrounds who have never done any threat modelling work but want to get into it. It also includes modules that help beginners get up to speed and start threat modelling practically right after the training, so beginners are also welcome. Many cybersecurity practitioners face threat modelling requirements as part of their jobs but don’t know where to start or how to do it; this training arms them with the knowledge and techniques the instructor uses in his security consultancy career. Practically anyone can join this class even without those backgrounds, provided they have at least a basic idea of how programs work at the code level, an awareness of basic cybersecurity issues and threats, and an interest in learning them.
The main goal of this training is to equip participants with an understanding of how threat modelling helps them understand and deal with cyber threats to their applications and networks. The trainer’s goal is to prevent software security bugs from inception by teaching students how to build more secure software, or how to find underlying security flaws and bugs, minimizing the risks and impact of the engineered software. Participants will be immersed in the STRIDE, DREAD, PASTA and NIST threat modelling methodologies and will create their own threat models during the training. STRIDE and DREAD, the most common threat modelling methodologies, are the focus of the first part of the training. In the remaining half we move on to PASTA, an increasingly popular methodology that practitioners and consultants are asked to apply to present a different point of view of an organization’s potential threats. We will also look at the NIST threat modelling methodology as another comparison. This class is technology-agnostic in its treatment of threat modelling methodologies; threat modelling software, while useful, is not relevant to the main goal of the training.
Topic Outline
Day 1 - Introduction to STRIDE and DREAD
- Discuss the Basics and Overview of Threat Modelling
- Discuss the Threat Modelling Terminologies
- Real-life examples of threat models of information systems: web apps, mobile apps, networks, cloud infrastructure, etc. (we will skip the usual house and office examples)
- Hands-on Exercises for Identifying Threat Model Elements (assets, control, threat actors, and trust boundary)
- Hands-on Exercises for Identifying Threat Model Elements (threats, attack vector, attack surface, attack, etc.)
- Q&A
- Discuss the Threat Modelling Techniques
- Discuss STRIDE and DREAD in detail and their usage in threat models
- Discuss the Threat Modelling Process
- Real-life examples of information system threat models using STRIDE and DREAD
- Q&A
- Hands-on exercises applying STRIDE to the first two or three exercises
- Hands-on exercises overlaying DREAD risk ratings on the first two or three exercises
- Review of the previous threat models
- Discuss mitigation/recommendations
- Discuss Full Threat Models from start to finish using STRIDE and DREAD
- Hands-on exercises adding mitigations to the first two or three exercises
- Hands-on exercises building full threat models for the first two or three exercises
- Q&A
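As an added example (not part of the course material or the instructor's own exercises), the Day 1 flow expressed as a small threat-model-as-code script: declare the elements and trust zones, enumerate STRIDE threats per element, overlay analyst DREAD ratings, and rank with mitigations. The per-element STRIDE mapping (external entities: S, R; processes: all six; data stores: T, R, I, D; boundary-crossing data flows: T, I, D) follows the Microsoft SDL convention, and the DREAD score is the mean of five 1-10 ratings; the web application, its ratings and its mitigations are constructed for illustration.

```python
"""Threat-model-as-code walk-through: elements -> STRIDE -> DREAD -> mitigations."""
from dataclasses import dataclass
from statistics import mean
from typing import Optional

# STRIDE categories each element type is subject to (Microsoft SDL convention;
# an assumption used as a starting point, not a complete threat catalogue).
STRIDE_BY_TYPE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}
STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass
class Element:
    name: str
    kind: str   # key of STRIDE_BY_TYPE
    zone: str   # trust zone; differing zones on a flow mean a trust boundary


@dataclass
class Flow:
    src: Element
    dst: Element
    label: str

    @property
    def name(self) -> str:
        return f"{self.src.name}->{self.dst.name} ({self.label})"

    def crosses_boundary(self) -> bool:
        return self.src.zone != self.dst.zone


@dataclass
class Threat:
    target: str
    category: str
    dread: Optional[dict] = None   # analyst ratings 1..10 for D, R, E, A, Di
    mitigation: str = ""

    @property
    def score(self) -> Optional[float]:
        # DREAD risk = mean of the five ratings; None until an analyst rates it
        return None if not self.dread else round(mean(self.dread.values()), 1)


def enumerate_threats(elements, flows):
    """STRIDE per element; data flows only when they cross a trust boundary."""
    threats = [Threat(e.name, STRIDE_NAMES[c])
               for e in elements for c in STRIDE_BY_TYPE[e.kind]]
    threats += [Threat(f.name, STRIDE_NAMES[c])
                for f in flows if f.crosses_boundary()
                for c in STRIDE_BY_TYPE["data_flow"]]
    return threats


def overlay_dread(threats, ratings):
    """Attach (DREAD ratings, mitigation) keyed by (target, category)."""
    for t in threats:
        if (t.target, t.category) in ratings:
            t.dread, t.mitigation = ratings[(t.target, t.category)]
    return threats


def rank(threats):
    """Rated threats highest-risk first; unrated ones returned separately."""
    rated = sorted((t for t in threats if t.score is not None),
                   key=lambda t: t.score, reverse=True)
    unrated = [t for t in threats if t.score is None]
    return rated, unrated


def build_model():
    # Constructed system: browser on the internet, web app and DB in one zone
    browser = Element("browser", "external_entity", "internet")
    webapp = Element("webapp", "process", "app-network")
    db = Element("db", "data_store", "app-network")
    flows = [Flow(browser, webapp, "HTTPS login"), Flow(webapp, db, "SQL")]
    threats = enumerate_threats([browser, webapp, db], flows)
    # Constructed analyst ratings for a few of the enumerated threats
    ratings = {
        ("browser->webapp (HTTPS login)", "Information disclosure"):
            ({"D": 8, "R": 9, "E": 4, "A": 10, "Di": 7},
             "Enforce TLS 1.2+ and HSTS; never accept credentials over plain HTTP"),
        ("webapp", "Elevation of privilege"):
            ({"D": 9, "R": 7, "E": 6, "A": 9, "Di": 5},
             "Server-side authorisation check on every request, deny by default"),
        ("db", "Tampering"):
            ({"D": 9, "R": 5, "E": 5, "A": 10, "Di": 6},
             "Parameterised queries and a least-privilege database account"),
        ("browser", "Spoofing"):
            ({"D": 6, "R": 8, "E": 5, "A": 7, "Di": 8},
             "MFA and rate-limited login"),
    }
    return rank(overlay_dread(threats, ratings))


if __name__ == "__main__":
    rated, unrated = build_model()
    for t in rated:
        print(f"{t.score:4} {t.target:32} {t.category:24} -> {t.mitigation}")
    print(f"{len(unrated)} enumerated threats still need a DREAD rating")
```

The unrated list is the useful output for a workshop: STRIDE enumeration deliberately over-produces, and the review step is deciding, per threat, whether it is rated, mitigated, or accepted with a written reason.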
Day 2 - Introduction to the PASTA Method
- Discuss the Overview of PASTA methodology
- Discuss the seven stages in PASTA methodology
- PASTA vs. STRIDE and DREAD
- Discuss PASTA in detail and its usage in threat models
- Discuss the PASTA Threat Modelling Process
- Hands-on Exercises with PASTA threat modelling
- Discuss mitigation/recommendations
- Discuss Full Threat Models from start to finish using PASTA
- More hands-on exercises, adding mitigations to the first two or three exercises
- Q&A
- Discuss the Overview of NIST methodology
- STRIDE vs. DREAD vs. PASTA vs. NIST
- Q&A
- Threat Modelling Tools (OWASP Threat Dragon, Lucidchart and any other diagramming software)
- More interactive workshop examples of threat modelling (depending on the group’s pace)
- Q&A
Your Instructor
Ralph Nicole N. Andalis - Biography to be provided